2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
9 Copyright (C) Matthias Dieter Wallnöfer 2009-2010
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "lib/events/events.h"
27 #include "lib/cmdline/popt_common.h"
28 #include "torture/rpc/torture_rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_lsa_c.h"
33 #include "param/param.h"
34 #include "libcli/security/security.h"
36 #include "lib/util/util_ldb.h"
38 #include "lib/replace/system/network.h"
39 #include "dsdb/samdb/samdb.h"
41 #define TEST_MACHINE_NAME "torturetest"
43 static bool test_netr_broken_binding_handle(struct torture_context
*tctx
,
44 struct dcerpc_pipe
*p
)
47 struct netr_DsRGetSiteName r
;
48 const char *site
= NULL
;
49 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
51 r
.in
.computer_name
= talloc_asprintf(tctx
, "\\\\%s",
52 dcerpc_server_name(p
));
56 "Testing netlogon request with correct binding handle: %s\n",
59 status
= dcerpc_netr_DsRGetSiteName_r(b
, tctx
, &r
);
60 torture_assert_ntstatus_ok(tctx
, status
,
61 "Netlogon request with broken binding handle");
62 torture_assert_werr_ok(tctx
, r
.out
.result
,
63 "Netlogon request with broken binding handle");
65 if (torture_setting_bool(tctx
, "samba3", false) ||
66 torture_setting_bool(tctx
, "samba4", false)) {
68 "Skipping broken binding handle check against Samba");
71 r
.in
.computer_name
= talloc_asprintf(tctx
, "\\\\\\\\%s",
72 dcerpc_server_name(p
));
75 "Testing netlogon request with broken binding handle: %s\n",
78 status
= dcerpc_netr_DsRGetSiteName_r(b
, tctx
, &r
);
79 torture_assert_ntstatus_ok(tctx
, status
,
80 "Netlogon request with broken binding handle");
81 torture_assert_werr_equal(tctx
, r
.out
.result
,
82 WERR_INVALID_COMPUTERNAME
,
83 "Netlogon request with broken binding handle");
85 r
.in
.computer_name
= "\\\\\\\\THIS_IS_NOT_VALID";
88 "Testing netlogon request with broken binding handle: %s\n",
91 status
= dcerpc_netr_DsRGetSiteName_r(b
, tctx
, &r
);
92 torture_assert_ntstatus_ok(tctx
, status
,
93 "Netlogon request with broken binding handle");
94 torture_assert_werr_equal(tctx
, r
.out
.result
,
95 WERR_INVALID_COMPUTERNAME
,
96 "Netlogon request with broken binding handle");
101 static bool test_LogonUasLogon(struct torture_context
*tctx
,
102 struct dcerpc_pipe
*p
)
105 struct netr_LogonUasLogon r
;
106 struct netr_UasInfo
*info
= NULL
;
107 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
109 r
.in
.server_name
= NULL
;
110 r
.in
.account_name
= cli_credentials_get_username(cmdline_credentials
);
111 r
.in
.workstation
= TEST_MACHINE_NAME
;
114 status
= dcerpc_netr_LogonUasLogon_r(b
, tctx
, &r
);
115 torture_assert_ntstatus_ok(tctx
, status
, "LogonUasLogon");
120 static bool test_LogonUasLogoff(struct torture_context
*tctx
,
121 struct dcerpc_pipe
*p
)
124 struct netr_LogonUasLogoff r
;
125 struct netr_UasLogoffInfo info
;
126 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
128 r
.in
.server_name
= NULL
;
129 r
.in
.account_name
= cli_credentials_get_username(cmdline_credentials
);
130 r
.in
.workstation
= TEST_MACHINE_NAME
;
133 status
= dcerpc_netr_LogonUasLogoff_r(b
, tctx
, &r
);
134 torture_assert_ntstatus_ok(tctx
, status
, "LogonUasLogoff");
139 bool test_SetupCredentials(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
140 struct cli_credentials
*credentials
,
141 struct netlogon_creds_CredentialState
**creds_out
)
143 struct netr_ServerReqChallenge r
;
144 struct netr_ServerAuthenticate a
;
145 struct netr_Credential credentials1
, credentials2
, credentials3
;
146 struct netlogon_creds_CredentialState
*creds
;
147 const struct samr_Password
*mach_password
;
148 const char *machine_name
;
149 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
151 mach_password
= cli_credentials_get_nt_hash(credentials
, tctx
);
152 machine_name
= cli_credentials_get_workstation(credentials
);
154 torture_comment(tctx
, "Testing ServerReqChallenge\n");
156 r
.in
.server_name
= NULL
;
157 r
.in
.computer_name
= machine_name
;
158 r
.in
.credentials
= &credentials1
;
159 r
.out
.return_credentials
= &credentials2
;
161 generate_random_buffer(credentials1
.data
, sizeof(credentials1
.data
));
163 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerReqChallenge_r(b
, tctx
, &r
),
164 "ServerReqChallenge failed");
165 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerReqChallenge failed");
167 a
.in
.server_name
= NULL
;
168 a
.in
.account_name
= talloc_asprintf(tctx
, "%s$", machine_name
);
169 a
.in
.secure_channel_type
= cli_credentials_get_secure_channel_type(credentials
);
170 a
.in
.computer_name
= machine_name
;
171 a
.in
.credentials
= &credentials3
;
172 a
.out
.return_credentials
= &credentials3
;
174 creds
= netlogon_creds_client_init(tctx
, a
.in
.account_name
,
176 a
.in
.secure_channel_type
,
177 &credentials1
, &credentials2
,
178 mach_password
, &credentials3
,
180 torture_assert(tctx
, creds
!= NULL
, "memory allocation");
183 torture_comment(tctx
, "Testing ServerAuthenticate\n");
185 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerAuthenticate_r(b
, tctx
, &a
),
186 "ServerAuthenticate failed");
188 /* This allows the tests to continue against the more fussy windows 2008 */
189 if (NT_STATUS_EQUAL(a
.out
.result
, NT_STATUS_DOWNGRADE_DETECTED
)) {
190 return test_SetupCredentials2(p
, tctx
, NETLOGON_NEG_AUTH2_ADS_FLAGS
,
192 cli_credentials_get_secure_channel_type(credentials
),
196 torture_assert_ntstatus_ok(tctx
, a
.out
.result
, "ServerAuthenticate");
198 torture_assert(tctx
, netlogon_creds_client_check(creds
, &credentials3
),
199 "Credential chaining failed");
205 bool test_SetupCredentials2ex(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
206 uint32_t negotiate_flags
,
207 struct cli_credentials
*machine_credentials
,
208 const char *computer_name
,
209 enum netr_SchannelType sec_chan_type
,
210 NTSTATUS expected_result
,
211 struct netlogon_creds_CredentialState
**creds_out
)
213 struct netr_ServerReqChallenge r
;
214 struct netr_ServerAuthenticate2 a
;
215 struct netr_Credential credentials1
, credentials2
, credentials3
;
216 struct netlogon_creds_CredentialState
*creds
;
217 const struct samr_Password
*mach_password
;
218 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
219 const char *account_name
= cli_credentials_get_username(machine_credentials
);
221 mach_password
= cli_credentials_get_nt_hash(machine_credentials
, tctx
);
223 torture_comment(tctx
, "Testing ServerReqChallenge\n");
225 r
.in
.server_name
= NULL
;
226 r
.in
.computer_name
= computer_name
;
227 r
.in
.credentials
= &credentials1
;
228 r
.out
.return_credentials
= &credentials2
;
230 generate_random_buffer(credentials1
.data
, sizeof(credentials1
.data
));
