2 Unix SMB/CIFS implementation.
4 test suite for schannel operations
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "librpc/gen_ndr/ndr_netlogon_c.h"
24 #include "librpc/gen_ndr/ndr_lsa_c.h"
25 #include "librpc/gen_ndr/ndr_samr_c.h"
26 #include "auth/credentials/credentials.h"
27 #include "torture/rpc/torture_rpc.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "../libcli/auth/schannel.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "libcli/security/security.h"
32 #include "system/filesys.h"
33 #include "param/param.h"
34 #include "librpc/rpc/dcerpc_proto.h"
35 #include "libcli/composite/composite.h"
36 #include "lib/events/events.h"
38 #define TEST_MACHINE_NAME "schannel"
41 try a netlogon SamLogon
43 bool test_netlogon_ex_ops(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
44 struct cli_credentials
*credentials
,
45 struct netlogon_creds_CredentialState
*creds
)
48 struct netr_LogonSamLogonEx r
;
49 struct netr_NetworkInfo ninfo
;
50 union netr_LogonLevel logon
;
51 union netr_Validation validation
;
52 uint8_t authoritative
= 0;
54 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
56 int flags
= CLI_CRED_NTLM_AUTH
;
57 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
59 struct netr_UserSessionKey key
;
60 struct netr_LMSessionKey LMSessKey
;
61 uint32_t validation_levels
[] = { 2, 3 };
62 struct netr_SamBaseInfo
*base
;
63 const char *crypto_alg
= "";
64 bool can_do_validation_6
= true;
66 if (lpcfg_client_lanman_auth(tctx
->lp_ctx
)) {
67 flags
|= CLI_CRED_LANMAN_AUTH
;
70 if (lpcfg_client_ntlmv2_auth(tctx
->lp_ctx
)) {
71 flags
|= CLI_CRED_NTLMv2_AUTH
;
74 cli_credentials_get_ntlm_username_domain(cmdline_credentials
, tctx
,
75 &ninfo
.identity_info
.account_name
.string
,
76 &ninfo
.identity_info
.domain_name
.string
);
78 generate_random_buffer(ninfo
.challenge
,
79 sizeof(ninfo
.challenge
));
80 chal
= data_blob_const(ninfo
.challenge
,
81 sizeof(ninfo
.challenge
));
83 names_blob
= NTLMv2_generate_names_blob(tctx
, cli_credentials_get_workstation(credentials
),
84 cli_credentials_get_domain(credentials
));
86 status
= cli_credentials_get_ntlm_response(cmdline_credentials
, tctx
,
92 torture_assert_ntstatus_ok(tctx
, status
,
93 "cli_credentials_get_ntlm_response failed");
95 ninfo
.lm
.data
= lm_resp
.data
;
96 ninfo
.lm
.length
= lm_resp
.length
;
98 ninfo
.nt
.data
= nt_resp
.data
;
99 ninfo
.nt
.length
= nt_resp
.length
;
101 ninfo
.identity_info
.parameter_control
= 0;
102 ninfo
.identity_info
.logon_id_low
= 0;
103 ninfo
.identity_info
.logon_id_high
= 0;
104 ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(credentials
);
106 logon
.network
= &ninfo
;
108 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
109 r
.in
.computer_name
= cli_credentials_get_workstation(credentials
);
110 r
.in
.logon_level
= NetlogonNetworkInformation
;
112 r
.in
.flags
= &_flags
;
113 r
.out
.validation
= &validation
;
114 r
.out
.authoritative
= &authoritative
;
115 r
.out
.flags
= &_flags
;
119 - save usrsession and lmsession key
127 if (creds
->negotiate_flags
& NETLOGON_NEG_SUPPORTS_AES
) {
129 } else if (creds
->negotiate_flags
& NETLOGON_NEG_ARCFOUR
) {
130 crypto_alg
= "ARCFOUR";
134 r
.in
.validation_level
= 6;
136 torture_comment(tctx
,
137 "Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n",
138 ninfo
.identity_info
.account_name
.string
, crypto_alg
,
139 r
.in
.validation_level
);
141 torture_assert_ntstatus_ok(tctx
,
142 dcerpc_netr_LogonSamLogonEx_r(b
, tctx
, &r
),
143 "LogonSamLogonEx failed");
144 if (NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_INVALID_INFO_CLASS
)) {
145 can_do_validation_6
= false;
147 torture_assert_ntstatus_ok(tctx
, r
.out
.result
,
148 "LogonSamLogonEx failed");
150 key
= r
.out
.validation
->sam6
->base
.key
;
151 LMSessKey
= r
.out
.validation
->sam6
->base
.LMSessKey
;
153 DEBUG(1,("unencrypted session keys from validation_level 6:\n"));
154 dump_data(1, r
.out
.validation
->sam6
->base
.key
.key
, 16);
155 dump_data(1, r
.out
.validation
->sam6
->base
.LMSessKey
.key
, 8);
158 for (i
=0; i
< ARRAY_SIZE(validation_levels
); i
++) {
160 r
.in
.validation_level
= validation_levels
[i
];
162 torture_comment(tctx
,
163 "Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n",
164 ninfo
.identity_info
.account_name
.string
, crypto_alg
