2 Unix SMB/CIFS implementation.
3 test suite for lsa rpc operations
5 Copyright (C) Andrew Tridgell 2003
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "torture/torture.h"
24 #include "librpc/gen_ndr/ndr_lsa_c.h"
25 #include "librpc/gen_ndr/netlogon.h"
26 #include "librpc/gen_ndr/ndr_drsblobs.h"
27 #include "librpc/gen_ndr/ndr_netlogon_c.h"
28 #include "lib/events/events.h"
29 #include "libcli/security/security.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "torture/rpc/torture_rpc.h"
32 #include "param/param.h"
33 #include "../lib/crypto/crypto.h"
34 #define TEST_MACHINENAME "lsatestmach"
35 #define TRUSTPW "12345678"
37 static void init_lsa_String(struct lsa_String *name, const char *s)
42 static bool test_OpenPolicy(struct dcerpc_binding_handle *b,
43 struct torture_context *tctx,
44 bool test_fail) /* check if the tests fails! */
46 struct lsa_ObjectAttribute attr;
47 struct policy_handle handle;
48 struct lsa_QosInfo qos;
49 struct lsa_OpenPolicy r;
50 uint16_t system_name = '\\';
52 torture_comment(tctx, "\nTesting OpenPolicy\n");
55 qos.impersonation_level = 2;
57 qos.effective_only = 0;
61 attr.object_name = NULL;
66 r.in.system_name = &system_name;
68 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
69 r.out.handle = &handle;
71 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy_r(b, tctx, &r),
73 if (!NT_STATUS_IS_OK(r.out.result)) {
74 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
75 NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
77 torture_comment(tctx, "not considering %s to be an error\n",
78 nt_errstr(r.out.result));
82 torture_comment(tctx, "OpenPolicy failed - %s\n",
83 nt_errstr(r.out.result));
91 bool test_lsa_OpenPolicy2_ex(struct dcerpc_binding_handle *b,
92 struct torture_context *tctx,
93 struct policy_handle **handle,
94 NTSTATUS expected_status,
97 struct lsa_ObjectAttribute attr;
98 struct lsa_QosInfo qos;
99 struct lsa_OpenPolicy2 r;
102 torture_comment(tctx, "\nTesting OpenPolicy2\n");
104 *handle = talloc(tctx, struct policy_handle);
110 qos.impersonation_level = 2;
111 qos.context_mode = 1;
112 qos.effective_only = 0;
115 attr.root_dir = NULL;
116 attr.object_name = NULL;
118 attr.sec_desc = NULL;
121 r.in.system_name = "\\";
123 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
124 r.out.handle = *handle;
126 status = dcerpc_lsa_OpenPolicy2_r(b, tctx, &r);
127 torture_assert_ntstatus_equal(tctx, status, expected_status,
128 "OpenPolicy2 failed");
129 if (!NT_STATUS_IS_OK(expected_status)) {
132 if (!NT_STATUS_IS_OK(r.out.result)) {
133 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
134 NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
136 torture_comment(tctx, "not considering %s to be an error\n",
137 nt_errstr(r.out.result));
138 talloc_free(*handle);
143 torture_comment(tctx, "OpenPolicy2 failed - %s\n",
144 nt_errstr(r.out.result));
152 bool test_lsa_OpenPolicy2(struct dcerpc_binding_handle *b,
153 struct torture_context *tctx,
154 struct policy_handle **handle)
156 return test_lsa_OpenPolicy2_ex(b, tctx, handle, NT_STATUS_OK, false);
159 static bool test_LookupNames(struct dcerpc_binding_handle *b,
160 struct torture_context *tctx,
161 struct policy_handle *handle,
162 struct lsa_TransNameArray *tnames)
164 struct lsa_LookupNames r;
165 struct lsa_TransSidArray sids;
166 struct lsa_RefDomainList *domains = NULL;
167 struct lsa_String *names;
172 torture_comment(tctx, "\nTesting LookupNames with %d names\n", tnames->count);
180 input_idx = talloc_array(tctx, uint32_t, tnames->count);
181 names = talloc_array(tctx, struct lsa_String, tnames->count);
183 for (i=0;i<tnames->count;i++) {
184 if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
185 init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
186 input_idx[r.in.num_names] = i;
191 r.in.handle = handle;
196 r.out.count = &count;
198 r.out.domains = &domains;
200 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames_r(b, tctx, &r),
201 "LookupNames failed");
202 if (NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED) ||
203 NT_STATUS_EQUAL(r.out.result, NT_STATUS_NONE_MAPPED)) {
204 for (i=0;i< r.in.num_names;i++) {
205 if (i < count && sids.sids[i].sid_type == SID_NAME_UNKNOWN) {
206 torture_comment(tctx, "LookupName of %s was unmapped\n",
207 tnames->names[i].name.string);
208 } else if (i >=count) {
209 torture_comment(tctx, "LookupName of %s failed to return a result\n",
210 tnames->names[i].name.string);
213 torture_comment(tctx, "LookupNames failed - %s\n",
214 nt_errstr(r.out.result));
216 } else if (!NT_STATUS_IS_OK(r.out.result)) {
217 torture_comment(tctx, "LookupNames failed - %s\n",
218 nt_errstr(r.out.result));
222 for (i=0;i< r.in.num_names;i++) {
224 if (sids.sids[i].sid_type != tnames->names[input_idx[i]].sid_type) {
225 torture_comment(tctx, "LookupName of %s got unexpected name type: %s\n",
226 tnames->names[input_idx[i]].name.string,
227 sid_type_lookup(sids.sids[i].sid_type));
230 if ((sids.sids[i].sid_type == SID_NAME_DOMAIN) &&
231 (sids.sids[i].rid != (uint32_t)-1)) {
232 torture_comment(tctx, "LookupName of %s got unexpected rid: %d\n",
233 tnames->names[input_idx[i]].name.string, sids.sids[i].rid);
236 } else if (i >=count) {
237 torture_comment(tctx, "LookupName of %s failed to return a result\n",
238 tnames->names[input_idx[i]].name.string);
242 torture_comment(tctx, "\n");
247 static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
248 struct torture_context *tctx,
249 struct policy_handle *handle)
251 struct lsa_LookupNames r;
252 struct lsa_TransSidArray sids;
253 struct lsa_RefDomainList *domains = NULL;
254 struct lsa_String names[1];
257 torture_comment(tctx, "\nTesting LookupNames with bogus name\n");
262 init_lsa_String(&names[0], "NT AUTHORITY\\BOGUS");
264 r.in.handle = handle;
270 r.out.count = &count;
272 r.out.domains = &domains;
274 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames_r(b, tctx, &r),
275 "LookupNames bogus failed");
276 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_NONE_MAPPED)) {
277 torture_comment(tctx, "LookupNames failed - %s\n",
278 nt_errstr(r.out.result));
282 torture_comment(tctx, "\n");
287 static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
288 struct torture_context *tctx,
289 struct policy_handle *handle)
291 struct lsa_LookupNames r;
292 struct lsa_TransSidArray sids;
293 struct lsa_RefDomainList *domains = NULL;
294 struct lsa_String names[1];
297 torture_comment(tctx, "\nTesting LookupNames with NULL name\n");
302 names[0].string = NULL;
304 r.in.handle = handle;
310 r.out.count = &count;
312 r.out.domains = &domains;
314 /* nt4 returns NT_STATUS_NONE_MAPPED with sid_type
315 * SID_NAME_UNKNOWN, rid 0, and sid_index -1;
317 * w2k3/w2k8 return NT_STATUS_OK with sid_type
318 * SID_NAME_DOMAIN, rid -1 and sid_index 0 and BUILTIN domain
321 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames_r(b, tctx, &r),
322 "LookupNames with NULL name failed");
323 torture_assert_ntstatus_ok(tctx, r.out.result,
324 "LookupNames with NULL name failed");
326 torture_comment(tctx, "\n");
331 static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
332 struct torture_context *tctx,
333 struct policy_handle *handle)
335 struct lsa_TranslatedName name;
336 struct lsa_TransNameArray tnames;
339 torture_comment(tctx, "Testing LookupNames with well known names\n");
341 tnames.names = &name;
343 name.name.string = "NT AUTHORITY\\SYSTEM";
344 name.sid_type = SID_NAME_WKN_GRP;
345 ret &= test_LookupNames(b, tctx, handle, &tnames);
347 name.name.string = "NT AUTHORITY\\ANONYMOUS LOGON";
348 name.sid_type = SID_NAME_WKN_GRP;
349 ret &= test_LookupNames(b, tctx, handle, &tnames);
351 name.name.string = "NT AUTHORITY\\Authenticated Users";
352 name.sid_type = SID_NAME_WKN_GRP;
353 ret &= test_LookupNames(b, tctx, handle, &tnames);
356 name.name.string = "NT AUTHORITY";
357 ret &= test_LookupNames(b, tctx, handle, &tnames);
359 name.name.string = "NT AUTHORITY\\";
360 ret &= test_LookupNames(b, tctx, handle, &tnames);
363 name.name.string = "BUILTIN\\";
364 name.sid_type = SID_NAME_DOMAIN;
365 ret &= test_LookupNames(b, tctx, handle, &tnames);
367 name.name.string = "BUILTIN\\Administrators";
368 name.sid_type = SID_NAME_ALIAS;
369 ret &= test_LookupNames(b, tctx, handle, &tnames);
371 name.name.string = "SYSTEM";
372 name.sid_type = SID_NAME_WKN_GRP;
373 ret &= test_LookupNames(b, tctx, handle, &tnames);
375 name.name.string = "Everyone";
376 name.sid_type = SID_NAME_WKN_GRP;
377 ret &= test_LookupNames(b, tctx, handle, &tnames);
381 static bool test_LookupNames2(struct dcerpc_binding_handle *b,
382 struct torture_context *tctx,
383 struct policy_handle *handle,
384 struct lsa_TransNameArray2 *tnames,
387 struct lsa_LookupNames2 r;
388 struct lsa_TransSidArray2 sids;
389 struct lsa_RefDomainList *domains = NULL;
390 struct lsa_String *names;
395 torture_comment(tctx, "\nTesting LookupNames2 with %d names\n", tnames->count);
402 input_idx = talloc_array(tctx, uint32_t, tnames->count);
403 names = talloc_array(tctx, struct lsa_String, tnames->count);
405 for (i=0;i<tnames->count;i++) {
406 if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
407 init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
408 input_idx[r.in.num_names] = i;
413 r.in.handle = handle;
418 r.in.lookup_options = 0;
419 r.in.client_revision = 0;
420 r.out.count = &count;
422 r.out.domains = &domains;
424 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames2_r(b, tctx, &r),
425 "LookupNames2 failed");
426 if (!NT_STATUS_IS_OK(r.out.result)) {
427 torture_comment(tctx, "LookupNames2 failed - %s\n",
428 nt_errstr(r.out.result));
433 torture_assert_int_equal(tctx, count, sids.count,
434 "unexpected number of results returned");
435 if (sids.count > 0) {
436 torture_assert(tctx, sids.sids, "invalid sid buffer");
440 torture_comment(tctx, "\n");
446 static bool test_LookupNames3(struct dcerpc_binding_handle *b,
447 struct torture_context *tctx,
448 struct policy_handle *handle,
449 struct lsa_TransNameArray2 *tnames,
452 struct lsa_LookupNames3 r;
453 struct lsa_TransSidArray3 sids;
454 struct lsa_RefDomainList *domains = NULL;
455 struct lsa_String *names;
460 torture_comment(tctx, "\nTesting LookupNames3 with %d names\n", tnames->count);
467 input_idx = talloc_array(tctx, uint32_t, tnames->count);
468 names = talloc_array(tctx, struct lsa_String, tnames->count);
469 for (i=0;i<tnames->count;i++) {
470 if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
471 init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
472 input_idx[r.in.num_names] = i;
477 r.in.handle = handle;
482 r.in.lookup_options = 0;
483 r.in.client_revision = 0;
484 r.out.count = &count;
486 r.out.domains = &domains;
488 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames3_r(b, tctx, &r),
489 "LookupNames3 failed");
490 if (!NT_STATUS_IS_OK(r.out.result)) {
491 torture_comment(tctx, "LookupNames3 failed - %s\n",
492 nt_errstr(r.out.result));
497 torture_assert_int_equal(tctx, count, sids.count,
498 "unexpected number of results returned");
499 if (sids.count > 0) {
500 torture_assert(tctx, sids.sids, "invalid sid buffer");
504 torture_comment(tctx, "\n");
509 static bool test_LookupNames4(struct dcerpc_binding_handle *b,
510 struct torture_context *tctx,
511 struct lsa_TransNameArray2 *tnames,
514 struct lsa_LookupNames4 r;
515 struct lsa_TransSidArray3 sids;
516 struct lsa_RefDomainList *domains = NULL;
