2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "torture/torture.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/gensec/gensec.h"
29 #include "lib/cmdline/popt_common.h"
30 #include "torture/rpc/rpc.h"
31 #include "torture/rpc/netlogon.h"
32 #include "../lib/crypto/crypto.h"
33 #include "libcli/auth/libcli_auth.h"
34 #include "librpc/gen_ndr/ndr_netlogon_c.h"
35 #include "librpc/gen_ndr/ndr_netlogon.h"
36 #include "librpc/gen_ndr/ndr_lsa_c.h"
37 #include "param/param.h"
38 #include "libcli/security/security.h"
40 #define TEST_MACHINE_NAME "torturetest"
42 static bool test_LogonUasLogon(struct torture_context *tctx,
43 struct dcerpc_pipe *p)
46 struct netr_LogonUasLogon r;
47 struct netr_UasInfo *info = NULL;
49 r.in.server_name = NULL;
50 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
51 r.in.workstation = TEST_MACHINE_NAME;
54 status = dcerpc_netr_LogonUasLogon(p, tctx, &r);
55 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
60 static bool test_LogonUasLogoff(struct torture_context *tctx,
61 struct dcerpc_pipe *p)
64 struct netr_LogonUasLogoff r;
65 struct netr_UasLogoffInfo info;
67 r.in.server_name = NULL;
68 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
69 r.in.workstation = TEST_MACHINE_NAME;
72 status = dcerpc_netr_LogonUasLogoff(p, tctx, &r);
73 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
78 static bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
79 struct cli_credentials *credentials,
80 struct creds_CredentialState **creds_out)
83 struct netr_ServerReqChallenge r;
84 struct netr_ServerAuthenticate a;
85 struct netr_Credential credentials1, credentials2, credentials3;
86 struct creds_CredentialState *creds;
87 const struct samr_Password *mach_password;
88 const char *machine_name;
90 mach_password = cli_credentials_get_nt_hash(credentials, tctx);
91 machine_name = cli_credentials_get_workstation(credentials);
93 torture_comment(tctx, "Testing ServerReqChallenge\n");
95 creds = talloc(tctx, struct creds_CredentialState);
96 torture_assert(tctx, creds != NULL, "memory allocation");
98 r.in.server_name = NULL;
99 r.in.computer_name = machine_name;
100 r.in.credentials = &credentials1;
101 r.out.return_credentials = &credentials2;
103 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
105 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
106 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
108 a.in.server_name = NULL;
109 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
110 a.in.secure_channel_type = SEC_CHAN_BDC;
111 a.in.computer_name = machine_name;
112 a.in.credentials = &credentials3;
113 a.out.return_credentials = &credentials3;
115 creds_client_init(creds, &credentials1, &credentials2,
116 mach_password, &credentials3,
119 torture_comment(tctx, "Testing ServerAuthenticate\n");
121 status = dcerpc_netr_ServerAuthenticate(p, tctx, &a);
123 /* This allows the tests to continue against the more fussy windows 2008 */
124 if (NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED)) {
125 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
126 credentials, SEC_CHAN_BDC, creds_out);
129 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
131 torture_assert(tctx, creds_client_check(creds, &credentials3),
132 "Credential chaining failed");
138 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
139 uint32_t negotiate_flags,
140 struct cli_credentials *machine_credentials,
142 struct creds_CredentialState **creds_out)
145 struct netr_ServerReqChallenge r;
146 struct netr_ServerAuthenticate2 a;
147 struct netr_Credential credentials1, credentials2, credentials3;
148 struct creds_CredentialState *creds;
149 const struct samr_Password *mach_password;
150 const char *machine_name;
151 const char *plain_pass;
153 mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
154 machine_name = cli_credentials_get_workstation(machine_credentials);
156 torture_comment(tctx, "Testing ServerReqChallenge\n");
158 creds = talloc(tctx, struct creds_CredentialState);
159 torture_assert(tctx, creds != NULL, "memory allocation");
161 r.in.server_name = NULL;
162 r.in.computer_name = machine_name;
163 r.in.credentials = &credentials1;
164 r.out.return_credentials = &credentials2;
166 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
168 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
169 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
171 a.in.server_name = NULL;
172 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
173 a.in.secure_channel_type = sec_chan_type;
174 a.in.computer_name = machine_name;
175 a.in.negotiate_flags = &negotiate_flags;
176 a.out.negotiate_flags = &negotiate_flags;
177 a.in.credentials = &credentials3;
178 a.out.return_credentials = &credentials3;
180 creds_client_init(creds, &credentials1, &credentials2,
181 mach_password, &credentials3,
184 torture_comment(tctx, "Testing ServerAuthenticate2\n");
186 status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a);
187 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2");
189 torture_assert(tctx, creds_client_check(creds, &credentials3),
190 "Credential chaining failed");
192 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
199 static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
200 uint32_t negotiate_flags,
201 struct cli_credentials *machine_credentials,
202 struct creds_CredentialState **creds_out)
205 struct netr_ServerReqChallenge r;
206 struct netr_ServerAuthenticate3 a;
207 struct netr_Credential credentials1, credentials2, credentials3;
208 struct creds_CredentialState *creds;
209 struct samr_Password mach_password;
211 const char *machine_name;
212 const char *plain_pass;
214 machine_name = cli_credentials_get_workstation(machine_credentials);
215 plain_pass = cli_credentials_get_password(machine_credentials);
217 torture_comment(tctx, "Testing ServerReqChallenge\n");
219 creds = talloc(tctx, struct creds_CredentialState);
220 torture_assert(tctx, creds != NULL, "memory allocation");
222 r.in.server_name = NULL;
223 r.in.computer_name = machine_name;
224 r.in.credentials = &credentials1;
225 r.out.return_credentials = &credentials2;
227 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
229 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
230 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
232 E_md4hash(plain_pass, mach_password.hash);
234 a.in.server_name = NULL;
235 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
236 a.in.secure_channel_type = SEC_CHAN_BDC;
237 a.in.computer_name = machine_name;
238 a.in.negotiate_flags = &negotiate_flags;
239 a.in.credentials = &credentials3;
240 a.out.return_credentials = &credentials3;
241 a.out.negotiate_flags = &negotiate_flags;
244 creds_client_init(creds, &credentials1, &credentials2,
245 &mach_password, &credentials3,
248 torture_comment(tctx, "Testing ServerAuthenticate3\n");
250 status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
251 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
252 torture_assert(tctx, creds_client_check(creds, &credentials3), "Credential chaining failed");
254 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
256 /* Prove that requesting a challenge again won't break it */
257 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
258 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
265 try a change password for our machine account
267 static bool test_SetPassword(struct torture_context *tctx,
268 struct dcerpc_pipe *p,
269 struct cli_credentials *machine_credentials)
272 struct netr_ServerPasswordSet r;
273 const char *password;
274 struct creds_CredentialState *creds;
275 struct netr_Authenticator credential, return_authenticator;