,
165 r
.in
.validation_level
);
167 torture_assert_ntstatus_ok(tctx
,
168 dcerpc_netr_LogonSamLogonEx_r(b
, tctx
, &r
),
169 "LogonSamLogonEx failed");
170 torture_assert_ntstatus_ok(tctx
, r
.out
.result
,
171 "LogonSamLogonEx failed");
174 /* when this test is called without creds no point in
175 * testing the session keys */
179 switch (validation_levels
[i
]) {
181 base
= &r
.out
.validation
->sam2
->base
;
184 base
= &r
.out
.validation
->sam3
->base
;
190 DEBUG(1,("encrypted keys validation_level %d:\n",
191 validation_levels
[i
]));
192 dump_data(1, base
->key
.key
, 16);
193 dump_data(1, base
->LMSessKey
.key
, 8);
195 if (creds
->negotiate_flags
& NETLOGON_NEG_SUPPORTS_AES
) {
196 netlogon_creds_aes_decrypt(creds
, base
->key
.key
, 16);
197 netlogon_creds_aes_decrypt(creds
, base
->LMSessKey
.key
, 8);
198 } else if (creds
->negotiate_flags
& NETLOGON_NEG_ARCFOUR
) {
199 netlogon_creds_arcfour_crypt(creds
, base
->key
.key
, 16);
200 netlogon_creds_arcfour_crypt(creds
, base
->LMSessKey
.key
, 8);
203 DEBUG(1,("decryped keys validation_level %d\n",
204 validation_levels
[i
]));
206 dump_data(1, base
->key
.key
, 16);
207 dump_data(1, base
->LMSessKey
.key
, 8);
209 if (!can_do_validation_6
) {
210 /* we cant compare against unencrypted keys */
214 torture_assert_mem_equal(tctx
,
218 "unexpected user session key\n");
219 torture_assert_mem_equal(tctx
,
223 "unexpected LM session key\n");
230 do some samr ops using the schannel connection
232 static bool test_samr_ops(struct torture_context
*tctx
,
233 struct dcerpc_binding_handle
*b
)
235 struct samr_GetDomPwInfo r
;
236 struct samr_PwInfo info
;
237 struct samr_Connect connect_r
;
238 struct samr_OpenDomain opendom
;
240 struct lsa_String name
;
241 struct policy_handle handle
;
242 struct policy_handle domain_handle
;
244 name
.string
= lpcfg_workgroup(tctx
->lp_ctx
);
245 r
.in
.domain_name
= &name
;
248 connect_r
.in
.system_name
= 0;
249 connect_r
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
250 connect_r
.out
.connect_handle
= &handle
;
252 torture_comment(tctx
, "Testing Connect and OpenDomain on BUILTIN\n");
254 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_Connect_r(b
, tctx
, &connect_r
),
256 if (!NT_STATUS_IS_OK(connect_r
.out
.result
)) {
257 if (NT_STATUS_EQUAL(connect_r
.out
.result
, NT_STATUS_ACCESS_DENIED
)) {
258 torture_comment(tctx
, "Connect failed (expected, schannel mapped to anonymous): %s\n",
259 nt_errstr(connect_r
.out
.result
));
261 torture_comment(tctx
, "Connect failed - %s\n", nt_errstr(connect_r
.out
.result
));
265 opendom
.in
.connect_handle
= &handle
;
266 opendom
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
267 opendom
.in
.sid
= dom_sid_parse_talloc(tctx
, "S-1-5-32");
268 opendom
.out
.domain_handle
= &domain_handle
;
270 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_OpenDomain_r(b
, tctx
, &opendom
),
271 "OpenDomain failed");
272 if (!NT_STATUS_IS_OK(opendom
.out
.result
)) {
273 torture_comment(tctx
, "OpenDomain failed - %s\n", nt_errstr(opendom
.out
.result
));
278 torture_comment(tctx
, "Testing GetDomPwInfo with name %s\n", r
.in
.domain_name
->string
);
280 /* do several ops to test credential chaining */
282 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_GetDomPwInfo_r(b
, tctx
, &r
),
283 "GetDomPwInfo failed");
284 if (!NT_STATUS_IS_OK(r
.out
.result
)) {
285 if (!NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_ACCESS_DENIED
)) {
286 torture_comment(tctx
, "GetDomPwInfo op %d failed - %s\n", i
, nt_errstr(r
.out
.result
));
297 do some lsa ops using the schannel connection
299 static bool test_lsa_ops(struct torture_context
*tctx
, struct dcerpc_pipe
*p
)
301 struct lsa_GetUserName r
;
303 struct lsa_String
*account_name_p
= NULL
;
304 struct lsa_String
*authority_name_p
= NULL
;
305 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
307 torture_comment(tctx
, "\nTesting GetUserName\n");
309 r
.in
.system_name
= "\\";
310 r
.in
.account_name
= &account_name_p
;
311 r
.in
.authority_name
= &authority_name_p
;
312 r
.out
.account_name
= &account_name_p
;
314 /* do several ops to test credential chaining and various operations */
315 torture_assert_ntstatus_ok(tctx
, dcerpc_lsa_GetUserName_r(b
, tctx
, &r
),
316 "lsa_GetUserName failed");
318 authority_name_p
