2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "torture/torture.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/gensec/gensec.h"
29 #include "lib/cmdline/popt_common.h"
30 #include "torture/rpc/rpc.h"
31 #include "torture/rpc/netlogon.h"
32 #include "../lib/crypto/crypto.h"
33 #include "libcli/auth/libcli_auth.h"
34 #include "librpc/gen_ndr/ndr_netlogon_c.h"
35 #include "librpc/gen_ndr/ndr_netlogon.h"
36 #include "librpc/gen_ndr/ndr_lsa_c.h"
37 #include "param/param.h"
38 #include "libcli/security/security.h"
40 #define TEST_MACHINE_NAME "torturetest"
42 static bool test_LogonUasLogon(struct torture_context *tctx,
43 struct dcerpc_pipe *p)
46 struct netr_LogonUasLogon r;
47 struct netr_UasInfo *info = NULL;
49 r.in.server_name = NULL;
50 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
51 r.in.workstation = TEST_MACHINE_NAME;
54 status = dcerpc_netr_LogonUasLogon(p, tctx, &r);
55 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
60 static bool test_LogonUasLogoff(struct torture_context *tctx,
61 struct dcerpc_pipe *p)
64 struct netr_LogonUasLogoff r;
65 struct netr_UasLogoffInfo info;
67 r.in.server_name = NULL;
68 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
69 r.in.workstation = TEST_MACHINE_NAME;
72 status = dcerpc_netr_LogonUasLogoff(p, tctx, &r);
73 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
78 static bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
79 struct cli_credentials *credentials,
80 struct creds_CredentialState **creds_out)
83 struct netr_ServerReqChallenge r;
84 struct netr_ServerAuthenticate a;
85 struct netr_Credential credentials1, credentials2, credentials3;
86 struct creds_CredentialState *creds;
87 const struct samr_Password *mach_password;
88 const char *machine_name;
90 mach_password = cli_credentials_get_nt_hash(credentials, tctx);
91 machine_name = cli_credentials_get_workstation(credentials);
93 torture_comment(tctx, "Testing ServerReqChallenge\n");
95 creds = talloc(tctx, struct creds_CredentialState);
96 torture_assert(tctx, creds != NULL, "memory allocation");
98 r.in.server_name = NULL;
99 r.in.computer_name = machine_name;
100 r.in.credentials = &credentials1;
101 r.out.return_credentials = &credentials2;
103 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
105 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
106 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
108 a.in.server_name = NULL;
109 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
110 a.in.secure_channel_type = SEC_CHAN_BDC;
111 a.in.computer_name = machine_name;
112 a.in.credentials = &credentials3;
113 a.out.return_credentials = &credentials3;
115 creds_client_init(creds, &credentials1, &credentials2,
116 mach_password, &credentials3,
119 torture_comment(tctx, "Testing ServerAuthenticate\n");
121 status = dcerpc_netr_ServerAuthenticate(p, tctx, &a);
123 /* This allows the tests to continue against the more fussy windows 2008 */
124 if (NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED)) {
125 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
126 credentials, SEC_CHAN_BDC, creds_out);
129 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
131 torture_assert(tctx, creds_client_check(creds, &credentials3),
132 "Credential chaining failed");
138 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
139 uint32_t negotiate_flags,
140 struct cli_credentials *machine_credentials,
142 struct creds_CredentialState **creds_out)
145 struct netr_ServerReqChallenge r;
146 struct netr_ServerAuthenticate2 a;
147 struct netr_Credential credentials1, credentials2, credentials3;
148 struct creds_CredentialState *creds;
149 const struct samr_Password *mach_password;
150 const char *machine_name;
151 const char *plain_pass;
153 mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
154 machine_name = cli_credentials_get_workstation(machine_credentials);
156 torture_comment(tctx, "Testing ServerReqChallenge\n");
158 creds = talloc(tctx, struct creds_CredentialState);
159 torture_assert(tctx, creds != NULL, "memory allocation");
161 r.in.server_name = NULL;
162 r.in.computer_name = machine_name;
163 r.in.credentials = &credentials1;
164 r.out.return_credentials = &credentials2;
166 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
168 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
169 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
171 a.in.server_name = NULL;
172 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
173 a.in.secure_channel_type = sec_chan_type;
174 a.in.computer_name = machine_name;
175 a.in.negotiate_flags = &negotiate_flags;
176 a.out.negotiate_flags = &negotiate_flags;
177 a.in.credentials = &credentials3;
178 a.out.return_credentials = &credentials3;
180 creds_client_init(creds, &credentials1, &credentials2,
181 mach_password, &credentials3,
184 torture_comment(tctx, "Testing ServerAuthenticate2\n");
186 status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a);
187 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2");
189 torture_assert(tctx, creds_client_check(creds, &credentials3),
190 "Credential chaining failed");
192 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
199 static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
200 uint32_t negotiate_flags,
201 struct cli_credentials *machine_credentials,
202 struct creds_CredentialState **creds_out)
205 struct netr_ServerReqChallenge r;
206 struct netr_ServerAuthenticate3 a;
207 struct netr_Credential credentials1, credentials2, credentials3;
208 struct creds_CredentialState *creds;
209 struct samr_Password mach_password;
211 const char *machine_name;
212 const char *plain_pass;
214 machine_name = cli_credentials_get_workstation(machine_credentials);
215 plain_pass = cli_credentials_get_password(machine_credentials);
217 torture_comment(tctx, "Testing ServerReqChallenge\n");
219 creds = talloc(tctx, struct creds_CredentialState);
220 torture_assert(tctx, creds != NULL, "memory allocation");
222 r.in.server_name = NULL;
223 r.in.computer_name = machine_name;
224 r.in.credentials = &credentials1;
225 r.out.return_credentials = &credentials2;
227 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
229 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
230 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
232 E_md4hash(plain_pass, mach_password.hash);
234 a.in.server_name = NULL;
235 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
236 a.in.secure_channel_type = SEC_CHAN_BDC;
237 a.in.computer_name = machine_name;
238 a.in.negotiate_flags = &negotiate_flags;
239 a.in.credentials = &credentials3;
240 a.out.return_credentials = &credentials3;
241 a.out.negotiate_flags = &negotiate_flags;
244 creds_client_init(creds, &credentials1, &credentials2,
245 &mach_password, &credentials3,
248 torture_comment(tctx, "Testing ServerAuthenticate3\n");
250 status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
251 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
252 torture_assert(tctx, creds_client_check(creds, &credentials3), "Credential chaining failed");
254 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
256 /* Prove that requesting a challenge again won't break it */
257 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
258 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
265 try a change password for our machine account
267 static bool test_SetPassword(struct torture_context *tctx,
268 struct dcerpc_pipe *p,
269 struct cli_credentials *machine_credentials)
272 struct netr_ServerPasswordSet r;
273 const char *password;
274 struct creds_CredentialState *creds;
275 struct netr_Authenticator credential, return_authenticator;
276 struct samr_Password new_password;
278 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
282 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