517 struct lsa_String *names;
522 torture_comment(tctx, "\nTesting LookupNames4 with %d names\n", tnames->count);
529 input_idx = talloc_array(tctx, uint32_t, tnames->count);
530 names = talloc_array(tctx, struct lsa_String, tnames->count);
531 for (i=0;i<tnames->count;i++) {
532 if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
533 init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
534 input_idx[r.in.num_names] = i;
539 r.in.num_names = tnames->count;
544 r.in.lookup_options = 0;
545 r.in.client_revision = 0;
546 r.out.count = &count;
548 r.out.domains = &domains;
550 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames4_r(b, tctx, &r),
551 "LookupNames4 failed");
553 torture_assert_ntstatus_ok(tctx,
555 "LookupNames4 failed");
558 torture_assert_int_equal(tctx, count, sids.count,
559 "unexpected number of results returned");
560 if (sids.count > 0) {
561 torture_assert(tctx, sids.sids, "invalid sid buffer");
565 torture_comment(tctx, "\n");
570 static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
571 struct torture_context *tctx)
573 struct lsa_LookupNames4 r;
574 struct lsa_TransSidArray3 sids;
575 struct lsa_RefDomainList *domains = NULL;
576 struct lsa_String *names;
580 torture_comment(tctx, "\nTesting LookupNames4_fail");
587 r.in.num_names = count;
592 r.in.lookup_options = 0;
593 r.in.client_revision = 0;
594 r.out.count = &count;
596 r.out.domains = &domains;
598 status = dcerpc_lsa_LookupNames4_r(b, tctx, &r);
599 if (!NT_STATUS_IS_OK(status)) {
600 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
601 torture_comment(tctx,
602 "LookupNames4 correctly returned with "
608 torture_assert_ntstatus_equal(tctx,
610 NT_STATUS_ACCESS_DENIED,
611 "LookupNames4 return value should "
616 if (!NT_STATUS_IS_OK(r.out.result)) {
617 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
618 NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
619 torture_comment(tctx,
620 "LookupSids3 correctly returned with "
622 nt_errstr(r.out.result));
627 torture_assert_ntstatus_equal(tctx,
630 "LookupNames4 return value should be "
637 static bool test_LookupSids(struct dcerpc_binding_handle *b,
638 struct torture_context *tctx,
639 struct policy_handle *handle,
640 struct lsa_SidArray *sids)
642 struct lsa_LookupSids r;
643 struct lsa_TransNameArray names;
644 struct lsa_RefDomainList *domains = NULL;
645 uint32_t count = sids->num_sids;
647 torture_comment(tctx, "\nTesting LookupSids\n");
652 r.in.handle = handle;
657 r.out.count = &count;
658 r.out.names = &names;
659 r.out.domains = &domains;
661 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids_r(b, tctx, &r),
662 "LookupSids failed");
663 if (!NT_STATUS_IS_OK(r.out.result) &&
664 !NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED)) {
665 torture_comment(tctx, "LookupSids failed - %s\n",
666 nt_errstr(r.out.result));
670 torture_comment(tctx, "\n");
672 if (!test_LookupNames(b, tctx, handle, &names)) {
680 static bool test_LookupSids2(struct dcerpc_binding_handle *b,
681 struct torture_context *tctx,
682 struct policy_handle *handle,
683 struct lsa_SidArray *sids)
685 struct lsa_LookupSids2 r;
686 struct lsa_TransNameArray2 names;
687 struct lsa_RefDomainList *domains = NULL;
688 uint32_t count = sids->num_sids;
690 torture_comment(tctx, "\nTesting LookupSids2\n");
695 r.in.handle = handle;
700 r.in.lookup_options = 0;
701 r.in.client_revision = 0;
702 r.out.count = &count;
703 r.out.names = &names;
704 r.out.domains = &domains;
706 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids2_r(b, tctx, &r),
707 "LookupSids2 failed");
708 if (!NT_STATUS_IS_OK(r.out.result) &&
709 !NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED)) {
710 torture_comment(tctx, "LookupSids2 failed - %s\n",
711 nt_errstr(r.out.result));
715 torture_comment(tctx, "\n");
717 if (!test_LookupNames2(b, tctx, handle, &names, false)) {
721 if (!test_LookupNames3(b, tctx, handle, &names, false)) {
728 static bool test_LookupSids3(struct dcerpc_binding_handle *b,
729 struct torture_context *tctx,
730 struct lsa_SidArray *sids)
732 struct lsa_LookupSids3 r;
733 struct lsa_TransNameArray2 names;
734 struct lsa_RefDomainList *domains = NULL;
735 uint32_t count = sids->num_sids;
737 torture_comment(tctx, "\nTesting LookupSids3\n");
746 r.in.lookup_options = 0;
747 r.in.client_revision = 0;
748 r.out.domains = &domains;
749 r.out.count = &count;
750 r.out.names = &names;
752 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids3_r(b, tctx, &r),
753 "LookupSids3 failed");
755 torture_assert_ntstatus_ok(tctx,
757 "LookupSids3 failed");
759 torture_comment(tctx, "\n");
764 static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
765 struct torture_context *tctx,
766 struct lsa_SidArray *sids)
768 struct lsa_LookupSids3 r;
769 struct lsa_TransNameArray2 names;
770 struct lsa_RefDomainList *domains = NULL;
771 uint32_t count = sids->num_sids;
774 torture_comment(tctx, "\nTesting LookupSids3\n");
783 r.in.lookup_options = 0;
784 r.in.client_revision = 0;
785 r.out.domains = &domains;
786 r.out.count = &count;
787 r.out.names = &names;
789 status = dcerpc_lsa_LookupSids3_r(b, tctx, &r);
790 if (!NT_STATUS_IS_OK(status)) {
791 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
792 torture_comment(tctx,
793 "LookupSids3 correctly returned with "
799 torture_assert_ntstatus_equal(tctx,
801 NT_STATUS_ACCESS_DENIED,
802 "LookupSids3 return value should "
807 if (!NT_STATUS_IS_OK(r.out.result)) {
808 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
809 NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
810 torture_comment(tctx,
811 "LookupNames4 correctly returned with "
813 nt_errstr(r.out.result));
818 torture_assert_ntstatus_equal(tctx,
821 "LookupSids3 return value should be "
827 bool test_many_LookupSids(struct dcerpc_pipe *p,
828 struct torture_context *tctx,
829 struct policy_handle *handle)
832 struct lsa_SidArray sids;
834 struct dcerpc_binding_handle *b = p->binding_handle;
836 torture_comment(tctx, "\nTesting LookupSids with lots of SIDs\n");
840 sids.sids = talloc_array(tctx, struct lsa_SidPtr, sids.num_sids);
842 for (i=0; i<sids.num_sids; i++) {
843 const char *sidstr = "S-1-5-32-545";
844 sids.sids[i].sid = dom_sid_parse_talloc(tctx, sidstr);
847 count = sids.num_sids;
850 struct lsa_LookupSids r;
851 struct lsa_TransNameArray names;
852 struct lsa_RefDomainList *domains = NULL;
856 r.in.handle = handle;
860 r.in.count = &names.count;
861 r.out.count = &count;
862 r.out.names = &names;
863 r.out.domains = &domains;
865 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids_r(b, tctx, &r),
866 "LookupSids failed");
867 if (!NT_STATUS_IS_OK(r.out.result)) {
868 torture_comment(tctx, "LookupSids failed - %s\n",
869 nt_errstr(r.out.result));
873 torture_comment(tctx, "\n");
875 if (!test_LookupNames(b, tctx, handle, &names)) {
880 if (p->binding->transport == NCACN_NP) {
881 if (!test_LookupSids3_fail(b, tctx, &sids)) {
884 if (!test_LookupNames4_fail(b, tctx)) {
887 } else if (p->binding->transport == NCACN_IP_TCP) {
888 struct lsa_TransNameArray2 names;
893 if (p->conn->security_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
894 p->conn->security_state.auth_info->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
895 if (!test_LookupSids3(b, tctx, &sids)) {
898 if (!test_LookupNames4(b, tctx, &names, true)) {
903 * If we don't have a secure channel these tests must
904 * fail with ACCESS_DENIED.
906 if (!test_LookupSids3_fail(b, tctx, &sids)) {
909 if (!test_LookupNames4_fail(b, tctx)) {
915 torture_comment(tctx, "\n");
922 static void lookupsids_cb(struct tevent_req *subreq)
924 int *replies = (int *)tevent_req_callback_data_void(subreq);
927 status = dcerpc_lsa_LookupSids_r_recv(subreq, subreq);
929 if (!NT_STATUS_IS_OK(status)) {
930 printf("lookupsids returned %s\n", nt_errstr(status));
939 static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
940 struct torture_context *tctx,
941 struct policy_handle *handle)
943 struct lsa_SidArray sids;
944 struct lsa_SidPtr sidptr;
946 struct lsa_TransNameArray *names;
947 struct lsa_LookupSids *r;
948 struct lsa_RefDomainList *domains = NULL;
949 struct tevent_req **req;
952 const int num_async_requests = 50;
954 count = talloc_array(tctx, uint32_t, num_async_requests);
955 names = talloc_array(tctx, struct lsa_TransNameArray, num_async_requests);
956 r = talloc_array(tctx, struct lsa_LookupSids, num_async_requests);
958 torture_comment(tctx, "\nTesting %d async lookupsids request\n", num_async_requests);
960 req = talloc_array(tctx, struct tevent_req *, num_async_requests);
964 sidptr.sid = dom_sid_parse_talloc(tctx, "S-1-5-32-545");
968 for (i=0; i<num_async_requests; i++) {
971 names[i].names = NULL;
973 r[i].in.handle = handle;
974 r[i].in.sids = &sids;
975 r[i].in.names = &names[i];
977 r[i].in.count = &names[i].count;
978 r[i].out.count = &count[i];
979 r[i].out.names = &names[i];
980 r[i].out.domains = &domains;
982 req[i] = dcerpc_lsa_LookupSids_r_send(tctx, tctx->ev, b, &r[i]);
983 if (req[i] == NULL) {
988 tevent_req_set_callback(req[i], lookupsids_cb, &replies);
991 while (replies >= 0 && replies < num_async_requests) {
992 tevent_loop_once(tctx->ev);
1004 static bool test_LookupPrivValue(struct dcerpc_binding_handle *b,
1005 struct torture_context *tctx,
1006 struct policy_handle *handle,
1007 struct lsa_String *name)
1009 struct lsa_LookupPrivValue r;
1010 struct lsa_LUID luid;
1012 r.in.handle = handle;
1016 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivValue_r(b, tctx, &r),
1017 "LookupPrivValue failed");
1018 if (!NT_STATUS_IS_OK(r.out.result)) {
1019 torture_comment(tctx, "\nLookupPrivValue failed - %s\n",
1020 nt_errstr(r.out.result));
1027 static bool test_LookupPrivName(struct dcerpc_binding_handle *b,
1028 struct torture_context *tctx,
1029 struct policy_handle *handle,
1030 struct lsa_LUID *luid)
1032 struct lsa_LookupPrivName r;
1033 struct lsa_StringLarge *name = NULL;
1035 r.in.handle = handle;
1039 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivName_r(b, tctx, &r),
1040 "LookupPrivName failed");
1041 if (!NT_STATUS_IS_OK(r.out.result)) {
1042 torture_comment(tctx, "\nLookupPrivName failed - %s\n",
1043 nt_errstr(r.out.result));
1050 static bool test_RemovePrivilegesFromAccount(struct dcerpc_binding_handle *b,
1051 struct torture_context *tctx,
1052 struct policy_handle *handle,
1053 struct policy_handle *acct_handle,
1054 struct lsa_LUID *luid)
1056 struct lsa_RemovePrivilegesFromAccount r;
1057 struct lsa_PrivilegeSet privs;
1060 torture_comment(tctx, "\nTesting RemovePrivilegesFromAccount\n");
1062 r.in.handle = acct_handle;
1063 r.in.remove_all = 0;
1064 r.in.privs = &privs;
1068 privs.set = talloc_array(tctx, struct lsa_LUIDAttribute, 1);
1069 privs.set[0].luid = *luid;
1070 privs.set[0].attribute = 0;
1072 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_RemovePrivilegesFromAccount_r(b, tctx, &r),
1073 "RemovePrivilegesFromAccount failed");
1074 if (!NT_STATUS_IS_OK(r.out.result)) {
1076 struct lsa_LookupPrivName r_name;
1077 struct lsa_StringLarge *name = NULL;
1079 r_name.in.handle = handle;
1080 r_name.in.luid = luid;
1081 r_name.out.name = &name;
1083 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivName_r(b, tctx, &r_name),
1084 "LookupPrivName failed");
1085 if (!NT_STATUS_IS_OK(r_name.out.result)) {
1086 torture_comment(tctx, "\nLookupPrivName failed - %s\n",
1087 nt_errstr(r_name.out.result));
