2 Unix SMB/CIFS implementation.
4 test suite for schannel operations
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "librpc/gen_ndr/ndr_netlogon_c.h"
24 #include "librpc/gen_ndr/ndr_lsa_c.h"
25 #include "librpc/gen_ndr/ndr_samr_c.h"
26 #include "auth/credentials/credentials.h"
27 #include "torture/rpc/rpc.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "../libcli/auth/schannel.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "libcli/security/security.h"
32 #include "system/filesys.h"
33 #include "param/param.h"
34 #include "librpc/rpc/dcerpc_proto.h"
35 #include "auth/gensec/gensec.h"
36 #include "libcli/composite/composite.h"
37 #include "lib/events/events.h"
39 #define TEST_MACHINE_NAME "schannel"
42 try a netlogon SamLogon
44 bool test_netlogon_ex_ops(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
45 struct cli_credentials
*credentials
,
46 struct netlogon_creds_CredentialState
*creds
)
49 struct netr_LogonSamLogonEx r
;
50 struct netr_NetworkInfo ninfo
;
51 union netr_LogonLevel logon
;
52 union netr_Validation validation
;
53 uint8_t authoritative
= 0;
55 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
57 int flags
= CLI_CRED_NTLM_AUTH
;
58 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
60 if (lp_client_lanman_auth(tctx
->lp_ctx
)) {
61 flags
|= CLI_CRED_LANMAN_AUTH
;
64 if (lp_client_ntlmv2_auth(tctx
->lp_ctx
)) {
65 flags
|= CLI_CRED_NTLMv2_AUTH
;
68 cli_credentials_get_ntlm_username_domain(cmdline_credentials
, tctx
,
69 &ninfo
.identity_info
.account_name
.string
,
70 &ninfo
.identity_info
.domain_name
.string
);
72 generate_random_buffer(ninfo
.challenge
,
73 sizeof(ninfo
.challenge
));
74 chal
= data_blob_const(ninfo
.challenge
,
75 sizeof(ninfo
.challenge
));
77 names_blob
= NTLMv2_generate_names_blob(tctx
, cli_credentials_get_workstation(credentials
),
78 cli_credentials_get_domain(credentials
));
80 status
= cli_credentials_get_ntlm_response(cmdline_credentials
, tctx
,
86 torture_assert_ntstatus_ok(tctx
, status
,
87 "cli_credentials_get_ntlm_response failed");
89 ninfo
.lm
.data
= lm_resp
.data
;
90 ninfo
.lm
.length
= lm_resp
.length
;
92 ninfo
.nt
.data
= nt_resp
.data
;
93 ninfo
.nt
.length
= nt_resp
.length
;
95 ninfo
.identity_info
.parameter_control
= 0;
96 ninfo
.identity_info
.logon_id_low
= 0;
97 ninfo
.identity_info
.logon_id_high
= 0;
98 ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(credentials
);
100 logon
.network
= &ninfo
;
102 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
103 r
.in
.computer_name
= cli_credentials_get_workstation(credentials
);
104 r
.in
.logon_level
= 2;
106 r
.in
.flags
= &_flags
;
107 r
.out
.validation
= &validation
;
108 r
.out
.authoritative
= &authoritative
;
109 r
.out
.flags
= &_flags
;
111 torture_comment(tctx
,
112 "Testing LogonSamLogonEx with name %s\n",
113 ninfo
.identity_info
.account_name
.string
);
116 r
.in
.validation_level
= i
;
118 status
= dcerpc_netr_LogonSamLogonEx_r(b
, tctx
, &r
);
119 torture_assert_ntstatus_ok(tctx
, status
, "LogonSamLogon failed");
126 do some samr ops using the schannel connection
128 static bool test_samr_ops(struct torture_context
*tctx
,
129 struct dcerpc_binding_handle
*b
)
132 struct samr_GetDomPwInfo r
;
133 struct samr_PwInfo info
;
134 struct samr_Connect connect_r
;
135 struct samr_OpenDomain opendom
;
137 struct lsa_String name
;
138 struct policy_handle handle
;
