2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "torture/torture.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/gensec/gensec.h"
29 #include "lib/cmdline/popt_common.h"
30 #include "torture/rpc/rpc.h"
31 #include "torture/rpc/netlogon.h"
32 #include "../lib/crypto/crypto.h"
33 #include "libcli/auth/libcli_auth.h"
34 #include "librpc/gen_ndr/ndr_netlogon_c.h"
35 #include "librpc/gen_ndr/ndr_netlogon.h"
36 #include "librpc/gen_ndr/ndr_lsa_c.h"
37 #include "param/param.h"
38 #include "libcli/security/security.h"
40 #define TEST_MACHINE_NAME "torturetest"
42 static bool test_LogonUasLogon(struct torture_context *tctx,
43 struct dcerpc_pipe *p)
46 struct netr_LogonUasLogon r;
47 struct netr_UasInfo *info = NULL;
49 r.in.server_name = NULL;
50 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
51 r.in.workstation = TEST_MACHINE_NAME;
54 status = dcerpc_netr_LogonUasLogon(p, tctx, &r);
55 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
60 static bool test_LogonUasLogoff(struct torture_context *tctx,
61 struct dcerpc_pipe *p)
64 struct netr_LogonUasLogoff r;
65 struct netr_UasLogoffInfo info;
67 r.in.server_name = NULL;
68 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
69 r.in.workstation = TEST_MACHINE_NAME;
72 status = dcerpc_netr_LogonUasLogoff(p, tctx, &r);
73 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
78 bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
79 struct cli_credentials *credentials,
80 struct creds_CredentialState **creds_out)
83 struct netr_ServerReqChallenge r;
84 struct netr_ServerAuthenticate a;
85 struct netr_Credential credentials1, credentials2, credentials3;
86 struct creds_CredentialState *creds;
87 const struct samr_Password *mach_password;
88 const char *machine_name;
90 mach_password = cli_credentials_get_nt_hash(credentials, tctx);
91 machine_name = cli_credentials_get_workstation(credentials);
93 torture_comment(tctx, "Testing ServerReqChallenge\n");
95 creds = talloc(tctx, struct creds_CredentialState);
96 torture_assert(tctx, creds != NULL, "memory allocation");
98 r.in.server_name = NULL;
99 r.in.computer_name = machine_name;
100 r.in.credentials = &credentials1;
101 r.out.return_credentials = &credentials2;
103 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
105 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
106 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
108 a.in.server_name = NULL;
109 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
110 a.in.secure_channel_type = SEC_CHAN_BDC;
111 a.in.computer_name = machine_name;
112 a.in.credentials = &credentials3;
113 a.out.return_credentials = &credentials3;
115 creds_client_init(creds, &credentials1, &credentials2,
116 mach_password, &credentials3,
119 torture_comment(tctx, "Testing ServerAuthenticate\n");
121 status = dcerpc_netr_ServerAuthenticate(p, tctx, &a);
123 /* This allows the tests to continue against the more fussy windows 2008 */
124 if (NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED)) {
125 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
126 credentials, SEC_CHAN_BDC, creds_out);
129 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
131 torture_assert(tctx, creds_client_check(creds, &credentials3),
132 "Credential chaining failed");
138 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
139 uint32_t negotiate_flags,
140 struct cli_credentials *machine_credentials,
142 struct creds_CredentialState **creds_out)
145 struct netr_ServerReqChallenge r;
146 struct netr_ServerAuthenticate2 a;
147 struct netr_Credential credentials1, credentials2, credentials3;
148 struct creds_CredentialState *creds;
149 const struct samr_Password *mach_password;
150 const char *machine_name;
152 mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
153 machine_name = cli_credentials_get_workstation(machine_credentials);
155 torture_comment(tctx, "Testing ServerReqChallenge\n");
157 creds = talloc(tctx, struct creds_CredentialState);
158 torture_assert(tctx, creds != NULL, "memory allocation");
160 r.in.server_name = NULL;
161 r.in.computer_name = machine_name;
162 r.in.credentials = &credentials1;
163 r.out.return_credentials = &credentials2;
165 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
167 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
168 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
170 a.in.server_name = NULL;
171 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
172 a.in.secure_channel_type = sec_chan_type;
173 a.in.computer_name = machine_name;
174 a.in.negotiate_flags = &negotiate_flags;
175 a.out.negotiate_flags = &negotiate_flags;
176 a.in.credentials = &credentials3;
177 a.out.return_credentials = &credentials3;
179 creds_client_init(creds, &credentials1, &credentials2,
180 mach_password, &credentials3,
183 torture_comment(tctx, "Testing ServerAuthenticate2\n");
185 status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a);
186 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2");
188 torture_assert(tctx, creds_client_check(creds, &credentials3),
189 "Credential chaining failed");
191 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
198 static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
199 uint32_t negotiate_flags,
200 struct cli_credentials *machine_credentials,
201 struct creds_CredentialState **creds_out)
204 struct netr_ServerReqChallenge r;
205 struct netr_ServerAuthenticate3 a;
206 struct netr_Credential credentials1, credentials2, credentials3;
207 struct creds_CredentialState *creds;
208 struct samr_Password mach_password;
210 const char *machine_name;
211 const char *plain_pass;
213 machine_name = cli_credentials_get_workstation(machine_credentials);
214 plain_pass = cli_credentials_get_password(machine_credentials);
216 torture_comment(tctx, "Testing ServerReqChallenge\n");
218 creds = talloc(tctx, struct creds_CredentialState);
219 torture_assert(tctx, creds != NULL, "memory allocation");
221 r.in.server_name = NULL;
222 r.in.computer_name = machine_name;
223 r.in.credentials = &credentials1;
224 r.out.return_credentials = &credentials2;
226 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
228 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
229 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
231 E_md4hash(plain_pass, mach_password.hash);
233 a.in.server_name = NULL;
234 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
235 a.in.secure_channel_type = SEC_CHAN_BDC;
236 a.in.computer_name = machine_name;
237 a.in.negotiate_flags = &negotiate_flags;
238 a.in.credentials = &credentials3;
239 a.out.return_credentials = &credentials3;
240 a.out.negotiate_flags = &negotiate_flags;
243 creds_client_init(creds, &credentials1, &credentials2,
244 &mach_password, &credentials3,
247 torture_comment(tctx, "Testing ServerAuthenticate3\n");
249 status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
250 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
251 torture_assert(tctx, creds_client_check(creds, &credentials3), "Credential chaining failed");
253 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
255 /* Prove that requesting a challenge again won't break it */
256 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
257 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
264 try a change password for our machine account
266 static bool test_SetPassword(struct torture_context *tctx,
267 struct dcerpc_pipe *p,
268 struct cli_credentials *machine_credentials)
271 struct netr_ServerPasswordSet r;
272 const char *password;
273 struct creds_CredentialState *creds;
274 struct netr_Authenticator credential, return_authenticator;
275 struct samr_Password new_password;
277 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
281 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
282 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