283 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
284 r.in.secure_channel_type = SEC_CHAN_BDC;
285 r.in.computer_name = TEST_MACHINE_NAME;
286 r.in.credential = &credential;
287 r.in.new_password = &new_password;
288 r.out.return_authenticator = &return_authenticator;
290 password = generate_random_str(tctx, 8);
291 E_md4hash(password, new_password.hash);
293 creds_des_encrypt(creds, &new_password);
295 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
296 torture_comment(tctx, "Changing machine account password to '%s'\n",
299 creds_client_authenticator(creds, &credential);
301 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
302 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
304 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
305 torture_comment(tctx, "Credential chaining failed\n");
308 /* by changing the machine password twice we test the
309 credentials chaining fully, and we verify that the server
310 allows the password to be set to the same value twice in a
311 row (match win2k3) */
312 torture_comment(tctx,
313 "Testing a second ServerPasswordSet on machine account\n");
314 torture_comment(tctx,
315 "Changing machine account password to '%s' (same as previous run)\n", password);
317 creds_client_authenticator(creds, &credential);
319 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
320 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
322 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
323 torture_comment(tctx, "Credential chaining failed\n");
326 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
329 test_SetupCredentials(p, tctx, machine_credentials, &creds),
330 "ServerPasswordSet failed to actually change the password");
336 generate a random password for password change tests
338 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
341 DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
342 generate_random_buffer(password.data, password.length);
344 for (i=0; i < len; i++) {
345 if (((uint16_t *)password.data)[i] == 0) {
346 ((uint16_t *)password.data)[i] = 1;
354 try a change password for our machine account
356 static bool test_SetPassword2(struct torture_context *tctx,
357 struct dcerpc_pipe *p,
358 struct cli_credentials *machine_credentials)
361 struct netr_ServerPasswordSet2 r;
362 const char *password;
363 DATA_BLOB new_random_pass;
364 struct creds_CredentialState *creds;
365 struct samr_CryptPassword password_buf;
366 struct samr_Password nt_hash;
367 struct netr_Authenticator credential, return_authenticator;
368 struct netr_CryptPassword new_password;
370 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
374 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
375 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
376 r.in.secure_channel_type = SEC_CHAN_BDC;
377 r.in.computer_name = TEST_MACHINE_NAME;
378 r.in.credential = &credential;
379 r.in.new_password = &new_password;
380 r.out.return_authenticator = &return_authenticator;
382 password = generate_random_str(tctx, 8);
383 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
384 creds_arcfour_crypt(creds, password_buf.data, 516);
386 memcpy(new_password.data, password_buf.data, 512);
387 new_password.length = IVAL(password_buf.data, 512);
389 torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
390 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
392 creds_client_authenticator(creds, &credential);
394 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
395 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
397 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
398 torture_comment(tctx, "Credential chaining failed\n");
401 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
403 if (!torture_setting_bool(tctx, "dangerous", false)) {
404 torture_comment(tctx,
405 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
407 /* by changing the machine password to ""
408 * we check if the server uses password restrictions
409 * for ServerPasswordSet2
410 * (win2k3 accepts "")
413 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
414 creds_arcfour_crypt(creds, password_buf.data, 516);
416 memcpy(new_password.data, password_buf.data, 512);
417 new_password.length = IVAL(password_buf.data, 512);
419 torture_comment(tctx,
420 "Testing ServerPasswordSet2 on machine account\n");
421 torture_comment(tctx,
422 "Changing machine account password to '%s'\n", password);
424 creds_client_authenticator(creds, &credential);
426 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
427 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
429 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
430 torture_comment(tctx, "Credential chaining failed\n");
433 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
436 torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
437 "ServerPasswordSet failed to actually change the password");
439 /* now try a random password */
440 password = generate_random_str(tctx, 8);
441 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
442 creds_arcfour_crypt(creds, password_buf.data, 516);
444 memcpy(new_password.data, password_buf.data, 512);
445 new_password.length = IVAL(password_buf.data, 512);
447 torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
448 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
450 creds_client_authenticator(creds, &credential);
452 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
453 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)");
455 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
456 torture_comment(tctx, "Credential chaining failed\n");
459 /* by changing the machine password twice we test the
460 credentials chaining fully, and we verify that the server
461 allows the password to be set to the same value twice in a
462 row (match win2k3) */
463 torture_comment(tctx,
464 "Testing a second ServerPasswordSet2 on machine account\n");
465 torture_comment(tctx,
466 "Changing machine account password to '%s' (same as previous run)\n", password);
468 creds_client_authenticator(creds, &credential);
470 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
471 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
473 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
474 torture_comment(tctx, "Credential chaining failed\n");
477 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
479 torture_assert (tctx,
480 test_SetupCredentials(p, tctx, machine_credentials, &creds),
481 "ServerPasswordSet failed to actually change the password");
483 new_random_pass = netlogon_very_rand_pass(tctx, 128);
485 /* now try a random stream of bytes for a password */
486 set_pw_in_buffer(password_buf.data, &new_random_pass);
488 creds_arcfour_crypt(creds, password_buf.data, 516);
490 memcpy(new_password.data, password_buf.data, 512);
491 new_password.length = IVAL(password_buf.data, 512);
493 torture_comment(tctx,
494 "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
496 creds_client_authenticator(creds, &credential);
498 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
499 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
501 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
502 torture_comment(tctx, "Credential chaining failed\n");
505 mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
507 cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
508 cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
510 torture_assert (tctx,
511 test_SetupCredentials(p, tctx, machine_credentials, &creds),
512 "ServerPasswordSet failed to actually change the password");
517 static bool test_GetPassword(struct torture_context *tctx,
518 struct dcerpc_pipe *p,
519 struct cli_credentials *machine_credentials)
521 struct netr_ServerPasswordGet r;
522 struct creds_CredentialState *creds;
523 struct netr_Authenticator credential;
525 struct netr_Authenticator return_authenticator;