= *r
.out
.authority_name
;
320 if (!NT_STATUS_IS_OK(r
.out
.result
)) {
321 torture_comment(tctx
, "GetUserName failed - %s\n", nt_errstr(r
.out
.result
));
324 if (!r
.out
.account_name
) {
328 if (strcmp(account_name_p
->string
, "ANONYMOUS LOGON") != 0) {
329 torture_comment(tctx
, "GetUserName returned wrong user: %s, expected %s\n",
330 account_name_p
->string
, "ANONYMOUS LOGON");
332 if (!torture_setting_bool(tctx
, "samba3", false)) {
336 if (!authority_name_p
|| !authority_name_p
->string
) {
340 if (strcmp(authority_name_p
->string
, "NT AUTHORITY") != 0) {
341 torture_comment(tctx
, "GetUserName returned wrong user: %s, expected %s\n",
342 authority_name_p
->string
, "NT AUTHORITY");
344 if (!torture_setting_bool(tctx
, "samba3", false)) {
355 test a schannel connection with the given flags
357 static bool test_schannel(struct torture_context
*tctx
,
358 uint16_t acct_flags
, uint32_t dcerpc_flags
,
361 struct test_join
*join_ctx
;
363 const char *binding
= torture_setting_string(tctx
, "binding", NULL
);
364 struct dcerpc_binding
*b
;
365 struct dcerpc_pipe
*p
= NULL
;
366 struct dcerpc_pipe
*p_netlogon
= NULL
;
367 struct dcerpc_pipe
*p_netlogon2
= NULL
;
368 struct dcerpc_pipe
*p_netlogon3
= NULL
;
369 struct dcerpc_pipe
*p_samr2
= NULL
;
370 struct dcerpc_pipe
*p_lsa
= NULL
;
371 struct netlogon_creds_CredentialState
*creds
;
372 struct cli_credentials
*credentials
;
373 enum dcerpc_transport_t transport
;
375 join_ctx
= torture_join_domain(tctx
,
376 talloc_asprintf(tctx
, "%s%d", TEST_MACHINE_NAME
, i
),
377 acct_flags
, &credentials
);
378 torture_assert(tctx
, join_ctx
!= NULL
, "Failed to join domain");
380 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
381 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
383 status
= dcerpc_binding_set_flags(b
, dcerpc_flags
, DCERPC_AUTH_OPTIONS
);
384 torture_assert_ntstatus_ok(tctx
, status
, "set flags");
386 status
= dcerpc_pipe_connect_b(tctx
, &p
, b
, &ndr_table_samr
,
387 credentials
, tctx
->ev
, tctx
->lp_ctx
);
388 torture_assert_ntstatus_ok(tctx
, status
,
389 "Failed to connect to samr with schannel");
391 torture_assert(tctx
, test_samr_ops(tctx
, p
->binding_handle
),
392 "Failed to process schannel secured SAMR ops");
394 /* Also test that when we connect to the netlogon pipe, that
395 * the credentials we setup on the first pipe are valid for
398 /* Swap the binding details from SAMR to NETLOGON */
399 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_netlogon
, tctx
->ev
, tctx
->lp_ctx
);
400 torture_assert_ntstatus_ok(tctx
, status
, "epm map");
402 status
= dcerpc_secondary_connection(p
, &p_netlogon
,
404 torture_assert_ntstatus_ok(tctx
, status
, "secondary connection");
406 status
= dcerpc_bind_auth(p_netlogon
, &ndr_table_netlogon
,
407 credentials
, lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
408 DCERPC_AUTH_TYPE_SCHANNEL
,
409 dcerpc_auth_level(p
->conn
),
412 torture_assert_ntstatus_ok(tctx
, status
, "bind auth");
414 creds
= cli_credentials_get_netlogon_creds(credentials
);
415 torture_assert(tctx
, (creds
!= NULL
), "schannel creds");
417 /* checks the capabilities */
418 torture_assert(tctx
, test_netlogon_capabilities(p_netlogon
, tctx
, credentials
, creds
),
419 "Failed to process schannel secured capability ops (on fresh connection)");
421 /* do a couple of logins */
422 torture_assert(tctx
, test_netlogon_ops(p_netlogon
, tctx
, credentials
, creds
),
423 "Failed to process schannel secured NETLOGON ops");
425 torture_assert(tctx
, test_netlogon_ex_ops(p_netlogon
, tctx
, credentials
, creds
),
426 "Failed to process schannel secured NETLOGON EX ops");
428 /* we *MUST* use ncacn_np for openpolicy etc. */
429 transport
= dcerpc_binding_get_transport(b
);
430 status
= dcerpc_binding_set_transport(b
, NCACN_NP
);
431 torture_assert_ntstatus_ok(tctx
, status
, "set transport");
433 /* Swap the binding details from SAMR to LSARPC */
434 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_lsarpc
, tctx
->ev
, tctx
->lp_ctx
);
435 torture_assert_ntstatus_ok(tctx
, status
, "epm map");
437 torture_assert_ntstatus_ok(tctx
,
438 dcerpc_pipe_connect_b(tctx
, &p_lsa
, b
, &ndr_table_lsarpc
,
439 credentials
, tctx
->ev
, tctx
->lp_ctx
),
440 "failed to connect lsarpc with schannel");
442 torture_assert(tctx