232 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerReqChallenge_r(b
, tctx
, &r
),
233 "ServerReqChallenge failed");
234 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerReqChallenge failed");
236 a
.in
.server_name
= NULL
;
237 a
.in
.account_name
= account_name
;
238 a
.in
.secure_channel_type
= sec_chan_type
;
239 a
.in
.computer_name
= computer_name
;
240 a
.in
.negotiate_flags
= &negotiate_flags
;
241 a
.out
.negotiate_flags
= &negotiate_flags
;
242 a
.in
.credentials
= &credentials3
;
243 a
.out
.return_credentials
= &credentials3
;
245 creds
= netlogon_creds_client_init(tctx
, a
.in
.account_name
,
247 a
.in
.secure_channel_type
,
248 &credentials1
, &credentials2
,
249 mach_password
, &credentials3
,
252 torture_assert(tctx
, creds
!= NULL
, "memory allocation");
254 torture_comment(tctx
, "Testing ServerAuthenticate2\n");
256 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerAuthenticate2_r(b
, tctx
, &a
),
257 "ServerAuthenticate2 failed");
258 torture_assert_ntstatus_equal(tctx
, a
.out
.result
, expected_result
,
259 "ServerAuthenticate2 unexpected");
261 if (NT_STATUS_IS_OK(expected_result
)) {
262 torture_assert(tctx
, netlogon_creds_client_check(creds
, &credentials3
),
263 "Credential chaining failed");
265 torture_assert(tctx
, !netlogon_creds_client_check(creds
, &credentials3
),
266 "Credential chaining passed unexptected");
269 torture_comment(tctx
, "negotiate_flags=0x%08x\n", negotiate_flags
);
275 bool test_SetupCredentials2(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
276 uint32_t negotiate_flags
,
277 struct cli_credentials
*machine_credentials
,
278 enum netr_SchannelType sec_chan_type
,
279 struct netlogon_creds_CredentialState
**creds_out
)
281 const char *computer_name
=
282 cli_credentials_get_workstation(machine_credentials
);
284 return test_SetupCredentials2ex(p
, tctx
, negotiate_flags
,
292 bool test_SetupCredentials3(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
293 uint32_t negotiate_flags
,
294 struct cli_credentials
*machine_credentials
,
295 struct netlogon_creds_CredentialState
**creds_out
)
297 struct netr_ServerReqChallenge r
;
298 struct netr_ServerAuthenticate3 a
;
299 struct netr_Credential credentials1
, credentials2
, credentials3
;
300 struct netlogon_creds_CredentialState
*creds
;
301 struct samr_Password mach_password
;
303 const char *machine_name
;
304 const char *plain_pass
;
305 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
307 machine_name
= cli_credentials_get_workstation(machine_credentials
);
308 plain_pass
= cli_credentials_get_password(machine_credentials
);
310 torture_comment(tctx
, "Testing ServerReqChallenge\n");
312 r
.in
.server_name
= NULL
;
313 r
.in
.computer_name
= machine_name
;
314 r
.in
.credentials
= &credentials1
;
315 r
.out
.return_credentials
= &credentials2
;
317 generate_random_buffer(credentials1
.data
, sizeof(credentials1
.data
));
319 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerReqChallenge_r(b
, tctx
, &r
),
320 "ServerReqChallenge failed");
321 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerReqChallenge failed");
323 E_md4hash(plain_pass
, mach_password
.hash
);
325 a
.in
.server_name
= NULL
;
326 a
.in
.account_name
= talloc_asprintf(tctx
, "%s$", machine_name
);
327 a
.in
.secure_channel_type
= cli_credentials_get_secure_channel_type(machine_credentials
);
328 a
.in
.computer_name
= machine_name
;
329 a
.in
.negotiate_flags
= &negotiate_flags
;
330 a
.in
.credentials
= &credentials3
;
331 a
.out
.return_credentials
= &credentials3
;
332 a
.out
.negotiate_flags
= &negotiate_flags
;
335 creds
= netlogon_creds_client_init(tctx
, a
.in
.account_name
,
337 a
.in
.secure_channel_type
,
338 &credentials1
, &credentials2
,
339 &mach_password
, &credentials3
,
342 torture_assert(tctx
, creds
!= NULL
, "memory allocation");
344 torture_comment(tctx
, "Testing ServerAuthenticate3\n");
346 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerAuthenticate3_r(b
, tctx
, &a
),
347 "ServerAuthenticate3 failed");
348 torture_assert_ntstatus_ok(tctx
, a
.out
.result
, "ServerAuthenticate3 failed");
349 torture_assert(tctx
, netlogon_creds_client_check(creds
, &credentials3
), "Credential chaining failed");
351 torture_comment(tctx
, "negotiate_flags=0x%08x\n", negotiate_flags
);
353 /* Prove that requesting a challenge again won't break it */
354 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerReqChallenge_r(b
, tctx
, &r
),
355 "ServerReqChallenge failed");
356 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerReqChallenge failed");
363 try a change password for our machine account
365 static bool test_SetPassword(struct torture_context
*tctx
,
366 struct dcerpc_pipe
*p
,
367 struct cli_credentials
*machine_credentials
)
369 struct netr_ServerPasswordSet r
;
370 const char *password
;
371 struct netlogon_creds_CredentialState
*creds
;
372 struct netr_Authenticator credential
, return_authenticator
;
373 struct samr_Password new_password
;
374 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
376 if (!test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
)) {
380 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
381 r
.in
.account_name
= talloc_asprintf(tctx
, "%s$", TEST_MACHINE_NAME
);
382 r
.in
.secure_channel_type
= cli_credentials_get_secure_channel_type(machine_credentials
);
383 r
.in
.computer_name
= TEST_MACHINE_NAME
;
384 r
.in
.credential
= &credential
;
385 r
.in
.new_password
= &new_password
;
386 r
.out
.return_authenticator
= &return_authenticator
;
388 password
= generate_random_password(tctx
, 8, 255);
389 E_md4hash(password
, new_password
.hash
);
391 netlogon_creds_des_encrypt(creds
, &new_password
);
393 torture_comment(tctx
, "Testing ServerPasswordSet on machine account\n");
394 torture_comment(tctx
, "Changing machine account password to '%s'\n",
397 netlogon_creds_client_authenticator(creds
, &credential
);
399 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerPasswordSet_r(b
, tctx
, &r
),
400 "ServerPasswordSet failed");
401 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerPasswordSet failed");
403 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
404 torture_comment(tctx
, "Credential chaining failed\n");
407 /* by changing the machine password twice we test the
408 credentials chaining fully, and we verify that the server
409 allows the password to be set to the same value twice in a
410 row (match win2k3) */
411 torture_comment(tctx
,
412 "Testing a second ServerPasswordSet on machine account\n");
413 torture_comment(tctx
,
414 "Changing machine account password to '%s' (same as previous run)\n", password
);
416 netlogon_creds_client_authenticator(creds
, &credential
);
418 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerPasswordSet_r(b