139 struct policy_handle domain_handle
;
141 name
.string
= lp_workgroup(tctx
->lp_ctx
);
142 r
.in
.domain_name
= &name
;
145 connect_r
.in
.system_name
= 0;
146 connect_r
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
147 connect_r
.out
.connect_handle
= &handle
;
149 printf("Testing Connect and OpenDomain on BUILTIN\n");
151 status
= dcerpc_samr_Connect_r(b
, tctx
, &connect_r
);
152 if (!NT_STATUS_IS_OK(status
)) {
153 if (NT_STATUS_EQUAL(status
, NT_STATUS_ACCESS_DENIED
)) {
154 printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
157 printf("Connect failed - %s\n", nt_errstr(status
));
161 opendom
.in
.connect_handle
= &handle
;
162 opendom
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
163 opendom
.in
.sid
= dom_sid_parse_talloc(tctx
, "S-1-5-32");
164 opendom
.out
.domain_handle
= &domain_handle
;
166 status
= dcerpc_samr_OpenDomain_r(b
, tctx
, &opendom
);
167 if (!NT_STATUS_IS_OK(status
)) {
168 printf("OpenDomain failed - %s\n", nt_errstr(status
));
173 printf("Testing GetDomPwInfo with name %s\n", r
.in
.domain_name
->string
);
175 /* do several ops to test credential chaining */
177 status
= dcerpc_samr_GetDomPwInfo_r(b
, tctx
, &r
);
178 if (!NT_STATUS_IS_OK(status
)) {
179 if (!NT_STATUS_EQUAL(status
, NT_STATUS_ACCESS_DENIED
)) {
180 printf("GetDomPwInfo op %d failed - %s\n", i
, nt_errstr(status
));
191 do some lsa ops using the schannel connection
193 static bool test_lsa_ops(struct torture_context
*tctx
, struct dcerpc_pipe
*p
)
195 struct lsa_GetUserName r
;
198 struct lsa_String
*account_name_p
= NULL
;
199 struct lsa_String
*authority_name_p
= NULL
;
200 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
202 printf("\nTesting GetUserName\n");
204 r
.in
.system_name
= "\\";
205 r
.in
.account_name
= &account_name_p
;
206 r
.in
.authority_name
= &authority_name_p
;
207 r
.out
.account_name
= &account_name_p
;
209 /* do several ops to test credential chaining and various operations */
210 status
= dcerpc_lsa_GetUserName_r(b
, tctx
, &r
);
212 authority_name_p
= *r
.out
.authority_name
;
214 if (NT_STATUS_EQUAL(status
, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED
)) {
215 printf("not considering %s to be an error\n", nt_errstr(status
));
216 } else if (!NT_STATUS_IS_OK(status
)) {
217 printf("GetUserName failed - %s\n", nt_errstr(status
));
220 if (!r
.out
.account_name
) {
224 if (strcmp(account_name_p
->string
, "ANONYMOUS LOGON") != 0) {
225 printf("GetUserName returned wrong user: %s, expected %s\n",
226 account_name_p
->string
, "ANONYMOUS LOGON");
228 if (!torture_setting_bool(tctx
, "samba3", false)) {
232 if (!authority_name_p
|| !authority_name_p
->string
) {
236 if (strcmp(authority_name_p
->string
, "NT AUTHORITY") != 0) {
237 printf("GetUserName returned wrong user: %s, expected %s\n",
238 authority_name_p
->string
, "NT AUTHORITY");
240 if (!torture_setting_bool(tctx
, "samba3", false)) {
245 if (!test_many_LookupSids(p
, tctx
, NULL
)) {
246 printf("LsaLookupSids3 failed!\n");
255 test a schannel connection with the given flags
257 static bool test_schannel(struct torture_context
*tctx
,
258 uint16_t acct_flags
, uint32_t dcerpc_flags
,
261 struct test_join
*join_ctx
;
263 const char *binding
= torture_setting_string(tctx
, "binding", NULL
);
264 struct dcerpc_binding
*b
;
265 struct dcerpc_pipe
*p
= NULL
;
266 struct dcerpc_pipe
*p_netlogon
= NULL
;
267 struct dcerpc_pipe
*p_netlogon2
= NULL