526 struct samr_Password password;
528 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
532 creds_client_authenticator(creds, &credential);
534 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
535 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
536 r.in.secure_channel_type = SEC_CHAN_BDC;
537 r.in.computer_name = TEST_MACHINE_NAME;
538 r.in.credential = &credential;
539 r.out.return_authenticator = &return_authenticator;
540 r.out.password = &password;
542 status = dcerpc_netr_ServerPasswordGet(p, tctx, &r);
543 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
548 static bool test_GetTrustPasswords(struct torture_context *tctx,
549 struct dcerpc_pipe *p,
550 struct cli_credentials *machine_credentials)
552 struct netr_ServerTrustPasswordsGet r;
553 struct creds_CredentialState *creds;
554 struct netr_Authenticator credential;
556 struct netr_Authenticator return_authenticator;
557 struct samr_Password password, password2;
559 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
563 creds_client_authenticator(creds, &credential);
565 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
566 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
567 r.in.secure_channel_type = SEC_CHAN_BDC;
568 r.in.computer_name = TEST_MACHINE_NAME;
569 r.in.credential = &credential;
570 r.out.return_authenticator = &return_authenticator;
571 r.out.password = &password;
572 r.out.password2 = &password2;
574 status = dcerpc_netr_ServerTrustPasswordsGet(p, tctx, &r);
575 torture_assert_ntstatus_ok(tctx, status, "ServerTrustPasswordsGet");
581 try a netlogon SamLogon
583 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
584 struct cli_credentials *credentials,
585 struct creds_CredentialState *creds)
588 struct netr_LogonSamLogon r;
589 struct netr_Authenticator auth, auth2;
590 union netr_LogonLevel logon;
591 union netr_Validation validation;
592 uint8_t authoritative;
593 struct netr_NetworkInfo ninfo;
594 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
596 int flags = CLI_CRED_NTLM_AUTH;
597 if (lp_client_lanman_auth(tctx->lp_ctx)) {
598 flags |= CLI_CRED_LANMAN_AUTH;
601 if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
602 flags |= CLI_CRED_NTLMv2_AUTH;
605 cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
606 &ninfo.identity_info.account_name.string,
607 &ninfo.identity_info.domain_name.string);
609 generate_random_buffer(ninfo.challenge,
610 sizeof(ninfo.challenge));
611 chal = data_blob_const(ninfo.challenge,
612 sizeof(ninfo.challenge));
614 names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
615 cli_credentials_get_domain(credentials));
617 status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
623 torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
625 ninfo.lm.data = lm_resp.data;
626 ninfo.lm.length = lm_resp.length;
628 ninfo.nt.data = nt_resp.data;
629 ninfo.nt.length = nt_resp.length;
631 ninfo.identity_info.parameter_control = 0;
632 ninfo.identity_info.logon_id_low = 0;
633 ninfo.identity_info.logon_id_high = 0;
634 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
636 logon.network = &ninfo;
638 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
639 r.in.computer_name = cli_credentials_get_workstation(credentials);
640 r.in.credential = &auth;
641 r.in.return_authenticator = &auth2;
642 r.in.logon_level = 2;
644 r.out.validation = &validation;
645 r.out.authoritative = &authoritative;
647 d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
651 creds_client_authenticator(creds, &auth);
653 r.in.validation_level = i;
655 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
656 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
658 torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
659 "Credential chaining failed");
662 r.in.credential = NULL;
666 r.in.validation_level = i;
668 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
670 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
671 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
672 "LogonSamLogon expected INVALID_PARAMETER");
680 try a netlogon SamLogon
682 static bool test_SamLogon(struct torture_context *tctx,
683 struct dcerpc_pipe *p,
684 struct cli_credentials *credentials)
686 struct creds_CredentialState *creds;
688 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
692 return test_netlogon_ops(p, tctx, credentials, creds);
695 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
696 static uint64_t sequence_nums[3];
699 try a netlogon DatabaseSync
701 static bool test_DatabaseSync(struct torture_context *tctx,
702 struct dcerpc_pipe *p,
703 struct cli_credentials *machine_credentials)
706 struct netr_DatabaseSync r;
707 struct creds_CredentialState *creds;
708 const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
710 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
711 struct netr_Authenticator credential, return_authenticator;
713 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
717 ZERO_STRUCT(return_authenticator);
719 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
720 r.in.computername = TEST_MACHINE_NAME;
721 r.in.preferredmaximumlength = (uint32_t)-1;
722 r.in.return_authenticator = &return_authenticator;
723 r.out.delta_enum_array = &delta_enum_array;
724 r.out.return_authenticator = &return_authenticator;
726 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
728 uint32_t sync_context = 0;
730 r.in.database_id = database_ids[i];
731 r.in.sync_context = &sync_context;
732 r.out.sync_context = &sync_context;
734 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
737 creds_client_authenticator(creds, &credential);
739 r.in.credential = &credential;
741 status = dcerpc_netr_DatabaseSync(p, tctx, &r);
742 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
745 /* Native mode servers don't do this */
746 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
749 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync");
751 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
752 torture_comment(tctx, "Credential chaining failed\n");
755 if (delta_enum_array &&
756 delta_enum_array->num_deltas > 0 &&
757 delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
758 delta_enum_array->delta_enum[0].delta_union.domain) {
759 sequence_nums[r.in.database_id] =
760 delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
761 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
763 (unsigned long long)sequence_nums[r.in.database_id]);
765 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
773 try a netlogon DatabaseDeltas
775 static bool test_DatabaseDeltas(struct torture_context *tctx,
776 struct dcerpc_pipe *p,
777 struct cli_credentials *machine_credentials)
780 struct netr_DatabaseDeltas r;
781 struct creds_CredentialState *creds;
782 struct netr_Authenticator credential;
783 struct netr_Authenticator return_authenticator;
784 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
785 const uint32_t database_ids[] = {0, 1, 2};
788 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
792 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
793 r.in.computername = TEST_MACHINE_NAME;
794 r.in.preferredmaximumlength = (uint32_t)-1;
795 ZERO_STRUCT(r.in.return_authenticator);
796 r.out.return_authenticator = &return_authenticator;
797 r.out.delta_enum_array = &delta_enum_array;
799 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
800 r.in.database_id = database_ids[i];
801 r.in.sequence_num = &sequence_nums[r.in.database_id];
803 if (*r.in.sequence_num == 0) continue;
805 *r.in.sequence_num -= 1;
807 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
808 r.in.database_id, (unsigned long long)*r.in.sequence_num);
811 creds_client_authenticator(creds, &credential);
813 status = dcerpc_netr_DatabaseDeltas(p, tctx, &r);
814 if (NT_STATUS_EQUAL(status,