283 r.in.secure_channel_type = SEC_CHAN_BDC;
284 r.in.computer_name = TEST_MACHINE_NAME;
285 r.in.credential = &credential;
286 r.in.new_password = &new_password;
287 r.out.return_authenticator = &return_authenticator;
289 password = generate_random_str(tctx, 8);
290 E_md4hash(password, new_password.hash);
292 creds_des_encrypt(creds, &new_password);
294 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
295 torture_comment(tctx, "Changing machine account password to '%s'\n",
298 creds_client_authenticator(creds, &credential);
300 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
301 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
303 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
304 torture_comment(tctx, "Credential chaining failed\n");
307 /* by changing the machine password twice we test the
308 credentials chaining fully, and we verify that the server
309 allows the password to be set to the same value twice in a
310 row (match win2k3) */
311 torture_comment(tctx,
312 "Testing a second ServerPasswordSet on machine account\n");
313 torture_comment(tctx,
314 "Changing machine account password to '%s' (same as previous run)\n", password);
316 creds_client_authenticator(creds, &credential);
318 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
319 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
321 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
322 torture_comment(tctx, "Credential chaining failed\n");
325 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
328 test_SetupCredentials(p, tctx, machine_credentials, &creds),
329 "ServerPasswordSet failed to actually change the password");
335 generate a random password for password change tests
337 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
340 DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
341 generate_random_buffer(password.data, password.length);
343 for (i=0; i < len; i++) {
344 if (((uint16_t *)password.data)[i] == 0) {
345 ((uint16_t *)password.data)[i] = 1;
353 try a change password for our machine account
355 static bool test_SetPassword2(struct torture_context *tctx,
356 struct dcerpc_pipe *p,
357 struct cli_credentials *machine_credentials)
360 struct netr_ServerPasswordSet2 r;
361 const char *password;
362 DATA_BLOB new_random_pass;
363 struct creds_CredentialState *creds;
364 struct samr_CryptPassword password_buf;
365 struct samr_Password nt_hash;
366 struct netr_Authenticator credential, return_authenticator;
367 struct netr_CryptPassword new_password;
369 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
373 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
374 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
375 r.in.secure_channel_type = SEC_CHAN_BDC;
376 r.in.computer_name = TEST_MACHINE_NAME;
377 r.in.credential = &credential;
378 r.in.new_password = &new_password;
379 r.out.return_authenticator = &return_authenticator;
381 password = generate_random_str(tctx, 8);
382 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
383 creds_arcfour_crypt(creds, password_buf.data, 516);
385 memcpy(new_password.data, password_buf.data, 512);
386 new_password.length = IVAL(password_buf.data, 512);
388 torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
389 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
391 creds_client_authenticator(creds, &credential);
393 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
394 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
396 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
397 torture_comment(tctx, "Credential chaining failed\n");
400 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
402 if (!torture_setting_bool(tctx, "dangerous", false)) {
403 torture_comment(tctx,
404 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
406 /* by changing the machine password to ""
407 * we check if the server uses password restrictions
408 * for ServerPasswordSet2
409 * (win2k3 accepts "")
412 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
413 creds_arcfour_crypt(creds, password_buf.data, 516);
415 memcpy(new_password.data, password_buf.data, 512);
416 new_password.length = IVAL(password_buf.data, 512);
418 torture_comment(tctx,
419 "Testing ServerPasswordSet2 on machine account\n");
420 torture_comment(tctx,
421 "Changing machine account password to '%s'\n", password);
423 creds_client_authenticator(creds, &credential);
425 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
426 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
428 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
429 torture_comment(tctx, "Credential chaining failed\n");
432 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
435 torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
436 "ServerPasswordSet failed to actually change the password");
438 /* now try a random password */
439 password = generate_random_str(tctx, 8);
440 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
441 creds_arcfour_crypt(creds, password_buf.data, 516);
443 memcpy(new_password.data, password_buf.data, 512);
444 new_password.length = IVAL(password_buf.data, 512);
446 torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
447 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
449 creds_client_authenticator(creds, &credential);
451 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
452 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)");
454 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
455 torture_comment(tctx, "Credential chaining failed\n");
458 /* by changing the machine password twice we test the
459 credentials chaining fully, and we verify that the server
460 allows the password to be set to the same value twice in a
461 row (match win2k3) */
462 torture_comment(tctx,
463 "Testing a second ServerPasswordSet2 on machine account\n");
464 torture_comment(tctx,
465 "Changing machine account password to '%s' (same as previous run)\n", password);
467 creds_client_authenticator(creds, &credential);
469 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
470 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
472 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
473 torture_comment(tctx, "Credential chaining failed\n");
476 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
478 torture_assert (tctx,
479 test_SetupCredentials(p, tctx, machine_credentials, &creds),
480 "ServerPasswordSet failed to actually change the password");
482 new_random_pass = netlogon_very_rand_pass(tctx, 128);
484 /* now try a random stream of bytes for a password */
485 set_pw_in_buffer(password_buf.data, &new_random_pass);
487 creds_arcfour_crypt(creds, password_buf.data, 516);
489 memcpy(new_password.data, password_buf.data, 512);
490 new_password.length = IVAL(password_buf.data, 512);
492 torture_comment(tctx,
493 "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
495 creds_client_authenticator(creds, &credential);
497 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
498 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
500 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
501 torture_comment(tctx, "Credential chaining failed\n");
504 mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
506 cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
507 cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
509 torture_assert (tctx,
510 test_SetupCredentials(p, tctx, machine_credentials, &creds),
511 "ServerPasswordSet failed to actually change the password");
516 static bool test_GetPassword(struct torture_context *tctx,
517 struct dcerpc_pipe *p,
518 struct cli_credentials *machine_credentials)
520 struct netr_ServerPasswordGet r;
521 struct creds_CredentialState *creds;
522 struct netr_Authenticator credential;
524 struct netr_Authenticator return_authenticator;