1090 /* Windows 2008 does not allow this to be removed */
1091 if (strcmp("SeAuditPrivilege", name->string) == 0) {
1095 torture_comment(tctx, "RemovePrivilegesFromAccount failed to remove %s - %s\n",
1097 nt_errstr(r.out.result));
1104 static bool test_AddPrivilegesToAccount(struct dcerpc_binding_handle *b,
1105 struct torture_context *tctx,
1106 struct policy_handle *acct_handle,
1107 struct lsa_LUID *luid)
1109 struct lsa_AddPrivilegesToAccount r;
1110 struct lsa_PrivilegeSet privs;
1113 torture_comment(tctx, "\nTesting AddPrivilegesToAccount\n");
1115 r.in.handle = acct_handle;
1116 r.in.privs = &privs;
1120 privs.set = talloc_array(tctx, struct lsa_LUIDAttribute, 1);
1121 privs.set[0].luid = *luid;
1122 privs.set[0].attribute = 0;
1124 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_AddPrivilegesToAccount_r(b, tctx, &r),
1125 "AddPrivilegesToAccount failed");
1126 if (!NT_STATUS_IS_OK(r.out.result)) {
1127 torture_comment(tctx, "AddPrivilegesToAccount failed - %s\n",
1128 nt_errstr(r.out.result));
1135 static bool test_EnumPrivsAccount(struct dcerpc_binding_handle *b,
1136 struct torture_context *tctx,
1137 struct policy_handle *handle,
1138 struct policy_handle *acct_handle)
1140 struct lsa_EnumPrivsAccount r;
1141 struct lsa_PrivilegeSet *privs = NULL;
1144 torture_comment(tctx, "\nTesting EnumPrivsAccount\n");
1146 r.in.handle = acct_handle;
1147 r.out.privs = &privs;
1149 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumPrivsAccount_r(b, tctx, &r),
1150 "EnumPrivsAccount failed");
1151 if (!NT_STATUS_IS_OK(r.out.result)) {
1152 torture_comment(tctx, "EnumPrivsAccount failed - %s\n",
1153 nt_errstr(r.out.result));
1157 if (privs && privs->count > 0) {
1159 for (i=0;i<privs->count;i++) {
1160 test_LookupPrivName(b, tctx, handle,
1161 &privs->set[i].luid);
1164 ret &= test_RemovePrivilegesFromAccount(b, tctx, handle, acct_handle,
1165 &privs->set[0].luid);
1166 ret &= test_AddPrivilegesToAccount(b, tctx, acct_handle,
1167 &privs->set[0].luid);
1173 static bool test_GetSystemAccessAccount(struct dcerpc_binding_handle *b,
1174 struct torture_context *tctx,
1175 struct policy_handle *handle,
1176 struct policy_handle *acct_handle)
1178 uint32_t access_mask;
1179 struct lsa_GetSystemAccessAccount r;
1181 torture_comment(tctx, "\nTesting GetSystemAccessAccount\n");
1183 r.in.handle = acct_handle;
1184 r.out.access_mask = &access_mask;
1186 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_GetSystemAccessAccount_r(b, tctx, &r),
1187 "GetSystemAccessAccount failed");
1188 if (!NT_STATUS_IS_OK(r.out.result)) {
1189 torture_comment(tctx, "GetSystemAccessAccount failed - %s\n",
1190 nt_errstr(r.out.result));
1194 if (r.out.access_mask != NULL) {
1195 torture_comment(tctx, "Rights:");
1196 if (*(r.out.access_mask) & LSA_POLICY_MODE_INTERACTIVE)
1197 torture_comment(tctx, " LSA_POLICY_MODE_INTERACTIVE");
1198 if (*(r.out.access_mask) & LSA_POLICY_MODE_NETWORK)
1199 torture_comment(tctx, " LSA_POLICY_MODE_NETWORK");
1200 if (*(r.out.access_mask) & LSA_POLICY_MODE_BATCH)
1201 torture_comment(tctx, " LSA_POLICY_MODE_BATCH");
1202 if (*(r.out.access_mask) & LSA_POLICY_MODE_SERVICE)
1203 torture_comment(tctx, " LSA_POLICY_MODE_SERVICE");
1204 if (*(r.out.access_mask) & LSA_POLICY_MODE_PROXY)
1205 torture_comment(tctx, " LSA_POLICY_MODE_PROXY");
1206 if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_INTERACTIVE)
1207 torture_comment(tctx, " LSA_POLICY_MODE_DENY_INTERACTIVE");
1208 if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_NETWORK)
1209 torture_comment(tctx, " LSA_POLICY_MODE_DENY_NETWORK");
1210 if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_BATCH)
1211 torture_comment(tctx, " LSA_POLICY_MODE_DENY_BATCH");
1212 if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_SERVICE)
1213 torture_comment(tctx, " LSA_POLICY_MODE_DENY_SERVICE");
1214 if (*(r.out.access_mask) & LSA_POLICY_MODE_REMOTE_INTERACTIVE)
1215 torture_comment(tctx, " LSA_POLICY_MODE_REMOTE_INTERACTIVE");
1216 if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE)
1217 torture_comment(tctx, " LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE");
1218 if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL)
1219 torture_comment(tctx, " LSA_POLICY_MODE_ALL");
1220 if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL_NT4)
1221 torture_comment(tctx, " LSA_POLICY_MODE_ALL_NT4");
1222 torture_comment(tctx, "\n");
1228 static bool test_Delete(struct dcerpc_binding_handle *b,
1229 struct torture_context *tctx,
1230 struct policy_handle *handle)
1232 struct lsa_Delete r;
1234 torture_comment(tctx, "\nTesting Delete\n");
1236 r.in.handle = handle;
1237 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Delete_r(b, tctx, &r),
1239 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
1240 torture_comment(tctx, "Delete should have failed NT_STATUS_NOT_SUPPORTED - %s\n", nt_errstr(r.out.result));
1247 static bool test_DeleteObject(struct dcerpc_binding_handle *b,
1248 struct torture_context *tctx,
1249 struct policy_handle *handle)
1251 struct lsa_DeleteObject r;
1253 torture_comment(tctx, "\nTesting DeleteObject\n");
1255 r.in.handle = handle;
1256 r.out.handle = handle;
1257 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_DeleteObject_r(b, tctx, &r),
1258 "DeleteObject failed");
1259 if (!NT_STATUS_IS_OK(r.out.result)) {
1260 torture_comment(tctx, "DeleteObject failed - %s\n",
1261 nt_errstr(r.out.result));
1269 static bool test_CreateAccount(struct dcerpc_binding_handle *b,
1270 struct torture_context *tctx,
1271 struct policy_handle *handle)
1273 struct lsa_CreateAccount r;
1274 struct dom_sid2 *newsid;
1275 struct policy_handle acct_handle;
1277 newsid = dom_sid_parse_talloc(tctx, "S-1-5-12349876-4321-2854");
1279 torture_comment(tctx, "\nTesting CreateAccount\n");
1281 r.in.handle = handle;
1283 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1284 r.out.acct_handle = &acct_handle;
1286 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateAccount_r(b, tctx, &r),
1287 "CreateAccount failed");
1288 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_COLLISION)) {
1289 struct lsa_OpenAccount r_o;
1290 r_o.in.handle = handle;
1291 r_o.in.sid = newsid;
1292 r_o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1293 r_o.out.acct_handle = &acct_handle;
1295 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenAccount_r(b, tctx, &r_o),
1296 "OpenAccount failed");
1297 if (!NT_STATUS_IS_OK(r_o.out.result)) {
1298 torture_comment(tctx, "OpenAccount failed - %s\n",
1299 nt_errstr(r_o.out.result));
1302 } else if (!NT_STATUS_IS_OK(r.out.result)) {
1303 torture_comment(tctx, "CreateAccount failed - %s\n",
1304 nt_errstr(r.out.result));
1308 if (!test_Delete(b, tctx, &acct_handle)) {
1312 if (!test_DeleteObject(b, tctx, &acct_handle)) {
1319 static bool test_DeleteTrustedDomain(struct dcerpc_binding_handle *b,
1320 struct torture_context *tctx,
1321 struct policy_handle *handle,
1322 struct lsa_StringLarge name)
1324 struct lsa_OpenTrustedDomainByName r;
1325 struct policy_handle trustdom_handle;
1327 r.in.handle = handle;
1328 r.in.name.string = name.string;
1329 r.in.access_mask = SEC_STD_DELETE;
1330 r.out.trustdom_handle = &trustdom_handle;
1332 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenTrustedDomainByName_r(b, tctx, &r),
1333 "OpenTrustedDomainByName failed");
1334 if (!NT_STATUS_IS_OK(r.out.result)) {
1335 torture_comment(tctx, "OpenTrustedDomainByName failed - %s\n", nt_errstr(r.out.result));
1339 if (!test_Delete(b, tctx, &trustdom_handle)) {
1343 if (!test_DeleteObject(b, tctx, &trustdom_handle)) {
1350 static bool test_DeleteTrustedDomainBySid(struct dcerpc_binding_handle *b,
1351 struct torture_context *tctx,
1352 struct policy_handle *handle,
1353 struct dom_sid *sid)
1355 struct lsa_DeleteTrustedDomain r;
1357 r.in.handle = handle;
1360 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_DeleteTrustedDomain_r(b, tctx, &r),
1361 "DeleteTrustedDomain failed");
1362 if (!NT_STATUS_IS_OK(r.out.result)) {
1363 torture_comment(tctx, "DeleteTrustedDomain failed - %s\n", nt_errstr(r.out.result));
1371 static bool test_CreateSecret(struct dcerpc_pipe *p,
1372 struct torture_context *tctx,
1373 struct policy_handle *handle)
1376 struct lsa_CreateSecret r;
1377 struct lsa_OpenSecret r2;
1378 struct lsa_SetSecret r3;
1379 struct lsa_QuerySecret r4;
1380 struct lsa_SetSecret r5;
1381 struct lsa_QuerySecret r6;
1382 struct lsa_SetSecret r7;
1383 struct lsa_QuerySecret r8;
1384 struct policy_handle sec_handle, sec_handle2, sec_handle3;
1385 struct lsa_DeleteObject d_o;
1386 struct lsa_DATA_BUF buf1;
1387 struct lsa_DATA_BUF_PTR bufp1;
1388 struct lsa_DATA_BUF_PTR bufp2;
1391 DATA_BLOB session_key;
1392 NTTIME old_mtime, new_mtime;
1394 const char *secret1 = "abcdef12345699qwerty";
1396 const char *secret3 = "ABCDEF12345699QWERTY";
1398 const char *secret5 = "NEW-SAMBA4-SECRET";
1402 const int LOCAL = 0;
1403 const int GLOBAL = 1;
1404 struct dcerpc_binding_handle *b = p->binding_handle;
1406 secname[LOCAL] = talloc_asprintf(tctx, "torturesecret-%u", (unsigned int)random());
1407 secname[GLOBAL] = talloc_asprintf(tctx, "G$torturesecret-%u", (unsigned int)random());
1409 for (i=0; i< 2; i++) {
1410 torture_comment(tctx, "\nTesting CreateSecret of %s\n", secname[i]);
1412 init_lsa_String(&r.in.name, secname[i]);
1414 r.in.handle = handle;
1415 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1416 r.out.sec_handle = &sec_handle;
1418 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateSecret_r(b, tctx, &r),
1419 "CreateSecret failed");
1420 if (!NT_STATUS_IS_OK(r.out.result)) {
1421 torture_comment(tctx, "CreateSecret failed - %s\n", nt_errstr(r.out.result));
1425 r.in.handle = handle;
1426 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1427 r.out.sec_handle = &sec_handle3;
1429 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateSecret_r(b, tctx, &r),
1430 "CreateSecret failed");
1431 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_COLLISION)) {
1432 torture_comment(tctx, "CreateSecret should have failed OBJECT_NAME_COLLISION - %s\n", nt_errstr(r.out.result));
1436 r2.in.handle = handle;
1437 r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1438 r2.in.name = r.in.name;
1439 r2.out.sec_handle = &sec_handle2;
1441 torture_comment(tctx, "Testing OpenSecret\n");
1443 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(b, tctx, &r2),
1444 "OpenSecret failed");
1445 if (!NT_STATUS_IS_OK(r2.out.result)) {
1446 torture_comment(tctx, "OpenSecret failed - %s\n", nt_errstr(r2.out.result));
1450 status = dcerpc_fetch_session_key(p, &session_key);
1451 if (!NT_STATUS_IS_OK(status)) {
1452 torture_comment(tctx, "dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
1456 enc_key = sess_encrypt_string(secret1, &session_key);
1458 r3.in.sec_handle = &sec_handle;
1459 r3.in.new_val = &buf1;
1460 r3.in.old_val = NULL;
1461 r3.in.new_val->data = enc_key.data;
1462 r3.in.new_val->length = enc_key.length;
1463 r3.in.new_val->size = enc_key.length;
1465 torture_comment(tctx, "Testing SetSecret\n");
1467 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r3),
1468 "SetSecret failed");
1469 if (!NT_STATUS_IS_OK(r3.out.result)) {
1470 torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(r3.out.result));
1474 r3.in.sec_handle = &sec_handle;
1475 r3.in.new_val = &buf1;
1476 r3.in.old_val = NULL;
1477 r3.in.new_val->data = enc_key.data;
1478 r3.in.new_val->length = enc_key.length;