;
268 struct dcerpc_pipe
*p_netlogon3
= NULL
;
269 struct dcerpc_pipe
*p_samr2
= NULL
;
270 struct dcerpc_pipe
*p_lsa
= NULL
;
271 struct netlogon_creds_CredentialState
*creds
;
272 struct cli_credentials
*credentials
;
274 join_ctx
= torture_join_domain(tctx
,
275 talloc_asprintf(tctx
, "%s%d", TEST_MACHINE_NAME
, i
),
276 acct_flags
, &credentials
);
277 torture_assert(tctx
, join_ctx
!= NULL
, "Failed to join domain");
279 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
280 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
282 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
283 b
->flags
|= dcerpc_flags
;
285 status
= dcerpc_pipe_connect_b(tctx
, &p
, b
, &ndr_table_samr
,
286 credentials
, tctx
->ev
, tctx
->lp_ctx
);
287 torture_assert_ntstatus_ok(tctx
, status
,
288 "Failed to connect with schannel");
290 torture_assert(tctx
, test_samr_ops(tctx
, p
->binding_handle
),
291 "Failed to process schannel secured SAMR ops");
293 /* Also test that when we connect to the netlogon pipe, that
294 * the credentials we setup on the first pipe are valid for
297 /* Swap the binding details from SAMR to NETLOGON */
298 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_netlogon
, tctx
->ev
, tctx
->lp_ctx
);
299 torture_assert_ntstatus_ok(tctx
, status
, "epm map");
301 status
= dcerpc_secondary_connection(p
, &p_netlogon
,
303 torture_assert_ntstatus_ok(tctx
, status
, "seconday connection");
305 status
= dcerpc_bind_auth(p_netlogon
, &ndr_table_netlogon
,
306 credentials
, lp_gensec_settings(tctx
, tctx
->lp_ctx
),
307 DCERPC_AUTH_TYPE_SCHANNEL
,
308 dcerpc_auth_level(p
->conn
),
311 torture_assert_ntstatus_ok(tctx
, status
, "bind auth");
313 status
= dcerpc_schannel_creds(p_netlogon
->conn
->security_state
.generic_state
, tctx
, &creds
);
314 torture_assert_ntstatus_ok(tctx
, status
, "schannel creds");
316 /* do a couple of logins */
317 torture_assert(tctx
, test_netlogon_ops(p_netlogon
, tctx
, credentials
, creds
),
318 "Failed to process schannel secured NETLOGON ops");
320 torture_assert(tctx
, test_netlogon_ex_ops(p_netlogon
, tctx
, credentials
, creds
),
321 "Failed to process schannel secured NETLOGON EX ops");
323 /* Swap the binding details from SAMR to LSARPC */
324 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_lsarpc
, tctx
->ev
, tctx
->lp_ctx
);
325 torture_assert_ntstatus_ok(tctx
, status
, "epm map");
327 status
= dcerpc_secondary_connection(p
, &p_lsa
,
330 torture_assert_ntstatus_ok(tctx
, status
, "seconday connection");
332 status
= dcerpc_bind_auth(p_lsa
, &ndr_table_lsarpc
,
333 credentials
, lp_gensec_settings(tctx
, tctx
->lp_ctx
),
334 DCERPC_AUTH_TYPE_SCHANNEL
,
335 dcerpc_auth_level(p
->conn
),
338 torture_assert_ntstatus_ok(tctx
, status
, "bind auth");
340 torture_assert(tctx
, test_lsa_ops(tctx
, p_lsa
),
341 "Failed to process schannel secured LSA ops");
343 /* Drop the socket, we want to start from scratch */
347 /* Now see what we are still allowed to do */
349 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
350 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
352 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
353 b
->flags
|= dcerpc_flags
;
355 status
= dcerpc_pipe_connect_b(tctx
, &p_samr2
, b
, &ndr_table_samr
,
356 credentials
, tctx
->ev
, tctx
->lp_ctx
);
357 torture_assert_ntstatus_ok(tctx
, status
,
358 "Failed to connect with schannel");
