Copyright (C) Andrew Tridgell 2003
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
+ Copyright (C) Guenther Deschner 2008,2009
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "librpc/gen_ndr/ndr_netlogon.h"
#include "librpc/gen_ndr/ndr_netlogon_c.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
+#include "librpc/gen_ndr/ndr_lsa_c.h"
#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "libcli/security/security.h"
TORTURE_SAMR_PASSWORDS,
TORTURE_SAMR_PASSWORDS_PWDLASTSET,
TORTURE_SAMR_USER_ATTRIBUTES,
- TORTURE_SAMR_OTHER
+ TORTURE_SAMR_USER_PRIVILEGES,
+ TORTURE_SAMR_OTHER,
+ TORTURE_SAMR_MANY_ACCOUNTS,
+ TORTURE_SAMR_MANY_GROUPS,
+ TORTURE_SAMR_MANY_ALIASES
};
static bool test_QueryUserInfo(struct dcerpc_pipe *p,
string->string = s;
}
+static void init_lsa_StringLarge(struct lsa_StringLarge *string, const char *s)
+{
+ string->string = s;
+}
+
static void init_lsa_BinaryString(struct lsa_BinaryString *string, const char *s, uint32_t length)
{
string->length = length;
return true;
}
-static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *tctx,
- struct cli_credentials *machine_credentials,
- struct cli_credentials *test_credentials,
- struct netlogon_creds_CredentialState *creds,
- NTSTATUS expected_result)
+static bool test_SamLogon(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ struct cli_credentials *test_credentials,
+ NTSTATUS expected_result)
{
NTSTATUS status;
- struct netr_LogonSamLogon r;
- struct netr_Authenticator auth, auth2;
+ struct netr_LogonSamLogonEx r;
union netr_LogonLevel logon;
union netr_Validation validation;
uint8_t authoritative;
struct netr_NetworkInfo ninfo;
DATA_BLOB names_blob, chal, lm_resp, nt_resp;
int flags = CLI_CRED_NTLM_AUTH;
+ uint32_t samlogon_flags = 0;
if (lp_client_lanman_auth(tctx->lp_ctx)) {
flags |= CLI_CRED_LANMAN_AUTH;
chal = data_blob_const(ninfo.challenge,
sizeof(ninfo.challenge));
- names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(machine_credentials),
- cli_credentials_get_domain(machine_credentials));
+ names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(test_credentials),
+ cli_credentials_get_domain(test_credentials));
status = cli_credentials_get_ntlm_response(test_credentials, tctx,
&flags,
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
ninfo.identity_info.logon_id_low = 0;
ninfo.identity_info.logon_id_high = 0;
- ninfo.identity_info.workstation.string = cli_credentials_get_workstation(machine_credentials);
+ ninfo.identity_info.workstation.string = cli_credentials_get_workstation(test_credentials);
logon.network = &ninfo;
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
- r.in.computer_name = cli_credentials_get_workstation(machine_credentials);
- r.in.credential = &auth;
- r.in.return_authenticator = &auth2;
- r.in.logon_level = 2;
+ r.in.computer_name = cli_credentials_get_workstation(test_credentials);
+ r.in.logon_level = NetlogonNetworkInformation;
r.in.logon = &logon;
+ r.in.flags = &samlogon_flags;
+ r.out.flags = &samlogon_flags;
r.out.validation = &validation;
r.out.authoritative = &authoritative;
d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
- ZERO_STRUCT(auth2);
- netlogon_creds_client_authenticator(creds, &auth);
+ r.in.validation_level = 6;
- r.in.validation_level = 2;
-
- status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
+ status = dcerpc_netr_LogonSamLogonEx(p, tctx, &r);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
+ r.in.validation_level = 3;
+ status = dcerpc_netr_LogonSamLogonEx(p, tctx, &r);
+ }
if (!NT_STATUS_IS_OK(status)) {
- torture_assert_ntstatus_equal(tctx, status, expected_result, "LogonSamLogon failed");
+ torture_assert_ntstatus_equal(tctx, status, expected_result, "LogonSamLogonEx failed");
return true;
} else {
- torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
+ torture_assert_ntstatus_ok(tctx, status, "LogonSamLogonEx failed");
}
- torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
- "Credential chaining failed");
-
return true;
}
-static bool test_SamLogon(struct torture_context *tctx,
- struct dcerpc_pipe *p,
- struct cli_credentials *machine_credentials,
- struct cli_credentials *test_credentials,
- NTSTATUS expected_result)
-{
- struct netlogon_creds_CredentialState *creds;
-
- if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
- return false;
- }
-
- return test_SamLogon_Creds(p, tctx, machine_credentials, test_credentials,
- creds, expected_result);
-}
-
static bool test_SamLogon_with_creds(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct cli_credentials *machine_creds,
test_credentials = cli_credentials_init(tctx);
cli_credentials_set_workstation(test_credentials,
- TEST_ACCOUNT_NAME_PWD, CRED_SPECIFIED);
+ cli_credentials_get_workstation(machine_creds), CRED_SPECIFIED);
cli_credentials_set_domain(test_credentials,
- lp_workgroup(tctx->lp_ctx), CRED_SPECIFIED);
+ cli_credentials_get_domain(machine_creds), CRED_SPECIFIED);
cli_credentials_set_username(test_credentials,
acct_name, CRED_SPECIFIED);
cli_credentials_set_password(test_credentials,
password, CRED_SPECIFIED);
- cli_credentials_set_secure_channel_type(test_credentials, SEC_CHAN_BDC);