, tctx
, &r
),
419 "ServerPasswordSet (2) failed");
420 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerPasswordSet (2) failed");
422 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
423 torture_comment(tctx
, "Credential chaining failed\n");
426 cli_credentials_set_password(machine_credentials
, password
, CRED_SPECIFIED
);
429 test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
),
430 "ServerPasswordSet failed to actually change the password");
436 try a change password for our machine account
438 static bool test_SetPassword_flags(struct torture_context
*tctx
,
439 struct dcerpc_pipe
*p
,
440 struct cli_credentials
*machine_credentials
,
441 uint32_t negotiate_flags
)
443 struct netr_ServerPasswordSet r
;
444 const char *password
;
445 struct netlogon_creds_CredentialState
*creds
;
446 struct netr_Authenticator credential
, return_authenticator
;
447 struct samr_Password new_password
;
448 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
450 if (!test_SetupCredentials2(p
, tctx
, negotiate_flags
,
452 cli_credentials_get_secure_channel_type(machine_credentials
),
457 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
458 r
.in
.account_name
= talloc_asprintf(tctx
, "%s$", TEST_MACHINE_NAME
);
459 r
.in
.secure_channel_type
= cli_credentials_get_secure_channel_type(machine_credentials
);
460 r
.in
.computer_name
= TEST_MACHINE_NAME
;
461 r
.in
.credential
= &credential
;
462 r
.in
.new_password
= &new_password
;
463 r
.out
.return_authenticator
= &return_authenticator
;
465 password
= generate_random_password(tctx
, 8, 255);
466 E_md4hash(password
, new_password
.hash
);
468 netlogon_creds_des_encrypt(creds
, &new_password
);
470 torture_comment(tctx
, "Testing ServerPasswordSet on machine account\n");
471 torture_comment(tctx
, "Changing machine account password to '%s'\n",
474 netlogon_creds_client_authenticator(creds
, &credential
);
476 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerPasswordSet_r(b
, tctx
, &r
),
477 "ServerPasswordSet failed");
478 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerPasswordSet failed");
480 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
481 torture_comment(tctx
, "Credential chaining failed\n");
484 /* by changing the machine password twice we test the
485 credentials chaining fully, and we verify that the server
486 allows the password to be set to the same value twice in a
487 row (match win2k3) */
488 torture_comment(tctx
,
489 "Testing a second ServerPasswordSet on machine account\n");
490 torture_comment(tctx
,
491 "Changing machine account password to '%s' (same as previous run)\n", password
);
493 netlogon_creds_client_authenticator(creds
, &credential
);
495 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerPasswordSet_r(b
, tctx
, &r
),
496 "ServerPasswordSet (2) failed");
497 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerPasswordSet (2) failed");
499 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
500 torture_comment(tctx
, "Credential chaining failed\n");
503 cli_credentials_set_password(machine_credentials
, password
, CRED_SPECIFIED
);
506 test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
),
507 "ServerPasswordSet failed to actually change the password");
514 generate a random password for password change tests
516 static DATA_BLOB
netlogon_very_rand_pass(TALLOC_CTX
*mem_ctx
, int len
)
519 DATA_BLOB password
= data_blob_talloc(mem_ctx
, NULL
, len
* 2 /* number of unicode chars */);
520 generate_random_buffer(password
.data
, password
.length
);
522 for (i
=0; i
< len
; i
++) {
523 if (((uint16_t *)password
.data
)[i
] == 0) {
524 ((uint16_t *)password
.data
)[i
] = 1;
532 try a change password for our machine account
534 static bool test_SetPassword2_with_flags(struct torture_context
*tctx
,
535 struct dcerpc_pipe
*p
,
536 struct cli_credentials
*machine_credentials
,
539 struct netr_ServerPasswordSet2 r
;
540 const char *password
;
541 DATA_BLOB new_random_pass
;
542 struct netlogon_creds_CredentialState
*creds
;
543 struct samr_CryptPassword password_buf
;
544 struct samr_Password nt_hash
;
545 struct netr_Authenticator credential
, return_authenticator
;
546 struct netr_CryptPassword new_password
;
547 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
549 if (!test_SetupCredentials2(p
, tctx
, flags
, machine_credentials
, cli_credentials_get_secure_channel_type(machine_credentials
), &creds
)) {
553 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
554 r
.in
.account_name
= talloc_asprintf(tctx
, "%s$", TEST_MACHINE_NAME
);
555 r
.in
.secure_channel_type
= cli_credentials_get_secure_channel_type(machine_credentials
);
556 r
.in
.computer_name
= TEST_MACHINE_NAME
;
557 r
.in
.credential
= &credential
;
558 r
.in
.new_password
= &new_password
;
559 r
.out
.return_authenticator
= &return_authenticator
;
561 password
= generate_random_password(tctx
, 8, 255);
562 encode_pw_buffer(password_buf
.data
, password
, STR_UNICODE
);
563 if (creds
->negotiate_flags
& NETLOGON_NEG_SUPPORTS_AES
) {
564 netlogon_creds_aes_encrypt(creds
, password_buf
.data
, 516);
566 netlogon_creds_arcfour_crypt(creds
, password_buf
.data
, 516);
569 memcpy(new_password
.data
, password_buf
.data
, 512);
570 new_password
.length
= IVAL(password_buf
.data
, 512);
572 torture_comment(tctx
, "Testing ServerPasswordSet2 on machine account\n");
573 torture_comment(tctx
, "Changing machine account password to '%s'\n", password
);
575 netlogon_creds_client_authenticator(creds
, &credential
);
577 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerPasswordSet2_r(b
, tctx
, &r
),
578 "ServerPasswordSet2 failed");
579 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerPasswordSet2 failed");
581 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
582 torture_comment(tctx
, "Credential chaining failed\n");
585 cli_credentials_set_password(machine_credentials
, password
, CRED_SPECIFIED
);
587 if (!torture_setting_bool(tctx
, "dangerous", false)) {
588 torture_comment(tctx
,
589 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
591 /* by changing the machine password to ""
592 * we check if the server uses password restrictions
593 * for ServerPasswordSet2
594 * (win2k3 accepts "")
597 encode_pw_buffer(password_buf
.data
, password
, STR_UNICODE
);
598 if (creds
->negotiate_flags
& NETLOGON_NEG_SUPPORTS_AES
) {
599 netlogon_creds_aes_encrypt(creds
, password_buf
.data
, 516);
601 netlogon_creds_arcfour_crypt(creds
, password_buf
.data
, 516);
603 memcpy(new_password
.data
, password_buf
.data
, 512);
604 new_password
.length
= IVAL(password_buf
.data
, 512);
606 torture_comment(tctx
,
607 "Testing ServerPasswordSet2 on machine account\n");
608 torture_comment(tctx
,