525 struct samr_Password password;
527 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
531 creds_client_authenticator(creds, &credential);
533 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
534 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
535 r.in.secure_channel_type = SEC_CHAN_BDC;
536 r.in.computer_name = TEST_MACHINE_NAME;
537 r.in.credential = &credential;
538 r.out.return_authenticator = &return_authenticator;
539 r.out.password = &password;
541 status = dcerpc_netr_ServerPasswordGet(p, tctx, &r);
542 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
547 static bool test_GetTrustPasswords(struct torture_context *tctx,
548 struct dcerpc_pipe *p,
549 struct cli_credentials *machine_credentials)
551 struct netr_ServerTrustPasswordsGet r;
552 struct creds_CredentialState *creds;
553 struct netr_Authenticator credential;
555 struct netr_Authenticator return_authenticator;
556 struct samr_Password password, password2;
558 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
562 creds_client_authenticator(creds, &credential);
564 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
565 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
566 r.in.secure_channel_type = SEC_CHAN_BDC;
567 r.in.computer_name = TEST_MACHINE_NAME;
568 r.in.credential = &credential;
569 r.out.return_authenticator = &return_authenticator;
570 r.out.password = &password;
571 r.out.password2 = &password2;
573 status = dcerpc_netr_ServerTrustPasswordsGet(p, tctx, &r);
574 torture_assert_ntstatus_ok(tctx, status, "ServerTrustPasswordsGet");
580 try a netlogon SamLogon
582 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
583 struct cli_credentials *credentials,
584 struct creds_CredentialState *creds)
587 struct netr_LogonSamLogon r;
588 struct netr_Authenticator auth, auth2;
589 union netr_LogonLevel logon;
590 union netr_Validation validation;
591 uint8_t authoritative;
592 struct netr_NetworkInfo ninfo;
593 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
595 int flags = CLI_CRED_NTLM_AUTH;
596 if (lp_client_lanman_auth(tctx->lp_ctx)) {
597 flags |= CLI_CRED_LANMAN_AUTH;
600 if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
601 flags |= CLI_CRED_NTLMv2_AUTH;
604 cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
605 &ninfo.identity_info.account_name.string,
606 &ninfo.identity_info.domain_name.string);
608 generate_random_buffer(ninfo.challenge,
609 sizeof(ninfo.challenge));
610 chal = data_blob_const(ninfo.challenge,
611 sizeof(ninfo.challenge));
613 names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
614 cli_credentials_get_domain(credentials));
616 status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
622 torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
624 ninfo.lm.data = lm_resp.data;
625 ninfo.lm.length = lm_resp.length;
627 ninfo.nt.data = nt_resp.data;
628 ninfo.nt.length = nt_resp.length;
630 ninfo.identity_info.parameter_control = 0;
631 ninfo.identity_info.logon_id_low = 0;
632 ninfo.identity_info.logon_id_high = 0;
633 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
635 logon.network = &ninfo;
637 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
638 r.in.computer_name = cli_credentials_get_workstation(credentials);
639 r.in.credential = &auth;
640 r.in.return_authenticator = &auth2;
641 r.in.logon_level = 2;
643 r.out.validation = &validation;
644 r.out.authoritative = &authoritative;
646 d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
650 creds_client_authenticator(creds, &auth);
652 r.in.validation_level = i;
654 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
655 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
657 torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
658 "Credential chaining failed");
661 r.in.credential = NULL;
665 r.in.validation_level = i;
667 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
669 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
670 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
671 "LogonSamLogon expected INVALID_PARAMETER");
679 try a netlogon SamLogon
681 static bool test_SamLogon(struct torture_context *tctx,
682 struct dcerpc_pipe *p,
683 struct cli_credentials *credentials)
685 struct creds_CredentialState *creds;
687 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
691 return test_netlogon_ops(p, tctx, credentials, creds);
694 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
695 static uint64_t sequence_nums[3];
698 try a netlogon DatabaseSync
700 static bool test_DatabaseSync(struct torture_context *tctx,
701 struct dcerpc_pipe *p,
702 struct cli_credentials *machine_credentials)
705 struct netr_DatabaseSync r;
706 struct creds_CredentialState *creds;
707 const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
709 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
710 struct netr_Authenticator credential, return_authenticator;
712 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
716 ZERO_STRUCT(return_authenticator);
718 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
719 r.in.computername = TEST_MACHINE_NAME;
720 r.in.preferredmaximumlength = (uint32_t)-1;
721 r.in.return_authenticator = &return_authenticator;
722 r.out.delta_enum_array = &delta_enum_array;
723 r.out.return_authenticator = &return_authenticator;
725 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
727 uint32_t sync_context = 0;
729 r.in.database_id = database_ids[i];
730 r.in.sync_context = &sync_context;
731 r.out.sync_context = &sync_context;
733 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
736 creds_client_authenticator(creds, &credential);
738 r.in.credential = &credential;
740 status = dcerpc_netr_DatabaseSync(p, tctx, &r);
741 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
744 /* Native mode servers don't do this */
745 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
748 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync");
750 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
751 torture_comment(tctx, "Credential chaining failed\n");
754 if (delta_enum_array &&
755 delta_enum_array->num_deltas > 0 &&
756 delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
757 delta_enum_array->delta_enum[0].delta_union.domain) {
758 sequence_nums[r.in.database_id] =
759 delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
760 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
762 (unsigned long long)sequence_nums[r.in.database_id]);
764 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
772 try a netlogon DatabaseDeltas
774 static bool test_DatabaseDeltas(struct torture_context *tctx,
775 struct dcerpc_pipe *p,
776 struct cli_credentials *machine_credentials)
779 struct netr_DatabaseDeltas r;
780 struct creds_CredentialState *creds;
781 struct netr_Authenticator credential;
782 struct netr_Authenticator return_authenticator;
783 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
784 const uint32_t database_ids[] = {0, 1, 2};
787 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
791 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
792 r.in.computername = TEST_MACHINE_NAME;
793 r.in.preferredmaximumlength = (uint32_t)-1;
794 ZERO_STRUCT(r.in.return_authenticator);
795 r.out.return_authenticator = &return_authenticator;
796 r.out.delta_enum_array = &delta_enum_array;
798 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
799 r.in.database_id = database_ids[i];
800 r.in.sequence_num = &sequence_nums[r.in.database_id];
802 if (*r.in.sequence_num == 0) continue;
804 *r.in.sequence_num -= 1;
806 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
807 r.in.database_id, (unsigned long long)*r.in.sequence_num);
810 creds_client_authenticator(creds, &credential);
812 status = dcerpc_netr_DatabaseDeltas(p, tctx, &r);
813 if (NT_STATUS_EQUAL(status,
814 NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