, test_lsa_ops(tctx
, p_lsa
),
443 "Failed to process schannel secured LSA ops");
448 /* we *MUST* use ncacn_ip_tcp for lookupsids3/lookupnames4 */
449 status
= dcerpc_binding_set_transport(b
, NCACN_IP_TCP
);
450 torture_assert_ntstatus_ok(tctx
, status
, "set transport");
452 torture_assert_ntstatus_ok(tctx
,
453 dcerpc_epm_map_binding(tctx
, b
, &ndr_table_lsarpc
, tctx
->ev
, tctx
->lp_ctx
),
454 "failed to call epm map");
456 torture_assert_ntstatus_ok(tctx
,
457 dcerpc_pipe_connect_b(tctx
, &p_lsa
, b
, &ndr_table_lsarpc
,
458 credentials
, tctx
->ev
, tctx
->lp_ctx
),
459 "failed to connect lsarpc with schannel");
462 test_many_LookupSids(p_lsa
, tctx
, NULL
),
463 "LsaLookupSids3 failed!\n");
465 status
= dcerpc_binding_set_transport(b
, transport
);
466 torture_assert_ntstatus_ok(tctx
, status
, "set transport");
469 /* Drop the socket, we want to start from scratch */
473 /* Now see what we are still allowed to do */
475 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
476 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
478 status
= dcerpc_binding_set_flags(b
, dcerpc_flags
, DCERPC_AUTH_OPTIONS
);
479 torture_assert_ntstatus_ok(tctx
, status
, "set flags");
481 status
= dcerpc_pipe_connect_b(tctx
, &p_samr2
, b
, &ndr_table_samr
,
482 credentials
, tctx
->ev
, tctx
->lp_ctx
);
483 torture_assert_ntstatus_ok(tctx
, status
,
484 "Failed to connect with schannel");
486 /* do a some SAMR operations. We have *not* done a new serverauthenticate */
487 torture_assert (tctx
, test_samr_ops(tctx
, p_samr2
->binding_handle
),
488 "Failed to process schannel secured SAMR ops (on fresh connection)");
490 /* Swap the binding details from SAMR to NETLOGON */
491 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_netlogon
, tctx
->ev
, tctx
->lp_ctx
);
492 torture_assert_ntstatus_ok(tctx
, status
, "epm");
494 status
= dcerpc_secondary_connection(p_samr2
, &p_netlogon2
,
496 torture_assert_ntstatus_ok(tctx
, status
, "secondary connection");
498 /* and now setup an SCHANNEL bind on netlogon */
499 status
= dcerpc_bind_auth(p_netlogon2
, &ndr_table_netlogon
,
500 credentials
, lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
501 DCERPC_AUTH_TYPE_SCHANNEL
,
502 dcerpc_auth_level(p_samr2
->conn
),
505 torture_assert_ntstatus_ok(tctx
, status
, "auth failed");
507 /* checks the capabilities */
508 torture_assert(tctx
, test_netlogon_capabilities(p_netlogon2
, tctx
, credentials
, creds
),
509 "Failed to process schannel secured capability ops (on fresh connection)");
511 /* Try the schannel-only SamLogonEx operation */
512 torture_assert(tctx
, test_netlogon_ex_ops(p_netlogon2
, tctx
, credentials
, creds
),
513 "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
516 /* And the more traditional style, proving that the
517 * credentials chaining state is fully present */
518 torture_assert(tctx
, test_netlogon_ops(p_netlogon2
, tctx
, credentials
, creds
),
519 "Failed to process schannel secured NETLOGON ops (on fresh connection)");
521 /* Drop the socket, we want to start from scratch (again) */
522 talloc_free(p_samr2
);
524 /* We don't want schannel for this test */
525 status
= dcerpc_binding_set_flags(b
, 0, DCERPC_AUTH_OPTIONS
);
526 torture_assert_ntstatus_ok(tctx
, status
, "set flags");
528 status
= dcerpc_pipe_connect_b(tctx
, &p_netlogon3
, b
, &ndr_table_netlogon
,
529 credentials
, tctx
->ev
, tctx
->lp_ctx
);
530 torture_assert_ntstatus_ok(tctx
, status
, "Failed to connect without schannel");
532 torture_assert(tctx
, !test_netlogon_ex_ops(p_netlogon3
, tctx
, credentials
, creds
),
533 "Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
535 /* Required because the previous call will mark the current context as having failed */
536 tctx
->last_result
= TORTURE_OK
;
537 tctx
->last_reason
= NULL
;
539 torture_assert(tctx
, test_netlogon_ops(p_netlogon3
, tctx
, credentials
, creds
),
540 "Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
542 torture_leave_domain(tctx
, join_ctx
);
547 * Purpose of this test is to demonstrate that a netlogon server carefully deals
548 * with anonymous attempts to set passwords, in particular when the server
549 * enforces the use of schannel. This test makes most sense to be run in an
550 * environment where the netlogon server enforces use of schannel.