609 "Changing machine account password to '%s'\n", password
);
611 netlogon_creds_client_authenticator(creds
, &credential
);
613 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerPasswordSet2_r(b
, tctx
, &r
),
614 "ServerPasswordSet2 failed");
615 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerPasswordSet2 failed");
617 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
618 torture_comment(tctx
, "Credential chaining failed\n");
621 cli_credentials_set_password(machine_credentials
, password
, CRED_SPECIFIED
);
624 torture_assert(tctx
, test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
),
625 "ServerPasswordSet failed to actually change the password");
627 /* now try a random password */
628 password
= generate_random_password(tctx
, 8, 255);
629 encode_pw_buffer(password_buf
.data
, password
, STR_UNICODE
);
630 if (creds
->negotiate_flags
& NETLOGON_NEG_SUPPORTS_AES
) {
631 netlogon_creds_aes_encrypt(creds
, password_buf
.data
, 516);
633 netlogon_creds_arcfour_crypt(creds
, password_buf
.data
, 516);
635 memcpy(new_password
.data
, password_buf
.data
, 512);
636 new_password
.length
= IVAL(password_buf
.data
, 512);
638 torture_comment(tctx
, "Testing second ServerPasswordSet2 on machine account\n");
639 torture_comment(tctx
, "Changing machine account password to '%s'\n", password
);
641 netlogon_creds_client_authenticator(creds
, &credential
);
643 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerPasswordSet2_r(b
, tctx
, &r
),
644 "ServerPasswordSet2 (2) failed");
645 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerPasswordSet2 (2) failed");
647 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
648 torture_comment(tctx
, "Credential chaining failed\n");
651 /* by changing the machine password twice we test the
652 credentials chaining fully, and we verify that the server
653 allows the password to be set to the same value twice in a
654 row (match win2k3) */
655 torture_comment(tctx
,
656 "Testing a second ServerPasswordSet2 on machine account\n");
657 torture_comment(tctx
,
658 "Changing machine account password to '%s' (same as previous run)\n", password
);
660 netlogon_creds_client_authenticator(creds
, &credential
);
662 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerPasswordSet2_r(b
, tctx
, &r
),
663 "ServerPasswordSet (3) failed");
664 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerPasswordSet (3) failed");
666 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
667 torture_comment(tctx
, "Credential chaining failed\n");
670 cli_credentials_set_password(machine_credentials
, password
, CRED_SPECIFIED
);
672 torture_assert (tctx
,
673 test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
),
674 "ServerPasswordSet failed to actually change the password");
676 new_random_pass
= netlogon_very_rand_pass(tctx
, 128);
678 /* now try a random stream of bytes for a password */
679 set_pw_in_buffer(password_buf
.data
, &new_random_pass
);
681 if (creds
->negotiate_flags
& NETLOGON_NEG_SUPPORTS_AES
) {
682 netlogon_creds_aes_encrypt(creds
, password_buf
.data
, 516);
684 netlogon_creds_arcfour_crypt(creds
, password_buf
.data
, 516);
687 memcpy(new_password
.data
, password_buf
.data
, 512);
688 new_password
.length
= IVAL(password_buf
.data
, 512);
690 torture_comment(tctx
,
691 "Testing a third ServerPasswordSet2 on machine account, with a completely random password\n");
693 netlogon_creds_client_authenticator(creds
, &credential
);
695 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerPasswordSet2_r(b
, tctx
, &r
),
696 "ServerPasswordSet (3) failed");
697 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerPasswordSet (3) failed");
699 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
700 torture_comment(tctx
, "Credential chaining failed\n");
703 mdfour(nt_hash
.hash
, new_random_pass
.data
, new_random_pass
.length
);
705 cli_credentials_set_password(machine_credentials
, NULL
, CRED_UNINITIALISED
);
706 cli_credentials_set_nt_hash(machine_credentials
, &nt_hash
, CRED_SPECIFIED
);
708 torture_assert (tctx
,
709 test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
),
710 "ServerPasswordSet failed to actually change the password");
715 static bool test_SetPassword2(struct torture_context
*tctx
,
716 struct dcerpc_pipe
*p
,
717 struct cli_credentials
*machine_credentials
)
719 return test_SetPassword2_with_flags(tctx
, p
, machine_credentials
, NETLOGON_NEG_AUTH2_ADS_FLAGS
);
722 static bool test_SetPassword2_AES(struct torture_context
*tctx
,
723 struct dcerpc_pipe
*p
,
724 struct cli_credentials
*machine_credentials
)
726 return test_SetPassword2_with_flags(tctx
, p
, machine_credentials
, NETLOGON_NEG_AUTH2_ADS_FLAGS
| NETLOGON_NEG_SUPPORTS_AES
);
729 static bool test_GetPassword(struct torture_context
*tctx
,
730 struct dcerpc_pipe
*p
,
731 struct cli_credentials
*machine_credentials
)
733 struct netr_ServerPasswordGet r
;
734 struct netlogon_creds_CredentialState
*creds
;
735 struct netr_Authenticator credential
;
737 struct netr_Authenticator return_authenticator
;
738 struct samr_Password password
;
739 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
741 if (!test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
)) {
745 netlogon_creds_client_authenticator(creds
, &credential
);
747 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
748 r
.in
.account_name
= talloc_asprintf(tctx
, "%s$", TEST_MACHINE_NAME
);
749 r
.in
.secure_channel_type
= cli_credentials_get_secure_channel_type(machine_credentials
);
750 r
.in
.computer_name
= TEST_MACHINE_NAME
;
751 r
.in
.credential
= &credential
;
752 r
.out
.return_authenticator
= &return_authenticator
;
753 r
.out
.password
= &password
;
755 status
= dcerpc_netr_ServerPasswordGet_r(b
, tctx
, &r
);
756 torture_assert_ntstatus_ok(tctx
, status
, "ServerPasswordGet");
761 static bool test_GetTrustPasswords(struct torture_context
*tctx
,
762 struct dcerpc_pipe
*p
,
763 struct cli_credentials
*machine_credentials
)
765 struct netr_ServerTrustPasswordsGet r
;
766 struct netlogon_creds_CredentialState
*creds
;
767 struct netr_Authenticator credential
;
768 struct netr_Authenticator return_authenticator
;
769 struct samr_Password password
, password2
;
770 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
772 if (!test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
)) {
776 netlogon_creds_client_authenticator(creds
, &credential
);
778 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
779 r
.in
.account_name
= talloc_asprintf(tctx
, "%s$", TEST_MACHINE_NAME
);
780 r
.in
.secure_channel_type
= cli_credentials_get_secure_channel_type(machine_credentials
);
781 r
.in
.computer_name
= TEST_MACHINE_NAME
;
782 r
.in
.credential
= &credential
;
783 r