360 /* do a some SAMR operations. We have *not* done a new serverauthenticate */
361 torture_assert (tctx
, test_samr_ops(tctx
, p_samr2
->binding_handle
),
362 "Failed to process schannel secured SAMR ops (on fresh connection)");
364 /* Swap the binding details from SAMR to NETLOGON */
365 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_netlogon
, tctx
->ev
, tctx
->lp_ctx
);
366 torture_assert_ntstatus_ok(tctx
, status
, "epm");
368 status
= dcerpc_secondary_connection(p_samr2
, &p_netlogon2
,
370 torture_assert_ntstatus_ok(tctx
, status
, "seconday connection");
372 /* and now setup an SCHANNEL bind on netlogon */
373 status
= dcerpc_bind_auth(p_netlogon2
, &ndr_table_netlogon
,
374 credentials
, lp_gensec_settings(tctx
, tctx
->lp_ctx
),
375 DCERPC_AUTH_TYPE_SCHANNEL
,
376 dcerpc_auth_level(p_samr2
->conn
),
379 torture_assert_ntstatus_ok(tctx
, status
, "auth failed");
381 /* Try the schannel-only SamLogonEx operation */
382 torture_assert(tctx
, test_netlogon_ex_ops(p_netlogon2
, tctx
, credentials
, creds
),
383 "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
386 /* And the more traditional style, proving that the
387 * credentials chaining state is fully present */
388 torture_assert(tctx
, test_netlogon_ops(p_netlogon2
, tctx
, credentials
, creds
),
389 "Failed to process schannel secured NETLOGON ops (on fresh connection)");
391 /* Drop the socket, we want to start from scratch (again) */
392 talloc_free(p_samr2
);
394 /* We don't want schannel for this test */
395 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
397 status
= dcerpc_pipe_connect_b(tctx
, &p_netlogon3
, b
, &ndr_table_netlogon
,
398 credentials
, tctx
->ev
, tctx
->lp_ctx
);
399 torture_assert_ntstatus_ok(tctx
, status
, "Failed to connect without schannel");
401 torture_assert(tctx
, !test_netlogon_ex_ops(p_netlogon3
, tctx
, credentials
, creds
),
402 "Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
404 /* Required because the previous call will mark the current context as having failed */
405 tctx
->last_result
= TORTURE_OK
;
406 tctx
->last_reason
= NULL
;
408 torture_assert(tctx
, test_netlogon_ops(p_netlogon3
, tctx
, credentials
, creds
),
409 "Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
411 torture_leave_domain(tctx
, join_ctx
);
418 a schannel test suite
420 bool torture_rpc_schannel(struct torture_context
*torture
)
425 uint32_t dcerpc_flags
;
427 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
},
428 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
},
429 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_128
},
430 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_128
},
431 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
},
432 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
},
433 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_128
},
434 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_128
}
438 for (i
=0;i
<ARRAY_SIZE(tests
);i
++) {
439 if (!test_schannel(torture
,
440 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
,
442 torture_comment(torture
, "Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
443 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
);
452 test two schannel connections
454 bool torture_rpc_schannel2(struct torture_context
*torture
)
456 struct test_join
*join_ctx
;
458 const char *binding
= torture_setting_string(torture
, "binding", NULL
);
