2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
9 Copyright (C) Matthias Dieter Wallnöfer 2009
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "lib/events/events.h"
27 #include "lib/cmdline/popt_common.h"
28 #include "torture/rpc/rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_lsa_c.h"
33 #include "param/param.h"
34 #include "libcli/security/security.h"
35 #include "lib/ldb/include/ldb.h"
36 #include "lib/util/util_ldb.h"
37 #include "lib/ldb_wrap.h"
39 #define TEST_MACHINE_NAME "torturetest"
40 #define TEST_MACHINE_DNS_SUFFIX "torturedomain"
42 static bool test_LogonUasLogon(struct torture_context *tctx,
43 struct dcerpc_pipe *p)
46 struct netr_LogonUasLogon r;
47 struct netr_UasInfo *info = NULL;
49 r.in.server_name = NULL;
50 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
51 r.in.workstation = TEST_MACHINE_NAME;
54 status = dcerpc_netr_LogonUasLogon(p, tctx, &r);
55 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
60 static bool test_LogonUasLogoff(struct torture_context *tctx,
61 struct dcerpc_pipe *p)
64 struct netr_LogonUasLogoff r;
65 struct netr_UasLogoffInfo info;
67 r.in.server_name = NULL;
68 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
69 r.in.workstation = TEST_MACHINE_NAME;
72 status = dcerpc_netr_LogonUasLogoff(p, tctx, &r);
73 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
78 bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
79 struct cli_credentials *credentials,
80 struct netlogon_creds_CredentialState **creds_out)
83 struct netr_ServerReqChallenge r;
84 struct netr_ServerAuthenticate a;
85 struct netr_Credential credentials1, credentials2, credentials3;
86 struct netlogon_creds_CredentialState *creds;
87 const struct samr_Password *mach_password;
88 const char *machine_name;
90 mach_password = cli_credentials_get_nt_hash(credentials, tctx);
91 machine_name = cli_credentials_get_workstation(credentials);
93 torture_comment(tctx, "Testing ServerReqChallenge\n");
95 r.in.server_name = NULL;
96 r.in.computer_name = machine_name;
97 r.in.credentials = &credentials1;
98 r.out.return_credentials = &credentials2;
100 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
102 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
103 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
105 a.in.server_name = NULL;
106 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
107 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(credentials);
108 a.in.computer_name = machine_name;
109 a.in.credentials = &credentials3;
110 a.out.return_credentials = &credentials3;
112 creds = netlogon_creds_client_init(tctx, a.in.account_name,
114 &credentials1, &credentials2,
115 mach_password, &credentials3,
117 torture_assert(tctx, creds != NULL, "memory allocation");
120 torture_comment(tctx, "Testing ServerAuthenticate\n");
122 status = dcerpc_netr_ServerAuthenticate(p, tctx, &a);
124 /* This allows the tests to continue against the more fussy windows 2008 */
125 if (NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED)) {
126 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
128 cli_credentials_get_secure_channel_type(credentials),
132 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
134 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
135 "Credential chaining failed");
141 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
142 uint32_t negotiate_flags,
143 struct cli_credentials *machine_credentials,
145 struct netlogon_creds_CredentialState **creds_out)
148 struct netr_ServerReqChallenge r;
149 struct netr_ServerAuthenticate2 a;
150 struct netr_Credential credentials1, credentials2, credentials3;
151 struct netlogon_creds_CredentialState *creds;
152 const struct samr_Password *mach_password;
153 const char *machine_name;
155 mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
156 machine_name = cli_credentials_get_workstation(machine_credentials);
158 torture_comment(tctx, "Testing ServerReqChallenge\n");
161 r.in.server_name = NULL;
162 r.in.computer_name = machine_name;
163 r.in.credentials = &credentials1;
164 r.out.return_credentials = &credentials2;
166 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
168 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
169 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
171 a.in.server_name = NULL;
172 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
173 a.in.secure_channel_type = sec_chan_type;
174 a.in.computer_name = machine_name;
175 a.in.negotiate_flags = &negotiate_flags;
176 a.out.negotiate_flags = &negotiate_flags;
177 a.in.credentials = &credentials3;
178 a.out.return_credentials = &credentials3;
180 creds = netlogon_creds_client_init(tctx, a.in.account_name,
182 &credentials1, &credentials2,
183 mach_password, &credentials3,
186 torture_assert(tctx, creds != NULL, "memory allocation");
188 torture_comment(tctx, "Testing ServerAuthenticate2\n");
190 status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a);
191 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2");
193 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
194 "Credential chaining failed");
196 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
203 static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
204 uint32_t negotiate_flags,
205 struct cli_credentials *machine_credentials,
206 struct netlogon_creds_CredentialState **creds_out)
209 struct netr_ServerReqChallenge r;
210 struct netr_ServerAuthenticate3 a;
211 struct netr_Credential credentials1, credentials2, credentials3;
212 struct netlogon_creds_CredentialState *creds;
213 struct samr_Password mach_password;
215 const char *machine_name;
216 const char *plain_pass;
218 machine_name = cli_credentials_get_workstation(machine_credentials);
219 plain_pass = cli_credentials_get_password(machine_credentials);
221 torture_comment(tctx, "Testing ServerReqChallenge\n");
223 r.in.server_name = NULL;
224 r.in.computer_name = machine_name;
225 r.in.credentials = &credentials1;
226 r.out.return_credentials = &credentials2;
228 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
230 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
231 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
233 E_md4hash(plain_pass, mach_password.hash);
235 a.in.server_name = NULL;
236 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
237 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
238 a.in.computer_name = machine_name;
239 a.in.negotiate_flags = &negotiate_flags;
240 a.in.credentials = &credentials3;
241 a.out.return_credentials = &credentials3;
242 a.out.negotiate_flags = &negotiate_flags;
245 creds = netlogon_creds_client_init(tctx, a.in.account_name,
247 &credentials1, &credentials2,
248 &mach_password, &credentials3,
251 torture_assert(tctx, creds != NULL, "memory allocation");
253 torture_comment(tctx, "Testing ServerAuthenticate3\n");
255 status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
256 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
257 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
259 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
261 /* Prove that requesting a challenge again won't break it */
262 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
263 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
270 try a change password for our machine account
272 static bool test_SetPassword(struct torture_context *tctx,
273 struct dcerpc_pipe *p,
274 struct cli_credentials *machine_credentials)
277 struct netr_ServerPasswordSet r;
278 const char *password;
279 struct netlogon_creds_CredentialState *creds;
280 struct netr_Authenticator credential, return_authenticator;
281 struct samr_Password new_password;
283 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
287 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
288 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
289 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
290 r.in.computer_name = TEST_MACHINE_NAME;
291 r.in.credential = &credential;
292 r.in.new_password = &new_password;
293 r.out.return_authenticator = &return_authenticator;
295 password = generate_random_str(tctx, 8);
296 E_md4hash(password, new_password.hash);
298 netlogon_creds_des_encrypt(creds, &new_password);
300 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
301 torture_comment(tctx, "Changing machine account password to '%s'\n",
304 netlogon_creds_client_authenticator(creds, &credential);
306 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
307 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
309 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
310 torture_comment(tctx, "Credential chaining failed\n");
313 /* by changing the machine password twice we test the
314 credentials chaining fully, and we verify that the server
315 allows the password to be set to the same value twice in a
316 row (match win2k3) */
317 torture_comment(tctx,
318 "Testing a second ServerPasswordSet on machine account\n");
319 torture_comment(tctx,
320 "Changing machine account password to '%s' (same as previous run)\n", password);
322 netlogon_creds_client_authenticator(creds, &credential);
324 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
325 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
327 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
328 torture_comment(tctx, "Credential chaining failed\n");
331 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
334 test_SetupCredentials(p, tctx, machine_credentials, &creds),
335 "ServerPasswordSet failed to actually change the password");
341 try a change password for our machine account
343 static bool test_SetPassword_flags(struct torture_context *tctx,
344 struct dcerpc_pipe *p,
345 struct cli_credentials *machine_credentials,
346 uint32_t negotiate_flags)
349 struct netr_ServerPasswordSet r;
350 const char *password;
351 struct netlogon_creds_CredentialState *creds;
352 struct netr_Authenticator credential, return_authenticator;
353 struct samr_Password new_password;
355 if (!test_SetupCredentials2(p, tctx, negotiate_flags,
357 cli_credentials_get_secure_channel_type(machine_credentials),
362 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