.out
.return_authenticator
= &return_authenticator
;
784 r
.out
.password
= &password
;
785 r
.out
.password2
= &password2
;
787 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerTrustPasswordsGet_r(b
, tctx
, &r
),
788 "ServerTrustPasswordsGet failed");
789 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerTrustPasswordsGet failed");
795 try a netlogon SamLogon
797 static bool test_netlogon_ops_args(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
798 struct cli_credentials
*credentials
,
799 struct netlogon_creds_CredentialState
*creds
,
803 struct netr_LogonSamLogon r
;
804 struct netr_Authenticator auth
, auth2
;
805 static const struct netr_Authenticator auth_zero
;
806 union netr_LogonLevel logon
;
807 union netr_Validation validation
;
808 uint8_t authoritative
;
809 struct netr_NetworkInfo ninfo
;
810 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
812 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
813 int flags
= CLI_CRED_NTLM_AUTH
;
814 if (lpcfg_client_lanman_auth(tctx
->lp_ctx
)) {
815 flags
|= CLI_CRED_LANMAN_AUTH
;
818 if (lpcfg_client_ntlmv2_auth(tctx
->lp_ctx
) && !null_domain
) {
819 flags
|= CLI_CRED_NTLMv2_AUTH
;
822 cli_credentials_get_ntlm_username_domain(cmdline_credentials
, tctx
,
823 &ninfo
.identity_info
.account_name
.string
,
824 &ninfo
.identity_info
.domain_name
.string
);
827 ninfo
.identity_info
.domain_name
.string
= NULL
;
830 generate_random_buffer(ninfo
.challenge
,
831 sizeof(ninfo
.challenge
));
832 chal
= data_blob_const(ninfo
.challenge
,
833 sizeof(ninfo
.challenge
));
835 names_blob
= NTLMv2_generate_names_blob(tctx
, cli_credentials_get_workstation(credentials
),
836 cli_credentials_get_domain(credentials
));
838 status
= cli_credentials_get_ntlm_response(cmdline_credentials
, tctx
,
844 torture_assert_ntstatus_ok(tctx
, status
, "cli_credentials_get_ntlm_response failed");
846 ninfo
.lm
.data
= lm_resp
.data
;
847 ninfo
.lm
.length
= lm_resp
.length
;
849 ninfo
.nt
.data
= nt_resp
.data
;
850 ninfo
.nt
.length
= nt_resp
.length
;
852 ninfo
.identity_info
.parameter_control
= 0;
853 ninfo
.identity_info
.logon_id_low
= 0;
854 ninfo
.identity_info
.logon_id_high
= 0;
855 ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(credentials
);
857 logon
.network
= &ninfo
;
859 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
860 r
.in
.computer_name
= cli_credentials_get_workstation(credentials
);
861 r
.in
.credential
= &auth
;
862 r
.in
.return_authenticator
= &auth2
;
863 r
.in
.logon_level
= NetlogonNetworkInformation
;
865 r
.out
.validation
= &validation
;
866 r
.out
.authoritative
= &authoritative
;
868 d_printf("Testing LogonSamLogon with name %s\n", ninfo
.identity_info
.account_name
.string
);
872 netlogon_creds_client_authenticator(creds
, &auth
);
874 r
.in
.validation_level
= i
;
876 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonSamLogon_r(b
, tctx
, &r
),
877 "LogonSamLogon failed");
878 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonSamLogon failed");
880 torture_assert(tctx
, netlogon_creds_client_check(creds
,
881 &r
.out
.return_authenticator
->cred
),
882 "Credential chaining failed");
883 torture_assert_int_equal(tctx
, *r
.out
.authoritative
, 1,
884 "LogonSamLogon invalid *r.out.authoritative");
887 /* this makes sure we get the unmarshalling right for invalid levels */
888 for (i
=52;i
<53;i
++) {
890 /* the authenticator should be ignored by the server */
891 generate_random_buffer((uint8_t *) &auth
, sizeof(auth
));
893 r
.in
.validation_level
= i
;
895 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonSamLogon_r(b
, tctx
, &r
),
896 "LogonSamLogon failed");
897 torture_assert_ntstatus_equal(tctx
, r
.out
.result
,
898 NT_STATUS_INVALID_INFO_CLASS
,
899 "LogonSamLogon failed");
901 torture_assert_int_equal(tctx
, *r
.out
.authoritative
, 1,
902 "LogonSamLogon invalid *r.out.authoritative");
904 memcmp(&auth2
, &auth_zero
, sizeof(auth2
)) == 0,
905 "Return authenticator non zero");
910 netlogon_creds_client_authenticator(creds
, &auth
);
912 r
.in
.validation_level
= i
;
914 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonSamLogon_r(b
, tctx
, &r
),
915 "LogonSamLogon failed");
916 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonSamLogon failed");
918 torture_assert(tctx
, netlogon_creds_client_check(creds
,
919 &r
.out
.return_authenticator
->cred
),
920 "Credential chaining failed");
921 torture_assert_int_equal(tctx
, *r
.out
.authoritative
, 1,
922 "LogonSamLogon invalid *r.out.authoritative");
925 r
.in
.logon_level
= 52;
929 /* the authenticator should be ignored by the server */
930 generate_random_buffer((uint8_t *) &auth
, sizeof(auth
));
932 r
.in
.validation_level
= i
;
934 torture_comment(tctx
, "Testing SamLogon with validation level %d and a NULL credential\n", i
);
936 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonSamLogon_r(b
, tctx
, &r
),
937 "LogonSamLogon failed");
938 torture_assert_ntstatus_equal(tctx
, r
.out
.result
, NT_STATUS_INVALID_PARAMETER
,
939 "LogonSamLogon expected INVALID_PARAMETER");
942 memcmp(&auth2
, &auth_zero
, sizeof(auth2
)) == 0,
943 "Return authenticator non zero");
944 torture_assert_int_equal(tctx
, *r
.out
.authoritative
, 1,
945 "LogonSamLogon invalid *r.out.authoritative");
948 r
.in
.credential
= NULL
;
953 r
.in
.validation_level
= i
;
955 torture_comment(tctx
, "Testing SamLogon with validation level %d and a NULL credential\n", i
);
957 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonSamLogon_r(b
, tctx
, &r
),
958 "LogonSamLogon failed");
959 torture_assert_ntstatus_equal(tctx
, r
.out
.result
, NT_STATUS_INVALID_PARAMETER
,
960 "LogonSamLogon expected INVALID_PARAMETER");
963 memcmp(&auth2
, &auth_zero
, sizeof(auth2
)) == 0,
964 "Return authenticator non zero");
965 torture_assert_int_equal(tctx
, *r
.out
.authoritative
, 1,
966 "LogonSamLogon invalid *r.out.authoritative");
969 r
.in
.logon_level
= NetlogonNetworkInformation
;
970 r
.in
.credential
= &auth
;
974 netlogon_creds_client_authenticator(creds
, &auth
);
976 r
.in
.validation_level
= i
;
978 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonSamLogon_r(b
, tctx
, &r
),
979 "LogonSamLogon failed");
980 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonSamLogon failed");
982 torture_assert(tctx
, netlogon_creds_client_check(creds
,
983 &r
.out
.return_authenticator
->cred
),
984 "Credential chaining failed");
985 torture_assert_int_equal(tctx
, *r
.out
.authoritative
, 1,
986 "LogonSamLogon invalid *r.out.authoritative");
992 bool test_netlogon_ops(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
993 struct cli_credentials
*credentials
,
994 struct netlogon_creds_CredentialState
*creds
)
996 return test_netlogon_ops_args(p
, tctx