459 struct dcerpc_binding
*b
;
460 struct dcerpc_pipe
*p1
= NULL
, *p2
= NULL
;
461 struct cli_credentials
*credentials1
, *credentials2
;
462 uint32_t dcerpc_flags
= DCERPC_SCHANNEL
| DCERPC_SIGN
;
464 join_ctx
= torture_join_domain(torture
, talloc_asprintf(torture
, "%s2", TEST_MACHINE_NAME
),
465 ACB_WSTRUST
, &credentials1
);
466 torture_assert(torture
, join_ctx
!= NULL
,
467 "Failed to join domain with acct_flags=ACB_WSTRUST");
469 credentials2
= (struct cli_credentials
*)talloc_memdup(torture
, credentials1
, sizeof(*credentials1
));
470 credentials1
->netlogon_creds
= NULL
;
471 credentials2
->netlogon_creds
= NULL
;
473 status
= dcerpc_parse_binding(torture
, binding
, &b
);
474 torture_assert_ntstatus_ok(torture
, status
, "Bad binding string");
476 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
477 b
->flags
|= dcerpc_flags
;
479 printf("Opening first connection\n");
480 status
= dcerpc_pipe_connect_b(torture
, &p1
, b
, &ndr_table_netlogon
,
481 credentials1
, torture
->ev
, torture
->lp_ctx
);
482 torture_assert_ntstatus_ok(torture
, status
, "Failed to connect with schannel");
484 torture_comment(torture
, "Opening second connection\n");
485 status
= dcerpc_pipe_connect_b(torture
, &p2
, b
, &ndr_table_netlogon
,
486 credentials2
, torture
->ev
, torture
->lp_ctx
);
487 torture_assert_ntstatus_ok(torture
, status
, "Failed to connect with schannel");
489 credentials1
->netlogon_creds
= NULL
;
490 credentials2
->netlogon_creds
= NULL
;
492 torture_comment(torture
, "Testing logon on pipe1\n");
493 if (!test_netlogon_ex_ops(p1
, torture
, credentials1
, NULL
))
496 torture_comment(torture
, "Testing logon on pipe2\n");
497 if (!test_netlogon_ex_ops(p2
, torture
, credentials2
, NULL
))
500 torture_comment(torture
, "Again on pipe1\n");
501 if (!test_netlogon_ex_ops(p1
, torture
, credentials1
, NULL
))
504 torture_comment(torture
, "Again on pipe2\n");
505 if (!test_netlogon_ex_ops(p2
, torture
, credentials2
, NULL
))
508 torture_leave_domain(torture
, join_ctx
);
512 struct torture_schannel_bench
;
514 struct torture_schannel_bench_conn
{
515 struct torture_schannel_bench
*s
;
517 struct cli_credentials
*wks_creds
;
518 struct dcerpc_pipe
*pipe
;
519 struct netr_LogonSamLogonEx r
;
520 struct netr_NetworkInfo ninfo
;
526 struct torture_schannel_bench
{
527 struct torture_context
*tctx
;
532 struct torture_schannel_bench_conn
*conns
;
533 struct test_join
*join_ctx1
;
534 struct cli_credentials
*wks_creds1
;
535 struct test_join
*join_ctx2
;
536 struct cli_credentials
*wks_creds2
;
537 struct cli_credentials
*user1_creds
;
538 struct cli_credentials
*user2_creds
;
539 struct dcerpc_binding
*b
;
546 static void torture_schannel_bench_connected(struct composite_context
*c
)
548 struct torture_schannel_bench_conn
*conn
=
549 (struct torture_schannel_bench_conn
*)c
->async
.private_data
;
550 struct torture_schannel_bench
*s
= talloc_get_type(conn
->s
,
551 struct torture_schannel_bench
);
553 s
->error
= dcerpc_pipe_connect_b_recv(c
, s
->conns
, &conn
->pipe
);
554 torture_comment(s
->tctx
, "conn[%u]: %s\n", conn
->index
, nt_errstr(s
->error
));
555 if (NT_STATUS_IS_OK(s
->error
)) {
560 static void torture_schannel_bench_recv(struct tevent_req
*subreq
);
562 static bool torture_schannel_bench_start(struct torture_schannel_bench_conn
*conn
)
564 struct torture_schannel_bench
*s
= conn
->s
;
566 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