- printf("testing samlogon as %s@%s password: %s\n",
- acct_name, TEST_ACCOUNT_NAME_PWD, password);
+ printf("testing samlogon as %s password: %s\n",
+ acct_name, password);
- if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
+ if (!test_SamLogon(tctx, p, test_credentials,
expected_samlogon_result)) {
torture_warning(tctx, "new password did not work\n");
ret = false;
struct cli_credentials *machine_credentials)
{
int s = 0, q = 0, f = 0, l = 0, z = 0;
+ struct dcerpc_binding *b;
bool ret = true;
- int delay = 500000;
+ int delay = 50000;
bool set_levels[] = { false, true };
bool query_levels[] = { false, true };
- uint32_t levels[] = { 18, 21, 23, 24, 25, 26 };
+ uint32_t levels[] = { 18, 21, 26, 23, 24, 25 }; /* Second half only used when TEST_ALL_LEVELS defined */
uint32_t nonzeros[] = { 1, 24 };
uint32_t fields_present[] = {
0,
struct dcerpc_pipe *np = NULL;
if (torture_setting_bool(tctx, "samba3", false)) {
- delay = 1000000;
+ delay = 999999;
printf("Samba3 has second granularity, setting delay to: %d\n",
delay);
}
- status = torture_rpc_connection(tctx, &np, &ndr_table_netlogon);
+ status = torture_rpc_binding(tctx, &b);
if (!NT_STATUS_IS_OK(status)) {
- return false;
+ ret = false;
+ return ret;
+ }
+
+ /* We have to use schannel, otherwise the SamLogonEx fails
+ * with INTERNAL_ERROR */
+
+ b->flags &= ~DCERPC_AUTH_OPTIONS;
+ b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128;
+
+ status = dcerpc_pipe_connect_b(tctx, &np, b,
+ &ndr_table_netlogon,
+ machine_credentials, tctx->ev, tctx->lp_ctx);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ d_printf("RPC pipe connect as domain member failed: %s\n", nt_errstr(status));
+ ret = false;
+ return ret;
}
/* set to 1 to enable testing for all possible opcode
(SetUserInfo, SetUserInfo2, QueryUserInfo, QueryUserInfo2)
combinations */
#if 0
+#define TEST_ALL_LEVELS 1
#define TEST_SET_LEVELS 1
#define TEST_QUERY_LEVELS 1
#endif
+#ifdef TEST_ALL_LEVELS
for (l=0; l<ARRAY_SIZE(levels); l++) {
+#else
+ for (l=0; l<(ARRAY_SIZE(levels))/2; l++) {
+#endif
for (z=0; z<ARRAY_SIZE(nonzeros); z++) {
for (f=0; f<ARRAY_SIZE(fields_present); f++) {
#ifdef TEST_SET_LEVELS
return ret;
}
+static bool test_DeleteUser_with_privs(struct dcerpc_pipe *p,
+ struct dcerpc_pipe *lp,
+ struct torture_context *tctx,
+ struct policy_handle *domain_handle,
+ struct policy_handle *lsa_handle,
+ struct policy_handle *user_handle,
+ const struct dom_sid *domain_sid,
+ uint32_t rid,
+ struct cli_credentials *machine_credentials)
+{
+ NTSTATUS status;
+ bool ret = true;
+
+ struct policy_handle lsa_acct_handle;
+ struct dom_sid *user_sid;
+
+ user_sid = dom_sid_add_rid(tctx, domain_sid, rid);
+
+ {
+ struct lsa_EnumAccountRights r;
+ struct lsa_RightSet rights;
+
+ torture_comment(tctx, "Testing LSA EnumAccountRights\n");
+
+ r.in.handle = lsa_handle;
+ r.in.sid = user_sid;
+ r.out.rights = &rights;
+
+ status = dcerpc_lsa_EnumAccountRights(lp, tctx, &r);
+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
+ "Expected enum rights for account to fail");
+ }
+
+ {
+ struct lsa_RightSet rights;
+ struct lsa_StringLarge names[2];
+ struct lsa_AddAccountRights r;
+
+ torture_comment(tctx, "Testing LSA AddAccountRights\n");
+
+ init_lsa_StringLarge(&names[0], "SeMachineAccountPrivilege");
+ init_lsa_StringLarge(&names[1], NULL);
+
+ rights.count = 1;
+ rights.names = names;
+
+ r.in.handle = lsa_handle;
+ r.in.sid = user_sid;
+ r.in.rights = &rights;
+
+ status = dcerpc_lsa_AddAccountRights(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to add privileges");
+ }
+
+ {
+ struct lsa_EnumAccounts r;
+ uint32_t resume_handle = 0;
+ struct lsa_SidArray lsa_sid_array;
+ int i;
+ bool found_sid = false;
+
+ torture_comment(tctx, "Testing LSA EnumAccounts\n");
+
+ r.in.handle = lsa_handle;
+ r.in.num_entries = 0x1000;
+ r.in.resume_handle = &resume_handle;
+ r.out.sids = &lsa_sid_array;
+ r.out.resume_handle = &resume_handle;
+
+ status = dcerpc_lsa_EnumAccounts(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to enum accounts");
+
+ for (i=0; i < lsa_sid_array.num_sids; i++) {
+ if (dom_sid_equal(user_sid, lsa_sid_array.sids[i].sid)) {
+ found_sid = true;
+ }
+ }
+
+ torture_assert(tctx, found_sid,
+ "failed to list privileged account");
+ }
+
+ {
+ struct lsa_EnumAccountRights r;
+ struct lsa_RightSet user_rights;
+
+ torture_comment(tctx, "Testing LSA EnumAccountRights\n");
+
+ r.in.handle = lsa_handle;
+ r.in.sid = user_sid;
+ r.out.rights = &user_rights;
+
+ status = dcerpc_lsa_EnumAccountRights(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to enum rights for account");
+
+ if (user_rights.count < 1) {
+ torture_warning(tctx, "failed to find newly added rights");
+ return false;
+ }
+ }
+
+ {
+ struct lsa_OpenAccount r;
+
+ torture_comment(tctx, "Testing LSA OpenAccount\n");
+
+ r.in.handle = lsa_handle;
+ r.in.sid = user_sid;
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r.out.acct_handle = &lsa_acct_handle;
+
+ status = dcerpc_lsa_OpenAccount(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to open lsa account");
+ }
+
+ {
+ struct lsa_GetSystemAccessAccount r;
+ uint32_t access_mask;
+