815 torture_comment(tctx, "not considering %s to be an error\n",
819 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
822 torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas");
824 if (!creds_client_check(creds, &return_authenticator.cred)) {
825 torture_comment(tctx, "Credential chaining failed\n");
828 (*r.in.sequence_num)++;
829 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
835 static bool test_DatabaseRedo(struct torture_context *tctx,
836 struct dcerpc_pipe *p,
837 struct cli_credentials *machine_credentials)
840 struct netr_DatabaseRedo r;
841 struct creds_CredentialState *creds;
842 struct netr_Authenticator credential;
843 struct netr_Authenticator return_authenticator;
844 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
845 struct netr_ChangeLogEntry e;
846 struct dom_sid null_sid, *sid;
849 ZERO_STRUCT(null_sid);
851 sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
862 NTSTATUS expected_error;
863 uint32_t expected_num_results;
864 uint8_t expected_delta_type_1;
865 uint8_t expected_delta_type_2;
869 /* SAM_DATABASE_DOMAIN */
874 .db_index = SAM_DATABASE_DOMAIN,
875 .delta_type = NETR_DELTA_MODIFY_COUNT,
878 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
879 .expected_num_results = 0,
880 .comment = "NETR_DELTA_MODIFY_COUNT"
885 .db_index = SAM_DATABASE_DOMAIN,
889 .expected_error = NT_STATUS_OK,
890 .expected_num_results = 1,
891 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
892 .comment = "NULL DELTA"
897 .db_index = SAM_DATABASE_DOMAIN,
898 .delta_type = NETR_DELTA_DOMAIN,
901 .expected_error = NT_STATUS_OK,
902 .expected_num_results = 1,
903 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
904 .comment = "NETR_DELTA_DOMAIN"
907 .rid = DOMAIN_RID_ADMINISTRATOR,
909 .db_index = SAM_DATABASE_DOMAIN,
910 .delta_type = NETR_DELTA_USER,
913 .expected_error = NT_STATUS_OK,
914 .expected_num_results = 1,
915 .expected_delta_type_1 = NETR_DELTA_USER,
916 .comment = "NETR_DELTA_USER by rid 500"
919 .rid = DOMAIN_RID_GUEST,
921 .db_index = SAM_DATABASE_DOMAIN,
922 .delta_type = NETR_DELTA_USER,
925 .expected_error = NT_STATUS_OK,
926 .expected_num_results = 1,
927 .expected_delta_type_1 = NETR_DELTA_USER,
928 .comment = "NETR_DELTA_USER by rid 501"
932 .flags = NETR_CHANGELOG_SID_INCLUDED,
933 .db_index = SAM_DATABASE_DOMAIN,
934 .delta_type = NETR_DELTA_USER,
937 .expected_error = NT_STATUS_OK,
938 .expected_num_results = 1,
939 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
940 .comment = "NETR_DELTA_USER by sid and flags"
944 .flags = NETR_CHANGELOG_SID_INCLUDED,
945 .db_index = SAM_DATABASE_DOMAIN,
946 .delta_type = NETR_DELTA_USER,
949 .expected_error = NT_STATUS_OK,
950 .expected_num_results = 1,
951 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
952 .comment = "NETR_DELTA_USER by null_sid and flags"
956 .flags = NETR_CHANGELOG_NAME_INCLUDED,
957 .db_index = SAM_DATABASE_DOMAIN,
958 .delta_type = NETR_DELTA_USER,
960 .name = "administrator",
961 .expected_error = NT_STATUS_OK,
962 .expected_num_results = 1,
963 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
964 .comment = "NETR_DELTA_USER by name 'administrator'"
967 .rid = DOMAIN_RID_ADMINS,
969 .db_index = SAM_DATABASE_DOMAIN,
970 .delta_type = NETR_DELTA_GROUP,
973 .expected_error = NT_STATUS_OK,
974 .expected_num_results = 2,
975 .expected_delta_type_1 = NETR_DELTA_GROUP,
976 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
977 .comment = "NETR_DELTA_GROUP by rid 512"
980 .rid = DOMAIN_RID_ADMINS,
982 .db_index = SAM_DATABASE_DOMAIN,
983 .delta_type = NETR_DELTA_GROUP_MEMBER,
986 .expected_error = NT_STATUS_OK,
987 .expected_num_results = 2,
988 .expected_delta_type_1 = NETR_DELTA_GROUP,
989 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
990 .comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
994 /* SAM_DATABASE_BUILTIN */
999 .db_index = SAM_DATABASE_BUILTIN,
1000 .delta_type = NETR_DELTA_MODIFY_COUNT,
1003 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1004 .expected_num_results = 0,
1005 .comment = "NETR_DELTA_MODIFY_COUNT"
1010 .db_index = SAM_DATABASE_BUILTIN,
1011 .delta_type = NETR_DELTA_DOMAIN,
1014 .expected_error = NT_STATUS_OK,
1015 .expected_num_results = 1,
1016 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1017 .comment = "NETR_DELTA_DOMAIN"
1020 .rid = DOMAIN_RID_ADMINISTRATOR,
1022 .db_index = SAM_DATABASE_BUILTIN,
1023 .delta_type = NETR_DELTA_USER,
1026 .expected_error = NT_STATUS_OK,
1027 .expected_num_results = 1,
1028 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1029 .comment = "NETR_DELTA_USER by rid 500"
1034 .db_index = SAM_DATABASE_BUILTIN,
1035 .delta_type = NETR_DELTA_USER,
1038 .expected_error = NT_STATUS_OK,
1039 .expected_num_results = 1,
1040 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1041 .comment = "NETR_DELTA_USER"
1046 .db_index = SAM_DATABASE_BUILTIN,
1047 .delta_type = NETR_DELTA_ALIAS,
1050 .expected_error = NT_STATUS_OK,
1051 .expected_num_results = 2,
1052 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1053 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1054 .comment = "NETR_DELTA_ALIAS by rid 544"
1059 .db_index = SAM_DATABASE_BUILTIN,
1060 .delta_type = NETR_DELTA_ALIAS_MEMBER,
1063 .expected_error = NT_STATUS_OK,
1064 .expected_num_results = 2,
1065 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1066 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1067 .comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1072 .db_index = SAM_DATABASE_BUILTIN,
1076 .expected_error = NT_STATUS_OK,
1077 .expected_num_results = 1,
1078 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1079 .comment = "NULL DELTA by rid 544"
1083 .flags = NETR_CHANGELOG_SID_INCLUDED,
1084 .db_index = SAM_DATABASE_BUILTIN,
1086 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1088 .expected_error = NT_STATUS_OK,
1089 .expected_num_results = 1,
1090 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1091 .comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1095 .flags = NETR_CHANGELOG_SID_INCLUDED,
1096 .db_index = SAM_DATABASE_BUILTIN,
1097 .delta_type = NETR_DELTA_ALIAS,
1098 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1100 .expected_error = NT_STATUS_OK,
1101 .expected_num_results = 2,
1102 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1103 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1104 .comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1108 .flags = NETR_CHANGELOG_SID_INCLUDED,
1109 .db_index = SAM_DATABASE_BUILTIN,
1110 .delta_type = NETR_DELTA_ALIAS,
1111 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1113 .expected_error = NT_STATUS_OK,
1114 .expected_num_results = 1,
1115 .expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
1116 .comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1119 /* SAM_DATABASE_PRIVS */
1124 .db_index = SAM_DATABASE_PRIVS,
1128 .expected_error = NT_STATUS_ACCESS_DENIED,
1129 .expected_num_results = 0,
1130 .comment = "NULL DELTA"
1135 .db_index = SAM_DATABASE_PRIVS,
1136 .delta_type = NETR_DELTA_MODIFY_COUNT,
1139 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1140 .expected_num_results = 0,
1141 .comment = "NETR_DELTA_MODIFY_COUNT"
1146 .db_index = SAM_DATABASE_PRIVS,
1147 .delta_type = NETR_DELTA_POLICY,
1150 .expected_error = NT_STATUS_OK,
1151 .expected_num_results = 1,
1152 .expected_delta_type_1 = NETR_DELTA_POLICY,
1153 .comment = "NETR_DELTA_POLICY"
1157 .flags = NETR_CHANGELOG_SID_INCLUDED,
1158 .db_index = SAM_DATABASE_PRIVS,
1159 .delta_type = NETR_DELTA_POLICY,
1162 .expected_error = NT_STATUS_OK,
1163 .expected_num_results = 1,
1164 .expected_delta_type_1 = NETR_DELTA_POLICY,
1165 .comment = "NETR_DELTA_POLICY by null sid and flags"
1169 .flags = NETR_CHANGELOG_SID_INCLUDED,
1170 .db_index = SAM_DATABASE_PRIVS,