567 int flags
= CLI_CRED_NTLM_AUTH
;
568 struct tevent_req
*subreq
;
569 struct cli_credentials
*user_creds
;
571 if (conn
->total
% 2) {
572 user_creds
= s
->user1_creds
;
574 user_creds
= s
->user2_creds
;
577 if (lp_client_lanman_auth(s
->tctx
->lp_ctx
)) {
578 flags
|= CLI_CRED_LANMAN_AUTH
;
581 if (lp_client_ntlmv2_auth(s
->tctx
->lp_ctx
)) {
582 flags
|= CLI_CRED_NTLMv2_AUTH
;
585 talloc_free(conn
->tmp
);
586 conn
->tmp
= talloc_new(s
);
587 ZERO_STRUCT(conn
->ninfo
);
588 ZERO_STRUCT(conn
->r
);
590 cli_credentials_get_ntlm_username_domain(user_creds
, conn
->tmp
,
591 &conn
->ninfo
.identity_info
.account_name
.string
,
592 &conn
->ninfo
.identity_info
.domain_name
.string
);
594 generate_random_buffer(conn
->ninfo
.challenge
,
595 sizeof(conn
->ninfo
.challenge
));
596 chal
= data_blob_const(conn
->ninfo
.challenge
,
597 sizeof(conn
->ninfo
.challenge
));
599 names_blob
= NTLMv2_generate_names_blob(conn
->tmp
,
600 cli_credentials_get_workstation(conn
->wks_creds
),
601 cli_credentials_get_domain(conn
->wks_creds
));
603 status
= cli_credentials_get_ntlm_response(user_creds
, conn
->tmp
,
609 torture_assert_ntstatus_ok(s
->tctx
, status
,
610 "cli_credentials_get_ntlm_response failed");
612 conn
->ninfo
.lm
.data
= lm_resp
.data
;
613 conn
->ninfo
.lm
.length
= lm_resp
.length
;
615 conn
->ninfo
.nt
.data
= nt_resp
.data
;
616 conn
->ninfo
.nt
.length
= nt_resp
.length
;
618 conn
->ninfo
.identity_info
.parameter_control
= 0;
619 conn
->ninfo
.identity_info
.logon_id_low
= 0;
620 conn
->ninfo
.identity_info
.logon_id_high
= 0;
621 conn
->ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(conn
->wks_creds
);
623 conn
->r
.in
.server_name
= talloc_asprintf(conn
->tmp
, "\\\\%s", dcerpc_server_name(conn
->pipe
));
624 conn
->r
.in
.computer_name
= cli_credentials_get_workstation(conn
->wks_creds
);
625 conn
->r
.in
.logon_level
= 2;
626 conn
->r
.in
.logon
= talloc(conn
->tmp
, union netr_LogonLevel
);
627 conn
->r
.in
.logon
->network
= &conn
->ninfo
;
628 conn
->r
.in
.flags
= talloc(conn
->tmp
, uint32_t);
629 conn
->r
.in
.validation_level
= 2;
630 conn
->r
.out
.validation
= talloc(conn
->tmp
, union netr_Validation
);
631 conn
->r
.out
.authoritative
= talloc(conn
->tmp
, uint8_t);
632 conn
->r
.out
.flags
= conn
->r
.in
.flags
;
634 subreq
= dcerpc_netr_LogonSamLogonEx_r_send(s
, s
->tctx
->ev
,
635 conn
->pipe
->binding_handle
,
637 torture_assert(s
->tctx
, subreq
, "Failed to setup LogonSamLogonEx request");
639 tevent_req_set_callback(subreq
, torture_schannel_bench_recv
, conn
);
644 static void torture_schannel_bench_recv(struct tevent_req
*subreq
)
647 struct torture_schannel_bench_conn
*conn
=
648 (struct torture_schannel_bench_conn
*)tevent_req_callback_data_void(subreq
);
649 struct torture_schannel_bench
*s
= talloc_get_type(conn
->s
,
650 struct torture_schannel_bench
);
652 s
->error
= dcerpc_netr_LogonSamLogonEx_r_recv(subreq
, subreq
);
654 if (!NT_STATUS_IS_OK(s
->error
)) {
665 ret
= torture_schannel_bench_start(conn
);
667 s
->error
= NT_STATUS_INTERNAL_ERROR
;
672 test multiple schannel connection in parallel
674 bool torture_rpc_schannel_bench1(struct torture_context
*torture
)
678 const char *binding
= torture_setting_string(torture
, "binding", NULL
);
679 struct torture_schannel_bench
*s
;
680 struct timeval start
;
685 s
= talloc_zero(torture
, struct torture_schannel_bench