+ torture_comment(tctx, "Testing LSA GetSystemAccessAccount\n");
+
+ r.in.handle = &lsa_acct_handle;
+ r.out.access_mask = &access_mask;
+
+ status = dcerpc_lsa_GetSystemAccessAccount(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to get lsa system access account");
+ }
+
+ {
+ struct lsa_Close r;
+
+ torture_comment(tctx, "Testing LSA Close\n");
+
+ r.in.handle = &lsa_acct_handle;
+ r.out.handle = &lsa_acct_handle;
+
+ status = dcerpc_lsa_Close(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to close lsa");
+ }
+
+ {
+ struct samr_DeleteUser r;
+
+ torture_comment(tctx, "Testing SAMR DeleteUser\n");
+
+ r.in.user_handle = user_handle;
+ r.out.user_handle = user_handle;
+
+ status = dcerpc_samr_DeleteUser(p, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status, "Delete User failed");
+ }
+
+ {
+ struct lsa_EnumAccounts r;
+ uint32_t resume_handle = 0;
+ struct lsa_SidArray lsa_sid_array;
+ int i;
+ bool found_sid = false;
+
+ torture_comment(tctx, "Testing LSA EnumAccounts\n");
+
+ r.in.handle = lsa_handle;
+ r.in.num_entries = 0x1000;
+ r.in.resume_handle = &resume_handle;
+ r.out.sids = &lsa_sid_array;
+ r.out.resume_handle = &resume_handle;
+
+ status = dcerpc_lsa_EnumAccounts(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to enum accounts");
+
+ for (i=0; i < lsa_sid_array.num_sids; i++) {
+ if (dom_sid_equal(user_sid, lsa_sid_array.sids[i].sid)) {
+ found_sid = true;
+ }
+ }
+
+ torture_assert(tctx, found_sid,
+ "failed to list privileged account");
+ }
+
+ {
+ struct lsa_EnumAccountRights r;
+ struct lsa_RightSet user_rights;
+
+ torture_comment(tctx, "Testing LSA EnumAccountRights\n");
+
+ r.in.handle = lsa_handle;
+ r.in.sid = user_sid;
+ r.out.rights = &user_rights;
+
+ status = dcerpc_lsa_EnumAccountRights(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to enum rights for account");
+
+ if (user_rights.count < 1) {
+ torture_warning(tctx, "failed to find newly added rights");
+ return false;
+ }
+ }
+
+ {
+ struct lsa_OpenAccount r;
+
+ torture_comment(tctx, "Testing LSA OpenAccount\n");
+
+ r.in.handle = lsa_handle;
+ r.in.sid = user_sid;
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r.out.acct_handle = &lsa_acct_handle;
+
+ status = dcerpc_lsa_OpenAccount(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to open lsa account");
+ }
+
+ {
+ struct lsa_GetSystemAccessAccount r;
+ uint32_t access_mask;
+
+ torture_comment(tctx, "Testing LSA GetSystemAccessAccount\n");
+
+ r.in.handle = &lsa_acct_handle;
+ r.out.access_mask = &access_mask;
+
+ status = dcerpc_lsa_GetSystemAccessAccount(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to get lsa system access account");
+ }
+
+ {
+ struct lsa_DeleteObject r;
+
+ torture_comment(tctx, "Testing LSA DeleteObject\n");
+
+ r.in.handle = &lsa_acct_handle;
+ r.out.handle = &lsa_acct_handle;
+
+ status = dcerpc_lsa_DeleteObject(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to delete object");
+ }
+
+ {
+ struct lsa_EnumAccounts r;
+ uint32_t resume_handle = 0;
+ struct lsa_SidArray lsa_sid_array;
+ int i;
+ bool found_sid = false;
+
+ torture_comment(tctx, "Testing LSA EnumAccounts\n");
+
+ r.in.handle = lsa_handle;
+ r.in.num_entries = 0x1000;
+ r.in.resume_handle = &resume_handle;
+ r.out.sids = &lsa_sid_array;
+ r.out.resume_handle = &resume_handle;
+
+ status = dcerpc_lsa_EnumAccounts(lp, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to enum accounts");
+
+ for (i=0; i < lsa_sid_array.num_sids; i++) {
+ if (dom_sid_equal(user_sid, lsa_sid_array.sids[i].sid)) {
+ found_sid = true;
+ }
+ }
+
+ torture_assert(tctx, !found_sid,
+ "should not have listed privileged account");
+ }
+
+ {
+ struct lsa_EnumAccountRights r;
+ struct lsa_RightSet user_rights;
+
+ torture_comment(tctx, "Testing LSA EnumAccountRights\n");
+
+ r.in.handle = lsa_handle;
+ r.in.sid = user_sid;
+ r.out.rights = &user_rights;
+
+ status = dcerpc_lsa_EnumAccountRights(lp, tctx, &r);
+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
+ "Failed to enum rights for account");
+ }
+
+ return ret;
+}
+
static bool test_user_ops(struct dcerpc_pipe *p,
struct torture_context *tctx,
struct policy_handle *user_handle,
struct policy_handle *domain_handle,
+ const struct dom_sid *domain_sid,
uint32_t base_acct_flags,
const char *base_acct_name, enum torture_samr_choice which_ops,
struct cli_credentials *machine_credentials)
break;
+ case TORTURE_SAMR_USER_PRIVILEGES: {
+
+ struct dcerpc_pipe *lp;
+ struct policy_handle *lsa_handle;
+
+ status = torture_rpc_connection(tctx, &lp, &ndr_table_lsarpc);
+ torture_assert_ntstatus_ok(tctx, status, "Failed to open LSA pipe");
+
+ if (!test_lsa_OpenPolicy2(lp, tctx, &lsa_handle)) {
+ ret = false;
+ }
+
+ if (!test_DeleteUser_with_privs(p, lp, tctx,
+ domain_handle, lsa_handle, user_handle,
+ domain_sid, rid,
+ machine_credentials)) {
+ ret = false;
+ }
+
+ if (!test_lsa_Close(lp, tctx, lsa_handle)) {
+ ret = false;
+ }
+
+ if (!ret) {
+ torture_warning(tctx, "privileged user delete test failed\n");
+ }
+
+ break;
+ }
case TORTURE_SAMR_OTHER:
/* We just need the account to exist */
break;
{
bool ret = true;
- if (!test_QuerySecurity(p, tctx, alias_handle)) {