, credentials
, creds
, false);
1000 try a netlogon GetCapabilities
1002 bool test_netlogon_capabilities(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
1003 struct cli_credentials
*credentials
,
1004 struct netlogon_creds_CredentialState
*creds
)
1007 struct netr_LogonGetCapabilities r
;
1008 union netr_Capabilities capabilities
;
1009 struct netr_Authenticator auth
, return_auth
;
1010 struct netlogon_creds_CredentialState tmp_creds
;
1011 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
1013 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
1014 r
.in
.computer_name
= cli_credentials_get_workstation(credentials
);
1015 r
.in
.credential
= &auth
;
1016 r
.in
.return_authenticator
= &return_auth
;
1017 r
.in
.query_level
= 1;
1018 r
.out
.capabilities
= &capabilities
;
1019 r
.out
.return_authenticator
= &return_auth
;
1021 torture_comment(tctx
, "Testing LogonGetCapabilities\n");
1023 ZERO_STRUCT(return_auth
);
1026 * we need to operate on a temporary copy of creds
1027 * because dcerpc_netr_LogonGetCapabilities was
1028 * dcerpc_netr_DummyFunction and returns NT_STATUS_NOT_IMPLEMENTED
1029 * without looking a the authenticator.
1032 netlogon_creds_client_authenticator(&tmp_creds
, &auth
);
1034 status
= dcerpc_netr_LogonGetCapabilities_r(b
, tctx
, &r
);
1035 torture_assert_ntstatus_ok(tctx
, status
, "LogonGetCapabilities failed");
1036 if (NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_NOT_IMPLEMENTED
)) {
1042 torture_assert(tctx
, netlogon_creds_client_check(creds
,
1043 &r
.out
.return_authenticator
->cred
),
1044 "Credential chaining failed");
1046 torture_assert_int_equal(tctx
, creds
->negotiate_flags
,
1047 capabilities
.server_capabilities
,
1054 try a netlogon SamLogon
1056 static bool test_SamLogon(struct torture_context
*tctx
,
1057 struct dcerpc_pipe
*p
,
1058 struct cli_credentials
*credentials
)
1060 struct netlogon_creds_CredentialState
*creds
;
1062 if (!test_SetupCredentials(p
, tctx
, credentials
, &creds
)) {
1066 return test_netlogon_ops(p
, tctx
, credentials
, creds
);
1069 static bool test_invalidAuthenticate2(struct torture_context
*tctx
,
1070 struct dcerpc_pipe
*p
,
1071 struct cli_credentials
*credentials
)
1073 struct netlogon_creds_CredentialState
*creds
;
1074 uint32_t flags
= NETLOGON_NEG_AUTH2_FLAGS
| NETLOGON_NEG_SUPPORTS_AES
;
1076 torture_comment(tctx
, "Testing invalidAuthenticate2\n");
1078 if (!test_SetupCredentials2(p
, tctx
, flags
,
1080 cli_credentials_get_secure_channel_type(credentials
),
1085 if (!test_SetupCredentials2ex(p
, tctx
, flags
,
1088 cli_credentials_get_secure_channel_type(credentials
),
1089 STATUS_BUFFER_OVERFLOW
,
1094 if (!test_SetupCredentials2ex(p
, tctx
, flags
,
1097 cli_credentials_get_secure_channel_type(credentials
),
1106 static bool test_SamLogon_NULL_domain(struct torture_context
*tctx
,
1107 struct dcerpc_pipe
*p
,
1108 struct cli_credentials
*credentials
)
1110 struct netlogon_creds_CredentialState
*creds
;
1112 if (!test_SetupCredentials(p
, tctx
, credentials
, &creds
)) {
1116 return test_netlogon_ops_args(p
, tctx
, credentials
, creds
, true);
1119 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
1120 static uint64_t sequence_nums
[3];
1123 try a netlogon DatabaseSync
1125 static bool test_DatabaseSync(struct torture_context
*tctx
,
1126 struct dcerpc_pipe
*p
,
1127 struct cli_credentials
*machine_credentials
)
1129 struct netr_DatabaseSync r
;
1130 struct netlogon_creds_CredentialState
*creds
;
1131 const uint32_t database_ids
[] = {SAM_DATABASE_DOMAIN
, SAM_DATABASE_BUILTIN
, SAM_DATABASE_PRIVS
};
1133 struct netr_DELTA_ENUM_ARRAY
*delta_enum_array
= NULL
;
1134 struct netr_Authenticator credential
, return_authenticator
;
1135 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
1137 if (!test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
)) {
1141 ZERO_STRUCT(return_authenticator
);
1143 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
1144 r
.in
.computername
= TEST_MACHINE_NAME
;
1145 r
.in
.preferredmaximumlength
= (uint32_t)-1;
1146 r
.in
.return_authenticator
= &return_authenticator
;
1147 r
.out
.delta_enum_array
= &delta_enum_array
;
1148 r
.out
.return_authenticator
= &return_authenticator
;
1150 for (i
=0;i
<ARRAY_SIZE(database_ids
);i
++) {
1152 uint32_t sync_context
= 0;
1154 r
.in
.database_id
= database_ids
[i
];
1155 r
.in
.sync_context
= &sync_context
;
1156 r
.out
.sync_context
= &sync_context
;
1158 torture_comment(tctx
, "Testing DatabaseSync of id %d\n", r
.in
.database_id
);
1161 netlogon_creds_client_authenticator(creds
, &credential
);
1163 r
.in
.credential
= &credential
;
1165 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_DatabaseSync_r(b
, tctx
, &r
),
1166 "DatabaseSync failed");
1167 if (NT_STATUS_EQUAL(r
.out
.result
, STATUS_MORE_ENTRIES
))
1170 /* Native mode servers don't do this */
1171 if (NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_NOT_SUPPORTED
)) {
1174 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "DatabaseSync");
1176 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
1177 torture_comment(tctx
, "Credential chaining failed\n");
1180 if (delta_enum_array
&&
1181 delta_enum_array
->num_deltas
> 0 &&
1182 delta_enum_array
->delta_enum
[0].delta_type
== NETR_DELTA_DOMAIN
&&
1183 delta_enum_array
->delta_enum
[0].delta_union
.domain
) {
1184 sequence_nums
[r
.in
.database_id
] =
1185 delta_enum_array
->delta_enum
[0].delta_union
.domain
->sequence_num
;
1186 torture_comment(tctx
, "\tsequence_nums[%d]=%llu\n",
1188 (unsigned long long)sequence_nums
[r
.in
.database_id
]);
1190 } while (NT_STATUS_EQUAL(r
.out
.result
, STATUS_MORE_ENTRIES
));
1198 try a netlogon DatabaseDeltas
1200 static bool test_DatabaseDeltas(struct torture_context
*tctx
,
1201 struct dcerpc_pipe
*p
,
1202 struct cli_credentials
*machine_credentials
)
1204 struct netr_DatabaseDeltas r
;
1205 struct netlogon_creds_CredentialState
*creds
;
1206 struct netr_Authenticator credential
;
1207 struct netr_Authenticator return_authenticator
;
1208 struct netr_DELTA_ENUM_ARRAY
*delta_enum_array
= NULL
;
1209 const uint32_t database_ids
[] = {0, 1, 2};
1211 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
1213 if (!test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
)) {
1217 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
1218 r
.in
.computername
= TEST_MACHINE_NAME
;
1219 r
.in
.preferredmaximumlength
= (uint32_t)-1;
1220 ZERO_STRUCT(r
.in
.return_authenticator
);
1221 r
.out
.return_authenticator
= &return_authenticator
;
1222 r
.out
.delta_enum_array
= &delta_enum_array
;
1224 for (i
=0;i
<ARRAY_SIZE(database_ids
);i
++) {
1225 r
.in
.database_id
= database_ids
[i
];
1226 r
.in
.sequence_num
= &sequence_nums
[r
.in
.database_id