276 struct samr_Password new_password;
278 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
282 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
283 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
284 r.in.secure_channel_type = SEC_CHAN_BDC;
285 r.in.computer_name = TEST_MACHINE_NAME;
286 r.in.credential = &credential;
287 r.in.new_password = &new_password;
288 r.out.return_authenticator = &return_authenticator;
290 password = generate_random_str(tctx, 8);
291 E_md4hash(password, new_password.hash);
293 creds_des_encrypt(creds, &new_password);
295 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
296 torture_comment(tctx, "Changing machine account password to '%s'\n",
299 creds_client_authenticator(creds, &credential);
301 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
302 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
304 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
305 torture_comment(tctx, "Credential chaining failed\n");
308 /* by changing the machine password twice we test the
309 credentials chaining fully, and we verify that the server
310 allows the password to be set to the same value twice in a
311 row (match win2k3) */
312 torture_comment(tctx,
313 "Testing a second ServerPasswordSet on machine account\n");
314 torture_comment(tctx,
315 "Changing machine account password to '%s' (same as previous run)\n", password);
317 creds_client_authenticator(creds, &credential);
319 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
320 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
322 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
323 torture_comment(tctx, "Credential chaining failed\n");
326 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
329 test_SetupCredentials(p, tctx, machine_credentials, &creds),
330 "ServerPasswordSet failed to actually change the password");
336 generate a random password for password change tests
338 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
341 DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
342 generate_random_buffer(password.data, password.length);
344 for (i=0; i < len; i++) {
345 if (((uint16_t *)password.data)[i] == 0) {
346 ((uint16_t *)password.data)[i] = 1;
354 try a change password for our machine account
356 static bool test_SetPassword2(struct torture_context *tctx,
357 struct dcerpc_pipe *p,
358 struct cli_credentials *machine_credentials)
361 struct netr_ServerPasswordSet2 r;
362 const char *password;
363 DATA_BLOB new_random_pass;
364 struct creds_CredentialState *creds;
365 struct samr_CryptPassword password_buf;
366 struct samr_Password nt_hash;
367 struct netr_Authenticator credential, return_authenticator;
368 struct netr_CryptPassword new_password;
370 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
374 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
375 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
376 r.in.secure_channel_type = SEC_CHAN_BDC;
377 r.in.computer_name = TEST_MACHINE_NAME;
378 r.in.credential = &credential;
379 r.in.new_password = &new_password;
380 r.out.return_authenticator = &return_authenticator;
382 password = generate_random_str(tctx, 8);
383 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
384 creds_arcfour_crypt(creds, password_buf.data, 516);
386 memcpy(new_password.data, password_buf.data, 512);
387 new_password.length = IVAL(password_buf.data, 512);
389 torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
390 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
392 creds_client_authenticator(creds, &credential);
394 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
395 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
397 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
398 torture_comment(tctx, "Credential chaining failed\n");
401 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
403 if (!torture_setting_bool(tctx, "dangerous", false)) {
404 torture_comment(tctx,
405 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
407 /* by changing the machine password to ""
408 * we check if the server uses password restrictions
409 * for ServerPasswordSet2
410 * (win2k3 accepts "")
413 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
414 creds_arcfour_crypt(creds, password_buf.data, 516);
416 memcpy(new_password.data, password_buf.data, 512);
417 new_password.length = IVAL(password_buf.data, 512);
419 torture_comment(tctx,
420 "Testing ServerPasswordSet2 on machine account\n");
421 torture_comment(tctx,
422 "Changing machine account password to '%s'\n", password);
424 creds_client_authenticator(creds, &credential);
426 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
427 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
429 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
430 torture_comment(tctx, "Credential chaining failed\n");
433 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
436 torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
437 "ServerPasswordSet failed to actually change the password");
439 /* now try a random password */
440 password = generate_random_str(tctx, 8);
441 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
442 creds_arcfour_crypt(creds, password_buf.data, 516);
444 memcpy(new_password.data, password_buf.data, 512);
445 new_password.length = IVAL(password_buf.data, 512);
447 torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
448 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
450 creds_client_authenticator(creds, &credential);
452 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
453 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)");
455 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
456 torture_comment(tctx, "Credential chaining failed\n");
459 /* by changing the machine password twice we test the
460 credentials chaining fully, and we verify that the server
461 allows the password to be set to the same value twice in a
462 row (match win2k3) */
463 torture_comment(tctx,
464 "Testing a second ServerPasswordSet2 on machine account\n");
465 torture_comment(tctx,
466 "Changing machine account password to '%s' (same as previous run)\n", password);
468 creds_client_authenticator(creds, &credential);
470 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
471 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
473 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
474 torture_comment(tctx, "Credential chaining failed\n");
477 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
479 torture_assert (tctx,
480 test_SetupCredentials(p, tctx, machine_credentials, &creds),
481 "ServerPasswordSet failed to actually change the password");
483 new_random_pass = netlogon_very_rand_pass(tctx, 128);
485 /* now try a random stream of bytes for a password */
486 set_pw_in_buffer(password_buf.data, &new_random_pass);
488 creds_arcfour_crypt(creds, password_buf.data, 516);
490 memcpy(new_password.data, password_buf.data, 512);
491 new_password.length = IVAL(password_buf.data, 512);
493 torture_comment(tctx,
494 "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
496 creds_client_authenticator(creds, &credential);
498 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
499 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
501 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
502 torture_comment(tctx, "Credential chaining failed\n");
505 mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
507 cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
508 cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
510 torture_assert (tctx,
511 test_SetupCredentials(p, tctx, machine_credentials, &creds),