1171 .delta_type = NETR_DELTA_POLICY,
1172 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1174 .expected_error = NT_STATUS_OK,
1175 .expected_num_results = 1,
1176 .expected_delta_type_1 = NETR_DELTA_POLICY,
1177 .comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1180 .rid = DOMAIN_RID_ADMINISTRATOR,
1182 .db_index = SAM_DATABASE_PRIVS,
1183 .delta_type = NETR_DELTA_ACCOUNT,
1186 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1187 .expected_num_results = 0,
1188 .comment = "NETR_DELTA_ACCOUNT by rid 500"
1192 .flags = NETR_CHANGELOG_SID_INCLUDED,
1193 .db_index = SAM_DATABASE_PRIVS,
1194 .delta_type = NETR_DELTA_ACCOUNT,
1195 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1197 .expected_error = NT_STATUS_OK,
1198 .expected_num_results = 1,
1199 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1200 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1204 .flags = NETR_CHANGELOG_SID_INCLUDED |
1205 NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1206 .db_index = SAM_DATABASE_PRIVS,
1207 .delta_type = NETR_DELTA_ACCOUNT,
1208 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1210 .expected_error = NT_STATUS_OK,
1211 .expected_num_results = 1,
1212 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1213 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1217 .flags = NETR_CHANGELOG_SID_INCLUDED |
1218 NETR_CHANGELOG_NAME_INCLUDED,
1219 .db_index = SAM_DATABASE_PRIVS,
1220 .delta_type = NETR_DELTA_ACCOUNT,
1221 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1223 .expected_error = NT_STATUS_INVALID_PARAMETER,
1224 .expected_num_results = 0,
1225 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1228 .rid = DOMAIN_RID_ADMINISTRATOR,
1229 .flags = NETR_CHANGELOG_SID_INCLUDED,
1230 .db_index = SAM_DATABASE_PRIVS,
1231 .delta_type = NETR_DELTA_ACCOUNT,
1234 .expected_error = NT_STATUS_OK,
1235 .expected_num_results = 1,
1236 .expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
1237 .comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1241 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1242 .db_index = SAM_DATABASE_PRIVS,
1243 .delta_type = NETR_DELTA_SECRET,
1245 .name = "IsurelydontexistIhope",
1246 .expected_error = NT_STATUS_OK,
1247 .expected_num_results = 1,
1248 .expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
1249 .comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1253 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1254 .db_index = SAM_DATABASE_PRIVS,
1255 .delta_type = NETR_DELTA_SECRET,
1257 .name = "G$BCKUPKEY_P",
1258 .expected_error = NT_STATUS_OK,
1259 .expected_num_results = 1,
1260 .expected_delta_type_1 = NETR_DELTA_SECRET,
1261 .comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1265 ZERO_STRUCT(return_authenticator);
1267 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1268 r.in.computername = TEST_MACHINE_NAME;
1269 r.in.return_authenticator = &return_authenticator;
1270 r.out.return_authenticator = &return_authenticator;
1271 r.out.delta_enum_array = &delta_enum_array;
1273 for (d=0; d<3; d++) {
1275 const char *database;
1282 database = "BUILTIN";
1291 torture_comment(tctx, "Testing DatabaseRedo\n");
1293 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1297 for (i=0;i<ARRAY_SIZE(changes);i++) {
1299 if (d != changes[i].db_index) {
1303 creds_client_authenticator(creds, &credential);
1305 r.in.credential = &credential;
1307 e.serial_number1 = 0;
1308 e.serial_number2 = 0;
1309 e.object_rid = changes[i].rid;
1310 e.flags = changes[i].flags;
1311 e.db_index = changes[i].db_index;
1312 e.delta_type = changes[i].delta_type;
1314 switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1315 case NETR_CHANGELOG_SID_INCLUDED:
1316 e.object.object_sid = changes[i].sid;
1318 case NETR_CHANGELOG_NAME_INCLUDED:
1319 e.object.object_name = changes[i].name;
1325 r.in.change_log_entry = e;
1327 torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1328 database, changes[i].comment);
1330 status = dcerpc_netr_DatabaseRedo(p, tctx, &r);
1331 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1335 torture_assert_ntstatus_equal(tctx, status, changes[i].expected_error, changes[i].comment);
1336 if (delta_enum_array) {
1337 torture_assert_int_equal(tctx,
1338 delta_enum_array->num_deltas,
1339 changes[i].expected_num_results,
1340 changes[i].comment);
1341 if (delta_enum_array->num_deltas > 0) {
1342 torture_assert_int_equal(tctx,
1343 delta_enum_array->delta_enum[0].delta_type,
1344 changes[i].expected_delta_type_1,
1345 changes[i].comment);
1347 if (delta_enum_array->num_deltas > 1) {
1348 torture_assert_int_equal(tctx,
1349 delta_enum_array->delta_enum[1].delta_type,
1350 changes[i].expected_delta_type_2,
1351 changes[i].comment);
1355 if (!creds_client_check(creds, &return_authenticator.cred)) {
1356 torture_comment(tctx, "Credential chaining failed\n");
1357 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1369 try a netlogon AccountDeltas
1371 static bool test_AccountDeltas(struct torture_context *tctx,
1372 struct dcerpc_pipe *p,
1373 struct cli_credentials *machine_credentials)
1376 struct netr_AccountDeltas r;
1377 struct creds_CredentialState *creds;
1379 struct netr_AccountBuffer buffer;
1380 uint32_t count_returned = 0;
1381 uint32_t total_entries = 0;
1382 struct netr_UAS_INFO_0 recordid;
1383 struct netr_Authenticator return_authenticator;
1385 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1389 ZERO_STRUCT(return_authenticator);
1391 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1392 r.in.computername = TEST_MACHINE_NAME;
1393 r.in.return_authenticator = &return_authenticator;
1394 creds_client_authenticator(creds, &r.in.credential);
1395 ZERO_STRUCT(r.in.uas);
1398 r.in.buffersize=100;
1399 r.out.buffer = &buffer;
1400 r.out.count_returned = &count_returned;
1401 r.out.total_entries = &total_entries;
1402 r.out.recordid = &recordid;
1403 r.out.return_authenticator = &return_authenticator;
1405 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1406 status = dcerpc_netr_AccountDeltas(p, tctx, &r);
1407 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1413 try a netlogon AccountSync
1415 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
1416 struct cli_credentials *machine_credentials)
1419 struct netr_AccountSync r;
1420 struct creds_CredentialState *creds;
1422 struct netr_AccountBuffer buffer;
1423 uint32_t count_returned = 0;
1424 uint32_t total_entries = 0;
1425 uint32_t next_reference = 0;
1426 struct netr_UAS_INFO_0 recordid;
1427 struct netr_Authenticator return_authenticator;
1429 ZERO_STRUCT(recordid);
1430 ZERO_STRUCT(return_authenticator);
1432 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1436 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1437 r.in.computername = TEST_MACHINE_NAME;
1438 r.in.return_authenticator = &return_authenticator;
1439 creds_client_authenticator(creds, &r.in.credential);
1440 r.in.recordid = &recordid;
1443 r.in.buffersize=100;
1444 r.out.buffer = &buffer;
1445 r.out.count_returned = &count_returned;
1446 r.out.total_entries = &total_entries;
1447 r.out.next_reference = &next_reference;
1448 r.out.recordid = &recordid;
1449 r.out.return_authenticator = &return_authenticator;
1451 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1452 status = dcerpc_netr_AccountSync(p, tctx, &r);
1453 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1459 try a netlogon GetDcName
1461 static bool test_GetDcName(struct torture_context *tctx,
1462 struct dcerpc_pipe *p)
1465 struct netr_GetDcName r;
1466 const char *dcname = NULL;
1468 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1469 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1470 r.out.dcname = &dcname;
1472 status = dcerpc_netr_GetDcName(p, tctx, &r);
1473 torture_assert_ntstatus_ok(tctx, status, "GetDcName");