1479 r3.in.new_val->size = enc_key.length;
1481 /* break the encrypted data */
1484 torture_comment(tctx, "Testing SetSecret with broken key\n");
1486 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r3),
1487 "SetSecret failed");
1488 if (!NT_STATUS_EQUAL(r3.out.result, NT_STATUS_UNKNOWN_REVISION)) {
1489 torture_comment(tctx, "SetSecret should have failed UNKNOWN_REVISION - %s\n", nt_errstr(r3.out.result));
1493 data_blob_free(&enc_key);
1495 ZERO_STRUCT(new_mtime);
1496 ZERO_STRUCT(old_mtime);
1498 /* fetch the secret back again */
1499 r4.in.sec_handle = &sec_handle;
1500 r4.in.new_val = &bufp1;
1501 r4.in.new_mtime = &new_mtime;
1502 r4.in.old_val = NULL;
1503 r4.in.old_mtime = NULL;
1507 torture_comment(tctx, "Testing QuerySecret\n");
1508 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(b, tctx, &r4),
1509 "QuerySecret failed");
1510 if (!NT_STATUS_IS_OK(r4.out.result)) {
1511 torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(r4.out.result));
1514 if (r4.out.new_val == NULL || r4.out.new_val->buf == NULL) {
1515 torture_comment(tctx, "No secret buffer returned\n");
1518 blob1.data = r4.out.new_val->buf->data;
1519 blob1.length = r4.out.new_val->buf->size;
1521 secret2 = sess_decrypt_string(tctx,
1522 &blob1, &session_key);
1524 if (strcmp(secret1, secret2) != 0) {
1525 torture_comment(tctx, "Returned secret (r4) '%s' doesn't match '%s'\n",
1532 enc_key = sess_encrypt_string(secret3, &session_key);
1534 r5.in.sec_handle = &sec_handle;
1535 r5.in.new_val = &buf1;
1536 r5.in.old_val = NULL;
1537 r5.in.new_val->data = enc_key.data;
1538 r5.in.new_val->length = enc_key.length;
1539 r5.in.new_val->size = enc_key.length;
1543 torture_comment(tctx, "Testing SetSecret (existing value should move to old)\n");
1545 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r5),
1546 "SetSecret failed");
1547 if (!NT_STATUS_IS_OK(r5.out.result)) {
1548 torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(r5.out.result));
1552 data_blob_free(&enc_key);
1554 ZERO_STRUCT(new_mtime);
1555 ZERO_STRUCT(old_mtime);
1557 /* fetch the secret back again */
1558 r6.in.sec_handle = &sec_handle;
1559 r6.in.new_val = &bufp1;
1560 r6.in.new_mtime = &new_mtime;
1561 r6.in.old_val = &bufp2;
1562 r6.in.old_mtime = &old_mtime;
1567 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(b, tctx, &r6),
1568 "QuerySecret failed");
1569 if (!NT_STATUS_IS_OK(r6.out.result)) {
1570 torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(r6.out.result));
1575 if (r6.out.new_val->buf == NULL || r6.out.old_val->buf == NULL
1576 || r6.out.new_mtime == NULL || r6.out.old_mtime == NULL) {
1577 torture_comment(tctx, "Both secret buffers and both times not returned\n");
1581 blob1.data = r6.out.new_val->buf->data;
1582 blob1.length = r6.out.new_val->buf->size;
1584 secret4 = sess_decrypt_string(tctx,
1585 &blob1, &session_key);
1587 if (strcmp(secret3, secret4) != 0) {
1588 torture_comment(tctx, "Returned NEW secret %s doesn't match %s\n", secret4, secret3);
1592 blob1.data = r6.out.old_val->buf->data;
1593 blob1.length = r6.out.old_val->buf->length;
1595 secret2 = sess_decrypt_string(tctx,
1596 &blob1, &session_key);
1598 if (strcmp(secret1, secret2) != 0) {
1599 torture_comment(tctx, "Returned OLD secret %s doesn't match %s\n", secret2, secret1);
1603 if (*r6.out.new_mtime == *r6.out.old_mtime) {
1604 torture_comment(tctx, "Returned secret (r6-%d) %s must not have same mtime for both secrets: %s != %s\n",
1607 nt_time_string(tctx, *r6.out.old_mtime),
1608 nt_time_string(tctx, *r6.out.new_mtime));
1614 enc_key = sess_encrypt_string(secret5, &session_key);
1616 r7.in.sec_handle = &sec_handle;
1617 r7.in.old_val = &buf1;
1618 r7.in.old_val->data = enc_key.data;
1619 r7.in.old_val->length = enc_key.length;
1620 r7.in.old_val->size = enc_key.length;
1621 r7.in.new_val = NULL;
1623 torture_comment(tctx, "Testing SetSecret of old Secret only\n");
1625 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r7),
1626 "SetSecret failed");
1627 if (!NT_STATUS_IS_OK(r7.out.result)) {
1628 torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(r7.out.result));
1632 data_blob_free(&enc_key);
1634 /* fetch the secret back again */
1635 r8.in.sec_handle = &sec_handle;
1636 r8.in.new_val = &bufp1;
1637 r8.in.new_mtime = &new_mtime;
1638 r8.in.old_val = &bufp2;
1639 r8.in.old_mtime = &old_mtime;
1644 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(b, tctx, &r8),
1645 "QuerySecret failed");
1646 if (!NT_STATUS_IS_OK(r8.out.result)) {
1647 torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(r8.out.result));
1650 if (!r8.out.new_val || !r8.out.old_val) {
1651 torture_comment(tctx, "in/out pointers not returned, despite being set on in for QuerySecret\n");
1653 } else if (r8.out.new_val->buf != NULL) {
1654 torture_comment(tctx, "NEW secret buffer must not be returned after OLD set\n");
1656 } else if (r8.out.old_val->buf == NULL) {
1657 torture_comment(tctx, "OLD secret buffer was not returned after OLD set\n");
1659 } else if (r8.out.new_mtime == NULL || r8.out.old_mtime == NULL) {
1660 torture_comment(tctx, "Both times not returned after OLD set\n");
1663 blob1.data = r8.out.old_val->buf->data;
1664 blob1.length = r8.out.old_val->buf->size;
1666 secret6 = sess_decrypt_string(tctx,
1667 &blob1, &session_key);
1669 if (strcmp(secret5, secret6) != 0) {
1670 torture_comment(tctx, "Returned OLD secret %s doesn't match %s\n", secret5, secret6);
1674 if (*r8.out.new_mtime != *r8.out.old_mtime) {
1675 torture_comment(tctx, "Returned secret (r8) %s did not had same mtime for both secrets: %s != %s\n",
1677 nt_time_string(tctx, *r8.out.old_mtime),
1678 nt_time_string(tctx, *r8.out.new_mtime));
1684 if (!test_Delete(b, tctx, &sec_handle)) {
1688 if (!test_DeleteObject(b, tctx, &sec_handle)) {
1692 d_o.in.handle = &sec_handle2;
1693 d_o.out.handle = &sec_handle2;
1694 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_DeleteObject_r(b, tctx, &d_o),
1695 "DeleteObject failed");
1696 if (!NT_STATUS_EQUAL(d_o.out.result, NT_STATUS_INVALID_HANDLE)) {
1697 torture_comment(tctx, "Second delete expected INVALID_HANDLE - %s\n", nt_errstr(d_o.out.result));
1701 torture_comment(tctx, "Testing OpenSecret of just-deleted secret\n");
1703 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(b, tctx, &r2),
1704 "OpenSecret failed");
1705 if (!NT_STATUS_EQUAL(r2.out.result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1706 torture_comment(tctx, "OpenSecret expected OBJECT_NAME_NOT_FOUND - %s\n", nt_errstr(r2.out.result));
1717 static bool test_EnumAccountRights(struct dcerpc_binding_handle *b,
1718 struct torture_context *tctx,
1719 struct policy_handle *acct_handle,
1720 struct dom_sid *sid)
1722 struct lsa_EnumAccountRights r;
1723 struct lsa_RightSet rights;
1725 torture_comment(tctx, "\nTesting EnumAccountRights\n");
1727 r.in.handle = acct_handle;
1729 r.out.rights = &rights;
1731 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccountRights_r(b, tctx, &r),
1732 "EnumAccountRights failed");
1733 if (!NT_STATUS_IS_OK(r.out.result)) {
1734 torture_comment(tctx, "EnumAccountRights of %s failed - %s\n",
1735 dom_sid_string(tctx, sid), nt_errstr(r.out.result));
1743 static bool test_QuerySecurity(struct dcerpc_binding_handle *b,
1744 struct torture_context *tctx,
1745 struct policy_handle *handle,
1746 struct policy_handle *acct_handle)
1748 struct lsa_QuerySecurity r;
1749 struct sec_desc_buf *sdbuf = NULL;
1751 if (torture_setting_bool(tctx, "samba4", false)) {
1752 torture_comment(tctx, "\nskipping QuerySecurity test against Samba4\n");
1756 torture_comment(tctx, "\nTesting QuerySecurity\n");
1758 r.in.handle = acct_handle;
1759 r.in.sec_info = SECINFO_OWNER |
1762 r.out.sdbuf = &sdbuf;
1764 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecurity_r(b, tctx, &r),
1765 "QuerySecurity failed");
1766 if (!NT_STATUS_IS_OK(r.out.result)) {
1767 torture_comment(tctx, "QuerySecurity failed - %s\n", nt_errstr(r.out.result));
1774 static bool test_OpenAccount(struct dcerpc_binding_handle *b,
1775 struct torture_context *tctx,
1776 struct policy_handle *handle,
1777 struct dom_sid *sid)
1779 struct lsa_OpenAccount r;
1780 struct policy_handle acct_handle;
1782 torture_comment(tctx, "\nTesting OpenAccount\n");
1784 r.in.handle = handle;
1786 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1787 r.out.acct_handle = &acct_handle;
1789 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenAccount_r(b, tctx, &r),
1790 "OpenAccount failed");
1791 if (!NT_STATUS_IS_OK(r.out.result)) {
1792 torture_comment(tctx, "OpenAccount failed - %s\n", nt_errstr(r.out.result));
1796 if (!test_EnumPrivsAccount(b, tctx, handle, &acct_handle)) {
1800 if (!test_GetSystemAccessAccount(b, tctx, handle, &acct_handle)) {
1804 if (!test_QuerySecurity(b, tctx, handle, &acct_handle)) {
1811 static bool test_EnumAccounts(struct dcerpc_binding_handle *b,
1812 struct torture_context *tctx,
1813 struct policy_handle *handle)
1815 struct lsa_EnumAccounts r;
1816 struct lsa_SidArray sids1, sids2;
1817 uint32_t resume_handle = 0;
1821 torture_comment(tctx, "\nTesting EnumAccounts\n");
1823 r.in.handle = handle;
1824 r.in.resume_handle = &resume_handle;
1825 r.in.num_entries = 100;
1826 r.out.resume_handle = &resume_handle;
1827 r.out.sids = &sids1;
1831 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccounts_r(b, tctx, &r),
1832 "EnumAccounts failed");
1833 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
1836 if (!NT_STATUS_IS_OK(r.out.result)) {
1837 torture_comment(tctx, "EnumAccounts failed - %s\n", nt_errstr(r.out.result));
1841 if (!test_LookupSids(b, tctx, handle, &sids1)) {
1845 if (!test_LookupSids2(b, tctx, handle, &sids1)) {
1849 /* Can't test lookupSids3 here, as clearly we must not
1850 * be on schannel, or we would not be able to do the
1853 torture_comment(tctx, "Testing all accounts\n");
1854 for (i=0;i<sids1.num_sids;i++) {
1855 ret &= test_OpenAccount(b, tctx, handle, sids1.sids[i].sid);
1856 ret &= test_EnumAccountRights(b, tctx, handle, sids1.sids[i].sid);
1858 torture_comment(tctx, "\n");
1861 if (sids1.num_sids < 3) {
1865 torture_comment(tctx, "Trying EnumAccounts partial listing (asking for 1 at 2)\n");
1867 r.in.num_entries = 1;
1868 r.out.sids = &sids2;
1870 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccounts_r(b, tctx, &r),
1871 "EnumAccounts failed");
1872 if (!NT_STATUS_IS_OK(r.out.result)) {
1873 torture_comment(tctx, "EnumAccounts failed - %s\n", nt_errstr(r.out.result));
1877 if (sids2.num_sids != 1) {
1878 torture_comment(tctx, "Returned wrong number of entries (%d)\n", sids2.num_sids);
1885 static bool test_LookupPrivDisplayName(struct dcerpc_binding_handle *b,
1886 struct torture_context *tctx,
1887 struct policy_handle *handle,
1888 struct lsa_String *priv_name)
1890 struct lsa_LookupPrivDisplayName r;
1891 /* produce a reasonable range of language output without screwing up
1893 uint16_t language_id = (random() % 4) + 0x409;
1894 uint16_t returned_language_id = 0;
1895 struct lsa_StringLarge *disp_name = NULL;
1897 torture_comment(tctx, "\nTesting LookupPrivDisplayName(%s)\n", priv_name->string);
1899 r.in.handle = handle;
1900 r.in.name = priv_name;
1901 r.in.language_id = language_id;
1902 r.in.language_id_sys = 0;
1903 r.out.returned_language_id = &returned_language_id;
1904 r.out.disp_name = &disp_name;
1906 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivDisplayName_r(b, tctx, &r),
1907 "LookupPrivDisplayName failed");