);
687 s
->progress
= torture_setting_bool(torture
, "progress", true);
688 s
->timelimit
= torture_setting_int(torture
, "timelimit", 10);
689 s
->nprocs
= torture_setting_int(torture
, "nprocs", 4);
690 s
->conns
= talloc_zero_array(s
, struct torture_schannel_bench_conn
, s
->nprocs
);
692 s
->user1_creds
= (struct cli_credentials
*)talloc_memdup(s
,
694 sizeof(*s
->user1_creds
));
695 tmp
= torture_setting_string(s
->tctx
, "extra_user1", NULL
);
697 cli_credentials_parse_string(s
->user1_creds
, tmp
, CRED_SPECIFIED
);
699 s
->user2_creds
= (struct cli_credentials
*)talloc_memdup(s
,
701 sizeof(*s
->user1_creds
));
702 tmp
= torture_setting_string(s
->tctx
, "extra_user2", NULL
);
704 cli_credentials_parse_string(s
->user1_creds
, tmp
, CRED_SPECIFIED
);
707 s
->join_ctx1
= torture_join_domain(s
->tctx
, talloc_asprintf(s
, "%sb", TEST_MACHINE_NAME
),
708 ACB_WSTRUST
, &s
->wks_creds1
);
709 torture_assert(torture
, s
->join_ctx1
!= NULL
,
710 "Failed to join domain with acct_flags=ACB_WSTRUST");
711 s
->join_ctx2
= torture_join_domain(s
->tctx
, talloc_asprintf(s
, "%sc", TEST_MACHINE_NAME
),
712 ACB_WSTRUST
, &s
->wks_creds2
);
713 torture_assert(torture
, s
->join_ctx2
!= NULL
,
714 "Failed to join domain with acct_flags=ACB_WSTRUST");
716 cli_credentials_set_kerberos_state(s
->wks_creds1
, CRED_DONT_USE_KERBEROS
);
717 cli_credentials_set_kerberos_state(s
->wks_creds2
, CRED_DONT_USE_KERBEROS
);
719 for (i
=0; i
< s
->nprocs
; i
++) {
721 s
->conns
[i
].index
= i
;
722 s
->conns
[i
].wks_creds
= (struct cli_credentials
*)talloc_memdup(
723 s
->conns
, s
->wks_creds1
,sizeof(*s
->wks_creds1
));
724 if ((i
% 2) && (torture_setting_bool(torture
, "multijoin", false))) {
725 memcpy(s
->conns
[i
].wks_creds
, s
->wks_creds2
,
726 talloc_get_size(s
->conns
[i
].wks_creds
));
728 s
->conns
[i
].wks_creds
->netlogon_creds
= NULL
;
731 status
= dcerpc_parse_binding(s
, binding
, &s
->b
);
732 torture_assert_ntstatus_ok(torture
, status
, "Bad binding string");
733 s
->b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
734 s
->b
->flags
|= DCERPC_SCHANNEL
| DCERPC_SIGN
;
736 torture_comment(torture
, "Opening %d connections in parallel\n", s
->nprocs
);
737 for (i
=0; i
< s
->nprocs
; i
++) {
739 s
->error
= dcerpc_pipe_connect_b(s
->conns
, &s
->conns
[i
].pipe
, s
->b
,
741 s
->conns
[i
].wks_creds
,
742 torture
->ev
, torture
->lp_ctx
);
743 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed to connect with schannel");
746 * This path doesn't work against windows,
747 * because of windows drops the connections
748 * which haven't reached a session setup yet
750 * The same as the reset on zero vc stuff.
752 struct composite_context
*c
;
753 c
= dcerpc_pipe_connect_b_send(s
->conns
, s
->b
,
755 s
->conns
[i
].wks_creds
,
758 torture_assert(torture
, c
!= NULL
, "Failed to setup connect");
759 c
->async
.fn
= torture_schannel_bench_connected
;
760 c
->async
.private_data
= &s
->conns
[i
];
763 while (NT_STATUS_IS_OK(s
->error
) && s
->nprocs
!= s
->nconns
) {
764 int ev_ret
= event_loop_once(torture
->ev
);
765 torture_assert(torture
, ev_ret
== 0, "event_loop_once failed");
768 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed establish a connect");
771 * Change the workstation password after establishing the netlogon
772 * schannel connections to prove that existing connections are not
773 * affected by a wks pwchange.