];
1228 if (*r
.in
.sequence_num
== 0) continue;
1230 *r
.in
.sequence_num
-= 1;
1232 torture_comment(tctx
, "Testing DatabaseDeltas of id %d at %llu\n",
1233 r
.in
.database_id
, (unsigned long long)*r
.in
.sequence_num
);
1236 netlogon_creds_client_authenticator(creds
, &credential
);
1238 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_DatabaseDeltas_r(b
, tctx
, &r
),
1239 "DatabaseDeltas failed");
1240 if (NT_STATUS_EQUAL(r
.out
.result
,
1241 NT_STATUS_SYNCHRONIZATION_REQUIRED
)) {
1242 torture_comment(tctx
, "not considering %s to be an error\n",
1243 nt_errstr(r
.out
.result
));
1246 if (NT_STATUS_EQUAL(r
.out
.result
, STATUS_MORE_ENTRIES
))
1249 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "DatabaseDeltas");
1251 if (!netlogon_creds_client_check(creds
, &return_authenticator
.cred
)) {
1252 torture_comment(tctx
, "Credential chaining failed\n");
1255 (*r
.in
.sequence_num
)++;
1256 } while (NT_STATUS_EQUAL(r
.out
.result
, STATUS_MORE_ENTRIES
));
1262 static bool test_DatabaseRedo(struct torture_context
*tctx
,
1263 struct dcerpc_pipe
*p
,
1264 struct cli_credentials
*machine_credentials
)
1266 struct netr_DatabaseRedo r
;
1267 struct netlogon_creds_CredentialState
*creds
;
1268 struct netr_Authenticator credential
;
1269 struct netr_Authenticator return_authenticator
;
1270 struct netr_DELTA_ENUM_ARRAY
*delta_enum_array
= NULL
;
1271 struct netr_ChangeLogEntry e
;
1272 struct dom_sid null_sid
, *sid
;
1274 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
1276 ZERO_STRUCT(null_sid
);
1278 sid
= dom_sid_parse_talloc(tctx
, "S-1-5-21-1111111111-2222222222-333333333-500");
1289 NTSTATUS expected_error
;
1290 uint32_t expected_num_results
;
1291 uint8_t expected_delta_type_1
;
1292 uint8_t expected_delta_type_2
;
1293 const char *comment
;
1296 /* SAM_DATABASE_DOMAIN */
1301 .db_index
= SAM_DATABASE_DOMAIN
,
1302 .delta_type
= NETR_DELTA_MODIFY_COUNT
,
1305 .expected_error
= NT_STATUS_SYNCHRONIZATION_REQUIRED
,
1306 .expected_num_results
= 0,
1307 .comment
= "NETR_DELTA_MODIFY_COUNT"
1312 .db_index
= SAM_DATABASE_DOMAIN
,
1316 .expected_error
= NT_STATUS_OK
,
1317 .expected_num_results
= 1,
1318 .expected_delta_type_1
= NETR_DELTA_DOMAIN
,
1319 .comment
= "NULL DELTA"
1324 .db_index
= SAM_DATABASE_DOMAIN
,
1325 .delta_type
= NETR_DELTA_DOMAIN
,
1328 .expected_error
= NT_STATUS_OK
,
1329 .expected_num_results
= 1,
1330 .expected_delta_type_1
= NETR_DELTA_DOMAIN
,
1331 .comment
= "NETR_DELTA_DOMAIN"
1334 .rid
= DOMAIN_RID_ADMINISTRATOR
,
1336 .db_index
= SAM_DATABASE_DOMAIN
,
1337 .delta_type
= NETR_DELTA_USER
,
1340 .expected_error
= NT_STATUS_OK
,
1341 .expected_num_results
= 1,
1342 .expected_delta_type_1
= NETR_DELTA_USER
,
1343 .comment
= "NETR_DELTA_USER by rid 500"
1346 .rid
= DOMAIN_RID_GUEST
,
1348 .db_index
= SAM_DATABASE_DOMAIN
,
1349 .delta_type
= NETR_DELTA_USER
,
1352 .expected_error
= NT_STATUS_OK
,
1353 .expected_num_results
= 1,
1354 .expected_delta_type_1
= NETR_DELTA_USER
,
1355 .comment
= "NETR_DELTA_USER by rid 501"
1359 .flags
= NETR_CHANGELOG_SID_INCLUDED
,
1360 .db_index
= SAM_DATABASE_DOMAIN
,
1361 .delta_type
= NETR_DELTA_USER
,
1364 .expected_error
= NT_STATUS_OK
,
1365 .expected_num_results
= 1,
1366 .expected_delta_type_1
= NETR_DELTA_DELETE_USER
,
1367 .comment
= "NETR_DELTA_USER by sid and flags"
1371 .flags
= NETR_CHANGELOG_SID_INCLUDED
,
1372 .db_index
= SAM_DATABASE_DOMAIN
,
1373 .delta_type
= NETR_DELTA_USER
,
1376 .expected_error
= NT_STATUS_OK
,
1377 .expected_num_results
= 1,
1378 .expected_delta_type_1
= NETR_DELTA_DELETE_USER
,
1379 .comment
= "NETR_DELTA_USER by null_sid and flags"
1383 .flags
= NETR_CHANGELOG_NAME_INCLUDED
,
1384 .db_index
= SAM_DATABASE_DOMAIN
,
1385 .delta_type
= NETR_DELTA_USER
,
1387 .name
= "administrator",
1388 .expected_error
= NT_STATUS_OK
,
1389 .expected_num_results
= 1,
1390 .expected_delta_type_1
= NETR_DELTA_DELETE_USER
,
1391 .comment
= "NETR_DELTA_USER by name 'administrator'"
1394 .rid
= DOMAIN_RID_ADMINS
,
1396 .db_index
= SAM_DATABASE_DOMAIN
,
1397 .delta_type
= NETR_DELTA_GROUP
,
1400 .expected_error
= NT_STATUS_OK
,
1401 .expected_num_results
= 2,
1402 .expected_delta_type_1
= NETR_DELTA_GROUP
,
1403 .expected_delta_type_2
= NETR_DELTA_GROUP_MEMBER
,
1404 .comment
= "NETR_DELTA_GROUP by rid 512"
1407 .rid
= DOMAIN_RID_ADMINS
,
1409 .db_index
= SAM_DATABASE_DOMAIN
,
1410 .delta_type
= NETR_DELTA_GROUP_MEMBER
,
1413 .expected_error
= NT_STATUS_OK
,
1414 .expected_num_results
= 2,
1415 .expected_delta_type_1
= NETR_DELTA_GROUP
,
1416 .expected_delta_type_2
= NETR_DELTA_GROUP_MEMBER
,
1417 .comment
= "NETR_DELTA_GROUP_MEMBER by rid 512"
1421 /* SAM_DATABASE_BUILTIN */
1426 .db_index
= SAM_DATABASE_BUILTIN
,
1427 .delta_type
= NETR_DELTA_MODIFY_COUNT
,
1430 .expected_error
= NT_STATUS_SYNCHRONIZATION_REQUIRED
,
1431 .expected_num_results
= 0,
1432 .comment
= "NETR_DELTA_MODIFY_COUNT"
1437 .db_index
= SAM_DATABASE_BUILTIN
,
1438 .delta_type
= NETR_DELTA_DOMAIN
,
1441 .expected_error
= NT_STATUS_OK
,
1442 .expected_num_results
= 1,
1443 .expected_delta_type_1
= NETR_DELTA_DOMAIN
,
1444 .comment
= "NETR_DELTA_DOMAIN"
1447 .rid
= DOMAIN_RID_ADMINISTRATOR
,
1449 .db_index
= SAM_DATABASE_BUILTIN
,
1450 .delta_type
= NETR_DELTA_USER
,
1453 .expected_error
= NT_STATUS_OK
,
1454 .expected_num_results
= 1,
1455 .expected_delta_type_1
= NETR_DELTA_DELETE_USER
,
1456 .comment
= "NETR_DELTA_USER by rid 500"
1461 .db_index
= SAM_DATABASE_BUILTIN
,
1462 .delta_type
= NETR_DELTA_USER
,
1465 .expected_error
= NT_STATUS_OK
,
1466 .expected_num_results
= 1,
1467 .expected_delta_type_1
= NETR_DELTA_DELETE_USER
,
1468 .comment
= "NETR_DELTA_USER"
1473 .db_index
= SAM_DATABASE_BUILTIN
,
1474 .delta_type
= NETR_DELTA_ALIAS
,
1477 .expected_error
= NT_STATUS_OK
,
1478 .expected_num_results
= 2,
1479 .expected_delta_type_1
= NETR_DELTA_ALIAS
,
1480 .expected_delta_type_2
= NETR_DELTA_ALIAS_MEMBER
,
1481 .comment
= "NETR_DELTA_ALIAS by rid 544"
1486 .db_index
= SAM_DATABASE_BUILTIN
,
1487 .delta_type
= NETR_DELTA_ALIAS_MEMBER
,
1490 .expected_error
= NT_STATUS_OK
,
1491 .expected_num_results
= 2,
1492 .expected_delta_type_1
= NETR_DELTA_ALIAS
,
1493 .expected_delta_type_2
= NETR_DELTA_ALIAS_MEMBER
,
1494 .comment
= "NETR_DELTA_ALIAS_MEMBER by rid 544"
1499 .db_index
= SAM_DATABASE_BUILTIN
,
1503 .expected_error
= NT_STATUS_OK
,
1504 .expected_num_results
= 1,
1505 .expected_delta_type_1
= NETR_DELTA_DOMAIN
,
1506 .comment
= "NULL DELTA by rid 544"
1510 .flags
= NETR_CHANGELOG_SID_INCLUDED
,
1511 .db_index
= SAM_DATABASE_BUILTIN
,
1513 .sid
= *dom_sid_parse_talloc(tctx
, "S-1-5-32-544"),
1515 .expected_error
= NT_STATUS_OK
,
1516 .expected_num_results
= 1,
1517 .expected_delta_type_1
= NETR_DELTA_DOMAIN
,
1518 .comment