553 static bool test_schannel_anonymous_setPassword(struct torture_context
*tctx
,
554 uint32_t dcerpc_flags
,
557 struct test_join
*join_ctx
;
558 NTSTATUS status
, result
;
559 const char *binding
= torture_setting_string(tctx
, "binding", NULL
);
560 struct dcerpc_binding
*b
;
561 struct dcerpc_pipe
*p
= NULL
;
562 struct cli_credentials
*credentials
;
565 credentials
= cli_credentials_init(NULL
);
566 torture_assert(tctx
, credentials
!= NULL
, "Bad credentials");
567 cli_credentials_set_anonymous(credentials
);
569 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
570 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
572 status
= dcerpc_binding_set_flags(b
, dcerpc_flags
, DCERPC_AUTH_OPTIONS
);
573 torture_assert_ntstatus_ok(tctx
, status
, "set flags");
575 status
= dcerpc_pipe_connect_b(tctx
,
582 torture_assert_ntstatus_ok(tctx
, status
, "Failed to connect without schannel");
585 struct netr_ServerPasswordSet2 r
= {};
586 struct netr_Authenticator credential
= {};
587 struct netr_Authenticator return_authenticator
= {};
588 struct netr_CryptPassword new_password
= {};
590 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
591 r
.in
.account_name
= talloc_asprintf(tctx
, "%s$", TEST_MACHINE_NAME
);
592 r
.in
.secure_channel_type
= 0;
593 r
.in
.computer_name
= TEST_MACHINE_NAME
;
594 r
.in
.credential
= &credential
;
595 r
.in
.new_password
= &new_password
;
596 r
.out
.return_authenticator
= &return_authenticator
;
598 status
= dcerpc_netr_ServerPasswordSet2_r(p
->binding_handle
, tctx
, &r
);
599 result
= r
.out
.result
;
601 struct netr_ServerPasswordSet r
= {};
602 struct netr_Authenticator credential
= {};
603 struct netr_Authenticator return_authenticator
= {};
604 struct samr_Password new_password
= {};
606 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
607 r
.in
.account_name
= talloc_asprintf(tctx
, "%s$", TEST_MACHINE_NAME
);
608 r
.in
.secure_channel_type
= 0;
609 r
.in
.computer_name
= TEST_MACHINE_NAME
;
610 r
.in
.credential
= &credential
;
611 r
.in
.new_password
= &new_password
;
612 r
.out
.return_authenticator
= &return_authenticator
;
614 status
= dcerpc_netr_ServerPasswordSet_r(p
->binding_handle
, tctx
, &r
);
615 result
= r
.out
.result
;
618 torture_assert_ntstatus_ok(tctx
, status
, "ServerPasswordSet failed");
620 if (NT_STATUS_IS_OK(result
)) {
621 torture_fail(tctx
, "unexpectedly received NT_STATUS_OK");
629 a schannel test suite
631 bool torture_rpc_schannel(struct torture_context
*torture
)
636 uint32_t dcerpc_flags
;
638 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_AUTO
},
639 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_AUTO
},
640 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_128
},
641 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_128
},
642 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_AES
},
643 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_AES
},
644 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_AUTO
},
645 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_AUTO
},
646 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_128
},
647 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_128
},
648 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_AES
},
649 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_AES
}
653 for (i
=0;i
<ARRAY_SIZE(tests
);i
++) {
654 torture_comment(torture
, "Testing with acct_flags=0x%x dcerpc_flags=0x%x \n",
655 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
);
657 if (!test_schannel(torture
,
658 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
,
660 torture_comment(torture
, "Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
661 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
);
669 bool torture_rpc_schannel_anon_setpw(struct torture_context
*torture
)
673 uint32_t dcerpc_flags
= DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_AUTO
;
675 ok
= test_schannel_anonymous_setPassword(torture
,
679 torture_comment(torture
,
680 "Failed with dcerpc_flags=0x%x\n",
685 ok
= test_schannel_anonymous_setPassword(torture
,
689 torture_comment(torture
,
690 "Failed with dcerpc_flags=0x%x\n",
699 test two schannel connections
701 bool torture_rpc_schannel2(struct torture_context
*torture
)
703 struct test_join
*join_ctx
;
705 const char *binding
= torture_setting_string(torture
, "binding", NULL
);
706 struct dcerpc_binding
*b
;
707 struct dcerpc_pipe
*p1
= NULL
, *p2
= NULL
;
708 struct cli_credentials
*credentials1
, *credentials2
;
709 uint32_t dcerpc_flags
= DCERPC_SCHANNEL
| DCERPC_SIGN
;
711 join_ctx
= torture_join_domain(torture
, talloc_asprintf(torture