1474 torture_assert_werr_ok(tctx, r.out.result, "GetDcName");
1476 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1482 try a netlogon LogonControl
1484 static bool test_LogonControl(struct torture_context *tctx,
1485 struct dcerpc_pipe *p)
1488 struct netr_LogonControl r;
1489 union netr_CONTROL_QUERY_INFORMATION info;
1492 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1493 r.in.function_code = 1;
1499 torture_comment(tctx, "Testing LogonControl level %d\n", i);
1501 status = dcerpc_netr_LogonControl(p, tctx, &r);
1502 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1510 try a netlogon GetAnyDCName
1512 static bool test_GetAnyDCName(struct torture_context *tctx,
1513 struct dcerpc_pipe *p)
1516 struct netr_GetAnyDCName r;
1517 const char *dcname = NULL;
1519 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1520 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1521 r.out.dcname = &dcname;
1523 status = dcerpc_netr_GetAnyDCName(p, tctx, &r);
1524 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1525 torture_assert_werr_ok(tctx, r.out.result, "GetAnyDCName");
1528 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1536 try a netlogon LogonControl2
1538 static bool test_LogonControl2(struct torture_context *tctx,
1539 struct dcerpc_pipe *p)
1542 struct netr_LogonControl2 r;
1543 union netr_CONTROL_DATA_INFORMATION data;
1544 union netr_CONTROL_QUERY_INFORMATION query;
1547 data.domain = lp_workgroup(tctx->lp_ctx);
1549 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1551 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1553 r.out.query = &query;
1558 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1559 i, r.in.function_code);
1561 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1562 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1565 data.domain = lp_workgroup(tctx->lp_ctx);
1567 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1573 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1574 i, r.in.function_code);
1576 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1577 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1580 data.domain = lp_workgroup(tctx->lp_ctx);
1582 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1588 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1589 i, r.in.function_code);
1591 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1592 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1595 data.debug_level = ~0;
1597 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1603 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1604 i, r.in.function_code);
1606 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1607 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1614 try a netlogon DatabaseSync2
1616 static bool test_DatabaseSync2(struct torture_context *tctx,
1617 struct dcerpc_pipe *p,
1618 struct cli_credentials *machine_credentials)
1621 struct netr_DatabaseSync2 r;
1622 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1623 struct netr_Authenticator return_authenticator, credential;
1625 struct creds_CredentialState *creds;
1626 const uint32_t database_ids[] = {0, 1, 2};
1629 if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
1630 machine_credentials,
1631 SEC_CHAN_BDC, &creds)) {
1635 ZERO_STRUCT(return_authenticator);
1637 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1638 r.in.computername = TEST_MACHINE_NAME;
1639 r.in.preferredmaximumlength = (uint32_t)-1;
1640 r.in.return_authenticator = &return_authenticator;
1641 r.out.return_authenticator = &return_authenticator;
1642 r.out.delta_enum_array = &delta_enum_array;
1644 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1646 uint32_t sync_context = 0;
1648 r.in.database_id = database_ids[i];
1649 r.in.sync_context = &sync_context;
1650 r.out.sync_context = &sync_context;
1651 r.in.restart_state = 0;
1653 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
1656 creds_client_authenticator(creds, &credential);
1658 r.in.credential = &credential;
1660 status = dcerpc_netr_DatabaseSync2(p, tctx, &r);
1661 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
1664 /* Native mode servers don't do this */
1665 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1669 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2");
1671 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
1672 torture_comment(tctx, "Credential chaining failed\n");
1675 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1683 try a netlogon LogonControl2Ex
1685 static bool test_LogonControl2Ex(struct torture_context *tctx,
1686 struct dcerpc_pipe *p)
1689 struct netr_LogonControl2Ex r;
1690 union netr_CONTROL_DATA_INFORMATION data;
1691 union netr_CONTROL_QUERY_INFORMATION query;
1694 data.domain = lp_workgroup(tctx->lp_ctx);
1696 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1698 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1700 r.out.query = &query;
1705 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1706 i, r.in.function_code);
1708 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1709 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1712 data.domain = lp_workgroup(tctx->lp_ctx);
1714 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1720 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1721 i, r.in.function_code);
1723 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1724 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1727 data.domain = lp_workgroup(tctx->lp_ctx);
1729 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1735 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1736 i, r.in.function_code);
1738 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1739 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1742 data.debug_level = ~0;
1744 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1750 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1751 i, r.in.function_code);
1753 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1754 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1760 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
1761 struct dcerpc_pipe *p, const char *trusted_domain_name)
1764 struct netr_DsRGetForestTrustInformation r;
1765 struct lsa_ForestTrustInformation info, *info_ptr;
1769 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1770 r.in.trusted_domain_name = trusted_domain_name;
1772 r.out.forest_trust_info = &info_ptr;
1774 torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
1776 status = dcerpc_netr_DsRGetForestTrustInformation(p, tctx, &r);
1777 torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
1778 torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
1784 try a netlogon netr_DsrEnumerateDomainTrusts
1786 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
1787 struct dcerpc_pipe *p)
1790 struct netr_DsrEnumerateDomainTrusts r;
1791 struct netr_DomainTrustList trusts;
1794 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1795 r.in.trust_flags = 0x3f;
1796 r.out.trusts = &trusts;
1798 status = dcerpc_netr_DsrEnumerateDomainTrusts(p, tctx, &r);
1799 torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
1800 torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
1802 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
1803 * will show non-forest trusts and all UPN suffixes of the own forest
1804 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
1806 if (r.out.trusts->count) {
1807 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
1812 for (i=0; i<r.out.trusts->count; i++) {
1814 /* get info for transitive forest trusts */
1816 if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1817 if (!test_netr_DsRGetForestTrustInformation(tctx, p,
1818 r.out.trusts->array[i].dns_name)) {
1827 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
1828 struct dcerpc_pipe *p)
1831 struct netr_NetrEnumerateTrustedDomains r;