815 NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
816 torture_comment(tctx, "not considering %s to be an error\n",
820 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
823 torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas");
825 if (!creds_client_check(creds, &return_authenticator.cred)) {
826 torture_comment(tctx, "Credential chaining failed\n");
829 (*r.in.sequence_num)++;
830 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
836 static bool test_DatabaseRedo(struct torture_context *tctx,
837 struct dcerpc_pipe *p,
838 struct cli_credentials *machine_credentials)
841 struct netr_DatabaseRedo r;
842 struct creds_CredentialState *creds;
843 struct netr_Authenticator credential;
844 struct netr_Authenticator return_authenticator;
845 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
846 struct netr_ChangeLogEntry e;
847 struct dom_sid null_sid, *sid;
850 ZERO_STRUCT(null_sid);
852 sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
863 NTSTATUS expected_error;
864 uint32_t expected_num_results;
865 uint8_t expected_delta_type_1;
866 uint8_t expected_delta_type_2;
870 /* SAM_DATABASE_DOMAIN */
875 .db_index = SAM_DATABASE_DOMAIN,
876 .delta_type = NETR_DELTA_MODIFY_COUNT,
879 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
880 .expected_num_results = 0,
881 .comment = "NETR_DELTA_MODIFY_COUNT"
886 .db_index = SAM_DATABASE_DOMAIN,
890 .expected_error = NT_STATUS_OK,
891 .expected_num_results = 1,
892 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
893 .comment = "NULL DELTA"
898 .db_index = SAM_DATABASE_DOMAIN,
899 .delta_type = NETR_DELTA_DOMAIN,
902 .expected_error = NT_STATUS_OK,
903 .expected_num_results = 1,
904 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
905 .comment = "NETR_DELTA_DOMAIN"
908 .rid = DOMAIN_RID_ADMINISTRATOR,
910 .db_index = SAM_DATABASE_DOMAIN,
911 .delta_type = NETR_DELTA_USER,
914 .expected_error = NT_STATUS_OK,
915 .expected_num_results = 1,
916 .expected_delta_type_1 = NETR_DELTA_USER,
917 .comment = "NETR_DELTA_USER by rid 500"
920 .rid = DOMAIN_RID_GUEST,
922 .db_index = SAM_DATABASE_DOMAIN,
923 .delta_type = NETR_DELTA_USER,
926 .expected_error = NT_STATUS_OK,
927 .expected_num_results = 1,
928 .expected_delta_type_1 = NETR_DELTA_USER,
929 .comment = "NETR_DELTA_USER by rid 501"
933 .flags = NETR_CHANGELOG_SID_INCLUDED,
934 .db_index = SAM_DATABASE_DOMAIN,
935 .delta_type = NETR_DELTA_USER,
938 .expected_error = NT_STATUS_OK,
939 .expected_num_results = 1,
940 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
941 .comment = "NETR_DELTA_USER by sid and flags"
945 .flags = NETR_CHANGELOG_SID_INCLUDED,
946 .db_index = SAM_DATABASE_DOMAIN,
947 .delta_type = NETR_DELTA_USER,
950 .expected_error = NT_STATUS_OK,
951 .expected_num_results = 1,
952 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
953 .comment = "NETR_DELTA_USER by null_sid and flags"
957 .flags = NETR_CHANGELOG_NAME_INCLUDED,
958 .db_index = SAM_DATABASE_DOMAIN,
959 .delta_type = NETR_DELTA_USER,
961 .name = "administrator",
962 .expected_error = NT_STATUS_OK,
963 .expected_num_results = 1,
964 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
965 .comment = "NETR_DELTA_USER by name 'administrator'"
968 .rid = DOMAIN_RID_ADMINS,
970 .db_index = SAM_DATABASE_DOMAIN,
971 .delta_type = NETR_DELTA_GROUP,
974 .expected_error = NT_STATUS_OK,
975 .expected_num_results = 2,
976 .expected_delta_type_1 = NETR_DELTA_GROUP,
977 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
978 .comment = "NETR_DELTA_GROUP by rid 512"
981 .rid = DOMAIN_RID_ADMINS,
983 .db_index = SAM_DATABASE_DOMAIN,
984 .delta_type = NETR_DELTA_GROUP_MEMBER,
987 .expected_error = NT_STATUS_OK,
988 .expected_num_results = 2,
989 .expected_delta_type_1 = NETR_DELTA_GROUP,
990 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
991 .comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
995 /* SAM_DATABASE_BUILTIN */
1000 .db_index = SAM_DATABASE_BUILTIN,
1001 .delta_type = NETR_DELTA_MODIFY_COUNT,
1004 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1005 .expected_num_results = 0,
1006 .comment = "NETR_DELTA_MODIFY_COUNT"
1011 .db_index = SAM_DATABASE_BUILTIN,
1012 .delta_type = NETR_DELTA_DOMAIN,
1015 .expected_error = NT_STATUS_OK,
1016 .expected_num_results = 1,
1017 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1018 .comment = "NETR_DELTA_DOMAIN"
1021 .rid = DOMAIN_RID_ADMINISTRATOR,
1023 .db_index = SAM_DATABASE_BUILTIN,
1024 .delta_type = NETR_DELTA_USER,
1027 .expected_error = NT_STATUS_OK,
1028 .expected_num_results = 1,
1029 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1030 .comment = "NETR_DELTA_USER by rid 500"
1035 .db_index = SAM_DATABASE_BUILTIN,
1036 .delta_type = NETR_DELTA_USER,
1039 .expected_error = NT_STATUS_OK,
1040 .expected_num_results = 1,
1041 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1042 .comment = "NETR_DELTA_USER"
1047 .db_index = SAM_DATABASE_BUILTIN,
1048 .delta_type = NETR_DELTA_ALIAS,
1051 .expected_error = NT_STATUS_OK,
1052 .expected_num_results = 2,
1053 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1054 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1055 .comment = "NETR_DELTA_ALIAS by rid 544"
1060 .db_index = SAM_DATABASE_BUILTIN,
1061 .delta_type = NETR_DELTA_ALIAS_MEMBER,
1064 .expected_error = NT_STATUS_OK,
1065 .expected_num_results = 2,
1066 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1067 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1068 .comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1073 .db_index = SAM_DATABASE_BUILTIN,
1077 .expected_error = NT_STATUS_OK,
1078 .expected_num_results = 1,
1079 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1080 .comment = "NULL DELTA by rid 544"
1084 .flags = NETR_CHANGELOG_SID_INCLUDED,
1085 .db_index = SAM_DATABASE_BUILTIN,
1087 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1089 .expected_error = NT_STATUS_OK,
1090 .expected_num_results = 1,
1091 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1092 .comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1096 .flags = NETR_CHANGELOG_SID_INCLUDED,
1097 .db_index = SAM_DATABASE_BUILTIN,
1098 .delta_type = NETR_DELTA_ALIAS,
1099 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1101 .expected_error = NT_STATUS_OK,
1102 .expected_num_results = 2,
1103 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1104 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1105 .comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1109 .flags = NETR_CHANGELOG_SID_INCLUDED,
1110 .db_index = SAM_DATABASE_BUILTIN,
1111 .delta_type = NETR_DELTA_ALIAS,
1112 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1114 .expected_error = NT_STATUS_OK,
1115 .expected_num_results = 1,
1116 .expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
1117 .comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1120 /* SAM_DATABASE_PRIVS */
1125 .db_index = SAM_DATABASE_PRIVS,
1129 .expected_error = NT_STATUS_ACCESS_DENIED,
1130 .expected_num_results = 0,
1131 .comment = "NULL DELTA"
1136 .db_index = SAM_DATABASE_PRIVS,
1137 .delta_type = NETR_DELTA_MODIFY_COUNT,
1140 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1141 .expected_num_results = 0,
1142 .comment = "NETR_DELTA_MODIFY_COUNT"
1147 .db_index = SAM_DATABASE_PRIVS,
1148 .delta_type = NETR_DELTA_POLICY,
1151 .expected_error = NT_STATUS_OK,
1152 .expected_num_results = 1,
1153 .expected_delta_type_1 = NETR_DELTA_POLICY,
1154 .comment = "NETR_DELTA_POLICY"
1158 .flags = NETR_CHANGELOG_SID_INCLUDED,
1159 .db_index = SAM_DATABASE_PRIVS,
1160 .delta_type = NETR_DELTA_POLICY,
1163 .expected_error = NT_STATUS_OK,
1164 .expected_num_results = 1,
1165 .expected_delta_type_1 = NETR_DELTA_POLICY,
1166 .comment = "NETR_DELTA_POLICY by null sid and flags"
1170 .flags = NETR_CHANGELOG_SID_INCLUDED,