, "%s2", TEST_MACHINE_NAME
),
712 ACB_WSTRUST
, &credentials1
);
713 torture_assert(torture
, join_ctx
!= NULL
,
714 "Failed to join domain with acct_flags=ACB_WSTRUST");
716 credentials2
= cli_credentials_shallow_copy(torture
, credentials1
);
717 cli_credentials_set_netlogon_creds(credentials1
, NULL
);
718 cli_credentials_set_netlogon_creds(credentials2
, NULL
);
720 status
= dcerpc_parse_binding(torture
, binding
, &b
);
721 torture_assert_ntstatus_ok(torture
, status
, "Bad binding string");
723 status
= dcerpc_binding_set_flags(b
, dcerpc_flags
, DCERPC_AUTH_OPTIONS
);
724 torture_assert_ntstatus_ok(torture
, status
, "set flags");
726 torture_comment(torture
, "Opening first connection\n");
727 status
= dcerpc_pipe_connect_b(torture
, &p1
, b
, &ndr_table_netlogon
,
728 credentials1
, torture
->ev
, torture
->lp_ctx
);
729 torture_assert_ntstatus_ok(torture
, status
, "Failed to connect with schannel");
731 torture_comment(torture
, "Opening second connection\n");
732 status
= dcerpc_pipe_connect_b(torture
, &p2
, b
, &ndr_table_netlogon
,
733 credentials2
, torture
->ev
, torture
->lp_ctx
);
734 torture_assert_ntstatus_ok(torture
, status
, "Failed to connect with schannel");
736 cli_credentials_set_netlogon_creds(credentials1
, NULL
);
737 cli_credentials_set_netlogon_creds(credentials2
, NULL
);
739 torture_comment(torture
, "Testing logon on pipe1\n");
740 if (!test_netlogon_ex_ops(p1
, torture
, credentials1
, NULL
))
743 torture_comment(torture
, "Testing logon on pipe2\n");
744 if (!test_netlogon_ex_ops(p2
, torture
, credentials2
, NULL
))
747 torture_comment(torture
, "Again on pipe1\n");
748 if (!test_netlogon_ex_ops(p1
, torture
, credentials1
, NULL
))
751 torture_comment(torture
, "Again on pipe2\n");
752 if (!test_netlogon_ex_ops(p2
, torture
, credentials2
, NULL
))
755 torture_leave_domain(torture
, join_ctx
);
759 struct torture_schannel_bench
;
761 struct torture_schannel_bench_conn
{
762 struct torture_schannel_bench
*s
;
764 struct cli_credentials
*wks_creds
;
765 struct dcerpc_pipe
*pipe
;
766 struct netr_LogonSamLogonEx r
;
767 struct netr_NetworkInfo ninfo
;
773 struct torture_schannel_bench
{
774 struct torture_context
*tctx
;
779 struct torture_schannel_bench_conn
*conns
;
780 struct test_join
*join_ctx1
;
781 struct cli_credentials
*wks_creds1
;
782 struct test_join
*join_ctx2
;
783 struct cli_credentials
*wks_creds2
;
784 struct cli_credentials
*user1_creds
;
785 struct cli_credentials
*user2_creds
;
786 struct dcerpc_binding
*b
;
793 static void torture_schannel_bench_connected(struct composite_context
*c
)
795 struct torture_schannel_bench_conn
*conn
=
796 (struct torture_schannel_bench_conn
*)c
->async
.private_data
;
797 struct torture_schannel_bench
*s
= talloc_get_type(conn
->s
,
798 struct torture_schannel_bench
);
800 s
->error
= dcerpc_pipe_connect_b_recv(c
, s
->conns
, &conn
->pipe
);
801 torture_comment(s
->tctx
, "conn[%u]: %s\n", conn
->index
, nt_errstr(s
->error
));
802 if (NT_STATUS_IS_OK(s
->error
)) {
807 static void torture_schannel_bench_recv(struct tevent_req
*subreq
);
809 static bool torture_schannel_bench_start(struct torture_schannel_bench_conn
*conn
)
811 struct torture_schannel_bench
*s
= conn
->s
;
813 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
814 int flags
= CLI_CRED_NTLM_AUTH
;
815 struct tevent_req
*subreq
;
816 struct cli_credentials
*user_creds
;
818 if (conn
->total
% 2) {
819 user_creds
= s
->user1_creds
;
821 user_creds
= s
->user2_creds
;
824 if (lpcfg_client_lanman_auth(s
->tctx
->lp_ctx
)) {
825 flags
|= CLI_CRED_LANMAN_AUTH
;
828 if (lpcfg_client_ntlmv2_auth(s
->tctx
->lp_ctx
)) {
829 flags
|= CLI_CRED_NTLMv2_AUTH
;
832 talloc_free(conn
->tmp
);
833 conn
->tmp
= talloc_new(s
);
834 ZERO_STRUCT(conn
->ninfo
);
835 ZERO_STRUCT(conn
->r
);
837 cli_credentials_get_ntlm_username_domain(user_creds
, conn
->tmp
,
838 &conn
->ninfo
.identity_info
.account_name
.string
,
839 &conn
->ninfo
.identity_info
.domain_name
.string
);
841 generate_random_buffer(conn
->ninfo
.challenge
,
842 sizeof(conn
->ninfo
.challenge
));
843 chal
= data_blob_const(conn
->ninfo
.challenge
,
844 sizeof(conn
->ninfo
.challenge
));
846 names_blob
= NTLMv2_generate_names_blob(conn
->tmp
,
847 cli_credentials_get_workstation(conn
->wks_creds
),
848 cli_credentials_get_domain(conn
->wks_creds
));
850 status
= cli_credentials_get_ntlm_response(user_creds
, conn
->tmp
,
856 torture_assert_ntstatus_ok(s
->tctx
, status
,
857 "cli_credentials_get_ntlm_response failed");
859 conn
->ninfo
.lm
.data
= lm_resp
.data
;
860 conn
->ninfo
.lm
.length
= lm_resp
.length
;
862 conn
->ninfo
.nt
.data
= nt_resp
.data
;