363 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
364 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
365 r.in.computer_name = TEST_MACHINE_NAME;
366 r.in.credential = &credential;
367 r.in.new_password = &new_password;
368 r.out.return_authenticator = &return_authenticator;
370 password = generate_random_str(tctx, 8);
371 E_md4hash(password, new_password.hash);
373 netlogon_creds_des_encrypt(creds, &new_password);
375 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
376 torture_comment(tctx, "Changing machine account password to '%s'\n",
379 netlogon_creds_client_authenticator(creds, &credential);
381 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
382 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
384 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
385 torture_comment(tctx, "Credential chaining failed\n");
388 /* by changing the machine password twice we test the
389 credentials chaining fully, and we verify that the server
390 allows the password to be set to the same value twice in a
391 row (match win2k3) */
392 torture_comment(tctx,
393 "Testing a second ServerPasswordSet on machine account\n");
394 torture_comment(tctx,
395 "Changing machine account password to '%s' (same as previous run)\n", password);
397 netlogon_creds_client_authenticator(creds, &credential);
399 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
400 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
402 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
403 torture_comment(tctx, "Credential chaining failed\n");
406 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
409 test_SetupCredentials(p, tctx, machine_credentials, &creds),
410 "ServerPasswordSet failed to actually change the password");
417 generate a random password for password change tests
419 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
422 DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
423 generate_random_buffer(password.data, password.length);
425 for (i=0; i < len; i++) {
426 if (((uint16_t *)password.data)[i] == 0) {
427 ((uint16_t *)password.data)[i] = 1;
435 try a change password for our machine account
437 static bool test_SetPassword2(struct torture_context *tctx,
438 struct dcerpc_pipe *p,
439 struct cli_credentials *machine_credentials)
442 struct netr_ServerPasswordSet2 r;
443 const char *password;
444 DATA_BLOB new_random_pass;
445 struct netlogon_creds_CredentialState *creds;
446 struct samr_CryptPassword password_buf;
447 struct samr_Password nt_hash;
448 struct netr_Authenticator credential, return_authenticator;
449 struct netr_CryptPassword new_password;
451 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
455 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
456 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
457 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
458 r.in.computer_name = TEST_MACHINE_NAME;
459 r.in.credential = &credential;
460 r.in.new_password = &new_password;
461 r.out.return_authenticator = &return_authenticator;
463 password = generate_random_str(tctx, 8);
464 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
465 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
467 memcpy(new_password.data, password_buf.data, 512);
468 new_password.length = IVAL(password_buf.data, 512);
470 torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
471 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
473 netlogon_creds_client_authenticator(creds, &credential);
475 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
476 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
478 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
479 torture_comment(tctx, "Credential chaining failed\n");
482 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
484 if (!torture_setting_bool(tctx, "dangerous", false)) {
485 torture_comment(tctx,
486 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
488 /* by changing the machine password to ""
489 * we check if the server uses password restrictions
490 * for ServerPasswordSet2
491 * (win2k3 accepts "")
494 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
495 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
497 memcpy(new_password.data, password_buf.data, 512);
498 new_password.length = IVAL(password_buf.data, 512);
500 torture_comment(tctx,
501 "Testing ServerPasswordSet2 on machine account\n");
502 torture_comment(tctx,
503 "Changing machine account password to '%s'\n", password);
505 netlogon_creds_client_authenticator(creds, &credential);
507 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
508 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
510 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
511 torture_comment(tctx, "Credential chaining failed\n");
514 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
517 torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
518 "ServerPasswordSet failed to actually change the password");
520 /* now try a random password */
521 password = generate_random_str(tctx, 8);
522 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
523 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
525 memcpy(new_password.data, password_buf.data, 512);
526 new_password.length = IVAL(password_buf.data, 512);
528 torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
529 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
531 netlogon_creds_client_authenticator(creds, &credential);
533 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
534 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)");
536 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
537 torture_comment(tctx, "Credential chaining failed\n");
540 /* by changing the machine password twice we test the
541 credentials chaining fully, and we verify that the server
542 allows the password to be set to the same value twice in a
543 row (match win2k3) */
544 torture_comment(tctx,
545 "Testing a second ServerPasswordSet2 on machine account\n");
546 torture_comment(tctx,
547 "Changing machine account password to '%s' (same as previous run)\n", password);
549 netlogon_creds_client_authenticator(creds, &credential);
551 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
552 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
554 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
555 torture_comment(tctx, "Credential chaining failed\n");
558 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
560 torture_assert (tctx,
561 test_SetupCredentials(p, tctx, machine_credentials, &creds),
562 "ServerPasswordSet failed to actually change the password");
564 new_random_pass = netlogon_very_rand_pass(tctx, 128);
566 /* now try a random stream of bytes for a password */
567 set_pw_in_buffer(password_buf.data, &new_random_pass);
569 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
571 memcpy(new_password.data, password_buf.data, 512);
572 new_password.length = IVAL(password_buf.data, 512);
574 torture_comment(tctx,
575 "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
577 netlogon_creds_client_authenticator(creds, &credential);
579 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
580 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
582 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
583 torture_comment(tctx, "Credential chaining failed\n");
586 mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
588 cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
589 cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
591 torture_assert (tctx,
592 test_SetupCredentials(p, tctx, machine_credentials, &creds),
593 "ServerPasswordSet failed to actually change the password");
598 static bool test_GetPassword(struct torture_context *tctx,
599 struct dcerpc_pipe *p,
600 struct cli_credentials *machine_credentials)
602 struct netr_ServerPasswordGet r;
603 struct netlogon_creds_CredentialState *creds;
604 struct netr_Authenticator credential;
606 struct netr_Authenticator return_authenticator;
607 struct samr_Password password;
609 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
613 netlogon_creds_client_authenticator(creds, &credential);
615 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
616 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
617 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
618 r.in.computer_name = TEST_MACHINE_NAME;
619 r.in.credential = &credential;
620 r.out.return_authenticator = &return_authenticator;
621 r.out.password = &password;
623 status = dcerpc_netr_ServerPasswordGet(p, tctx, &r);
624 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
629 static bool test_GetTrustPasswords(struct torture_context *tctx,
630 struct dcerpc_pipe *p,
631 struct cli_credentials *machine_credentials)
633 struct netr_ServerTrustPasswordsGet r;
634 struct netlogon_creds_CredentialState *creds;
635 struct netr_Authenticator credential;
637 struct netr_Authenticator return_authenticator;
638 struct samr_Password password, password2;
640 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
644 netlogon_creds_client_authenticator(creds, &credential);
646 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
647 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
648 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
649 r.in.computer_name = TEST_MACHINE_NAME;
650 r.in.credential = &credential;
651 r.out.return_authenticator = &return_authenticator;
652 r.out.password = &password;
653 r.out.password2 = &password2;
655 status = dcerpc_netr_ServerTrustPasswordsGet(p, tctx, &r);
656 torture_assert_ntstatus_ok(tctx, status, "ServerTrustPasswordsGet");
662 try a netlogon SamLogon
664 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
665 struct cli_credentials *credentials,
666 struct netlogon_creds_CredentialState *creds)
669 struct netr_LogonSamLogon r;
670 struct netr_Authenticator auth, auth2;
671 union netr_LogonLevel logon;
672 union netr_Validation validation;
673 uint8_t authoritative;
674 struct netr_NetworkInfo ninfo;
675 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
677 int flags = CLI_CRED_NTLM_AUTH;
678 if (lp_client_lanman_auth(tctx->lp_ctx)) {
679 flags |= CLI_CRED_LANMAN_AUTH;