1171 .db_index = SAM_DATABASE_PRIVS,
1172 .delta_type = NETR_DELTA_POLICY,
1173 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1175 .expected_error = NT_STATUS_OK,
1176 .expected_num_results = 1,
1177 .expected_delta_type_1 = NETR_DELTA_POLICY,
1178 .comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1181 .rid = DOMAIN_RID_ADMINISTRATOR,
1183 .db_index = SAM_DATABASE_PRIVS,
1184 .delta_type = NETR_DELTA_ACCOUNT,
1187 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1188 .expected_num_results = 0,
1189 .comment = "NETR_DELTA_ACCOUNT by rid 500"
1193 .flags = NETR_CHANGELOG_SID_INCLUDED,
1194 .db_index = SAM_DATABASE_PRIVS,
1195 .delta_type = NETR_DELTA_ACCOUNT,
1196 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1198 .expected_error = NT_STATUS_OK,
1199 .expected_num_results = 1,
1200 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1201 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1205 .flags = NETR_CHANGELOG_SID_INCLUDED |
1206 NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1207 .db_index = SAM_DATABASE_PRIVS,
1208 .delta_type = NETR_DELTA_ACCOUNT,
1209 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1211 .expected_error = NT_STATUS_OK,
1212 .expected_num_results = 1,
1213 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1214 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1218 .flags = NETR_CHANGELOG_SID_INCLUDED |
1219 NETR_CHANGELOG_NAME_INCLUDED,
1220 .db_index = SAM_DATABASE_PRIVS,
1221 .delta_type = NETR_DELTA_ACCOUNT,
1222 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1224 .expected_error = NT_STATUS_INVALID_PARAMETER,
1225 .expected_num_results = 0,
1226 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1229 .rid = DOMAIN_RID_ADMINISTRATOR,
1230 .flags = NETR_CHANGELOG_SID_INCLUDED,
1231 .db_index = SAM_DATABASE_PRIVS,
1232 .delta_type = NETR_DELTA_ACCOUNT,
1235 .expected_error = NT_STATUS_OK,
1236 .expected_num_results = 1,
1237 .expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
1238 .comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1242 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1243 .db_index = SAM_DATABASE_PRIVS,
1244 .delta_type = NETR_DELTA_SECRET,
1246 .name = "IsurelydontexistIhope",
1247 .expected_error = NT_STATUS_OK,
1248 .expected_num_results = 1,
1249 .expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
1250 .comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1254 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1255 .db_index = SAM_DATABASE_PRIVS,
1256 .delta_type = NETR_DELTA_SECRET,
1258 .name = "G$BCKUPKEY_P",
1259 .expected_error = NT_STATUS_OK,
1260 .expected_num_results = 1,
1261 .expected_delta_type_1 = NETR_DELTA_SECRET,
1262 .comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1266 ZERO_STRUCT(return_authenticator);
1268 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1269 r.in.computername = TEST_MACHINE_NAME;
1270 r.in.return_authenticator = &return_authenticator;
1271 r.out.return_authenticator = &return_authenticator;
1272 r.out.delta_enum_array = &delta_enum_array;
1274 for (d=0; d<3; d++) {
1276 const char *database;
1283 database = "BUILTIN";
1292 torture_comment(tctx, "Testing DatabaseRedo\n");
1294 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1298 for (i=0;i<ARRAY_SIZE(changes);i++) {
1300 if (d != changes[i].db_index) {
1304 creds_client_authenticator(creds, &credential);
1306 r.in.credential = &credential;
1308 e.serial_number1 = 0;
1309 e.serial_number2 = 0;
1310 e.object_rid = changes[i].rid;
1311 e.flags = changes[i].flags;
1312 e.db_index = changes[i].db_index;
1313 e.delta_type = changes[i].delta_type;
1315 switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1316 case NETR_CHANGELOG_SID_INCLUDED:
1317 e.object.object_sid = changes[i].sid;
1319 case NETR_CHANGELOG_NAME_INCLUDED:
1320 e.object.object_name = changes[i].name;
1326 r.in.change_log_entry = e;
1328 torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1329 database, changes[i].comment);
1331 status = dcerpc_netr_DatabaseRedo(p, tctx, &r);
1332 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1336 torture_assert_ntstatus_equal(tctx, status, changes[i].expected_error, changes[i].comment);
1337 if (delta_enum_array) {
1338 torture_assert_int_equal(tctx,
1339 delta_enum_array->num_deltas,
1340 changes[i].expected_num_results,
1341 changes[i].comment);
1342 if (delta_enum_array->num_deltas > 0) {
1343 torture_assert_int_equal(tctx,
1344 delta_enum_array->delta_enum[0].delta_type,
1345 changes[i].expected_delta_type_1,
1346 changes[i].comment);
1348 if (delta_enum_array->num_deltas > 1) {
1349 torture_assert_int_equal(tctx,
1350 delta_enum_array->delta_enum[1].delta_type,
1351 changes[i].expected_delta_type_2,
1352 changes[i].comment);
1356 if (!creds_client_check(creds, &return_authenticator.cred)) {
1357 torture_comment(tctx, "Credential chaining failed\n");
1358 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1370 try a netlogon AccountDeltas
1372 static bool test_AccountDeltas(struct torture_context *tctx,
1373 struct dcerpc_pipe *p,
1374 struct cli_credentials *machine_credentials)
1377 struct netr_AccountDeltas r;
1378 struct creds_CredentialState *creds;
1380 struct netr_AccountBuffer buffer;
1381 uint32_t count_returned = 0;
1382 uint32_t total_entries = 0;
1383 struct netr_UAS_INFO_0 recordid;
1384 struct netr_Authenticator return_authenticator;
1386 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1390 ZERO_STRUCT(return_authenticator);
1392 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1393 r.in.computername = TEST_MACHINE_NAME;
1394 r.in.return_authenticator = &return_authenticator;
1395 creds_client_authenticator(creds, &r.in.credential);
1396 ZERO_STRUCT(r.in.uas);
1399 r.in.buffersize=100;
1400 r.out.buffer = &buffer;
1401 r.out.count_returned = &count_returned;
1402 r.out.total_entries = &total_entries;
1403 r.out.recordid = &recordid;
1404 r.out.return_authenticator = &return_authenticator;
1406 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1407 status = dcerpc_netr_AccountDeltas(p, tctx, &r);
1408 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1414 try a netlogon AccountSync
1416 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
1417 struct cli_credentials *machine_credentials)
1420 struct netr_AccountSync r;
1421 struct creds_CredentialState *creds;
1423 struct netr_AccountBuffer buffer;
1424 uint32_t count_returned = 0;
1425 uint32_t total_entries = 0;
1426 uint32_t next_reference = 0;
1427 struct netr_UAS_INFO_0 recordid;
1428 struct netr_Authenticator return_authenticator;
1430 ZERO_STRUCT(recordid);
1431 ZERO_STRUCT(return_authenticator);
1433 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1437 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1438 r.in.computername = TEST_MACHINE_NAME;
1439 r.in.return_authenticator = &return_authenticator;
1440 creds_client_authenticator(creds, &r.in.credential);
1441 r.in.recordid = &recordid;
1444 r.in.buffersize=100;
1445 r.out.buffer = &buffer;
1446 r.out.count_returned = &count_returned;
1447 r.out.total_entries = &total_entries;
1448 r.out.next_reference = &next_reference;
1449 r.out.recordid = &recordid;
1450 r.out.return_authenticator = &return_authenticator;
1452 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1453 status = dcerpc_netr_AccountSync(p, tctx, &r);
1454 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1460 try a netlogon GetDcName
1462 static bool test_GetDcName(struct torture_context *tctx,
1463 struct dcerpc_pipe *p)
1466 struct netr_GetDcName r;
1467 const char *dcname = NULL;
1469 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1470 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1471 r.out.dcname = &dcname;
1473 status = dcerpc_netr_GetDcName(p, tctx, &r);
1474 torture_assert_ntstatus_ok(tctx, status, "GetDcName");