863 conn
->ninfo
.nt
.length
= nt_resp
.length
;
865 conn
->ninfo
.identity_info
.parameter_control
= 0;
866 conn
->ninfo
.identity_info
.logon_id_low
= 0;
867 conn
->ninfo
.identity_info
.logon_id_high
= 0;
868 conn
->ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(conn
->wks_creds
);
870 conn
->r
.in
.server_name
= talloc_asprintf(conn
->tmp
, "\\\\%s", dcerpc_server_name(conn
->pipe
));
871 conn
->r
.in
.computer_name
= cli_credentials_get_workstation(conn
->wks_creds
);
872 conn
->r
.in
.logon_level
= NetlogonNetworkInformation
;
873 conn
->r
.in
.logon
= talloc(conn
->tmp
, union netr_LogonLevel
);
874 conn
->r
.in
.logon
->network
= &conn
->ninfo
;
875 conn
->r
.in
.flags
= talloc(conn
->tmp
, uint32_t);
876 conn
->r
.in
.validation_level
= 2;
877 conn
->r
.out
.validation
= talloc(conn
->tmp
, union netr_Validation
);
878 conn
->r
.out
.authoritative
= talloc(conn
->tmp
, uint8_t);
879 conn
->r
.out
.flags
= conn
->r
.in
.flags
;
881 subreq
= dcerpc_netr_LogonSamLogonEx_r_send(s
, s
->tctx
->ev
,
882 conn
->pipe
->binding_handle
,
884 torture_assert(s
->tctx
, subreq
, "Failed to setup LogonSamLogonEx request");
886 tevent_req_set_callback(subreq
, torture_schannel_bench_recv
, conn
);
891 static void torture_schannel_bench_recv(struct tevent_req
*subreq
)
894 struct torture_schannel_bench_conn
*conn
=
895 (struct torture_schannel_bench_conn
*)tevent_req_callback_data_void(subreq
);
896 struct torture_schannel_bench
*s
= talloc_get_type(conn
->s
,
897 struct torture_schannel_bench
);
899 s
->error
= dcerpc_netr_LogonSamLogonEx_r_recv(subreq
, subreq
);
901 if (!NT_STATUS_IS_OK(s
->error
)) {
912 ret
= torture_schannel_bench_start(conn
);
914 s
->error
= NT_STATUS_INTERNAL_ERROR
;
919 test multiple schannel connection in parallel
921 bool torture_rpc_schannel_bench1(struct torture_context
*torture
)
925 const char *binding
= torture_setting_string(torture
, "binding", NULL
);
926 struct torture_schannel_bench
*s
;
927 struct timeval start
;
932 s
= talloc_zero(torture
, struct torture_schannel_bench
);
934 s
->progress
= torture_setting_bool(torture
, "progress", true);
935 s
->timelimit
= torture_setting_int(torture
, "timelimit", 10);
936 s
->nprocs
= torture_setting_int(torture
, "nprocs", 4);
937 s
->conns
= talloc_zero_array(s
, struct torture_schannel_bench_conn
, s
->nprocs
);
939 s
->user1_creds
= cli_credentials_shallow_copy(s
, cmdline_credentials
);
940 tmp
= torture_setting_string(s
->tctx
, "extra_user1", NULL
);
942 cli_credentials_parse_string(s
->user1_creds
, tmp
, CRED_SPECIFIED
);
944 s
->user2_creds
= cli_credentials_shallow_copy(s
, cmdline_credentials
);
945 tmp
= torture_setting_string(s
->tctx
, "extra_user2", NULL
);
947 cli_credentials_parse_string(s
->user1_creds
, tmp
, CRED_SPECIFIED
);
950 s
->join_ctx1
= torture_join_domain(s
->tctx
, talloc_asprintf(s
, "%sb", TEST_MACHINE_NAME
),
951 ACB_WSTRUST
, &s
->wks_creds1
);
952 torture_assert(torture
, s
->join_ctx1
!= NULL
,
953 "Failed to join domain with acct_flags=ACB_WSTRUST");
954 s
->join_ctx2
= torture_join_domain(s
->tctx
, talloc_asprintf(s
, "%sc", TEST_MACHINE_NAME
),
955 ACB_WSTRUST
, &s
->wks_creds2
);
956 torture_assert(torture
, s
->join_ctx2
!= NULL
,
957 "Failed to join domain with acct_flags=ACB_WSTRUST");
959 cli_credentials_set_kerberos_state(s
->wks_creds1
, CRED_DONT_USE_KERBEROS
);
960 cli_credentials_set_kerberos_state(s
->wks_creds2
, CRED_DONT_USE_KERBEROS
);
962 for (i
=0; i
< s
->nprocs
; i
++) {
963 struct cli_credentials
*wks
= s
->wks_creds1
;
965 if ((i
% 2) && (torture_setting_bool(torture
, "multijoin", false))) {
970 s
->conns
[i
].index
= i
;
971 s
->conns
[i
].wks_creds
= cli_credentials_shallow_copy(s
->conns
, wks
);
972 cli_credentials_set_netlogon_creds(s
->conns
[i
].wks_creds
, NULL
);
975 status
= dcerpc_parse_binding(s
, binding
, &s
->b
);
976 torture_assert_ntstatus_ok(torture
, status
, "Bad binding string");
978 status
= dcerpc_binding_set_flags(s
->b
, DCERPC_SCHANNEL
| DCERPC_SIGN
,
979 DCERPC_AUTH_OPTIONS
);
980 torture_assert_ntstatus_ok(torture
, status
, "set flags");
982 torture_comment(torture
, "Opening %d connections in parallel\n", s
->nprocs
);
983 for (i
=0; i
< s
->nprocs
; i
++) {
985 s
->error
= dcerpc_pipe_connect_b(s
->conns
, &s
->conns
[i
].pipe
, s
->b
,
987 s
->conns
[i
].wks_creds
,
988 torture
->ev
, torture
->lp_ctx
);
989 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed to connect with schannel");
992 * This path doesn't work against windows,
993 * because of windows drops the connections
994 * which haven't reached a session setup yet
996 * The same as the reset on zero vc stuff.