682 if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
683 flags |= CLI_CRED_NTLMv2_AUTH;
686 cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
687 &ninfo.identity_info.account_name.string,
688 &ninfo.identity_info.domain_name.string);
690 generate_random_buffer(ninfo.challenge,
691 sizeof(ninfo.challenge));
692 chal = data_blob_const(ninfo.challenge,
693 sizeof(ninfo.challenge));
695 names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
696 cli_credentials_get_domain(credentials));
698 status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
704 torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
706 ninfo.lm.data = lm_resp.data;
707 ninfo.lm.length = lm_resp.length;
709 ninfo.nt.data = nt_resp.data;
710 ninfo.nt.length = nt_resp.length;
712 ninfo.identity_info.parameter_control = 0;
713 ninfo.identity_info.logon_id_low = 0;
714 ninfo.identity_info.logon_id_high = 0;
715 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
717 logon.network = &ninfo;
719 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
720 r.in.computer_name = cli_credentials_get_workstation(credentials);
721 r.in.credential = &auth;
722 r.in.return_authenticator = &auth2;
723 r.in.logon_level = 2;
725 r.out.validation = &validation;
726 r.out.authoritative = &authoritative;
728 d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
732 netlogon_creds_client_authenticator(creds, &auth);
734 r.in.validation_level = i;
736 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
737 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
739 torture_assert(tctx, netlogon_creds_client_check(creds,
740 &r.out.return_authenticator->cred),
741 "Credential chaining failed");
744 r.in.credential = NULL;
748 r.in.validation_level = i;
750 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
752 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
753 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
754 "LogonSamLogon expected INVALID_PARAMETER");
762 try a netlogon SamLogon
764 static bool test_SamLogon(struct torture_context *tctx,
765 struct dcerpc_pipe *p,
766 struct cli_credentials *credentials)
768 struct netlogon_creds_CredentialState *creds;
770 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
774 return test_netlogon_ops(p, tctx, credentials, creds);
777 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
778 static uint64_t sequence_nums[3];
781 try a netlogon DatabaseSync
783 static bool test_DatabaseSync(struct torture_context *tctx,
784 struct dcerpc_pipe *p,
785 struct cli_credentials *machine_credentials)
788 struct netr_DatabaseSync r;
789 struct netlogon_creds_CredentialState *creds;
790 const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
792 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
793 struct netr_Authenticator credential, return_authenticator;
795 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
799 ZERO_STRUCT(return_authenticator);
801 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
802 r.in.computername = TEST_MACHINE_NAME;
803 r.in.preferredmaximumlength = (uint32_t)-1;
804 r.in.return_authenticator = &return_authenticator;
805 r.out.delta_enum_array = &delta_enum_array;
806 r.out.return_authenticator = &return_authenticator;
808 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
810 uint32_t sync_context = 0;
812 r.in.database_id = database_ids[i];
813 r.in.sync_context = &sync_context;
814 r.out.sync_context = &sync_context;
816 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
819 netlogon_creds_client_authenticator(creds, &credential);
821 r.in.credential = &credential;
823 status = dcerpc_netr_DatabaseSync(p, tctx, &r);
824 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
827 /* Native mode servers don't do this */
828 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
831 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync");
833 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
834 torture_comment(tctx, "Credential chaining failed\n");
837 if (delta_enum_array &&
838 delta_enum_array->num_deltas > 0 &&
839 delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
840 delta_enum_array->delta_enum[0].delta_union.domain) {
841 sequence_nums[r.in.database_id] =
842 delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
843 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
845 (unsigned long long)sequence_nums[r.in.database_id]);
847 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
855 try a netlogon DatabaseDeltas
857 static bool test_DatabaseDeltas(struct torture_context *tctx,
858 struct dcerpc_pipe *p,
859 struct cli_credentials *machine_credentials)
862 struct netr_DatabaseDeltas r;
863 struct netlogon_creds_CredentialState *creds;
864 struct netr_Authenticator credential;
865 struct netr_Authenticator return_authenticator;
866 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
867 const uint32_t database_ids[] = {0, 1, 2};
870 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
874 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
875 r.in.computername = TEST_MACHINE_NAME;
876 r.in.preferredmaximumlength = (uint32_t)-1;
877 ZERO_STRUCT(r.in.return_authenticator);
878 r.out.return_authenticator = &return_authenticator;
879 r.out.delta_enum_array = &delta_enum_array;
881 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
882 r.in.database_id = database_ids[i];
883 r.in.sequence_num = &sequence_nums[r.in.database_id];
885 if (*r.in.sequence_num == 0) continue;
887 *r.in.sequence_num -= 1;
889 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
890 r.in.database_id, (unsigned long long)*r.in.sequence_num);
893 netlogon_creds_client_authenticator(creds, &credential);
895 status = dcerpc_netr_DatabaseDeltas(p, tctx, &r);
896 if (NT_STATUS_EQUAL(status,
897 NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
898 torture_comment(tctx, "not considering %s to be an error\n",
902 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
905 torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas");
907 if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
908 torture_comment(tctx, "Credential chaining failed\n");
911 (*r.in.sequence_num)++;
912 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
918 static bool test_DatabaseRedo(struct torture_context *tctx,
919 struct dcerpc_pipe *p,
920 struct cli_credentials *machine_credentials)
923 struct netr_DatabaseRedo r;
924 struct netlogon_creds_CredentialState *creds;
925 struct netr_Authenticator credential;
926 struct netr_Authenticator return_authenticator;
927 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
928 struct netr_ChangeLogEntry e;
929 struct dom_sid null_sid, *sid;
932 ZERO_STRUCT(null_sid);
934 sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
945 NTSTATUS expected_error;
946 uint32_t expected_num_results;
947 uint8_t expected_delta_type_1;
948 uint8_t expected_delta_type_2;
952 /* SAM_DATABASE_DOMAIN */
957 .db_index = SAM_DATABASE_DOMAIN,
958 .delta_type = NETR_DELTA_MODIFY_COUNT,
961 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
962 .expected_num_results = 0,
963 .comment = "NETR_DELTA_MODIFY_COUNT"
968 .db_index = SAM_DATABASE_DOMAIN,
972 .expected_error = NT_STATUS_OK,
973 .expected_num_results = 1,
974 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
975 .comment = "NULL DELTA"
980 .db_index = SAM_DATABASE_DOMAIN,
981 .delta_type = NETR_DELTA_DOMAIN,
984 .expected_error = NT_STATUS_OK,
985 .expected_num_results = 1,
986 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
987 .comment = "NETR_DELTA_DOMAIN"
990 .rid = DOMAIN_RID_ADMINISTRATOR,
992 .db_index = SAM_DATABASE_DOMAIN,
993 .delta_type = NETR_DELTA_USER,
996 .expected_error = NT_STATUS_OK,
997 .expected_num_results = 1,
998 .expected_delta_type_1 = NETR_DELTA_USER,
999 .comment = "NETR_DELTA_USER by rid 500"
1002 .rid = DOMAIN_RID_GUEST,
1004 .db_index = SAM_DATABASE_DOMAIN,
1005 .delta_type = NETR_DELTA_USER,
1008 .expected_error = NT_STATUS_OK,
1009 .expected_num_results = 1,
1010 .expected_delta_type_1 = NETR_DELTA_USER,
1011 .comment = "NETR_DELTA_USER by rid 501"
1015 .flags = NETR_CHANGELOG_SID_INCLUDED,
1016 .db_index = SAM_DATABASE_DOMAIN,
1017 .delta_type = NETR_DELTA_USER,
1020 .expected_error = NT_STATUS_OK,
1021 .expected_num_results = 1,
1022 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1023 .comment = "NETR_DELTA_USER by sid and flags"
1027 .flags = NETR_CHANGELOG_SID_INCLUDED,
1028 .db_index = SAM_DATABASE_DOMAIN,
1029 .delta_type = NETR_DELTA_USER,
1032 .expected_error = NT_STATUS_OK,
1033 .expected_num_results = 1,
1034 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1035 .comment = "NETR_DELTA_USER by null_sid and flags"
1039 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1040 .db_index = SAM_DATABASE_DOMAIN,
1041 .delta_type = NETR_DELTA_USER,
1043 .name = "administrator",
1044 .expected_error = NT_STATUS_OK,
1045 .expected_num_results = 1,
1046 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1047 .comment = "NETR_DELTA_USER by name 'administrator'"
1050 .rid = DOMAIN_RID_ADMINS,
1052 .db_index = SAM_DATABASE_DOMAIN,
1053 .delta_type = NETR_DELTA_GROUP,
1056 .expected_error = NT_STATUS_OK,
1057 .expected_num_results = 2,
1058 .expected_delta_type_1 = NETR_DELTA_GROUP,
1059 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
1060 .comment = "NETR_DELTA_GROUP by rid 512"
1063 .rid = DOMAIN_RID_ADMINS,
1065 .db_index = SAM_DATABASE_DOMAIN,
1066 .delta_type = NETR_DELTA_GROUP_MEMBER,
1069 .expected_error = NT_STATUS_OK,
1070 .expected_num_results = 2,
1071 .expected_delta_type_1 = NETR_DELTA_GROUP,
1072 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
1073 .comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
1077 /* SAM_DATABASE_BUILTIN */
1082 .db_index = SAM_DATABASE_BUILTIN,
1083 .delta_type = NETR_DELTA_MODIFY_COUNT,
1086 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1087 .expected_num_results = 0,
1088 .comment = "NETR_DELTA_MODIFY_COUNT"
1093 .db_index = SAM_DATABASE_BUILTIN,
1094 .delta_type = NETR_DELTA_DOMAIN,
1097 .expected_error = NT_STATUS_OK,
1098 .expected_num_results = 1,
1099 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1100 .comment = "NETR_DELTA_DOMAIN"
