source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_netlogon.h"
  25
  26 #define TEST_MACHINE_NAME "schannel"
  27
  28 /*
  29   do some samr ops using the schannel connection
  30  */
  31 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
  32 {
  33         NTSTATUS status;
  34         struct samr_GetDomPwInfo r;
  35         struct samr_Connect connect;
  36         struct samr_OpenDomain opendom;
  37         int i;
  38         struct lsa_String name;
  39         struct policy_handle handle;
  40         struct policy_handle domain_handle;
  41
  42         name.string = lp_workgroup();
  43         r.in.domain_name = &name;
  44
  45         connect.in.system_name = 0;
  46         connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
  47         connect.out.connect_handle = &handle;
  48
  49         printf("Testing Connect and OpenDomain on BUILTIN\n");
  50
  51         status = dcerpc_samr_Connect(p, mem_ctx, &connect);
  52         if (!NT_STATUS_IS_OK(status)) {
  53                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
  54                         printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
  55                                nt_errstr(status));
  56                 } else {
  57                         printf("Connect failed - %s\n", nt_errstr(status));
  58                         return False;
  59                 }
  60         } else {
  61                 opendom.in.connect_handle = &handle;
  62                 opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
  63                 opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
  64                 opendom.out.domain_handle = &domain_handle;
  65
  66                 status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
  67                 if (!NT_STATUS_IS_OK(status)) {
  68                         printf("OpenDomain failed - %s\n", nt_errstr(status));
  69                         return False;
  70                 }
  71         }
  72
  73         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
  74
  75         /* do several ops to test credential chaining */
  76         for (i=0;i<5;i++) {
  77                 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
  78                 if (!NT_STATUS_IS_OK(status)) {
  79                         if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
  80                                 printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
  81                                 return False;
  82                         }
  83                 }
  84         }
  85
  86         return True;
  87 }
  88
  89
  90 /*
  91   do some lsa ops using the schannel connection
  92  */
  93 static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
  94 {
  95         struct lsa_GetUserName r;
  96         NTSTATUS status;
  97         BOOL ret = True;
  98         struct lsa_StringPointer authority_name_p;
  99
 100         printf("\nTesting GetUserName\n");
 101
 102         r.in.system_name = "\\";
 103         r.in.account_name = NULL;
 104         r.in.authority_name = &authority_name_p;
 105         authority_name_p.string = NULL;
 106
 107         /* do several ops to test credential chaining and various operations */
 108         status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
 109
 110         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
 111                 printf("not considering %s to be an error\n", nt_errstr(status));
 112         } else if (!NT_STATUS_IS_OK(status)) {
 113                 printf("GetUserName failed - %s\n", nt_errstr(status));
 114                 return False;
 115         } else {
 116                 if (!r.out.account_name) {
 117                         return False;
 118                 }
 119
 120                 if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
 121                         printf("GetUserName returned wrong user: %s, expected %s\n",
 122                                r.out.account_name->string, "ANONYMOUS LOGON");
 123                         return False;
 124                 }
 125                 if (!r.out.authority_name || !r.out.authority_name->string) {
 126                         return False;
 127                 }
 128
 129                 if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
 130                         printf("GetUserName returned wrong user: %s, expected %s\n",
 131                                r.out.authority_name->string->string, "NT AUTHORITY");
 132                         return False;
 133                 }
 134         }
 135         if (!test_many_LookupSids(p, mem_ctx, NULL)) {
 136                 printf("LsaLookupSids3 failed!\n");
 137                 return False;
 138         }
 139
 140         return ret;
 141 }
 142
 143
 144 /*
 145   test a schannel connection with the given flags
 146  */
 147 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 148                           uint16_t acct_flags, uint32_t dcerpc_flags,
 149                           int i)
 150 {
 151         BOOL ret = True;
 152
 153         struct test_join *join_ctx;
 154         NTSTATUS status;
 155         const char *binding = lp_parm_string(-1, "torture", "binding");
 156         struct dcerpc_binding *b;
 157         struct dcerpc_pipe *p = NULL;
 158         struct dcerpc_pipe *p_netlogon = NULL;
 159         struct dcerpc_pipe *p_lsa = NULL;