1908 if (!NT_STATUS_IS_OK(r.out.result)) {
1909 torture_comment(tctx, "LookupPrivDisplayName failed - %s\n", nt_errstr(r.out.result));
1912 torture_comment(tctx, "%s -> \"%s\" (language 0x%x/0x%x)\n",
1913 priv_name->string, disp_name->string,
1914 r.in.language_id, *r.out.returned_language_id);
1919 static bool test_EnumAccountsWithUserRight(struct dcerpc_binding_handle *b,
1920 struct torture_context *tctx,
1921 struct policy_handle *handle,
1922 struct lsa_String *priv_name)
1924 struct lsa_EnumAccountsWithUserRight r;
1925 struct lsa_SidArray sids;
1929 torture_comment(tctx, "\nTesting EnumAccountsWithUserRight(%s)\n", priv_name->string);
1931 r.in.handle = handle;
1932 r.in.name = priv_name;
1935 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccountsWithUserRight_r(b, tctx, &r),
1936 "EnumAccountsWithUserRight failed");
1938 /* NT_STATUS_NO_MORE_ENTRIES means noone has this privilege */
1939 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
1943 if (!NT_STATUS_IS_OK(r.out.result)) {
1944 torture_comment(tctx, "EnumAccountsWithUserRight failed - %s\n", nt_errstr(r.out.result));
1952 static bool test_EnumPrivs(struct dcerpc_binding_handle *b,
1953 struct torture_context *tctx,
1954 struct policy_handle *handle)
1956 struct lsa_EnumPrivs r;
1957 struct lsa_PrivArray privs1;
1958 uint32_t resume_handle = 0;
1962 torture_comment(tctx, "\nTesting EnumPrivs\n");
1964 r.in.handle = handle;
1965 r.in.resume_handle = &resume_handle;
1966 r.in.max_count = 100;
1967 r.out.resume_handle = &resume_handle;
1968 r.out.privs = &privs1;
1971 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumPrivs_r(b, tctx, &r),
1972 "EnumPrivs failed");
1973 if (!NT_STATUS_IS_OK(r.out.result)) {
1974 torture_comment(tctx, "EnumPrivs failed - %s\n", nt_errstr(r.out.result));
1978 for (i = 0; i< privs1.count; i++) {
1979 test_LookupPrivDisplayName(b, tctx, handle, (struct lsa_String *)&privs1.privs[i].name);
1980 test_LookupPrivValue(b, tctx, handle, (struct lsa_String *)&privs1.privs[i].name);
1981 if (!test_EnumAccountsWithUserRight(b, tctx, handle, (struct lsa_String *)&privs1.privs[i].name)) {
1989 static bool test_QueryForestTrustInformation(struct dcerpc_binding_handle *b,
1990 struct torture_context *tctx,
1991 struct policy_handle *handle,
1992 const char *trusted_domain_name)
1995 struct lsa_lsaRQueryForestTrustInformation r;
1996 struct lsa_String string;
1997 struct lsa_ForestTrustInformation info, *info_ptr;
1999 torture_comment(tctx, "\nTesting lsaRQueryForestTrustInformation\n");
2001 if (torture_setting_bool(tctx, "samba4", false)) {
2002 torture_comment(tctx, "skipping QueryForestTrustInformation against Samba4\n");
2006 ZERO_STRUCT(string);
2008 if (trusted_domain_name) {
2009 init_lsa_String(&string, trusted_domain_name);
2014 r.in.handle = handle;
2015 r.in.trusted_domain_name = &string;
2017 r.out.forest_trust_info = &info_ptr;
2019 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_lsaRQueryForestTrustInformation_r(b, tctx, &r),
2020 "lsaRQueryForestTrustInformation failed");
2022 if (!NT_STATUS_IS_OK(r.out.result)) {
2023 torture_comment(tctx, "lsaRQueryForestTrustInformation of %s failed - %s\n", trusted_domain_name, nt_errstr(r.out.result));
2030 static bool test_query_each_TrustDomEx(struct dcerpc_binding_handle *b,
2031 struct torture_context *tctx,
2032 struct policy_handle *handle,
2033 struct lsa_DomainListEx *domains)
2038 for (i=0; i< domains->count; i++) {
2040 if (domains->domains[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
2041 ret &= test_QueryForestTrustInformation(b, tctx, handle,
2042 domains->domains[i].domain_name.string);
2049 static bool test_query_each_TrustDom(struct dcerpc_binding_handle *b,
2050 struct torture_context *tctx,
2051 struct policy_handle *handle,
2052 struct lsa_DomainList *domains)
2057 torture_comment(tctx, "\nTesting OpenTrustedDomain, OpenTrustedDomainByName and QueryInfoTrustedDomain\n");
2058 for (i=0; i< domains->count; i++) {
2059 struct lsa_OpenTrustedDomain trust;
2060 struct lsa_OpenTrustedDomainByName trust_by_name;
2061 struct policy_handle trustdom_handle;
2062 struct policy_handle handle2;
2064 struct lsa_CloseTrustedDomainEx c_trust;
2065 int levels [] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13};
2066 int ok[] = {1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1};
2068 if (domains->domains[i].sid) {
2069 trust.in.handle = handle;
2070 trust.in.sid = domains->domains[i].sid;
2071 trust.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2072 trust.out.trustdom_handle = &trustdom_handle;
2074 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenTrustedDomain_r(b, tctx, &trust),
2075 "OpenTrustedDomain failed");
2077 if (!NT_STATUS_IS_OK(trust.out.result)) {
2078 torture_comment(tctx, "OpenTrustedDomain failed - %s\n", nt_errstr(trust.out.result));
2082 c.in.handle = &trustdom_handle;
2083 c.out.handle = &handle2;
2085 c_trust.in.handle = &trustdom_handle;
2086 c_trust.out.handle = &handle2;
2088 for (j=0; j < ARRAY_SIZE(levels); j++) {
2089 struct lsa_QueryTrustedDomainInfo q;
2090 union lsa_TrustedDomainInfo *info = NULL;
2091 q.in.trustdom_handle = &trustdom_handle;
2092 q.in.level = levels[j];
2094 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
2095 "QueryTrustedDomainInfo failed");
2096 if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
2097 torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n",
2098 levels[j], nt_errstr(q.out.result));
2100 } else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
2101 torture_comment(tctx, "QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n",
2102 levels[j], nt_errstr(q.out.result));
2107 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CloseTrustedDomainEx_r(b, tctx, &c_trust),
2108 "CloseTrustedDomainEx failed");
2109 if (!NT_STATUS_EQUAL(c_trust.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
2110 torture_comment(tctx, "Expected CloseTrustedDomainEx to return NT_STATUS_NOT_IMPLEMENTED, instead - %s\n", nt_errstr(c_trust.out.result));
2114 c.in.handle = &trustdom_handle;
2115 c.out.handle = &handle2;
2117 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Close_r(b, tctx, &c),
2119 if (!NT_STATUS_IS_OK(c.out.result)) {
2120 torture_comment(tctx, "Close of trusted domain failed - %s\n", nt_errstr(c.out.result));
2124 for (j=0; j < ARRAY_SIZE(levels); j++) {
2125 struct lsa_QueryTrustedDomainInfoBySid q;
2126 union lsa_TrustedDomainInfo *info = NULL;
2128 if (!domains->domains[i].sid) {
2132 q.in.handle = handle;
2133 q.in.dom_sid = domains->domains[i].sid;
2134 q.in.level = levels[j];
2137 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfoBySid_r(b, tctx, &q),
2138 "lsa_QueryTrustedDomainInfoBySid failed");
2139 if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
2140 torture_comment(tctx, "QueryTrustedDomainInfoBySid level %d failed - %s\n",
2141 levels[j], nt_errstr(q.out.result));
2143 } else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
2144 torture_comment(tctx, "QueryTrustedDomainInfoBySid level %d unexpectedly succeeded - %s\n",
2145 levels[j], nt_errstr(q.out.result));
2151 trust_by_name.in.handle = handle;
2152 trust_by_name.in.name.string = domains->domains[i].name.string;
2153 trust_by_name.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2154 trust_by_name.out.trustdom_handle = &trustdom_handle;
2156 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenTrustedDomainByName_r(b, tctx, &trust_by_name),
2157 "OpenTrustedDomainByName failed");
2159 if (!NT_STATUS_IS_OK(trust_by_name.out.result)) {
2160 torture_comment(tctx, "OpenTrustedDomainByName failed - %s\n", nt_errstr(trust_by_name.out.result));
2164 for (j=0; j < ARRAY_SIZE(levels); j++) {
2165 struct lsa_QueryTrustedDomainInfo q;
2166 union lsa_TrustedDomainInfo *info = NULL;
2167 q.in.trustdom_handle = &trustdom_handle;
2168 q.in.level = levels[j];
2170 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
2171 "QueryTrustedDomainInfo failed");
2172 if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
2173 torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n",
2174 levels[j], nt_errstr(q.out.result));
2176 } else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
2177 torture_comment(tctx, "QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n",
2178 levels[j], nt_errstr(q.out.result));
2183 c.in.handle = &trustdom_handle;
2184 c.out.handle = &handle2;
2186 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Close_r(b, tctx, &c),
2188 if (!NT_STATUS_IS_OK(c.out.result)) {
2189 torture_comment(tctx, "Close of trusted domain failed - %s\n", nt_errstr(c.out.result));
2193 for (j=0; j < ARRAY_SIZE(levels); j++) {
2194 struct lsa_QueryTrustedDomainInfoByName q;
2195 union lsa_TrustedDomainInfo *info = NULL;
2196 struct lsa_String name;
2198 name.string = domains->domains[i].name.string;
2200 q.in.handle = handle;
2201 q.in.trusted_domain = &name;
2202 q.in.level = levels[j];
2204 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfoByName_r(b, tctx, &q),
2205 "QueryTrustedDomainInfoByName failed");
2206 if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
2207 torture_comment(tctx, "QueryTrustedDomainInfoByName level %d failed - %s\n",
2208 levels[j], nt_errstr(q.out.result));
2210 } else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
2211 torture_comment(tctx, "QueryTrustedDomainInfoByName level %d unexpectedly succeeded - %s\n",
2212 levels[j], nt_errstr(q.out.result));
2220 static bool test_EnumTrustDom(struct dcerpc_binding_handle *b,
2221 struct torture_context *tctx,
2222 struct policy_handle *handle)
2224 struct lsa_EnumTrustDom r;
2225 uint32_t in_resume_handle = 0;
2226 uint32_t out_resume_handle;
2227 struct lsa_DomainList domains;
2230 torture_comment(tctx, "\nTesting EnumTrustDom\n");
2232 r.in.handle = handle;
2233 r.in.resume_handle = &in_resume_handle;
2235 r.out.domains = &domains;
2236 r.out.resume_handle = &out_resume_handle;
2238 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b, tctx, &r),
2239 "lsa_EnumTrustDom failed");
2241 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
2242 * always be larger than the previous input resume handle, in
2243 * particular when hitting the last query it is vital to set the
2244 * resume handle correctly to avoid infinite client loops, as
2245 * seen e.g. with Windows XP SP3 when resume handle is 0 and
2246 * status is NT_STATUS_OK - gd */
2248 if (NT_STATUS_IS_OK(r.out.result) ||
2249 NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES) ||
2250 NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
2252 if (out_resume_handle <= in_resume_handle) {
2253 torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
2254 out_resume_handle, in_resume_handle);
2259 if (NT_STATUS_IS_OK(r.out.result)) {
2260 if (domains.count == 0) {
2261 torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
2264 } else if (!(NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES))) {
2265 torture_comment(tctx, "EnumTrustDom of zero size failed - %s\n", nt_errstr(r.out.result));
2269 /* Start from the bottom again */
2270 in_resume_handle = 0;
2273 r.in.handle = handle;
2274 r.in.resume_handle = &in_resume_handle;
2275 r.in.max_size = LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3;
2276 r.out.domains = &domains;
2277 r.out.resume_handle = &out_resume_handle;
2279 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b, tctx, &r),
2280 "EnumTrustDom failed");