1103 .rid = DOMAIN_RID_ADMINISTRATOR,
1105 .db_index = SAM_DATABASE_BUILTIN,
1106 .delta_type = NETR_DELTA_USER,
1109 .expected_error = NT_STATUS_OK,
1110 .expected_num_results = 1,
1111 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1112 .comment = "NETR_DELTA_USER by rid 500"
1117 .db_index = SAM_DATABASE_BUILTIN,
1118 .delta_type = NETR_DELTA_USER,
1121 .expected_error = NT_STATUS_OK,
1122 .expected_num_results = 1,
1123 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1124 .comment = "NETR_DELTA_USER"
1129 .db_index = SAM_DATABASE_BUILTIN,
1130 .delta_type = NETR_DELTA_ALIAS,
1133 .expected_error = NT_STATUS_OK,
1134 .expected_num_results = 2,
1135 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1136 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1137 .comment = "NETR_DELTA_ALIAS by rid 544"
1142 .db_index = SAM_DATABASE_BUILTIN,
1143 .delta_type = NETR_DELTA_ALIAS_MEMBER,
1146 .expected_error = NT_STATUS_OK,
1147 .expected_num_results = 2,
1148 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1149 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1150 .comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1155 .db_index = SAM_DATABASE_BUILTIN,
1159 .expected_error = NT_STATUS_OK,
1160 .expected_num_results = 1,
1161 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1162 .comment = "NULL DELTA by rid 544"
1166 .flags = NETR_CHANGELOG_SID_INCLUDED,
1167 .db_index = SAM_DATABASE_BUILTIN,
1169 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1171 .expected_error = NT_STATUS_OK,
1172 .expected_num_results = 1,
1173 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1174 .comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1178 .flags = NETR_CHANGELOG_SID_INCLUDED,
1179 .db_index = SAM_DATABASE_BUILTIN,
1180 .delta_type = NETR_DELTA_ALIAS,
1181 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1183 .expected_error = NT_STATUS_OK,
1184 .expected_num_results = 2,
1185 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1186 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1187 .comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1191 .flags = NETR_CHANGELOG_SID_INCLUDED,
1192 .db_index = SAM_DATABASE_BUILTIN,
1193 .delta_type = NETR_DELTA_ALIAS,
1194 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1196 .expected_error = NT_STATUS_OK,
1197 .expected_num_results = 1,
1198 .expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
1199 .comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1202 /* SAM_DATABASE_PRIVS */
1207 .db_index = SAM_DATABASE_PRIVS,
1211 .expected_error = NT_STATUS_ACCESS_DENIED,
1212 .expected_num_results = 0,
1213 .comment = "NULL DELTA"
1218 .db_index = SAM_DATABASE_PRIVS,
1219 .delta_type = NETR_DELTA_MODIFY_COUNT,
1222 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1223 .expected_num_results = 0,
1224 .comment = "NETR_DELTA_MODIFY_COUNT"
1229 .db_index = SAM_DATABASE_PRIVS,
1230 .delta_type = NETR_DELTA_POLICY,
1233 .expected_error = NT_STATUS_OK,
1234 .expected_num_results = 1,
1235 .expected_delta_type_1 = NETR_DELTA_POLICY,
1236 .comment = "NETR_DELTA_POLICY"
1240 .flags = NETR_CHANGELOG_SID_INCLUDED,
1241 .db_index = SAM_DATABASE_PRIVS,
1242 .delta_type = NETR_DELTA_POLICY,
1245 .expected_error = NT_STATUS_OK,
1246 .expected_num_results = 1,
1247 .expected_delta_type_1 = NETR_DELTA_POLICY,
1248 .comment = "NETR_DELTA_POLICY by null sid and flags"
1252 .flags = NETR_CHANGELOG_SID_INCLUDED,
1253 .db_index = SAM_DATABASE_PRIVS,
1254 .delta_type = NETR_DELTA_POLICY,
1255 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1257 .expected_error = NT_STATUS_OK,
1258 .expected_num_results = 1,
1259 .expected_delta_type_1 = NETR_DELTA_POLICY,
1260 .comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1263 .rid = DOMAIN_RID_ADMINISTRATOR,
1265 .db_index = SAM_DATABASE_PRIVS,
1266 .delta_type = NETR_DELTA_ACCOUNT,
1269 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1270 .expected_num_results = 0,
1271 .comment = "NETR_DELTA_ACCOUNT by rid 500"
1275 .flags = NETR_CHANGELOG_SID_INCLUDED,
1276 .db_index = SAM_DATABASE_PRIVS,
1277 .delta_type = NETR_DELTA_ACCOUNT,
1278 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1280 .expected_error = NT_STATUS_OK,
1281 .expected_num_results = 1,
1282 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1283 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1287 .flags = NETR_CHANGELOG_SID_INCLUDED |
1288 NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1289 .db_index = SAM_DATABASE_PRIVS,
1290 .delta_type = NETR_DELTA_ACCOUNT,
1291 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1293 .expected_error = NT_STATUS_OK,
1294 .expected_num_results = 1,
1295 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1296 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1300 .flags = NETR_CHANGELOG_SID_INCLUDED |
1301 NETR_CHANGELOG_NAME_INCLUDED,
1302 .db_index = SAM_DATABASE_PRIVS,
1303 .delta_type = NETR_DELTA_ACCOUNT,
1304 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1306 .expected_error = NT_STATUS_INVALID_PARAMETER,
1307 .expected_num_results = 0,
1308 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1311 .rid = DOMAIN_RID_ADMINISTRATOR,
1312 .flags = NETR_CHANGELOG_SID_INCLUDED,
1313 .db_index = SAM_DATABASE_PRIVS,
1314 .delta_type = NETR_DELTA_ACCOUNT,
1317 .expected_error = NT_STATUS_OK,
1318 .expected_num_results = 1,
1319 .expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
1320 .comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1324 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1325 .db_index = SAM_DATABASE_PRIVS,
1326 .delta_type = NETR_DELTA_SECRET,
1328 .name = "IsurelydontexistIhope",
1329 .expected_error = NT_STATUS_OK,
1330 .expected_num_results = 1,
1331 .expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
1332 .comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1336 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1337 .db_index = SAM_DATABASE_PRIVS,
1338 .delta_type = NETR_DELTA_SECRET,
1340 .name = "G$BCKUPKEY_P",
1341 .expected_error = NT_STATUS_OK,
1342 .expected_num_results = 1,
1343 .expected_delta_type_1 = NETR_DELTA_SECRET,
1344 .comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1348 ZERO_STRUCT(return_authenticator);
1350 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1351 r.in.computername = TEST_MACHINE_NAME;
1352 r.in.return_authenticator = &return_authenticator;
1353 r.out.return_authenticator = &return_authenticator;
1354 r.out.delta_enum_array = &delta_enum_array;
1356 for (d=0; d<3; d++) {
1358 const char *database;
1365 database = "BUILTIN";
1374 torture_comment(tctx, "Testing DatabaseRedo\n");
1376 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1380 for (i=0;i<ARRAY_SIZE(changes);i++) {
1382 if (d != changes[i].db_index) {
1386 netlogon_creds_client_authenticator(creds, &credential);
1388 r.in.credential = &credential;
1390 e.serial_number1 = 0;
1391 e.serial_number2 = 0;
1392 e.object_rid = changes[i].rid;
1393 e.flags = changes[i].flags;
1394 e.db_index = changes[i].db_index;
1395 e.delta_type = changes[i].delta_type;
1397 switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1398 case NETR_CHANGELOG_SID_INCLUDED:
1399 e.object.object_sid = changes[i].sid;
1401 case NETR_CHANGELOG_NAME_INCLUDED:
1402 e.object.object_name = changes[i].name;
1408 r.in.change_log_entry = e;
1410 torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1411 database, changes[i].comment);
1413 status = dcerpc_netr_DatabaseRedo(p, tctx, &r);
1414 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1418 torture_assert_ntstatus_equal(tctx, status, changes[i].expected_error, changes[i].comment);
1419 if (delta_enum_array) {
1420 torture_assert_int_equal(tctx,
1421 delta_enum_array->num_deltas,
1422 changes[i].expected_num_results,
1423 changes[i].comment);
1424 if (delta_enum_array->num_deltas > 0) {
1425 torture_assert_int_equal(tctx,
1426 delta_enum_array->delta_enum[0].delta_type,
1427 changes[i].expected_delta_type_1,
1428 changes[i].comment);
1430 if (delta_enum_array->num_deltas > 1) {
1431 torture_assert_int_equal(tctx,
1432 delta_enum_array->delta_enum[1].delta_type,
1433 changes[i].expected_delta_type_2,
1434 changes[i].comment);
1438 if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
1439 torture_comment(tctx, "Credential chaining failed\n");
1440 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1452 try a netlogon AccountDeltas
1454 static bool test_AccountDeltas(struct torture_context *tctx,
1455 struct dcerpc_pipe *p,
1456 struct cli_credentials *machine_credentials)
1459 struct netr_AccountDeltas r;
1460 struct netlogon_creds_CredentialState *creds;
1462 struct netr_AccountBuffer buffer;
1463 uint32_t count_returned = 0;
1464 uint32_t total_entries = 0;
1465 struct netr_UAS_INFO_0 recordid;
1466 struct netr_Authenticator return_authenticator;
1468 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1472 ZERO_STRUCT(return_authenticator);
1474 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1475 r.in.computername = TEST_MACHINE_NAME;
1476 r.in.return_authenticator = &return_authenticator;
1477 netlogon_creds_client_authenticator(creds, &r.in.credential);
1478 ZERO_STRUCT(r.in.uas);
1481 r.in.buffersize=100;
1482 r.out.buffer = &buffer;
1483 r.out.count_returned = &count_returned;
1484 r.out.total_entries = &total_entries;
1485 r.out.recordid = &recordid;
1486 r.out.return_authenticator = &return_authenticator;
1488 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1489 status = dcerpc_netr_AccountDeltas(p, tctx, &r);
1490 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1496 try a netlogon AccountSync
1498 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
1499 struct cli_credentials *machine_credentials)
1502 struct netr_AccountSync r;
1503 struct netlogon_creds_CredentialState *creds;
1505 struct netr_AccountBuffer buffer;
1506 uint32_t count_returned = 0;
1507 uint32_t total_entries = 0;
1508 uint32_t next_reference = 0;
1509 struct netr_UAS_INFO_0 recordid;
1510 struct netr_Authenticator return_authenticator;
1512 ZERO_STRUCT(recordid);
1513 ZERO_STRUCT(return_authenticator);