- ret = false;
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ if (!test_QuerySecurity(p, tctx, alias_handle)) {
+ ret = false;
+ }
}
if (!test_QueryAliasInfo(p, tctx, alias_handle)) {
ret = false;
}
- if (torture_setting_bool(tctx, "samba4", false)) {
- printf("skipping MultipleMembers Alias tests against Samba4\n");
+ if (torture_setting_bool(tctx, "samba3", false) ||
+ torture_setting_bool(tctx, "samba4", false)) {
+ printf("skipping MultipleMembers Alias tests against Samba\n");
return ret;
}
}
static bool test_CreateAlias(struct dcerpc_pipe *p, struct torture_context *tctx,
- struct policy_handle *domain_handle,
+ struct policy_handle *domain_handle,
+ const char *alias_name,
struct policy_handle *alias_handle,
- const struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid,
+ bool test_alias)
{
NTSTATUS status;
struct samr_CreateDomAlias r;
uint32_t rid;
bool ret = true;
- init_lsa_String(&name, TEST_ALIASNAME);
+ init_lsa_String(&name, alias_name);
r.in.domain_handle = domain_handle;
r.in.alias_name = &name;
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
return false;
}
+ if (!test_alias) {
+ return ret;
+ }
+
if (!test_alias_ops(p, tctx, alias_handle, domain_sid)) {
ret = false;
}
static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
struct policy_handle *domain_handle,
+ const char *user_name,
struct policy_handle *user_handle_out,
struct dom_sid *domain_sid,
enum torture_samr_choice which_ops,
- struct cli_credentials *machine_credentials)
+ struct cli_credentials *machine_credentials,
+ bool test_user)
{
TALLOC_CTX *user_ctx;
struct policy_handle user_handle;
user_ctx = talloc_named(tctx, 0, "test_CreateUser2 per-user context");
- init_lsa_String(&name, TEST_ACCOUNT_NAME);
+ init_lsa_String(&name, user_name);
r.in.domain_handle = domain_handle;
r.in.account_name = &name;
}
status = dcerpc_samr_CreateUser(p, user_ctx, &r);
}
+
if (!NT_STATUS_IS_OK(status)) {
talloc_free(user_ctx);
printf("CreateUser failed - %s\n", nt_errstr(status));
return false;
- } else {
+ }
+
+ if (!test_user) {
+ if (user_handle_out) {
+ *user_handle_out = user_handle;
+ }
+ return ret;
+ }
+
+ {
q.in.user_handle = &user_handle;
q.in.level = 16;
q.out.info = &info;
}
if (!test_user_ops(p, tctx, &user_handle, domain_handle,
- acct_flags, name.string, which_ops,
+ domain_sid, acct_flags, name.string, which_ops,
machine_credentials)) {
ret = false;
}
{ ACB_SVRTRUST, TEST_MACHINENAME, NT_STATUS_OK },
{ ACB_SVRTRUST | ACB_DISABLED, TEST_MACHINENAME, NT_STATUS_INVALID_PARAMETER },
{ ACB_SVRTRUST | ACB_PWNOEXP, TEST_MACHINENAME, NT_STATUS_INVALID_PARAMETER },
- { ACB_DOMTRUST, TEST_DOMAINNAME, NT_STATUS_OK },
+ { ACB_DOMTRUST, TEST_DOMAINNAME, NT_STATUS_ACCESS_DENIED },
{ ACB_DOMTRUST | ACB_DISABLED, TEST_DOMAINNAME, NT_STATUS_INVALID_PARAMETER },
{ ACB_DOMTRUST | ACB_PWNOEXP, TEST_DOMAINNAME, NT_STATUS_INVALID_PARAMETER },
{ 0, TEST_ACCOUNT_NAME, NT_STATUS_INVALID_PARAMETER },
}
if (!test_user_ops(p, tctx, &user_handle, domain_handle,
- acct_flags, name.string, which_ops,
+ domain_sid, acct_flags, name.string, which_ops,
machine_credentials)) {
ret = false;
}
- printf("Testing DeleteUser (createuser2 test)\n");
+ if (!policy_handle_empty(&user_handle)) {
+ printf("Testing DeleteUser (createuser2 test)\n");
- d.in.user_handle = &user_handle;
- d.out.user_handle = &user_handle;
+ d.in.user_handle = &user_handle;
+ d.out.user_handle = &user_handle;
- status = dcerpc_samr_DeleteUser(p, user_ctx, &d);
- if (!NT_STATUS_IS_OK(status)) {
- printf("DeleteUser failed - %s\n", nt_errstr(status));
- ret = false;
+ status = dcerpc_samr_DeleteUser(p, user_ctx, &d);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("DeleteUser failed - %s\n", nt_errstr(status));
+ ret = false;
+ }
}
}
talloc_free(user_ctx);
return false;
}
- if (!test_QuerySecurity(p, tctx, &group_handle)) {
- ret = false;
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ if (!test_QuerySecurity(p, tctx, &group_handle)) {
+ ret = false;
+ }
}
if (!test_QueryGroupInfo(p, tctx, &group_handle)) {
return false;
}
- if (!test_QuerySecurity(p, tctx, &alias_handle)) {
- ret = false;
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ if (!test_QuerySecurity(p, tctx, &alias_handle)) {
+ ret = false;
+ }
}
if (!test_QueryAliasInfo(p, tctx, &alias_handle)) {
return ret;
}
-static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context *tctx,
- struct policy_handle *handle)
+static bool test_EnumDomainUsers_all(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle)
{
NTSTATUS status = STATUS_MORE_ENTRIES;
struct samr_EnumDomainUsers r;
return true;
}
-static bool test_EnumDomainGroups(struct dcerpc_pipe *p,
- struct torture_context *tctx,
- struct policy_handle *handle)
+static bool test_EnumDomainGroups_all(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle)
{
NTSTATUS status;
struct samr_EnumDomainGroups r;
return ret;
}
-static bool test_EnumDomainAliases(struct dcerpc_pipe *p,
- struct torture_context *tctx,
- struct policy_handle *handle)
+static bool test_EnumDomainAliases_all(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle)
{
NTSTATUS status;
struct samr_EnumDomainAliases r;