1832 struct netr_Blob trusted_domains_blob;
1834 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1835 r.out.trusted_domains_blob = &trusted_domains_blob;
1837 status = dcerpc_netr_NetrEnumerateTrustedDomains(p, tctx, &r);
1838 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
1839 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
1844 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
1845 struct dcerpc_pipe *p)
1848 struct netr_NetrEnumerateTrustedDomainsEx r;
1849 struct netr_DomainTrustList dom_trust_list;
1851 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1852 r.out.dom_trust_list = &dom_trust_list;
1854 status = dcerpc_netr_NetrEnumerateTrustedDomainsEx(p, tctx, &r);
1855 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
1856 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
1862 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
1863 const char *computer_name,
1864 const char *expected_site)
1867 struct netr_DsRGetSiteName r;
1868 const char *site = NULL;
1870 if (torture_setting_bool(tctx, "samba4", false))
1871 torture_skip(tctx, "skipping DsRGetSiteName test against Samba4");
1873 r.in.computer_name = computer_name;
1875 torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
1877 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1878 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1879 torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
1880 torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
1882 r.in.computer_name = talloc_asprintf(tctx, "\\\\%s", computer_name);
1883 torture_comment(tctx,
1884 "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
1886 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1887 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1888 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
1894 try a netlogon netr_DsRGetDCName
1896 static bool test_netr_DsRGetDCName(struct torture_context *tctx,
1897 struct dcerpc_pipe *p)
1900 struct netr_DsRGetDCName r;
1901 struct netr_DsRGetDCNameInfo *info = NULL;
1903 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1904 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1905 r.in.domain_guid = NULL;
1906 r.in.site_guid = NULL;
1907 r.in.flags = DS_RETURN_DNS_NAME;
1910 status = dcerpc_netr_DsRGetDCName(p, tctx, &r);
1911 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
1912 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
1913 return test_netr_DsRGetSiteName(p, tctx,
1915 info->dc_site_name);
1919 try a netlogon netr_DsRGetDCNameEx
1921 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
1922 struct dcerpc_pipe *p)
1925 struct netr_DsRGetDCNameEx r;
1926 struct netr_DsRGetDCNameInfo *info = NULL;
1928 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1929 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1930 r.in.domain_guid = NULL;
1931 r.in.site_name = NULL;
1932 r.in.flags = DS_RETURN_DNS_NAME;
1935 status = dcerpc_netr_DsRGetDCNameEx(p, tctx, &r);
1936 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
1937 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
1939 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1940 info->dc_site_name);
1944 try a netlogon netr_DsRGetDCNameEx2
1946 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
1947 struct dcerpc_pipe *p)
1950 struct netr_DsRGetDCNameEx2 r;
1951 struct netr_DsRGetDCNameInfo *info = NULL;
1953 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1954 r.in.client_account = NULL;
1955 r.in.mask = 0x00000000;
1956 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1957 r.in.domain_guid = NULL;
1958 r.in.site_name = NULL;
1959 r.in.flags = DS_RETURN_DNS_NAME;
1962 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
1964 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1965 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1966 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1968 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client acount\n");
1969 r.in.client_account = TEST_MACHINE_NAME"$";
1970 r.in.mask = ACB_SVRTRUST;
1971 r.in.flags = DS_RETURN_FLAT_NAME;
1974 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1975 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1976 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1977 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1978 info->dc_site_name);
1981 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
1982 struct dcerpc_pipe *p)
1985 struct netr_DsrGetDcSiteCoverageW r;
1986 struct DcSitesCtr *ctr = NULL;
1988 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1991 status = dcerpc_netr_DsrGetDcSiteCoverageW(p, tctx, &r);
1992 torture_assert_ntstatus_ok(tctx, status, "failed");
1993 torture_assert_werr_ok(tctx, r.out.result, "failed");
1998 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
1999 struct dcerpc_pipe *p)
2002 struct netr_DsRAddressToSitenamesW r;
2003 struct netr_DsRAddress addr;
2004 struct netr_DsRAddressToSitenamesWCtr *ctr;
2006 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2009 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2011 addr.buffer[0] = 2; /* AF_INET */
2012 addr.buffer[4] = 127;
2017 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2019 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2020 r.in.addresses[0] = addr;
2023 status = dcerpc_netr_DsRAddressToSitenamesW(p, tctx, &r);
2024 torture_assert_ntstatus_ok(tctx, status, "failed");
2025 torture_assert_werr_ok(tctx, r.out.result, "failed");
2030 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2031 struct dcerpc_pipe *p)
2034 struct netr_DsRAddressToSitenamesExW r;
2035 struct netr_DsRAddress addr;
2036 struct netr_DsRAddressToSitenamesExWCtr *ctr;
2038 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2041 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2043 addr.buffer[0] = 2; /* AF_INET */
2044 addr.buffer[4] = 127;
2049 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2051 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2052 r.in.addresses[0] = addr;
2055 status = dcerpc_netr_DsRAddressToSitenamesExW(p, tctx, &r);
2056 torture_assert_ntstatus_ok(tctx, status, "failed");
2057 torture_assert_werr_ok(tctx, r.out.result, "failed");
2062 static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
2063 struct dcerpc_pipe *p,
2064 struct cli_credentials *machine_credentials)
2067 struct netr_ServerGetTrustInfo r;
2069 struct netr_Authenticator a;
2070 struct netr_Authenticator return_authenticator;
2071 struct samr_Password new_owf_password;
2072 struct samr_Password old_owf_password;
2073 struct netr_TrustInfo *trust_info;
2075 struct creds_CredentialState *creds;
2077 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2078 machine_credentials, &creds)) {
2082 creds_client_authenticator(creds, &a);
2084 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2085 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
2086 r.in.secure_channel_type = SEC_CHAN_BDC;
2087 r.in.computer_name = TEST_MACHINE_NAME;
2088 r.in.credential = &a;
2090 r.out.return_authenticator = &return_authenticator;
2091 r.out.new_owf_password = &new_owf_password;
2092 r.out.old_owf_password = &old_owf_password;
2093 r.out.trust_info = &trust_info;
2095 status = dcerpc_netr_ServerGetTrustInfo(p, tctx, &r);
2096 torture_assert_ntstatus_ok(tctx, status, "failed");
2097 torture_assert(tctx, creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
2103 static bool test_GetDomainInfo(struct torture_context *tctx,
2104 struct dcerpc_pipe *p,
2105 struct cli_credentials *machine_credentials)
2108 struct netr_LogonGetDomainInfo r;
2109 struct netr_DomainQuery1 q1;
2110 struct netr_Authenticator a;
2111 struct creds_CredentialState *creds;
2112 union netr_DomainInfo info;
2114 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2115 machine_credentials, &creds)) {