1515 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1519 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1520 r.in.computername = TEST_MACHINE_NAME;
1521 r.in.return_authenticator = &return_authenticator;
1522 netlogon_creds_client_authenticator(creds, &r.in.credential);
1523 r.in.recordid = &recordid;
1526 r.in.buffersize=100;
1527 r.out.buffer = &buffer;
1528 r.out.count_returned = &count_returned;
1529 r.out.total_entries = &total_entries;
1530 r.out.next_reference = &next_reference;
1531 r.out.recordid = &recordid;
1532 r.out.return_authenticator = &return_authenticator;
1534 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1535 status = dcerpc_netr_AccountSync(p, tctx, &r);
1536 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1542 try a netlogon GetDcName
1544 static bool test_GetDcName(struct torture_context *tctx,
1545 struct dcerpc_pipe *p)
1548 struct netr_GetDcName r;
1549 const char *dcname = NULL;
1551 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1552 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1553 r.out.dcname = &dcname;
1555 status = dcerpc_netr_GetDcName(p, tctx, &r);
1556 torture_assert_ntstatus_ok(tctx, status, "GetDcName");
1557 torture_assert_werr_ok(tctx, r.out.result, "GetDcName");
1559 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1564 static const char *function_code_str(TALLOC_CTX *mem_ctx,
1565 enum netr_LogonControlCode function_code)
1567 switch (function_code) {
1568 case NETLOGON_CONTROL_QUERY:
1569 return "NETLOGON_CONTROL_QUERY";
1570 case NETLOGON_CONTROL_REPLICATE:
1571 return "NETLOGON_CONTROL_REPLICATE";
1572 case NETLOGON_CONTROL_SYNCHRONIZE:
1573 return "NETLOGON_CONTROL_SYNCHRONIZE";
1574 case NETLOGON_CONTROL_PDC_REPLICATE:
1575 return "NETLOGON_CONTROL_PDC_REPLICATE";
1576 case NETLOGON_CONTROL_REDISCOVER:
1577 return "NETLOGON_CONTROL_REDISCOVER";
1578 case NETLOGON_CONTROL_TC_QUERY:
1579 return "NETLOGON_CONTROL_TC_QUERY";
1580 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
1581 return "NETLOGON_CONTROL_TRANSPORT_NOTIFY";
1582 case NETLOGON_CONTROL_FIND_USER:
1583 return "NETLOGON_CONTROL_FIND_USER";
1584 case NETLOGON_CONTROL_CHANGE_PASSWORD:
1585 return "NETLOGON_CONTROL_CHANGE_PASSWORD";
1586 case NETLOGON_CONTROL_TC_VERIFY:
1587 return "NETLOGON_CONTROL_TC_VERIFY";
1588 case NETLOGON_CONTROL_FORCE_DNS_REG:
1589 return "NETLOGON_CONTROL_FORCE_DNS_REG";
1590 case NETLOGON_CONTROL_QUERY_DNS_REG:
1591 return "NETLOGON_CONTROL_QUERY_DNS_REG";
1592 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
1593 return "NETLOGON_CONTROL_BACKUP_CHANGE_LOG";
1594 case NETLOGON_CONTROL_TRUNCATE_LOG:
1595 return "NETLOGON_CONTROL_TRUNCATE_LOG";
1596 case NETLOGON_CONTROL_SET_DBFLAG:
1597 return "NETLOGON_CONTROL_SET_DBFLAG";
1598 case NETLOGON_CONTROL_BREAKPOINT:
1599 return "NETLOGON_CONTROL_BREAKPOINT";
1601 return talloc_asprintf(mem_ctx, "unknown function code: %d",
1608 try a netlogon LogonControl
1610 static bool test_LogonControl(struct torture_context *tctx,
1611 struct dcerpc_pipe *p,
1612 struct cli_credentials *machine_credentials)
1616 struct netr_LogonControl r;
1617 union netr_CONTROL_QUERY_INFORMATION query;
1619 enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
1621 uint32_t function_codes[] = {
1622 NETLOGON_CONTROL_QUERY,
1623 NETLOGON_CONTROL_REPLICATE,
1624 NETLOGON_CONTROL_SYNCHRONIZE,
1625 NETLOGON_CONTROL_PDC_REPLICATE,
1626 NETLOGON_CONTROL_REDISCOVER,
1627 NETLOGON_CONTROL_TC_QUERY,
1628 NETLOGON_CONTROL_TRANSPORT_NOTIFY,
1629 NETLOGON_CONTROL_FIND_USER,
1630 NETLOGON_CONTROL_CHANGE_PASSWORD,
1631 NETLOGON_CONTROL_TC_VERIFY,
1632 NETLOGON_CONTROL_FORCE_DNS_REG,
1633 NETLOGON_CONTROL_QUERY_DNS_REG,
1634 NETLOGON_CONTROL_BACKUP_CHANGE_LOG,
1635 NETLOGON_CONTROL_TRUNCATE_LOG,
1636 NETLOGON_CONTROL_SET_DBFLAG,
1637 NETLOGON_CONTROL_BREAKPOINT
1640 if (machine_credentials) {
1641 secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
1644 torture_comment(tctx, "testing LogonControl with secure channel type: %d\n",
1645 secure_channel_type);
1647 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1648 r.in.function_code = 1;
1649 r.out.query = &query;
1651 for (f=0;f<ARRAY_SIZE(function_codes); f++) {
1654 r.in.function_code = function_codes[f];
1657 torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
1658 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
1660 status = dcerpc_netr_LogonControl(p, tctx, &r);
1661 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1663 switch (r.in.level) {
1665 switch (r.in.function_code) {
1666 case NETLOGON_CONTROL_REPLICATE:
1667 case NETLOGON_CONTROL_SYNCHRONIZE:
1668 case NETLOGON_CONTROL_PDC_REPLICATE:
1669 case NETLOGON_CONTROL_BREAKPOINT:
1670 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
1671 if ((secure_channel_type == SEC_CHAN_BDC) ||
1672 (secure_channel_type == SEC_CHAN_WKSTA)) {
1673 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
1674 "LogonControl returned unexpected error code");
1676 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1677 "LogonControl returned unexpected error code");
1681 case NETLOGON_CONTROL_REDISCOVER:
1682 case NETLOGON_CONTROL_TC_QUERY:
1683 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
1684 case NETLOGON_CONTROL_FIND_USER:
1685 case NETLOGON_CONTROL_CHANGE_PASSWORD:
1686 case NETLOGON_CONTROL_TC_VERIFY:
1687 case NETLOGON_CONTROL_FORCE_DNS_REG:
1688 case NETLOGON_CONTROL_QUERY_DNS_REG:
1689 case NETLOGON_CONTROL_SET_DBFLAG:
1690 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1691 "LogonControl returned unexpected error code");
1693 case NETLOGON_CONTROL_TRUNCATE_LOG:
1694 if ((secure_channel_type == SEC_CHAN_BDC) ||
1695 (secure_channel_type == SEC_CHAN_WKSTA)) {
1696 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
1697 "LogonControl returned unexpected error code");
1699 torture_assert_werr_ok(tctx, r.out.result,
1700 "LogonControl returned unexpected result");
1704 torture_assert_werr_ok(tctx, r.out.result,
1705 "LogonControl returned unexpected result");
1710 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1711 "LogonControl returned unexpected error code");
1714 torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_LEVEL,
1715 "LogonControl returned unexpected error code");
1726 try a netlogon GetAnyDCName
1728 static bool test_GetAnyDCName(struct torture_context *tctx,
1729 struct dcerpc_pipe *p)
1732 struct netr_GetAnyDCName r;
1733 const char *dcname = NULL;
1735 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1736 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1737 r.out.dcname = &dcname;
1739 status = dcerpc_netr_GetAnyDCName(p, tctx, &r);
1740 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1741 torture_assert_werr_ok(tctx, r.out.result, "GetAnyDCName");
1744 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1752 try a netlogon LogonControl2
1754 static bool test_LogonControl2(struct torture_context *tctx,
1755 struct dcerpc_pipe *p,
1756 struct cli_credentials *machine_credentials)
1760 struct netr_LogonControl2 r;
1761 union netr_CONTROL_DATA_INFORMATION data;
1762 union netr_CONTROL_QUERY_INFORMATION query;
1765 data.domain = lp_workgroup(tctx->lp_ctx);
1767 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1769 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1771 r.out.query = &query;
1776 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1777 i, r.in.function_code);
1779 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1780 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1783 data.domain = lp_workgroup(tctx->lp_ctx);
1785 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1791 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1792 i, r.in.function_code);
1794 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1795 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1798 data.domain = lp_workgroup(tctx->lp_ctx);
1800 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1806 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1807 i, r.in.function_code);
1809 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1810 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1813 data.debug_level = ~0;
1815 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1821 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1822 i, r.in.function_code);
1824 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1825 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1832 try a netlogon DatabaseSync2
1834 static bool test_DatabaseSync2(struct torture_context *tctx,
1835 struct dcerpc_pipe *p,
1836 struct cli_credentials *machine_credentials)
1839 struct netr_DatabaseSync2 r;
1840 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1841 struct netr_Authenticator return_authenticator, credential;
1843 struct netlogon_creds_CredentialState *creds;
1844 const uint32_t database_ids[] = {0, 1, 2};
1847 if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
1848 machine_credentials,
1849 cli_credentials_get_secure_channel_type(machine_credentials),
1854 ZERO_STRUCT(return_authenticator);
1856 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1857 r.in.computername = TEST_MACHINE_NAME;
1858 r.in.preferredmaximumlength = (uint32_t)-1;
1859 r.in.return_authenticator = &return_authenticator;
1860 r.out.return_authenticator = &return_authenticator;
1861 r.out.delta_enum_array = &delta_enum_array;
1863 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1865 uint32_t sync_context = 0;
1867 r.in.database_id = database_ids[i];
1868 r.in.sync_context = &sync_context;
1869 r.out.sync_context = &sync_context;
1870 r.in.restart_state = 0;
1872 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
1875 netlogon_creds_client_authenticator(creds, &credential);
1877 r.in.credential = &credential;
1879 status = dcerpc_netr_DatabaseSync2(p, tctx, &r);
1880 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
1883 /* Native mode servers don't do this */
1884 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1888 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2");
1890 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
1891 torture_comment(tctx, "Credential chaining failed\n");