if (strcmp(info->general.oem_information.string, domain_comment) != 0) {
printf("QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n",
levels[i], info->general.oem_information.string, domain_comment);
- ret = false;
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ ret = false;
+ }
}
if (!info->general.primary.string) {
printf("QueryDomainInfo level %u returned no PDC name\n",
if (strcmp(info->oem.oem_information.string, domain_comment) != 0) {
printf("QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n",
levels[i], info->oem.oem_information.string, domain_comment);
- ret = false;
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ ret = false;
+ }
}
break;
case 6:
if (strcmp(info->general2.general.oem_information.string, domain_comment) != 0) {
printf("QueryDomainInfo level %u returned different comment (%s, expected %s)\n",
levels[i], info->general2.general.oem_information.string, domain_comment);
- ret = false;
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ ret = false;
+ }
}
break;
}
struct samr_RidTypeArray *rids = NULL;
struct samr_SetMemberAttributesOfGroup s;
uint32_t rid;
+ bool found_member = false;
+ int i;
status = test_LookupName(p, tctx, domain_handle, TEST_ACCOUNT_NAME, &rid);
torture_assert_ntstatus_ok(tctx, status, "test_AddGroupMember looking up name " TEST_ACCOUNT_NAME);
r.in.rid = rid;
r.in.flags = 0; /* ??? */
- torture_comment(tctx, "Testing AddGroupMember and DeleteGroupMember\n");
+ torture_comment(tctx, "Testing AddGroupMember, QueryGroupMember and DeleteGroupMember\n");
d.in.group_handle = group_handle;
d.in.rid = rid;
status = dcerpc_samr_AddGroupMember(p, tctx, &r);
torture_assert_ntstatus_equal(tctx, NT_STATUS_MEMBER_IN_GROUP, status, "AddGroupMember");
- if (torture_setting_bool(tctx, "samba4", false)) {
- torture_comment(tctx, "skipping SetMemberAttributesOfGroup test against Samba4\n");
+ if (torture_setting_bool(tctx, "samba4", false) ||
+ torture_setting_bool(tctx, "samba3", false)) {
+ torture_comment(tctx, "skipping SetMemberAttributesOfGroup test against Samba\n");
} else {
/* this one is quite strange. I am using random inputs in the
hope of triggering an error that might give us a clue */
status = dcerpc_samr_QueryGroupMember(p, tctx, &q);
torture_assert_ntstatus_ok(tctx, status, "QueryGroupMember");
+ torture_assert(tctx, rids, "QueryGroupMember did not fill in rids structure");
+
+ for (i=0; i < rids->count; i++) {
+ if (rids->rids[i] == rid) {
+ found_member = true;
+ }
+ }
+
+ torture_assert(tctx, found_member, "QueryGroupMember did not list newly added member");
status = dcerpc_samr_DeleteGroupMember(p, tctx, &d);
torture_assert_ntstatus_ok(tctx, status, "DeleteGroupMember");
+ rids = NULL;
+ found_member = false;
+
+ status = dcerpc_samr_QueryGroupMember(p, tctx, &q);
+ torture_assert_ntstatus_ok(tctx, status, "QueryGroupMember");
+ torture_assert(tctx, rids, "QueryGroupMember did not fill in rids structure");
+
+ for (i=0; i < rids->count; i++) {
+ if (rids->rids[i] == rid) {
+ found_member = true;
+ }
+ }
+
+ torture_assert(tctx, !found_member, "QueryGroupMember does still list removed member");
+
status = dcerpc_samr_AddGroupMember(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "AddGroupMember");
static bool test_CreateDomainGroup(struct dcerpc_pipe *p,
- struct torture_context *tctx,
+ struct torture_context *tctx,
struct policy_handle *domain_handle,
+ const char *group_name,
struct policy_handle *group_handle,
- struct dom_sid *domain_sid)
+ struct dom_sid *domain_sid,
+ bool test_group)
{
NTSTATUS status;
struct samr_CreateDomainGroup r;
struct lsa_String name;
bool ret = true;
- init_lsa_String(&name, TEST_GROUPNAME);
+ init_lsa_String(&name, group_name);
r.in.domain_handle = domain_handle;
r.in.name = &name;
}
torture_assert_ntstatus_ok(tctx, status, "CreateDomainGroup");
- if (!test_AddGroupMember(p, tctx, domain_handle, group_handle)) {
+ if (!test_group) {
+ return ret;
+ }
+
+ if (!test_AddGroupMember(p, tctx, domain_handle, group_handle)) {
printf("CreateDomainGroup failed - %s\n", nt_errstr(status));
ret = false;
}
return true;
}
+static bool test_EnumDomainUsers(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *domain_handle,
+ uint32_t *total_num_entries_p)
+{
+ NTSTATUS status;
+ struct samr_EnumDomainUsers r;
+ uint32_t resume_handle = 0;
+ uint32_t num_entries = 0;
+ uint32_t total_num_entries = 0;
+ struct samr_SamArray *sam;
+
+ r.in.domain_handle = domain_handle;
+ r.in.acct_flags = 0;
+ r.in.max_size = (uint32_t)-1;
+ r.in.resume_handle = &resume_handle;
+
+ r.out.sam = &sam;
+ r.out.num_entries = &num_entries;
+ r.out.resume_handle = &resume_handle;
+
+ printf("Testing EnumDomainUsers\n");
+
+ do {
+ status = dcerpc_samr_EnumDomainUsers(p, tctx, &r);
+ if (NT_STATUS_IS_ERR(status)) {
+ torture_assert_ntstatus_ok(tctx, status,
+ "failed to enumerate users");
+ }
+
+ total_num_entries += num_entries;
+ } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
+
+ if (total_num_entries_p) {
+ *total_num_entries_p = total_num_entries;
+ }
+
+ return true;
+}
+
+static bool test_EnumDomainGroups(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *domain_handle,