512 "ServerPasswordSet failed to actually change the password");
517 static bool test_GetPassword(struct torture_context *tctx,
518 struct dcerpc_pipe *p,
519 struct cli_credentials *machine_credentials)
521 struct netr_ServerPasswordGet r;
522 struct creds_CredentialState *creds;
523 struct netr_Authenticator credential;
525 struct netr_Authenticator return_authenticator;
526 struct samr_Password password;
528 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
532 creds_client_authenticator(creds, &credential);
534 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
535 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
536 r.in.secure_channel_type = SEC_CHAN_BDC;
537 r.in.computer_name = TEST_MACHINE_NAME;
538 r.in.credential = &credential;
539 r.out.return_authenticator = &return_authenticator;
540 r.out.password = &password;
542 status = dcerpc_netr_ServerPasswordGet(p, tctx, &r);
543 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
548 static bool test_GetTrustPasswords(struct torture_context *tctx,
549 struct dcerpc_pipe *p,
550 struct cli_credentials *machine_credentials)
552 struct netr_ServerTrustPasswordsGet r;
553 struct creds_CredentialState *creds;
554 struct netr_Authenticator credential;
556 struct netr_Authenticator return_authenticator;
557 struct samr_Password password, password2;
559 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
563 creds_client_authenticator(creds, &credential);
565 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
566 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
567 r.in.secure_channel_type = SEC_CHAN_BDC;
568 r.in.computer_name = TEST_MACHINE_NAME;
569 r.in.credential = &credential;
570 r.out.return_authenticator = &return_authenticator;
571 r.out.password = &password;
572 r.out.password2 = &password2;
574 status = dcerpc_netr_ServerTrustPasswordsGet(p, tctx, &r);
575 torture_assert_ntstatus_ok(tctx, status, "ServerTrustPasswordsGet");
581 try a netlogon SamLogon
583 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
584 struct cli_credentials *credentials,
585 struct creds_CredentialState *creds)
588 struct netr_LogonSamLogon r;
589 struct netr_Authenticator auth, auth2;
590 union netr_LogonLevel logon;
591 union netr_Validation validation;
592 uint8_t authoritative;
593 struct netr_NetworkInfo ninfo;
594 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
596 int flags = CLI_CRED_NTLM_AUTH;
597 if (lp_client_lanman_auth(tctx->lp_ctx)) {
598 flags |= CLI_CRED_LANMAN_AUTH;
601 if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
602 flags |= CLI_CRED_NTLMv2_AUTH;
605 cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
606 &ninfo.identity_info.account_name.string,
607 &ninfo.identity_info.domain_name.string);
609 generate_random_buffer(ninfo.challenge,
610 sizeof(ninfo.challenge));
611 chal = data_blob_const(ninfo.challenge,
612 sizeof(ninfo.challenge));
614 names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
615 cli_credentials_get_domain(credentials));
617 status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
623 torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
625 ninfo.lm.data = lm_resp.data;
626 ninfo.lm.length = lm_resp.length;
628 ninfo.nt.data = nt_resp.data;
629 ninfo.nt.length = nt_resp.length;
631 ninfo.identity_info.parameter_control = 0;
632 ninfo.identity_info.logon_id_low = 0;
633 ninfo.identity_info.logon_id_high = 0;
634 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
636 logon.network = &ninfo;
638 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
639 r.in.computer_name = cli_credentials_get_workstation(credentials);
640 r.in.credential = &auth;
641 r.in.return_authenticator = &auth2;
642 r.in.logon_level = 2;
644 r.out.validation = &validation;
645 r.out.authoritative = &authoritative;
647 d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
651 creds_client_authenticator(creds, &auth);
653 r.in.validation_level = i;
655 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
656 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
658 torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
659 "Credential chaining failed");
662 r.in.credential = NULL;
666 r.in.validation_level = i;
668 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
670 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
671 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
672 "LogonSamLogon expected INVALID_PARAMETER");
680 try a netlogon SamLogon
682 static bool test_SamLogon(struct torture_context *tctx,
683 struct dcerpc_pipe *p,
684 struct cli_credentials *credentials)
686 struct creds_CredentialState *creds;
688 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
692 return test_netlogon_ops(p, tctx, credentials, creds);
695 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
696 static uint64_t sequence_nums[3];
699 try a netlogon DatabaseSync
701 static bool test_DatabaseSync(struct torture_context *tctx,
702 struct dcerpc_pipe *p,
703 struct cli_credentials *machine_credentials)
706 struct netr_DatabaseSync r;
707 struct creds_CredentialState *creds;
708 const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
710 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
711 struct netr_Authenticator credential, return_authenticator;
713 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
717 ZERO_STRUCT(return_authenticator);
719 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
720 r.in.computername = TEST_MACHINE_NAME;
721 r.in.preferredmaximumlength = (uint32_t)-1;
722 r.in.return_authenticator = &return_authenticator;
723 r.out.delta_enum_array = &delta_enum_array;
724 r.out.return_authenticator = &return_authenticator;
726 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
728 uint32_t sync_context = 0;
730 r.in.database_id = database_ids[i];
731 r.in.sync_context = &sync_context;
732 r.out.sync_context = &sync_context;
734 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
737 creds_client_authenticator(creds, &credential);
739 r.in.credential = &credential;
741 status = dcerpc_netr_DatabaseSync(p, tctx, &r);
742 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
745 /* Native mode servers don't do this */
746 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
749 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync");
751 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
752 torture_comment(tctx, "Credential chaining failed\n");
755 if (delta_enum_array &&
756 delta_enum_array->num_deltas > 0 &&
757 delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
758 delta_enum_array->delta_enum[0].delta_union.domain) {
759 sequence_nums[r.in.database_id] =
760 delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
761 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
763 (unsigned long long)sequence_nums[r.in.database_id]);
765 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
773 try a netlogon DatabaseDeltas
775 static bool test_DatabaseDeltas(struct torture_context *tctx,
776 struct dcerpc_pipe *p,
777 struct cli_credentials *machine_credentials)
780 struct netr_DatabaseDeltas r;
781 struct creds_CredentialState *creds;
782 struct netr_Authenticator credential;
783 struct netr_Authenticator return_authenticator;
784 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
785 const uint32_t database_ids[] = {0, 1, 2};
788 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
792 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
793 r.in.computername = TEST_MACHINE_NAME;
794 r.in.preferredmaximumlength = (uint32_t)-1;
795 ZERO_STRUCT(r.in.return_authenticator);
796 r.out.return_authenticator = &return_authenticator;
797 r.out.delta_enum_array = &delta_enum_array;