1894 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1902 try a netlogon LogonControl2Ex
1904 static bool test_LogonControl2Ex(struct torture_context *tctx,
1905 struct dcerpc_pipe *p,
1906 struct cli_credentials *machine_credentials)
1910 struct netr_LogonControl2Ex r;
1911 union netr_CONTROL_DATA_INFORMATION data;
1912 union netr_CONTROL_QUERY_INFORMATION query;
1915 data.domain = lp_workgroup(tctx->lp_ctx);
1917 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1919 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1921 r.out.query = &query;
1926 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1927 i, r.in.function_code);
1929 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1930 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1933 data.domain = lp_workgroup(tctx->lp_ctx);
1935 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1941 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1942 i, r.in.function_code);
1944 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1945 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1948 data.domain = lp_workgroup(tctx->lp_ctx);
1950 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1956 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1957 i, r.in.function_code);
1959 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1960 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1963 data.debug_level = ~0;
1965 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1971 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1972 i, r.in.function_code);
1974 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1975 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1981 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
1982 struct dcerpc_pipe *p, const char *trusted_domain_name)
1985 struct netr_DsRGetForestTrustInformation r;
1986 struct lsa_ForestTrustInformation info, *info_ptr;
1990 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1991 r.in.trusted_domain_name = trusted_domain_name;
1993 r.out.forest_trust_info = &info_ptr;
1995 torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
1997 status = dcerpc_netr_DsRGetForestTrustInformation(p, tctx, &r);
1998 torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
1999 torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
2005 try a netlogon netr_DsrEnumerateDomainTrusts
2007 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
2008 struct dcerpc_pipe *p)
2011 struct netr_DsrEnumerateDomainTrusts r;
2012 struct netr_DomainTrustList trusts;
2015 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2016 r.in.trust_flags = 0x3f;
2017 r.out.trusts = &trusts;
2019 status = dcerpc_netr_DsrEnumerateDomainTrusts(p, tctx, &r);
2020 torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
2021 torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
2023 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
2024 * will show non-forest trusts and all UPN suffixes of the own forest
2025 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
2027 if (r.out.trusts->count) {
2028 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
2033 for (i=0; i<r.out.trusts->count; i++) {
2035 /* get info for transitive forest trusts */
2037 if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
2038 if (!test_netr_DsRGetForestTrustInformation(tctx, p,
2039 r.out.trusts->array[i].dns_name)) {
2048 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
2049 struct dcerpc_pipe *p)
2052 struct netr_NetrEnumerateTrustedDomains r;
2053 struct netr_Blob trusted_domains_blob;
2055 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2056 r.out.trusted_domains_blob = &trusted_domains_blob;
2058 status = dcerpc_netr_NetrEnumerateTrustedDomains(p, tctx, &r);
2059 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
2060 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
2065 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
2066 struct dcerpc_pipe *p)
2069 struct netr_NetrEnumerateTrustedDomainsEx r;
2070 struct netr_DomainTrustList dom_trust_list;
2072 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2073 r.out.dom_trust_list = &dom_trust_list;
2075 status = dcerpc_netr_NetrEnumerateTrustedDomainsEx(p, tctx, &r);
2076 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
2077 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
2083 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
2084 const char *computer_name,
2085 const char *expected_site)
2088 struct netr_DsRGetSiteName r;
2089 const char *site = NULL;
2091 if (torture_setting_bool(tctx, "samba4", false))
2092 torture_skip(tctx, "skipping DsRGetSiteName test against Samba4");
2094 r.in.computer_name = computer_name;
2096 torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
2098 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
2099 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2100 torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
2101 torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
2103 r.in.computer_name = talloc_asprintf(tctx, "\\\\%s", computer_name);
2104 torture_comment(tctx,
2105 "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
2107 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
2108 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2109 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
2115 try a netlogon netr_DsRGetDCName
2117 static bool test_netr_DsRGetDCName(struct torture_context *tctx,
2118 struct dcerpc_pipe *p)
2121 struct netr_DsRGetDCName r;
2122 struct netr_DsRGetDCNameInfo *info = NULL;
2124 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2125 r.in.domain_name = lp_dnsdomain(tctx->lp_ctx);
2126 r.in.domain_guid = NULL;
2127 r.in.site_guid = NULL;
2128 r.in.flags = DS_RETURN_DNS_NAME;
2131 status = dcerpc_netr_DsRGetDCName(p, tctx, &r);
2132 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
2133 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
2134 return test_netr_DsRGetSiteName(p, tctx,
2136 info->dc_site_name);
2140 try a netlogon netr_DsRGetDCNameEx
2142 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
2143 struct dcerpc_pipe *p)
2146 struct netr_DsRGetDCNameEx r;
2147 struct netr_DsRGetDCNameInfo *info = NULL;
2149 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2150 r.in.domain_name = lp_dnsdomain(tctx->lp_ctx);
2151 r.in.domain_guid = NULL;
2152 r.in.site_name = NULL;
2153 r.in.flags = DS_RETURN_DNS_NAME;
2156 status = dcerpc_netr_DsRGetDCNameEx(p, tctx, &r);
2157 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
2158 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
2160 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2161 info->dc_site_name);
2165 try a netlogon netr_DsRGetDCNameEx2
2167 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
2168 struct dcerpc_pipe *p)
2171 struct netr_DsRGetDCNameEx2 r;
2172 struct netr_DsRGetDCNameInfo *info = NULL;
2174 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2175 r.in.client_account = NULL;
2176 r.in.mask = 0x00000000;
2177 r.in.domain_name = lp_dnsdomain(tctx->lp_ctx);
2178 r.in.domain_guid = NULL;
2179 r.in.site_name = NULL;
2180 r.in.flags = DS_RETURN_DNS_NAME;
2183 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
2185 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
2186 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2187 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2189 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client acount\n");
2190 r.in.client_account = TEST_MACHINE_NAME"$";
2191 r.in.mask = ACB_SVRTRUST;
2192 r.in.flags = DS_RETURN_FLAT_NAME;
2195 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
2196 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2197 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2198 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2199 info->dc_site_name);
2202 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
2203 struct dcerpc_pipe *p)
2206 struct netr_DsrGetDcSiteCoverageW r;
2207 struct DcSitesCtr *ctr = NULL;
2209 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2212 status = dcerpc_netr_DsrGetDcSiteCoverageW(p, tctx, &r);
2213 torture_assert_ntstatus_ok(tctx, status, "failed");
2214 torture_assert_werr_ok(tctx, r.out.result, "failed");
2219 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
2220 struct dcerpc_pipe *p)
2223 struct netr_DsRAddressToSitenamesW r;
2224 struct netr_DsRAddress addr;
2225 struct netr_DsRAddressToSitenamesWCtr *ctr;
2227 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2230 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2232 addr.buffer[0] = 2; /* AF_INET */
2233 addr.buffer[4] = 127;
2238 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2240 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2241 r.in.addresses[0] = addr;
2244 status = dcerpc_netr_DsRAddressToSitenamesW(p, tctx, &r);
2245 torture_assert_ntstatus_ok(tctx, status, "failed");
2246 torture_assert_werr_ok(tctx, r.out.result, "failed");
2251 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2252 struct dcerpc_pipe *p)
2255 struct netr_DsRAddressToSitenamesExW r;
2256 struct netr_DsRAddress addr;
2257 struct netr_DsRAddressToSitenamesExWCtr *ctr;
2259 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2262 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2264 addr.buffer[0] = 2; /* AF_INET */
2265 addr.buffer[4] = 127;
2270 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2272 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2273 r.in.addresses[0] = addr;
2276 status = dcerpc_netr_DsRAddressToSitenamesExW(p, tctx, &r);
2277 torture_assert_ntstatus_ok(tctx, status, "failed");
2278 torture_assert_werr_ok(tctx, r.out.result, "failed");
2283 static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
2284 struct dcerpc_pipe *p,
2285 struct cli_credentials *machine_credentials)
2288 struct netr_ServerGetTrustInfo r;
2290 struct netr_Authenticator a;
2291 struct netr_Authenticator return_authenticator;
2292 struct samr_Password new_owf_password;
2293 struct samr_Password old_owf_password;
2294 struct netr_TrustInfo *trust_info;
2296 struct netlogon_creds_CredentialState *creds;