2282 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
2283 * always be larger than the previous input resume handle, in
2284 * particular when hitting the last query it is vital to set the
2285 * resume handle correctly to avoid infinite client loops, as
2286 * seen e.g. with Windows XP SP3 when resume handle is 0 and
2287 * status is NT_STATUS_OK - gd */
2289 if (NT_STATUS_IS_OK(r.out.result) ||
2290 NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES) ||
2291 NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
2293 if (out_resume_handle <= in_resume_handle) {
2294 torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
2295 out_resume_handle, in_resume_handle);
2300 /* NO_MORE_ENTRIES is allowed */
2301 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
2302 if (domains.count == 0) {
2305 torture_comment(tctx, "EnumTrustDom failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n");
2307 } else if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES)) {
2308 /* Windows 2003 gets this off by one on the first run */
2309 if (r.out.domains->count < 3 || r.out.domains->count > 4) {
2310 torture_comment(tctx, "EnumTrustDom didn't fill the buffer we "
2311 "asked it to (got %d, expected %d / %d == %d entries)\n",
2312 r.out.domains->count, LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3,
2313 LSA_ENUM_TRUST_DOMAIN_MULTIPLIER, r.in.max_size);
2316 } else if (!NT_STATUS_IS_OK(r.out.result)) {
2317 torture_comment(tctx, "EnumTrustDom failed - %s\n", nt_errstr(r.out.result));
2321 if (domains.count == 0) {
2322 torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
2326 ret &= test_query_each_TrustDom(b, tctx, handle, &domains);
2328 in_resume_handle = out_resume_handle;
2330 } while ((NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES)));
2335 static bool test_EnumTrustDomEx(struct dcerpc_binding_handle *b,
2336 struct torture_context *tctx,
2337 struct policy_handle *handle)
2339 struct lsa_EnumTrustedDomainsEx r_ex;
2340 uint32_t resume_handle = 0;
2341 struct lsa_DomainListEx domains_ex;
2344 torture_comment(tctx, "\nTesting EnumTrustedDomainsEx\n");
2346 r_ex.in.handle = handle;
2347 r_ex.in.resume_handle = &resume_handle;
2348 r_ex.in.max_size = LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER * 3;
2349 r_ex.out.domains = &domains_ex;
2350 r_ex.out.resume_handle = &resume_handle;
2352 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustedDomainsEx_r(b, tctx, &r_ex),
2353 "EnumTrustedDomainsEx failed");
2355 if (!(NT_STATUS_EQUAL(r_ex.out.result, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(r_ex.out.result, NT_STATUS_NO_MORE_ENTRIES))) {
2356 torture_comment(tctx, "EnumTrustedDomainEx of zero size failed - %s\n", nt_errstr(r_ex.out.result));
2362 r_ex.in.handle = handle;
2363 r_ex.in.resume_handle = &resume_handle;
2364 r_ex.in.max_size = LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER * 3;
2365 r_ex.out.domains = &domains_ex;
2366 r_ex.out.resume_handle = &resume_handle;
2368 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustedDomainsEx_r(b, tctx, &r_ex),
2369 "EnumTrustedDomainsEx failed");
2371 /* NO_MORE_ENTRIES is allowed */
2372 if (NT_STATUS_EQUAL(r_ex.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
2373 if (domains_ex.count == 0) {
2376 torture_comment(tctx, "EnumTrustDomainsEx failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n");
2378 } else if (NT_STATUS_EQUAL(r_ex.out.result, STATUS_MORE_ENTRIES)) {
2379 /* Windows 2003 gets this off by one on the first run */
2380 if (r_ex.out.domains->count < 3 || r_ex.out.domains->count > 4) {
2381 torture_comment(tctx, "EnumTrustDom didn't fill the buffer we "
2382 "asked it to (got %d, expected %d / %d == %d entries)\n",
2383 r_ex.out.domains->count,
2385 LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER,
2386 r_ex.in.max_size / LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER);
2388 } else if (!NT_STATUS_IS_OK(r_ex.out.result)) {
2389 torture_comment(tctx, "EnumTrustedDomainEx failed - %s\n", nt_errstr(r_ex.out.result));
2393 if (domains_ex.count == 0) {
2394 torture_comment(tctx, "EnumTrustDomainEx failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
2398 ret &= test_query_each_TrustDomEx(b, tctx, handle, &domains_ex);
2400 } while ((NT_STATUS_EQUAL(r_ex.out.result, STATUS_MORE_ENTRIES)));
2406 static bool test_CreateTrustedDomain(struct dcerpc_binding_handle *b,
2407 struct torture_context *tctx,
2408 struct policy_handle *handle,
2409 uint32_t num_trusts)
2412 struct lsa_CreateTrustedDomain r;
2413 struct lsa_DomainInfo trustinfo;
2414 struct dom_sid **domsid;
2415 struct policy_handle *trustdom_handle;
2416 struct lsa_QueryTrustedDomainInfo q;
2417 union lsa_TrustedDomainInfo *info = NULL;
2420 torture_comment(tctx, "\nTesting CreateTrustedDomain for %d domains\n", num_trusts);
2422 if (!test_EnumTrustDom(b, tctx, handle)) {
2426 if (!test_EnumTrustDomEx(b, tctx, handle)) {
2430 domsid = talloc_array(tctx, struct dom_sid *, num_trusts);
2431 trustdom_handle = talloc_array(tctx, struct policy_handle, num_trusts);
2433 for (i=0; i< num_trusts; i++) {
2434 char *trust_name = talloc_asprintf(tctx, "torturedom%02d", i);
2435 char *trust_sid = talloc_asprintf(tctx, "S-1-5-21-97398-379795-100%02d", i);
2437 domsid[i] = dom_sid_parse_talloc(tctx, trust_sid);
2439 trustinfo.sid = domsid[i];
2440 init_lsa_String((struct lsa_String *)&trustinfo.name, trust_name);
2442 r.in.policy_handle = handle;
2443 r.in.info = &trustinfo;
2444 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2445 r.out.trustdom_handle = &trustdom_handle[i];
2447 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomain_r(b, tctx, &r),
2448 "CreateTrustedDomain failed");
2449 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_COLLISION)) {
2450 test_DeleteTrustedDomain(b, tctx, handle, trustinfo.name);
2451 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomain_r(b, tctx, &r),
2452 "CreateTrustedDomain failed");
2454 if (!NT_STATUS_IS_OK(r.out.result)) {
2455 torture_comment(tctx, "CreateTrustedDomain failed - %s\n", nt_errstr(r.out.result));
2459 q.in.trustdom_handle = &trustdom_handle[i];
2460 q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
2462 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
2463 "QueryTrustedDomainInfo failed");
2464 if (!NT_STATUS_IS_OK(q.out.result)) {
2465 torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n", q.in.level, nt_errstr(q.out.result));
2467 } else if (!q.out.info) {
2470 if (strcmp(info->info_ex.netbios_name.string, trustinfo.name.string) != 0) {
2471 torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistent short name: %s != %s\n",
2472 info->info_ex.netbios_name.string, trustinfo.name.string);
2475 if (info->info_ex.trust_type != LSA_TRUST_TYPE_DOWNLEVEL) {
2476 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n",
2477 trust_name, info->info_ex.trust_type, LSA_TRUST_TYPE_DOWNLEVEL);
2480 if (info->info_ex.trust_attributes != 0) {
2481 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n",
2482 trust_name, info->info_ex.trust_attributes, 0);
2485 if (info->info_ex.trust_direction != LSA_TRUST_DIRECTION_OUTBOUND) {
2486 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n",
2487 trust_name, info->info_ex.trust_direction, LSA_TRUST_DIRECTION_OUTBOUND);
2494 /* now that we have some domains to look over, we can test the enum calls */
2495 if (!test_EnumTrustDom(b, tctx, handle)) {
2499 if (!test_EnumTrustDomEx(b, tctx, handle)) {
2503 for (i=0; i<num_trusts; i++) {
2504 if (!test_DeleteTrustedDomainBySid(b, tctx, handle, domsid[i])) {
2512 static bool gen_authinfo_internal(TALLOC_CTX *mem_ctx, const char *password,
2513 DATA_BLOB session_key,
2514 struct lsa_TrustDomainInfoAuthInfoInternal **_authinfo_internal)
2516 struct lsa_TrustDomainInfoAuthInfoInternal *authinfo_internal;
2517 struct trustDomainPasswords auth_struct;
2518 struct AuthenticationInformation *auth_info_array;
2519 size_t converted_size;
2520 DATA_BLOB auth_blob;
2521 enum ndr_err_code ndr_err;
2523 authinfo_internal = talloc_zero(mem_ctx, struct lsa_TrustDomainInfoAuthInfoInternal);
2524 if (authinfo_internal == NULL) {
2528 auth_info_array = talloc_array(mem_ctx,
2529 struct AuthenticationInformation, 1);
2530 if (auth_info_array == NULL) {
2534 generate_random_buffer(auth_struct.confounder, sizeof(auth_struct.confounder));
2536 auth_info_array[0].AuthType = TRUST_AUTH_TYPE_CLEAR;
2538 if (!convert_string_talloc(mem_ctx, CH_UNIX, CH_UTF16, password,
2540 &auth_info_array[0].AuthInfo.clear.password,
2545 auth_info_array[0].AuthInfo.clear.size = converted_size;
2547 auth_struct.outgoing.count = 1;
2548 auth_struct.outgoing.current.count = 1;
2549 auth_struct.outgoing.current.array = auth_info_array;
2550 auth_struct.outgoing.previous.count = 0;
2551 auth_struct.outgoing.previous.array = NULL;
2553 auth_struct.incoming.count = 1;
2554 auth_struct.incoming.current.count = 1;
2555 auth_struct.incoming.current.array = auth_info_array;
2556 auth_struct.incoming.previous.count = 0;
2557 auth_struct.incoming.previous.array = NULL;
2560 ndr_err = ndr_push_struct_blob(&auth_blob, mem_ctx, &auth_struct,
2561 (ndr_push_flags_fn_t)ndr_push_trustDomainPasswords);
2562 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2566 arcfour_crypt_blob(auth_blob.data, auth_blob.length, &session_key);
2568 authinfo_internal->auth_blob.size = auth_blob.length;
2569 authinfo_internal->auth_blob.data = auth_blob.data;
2571 *_authinfo_internal = authinfo_internal;
2576 static bool gen_authinfo(TALLOC_CTX *mem_ctx, const char *password,
2577 struct lsa_TrustDomainInfoAuthInfo **_authinfo)
2579 struct lsa_TrustDomainInfoAuthInfo *authinfo;
2580 struct lsa_TrustDomainInfoBuffer *info_buffer;
2581 size_t converted_size;
2583 authinfo = talloc_zero(mem_ctx, struct lsa_TrustDomainInfoAuthInfo);
2584 if (authinfo == NULL) {
2588 info_buffer = talloc_zero(mem_ctx, struct lsa_TrustDomainInfoBuffer);
2589 if (info_buffer == NULL) {
2593 info_buffer->AuthType = TRUST_AUTH_TYPE_CLEAR;
2595 if (!convert_string_talloc(mem_ctx, CH_UNIX, CH_UTF16, password,
2597 &info_buffer->data.data,
2602 info_buffer->data.size = converted_size;
2604 authinfo->incoming_count = 1;
2605 authinfo->incoming_current_auth_info = info_buffer;
2606 authinfo->incoming_previous_auth_info = NULL;
2607 authinfo->outgoing_count = 1;
2608 authinfo->outgoing_current_auth_info = info_buffer;
2609 authinfo->outgoing_previous_auth_info = NULL;
2611 *_authinfo = authinfo;
2616 static bool check_pw_with_ServerAuthenticate3(struct dcerpc_pipe *p,
2617 struct torture_context *tctx,
2618 uint32_t negotiate_flags,
2619 struct cli_credentials *machine_credentials,
2620 struct netlogon_creds_CredentialState **creds_out)
2622 struct netr_ServerReqChallenge r;
2623 struct netr_ServerAuthenticate3 a;
2624 struct netr_Credential credentials1, credentials2, credentials3;
2625 struct netlogon_creds_CredentialState *creds;
2626 struct samr_Password mach_password;
2628 const char *machine_name;
2629 const char *plain_pass;
2630 struct dcerpc_binding_handle *b = p->binding_handle;
2632 machine_name = cli_credentials_get_workstation(machine_credentials);
2633 plain_pass = cli_credentials_get_password(machine_credentials);
2635 r.in.server_name = NULL;
2636 r.in.computer_name = machine_name;
2637 r.in.credentials = &credentials1;
2638 r.out.return_credentials = &credentials2;
2640 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