1475 torture_assert_werr_ok(tctx, r.out.result, "GetDcName");
1477 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1483 try a netlogon LogonControl
1485 static bool test_LogonControl(struct torture_context *tctx,
1486 struct dcerpc_pipe *p)
1489 struct netr_LogonControl r;
1490 union netr_CONTROL_QUERY_INFORMATION info;
1493 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1494 r.in.function_code = 1;
1500 torture_comment(tctx, "Testing LogonControl level %d\n", i);
1502 status = dcerpc_netr_LogonControl(p, tctx, &r);
1503 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1511 try a netlogon GetAnyDCName
1513 static bool test_GetAnyDCName(struct torture_context *tctx,
1514 struct dcerpc_pipe *p)
1517 struct netr_GetAnyDCName r;
1518 const char *dcname = NULL;
1520 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1521 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1522 r.out.dcname = &dcname;
1524 status = dcerpc_netr_GetAnyDCName(p, tctx, &r);
1525 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1526 torture_assert_werr_ok(tctx, r.out.result, "GetAnyDCName");
1529 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1537 try a netlogon LogonControl2
1539 static bool test_LogonControl2(struct torture_context *tctx,
1540 struct dcerpc_pipe *p)
1543 struct netr_LogonControl2 r;
1544 union netr_CONTROL_DATA_INFORMATION data;
1545 union netr_CONTROL_QUERY_INFORMATION query;
1548 data.domain = lp_workgroup(tctx->lp_ctx);
1550 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1552 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1554 r.out.query = &query;
1559 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1560 i, r.in.function_code);
1562 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1563 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1566 data.domain = lp_workgroup(tctx->lp_ctx);
1568 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1574 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1575 i, r.in.function_code);
1577 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1578 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1581 data.domain = lp_workgroup(tctx->lp_ctx);
1583 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1589 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1590 i, r.in.function_code);
1592 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1593 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1596 data.debug_level = ~0;
1598 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1604 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1605 i, r.in.function_code);
1607 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1608 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1615 try a netlogon DatabaseSync2
1617 static bool test_DatabaseSync2(struct torture_context *tctx,
1618 struct dcerpc_pipe *p,
1619 struct cli_credentials *machine_credentials)
1622 struct netr_DatabaseSync2 r;
1623 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1624 struct netr_Authenticator return_authenticator, credential;
1626 struct creds_CredentialState *creds;
1627 const uint32_t database_ids[] = {0, 1, 2};
1630 if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
1631 machine_credentials,
1632 SEC_CHAN_BDC, &creds)) {
1636 ZERO_STRUCT(return_authenticator);
1638 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1639 r.in.computername = TEST_MACHINE_NAME;
1640 r.in.preferredmaximumlength = (uint32_t)-1;
1641 r.in.return_authenticator = &return_authenticator;
1642 r.out.return_authenticator = &return_authenticator;
1643 r.out.delta_enum_array = &delta_enum_array;
1645 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1647 uint32_t sync_context = 0;
1649 r.in.database_id = database_ids[i];
1650 r.in.sync_context = &sync_context;
1651 r.out.sync_context = &sync_context;
1652 r.in.restart_state = 0;
1654 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
1657 creds_client_authenticator(creds, &credential);
1659 r.in.credential = &credential;
1661 status = dcerpc_netr_DatabaseSync2(p, tctx, &r);
1662 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
1665 /* Native mode servers don't do this */
1666 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1670 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2");
1672 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
1673 torture_comment(tctx, "Credential chaining failed\n");
1676 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1684 try a netlogon LogonControl2Ex
1686 static bool test_LogonControl2Ex(struct torture_context *tctx,
1687 struct dcerpc_pipe *p)
1690 struct netr_LogonControl2Ex r;
1691 union netr_CONTROL_DATA_INFORMATION data;
1692 union netr_CONTROL_QUERY_INFORMATION query;
1695 data.domain = lp_workgroup(tctx->lp_ctx);
1697 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1699 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1701 r.out.query = &query;
1706 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1707 i, r.in.function_code);
1709 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1710 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1713 data.domain = lp_workgroup(tctx->lp_ctx);
1715 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1721 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1722 i, r.in.function_code);
1724 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1725 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1728 data.domain = lp_workgroup(tctx->lp_ctx);
1730 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1736 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1737 i, r.in.function_code);
1739 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1740 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1743 data.debug_level = ~0;
1745 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1751 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1752 i, r.in.function_code);
1754 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1755 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1761 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
1762 struct dcerpc_pipe *p, const char *trusted_domain_name)
1765 struct netr_DsRGetForestTrustInformation r;
1766 struct lsa_ForestTrustInformation info, *info_ptr;
1770 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1771 r.in.trusted_domain_name = trusted_domain_name;
1773 r.out.forest_trust_info = &info_ptr;
1775 torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
1777 status = dcerpc_netr_DsRGetForestTrustInformation(p, tctx, &r);
1778 torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
1779 torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
1785 try a netlogon netr_DsrEnumerateDomainTrusts
1787 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
1788 struct dcerpc_pipe *p)
1791 struct netr_DsrEnumerateDomainTrusts r;
1792 struct netr_DomainTrustList trusts;
1795 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1796 r.in.trust_flags = 0x3f;
1797 r.out.trusts = &trusts;
1799 status = dcerpc_netr_DsrEnumerateDomainTrusts(p, tctx, &r);
1800 torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
1801 torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
1803 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
1804 * will show non-forest trusts and all UPN suffixes of the own forest
1805 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
1807 if (r.out.trusts->count) {
1808 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
1813 for (i=0; i<r.out.trusts->count; i++) {
1815 /* get info for transitive forest trusts */
1817 if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1818 if (!test_netr_DsRGetForestTrustInformation(tctx, p,
1819 r.out.trusts->array[i].dns_name)) {
1828 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
1829 struct dcerpc_pipe *p)