998 struct composite_context
*c
;
999 c
= dcerpc_pipe_connect_b_send(s
->conns
, s
->b
,
1000 &ndr_table_netlogon
,
1001 s
->conns
[i
].wks_creds
,
1004 torture_assert(torture
, c
!= NULL
, "Failed to setup connect");
1005 c
->async
.fn
= torture_schannel_bench_connected
;
1006 c
->async
.private_data
= &s
->conns
[i
];
1009 while (NT_STATUS_IS_OK(s
->error
) && s
->nprocs
!= s
->nconns
) {
1010 int ev_ret
= tevent_loop_once(torture
->ev
);
1011 torture_assert(torture
, ev_ret
== 0, "tevent_loop_once failed");
1014 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed establish a connect");
1017 * Change the workstation password after establishing the netlogon
1018 * schannel connections to prove that existing connections are not
1019 * affected by a wks pwchange.
1023 struct netr_ServerPasswordSet pwset
;
1024 char *password
= generate_random_password(s
->join_ctx1
, 8, 255);
1025 struct netlogon_creds_CredentialState
*creds_state
;
1026 struct dcerpc_pipe
*net_pipe
;
1027 struct netr_Authenticator credential
, return_authenticator
;
1028 struct samr_Password new_password
;
1030 status
= dcerpc_pipe_connect_b(s
, &net_pipe
, s
->b
,
1031 &ndr_table_netlogon
,
1033 torture
->ev
, torture
->lp_ctx
);
1035 torture_assert_ntstatus_ok(torture
, status
,
1036 "dcerpc_pipe_connect_b failed");
1038 pwset
.in
.server_name
= talloc_asprintf(
1039 net_pipe
, "\\\\%s", dcerpc_server_name(net_pipe
));
1040 pwset
.in
.computer_name
=
1041 cli_credentials_get_workstation(s
->wks_creds1
);
1042 pwset
.in
.account_name
= talloc_asprintf(
1043 net_pipe
, "%s$", pwset
.in
.computer_name
);
1044 pwset
.in
.secure_channel_type
= SEC_CHAN_WKSTA
;
1045 pwset
.in
.credential
= &credential
;
1046 pwset
.in
.new_password
= &new_password
;
1047 pwset
.out
.return_authenticator
= &return_authenticator
;
1049 E_md4hash(password
, new_password
.hash
);
1051 creds_state
= cli_credentials_get_netlogon_creds(
1053 netlogon_creds_des_encrypt(creds_state
, &new_password
);
1054 netlogon_creds_client_authenticator(creds_state
, &credential
);
1056 torture_assert_ntstatus_ok(torture
, dcerpc_netr_ServerPasswordSet_r(net_pipe
->binding_handle
, torture
, &pwset
),
1057 "ServerPasswordSet failed");
1058 torture_assert_ntstatus_ok(torture
, pwset
.out
.result
,
1059 "ServerPasswordSet failed");
1061 if (!netlogon_creds_client_check(creds_state
,
1062 &pwset
.out
.return_authenticator
->cred
)) {
1063 torture_comment(torture
, "Credential chaining failed\n");
1066 cli_credentials_set_password(s
->wks_creds1
, password
,
1069 talloc_free(net_pipe
);
1071 /* Just as a test, connect with the new creds */
1073 cli_credentials_set_netlogon_creds(s
->wks_creds1
, NULL
);
1075 status
= dcerpc_pipe_connect_b(s
, &net_pipe
, s
->b
,
1076 &ndr_table_netlogon
,
1078 torture
->ev
, torture
->lp_ctx
);
1080 torture_assert_ntstatus_ok(torture
, status
,
1081 "dcerpc_pipe_connect_b failed");
1083 talloc_free(net_pipe
);
1086 torture_comment(torture
, "Start looping LogonSamLogonEx on %d connections for %d secs\n",
1087 s
->nprocs
, s
->timelimit
);
1088 for (i
=0; i
< s
->nprocs
; i
++) {
1089 ret
= torture_schannel_bench_start(&s
->conns
[i
]);
1090 torture_assert(torture
, ret
, "Failed to setup LogonSamLogonEx");
1093 start
= timeval_current();
1094 end
= timeval_add(&start
, s
->timelimit
, 0);
1096 while (NT_STATUS_IS_OK(s
->error
) && !timeval_expired(&end
)) {
1097 int ev_ret
= tevent_loop_once(torture
->ev
);
1098 torture_assert(torture
, ev_ret
== 0, "tevent_loop_once failed");
1100 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed some request");
1102 talloc_free(s
->conns
);
1104 for (i
=0; i
< s
->nprocs
; i
++) {
1105 s
->total
+= s
->conns
[i
].total
;
1108 torture_comment(torture
,
1109 "Total ops[%llu] (%u ops/s)\n",
1110 (unsigned long long)s
->total
,
1111 (unsigned)s
->total
/s
->timelimit
);
1113 torture_leave_domain(torture
, s
->join_ctx1
);
1114 torture_leave_domain(torture
, s
->join_ctx2
);