799 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
800 r.in.database_id = database_ids[i];
801 r.in.sequence_num = &sequence_nums[r.in.database_id];
803 if (*r.in.sequence_num == 0) continue;
805 *r.in.sequence_num -= 1;
807 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
808 r.in.database_id, (unsigned long long)*r.in.sequence_num);
811 creds_client_authenticator(creds, &credential);
813 status = dcerpc_netr_DatabaseDeltas(p, tctx, &r);
814 if (NT_STATUS_EQUAL(status,
815 NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
816 torture_comment(tctx, "not considering %s to be an error\n",
820 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
823 torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas");
825 if (!creds_client_check(creds, &return_authenticator.cred)) {
826 torture_comment(tctx, "Credential chaining failed\n");
829 (*r.in.sequence_num)++;
830 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
836 static bool test_DatabaseRedo(struct torture_context *tctx,
837 struct dcerpc_pipe *p,
838 struct cli_credentials *machine_credentials)
841 struct netr_DatabaseRedo r;
842 struct creds_CredentialState *creds;
843 struct netr_Authenticator credential;
844 struct netr_Authenticator return_authenticator;
845 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
846 struct netr_ChangeLogEntry e;
847 struct dom_sid null_sid, *sid;
850 ZERO_STRUCT(null_sid);
852 sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
863 NTSTATUS expected_error;
864 uint32_t expected_num_results;
865 uint8_t expected_delta_type_1;
866 uint8_t expected_delta_type_2;
870 /* SAM_DATABASE_DOMAIN */
875 .db_index = SAM_DATABASE_DOMAIN,
876 .delta_type = NETR_DELTA_MODIFY_COUNT,
879 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
880 .expected_num_results = 0,
881 .comment = "NETR_DELTA_MODIFY_COUNT"
886 .db_index = SAM_DATABASE_DOMAIN,
890 .expected_error = NT_STATUS_OK,
891 .expected_num_results = 1,
892 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
893 .comment = "NULL DELTA"
898 .db_index = SAM_DATABASE_DOMAIN,
899 .delta_type = NETR_DELTA_DOMAIN,
902 .expected_error = NT_STATUS_OK,
903 .expected_num_results = 1,
904 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
905 .comment = "NETR_DELTA_DOMAIN"
908 .rid = DOMAIN_RID_ADMINISTRATOR,
910 .db_index = SAM_DATABASE_DOMAIN,
911 .delta_type = NETR_DELTA_USER,
914 .expected_error = NT_STATUS_OK,
915 .expected_num_results = 1,
916 .expected_delta_type_1 = NETR_DELTA_USER,
917 .comment = "NETR_DELTA_USER by rid 500"
920 .rid = DOMAIN_RID_GUEST,
922 .db_index = SAM_DATABASE_DOMAIN,
923 .delta_type = NETR_DELTA_USER,
926 .expected_error = NT_STATUS_OK,
927 .expected_num_results = 1,
928 .expected_delta_type_1 = NETR_DELTA_USER,
929 .comment = "NETR_DELTA_USER by rid 501"
933 .flags = NETR_CHANGELOG_SID_INCLUDED,
934 .db_index = SAM_DATABASE_DOMAIN,
935 .delta_type = NETR_DELTA_USER,
938 .expected_error = NT_STATUS_OK,
939 .expected_num_results = 1,
940 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
941 .comment = "NETR_DELTA_USER by sid and flags"
945 .flags = NETR_CHANGELOG_SID_INCLUDED,
946 .db_index = SAM_DATABASE_DOMAIN,
947 .delta_type = NETR_DELTA_USER,
950 .expected_error = NT_STATUS_OK,
951 .expected_num_results = 1,
952 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
953 .comment = "NETR_DELTA_USER by null_sid and flags"
957 .flags = NETR_CHANGELOG_NAME_INCLUDED,
958 .db_index = SAM_DATABASE_DOMAIN,
959 .delta_type = NETR_DELTA_USER,
961 .name = "administrator",
962 .expected_error = NT_STATUS_OK,
963 .expected_num_results = 1,
964 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
965 .comment = "NETR_DELTA_USER by name 'administrator'"
968 .rid = DOMAIN_RID_ADMINS,
970 .db_index = SAM_DATABASE_DOMAIN,
971 .delta_type = NETR_DELTA_GROUP,
974 .expected_error = NT_STATUS_OK,
975 .expected_num_results = 2,
976 .expected_delta_type_1 = NETR_DELTA_GROUP,
977 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
978 .comment = "NETR_DELTA_GROUP by rid 512"
981 .rid = DOMAIN_RID_ADMINS,
983 .db_index = SAM_DATABASE_DOMAIN,
984 .delta_type = NETR_DELTA_GROUP_MEMBER,
987 .expected_error = NT_STATUS_OK,
988 .expected_num_results = 2,
989 .expected_delta_type_1 = NETR_DELTA_GROUP,
990 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
991 .comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
995 /* SAM_DATABASE_BUILTIN */
1000 .db_index = SAM_DATABASE_BUILTIN,
1001 .delta_type = NETR_DELTA_MODIFY_COUNT,
1004 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1005 .expected_num_results = 0,
1006 .comment = "NETR_DELTA_MODIFY_COUNT"
1011 .db_index = SAM_DATABASE_BUILTIN,
1012 .delta_type = NETR_DELTA_DOMAIN,
1015 .expected_error = NT_STATUS_OK,
1016 .expected_num_results = 1,
1017 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1018 .comment = "NETR_DELTA_DOMAIN"
1021 .rid = DOMAIN_RID_ADMINISTRATOR,
1023 .db_index = SAM_DATABASE_BUILTIN,
1024 .delta_type = NETR_DELTA_USER,
1027 .expected_error = NT_STATUS_OK,
1028 .expected_num_results = 1,
1029 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1030 .comment = "NETR_DELTA_USER by rid 500"
1035 .db_index = SAM_DATABASE_BUILTIN,
1036 .delta_type = NETR_DELTA_USER,
1039 .expected_error = NT_STATUS_OK,
1040 .expected_num_results = 1,
1041 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1042 .comment = "NETR_DELTA_USER"
1047 .db_index = SAM_DATABASE_BUILTIN,
1048 .delta_type = NETR_DELTA_ALIAS,
1051 .expected_error = NT_STATUS_OK,
1052 .expected_num_results = 2,
1053 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1054 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1055 .comment = "NETR_DELTA_ALIAS by rid 544"
1060 .db_index = SAM_DATABASE_BUILTIN,
1061 .delta_type = NETR_DELTA_ALIAS_MEMBER,
1064 .expected_error = NT_STATUS_OK,
1065 .expected_num_results = 2,
1066 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1067 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1068 .comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1073 .db_index = SAM_DATABASE_BUILTIN,
1077 .expected_error = NT_STATUS_OK,
1078 .expected_num_results = 1,
1079 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1080 .comment = "NULL DELTA by rid 544"
1084 .flags = NETR_CHANGELOG_SID_INCLUDED,
1085 .db_index = SAM_DATABASE_BUILTIN,
1087 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1089 .expected_error = NT_STATUS_OK,
1090 .expected_num_results = 1,
1091 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1092 .comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1096 .flags = NETR_CHANGELOG_SID_INCLUDED,
1097 .db_index = SAM_DATABASE_BUILTIN,
1098 .delta_type = NETR_DELTA_ALIAS,
1099 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1101 .expected_error = NT_STATUS_OK,
1102 .expected_num_results = 2,
1103 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1104 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1105 .comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1109 .flags = NETR_CHANGELOG_SID_INCLUDED,
1110 .db_index = SAM_DATABASE_BUILTIN,
1111 .delta_type = NETR_DELTA_ALIAS,
1112 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1114 .expected_error = NT_STATUS_OK,
1115 .expected_num_results = 1,
1116 .expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
1117 .comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1120 /* SAM_DATABASE_PRIVS */
1125 .db_index = SAM_DATABASE_PRIVS,
1129 .expected_error = NT_STATUS_ACCESS_DENIED,
1130 .expected_num_results = 0,
1131 .comment = "NULL DELTA"
1136 .db_index = SAM_DATABASE_PRIVS,
1137 .delta_type = NETR_DELTA_MODIFY_COUNT,