2298 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2299 machine_credentials, &creds)) {
2303 netlogon_creds_client_authenticator(creds, &a);
2305 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2306 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
2307 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
2308 r.in.computer_name = TEST_MACHINE_NAME;
2309 r.in.credential = &a;
2311 r.out.return_authenticator = &return_authenticator;
2312 r.out.new_owf_password = &new_owf_password;
2313 r.out.old_owf_password = &old_owf_password;
2314 r.out.trust_info = &trust_info;
2316 status = dcerpc_netr_ServerGetTrustInfo(p, tctx, &r);
2317 torture_assert_ntstatus_ok(tctx, status, "failed");
2318 torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
2324 static bool test_GetDomainInfo(struct torture_context *tctx,
2325 struct dcerpc_pipe *p,
2326 struct cli_credentials *machine_credentials)
2329 struct netr_LogonGetDomainInfo r;
2330 struct netr_WorkstationInformation q1;
2331 struct netr_Authenticator a;
2332 struct netlogon_creds_CredentialState *creds;
2333 struct netr_OsVersion os;
2334 union netr_WorkstationInfo query;
2335 union netr_DomainInfo info;
2336 const char* const attrs[] = { "dNSHostName", "operatingSystem",
2337 "operatingSystemServicePack", "operatingSystemVersion",
2338 "servicePrincipalName", NULL };
2340 struct ldb_context *sam_ctx = NULL;
2341 struct ldb_message **res;
2342 struct ldb_message_element *spn_el;
2345 const char *old_dnsname = NULL;
2350 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
2352 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2353 machine_credentials, &creds)) {
2357 /* We won't double-check this when we are over 'local' transports */
2358 if (dcerpc_server_name(p)) {
2359 /* Set up connection to SAMDB on DC */
2360 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2361 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2363 cmdline_credentials,
2366 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2369 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 1st call (no variation of DNS hostname)\n");
2370 netlogon_creds_client_authenticator(creds, &a);
2373 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2374 r.in.computer_name = TEST_MACHINE_NAME;
2375 r.in.credential = &a;
2377 r.in.return_authenticator = &a;
2378 r.in.query = &query;
2379 r.out.return_authenticator = &a;
2383 os.os.MajorVersion = 123;
2384 os.os.MinorVersion = 456;
2385 os.os.BuildNumber = 789;
2386 os.os.CSDVersion = "Service Pack 10";
2387 os.os.ServicePackMajor = 10;
2388 os.os.ServicePackMinor = 1;
2389 os.os.SuiteMask = NETR_VER_SUITE_SINGLEUSERTS;
2390 os.os.ProductType = NETR_VER_NT_SERVER;
2393 version_str = talloc_asprintf(tctx, "%d.%d (%d)", os.os.MajorVersion,
2394 os.os.MinorVersion, os.os.BuildNumber);
2397 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
2398 TEST_MACHINE_DNS_SUFFIX);
2399 q1.sitename = "Default-First-Site-Name";
2400 q1.os_version.os = &os;
2401 q1.os_name.string = talloc_asprintf(tctx,
2402 "Tortured by Samba4 RPC-NETLOGON: %s",
2403 timestring(tctx, time(NULL)));
2405 /* The workstation handles the "servicePrincipalName" and DNS hostname
2407 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
2409 query.workstation_info = &q1;
2412 /* Gets back the old DNS hostname in AD */
2413 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2414 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2416 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL);
2418 /* Gets back the "servicePrincipalName"s in AD */
2419 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2420 if (spn_el != NULL) {
2421 for (i=0; i < spn_el->num_values; i++) {
2422 spns = talloc_realloc(tctx, spns, char *, i + 1);
2423 spns[i] = (char *) spn_el->values[i].data;
2429 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2430 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2431 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2436 /* AD workstation infos entry check */
2437 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2438 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2439 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
2440 torture_assert_str_equal(tctx,
2441 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
2442 q1.os_name.string, "'operatingSystem' wrong!");
2443 torture_assert_str_equal(tctx,
2444 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL),
2445 os.os.CSDVersion, "'operatingSystemServicePack' wrong!");
2446 torture_assert_str_equal(tctx,
2447 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL),
2448 version_str, "'operatingSystemVersion' wrong!");
2450 if (old_dnsname != NULL) {
2451 /* If before a DNS hostname was set then it should remain
2452 the same in combination with the "servicePrincipalName"s.
2453 The DNS hostname should also be returned by our
2454 "LogonGetDomainInfo" call (in the domain info structure). */
2456 torture_assert_str_equal(tctx,
2457 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
2458 old_dnsname, "'DNS hostname' was not set!");
2460 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2461 torture_assert(tctx, ((spns != NULL) && (spn_el != NULL)),
2462 "'servicePrincipalName's not set!");
2463 torture_assert(tctx, spn_el->num_values == num_spns,
2464 "'servicePrincipalName's incorrect!");
2465 for (i=0; (i < spn_el->num_values) && (i < num_spns); i++)
2466 torture_assert_str_equal(tctx,
2467 (char *) spn_el->values[i].data,
2468 spns[i], "'servicePrincipalName's incorrect!");
2470 torture_assert_str_equal(tctx,
2471 info.domain_info->dns_hostname.string,
2473 "Out 'DNS hostname' doesn't match the old one!");
2475 /* If no DNS hostname was set then also now none should be set,
2476 the "servicePrincipalName"s should remain empty and no DNS
2477 hostname should be returned by our "LogonGetDomainInfo"
2478 call (in the domain info structure). */
2480 torture_assert(tctx,
2481 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL) == NULL,
2482 "'DNS hostname' was set!");
2484 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2485 torture_assert(tctx, ((spns == NULL) && (spn_el == NULL)),
2486 "'servicePrincipalName's were set!");
2488 torture_assert(tctx,
2489 info.domain_info->dns_hostname.string == NULL,
2490 "Out 'DNS host name' was set!");
2494 /* Checks "workstation flags" */
2495 torture_assert(tctx,
2496 info.domain_info->workstation_flags
2497 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
2498 "Out 'workstation flags' don't match!");
2501 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call (variation of DNS hostname)\n");
2502 netlogon_creds_client_authenticator(creds, &a);
2504 /* Wipe out the osVersion, and prove which values still 'stick' */
2505 q1.os_version.os = NULL;
2507 /* Change also the DNS hostname to test differences in behaviour */
2508 q1.dns_hostname = talloc_asprintf(tctx, "%s.newdomain",
2511 /* Let the DC handle the "servicePrincipalName" and DNS hostname
2513 q1.workstation_flags = 0;
2515 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2516 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2517 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2522 /* AD workstation infos entry check */
2523 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2524 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2525 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
2526 torture_assert_str_equal(tctx,
2527 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
2528 q1.os_name.string, "'operatingSystem' should stick!");
2529 torture_assert(tctx,
2530 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
2531 "'operatingSystemServicePack' shouldn't stick!");
2532 torture_assert(tctx,
2533 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL) == NULL,
2534 "'operatingSystemVersion' shouldn't stick!");
2536 /* The DNS host name should have been updated now by the server */
2537 torture_assert_str_equal(tctx,
2538 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
2539 q1.dns_hostname, "'DNS host name' didn't change!");
2541 /* Find the two "servicePrincipalName"s which the DC should have been
2542 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
2544 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2545 torture_assert(tctx, spn_el != NULL,
2546 "There should exist 'servicePrincipalName's in AD!");
2547 temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
2548 for (i=0; i < spn_el->num_values; i++)
2549 if (strcmp((char *) spn_el->values[i].data, temp_str) == 0)
2551 torture_assert(tctx, i != spn_el->num_values,
2552 "'servicePrincipalName' HOST/<Netbios name> not found!");
2553 temp_str = talloc_asprintf(tctx, "HOST/%s", q1.dns_hostname);
2554 for (i=0; i < spn_el->num_values; i++)
2555 if (strcmp((char *) spn_el->values[i].data, temp_str) == 0)
2557 torture_assert(tctx, i != spn_el->num_values,
2558 "'servicePrincipalName' HOST/<FQDN name> not found!");
2560 /* Check that the out DNS hostname was set properly */
2561 torture_assert_str_equal(tctx, info.domain_info->dns_hostname.string,
2562 old_dnsname, "Out 'DNS hostname' doesn't match the old one!");
2565 /* Checks "workstation flags" */
2566 torture_assert(tctx,
2567 info.domain_info->workstation_flags == 0,
2568 "Out 'workstation flags' don't match!");
2571 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 3rd call (verification of DNS hostname and check for trusted domains)\n");
2572 netlogon_creds_client_authenticator(creds, &a);
2574 /* The workstation handles the "servicePrincipalName" and DNS hostname
2576 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
2578 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2579 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2580 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2584 /* Now the in/out DNS hostnames should be the same */
2585 torture_assert_str_equal(tctx,
2586 info.domain_info->dns_hostname.string,
2587 query.workstation_info->dns_hostname,
2588 "In/Out 'DNS hostnames' don't match!");
2590 /* Checks "workstation flags" */
2591 torture_assert(tctx,
2592 info.domain_info->workstation_flags
2593 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