2642 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2643 "ServerReqChallenge failed");
2644 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
2646 E_md4hash(plain_pass, mach_password.hash);
2648 a.in.server_name = NULL;
2649 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
2650 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
2651 a.in.computer_name = machine_name;
2652 a.in.negotiate_flags = &negotiate_flags;
2653 a.in.credentials = &credentials3;
2654 a.out.return_credentials = &credentials3;
2655 a.out.negotiate_flags = &negotiate_flags;
2658 creds = netlogon_creds_client_init(tctx, a.in.account_name,
2660 &credentials1, &credentials2,
2661 &mach_password, &credentials3,
2664 torture_assert(tctx, creds != NULL, "memory allocation");
2666 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
2667 "ServerAuthenticate3 failed");
2668 if (!NT_STATUS_IS_OK(a.out.result)) {
2669 if (!NT_STATUS_EQUAL(a.out.result, NT_STATUS_ACCESS_DENIED)) {
2670 torture_assert_ntstatus_ok(tctx, a.out.result,
2671 "ServerAuthenticate3 failed");
2675 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
2677 /* Prove that requesting a challenge again won't break it */
2678 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2679 "ServerReqChallenge failed");
2680 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
2686 static bool check_dom_trust_pw(struct dcerpc_pipe *p,
2687 struct torture_context *tctx,
2688 const char *trusted_dom_name,
2689 const char *password)
2691 struct cli_credentials *credentials;
2693 struct netlogon_creds_CredentialState *creds;
2694 struct dcerpc_pipe *pipe;
2698 credentials = cli_credentials_init(tctx);
2699 if (credentials == NULL) {
2703 dummy = talloc_asprintf(tctx, "%s$", trusted_dom_name);
2704 if (dummy == NULL) {
2708 cli_credentials_set_username(credentials, dummy, CRED_SPECIFIED);
2709 cli_credentials_set_password(credentials, password, CRED_SPECIFIED);
2710 cli_credentials_set_workstation(credentials,
2711 trusted_dom_name, CRED_SPECIFIED);
2712 cli_credentials_set_secure_channel_type(credentials, SEC_CHAN_DOMAIN);
2714 status = dcerpc_pipe_connect_b(tctx, &pipe, p->binding,
2715 &ndr_table_netlogon,
2716 cli_credentials_init_anon(tctx),
2717 tctx->ev, tctx->lp_ctx);
2718 if (!NT_STATUS_IS_OK(status)) {
2719 torture_comment(tctx, "dcerpc_pipe_connect_b failed.\n");
2723 ok = check_pw_with_ServerAuthenticate3(pipe, tctx,
2724 NETLOGON_NEG_AUTH2_ADS_FLAGS,
2725 credentials, &creds);
2731 static bool test_CreateTrustedDomainEx_common(struct dcerpc_pipe *p,
2732 struct torture_context *tctx,
2733 struct policy_handle *handle,
2734 uint32_t num_trusts,
2739 struct lsa_CreateTrustedDomainEx r;
2740 struct lsa_CreateTrustedDomainEx2 r2;
2741 struct lsa_TrustDomainInfoInfoEx trustinfo;
2742 struct lsa_TrustDomainInfoAuthInfoInternal *authinfo_internal;
2743 struct lsa_TrustDomainInfoAuthInfo *authinfo;
2744 struct dom_sid **domsid;
2745 struct policy_handle *trustdom_handle;
2746 struct lsa_QueryTrustedDomainInfo q;
2747 union lsa_TrustedDomainInfo *info = NULL;
2748 DATA_BLOB session_key;
2750 struct dcerpc_binding_handle *b = p->binding_handle;
2753 torture_comment(tctx, "\nTesting CreateTrustedDomainEx2 for %d domains\n", num_trusts);
2755 torture_comment(tctx, "\nTesting CreateTrustedDomainEx for %d domains\n", num_trusts);
2758 domsid = talloc_array(tctx, struct dom_sid *, num_trusts);
2759 trustdom_handle = talloc_array(tctx, struct policy_handle, num_trusts);
2761 status = dcerpc_fetch_session_key(p, &session_key);
2762 if (!NT_STATUS_IS_OK(status)) {
2763 torture_comment(tctx, "dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
2767 for (i=0; i< num_trusts; i++) {
2768 char *trust_name = talloc_asprintf(tctx, "torturedom%02d", i);
2769 char *trust_name_dns = talloc_asprintf(tctx, "torturedom%02d.samba.example.com", i);
2770 char *trust_sid = talloc_asprintf(tctx, "S-1-5-21-97398-379795-100%02d", i);
2772 domsid[i] = dom_sid_parse_talloc(tctx, trust_sid);
2774 trustinfo.sid = domsid[i];
2775 trustinfo.netbios_name.string = trust_name;
2776 trustinfo.domain_name.string = trust_name_dns;
2778 /* Create inbound, some outbound, and some
2779 * bi-directional trusts in a repeating pattern based
2782 /* 1 == inbound, 2 == outbound, 3 == both */
2783 trustinfo.trust_direction = (i % 3) + 1;
2785 /* Try different trust types too */
2787 /* 1 == downlevel (NT4), 2 == uplevel (ADS), 3 == MIT (kerberos but not AD) */
2788 trustinfo.trust_type = (((i / 3) + 1) % 3) + 1;
2790 trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION;
2792 if (!gen_authinfo_internal(tctx, TRUSTPW, session_key, &authinfo_internal)) {
2793 torture_comment(tctx, "gen_authinfo_internal failed");
2797 if (!gen_authinfo(tctx, TRUSTPW, &authinfo)) {
2798 torture_comment(tctx, "gen_authinfonfo failed");
2804 r2.in.policy_handle = handle;
2805 r2.in.info = &trustinfo;
2806 r2.in.auth_info_internal = authinfo_internal;
2807 r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2808 r2.out.trustdom_handle = &trustdom_handle[i];
2810 torture_assert_ntstatus_ok(tctx,
2811 dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r2),
2812 "CreateTrustedDomainEx2 failed");
2814 status = r2.out.result;
2817 r.in.policy_handle = handle;
2818 r.in.info = &trustinfo;
2819 r.in.auth_info = authinfo;
2820 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2821 r.out.trustdom_handle = &trustdom_handle[i];
2823 torture_assert_ntstatus_ok(tctx,
2824 dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
2825 "CreateTrustedDomainEx failed");
2827 status = r.out.result;
2830 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
2831 test_DeleteTrustedDomain(b, tctx, handle, trustinfo.netbios_name);
2833 torture_assert_ntstatus_ok(tctx,
2834 dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r2),
2835 "CreateTrustedDomainEx2 failed");
2836 status = r2.out.result;
2838 torture_assert_ntstatus_ok(tctx,
2839 dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
2840 "CreateTrustedDomainEx2 failed");
2841 status = r.out.result;
2844 if (!NT_STATUS_IS_OK(status)) {
2845 torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(status));
2848 /* For outbound and MIT trusts there is no trust account */
2849 if (trustinfo.trust_direction != 2 &&
2850 trustinfo.trust_type != 3) {
2852 if (torture_setting_bool(tctx, "samba3", false) ||
2853 torture_setting_bool(tctx, "samba4", false)) {
2854 torture_comment(tctx, "skipping trusted domain auth tests against samba");
2856 if (check_dom_trust_pw(p, tctx, trust_name,
2858 torture_comment(tctx, "Password check passed unexpectedly\n");
2861 if (!check_dom_trust_pw(p, tctx, trust_name,
2863 torture_comment(tctx, "Password check failed\n");
2869 q.in.trustdom_handle = &trustdom_handle[i];
2870 q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
2872 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
2873 "QueryTrustedDomainInfo failed");
2874 if (!NT_STATUS_IS_OK(q.out.result)) {
2875 torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(q.out.result));
2877 } else if (!q.out.info) {
2878 torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed to return an info pointer\n");
2881 if (strcmp(info->info_ex.netbios_name.string, trustinfo.netbios_name.string) != 0) {
2882 torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistent short name: %s != %s\n",
2883 info->info_ex.netbios_name.string, trustinfo.netbios_name.string);
2886 if (info->info_ex.trust_type != trustinfo.trust_type) {
2887 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n",
2888 trust_name, info->info_ex.trust_type, trustinfo.trust_type);
2891 if (info->info_ex.trust_attributes != LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION) {
2892 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n",
2893 trust_name, info->info_ex.trust_attributes, LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION);
2896 if (info->info_ex.trust_direction != trustinfo.trust_direction) {
2897 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n",
2898 trust_name, info->info_ex.trust_direction, trustinfo.trust_direction);
2905 /* now that we have some domains to look over, we can test the enum calls */
2906 if (!test_EnumTrustDom(b, tctx, handle)) {
2907 torture_comment(tctx, "test_EnumTrustDom failed\n");
2911 if (!test_EnumTrustDomEx(b, tctx, handle)) {
2912 torture_comment(tctx, "test_EnumTrustDomEx failed\n");
2916 for (i=0; i<num_trusts; i++) {
2917 if (!test_DeleteTrustedDomainBySid(b, tctx, handle, domsid[i])) {
2918 torture_comment(tctx, "test_DeleteTrustedDomainBySid failed\n");
2926 static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
2927 struct torture_context *tctx,
2928 struct policy_handle *handle,
2929 uint32_t num_trusts)
2931 return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, true);
2934 static bool test_CreateTrustedDomainEx(struct dcerpc_pipe *p,
2935 struct torture_context *tctx,
2936 struct policy_handle *handle,
2937 uint32_t num_trusts)
2939 return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, false);
2942 static bool test_QueryDomainInfoPolicy(struct dcerpc_binding_handle *b,
2943 struct torture_context *tctx,
2944 struct policy_handle *handle)
2946 struct lsa_QueryDomainInformationPolicy r;
2947 union lsa_DomainInformationPolicy *info = NULL;
2951 if (torture_setting_bool(tctx, "samba3", false)) {
2952 torture_skip(tctx, "skipping QueryDomainInformationPolicy test\n");
2955 torture_comment(tctx, "\nTesting QueryDomainInformationPolicy\n");
2958 r.in.handle = handle;
2962 torture_comment(tctx, "\nTrying QueryDomainInformationPolicy level %d\n", i);
2964 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryDomainInformationPolicy_r(b, tctx, &r),
2965 "QueryDomainInformationPolicy failed");
2967 /* If the server does not support EFS, then this is the correct return */
2968 if (i == LSA_DOMAIN_INFO_POLICY_EFS && NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
2970 } else if (!NT_STATUS_IS_OK(r.out.result)) {
2971 torture_comment(tctx, "QueryDomainInformationPolicy failed - %s\n", nt_errstr(r.out.result));
2981 static bool test_QueryInfoPolicyCalls( bool version2,
2982 struct dcerpc_binding_handle *b,
2983 struct torture_context *tctx,
2984 struct policy_handle *handle)
2986 struct lsa_QueryInfoPolicy r;
2987 union lsa_PolicyInformation *info = NULL;
2990 const char *call = talloc_asprintf(tctx, "QueryInfoPolicy%s", version2 ? "2":"");
2992 torture_comment(tctx, "\nTesting %s\n", call);
2994 if (version2 && torture_setting_bool(tctx, "samba3", false)) {
2995 torture_skip(tctx, "skipping QueryInfoPolicy2 tests\n");
2998 for (i=1;i<=14;i++) {
2999 r.in.handle = handle;
3003 torture_comment(tctx, "\nTrying %s level %d\n", call, i);
3006 /* We can perform the cast, because both types are
3007 structurally equal */
3008 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryInfoPolicy2_r(b, tctx,
3009 (struct lsa_QueryInfoPolicy2*) &r),
3010 "QueryInfoPolicy2 failed");
3012 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryInfoPolicy_r(b, tctx, &r),
3013 "QueryInfoPolicy2 failed");
3016 case LSA_POLICY_INFO_MOD:
3017 case LSA_POLICY_INFO_AUDIT_FULL_SET:
3018 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
3019 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_PARAMETER)) {
3020 torture_comment(tctx, "Server should have failed level %u: %s\n", i, nt_errstr(r.out.result));
3024 case LSA_POLICY_INFO_DOMAIN:
3025 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