+ uint32_t *total_num_entries_p)
+{
+ NTSTATUS status;
+ struct samr_EnumDomainGroups r;
+ uint32_t resume_handle = 0;
+ uint32_t num_entries = 0;
+ uint32_t total_num_entries = 0;
+ struct samr_SamArray *sam;
+
+ r.in.domain_handle = domain_handle;
+ r.in.max_size = (uint32_t)-1;
+ r.in.resume_handle = &resume_handle;
+
+ r.out.sam = &sam;
+ r.out.num_entries = &num_entries;
+ r.out.resume_handle = &resume_handle;
+
+ printf("Testing EnumDomainGroups\n");
+
+ do {
+ status = dcerpc_samr_EnumDomainGroups(p, tctx, &r);
+ if (NT_STATUS_IS_ERR(status)) {
+ torture_assert_ntstatus_ok(tctx, status,
+ "failed to enumerate groups");
+ }
+
+ total_num_entries += num_entries;
+ } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
+
+ if (total_num_entries_p) {
+ *total_num_entries_p = total_num_entries;
+ }
+
+ return true;
+}
+
+static bool test_EnumDomainAliases(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *domain_handle,
+ uint32_t *total_num_entries_p)
+{
+ NTSTATUS status;
+ struct samr_EnumDomainAliases r;
+ uint32_t resume_handle = 0;
+ uint32_t num_entries = 0;
+ uint32_t total_num_entries = 0;
+ struct samr_SamArray *sam;
+
+ r.in.domain_handle = domain_handle;
+ r.in.max_size = (uint32_t)-1;
+ r.in.resume_handle = &resume_handle;
+
+ r.out.sam = &sam;
+ r.out.num_entries = &num_entries;
+ r.out.resume_handle = &resume_handle;
+
+ printf("Testing EnumDomainAliases\n");
+
+ do {
+ status = dcerpc_samr_EnumDomainAliases(p, tctx, &r);
+ if (NT_STATUS_IS_ERR(status)) {
+ torture_assert_ntstatus_ok(tctx, status,
+ "failed to enumerate aliases");
+ }
+
+ total_num_entries += num_entries;
+ } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
+
+ if (total_num_entries_p) {
+ *total_num_entries_p = total_num_entries;
+ }
+
+ return true;
+}
+
+static bool test_QueryDisplayInfo_level(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
+ uint16_t level,
+ uint32_t *total_num_entries_p)
+{
+ NTSTATUS status;
+ struct samr_QueryDisplayInfo r;
+ uint32_t total_num_entries = 0;
+
+ r.in.domain_handle = handle;
+ r.in.level = level;
+ r.in.start_idx = 0;
+ r.in.max_entries = (uint32_t)-1;
+ r.in.buf_size = (uint32_t)-1;
+
+ printf("Testing QueryDisplayInfo\n");
+
+ do {
+ uint32_t total_size;
+ uint32_t returned_size;
+ union samr_DispInfo info;
+
+ r.out.total_size = &total_size;
+ r.out.returned_size = &returned_size;
+ r.out.info = &info;
+
+ status = dcerpc_samr_QueryDisplayInfo(p, tctx, &r);
+ if (NT_STATUS_IS_ERR(status)) {
+ torture_assert_ntstatus_ok(tctx, status,
+ "failed to query displayinfo");
+ }
+
+ if (*r.out.returned_size == 0) {
+ break;
+ }
+
+ switch (r.in.level) {
+ case 1:
+ total_num_entries += info.info1.count;
+ r.in.start_idx += info.info1.entries[info.info1.count - 1].idx + 1;
+ break;
+ case 2:
+ total_num_entries += info.info2.count;
+ r.in.start_idx += info.info2.entries[info.info2.count - 1].idx + 1;
+ break;
+ case 3:
+ total_num_entries += info.info3.count;
+ r.in.start_idx += info.info3.entries[info.info3.count - 1].idx + 1;
+ break;
+ case 4:
+ total_num_entries += info.info4.count;
+ r.in.start_idx += info.info4.entries[info.info4.count - 1].idx + 1;
+ break;
+ case 5:
+ total_num_entries += info.info5.count;
+ r.in.start_idx += info.info5.entries[info.info5.count - 1].idx + 1;
+ break;
+ default:
+ return false;
+ }
+
+ } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
+
+ if (total_num_entries_p) {
+ *total_num_entries_p = total_num_entries;
+ }
+
+ return true;
+}
+
+static bool test_ManyObjects(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *domain_handle,
+ struct dom_sid *domain_sid,
+ enum torture_samr_choice which_ops)
+{
+ uint32_t num_total = 1500;
+ uint32_t num_enum = 0;
+ uint32_t num_disp = 0;
+ uint32_t num_created = 0;
+ uint32_t num_anounced = 0;
+ bool ret = true;
+ NTSTATUS status;
+ uint32_t i;
+
+ struct policy_handle *handles = talloc_zero_array(tctx, struct policy_handle, num_total);
+
+ /* query */
+
+ {
+ struct samr_QueryDomainInfo2 r;
+ union samr_DomainInfo *info;
+ r.in.domain_handle = domain_handle;
+ r.in.level = 2;
+ r.out.info = &info;
+
+ status = dcerpc_samr_QueryDomainInfo2(p, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "failed to query domain info");
+
+ switch (which_ops) {
+ case TORTURE_SAMR_MANY_ACCOUNTS:
+ num_anounced = info->general.num_users;
+ break;
+ case TORTURE_SAMR_MANY_GROUPS:
+ num_anounced = info->general.num_groups;
+ break;
+ case TORTURE_SAMR_MANY_ALIASES:
+ num_anounced = info->general.num_aliases;
+ break;
+ default:
+ return false;
+ }
+ }
+
+ /* create */
+ for (i=0; i < num_total; i++) {
+
+ const char *name = NULL;
+
+ switch (which_ops) {
+ case TORTURE_SAMR_MANY_ACCOUNTS:
+ name = talloc_asprintf(tctx, "%s%04d", TEST_ACCOUNT_NAME, i);
+ ret &= test_CreateUser(p, tctx, domain_handle, name, &handles[i], domain_sid, 0, NULL, false);
+ break;
+ case TORTURE_SAMR_MANY_GROUPS:
+ name = talloc_asprintf(tctx, "%s%04d", TEST_GROUPNAME, i);
+ ret &= test_CreateDomainGroup(p, tctx, domain_handle, name, &handles[i], domain_sid, false);
+ break;
+ case TORTURE_SAMR_MANY_ALIASES:
+ name = talloc_asprintf(tctx, "%s%04d", TEST_ALIASNAME, i);