1832 struct netr_NetrEnumerateTrustedDomains r;
1833 struct netr_Blob trusted_domains_blob;
1835 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1836 r.out.trusted_domains_blob = &trusted_domains_blob;
1838 status = dcerpc_netr_NetrEnumerateTrustedDomains(p, tctx, &r);
1839 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
1840 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
1845 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
1846 struct dcerpc_pipe *p)
1849 struct netr_NetrEnumerateTrustedDomainsEx r;
1850 struct netr_DomainTrustList dom_trust_list;
1852 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1853 r.out.dom_trust_list = &dom_trust_list;
1855 status = dcerpc_netr_NetrEnumerateTrustedDomainsEx(p, tctx, &r);
1856 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
1857 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
1863 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
1864 const char *computer_name,
1865 const char *expected_site)
1868 struct netr_DsRGetSiteName r;
1869 const char *site = NULL;
1871 if (torture_setting_bool(tctx, "samba4", false))
1872 torture_skip(tctx, "skipping DsRGetSiteName test against Samba4");
1874 r.in.computer_name = computer_name;
1876 torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
1878 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1879 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1880 torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
1881 torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
1883 r.in.computer_name = talloc_asprintf(tctx, "\\\\%s", computer_name);
1884 torture_comment(tctx,
1885 "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
1887 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1888 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1889 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
1895 try a netlogon netr_DsRGetDCName
1897 static bool test_netr_DsRGetDCName(struct torture_context *tctx,
1898 struct dcerpc_pipe *p)
1901 struct netr_DsRGetDCName r;
1902 struct netr_DsRGetDCNameInfo *info = NULL;
1904 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1905 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1906 r.in.domain_guid = NULL;
1907 r.in.site_guid = NULL;
1908 r.in.flags = DS_RETURN_DNS_NAME;
1911 status = dcerpc_netr_DsRGetDCName(p, tctx, &r);
1912 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
1913 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
1914 return test_netr_DsRGetSiteName(p, tctx,
1916 info->dc_site_name);
1920 try a netlogon netr_DsRGetDCNameEx
1922 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
1923 struct dcerpc_pipe *p)
1926 struct netr_DsRGetDCNameEx r;
1927 struct netr_DsRGetDCNameInfo *info = NULL;
1929 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1930 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1931 r.in.domain_guid = NULL;
1932 r.in.site_name = NULL;
1933 r.in.flags = DS_RETURN_DNS_NAME;
1936 status = dcerpc_netr_DsRGetDCNameEx(p, tctx, &r);
1937 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
1938 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
1940 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1941 info->dc_site_name);
1945 try a netlogon netr_DsRGetDCNameEx2
1947 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
1948 struct dcerpc_pipe *p)
1951 struct netr_DsRGetDCNameEx2 r;
1952 struct netr_DsRGetDCNameInfo *info = NULL;
1954 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1955 r.in.client_account = NULL;
1956 r.in.mask = 0x00000000;
1957 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1958 r.in.domain_guid = NULL;
1959 r.in.site_name = NULL;
1960 r.in.flags = DS_RETURN_DNS_NAME;
1963 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
1965 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1966 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1967 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1969 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client acount\n");
1970 r.in.client_account = TEST_MACHINE_NAME"$";
1971 r.in.mask = ACB_SVRTRUST;
1972 r.in.flags = DS_RETURN_FLAT_NAME;
1975 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1976 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1977 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1978 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1979 info->dc_site_name);
1982 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
1983 struct dcerpc_pipe *p)
1986 struct netr_DsrGetDcSiteCoverageW r;
1987 struct DcSitesCtr *ctr = NULL;
1989 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1992 status = dcerpc_netr_DsrGetDcSiteCoverageW(p, tctx, &r);
1993 torture_assert_ntstatus_ok(tctx, status, "failed");
1994 torture_assert_werr_ok(tctx, r.out.result, "failed");
1999 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
2000 struct dcerpc_pipe *p)
2003 struct netr_DsRAddressToSitenamesW r;
2004 struct netr_DsRAddress addr;
2005 struct netr_DsRAddressToSitenamesWCtr *ctr;
2007 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2010 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2012 addr.buffer[0] = 2; /* AF_INET */
2013 addr.buffer[4] = 127;
2018 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2020 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2021 r.in.addresses[0] = addr;
2024 status = dcerpc_netr_DsRAddressToSitenamesW(p, tctx, &r);
2025 torture_assert_ntstatus_ok(tctx, status, "failed");
2026 torture_assert_werr_ok(tctx, r.out.result, "failed");
2031 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2032 struct dcerpc_pipe *p)
2035 struct netr_DsRAddressToSitenamesExW r;
2036 struct netr_DsRAddress addr;
2037 struct netr_DsRAddressToSitenamesExWCtr *ctr;
2039 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2042 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2044 addr.buffer[0] = 2; /* AF_INET */
2045 addr.buffer[4] = 127;
2050 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2052 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2053 r.in.addresses[0] = addr;
2056 status = dcerpc_netr_DsRAddressToSitenamesExW(p, tctx, &r);
2057 torture_assert_ntstatus_ok(tctx, status, "failed");
2058 torture_assert_werr_ok(tctx, r.out.result, "failed");
2063 static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
2064 struct dcerpc_pipe *p,
2065 struct cli_credentials *machine_credentials)
2068 struct netr_ServerGetTrustInfo r;
2070 struct netr_Authenticator a;
2071 struct netr_Authenticator return_authenticator;
2072 struct samr_Password new_owf_password;
2073 struct samr_Password old_owf_password;
2074 struct netr_TrustInfo *trust_info;
2076 struct creds_CredentialState *creds;
2078 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2079 machine_credentials, &creds)) {
2083 creds_client_authenticator(creds, &a);
2085 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2086 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
2087 r.in.secure_channel_type = SEC_CHAN_BDC;
2088 r.in.computer_name = TEST_MACHINE_NAME;
2089 r.in.credential = &a;
2091 r.out.return_authenticator = &return_authenticator;
2092 r.out.new_owf_password = &new_owf_password;
2093 r.out.old_owf_password = &old_owf_password;
2094 r.out.trust_info = &trust_info;
2096 status = dcerpc_netr_ServerGetTrustInfo(p, tctx, &r);
2097 torture_assert_ntstatus_ok(tctx, status, "failed");
2098 torture_assert(tctx, creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
2104 static bool test_GetDomainInfo(struct torture_context *tctx,
2105 struct dcerpc_pipe *p,
2106 struct cli_credentials *machine_credentials)
2109 struct netr_LogonGetDomainInfo r;
2110 struct netr_DomainQuery1 q1;
2111 struct netr_Authenticator a;
2112 struct creds_CredentialState *creds;
2113 union netr_DomainInfo info;