1140 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1141 .expected_num_results = 0,
1142 .comment = "NETR_DELTA_MODIFY_COUNT"
1147 .db_index = SAM_DATABASE_PRIVS,
1148 .delta_type = NETR_DELTA_POLICY,
1151 .expected_error = NT_STATUS_OK,
1152 .expected_num_results = 1,
1153 .expected_delta_type_1 = NETR_DELTA_POLICY,
1154 .comment = "NETR_DELTA_POLICY"
1158 .flags = NETR_CHANGELOG_SID_INCLUDED,
1159 .db_index = SAM_DATABASE_PRIVS,
1160 .delta_type = NETR_DELTA_POLICY,
1163 .expected_error = NT_STATUS_OK,
1164 .expected_num_results = 1,
1165 .expected_delta_type_1 = NETR_DELTA_POLICY,
1166 .comment = "NETR_DELTA_POLICY by null sid and flags"
1170 .flags = NETR_CHANGELOG_SID_INCLUDED,
1171 .db_index = SAM_DATABASE_PRIVS,
1172 .delta_type = NETR_DELTA_POLICY,
1173 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1175 .expected_error = NT_STATUS_OK,
1176 .expected_num_results = 1,
1177 .expected_delta_type_1 = NETR_DELTA_POLICY,
1178 .comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1181 .rid = DOMAIN_RID_ADMINISTRATOR,
1183 .db_index = SAM_DATABASE_PRIVS,
1184 .delta_type = NETR_DELTA_ACCOUNT,
1187 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1188 .expected_num_results = 0,
1189 .comment = "NETR_DELTA_ACCOUNT by rid 500"
1193 .flags = NETR_CHANGELOG_SID_INCLUDED,
1194 .db_index = SAM_DATABASE_PRIVS,
1195 .delta_type = NETR_DELTA_ACCOUNT,
1196 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1198 .expected_error = NT_STATUS_OK,
1199 .expected_num_results = 1,
1200 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1201 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1205 .flags = NETR_CHANGELOG_SID_INCLUDED |
1206 NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1207 .db_index = SAM_DATABASE_PRIVS,
1208 .delta_type = NETR_DELTA_ACCOUNT,
1209 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1211 .expected_error = NT_STATUS_OK,
1212 .expected_num_results = 1,
1213 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1214 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1218 .flags = NETR_CHANGELOG_SID_INCLUDED |
1219 NETR_CHANGELOG_NAME_INCLUDED,
1220 .db_index = SAM_DATABASE_PRIVS,
1221 .delta_type = NETR_DELTA_ACCOUNT,
1222 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1224 .expected_error = NT_STATUS_INVALID_PARAMETER,
1225 .expected_num_results = 0,
1226 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1229 .rid = DOMAIN_RID_ADMINISTRATOR,
1230 .flags = NETR_CHANGELOG_SID_INCLUDED,
1231 .db_index = SAM_DATABASE_PRIVS,
1232 .delta_type = NETR_DELTA_ACCOUNT,
1235 .expected_error = NT_STATUS_OK,
1236 .expected_num_results = 1,
1237 .expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
1238 .comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1242 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1243 .db_index = SAM_DATABASE_PRIVS,
1244 .delta_type = NETR_DELTA_SECRET,
1246 .name = "IsurelydontexistIhope",
1247 .expected_error = NT_STATUS_OK,
1248 .expected_num_results = 1,
1249 .expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
1250 .comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1254 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1255 .db_index = SAM_DATABASE_PRIVS,
1256 .delta_type = NETR_DELTA_SECRET,
1258 .name = "G$BCKUPKEY_P",
1259 .expected_error = NT_STATUS_OK,
1260 .expected_num_results = 1,
1261 .expected_delta_type_1 = NETR_DELTA_SECRET,
1262 .comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1266 ZERO_STRUCT(return_authenticator);
1268 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1269 r.in.computername = TEST_MACHINE_NAME;
1270 r.in.return_authenticator = &return_authenticator;
1271 r.out.return_authenticator = &return_authenticator;
1272 r.out.delta_enum_array = &delta_enum_array;
1274 for (d=0; d<3; d++) {
1276 const char *database;
1283 database = "BUILTIN";
1292 torture_comment(tctx, "Testing DatabaseRedo\n");
1294 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1298 for (i=0;i<ARRAY_SIZE(changes);i++) {
1300 if (d != changes[i].db_index) {
1304 creds_client_authenticator(creds, &credential);
1306 r.in.credential = &credential;
1308 e.serial_number1 = 0;
1309 e.serial_number2 = 0;
1310 e.object_rid = changes[i].rid;
1311 e.flags = changes[i].flags;
1312 e.db_index = changes[i].db_index;
1313 e.delta_type = changes[i].delta_type;
1315 switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1316 case NETR_CHANGELOG_SID_INCLUDED:
1317 e.object.object_sid = changes[i].sid;
1319 case NETR_CHANGELOG_NAME_INCLUDED:
1320 e.object.object_name = changes[i].name;
1326 r.in.change_log_entry = e;
1328 torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1329 database, changes[i].comment);
1331 status = dcerpc_netr_DatabaseRedo(p, tctx, &r);
1332 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1336 torture_assert_ntstatus_equal(tctx, status, changes[i].expected_error, changes[i].comment);
1337 if (delta_enum_array) {
1338 torture_assert_int_equal(tctx,
1339 delta_enum_array->num_deltas,
1340 changes[i].expected_num_results,
1341 changes[i].comment);
1342 if (delta_enum_array->num_deltas > 0) {
1343 torture_assert_int_equal(tctx,
1344 delta_enum_array->delta_enum[0].delta_type,
1345 changes[i].expected_delta_type_1,
1346 changes[i].comment);
1348 if (delta_enum_array->num_deltas > 1) {
1349 torture_assert_int_equal(tctx,
1350 delta_enum_array->delta_enum[1].delta_type,
1351 changes[i].expected_delta_type_2,
1352 changes[i].comment);
1356 if (!creds_client_check(creds, &return_authenticator.cred)) {
1357 torture_comment(tctx, "Credential chaining failed\n");
1358 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1370 try a netlogon AccountDeltas
1372 static bool test_AccountDeltas(struct torture_context *tctx,
1373 struct dcerpc_pipe *p,
1374 struct cli_credentials *machine_credentials)
1377 struct netr_AccountDeltas r;
1378 struct creds_CredentialState *creds;
1380 struct netr_AccountBuffer buffer;
1381 uint32_t count_returned = 0;
1382 uint32_t total_entries = 0;
1383 struct netr_UAS_INFO_0 recordid;
1384 struct netr_Authenticator return_authenticator;
1386 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1390 ZERO_STRUCT(return_authenticator);
1392 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1393 r.in.computername = TEST_MACHINE_NAME;
1394 r.in.return_authenticator = &return_authenticator;
1395 creds_client_authenticator(creds, &r.in.credential);
1396 ZERO_STRUCT(r.in.uas);
1399 r.in.buffersize=100;
1400 r.out.buffer = &buffer;
1401 r.out.count_returned = &count_returned;
1402 r.out.total_entries = &total_entries;
1403 r.out.recordid = &recordid;
1404 r.out.return_authenticator = &return_authenticator;
1406 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1407 status = dcerpc_netr_AccountDeltas(p, tctx, &r);
1408 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1414 try a netlogon AccountSync
1416 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
1417 struct cli_credentials *machine_credentials)
1420 struct netr_AccountSync r;
1421 struct creds_CredentialState *creds;
1423 struct netr_AccountBuffer buffer;
1424 uint32_t count_returned = 0;
1425 uint32_t total_entries = 0;
1426 uint32_t next_reference = 0;
1427 struct netr_UAS_INFO_0 recordid;
1428 struct netr_Authenticator return_authenticator;
1430 ZERO_STRUCT(recordid);
1431 ZERO_STRUCT(return_authenticator);
1433 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1437 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1438 r.in.computername = TEST_MACHINE_NAME;
1439 r.in.return_authenticator = &return_authenticator;
1440 creds_client_authenticator(creds, &r.in.credential);
1441 r.in.recordid = &recordid;
1444 r.in.buffersize=100;