+ ret &= test_CreateAlias(p, tctx, domain_handle, name, &handles[i], domain_sid, false);
+ break;
+ default:
+ return false;
+ }
+ if (!policy_handle_empty(&handles[i])) {
+ num_created++;
+ }
+ }
+
+ /* enum */
+
+ switch (which_ops) {
+ case TORTURE_SAMR_MANY_ACCOUNTS:
+ ret &= test_EnumDomainUsers(p, tctx, domain_handle, &num_enum);
+ break;
+ case TORTURE_SAMR_MANY_GROUPS:
+ ret &= test_EnumDomainGroups(p, tctx, domain_handle, &num_enum);
+ break;
+ case TORTURE_SAMR_MANY_ALIASES:
+ ret &= test_EnumDomainAliases(p, tctx, domain_handle, &num_enum);
+ break;
+ default:
+ return false;
+ }
+
+ /* dispinfo */
+
+ switch (which_ops) {
+ case TORTURE_SAMR_MANY_ACCOUNTS:
+ ret &= test_QueryDisplayInfo_level(p, tctx, domain_handle, 1, &num_disp);
+ break;
+ case TORTURE_SAMR_MANY_GROUPS:
+ ret &= test_QueryDisplayInfo_level(p, tctx, domain_handle, 3, &num_disp);
+ break;
+ case TORTURE_SAMR_MANY_ALIASES:
+ /* no aliases in dispinfo */
+ break;
+ default:
+ return false;
+ }
+
+ /* close or delete */
+
+ for (i=0; i < num_total; i++) {
+
+ if (policy_handle_empty(&handles[i])) {
+ continue;
+ }
+
+ if (torture_setting_bool(tctx, "samba3", false)) {
+ ret &= test_samr_handle_Close(p, tctx, &handles[i]);
+ } else {
+ switch (which_ops) {
+ case TORTURE_SAMR_MANY_ACCOUNTS:
+ ret &= test_DeleteUser(p, tctx, &handles[i]);
+ break;
+ case TORTURE_SAMR_MANY_GROUPS:
+ ret &= test_DeleteDomainGroup(p, tctx, &handles[i]);
+ break;
+ case TORTURE_SAMR_MANY_ALIASES:
+ ret &= test_DeleteAlias(p, tctx, &handles[i]);
+ break;
+ default:
+ return false;
+ }
+ }
+ }
+
+ talloc_free(handles);
+
+ if (which_ops == TORTURE_SAMR_MANY_ACCOUNTS && num_enum != num_anounced + num_created) {
+ torture_comment(tctx,
+ "unexpected number of results (%u) returned in enum call, expected %u\n",
+ num_enum, num_anounced + num_created);
+
+ torture_comment(tctx,
+ "unexpected number of results (%u) returned in dispinfo, call, expected %u\n",
+ num_disp, num_anounced + num_created);
+ }
+ return ret;
+}
static bool test_Connect(struct dcerpc_pipe *p, struct torture_context *tctx,
struct policy_handle *handle);
/* run the domain tests with the main handle closed - this tests
the servers reference counting */
- ret &= test_samr_handle_Close(p, tctx, handle);
+ torture_assert(tctx, test_samr_handle_Close(p, tctx, handle), "Failed to close SAMR handle");
switch (which_ops) {
- case TORTURE_SAMR_USER_ATTRIBUTES:
case TORTURE_SAMR_PASSWORDS:
+ case TORTURE_SAMR_USER_PRIVILEGES:
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, NULL);
+ }
+ ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, NULL, true);
+ if (!ret) {
+ printf("Testing PASSWORDS or PRIVILAGES on domain %s failed!\n", dom_sid_string(tctx, sid));
+ }
+ break;
+ case TORTURE_SAMR_USER_ATTRIBUTES:
if (!torture_setting_bool(tctx, "samba3", false)) {
ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, NULL);
}
- ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops, NULL);
+ ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, NULL, true);
/* This test needs 'complex' users to validate */
ret &= test_QueryDisplayInfo(p, tctx, &domain_handle);
if (!ret) {
- printf("Testing PASSWORDS or ATTRIBUTES on domain %s failed!\n", dom_sid_string(tctx, sid));
+ printf("Testing ATTRIBUTES on domain %s failed!\n", dom_sid_string(tctx, sid));
}
break;
case TORTURE_SAMR_PASSWORDS_PWDLASTSET:
if (!torture_setting_bool(tctx, "samba3", false)) {
ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, machine_credentials);
}
- ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops, machine_credentials);
+ ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, machine_credentials, true);
if (!ret) {
printf("Testing PASSWORDS PWDLASTSET on domain %s failed!\n", dom_sid_string(tctx, sid));
}
break;
+ case TORTURE_SAMR_MANY_ACCOUNTS:
+ case TORTURE_SAMR_MANY_GROUPS:
+ case TORTURE_SAMR_MANY_ALIASES:
+ ret &= test_ManyObjects(p, tctx, &domain_handle, sid, which_ops);
+ if (!ret) {
+ printf("Testing MANY-{ACCOUNTS,GROUPS,ALIASES} on domain %s failed!\n", dom_sid_string(tctx, sid));
+ }
+ break;
case TORTURE_SAMR_OTHER:
- ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops, NULL);
+ ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, NULL, true);
if (!ret) {
printf("Failed to CreateUser in SAMR-OTHER on domain %s!\n", dom_sid_string(tctx, sid));
}
- ret &= test_QuerySecurity(p, tctx, &domain_handle);
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ ret &= test_QuerySecurity(p, tctx, &domain_handle);
+ }
ret &= test_RemoveMemberFromForeignDomain(p, tctx, &domain_handle);
- ret &= test_CreateAlias(p, tctx, &domain_handle, &alias_handle, sid);
- ret &= test_CreateDomainGroup(p, tctx, &domain_handle, &group_handle, sid);
+ ret &= test_CreateAlias(p, tctx, &domain_handle, TEST_ALIASNAME, &alias_handle, sid, true);
+ ret &= test_CreateDomainGroup(p, tctx, &domain_handle, TEST_GROUPNAME, &group_handle, sid, true);
ret &= test_QueryDomainInfo(p, tctx, &domain_handle);
ret &= test_QueryDomainInfo2(p, tctx, &domain_handle);
- ret &= test_EnumDomainUsers(p, tctx, &domain_handle);
+ ret &= test_EnumDomainUsers_all(p, tctx, &domain_handle);