2115 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2116 machine_credentials, &creds)) {
2122 creds_client_authenticator(creds, &a);
2124 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2125 r.in.computer_name = TEST_MACHINE_NAME;
2127 r.in.credential = &a;
2128 r.in.return_authenticator = &a;
2129 r.out.return_authenticator = &a;
2132 r.in.query.query1 = &q1;
2135 /* this should really be the fully qualified name */
2136 q1.workstation_domain = TEST_MACHINE_NAME;
2137 q1.workstation_site = "Default-First-Site-Name";
2138 q1.blob2.length = 0;
2140 q1.blob2.data = NULL;
2141 q1.product.string = "product string";
2143 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
2145 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2146 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2147 torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
2149 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call\n");
2150 creds_client_authenticator(creds, &a);
2152 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2153 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2154 torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
2160 static void async_callback(struct rpc_request *req)
2162 int *counter = (int *)req->async.private_data;
2163 if (NT_STATUS_IS_OK(req->status)) {
2168 static bool test_GetDomainInfo_async(struct torture_context *tctx,
2169 struct dcerpc_pipe *p,
2170 struct cli_credentials *machine_credentials)
2173 struct netr_LogonGetDomainInfo r;
2174 struct netr_DomainQuery1 q1;
2175 struct netr_Authenticator a;
2176 #define ASYNC_COUNT 100
2177 struct creds_CredentialState *creds;
2178 struct creds_CredentialState *creds_async[ASYNC_COUNT];
2179 struct rpc_request *req[ASYNC_COUNT];
2181 int *async_counter = talloc(tctx, int);
2182 union netr_DomainInfo info;
2184 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2185 machine_credentials, &creds)) {
2190 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2191 r.in.computer_name = TEST_MACHINE_NAME;
2193 r.in.credential = &a;
2194 r.in.return_authenticator = &a;
2195 r.out.return_authenticator = &a;
2198 r.in.query.query1 = &q1;
2201 /* this should really be the fully qualified name */
2202 q1.workstation_domain = TEST_MACHINE_NAME;
2203 q1.workstation_site = "Default-First-Site-Name";
2204 q1.blob2.length = 0;
2206 q1.blob2.data = NULL;
2207 q1.product.string = "product string";
2209 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
2213 for (i=0;i<ASYNC_COUNT;i++) {
2214 creds_client_authenticator(creds, &a);
2216 creds_async[i] = (struct creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
2217 req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r);
2219 req[i]->async.callback = async_callback;
2220 req[i]->async.private_data = async_counter;
2222 /* even with this flush per request a w2k3 server seems to
2223 clag with multiple outstanding requests. bleergh. */
2224 torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0,
2225 "event_loop_once failed");
2228 for (i=0;i<ASYNC_COUNT;i++) {
2229 status = dcerpc_ndr_request_recv(req[i]);
2231 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
2232 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
2234 torture_assert(tctx, creds_client_check(creds_async[i], &a.cred),
2235 "Credential chaining failed at async");
2238 torture_comment(tctx,
2239 "Testing netr_LogonGetDomainInfo - async count %d OK\n", *async_counter);
2241 torture_assert_int_equal(tctx, (*async_counter), ASYNC_COUNT, "int");
2246 static bool test_ManyGetDCName(struct torture_context *tctx,
2247 struct dcerpc_pipe *p)
2250 struct dcerpc_pipe *p2;
2251 struct lsa_ObjectAttribute attr;
2252 struct lsa_QosInfo qos;
2253 struct lsa_OpenPolicy2 o;
2254 struct policy_handle lsa_handle;
2255 struct lsa_DomainList domains;
2257 struct lsa_EnumTrustDom t;
2258 uint32_t resume_handle = 0;
2259 struct netr_GetAnyDCName d;
2260 const char *dcname = NULL;
2264 if (p->conn->transport.transport != NCACN_NP) {
2268 torture_comment(tctx, "Torturing GetDCName\n");
2270 status = dcerpc_secondary_connection(p, &p2, p->binding);
2271 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
2273 status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
2274 torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
2277 qos.impersonation_level = 2;
2278 qos.context_mode = 1;
2279 qos.effective_only = 0;
2282 attr.root_dir = NULL;
2283 attr.object_name = NULL;
2284 attr.attributes = 0;
2285 attr.sec_desc = NULL;
2286 attr.sec_qos = &qos;
2288 o.in.system_name = "\\";
2290 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2291 o.out.handle = &lsa_handle;
2293 status = dcerpc_lsa_OpenPolicy2(p2, tctx, &o);
2294 torture_assert_ntstatus_ok(tctx, status, "OpenPolicy2 failed");
2296 t.in.handle = &lsa_handle;
2297 t.in.resume_handle = &resume_handle;
2298 t.in.max_size = 1000;
2299 t.out.domains = &domains;
2300 t.out.resume_handle = &resume_handle;
2302 status = dcerpc_lsa_EnumTrustDom(p2, tctx, &t);
2304 if ((!NT_STATUS_IS_OK(status) &&
2305 (!NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES))))
2306 torture_fail(tctx, "Could not list domains");
2310 d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
2311 dcerpc_server_name(p));
2312 d.out.dcname = &dcname;
2314 for (i=0; i<domains.count * 4; i++) {
2315 struct lsa_DomainInfo *info =
2316 &domains.domains[rand()%domains.count];
2318 d.in.domainname = info->name.string;
2320 status = dcerpc_netr_GetAnyDCName(p, tctx, &d);
2321 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2323 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
2324 dcname ? dcname : "unknown");
2330 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
2332 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
2333 struct torture_rpc_tcase *tcase;
2334 struct torture_test *test;
2336 tcase = torture_suite_add_machine_rpc_iface_tcase(suite, "netlogon",
2337 &ndr_table_netlogon, TEST_MACHINE_NAME);
2339 torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
2340 torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
2341 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
2342 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
2343 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
2344 torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
2345 torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
2346 torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
2347 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
2348 torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
2349 torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
2350 torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
2351 torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
2352 torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
2353 torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
2354 torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
2355 torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
2356 torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
2357 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
2358 torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2359 torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
2360 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
2361 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
2362 test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
2363 test->dangerous = true;
2364 torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
2365 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
2366 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
2367 torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
2368 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
2369 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
2370 torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);