1445 r.out.buffer = &buffer;
1446 r.out.count_returned = &count_returned;
1447 r.out.total_entries = &total_entries;
1448 r.out.next_reference = &next_reference;
1449 r.out.recordid = &recordid;
1450 r.out.return_authenticator = &return_authenticator;
1452 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1453 status = dcerpc_netr_AccountSync(p, tctx, &r);
1454 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1460 try a netlogon GetDcName
1462 static bool test_GetDcName(struct torture_context *tctx,
1463 struct dcerpc_pipe *p)
1466 struct netr_GetDcName r;
1467 const char *dcname = NULL;
1469 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1470 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1471 r.out.dcname = &dcname;
1473 status = dcerpc_netr_GetDcName(p, tctx, &r);
1474 torture_assert_ntstatus_ok(tctx, status, "GetDcName");
1475 torture_assert_werr_ok(tctx, r.out.result, "GetDcName");
1477 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1483 try a netlogon LogonControl
1485 static bool test_LogonControl(struct torture_context *tctx,
1486 struct dcerpc_pipe *p)
1489 struct netr_LogonControl r;
1490 union netr_CONTROL_QUERY_INFORMATION info;
1493 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1494 r.in.function_code = 1;
1500 torture_comment(tctx, "Testing LogonControl level %d\n", i);
1502 status = dcerpc_netr_LogonControl(p, tctx, &r);
1503 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1511 try a netlogon GetAnyDCName
1513 static bool test_GetAnyDCName(struct torture_context *tctx,
1514 struct dcerpc_pipe *p)
1517 struct netr_GetAnyDCName r;
1518 const char *dcname = NULL;
1520 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1521 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1522 r.out.dcname = &dcname;
1524 status = dcerpc_netr_GetAnyDCName(p, tctx, &r);
1525 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1528 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1536 try a netlogon LogonControl2
1538 static bool test_LogonControl2(struct torture_context *tctx,
1539 struct dcerpc_pipe *p)
1542 struct netr_LogonControl2 r;
1543 union netr_CONTROL_DATA_INFORMATION data;
1544 union netr_CONTROL_QUERY_INFORMATION query;
1547 data.domain = lp_workgroup(tctx->lp_ctx);
1549 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1551 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1553 r.out.query = &query;
1558 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1559 i, r.in.function_code);
1561 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1562 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1565 data.domain = lp_workgroup(tctx->lp_ctx);
1567 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1573 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1574 i, r.in.function_code);
1576 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1577 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1580 data.domain = lp_workgroup(tctx->lp_ctx);
1582 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1588 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1589 i, r.in.function_code);
1591 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1592 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1595 data.debug_level = ~0;
1597 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1603 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1604 i, r.in.function_code);
1606 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1607 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1614 try a netlogon DatabaseSync2
1616 static bool test_DatabaseSync2(struct torture_context *tctx,
1617 struct dcerpc_pipe *p,
1618 struct cli_credentials *machine_credentials)
1621 struct netr_DatabaseSync2 r;
1622 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1623 struct netr_Authenticator return_authenticator, credential;
1625 struct creds_CredentialState *creds;
1626 const uint32_t database_ids[] = {0, 1, 2};
1629 if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
1630 machine_credentials,
1631 SEC_CHAN_BDC, &creds)) {
1635 ZERO_STRUCT(return_authenticator);
1637 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1638 r.in.computername = TEST_MACHINE_NAME;
1639 r.in.preferredmaximumlength = (uint32_t)-1;
1640 r.in.return_authenticator = &return_authenticator;
1641 r.out.return_authenticator = &return_authenticator;
1642 r.out.delta_enum_array = &delta_enum_array;
1644 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1646 uint32_t sync_context = 0;
1648 r.in.database_id = database_ids[i];
1649 r.in.sync_context = &sync_context;
1650 r.out.sync_context = &sync_context;
1651 r.in.restart_state = 0;
1653 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
1656 creds_client_authenticator(creds, &credential);
1658 r.in.credential = &credential;
1660 status = dcerpc_netr_DatabaseSync2(p, tctx, &r);
1661 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
1664 /* Native mode servers don't do this */
1665 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1669 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2");
1671 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
1672 torture_comment(tctx, "Credential chaining failed\n");
1675 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1683 try a netlogon LogonControl2Ex
1685 static bool test_LogonControl2Ex(struct torture_context *tctx,
1686 struct dcerpc_pipe *p)
1689 struct netr_LogonControl2Ex r;
1690 union netr_CONTROL_QUERY_INFORMATION query;
1693 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1695 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1696 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
1697 r.out.query = &query;
1702 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1703 i, r.in.function_code);
1705 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1706 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1709 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1710 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
1715 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1716 i, r.in.function_code);
1718 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1719 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1722 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1723 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
1728 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1729 i, r.in.function_code);
1731 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1732 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1735 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1736 r.in.data.debug_level = ~0;
1741 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1742 i, r.in.function_code);
1744 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1745 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1751 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
1752 struct dcerpc_pipe *p, const char *trusted_domain_name)
1755 struct netr_DsRGetForestTrustInformation r;
1756 struct lsa_ForestTrustInformation info, *info_ptr;
1760 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1761 r.in.trusted_domain_name = trusted_domain_name;
1763 r.out.forest_trust_info = &info_ptr;
1765 torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
1767 status = dcerpc_netr_DsRGetForestTrustInformation(p, tctx, &r);
1768 torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
1769 torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
1775 try a netlogon netr_DsrEnumerateDomainTrusts
1777 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
1778 struct dcerpc_pipe *p)
1781 struct netr_DsrEnumerateDomainTrusts r;
1782 struct netr_DomainTrustList trusts;