3026 case LSA_POLICY_INFO_REPLICA:
3027 case LSA_POLICY_INFO_QUOTA:
3028 case LSA_POLICY_INFO_ROLE:
3029 case LSA_POLICY_INFO_AUDIT_LOG:
3030 case LSA_POLICY_INFO_AUDIT_EVENTS:
3031 case LSA_POLICY_INFO_PD:
3032 if (!NT_STATUS_IS_OK(r.out.result)) {
3033 torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
3037 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
3038 case LSA_POLICY_INFO_DNS_INT:
3039 case LSA_POLICY_INFO_DNS:
3040 if (torture_setting_bool(tctx, "samba3", false)) {
3041 /* Other levels not implemented yet */
3042 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) {
3043 torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
3046 } else if (!NT_STATUS_IS_OK(r.out.result)) {
3047 torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
3052 if (torture_setting_bool(tctx, "samba4", false)) {
3053 /* Other levels not implemented yet */
3054 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) {
3055 torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
3058 } else if (!NT_STATUS_IS_OK(r.out.result)) {
3059 torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
3065 if (NT_STATUS_IS_OK(r.out.result) && (i == LSA_POLICY_INFO_DNS
3066 || i == LSA_POLICY_INFO_DNS_INT)) {
3067 /* Let's look up some of these names */
3069 struct lsa_TransNameArray tnames;
3071 tnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, tnames.count);
3072 tnames.names[0].name.string = info->dns.name.string;
3073 tnames.names[0].sid_type = SID_NAME_DOMAIN;
3074 tnames.names[1].name.string = info->dns.dns_domain.string;
3075 tnames.names[1].sid_type = SID_NAME_DOMAIN;
3076 tnames.names[2].name.string = talloc_asprintf(tctx, "%s\\", info->dns.name.string);
3077 tnames.names[2].sid_type = SID_NAME_DOMAIN;
3078 tnames.names[3].name.string = talloc_asprintf(tctx, "%s\\", info->dns.dns_domain.string);
3079 tnames.names[3].sid_type = SID_NAME_DOMAIN;
3080 tnames.names[4].name.string = talloc_asprintf(tctx, "%s\\guest", info->dns.name.string);
3081 tnames.names[4].sid_type = SID_NAME_USER;
3082 tnames.names[5].name.string = talloc_asprintf(tctx, "%s\\krbtgt", info->dns.name.string);
3083 tnames.names[5].sid_type = SID_NAME_USER;
3084 tnames.names[6].name.string = talloc_asprintf(tctx, "%s\\guest", info->dns.dns_domain.string);
3085 tnames.names[6].sid_type = SID_NAME_USER;
3086 tnames.names[7].name.string = talloc_asprintf(tctx, "%s\\krbtgt", info->dns.dns_domain.string);
3087 tnames.names[7].sid_type = SID_NAME_USER;
3088 tnames.names[8].name.string = talloc_asprintf(tctx, "krbtgt@%s", info->dns.name.string);
3089 tnames.names[8].sid_type = SID_NAME_USER;
3090 tnames.names[9].name.string = talloc_asprintf(tctx, "krbtgt@%s", info->dns.dns_domain.string);
3091 tnames.names[9].sid_type = SID_NAME_USER;
3092 tnames.names[10].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.name.string);
3093 tnames.names[10].sid_type = SID_NAME_USER;
3094 tnames.names[11].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.dns_domain.string);
3095 tnames.names[11].sid_type = SID_NAME_USER;
3096 tnames.names[12].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.name.string);
3097 tnames.names[12].sid_type = SID_NAME_USER;
3098 tnames.names[13].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.dns_domain.string);
3099 tnames.names[13].sid_type = SID_NAME_USER;
3100 ret &= test_LookupNames(b, tctx, handle, &tnames);
3108 static bool test_QueryInfoPolicy(struct dcerpc_binding_handle *b,
3109 struct torture_context *tctx,
3110 struct policy_handle *handle)
3112 return test_QueryInfoPolicyCalls(false, b, tctx, handle);
3115 static bool test_QueryInfoPolicy2(struct dcerpc_binding_handle *b,
3116 struct torture_context *tctx,
3117 struct policy_handle *handle)
3119 return test_QueryInfoPolicyCalls(true, b, tctx, handle);
3122 static bool test_GetUserName(struct dcerpc_binding_handle *b,
3123 struct torture_context *tctx)
3125 struct lsa_GetUserName r;
3127 struct lsa_String *authority_name_p = NULL;
3128 struct lsa_String *account_name_p = NULL;
3130 torture_comment(tctx, "\nTesting GetUserName\n");
3132 r.in.system_name = "\\";
3133 r.in.account_name = &account_name_p;
3134 r.in.authority_name = NULL;
3135 r.out.account_name = &account_name_p;
3137 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_GetUserName_r(b, tctx, &r),
3138 "GetUserName failed");
3140 if (!NT_STATUS_IS_OK(r.out.result)) {
3141 torture_comment(tctx, "GetUserName failed - %s\n", nt_errstr(r.out.result));
3145 account_name_p = NULL;
3146 r.in.account_name = &account_name_p;
3147 r.in.authority_name = &authority_name_p;
3148 r.out.account_name = &account_name_p;
3150 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_GetUserName_r(b, tctx, &r),
3151 "GetUserName failed");
3153 if (!NT_STATUS_IS_OK(r.out.result)) {
3154 torture_comment(tctx, "GetUserName failed - %s\n", nt_errstr(r.out.result));
3161 bool test_lsa_Close(struct dcerpc_binding_handle *b,
3162 struct torture_context *tctx,
3163 struct policy_handle *handle)
3166 struct policy_handle handle2;
3168 torture_comment(tctx, "\nTesting Close\n");
3170 r.in.handle = handle;
3171 r.out.handle = &handle2;
3173 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Close_r(b, tctx, &r),
3175 if (!NT_STATUS_IS_OK(r.out.result)) {
3176 torture_comment(tctx, "Close failed - %s\n",
3177 nt_errstr(r.out.result));
3181 torture_assert_ntstatus_equal(tctx, dcerpc_lsa_Close_r(b, tctx, &r),
3182 NT_STATUS_RPC_SS_CONTEXT_MISMATCH, "Close should failed");
3184 torture_comment(tctx, "\n");
3189 bool torture_rpc_lsa(struct torture_context *tctx)
3192 struct dcerpc_pipe *p;
3194 struct policy_handle *handle = NULL;
3195 struct test_join *join = NULL;
3196 struct cli_credentials *machine_creds;
3197 struct dcerpc_binding_handle *b;
3199 status = torture_rpc_connection(tctx, &p, &ndr_table_lsarpc);
3200 if (!NT_STATUS_IS_OK(status)) {
3203 b = p->binding_handle;
3205 /* Test lsaLookupSids3 and lsaLookupNames4 over tcpip */
3206 if (p->binding->transport == NCACN_IP_TCP) {
3207 if (!test_OpenPolicy(b, tctx, true)) {
3211 if (!test_lsa_OpenPolicy2_ex(b, tctx, &handle,
3212 NT_STATUS_OK, true)) {
3216 if (!test_many_LookupSids(p, tctx, handle)) {
3223 if (!test_OpenPolicy(b, tctx, false)) {
3227 if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
3232 join = torture_join_domain(tctx, TEST_MACHINENAME, ACB_WSTRUST, &machine_creds);
3237 if (!test_LookupSids_async(b, tctx, handle)) {
3241 if (!test_QueryDomainInfoPolicy(b, tctx, handle)) {
3245 if (!test_CreateSecret(p, tctx, handle)) {
3249 if (!test_QueryInfoPolicy(b, tctx, handle)) {
3253 if (!test_QueryInfoPolicy2(b, tctx, handle)) {
3257 if (!test_Delete(b, tctx, handle)) {
3261 if (!test_many_LookupSids(p, tctx, handle)) {
3265 if (!test_lsa_Close(b, tctx, handle)) {
3269 torture_leave_domain(tctx, join);
3272 if (!test_many_LookupSids(p, tctx, handle)) {
3277 if (!test_GetUserName(b, tctx)) {
3284 bool torture_rpc_lsa_get_user(struct torture_context *tctx)
3287 struct dcerpc_pipe *p;
3289 struct dcerpc_binding_handle *b;
3291 status = torture_rpc_connection(tctx, &p, &ndr_table_lsarpc);
3292 if (!NT_STATUS_IS_OK(status)) {
3295 b = p->binding_handle;
3297 if (!test_GetUserName(b, tctx)) {
3304 static bool testcase_LookupNames(struct torture_context *tctx,
3305 struct dcerpc_pipe *p)
3308 struct policy_handle *handle;
3309 struct lsa_TransNameArray tnames;
3310 struct lsa_TransNameArray2 tnames2;
3311 struct dcerpc_binding_handle *b = p->binding_handle;
3313 if (p->binding->transport != NCACN_NP &&
3314 p->binding->transport != NCALRPC) {
3315 torture_comment(tctx, "testcase_LookupNames is only available "
3316 "over NCACN_NP or NCALRPC");
3320 if (!test_OpenPolicy(b, tctx, false)) {
3324 if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
3333 tnames.names = talloc_array(tctx, struct lsa_TranslatedName, tnames.count);
3334 ZERO_STRUCT(tnames.names[0]);
3335 tnames.names[0].name.string = "BUILTIN";
3336 tnames.names[0].sid_type = SID_NAME_DOMAIN;
3338 if (!test_LookupNames(b, tctx, handle, &tnames)) {
3343 tnames2.names = talloc_array(tctx, struct lsa_TranslatedName2, tnames2.count);
3344 ZERO_STRUCT(tnames2.names[0]);
3345 tnames2.names[0].name.string = "BUILTIN";
3346 tnames2.names[0].sid_type = SID_NAME_DOMAIN;
3348 if (!test_LookupNames2(b, tctx, handle, &tnames2, true)) {
3352 if (!test_LookupNames3(b, tctx, handle, &tnames2, true)) {
3356 if (!test_LookupNames_wellknown(b, tctx, handle)) {
3360 if (!test_LookupNames_NULL(b, tctx, handle)) {
3364 if (!test_LookupNames_bogus(b, tctx, handle)) {
3368 if (!test_lsa_Close(b, tctx, handle)) {
3375 struct torture_suite *torture_rpc_lsa_lookup_names(TALLOC_CTX *mem_ctx)
3377 struct torture_suite *suite;
3378 struct torture_rpc_tcase *tcase;
3380 suite = torture_suite_create(mem_ctx, "lsa.lookupnames");
3382 tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
3384 torture_rpc_tcase_add_test(tcase, "LookupNames",
3385 testcase_LookupNames);
3390 struct lsa_trustdom_state {
3391 uint32_t num_trusts;
3394 static bool testcase_TrustedDomains(struct torture_context *tctx,
3395 struct dcerpc_pipe *p,
3399 struct policy_handle *handle;
3400 struct lsa_trustdom_state *state =
3401 talloc_get_type_abort(data, struct lsa_trustdom_state);
3402 struct dcerpc_binding_handle *b = p->binding_handle;
3404 if (p->binding->transport != NCACN_NP &&
3405 p->binding->transport != NCALRPC) {
3406 torture_comment(tctx, "testcase_TrustedDomains is only available "
3407 "over NCACN_NP or NCALRPC");
3411 torture_comment(tctx, "Testing %d domains\n", state->num_trusts);
3413 if (!test_OpenPolicy(b, tctx, false)) {
3417 if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
3425 if (!test_CreateTrustedDomain(b, tctx, handle, state->num_trusts)) {
3429 if (!test_CreateTrustedDomainEx(p, tctx, handle, state->num_trusts)) {
3433 if (!test_CreateTrustedDomainEx2(p, tctx, handle, state->num_trusts)) {
3437 if (!test_lsa_Close(b, tctx, handle)) {
3444 struct torture_suite *torture_rpc_lsa_trusted_domains(TALLOC_CTX *mem_ctx)
3446 struct torture_suite *suite;
3447 struct torture_rpc_tcase *tcase;
3448 struct lsa_trustdom_state *state;
3450 state = talloc(mem_ctx, struct lsa_trustdom_state);
3452 state->num_trusts = 12;
3454 suite = torture_suite_create(mem_ctx, "lsa.trusted.domains");
3456 tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
3458 torture_rpc_tcase_add_test_ex(tcase, "TrustedDomains",
3459 testcase_TrustedDomains,
3465 static bool testcase_Privileges(struct torture_context *tctx,
3466 struct dcerpc_pipe *p)
3469 struct policy_handle *handle;
3470 struct dcerpc_binding_handle *b = p->binding_handle;
3472 if (p->binding->transport != NCACN_NP &&
3473 p->binding->transport != NCALRPC) {
3474 torture_comment(tctx, "testcase_Privileges is only available "
3475 "over NCACN_NP or NCALRPC");
3479 if (!test_OpenPolicy(b, tctx, false)) {
3483 if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
3491 if (!test_CreateAccount(b, tctx, handle)) {
3495 if (!test_EnumAccounts(b, tctx, handle)) {
3499 if (!test_EnumPrivs(b, tctx, handle)) {
3503 if (!test_lsa_Close(b, tctx, handle)) {
3511 struct torture_suite *torture_rpc_lsa_privileges(TALLOC_CTX *mem_ctx)
3513 struct torture_suite *suite;
3514 struct torture_rpc_tcase *tcase;
3516 suite = torture_suite_create(mem_ctx, "lsa.privileges");
3518 tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
3520 torture_rpc_tcase_add_test(tcase, "Privileges",
3521 testcase_Privileges);