2594 "Out 'workstation flags' don't match!");
2596 /* Checks for trusted domains */
2597 torture_assert(tctx,
2598 (info.domain_info->trusted_domain_count != 0)
2599 && (info.domain_info->trusted_domains != NULL),
2600 "Trusted domains have been requested!");
2603 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 4th call (check for trusted domains)\n");
2604 netlogon_creds_client_authenticator(creds, &a);
2606 /* The workstation handles the "servicePrincipalName" and DNS hostname
2607 updates and requests inbound trusts */
2608 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE
2609 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS;
2611 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2612 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2613 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2617 /* Checks "workstation flags" */
2618 torture_assert(tctx,
2619 info.domain_info->workstation_flags
2620 == (NETR_WS_FLAG_HANDLES_SPN_UPDATE
2621 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS),
2622 "Out 'workstation flags' don't match!");
2624 /* Checks for trusted domains */
2625 torture_assert(tctx,
2626 (info.domain_info->trusted_domain_count != 0)
2627 && (info.domain_info->trusted_domains != NULL),
2628 "Trusted domains have been requested!");
2634 static void async_callback(struct rpc_request *req)
2636 int *counter = (int *)req->async.private_data;
2637 if (NT_STATUS_IS_OK(req->status)) {
2642 static bool test_GetDomainInfo_async(struct torture_context *tctx,
2643 struct dcerpc_pipe *p,
2644 struct cli_credentials *machine_credentials)
2647 struct netr_LogonGetDomainInfo r;
2648 struct netr_WorkstationInformation q1;
2649 struct netr_Authenticator a;
2650 #define ASYNC_COUNT 100
2651 struct netlogon_creds_CredentialState *creds;
2652 struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT];
2653 struct rpc_request *req[ASYNC_COUNT];
2655 int *async_counter = talloc(tctx, int);
2656 union netr_WorkstationInfo query;
2657 union netr_DomainInfo info;
2659 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
2661 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2662 machine_credentials, &creds)) {
2667 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2668 r.in.computer_name = TEST_MACHINE_NAME;
2669 r.in.credential = &a;
2671 r.in.return_authenticator = &a;
2672 r.in.query = &query;
2673 r.out.return_authenticator = &a;
2677 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
2678 TEST_MACHINE_DNS_SUFFIX);
2679 q1.sitename = "Default-First-Site-Name";
2680 q1.os_name.string = "UNIX/Linux or similar";
2682 query.workstation_info = &q1;
2686 for (i=0;i<ASYNC_COUNT;i++) {
2687 netlogon_creds_client_authenticator(creds, &a);
2689 creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
2690 req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r);
2692 req[i]->async.callback = async_callback;
2693 req[i]->async.private_data = async_counter;
2695 /* even with this flush per request a w2k3 server seems to
2696 clag with multiple outstanding requests. bleergh. */
2697 torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0,
2698 "event_loop_once failed");
2701 for (i=0;i<ASYNC_COUNT;i++) {
2702 status = dcerpc_ndr_request_recv(req[i]);
2704 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
2705 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
2707 torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred),
2708 "Credential chaining failed at async");
2711 torture_comment(tctx,
2712 "Testing netr_LogonGetDomainInfo - async count %d OK\n", *async_counter);
2714 torture_assert_int_equal(tctx, (*async_counter), ASYNC_COUNT, "int");
2719 static bool test_ManyGetDCName(struct torture_context *tctx,
2720 struct dcerpc_pipe *p)
2723 struct dcerpc_pipe *p2;
2724 struct lsa_ObjectAttribute attr;
2725 struct lsa_QosInfo qos;
2726 struct lsa_OpenPolicy2 o;
2727 struct policy_handle lsa_handle;
2728 struct lsa_DomainList domains;
2730 struct lsa_EnumTrustDom t;
2731 uint32_t resume_handle = 0;
2732 struct netr_GetAnyDCName d;
2733 const char *dcname = NULL;
2737 if (p->conn->transport.transport != NCACN_NP) {
2741 torture_comment(tctx, "Torturing GetDCName\n");
2743 status = dcerpc_secondary_connection(p, &p2, p->binding);
2744 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
2746 status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
2747 torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
2750 qos.impersonation_level = 2;
2751 qos.context_mode = 1;
2752 qos.effective_only = 0;
2755 attr.root_dir = NULL;
2756 attr.object_name = NULL;
2757 attr.attributes = 0;
2758 attr.sec_desc = NULL;
2759 attr.sec_qos = &qos;
2761 o.in.system_name = "\\";
2763 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2764 o.out.handle = &lsa_handle;
2766 status = dcerpc_lsa_OpenPolicy2(p2, tctx, &o);
2767 torture_assert_ntstatus_ok(tctx, status, "OpenPolicy2 failed");
2769 t.in.handle = &lsa_handle;
2770 t.in.resume_handle = &resume_handle;
2771 t.in.max_size = 1000;
2772 t.out.domains = &domains;
2773 t.out.resume_handle = &resume_handle;
2775 status = dcerpc_lsa_EnumTrustDom(p2, tctx, &t);
2777 if ((!NT_STATUS_IS_OK(status) &&
2778 (!NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES))))
2779 torture_fail(tctx, "Could not list domains");
2783 d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
2784 dcerpc_server_name(p));
2785 d.out.dcname = &dcname;
2787 for (i=0; i<domains.count * 4; i++) {
2788 struct lsa_DomainInfo *info =
2789 &domains.domains[rand()%domains.count];
2791 d.in.domainname = info->name.string;
2793 status = dcerpc_netr_GetAnyDCName(p, tctx, &d);
2794 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2796 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
2797 dcname ? dcname : "unknown");
2803 static bool test_SetPassword_with_flags(struct torture_context *tctx,
2804 struct dcerpc_pipe *p,
2805 struct cli_credentials *machine_credentials)
2807 uint32_t flags[] = { 0, NETLOGON_NEG_STRONG_KEYS };
2808 struct netlogon_creds_CredentialState *creds;
2811 if (!test_SetupCredentials2(p, tctx, 0,
2812 machine_credentials,
2813 cli_credentials_get_secure_channel_type(machine_credentials),
2815 torture_skip(tctx, "DC does not support negotiation of 64bit session keys");
2818 for (i=0; i < ARRAY_SIZE(flags); i++) {
2819 torture_assert(tctx,
2820 test_SetPassword_flags(tctx, p, machine_credentials, flags[i]),
2821 talloc_asprintf(tctx, "failed to test SetPassword negotiating with 0x%08x flags", flags[i]));
2827 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
2829 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
2830 struct torture_rpc_tcase *tcase;
2831 struct torture_test *test;
2833 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
2834 &ndr_table_netlogon, TEST_MACHINE_NAME);
2836 torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
2837 torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
2838 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
2839 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
2840 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
2841 torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
2842 torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
2843 torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
2844 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
2845 torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
2846 torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
2847 torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
2848 torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
2849 torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
2850 torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
2851 torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
2852 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
2853 torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
2854 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
2855 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
2856 test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
2857 test->dangerous = true;
2858 torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
2859 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
2860 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
2861 torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
2862 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
2863 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
2864 torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);
2869 struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx)
2871 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON-S3");
2872 struct torture_rpc_tcase *tcase;
2874 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
2875 &ndr_table_netlogon, TEST_MACHINE_NAME);
2877 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
2878 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
2879 torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags);
2880 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
2881 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
2886 struct torture_suite *torture_rpc_netlogon_admin(TALLOC_CTX *mem_ctx)
2888 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON-ADMIN");
2889 struct torture_rpc_tcase *tcase;
2891 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
2892 &ndr_table_netlogon, TEST_MACHINE_NAME);
2893 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
2894 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
2895 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2897 tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon",
2898 &ndr_table_netlogon, TEST_MACHINE_NAME);
2899 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
2900 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
2901 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2903 tcase = torture_suite_add_rpc_iface_tcase(suite, "netlogon",
2904 &ndr_table_netlogon);
2905 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
2906 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
2907 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);