1785 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1786 r.in.trust_flags = 0x3f;
1787 r.out.trusts = &trusts;
1789 status = dcerpc_netr_DsrEnumerateDomainTrusts(p, tctx, &r);
1790 torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
1791 torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
1793 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
1794 * will show non-forest trusts and all UPN suffixes of the own forest
1795 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
1797 if (r.out.trusts->count) {
1798 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
1803 for (i=0; i<r.out.trusts->count; i++) {
1805 /* get info for transitive forest trusts */
1807 if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1808 if (!test_netr_DsRGetForestTrustInformation(tctx, p,
1809 r.out.trusts->array[i].dns_name)) {
1818 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
1819 struct dcerpc_pipe *p)
1822 struct netr_NetrEnumerateTrustedDomains r;
1823 struct netr_Blob trusted_domains_blob;
1825 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1826 r.out.trusted_domains_blob = &trusted_domains_blob;
1828 status = dcerpc_netr_NetrEnumerateTrustedDomains(p, tctx, &r);
1829 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
1830 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
1835 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
1836 struct dcerpc_pipe *p)
1839 struct netr_NetrEnumerateTrustedDomainsEx r;
1840 struct netr_DomainTrustList dom_trust_list;
1842 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1843 r.out.dom_trust_list = &dom_trust_list;
1845 status = dcerpc_netr_NetrEnumerateTrustedDomainsEx(p, tctx, &r);
1846 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
1847 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
1853 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
1854 const char *computer_name,
1855 const char *expected_site)
1858 struct netr_DsRGetSiteName r;
1859 const char *site = NULL;
1861 if (torture_setting_bool(tctx, "samba4", false))
1862 torture_skip(tctx, "skipping DsRGetSiteName test against Samba4");
1864 r.in.computer_name = computer_name;
1866 torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
1868 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1869 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1870 torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
1871 torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
1873 r.in.computer_name = talloc_asprintf(tctx, "\\\\%s", computer_name);
1874 torture_comment(tctx,
1875 "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
1877 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1878 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1879 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
1885 try a netlogon netr_DsRGetDCName
1887 static bool test_netr_DsRGetDCName(struct torture_context *tctx,
1888 struct dcerpc_pipe *p)
1891 struct netr_DsRGetDCName r;
1892 struct netr_DsRGetDCNameInfo *info = NULL;
1894 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1895 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1896 r.in.domain_guid = NULL;
1897 r.in.site_guid = NULL;
1898 r.in.flags = DS_RETURN_DNS_NAME;
1901 status = dcerpc_netr_DsRGetDCName(p, tctx, &r);
1902 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
1903 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
1904 return test_netr_DsRGetSiteName(p, tctx,
1906 info->dc_site_name);
1910 try a netlogon netr_DsRGetDCNameEx
1912 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
1913 struct dcerpc_pipe *p)
1916 struct netr_DsRGetDCNameEx r;
1917 struct netr_DsRGetDCNameInfo *info = NULL;
1919 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1920 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1921 r.in.domain_guid = NULL;
1922 r.in.site_name = NULL;
1923 r.in.flags = DS_RETURN_DNS_NAME;
1926 status = dcerpc_netr_DsRGetDCNameEx(p, tctx, &r);
1927 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
1928 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
1930 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1931 info->dc_site_name);
1935 try a netlogon netr_DsRGetDCNameEx2
1937 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
1938 struct dcerpc_pipe *p)
1941 struct netr_DsRGetDCNameEx2 r;
1942 struct netr_DsRGetDCNameInfo *info = NULL;
1944 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1945 r.in.client_account = NULL;
1946 r.in.mask = 0x00000000;
1947 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1948 r.in.domain_guid = NULL;
1949 r.in.site_name = NULL;
1950 r.in.flags = DS_RETURN_DNS_NAME;
1953 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
1955 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1956 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1957 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1959 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client acount\n");
1960 r.in.client_account = TEST_MACHINE_NAME"$";
1961 r.in.mask = ACB_SVRTRUST;
1962 r.in.flags = DS_RETURN_FLAT_NAME;
1965 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1966 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1967 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1968 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1969 info->dc_site_name);
1972 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
1973 struct dcerpc_pipe *p)
1976 struct netr_DsrGetDcSiteCoverageW r;
1977 struct DcSitesCtr *ctr = NULL;
1979 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1982 status = dcerpc_netr_DsrGetDcSiteCoverageW(p, tctx, &r);
1983 torture_assert_ntstatus_ok(tctx, status, "failed");
1984 torture_assert_werr_ok(tctx, r.out.result, "failed");
1989 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
1990 struct dcerpc_pipe *p)
1993 struct netr_DsRAddressToSitenamesW r;
1994 struct netr_DsRAddress addr;
1995 struct netr_DsRAddressToSitenamesWCtr *ctr;
1997 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2000 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2002 addr.buffer[0] = 2; /* AF_INET */
2003 addr.buffer[4] = 127;
2008 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2010 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2011 r.in.addresses[0] = addr;
2014 status = dcerpc_netr_DsRAddressToSitenamesW(p, tctx, &r);
2015 torture_assert_ntstatus_ok(tctx, status, "failed");
2016 torture_assert_werr_ok(tctx, r.out.result, "failed");
2021 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2022 struct dcerpc_pipe *p)
2025 struct netr_DsRAddressToSitenamesExW r;
2026 struct netr_DsRAddress addr;
2027 struct netr_DsRAddressToSitenamesExWCtr *ctr;
2029 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2032 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2034 addr.buffer[0] = 2; /* AF_INET */
2035 addr.buffer[4] = 127;
2040 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2042 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2043 r.in.addresses[0] = addr;
2046 status = dcerpc_netr_DsRAddressToSitenamesExW(p, tctx, &r);
2047 torture_assert_ntstatus_ok(tctx, status, "failed");
2048 torture_assert_werr_ok(tctx, r.out.result, "failed");
2053 static bool test_GetDomainInfo(struct torture_context *tctx,
2054 struct dcerpc_pipe *p,
2055 struct cli_credentials *machine_credentials)
2058 struct netr_LogonGetDomainInfo r;
2059 struct netr_DomainQuery1 q1;
2060 struct netr_Authenticator a;
2061 struct creds_CredentialState *creds;
2062 union netr_DomainInfo info;
2064 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2065 machine_credentials, &creds)) {
2071 creds_client_authenticator(creds, &a);