 160         struct creds_CredentialState *creds;
 161         struct cli_credentials *credentials;
 162
 163         TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
 164
 165         join_ctx = torture_join_domain(talloc_asprintf(mem_ctx, "%s%d", TEST_MACHINE_NAME, i),
 166                                        acct_flags, &credentials);
 167         if (!join_ctx) {
 168                 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
 169                 talloc_free(test_ctx);
 170                 return False;
 171         }
 172
 173         status = dcerpc_parse_binding(test_ctx, binding, &b);
 174         if (!NT_STATUS_IS_OK(status)) {
 175                 printf("Bad binding string %s\n", binding);
 176                 goto failed;
 177         }
 178
 179         b->flags &= ~DCERPC_AUTH_OPTIONS;
 180         b->flags |= dcerpc_flags;
 181
 182         status = dcerpc_pipe_connect_b(test_ctx, &p, b, &dcerpc_table_samr,
 183                                        credentials, NULL);
 184         if (!NT_STATUS_IS_OK(status)) {
 185                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 186                 goto failed;
 187         }
 188
 189         if (!test_samr_ops(p, test_ctx)) {
 190                 printf("Failed to process schannel secured SAMR ops\n");
 191                 ret = False;
 192         }
 193
 194         /* Also test that when we connect to the netlogon pipe, that
 195          * the credentials we setup on the first pipe are valid for
 196          * the second */
 197
 198         /* Swap the binding details from SAMR to NETLOGON */
 199         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
 200         if (!NT_STATUS_IS_OK(status)) {
 201                 goto failed;
 202         }
 203
 204         status = dcerpc_secondary_connection(p, &p_netlogon,
 205                                              b);
 206
 207         if (!NT_STATUS_IS_OK(status)) {
 208                 goto failed;
 209         }
 210
 211         status = dcerpc_bind_auth(p_netlogon, &dcerpc_table_netlogon,
 212                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 213                                   NULL);
 214
 215         if (!NT_STATUS_IS_OK(status)) {
 216                 goto failed;
 217         }
 218
 219         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
 220         if (!NT_STATUS_IS_OK(status)) {
 221                 goto failed;
 222         }
 223
 224         /* do a couple of logins */
 225         if (!test_netlogon_ops(p_netlogon, test_ctx, credentials, creds)) {
 226                 printf("Failed to process schannel secured NETLOGON ops\n");
 227                 ret = False;
 228         }
 229
 230         /* Swap the binding details from SAMR to LSARPC */
 231         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_lsarpc, NULL);
 232         if (!NT_STATUS_IS_OK(status)) {
 233                 goto failed;
 234         }
 235
 236         status = dcerpc_secondary_connection(p, &p_lsa,
 237                                              b);
 238
 239         if (!NT_STATUS_IS_OK(status)) {
 240                 goto failed;
 241         }
 242
 243         status = dcerpc_bind_auth(p_lsa, &dcerpc_table_lsarpc,
 244                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 245                                   NULL);
 246
 247         if (!NT_STATUS_IS_OK(status)) {
 248                 goto failed;
 249         }
 250
 251         if (!test_lsa_ops(p_lsa, test_ctx)) {
 252                 printf("Failed to process schannel secured LSA ops\n");
 253                 ret = False;
 254         }
 255
 256         torture_leave_domain(join_ctx);
 257         talloc_free(test_ctx);
 258         return ret;
 259
 260 failed:
 261         torture_leave_domain(join_ctx);
 262         talloc_free(test_ctx);
 263         return False;
 264 }
 265
 266 /*
 267   a schannel test suite
 268  */
 269 BOOL torture_rpc_schannel(void)
 270 {
 271         TALLOC_CTX *mem_ctx;
 272         BOOL ret = True;
 273         struct {
 274                 uint16_t acct_flags;
 275                 uint32_t dcerpc_flags;
 276         } tests[] = {
 277                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN},
 278                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL},
 279                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
 280                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
 281                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN },
 282                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL },
 283                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
 284                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
 285         };
 286         int i;
 287
 288         mem_ctx = talloc_init("torture_rpc_schannel");
 289
 290         for (i=0;i<ARRAY_SIZE(tests);i++) {
 291                 if (!test_schannel(mem_ctx,
 292                                    tests[i].acct_flags, tests[i].dcerpc_flags,
 293                                    i)) {
 294                         printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
 295                                tests[i].acct_flags, tests[i].dcerpc_flags);
 296                         ret = False;
 297                         break;
 298                 }
 299         }
 300
 301         talloc_free(mem_ctx);
 302
 303         return ret;
 304 }