2121 creds_client_authenticator(creds, &a);
2123 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2124 r.in.computer_name = TEST_MACHINE_NAME;
2126 r.in.credential = &a;
2127 r.in.return_authenticator = &a;
2128 r.out.return_authenticator = &a;
2131 r.in.query.query1 = &q1;
2134 /* this should really be the fully qualified name */
2135 q1.workstation_domain = TEST_MACHINE_NAME;
2136 q1.workstation_site = "Default-First-Site-Name";
2137 q1.blob2.length = 0;
2139 q1.blob2.array = NULL;
2140 q1.product.string = "product string";
2142 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
2144 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2145 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2146 torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
2148 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call\n");
2149 creds_client_authenticator(creds, &a);
2151 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2152 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2153 torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
2159 static void async_callback(struct rpc_request *req)
2161 int *counter = (int *)req->async.private_data;
2162 if (NT_STATUS_IS_OK(req->status)) {
2167 static bool test_GetDomainInfo_async(struct torture_context *tctx,
2168 struct dcerpc_pipe *p,
2169 struct cli_credentials *machine_credentials)
2172 struct netr_LogonGetDomainInfo r;
2173 struct netr_DomainQuery1 q1;
2174 struct netr_Authenticator a;
2175 #define ASYNC_COUNT 100
2176 struct creds_CredentialState *creds;
2177 struct creds_CredentialState *creds_async[ASYNC_COUNT];
2178 struct rpc_request *req[ASYNC_COUNT];
2180 int *async_counter = talloc(tctx, int);
2181 union netr_DomainInfo info;
2183 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2184 machine_credentials, &creds)) {
2189 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2190 r.in.computer_name = TEST_MACHINE_NAME;
2192 r.in.credential = &a;
2193 r.in.return_authenticator = &a;
2194 r.out.return_authenticator = &a;
2197 r.in.query.query1 = &q1;
2200 /* this should really be the fully qualified name */
2201 q1.workstation_domain = TEST_MACHINE_NAME;
2202 q1.workstation_site = "Default-First-Site-Name";
2203 q1.blob2.length = 0;
2205 q1.blob2.array = NULL;
2206 q1.product.string = "product string";
2208 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
2212 for (i=0;i<ASYNC_COUNT;i++) {
2213 creds_client_authenticator(creds, &a);
2215 creds_async[i] = (struct creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
2216 req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r);
2218 req[i]->async.callback = async_callback;
2219 req[i]->async.private_data = async_counter;
2221 /* even with this flush per request a w2k3 server seems to
2222 clag with multiple outstanding requests. bleergh. */
2223 torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0,
2224 "event_loop_once failed");
2227 for (i=0;i<ASYNC_COUNT;i++) {
2228 status = dcerpc_ndr_request_recv(req[i]);
2230 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
2231 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
2233 torture_assert(tctx, creds_client_check(creds_async[i], &a.cred),
2234 "Credential chaining failed at async");
2237 torture_comment(tctx,
2238 "Testing netr_LogonGetDomainInfo - async count %d OK\n", *async_counter);
2240 torture_assert_int_equal(tctx, (*async_counter), ASYNC_COUNT, "int");
2245 static bool test_ManyGetDCName(struct torture_context *tctx,
2246 struct dcerpc_pipe *p)
2249 struct dcerpc_pipe *p2;
2250 struct lsa_ObjectAttribute attr;
2251 struct lsa_QosInfo qos;
2252 struct lsa_OpenPolicy2 o;
2253 struct policy_handle lsa_handle;
2254 struct lsa_DomainList domains;
2256 struct lsa_EnumTrustDom t;
2257 uint32_t resume_handle = 0;
2258 struct netr_GetAnyDCName d;
2259 const char *dcname = NULL;
2263 if (p->conn->transport.transport != NCACN_NP) {
2267 torture_comment(tctx, "Torturing GetDCName\n");
2269 status = dcerpc_secondary_connection(p, &p2, p->binding);
2270 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
2272 status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
2273 torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
2276 qos.impersonation_level = 2;
2277 qos.context_mode = 1;
2278 qos.effective_only = 0;
2281 attr.root_dir = NULL;
2282 attr.object_name = NULL;
2283 attr.attributes = 0;
2284 attr.sec_desc = NULL;
2285 attr.sec_qos = &qos;
2287 o.in.system_name = "\\";
2289 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2290 o.out.handle = &lsa_handle;
2292 status = dcerpc_lsa_OpenPolicy2(p2, tctx, &o);
2293 torture_assert_ntstatus_ok(tctx, status, "OpenPolicy2 failed");
2295 t.in.handle = &lsa_handle;
2296 t.in.resume_handle = &resume_handle;
2297 t.in.max_size = 1000;
2298 t.out.domains = &domains;
2299 t.out.resume_handle = &resume_handle;
2301 status = dcerpc_lsa_EnumTrustDom(p2, tctx, &t);
2303 if ((!NT_STATUS_IS_OK(status) &&
2304 (!NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES))))
2305 torture_fail(tctx, "Could not list domains");
2309 d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
2310 dcerpc_server_name(p));
2311 d.out.dcname = &dcname;
2313 for (i=0; i<domains.count * 4; i++) {
2314 struct lsa_DomainInfo *info =
2315 &domains.domains[rand()%domains.count];
2317 d.in.domainname = info->name.string;
2319 status = dcerpc_netr_GetAnyDCName(p, tctx, &d);
2320 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2322 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
2323 dcname ? dcname : "unknown");
2329 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
2331 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
2332 struct torture_rpc_tcase *tcase;
2333 struct torture_test *test;
2335 tcase = torture_suite_add_machine_rpc_iface_tcase(suite, "netlogon",
2336 &ndr_table_netlogon, TEST_MACHINE_NAME);
2338 torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
2339 torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
2340 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
2341 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
2342 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
2343 torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
2344 torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
2345 torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
2346 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
2347 torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
2348 torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
2349 torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
2350 torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
2351 torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
2352 torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
2353 torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
2354 torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
2355 torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
2356 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
2357 torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2358 torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
2359 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
2360 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
2361 test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
2362 test->dangerous = true;
2363 torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
2364 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
2365 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
2366 torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
2367 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
2368 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
2369 torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);
git.samba.org / metze / samba / wip.git / blob