2073 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2074 r.in.computer_name = TEST_MACHINE_NAME;
2076 r.in.credential = &a;
2077 r.in.return_authenticator = &a;
2078 r.out.return_authenticator = &a;
2081 r.in.query.query1 = &q1;
2084 /* this should really be the fully qualified name */
2085 q1.workstation_domain = TEST_MACHINE_NAME;
2086 q1.workstation_site = "Default-First-Site-Name";
2087 q1.blob2.length = 0;
2089 q1.blob2.data = NULL;
2090 q1.product.string = "product string";
2092 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
2094 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2095 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2096 torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
2098 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call\n");
2099 creds_client_authenticator(creds, &a);
2101 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2102 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2103 torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
2109 static void async_callback(struct rpc_request *req)
2111 int *counter = (int *)req->async.private_data;
2112 if (NT_STATUS_IS_OK(req->status)) {
2117 static bool test_GetDomainInfo_async(struct torture_context *tctx,
2118 struct dcerpc_pipe *p,
2119 struct cli_credentials *machine_credentials)
2122 struct netr_LogonGetDomainInfo r;
2123 struct netr_DomainQuery1 q1;
2124 struct netr_Authenticator a;
2125 #define ASYNC_COUNT 100
2126 struct creds_CredentialState *creds;
2127 struct creds_CredentialState *creds_async[ASYNC_COUNT];
2128 struct rpc_request *req[ASYNC_COUNT];
2130 int *async_counter = talloc(tctx, int);
2131 union netr_DomainInfo info;
2133 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2134 machine_credentials, &creds)) {
2139 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2140 r.in.computer_name = TEST_MACHINE_NAME;
2142 r.in.credential = &a;
2143 r.in.return_authenticator = &a;
2144 r.out.return_authenticator = &a;
2147 r.in.query.query1 = &q1;
2150 /* this should really be the fully qualified name */
2151 q1.workstation_domain = TEST_MACHINE_NAME;
2152 q1.workstation_site = "Default-First-Site-Name";
2153 q1.blob2.length = 0;
2155 q1.blob2.data = NULL;
2156 q1.product.string = "product string";
2158 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
2162 for (i=0;i<ASYNC_COUNT;i++) {
2163 creds_client_authenticator(creds, &a);
2165 creds_async[i] = (struct creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
2166 req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r);
2168 req[i]->async.callback = async_callback;
2169 req[i]->async.private_data = async_counter;
2171 /* even with this flush per request a w2k3 server seems to
2172 clag with multiple outstanding requests. bleergh. */
2173 torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0,
2174 "event_loop_once failed");
2177 for (i=0;i<ASYNC_COUNT;i++) {
2178 status = dcerpc_ndr_request_recv(req[i]);
2180 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
2181 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
2183 torture_assert(tctx, creds_client_check(creds_async[i], &a.cred),
2184 "Credential chaining failed at async");
2187 torture_comment(tctx,
2188 "Testing netr_LogonGetDomainInfo - async count %d OK\n", *async_counter);
2190 torture_assert_int_equal(tctx, (*async_counter), ASYNC_COUNT, "int");
2195 static bool test_ManyGetDCName(struct torture_context *tctx,
2196 struct dcerpc_pipe *p)
2199 struct dcerpc_pipe *p2;
2200 struct lsa_ObjectAttribute attr;
2201 struct lsa_QosInfo qos;
2202 struct lsa_OpenPolicy2 o;
2203 struct policy_handle lsa_handle;
2204 struct lsa_DomainList domains;
2206 struct lsa_EnumTrustDom t;
2207 uint32_t resume_handle = 0;
2208 struct netr_GetAnyDCName d;
2209 const char *dcname = NULL;
2213 if (p->conn->transport.transport != NCACN_NP) {
2217 torture_comment(tctx, "Torturing GetDCName\n");
2219 status = dcerpc_secondary_connection(p, &p2, p->binding);
2220 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
2222 status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
2223 torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
2226 qos.impersonation_level = 2;
2227 qos.context_mode = 1;
2228 qos.effective_only = 0;
2231 attr.root_dir = NULL;
2232 attr.object_name = NULL;
2233 attr.attributes = 0;
2234 attr.sec_desc = NULL;
2235 attr.sec_qos = &qos;
2237 o.in.system_name = "\\";
2239 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2240 o.out.handle = &lsa_handle;
2242 status = dcerpc_lsa_OpenPolicy2(p2, tctx, &o);
2243 torture_assert_ntstatus_ok(tctx, status, "OpenPolicy2 failed");
2245 t.in.handle = &lsa_handle;
2246 t.in.resume_handle = &resume_handle;
2247 t.in.max_size = 1000;
2248 t.out.domains = &domains;
2249 t.out.resume_handle = &resume_handle;
2251 status = dcerpc_lsa_EnumTrustDom(p2, tctx, &t);
2253 if ((!NT_STATUS_IS_OK(status) &&
2254 (!NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES))))
2255 torture_fail(tctx, "Could not list domains");
2259 d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
2260 dcerpc_server_name(p));
2261 d.out.dcname = &dcname;
2263 for (i=0; i<domains.count * 4; i++) {
2264 struct lsa_DomainInfo *info =
2265 &domains.domains[rand()%domains.count];
2267 d.in.domainname = info->name.string;
2269 status = dcerpc_netr_GetAnyDCName(p, tctx, &d);
2270 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2272 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
2273 dcname ? dcname : "unknown");
2279 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
2281 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
2282 struct torture_rpc_tcase *tcase;
2283 struct torture_test *test;
2285 tcase = torture_suite_add_machine_rpc_iface_tcase(suite, "netlogon",
2286 &ndr_table_netlogon, TEST_MACHINE_NAME);
2288 torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
2289 torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
2290 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
2291 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
2292 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
2293 torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
2294 torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
2295 torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
2296 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
2297 torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
2298 torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
2299 torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
2300 torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
2301 torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
2302 torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
2303 torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
2304 torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
2305 torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
2306 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
2307 torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2308 torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
2309 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
2310 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
2311 test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
2312 test->dangerous = true;
2313 torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
2314 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
2315 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
2316 torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
2317 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
2318 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);