ret &= test_EnumDomainUsers_async(p, tctx, &domain_handle);
- ret &= test_EnumDomainGroups(p, tctx, &domain_handle);
- ret &= test_EnumDomainAliases(p, tctx, &domain_handle);
+ ret &= test_EnumDomainGroups_all(p, tctx, &domain_handle);
+ ret &= test_EnumDomainAliases_all(p, tctx, &domain_handle);
ret &= test_QueryDisplayInfo2(p, tctx, &domain_handle);
ret &= test_QueryDisplayInfo3(p, tctx, &domain_handle);
ret &= test_QueryDisplayInfo_continue(p, tctx, &domain_handle);
ret = false;
}
- ret &= test_samr_handle_Close(p, tctx, &domain_handle);
+ torture_assert(tctx, test_samr_handle_Close(p, tctx, &domain_handle), "Failed to close SAMR domain handle");
+ torture_assert(tctx, test_Connect(p, tctx, handle), "Faile to re-connect SAMR handle");
/* reconnect the main handle */
- ret &= test_Connect(p, tctx, handle);
if (!ret) {
printf("Testing domain %s failed!\n", dom_sid_string(tctx, sid));
ret &= test_Connect(p, torture, &handle);
- ret &= test_QuerySecurity(p, torture, &handle);
+ if (!torture_setting_bool(torture, "samba3", false)) {
+ ret &= test_QuerySecurity(p, torture, &handle);
+ }
ret &= test_EnumDomains(p, torture, &handle, TORTURE_SAMR_OTHER, NULL);
return ret;
}
-struct torture_suite *torture_rpc_samr_passwords_pwdlastset(struct torture_context *tctx)
+struct torture_suite *torture_rpc_samr_passwords_pwdlastset(TALLOC_CTX *mem_ctx)
{
- struct torture_suite *suite = torture_suite_create(tctx, "SAMR-PASSWORDS-PWDLASTSET");
+ struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-PASSWORDS-PWDLASTSET");
struct torture_rpc_tcase *tcase;
- tcase = torture_suite_add_machine_rpc_iface_tcase(suite, "samr",
+ tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
&ndr_table_samr,
TEST_ACCOUNT_NAME_PWD);
return suite;
}
+
+static bool torture_rpc_samr_users_privileges_delete_user(struct torture_context *torture,
+ struct dcerpc_pipe *p2,
+ struct cli_credentials *machine_credentials)
+{
+ NTSTATUS status;
+ struct dcerpc_pipe *p;
+ bool ret = true;
+ struct policy_handle handle;
+
+ status = torture_rpc_connection(torture, &p, &ndr_table_samr);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ ret &= test_Connect(p, torture, &handle);
+
+ ret &= test_EnumDomains(p, torture, &handle,
+ TORTURE_SAMR_USER_PRIVILEGES,
+ machine_credentials);
+
+ ret &= test_samr_handle_Close(p, torture, &handle);
+
+ return ret;
+}
+
+struct torture_suite *torture_rpc_samr_user_privileges(TALLOC_CTX *mem_ctx)
+{
+ struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-USERS-PRIVILEGES");
+ struct torture_rpc_tcase *tcase;
+
+ tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
+ &ndr_table_samr,
+ TEST_ACCOUNT_NAME_PWD);
+
+ torture_rpc_tcase_add_test_creds(tcase, "delete_privileged_user",
+ torture_rpc_samr_users_privileges_delete_user);
+
+ return suite;
+}
+
+static bool torture_rpc_samr_many_accounts(struct torture_context *torture,
+ struct dcerpc_pipe *p2,
+ struct cli_credentials *machine_credentials)
+{
+ NTSTATUS status;
+ struct dcerpc_pipe *p;
+ bool ret = true;
+ struct policy_handle handle;
+
+ status = torture_rpc_connection(torture, &p, &ndr_table_samr);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ ret &= test_Connect(p, torture, &handle);
+
+ ret &= test_EnumDomains(p, torture, &handle,
+ TORTURE_SAMR_MANY_ACCOUNTS,
+ machine_credentials);
+
+ ret &= test_samr_handle_Close(p, torture, &handle);
+
+ return ret;
+}
+
+static bool torture_rpc_samr_many_groups(struct torture_context *torture,
+ struct dcerpc_pipe *p2,
+ struct cli_credentials *machine_credentials)
+{
+ NTSTATUS status;
+ struct dcerpc_pipe *p;
+ bool ret = true;
+ struct policy_handle handle;
+
+ status = torture_rpc_connection(torture, &p, &ndr_table_samr);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ ret &= test_Connect(p, torture, &handle);
+
+ ret &= test_EnumDomains(p, torture, &handle,
+ TORTURE_SAMR_MANY_GROUPS,
+ machine_credentials);
+
+ ret &= test_samr_handle_Close(p, torture, &handle);
+
+ return ret;
+}
+
+static bool torture_rpc_samr_many_aliases(struct torture_context *torture,
+ struct dcerpc_pipe *p2,
+ struct cli_credentials *machine_credentials)
+{
+ NTSTATUS status;
+ struct dcerpc_pipe *p;
+ bool ret = true;
+ struct policy_handle handle;
+
+ status = torture_rpc_connection(torture, &p, &ndr_table_samr);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ ret &= test_Connect(p, torture, &handle);
+
+ ret &= test_EnumDomains(p, torture, &handle,
+ TORTURE_SAMR_MANY_ALIASES,
+ machine_credentials);
+
+ ret &= test_samr_handle_Close(p, torture, &handle);
+
+ return ret;
+}
+
+struct torture_suite *torture_rpc_samr_large_dc(TALLOC_CTX *mem_ctx)
+{
+ struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-LARGE-DC");
+ struct torture_rpc_tcase *tcase;
+
+ tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
+ &ndr_table_samr,
+ TEST_ACCOUNT_NAME);
+
+ torture_rpc_tcase_add_test_creds(tcase, "many_aliases",
+ torture_rpc_samr_many_aliases);
+ torture_rpc_tcase_add_test_creds(tcase, "many_groups",
+ torture_rpc_samr_many_groups);
+ torture_rpc_tcase_add_test_creds(tcase, "many_accounts",
+ torture_rpc_samr_many_accounts);
+
+ return suite;
+}