777 struct netr_ServerPasswordSet pwset
;
778 char *password
= generate_random_password(s
->join_ctx1
, 8, 255);
779 struct netlogon_creds_CredentialState
*creds_state
;
780 struct dcerpc_pipe
*net_pipe
;
781 struct netr_Authenticator credential
, return_authenticator
;
782 struct samr_Password new_password
;
784 status
= dcerpc_pipe_connect_b(s
, &net_pipe
, s
->b
,
787 torture
->ev
, torture
->lp_ctx
);
789 torture_assert_ntstatus_ok(torture
, status
,
790 "dcerpc_pipe_connect_b failed");
792 pwset
.in
.server_name
= talloc_asprintf(
793 net_pipe
, "\\\\%s", dcerpc_server_name(net_pipe
));
794 pwset
.in
.computer_name
=
795 cli_credentials_get_workstation(s
->wks_creds1
);
796 pwset
.in
.account_name
= talloc_asprintf(
797 net_pipe
, "%s$", pwset
.in
.computer_name
);
798 pwset
.in
.secure_channel_type
= SEC_CHAN_WKSTA
;
799 pwset
.in
.credential
= &credential
;
800 pwset
.in
.new_password
= &new_password
;
801 pwset
.out
.return_authenticator
= &return_authenticator
;
803 E_md4hash(password
, new_password
.hash
);
805 creds_state
= cli_credentials_get_netlogon_creds(
807 netlogon_creds_des_encrypt(creds_state
, &new_password
);
808 netlogon_creds_client_authenticator(creds_state
, &credential
);
810 status
= dcerpc_netr_ServerPasswordSet_r(net_pipe
->binding_handle
, torture
, &pwset
);
811 torture_assert_ntstatus_ok(torture
, status
,
812 "ServerPasswordSet failed");
814 if (!netlogon_creds_client_check(creds_state
,
815 &pwset
.out
.return_authenticator
->cred
)) {
816 printf("Credential chaining failed\n");
819 cli_credentials_set_password(s
->wks_creds1
, password
,
822 talloc_free(net_pipe
);
824 /* Just as a test, connect with the new creds */
826 talloc_free(s
->wks_creds1
->netlogon_creds
);
827 s
->wks_creds1
->netlogon_creds
= NULL
;
829 status
= dcerpc_pipe_connect_b(s
, &net_pipe
, s
->b
,
832 torture
->ev
, torture
->lp_ctx
);
834 torture_assert_ntstatus_ok(torture
, status
,
835 "dcerpc_pipe_connect_b failed");
837 talloc_free(net_pipe
);
840 torture_comment(torture
, "Start looping LogonSamLogonEx on %d connections for %d secs\n",
841 s
->nprocs
, s
->timelimit
);
842 for (i
=0; i
< s
->nprocs
; i
++) {
843 ret
= torture_schannel_bench_start(&s
->conns
[i
]);
844 torture_assert(torture
, ret
, "Failed to setup LogonSamLogonEx");
847 start
= timeval_current();
848 end
= timeval_add(&start
, s
->timelimit
, 0);
850 while (NT_STATUS_IS_OK(s
->error
) && !timeval_expired(&end
)) {
851 int ev_ret
= event_loop_once(torture
->ev
);
852 torture_assert(torture
, ev_ret
== 0, "event_loop_once failed");
854 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed some request");
856 talloc_free(s
->conns
);
858 for (i
=0; i
< s
->nprocs
; i
++) {
859 s
->total
+= s
->conns
[i
].total
;
862 torture_comment(torture
,
863 "Total ops[%llu] (%u ops/s)\n",
864 (unsigned long long)s
->total
,
865 (unsigned)s
->total
/s
->timelimit
);
867 torture_leave_domain(torture
, s
->join_ctx1
);
868 torture_leave_domain(torture
, s
->join_ctx2
);