= "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1522 .flags
= NETR_CHANGELOG_SID_INCLUDED
,
1523 .db_index
= SAM_DATABASE_BUILTIN
,
1524 .delta_type
= NETR_DELTA_ALIAS
,
1525 .sid
= *dom_sid_parse_talloc(tctx
, "S-1-5-32-544"),
1527 .expected_error
= NT_STATUS_OK
,
1528 .expected_num_results
= 2,
1529 .expected_delta_type_1
= NETR_DELTA_ALIAS
,
1530 .expected_delta_type_2
= NETR_DELTA_ALIAS_MEMBER
,
1531 .comment
= "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1535 .flags
= NETR_CHANGELOG_SID_INCLUDED
,
1536 .db_index
= SAM_DATABASE_BUILTIN
,
1537 .delta_type
= NETR_DELTA_ALIAS
,
1538 .sid
= *dom_sid_parse_talloc(tctx
, "S-1-5-32-544"),
1540 .expected_error
= NT_STATUS_OK
,
1541 .expected_num_results
= 1,
1542 .expected_delta_type_1
= NETR_DELTA_DELETE_ALIAS
,
1543 .comment
= "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1546 /* SAM_DATABASE_PRIVS */
1551 .db_index
= SAM_DATABASE_PRIVS
,
1555 .expected_error
= NT_STATUS_ACCESS_DENIED
,
1556 .expected_num_results
= 0,
1557 .comment
= "NULL DELTA"
1562 .db_index
= SAM_DATABASE_PRIVS
,
1563 .delta_type
= NETR_DELTA_MODIFY_COUNT
,
1566 .expected_error
= NT_STATUS_SYNCHRONIZATION_REQUIRED
,
1567 .expected_num_results
= 0,
1568 .comment
= "NETR_DELTA_MODIFY_COUNT"
1573 .db_index
= SAM_DATABASE_PRIVS
,
1574 .delta_type
= NETR_DELTA_POLICY
,
1577 .expected_error
= NT_STATUS_OK
,
1578 .expected_num_results
= 1,
1579 .expected_delta_type_1
= NETR_DELTA_POLICY
,
1580 .comment
= "NETR_DELTA_POLICY"
1584 .flags
= NETR_CHANGELOG_SID_INCLUDED
,
1585 .db_index
= SAM_DATABASE_PRIVS
,
1586 .delta_type
= NETR_DELTA_POLICY
,
1589 .expected_error
= NT_STATUS_OK
,
1590 .expected_num_results
= 1,
1591 .expected_delta_type_1
= NETR_DELTA_POLICY
,
1592 .comment
= "NETR_DELTA_POLICY by null sid and flags"
1596 .flags
= NETR_CHANGELOG_SID_INCLUDED
,
1597 .db_index
= SAM_DATABASE_PRIVS
,
1598 .delta_type
= NETR_DELTA_POLICY
,
1599 .sid
= *dom_sid_parse_talloc(tctx
, "S-1-5-32"),
1601 .expected_error
= NT_STATUS_OK
,
1602 .expected_num_results
= 1,
1603 .expected_delta_type_1
= NETR_DELTA_POLICY
,
1604 .comment
= "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1607 .rid
= DOMAIN_RID_ADMINISTRATOR
,
1609 .db_index
= SAM_DATABASE_PRIVS
,
1610 .delta_type
= NETR_DELTA_ACCOUNT
,
1613 .expected_error
= NT_STATUS_SYNCHRONIZATION_REQUIRED
, /* strange */
1614 .expected_num_results
= 0,
1615 .comment
= "NETR_DELTA_ACCOUNT by rid 500"
1619 .flags
= NETR_CHANGELOG_SID_INCLUDED
,
1620 .db_index
= SAM_DATABASE_PRIVS
,
1621 .delta_type
= NETR_DELTA_ACCOUNT
,
1622 .sid
= *dom_sid_parse_talloc(tctx
, "S-1-1-0"),
1624 .expected_error
= NT_STATUS_OK
,
1625 .expected_num_results
= 1,
1626 .expected_delta_type_1
= NETR_DELTA_ACCOUNT
,
1627 .comment
= "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1631 .flags
= NETR_CHANGELOG_SID_INCLUDED
|
1632 NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED
,
1633 .db_index
= SAM_DATABASE_PRIVS
,
1634 .delta_type
= NETR_DELTA_ACCOUNT
,
1635 .sid
= *dom_sid_parse_talloc(tctx
, "S-1-1-0"),
1637 .expected_error
= NT_STATUS_OK
,
1638 .expected_num_results
= 1,
1639 .expected_delta_type_1
= NETR_DELTA_ACCOUNT
,
1640 .comment
= "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1644 .flags
= NETR_CHANGELOG_SID_INCLUDED
|
1645 NETR_CHANGELOG_NAME_INCLUDED
,
1646 .db_index
= SAM_DATABASE_PRIVS
,
1647 .delta_type
= NETR_DELTA_ACCOUNT
,
1648 .sid
= *dom_sid_parse_talloc(tctx
, "S-1-1-0"),
1650 .expected_error
= NT_STATUS_INVALID_PARAMETER
,
1651 .expected_num_results
= 0,
1652 .comment
= "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1655 .rid
= DOMAIN_RID_ADMINISTRATOR
,
1656 .flags
= NETR_CHANGELOG_SID_INCLUDED
,
1657 .db_index
= SAM_DATABASE_PRIVS
,
1658 .delta_type
= NETR_DELTA_ACCOUNT
,
1661 .expected_error
= NT_STATUS_OK
,
1662 .expected_num_results
= 1,
1663 .expected_delta_type_1
= NETR_DELTA_DELETE_ACCOUNT
,
1664 .comment
= "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1668 .flags
= NETR_CHANGELOG_NAME_INCLUDED
,
1669 .db_index
= SAM_DATABASE_PRIVS
,
1670 .delta_type
= NETR_DELTA_SECRET
,
1672 .name
= "IsurelydontexistIhope",
1673 .expected_error
= NT_STATUS_OK
,
1674 .expected_num_results
= 1,
1675 .expected_delta_type_1
= NETR_DELTA_DELETE_SECRET
,
1676 .comment
= "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1680 .flags
= NETR_CHANGELOG_NAME_INCLUDED
,
1681 .db_index
= SAM_DATABASE_PRIVS
,
1682 .delta_type
= NETR_DELTA_SECRET
,
1684 .name
= "G$BCKUPKEY_P",
1685 .expected_error
= NT_STATUS_OK
,
1686 .expected_num_results
= 1,
1687 .expected_delta_type_1
= NETR_DELTA_SECRET
,
1688 .comment
= "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1692 ZERO_STRUCT(return_authenticator
);
1694 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
1695 r
.in
.computername
= TEST_MACHINE_NAME
;
1696 r
.in
.return_authenticator
= &return_authenticator
;
1697 r
.out
.return_authenticator
= &return_authenticator
;
1698 r
.out
.delta_enum_array
= &delta_enum_array
;
1700 for (d
=0; d
<3; d
++) {
1701 const char *database
= NULL
;
1708 database
= "BUILTIN";
1717 torture_comment(tctx
, "Testing DatabaseRedo\n");
1719 if (!test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
)) {
1723 for (i
=0;i
<ARRAY_SIZE(changes
);i
++) {
1725 if (d
!= changes
[i
].db_index
) {
1729 netlogon_creds_client_authenticator(creds
, &credential
);
1731 r
.in
.credential
= &credential
;
1733 e
.serial_number1
= 0;
1734 e
.serial_number2
= 0;
1735 e
.object_rid
= changes
[i
].rid
;
1736 e
.flags
= changes
[i
].flags
;
1737 e
.db_index
= changes
[i
].db_index
;
1738 e
.delta_type
= changes
[i
].delta_type
;
1740 switch (changes
[i
].flags
& (NETR_CHANGELOG_NAME_INCLUDED
| NETR_CHANGELOG_SID_INCLUDED
)) {
1741 case NETR_CHANGELOG_SID_INCLUDED
:
1742 e
.object
.object_sid
= changes
[i
].sid
;
1744 case NETR_CHANGELOG_NAME_INCLUDED
:
1745 e
.object
.object_name
= changes
[i
].name
;
1751 r
.in
.change_log_entry
= e
;
1753 torture_comment(tctx
, "Testing DatabaseRedo with database %s and %s\n",
1754 database
, changes
[i
].comment
);
1756 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_DatabaseRedo_r(b
, tctx
, &r
),
1757 "DatabaseRedo failed");
1758 if (NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_NOT_SUPPORTED
)) {
1762 torture_assert_ntstatus_equal(tctx
, r
.out
.result
, changes
[i
].expected_error
, changes
[i
].comment
);
1763 if (delta_enum_array
) {
1764 torture_assert_int_equal(tctx
,
1765 delta_enum_array
->num_deltas
,
1766 changes
[i
].expected_num_results
,
1767 changes
[i
].comment
);
1768 if (delta_enum_array
->num_deltas
> 0) {
1769 torture_assert_int_equal(tctx
,
1770 delta_enum_array
->delta_enum
[0].delta_type
,
1771 changes
[i
].expected_delta_type_1
,
1772 changes
[i
].comment
);
1774 if (delta_enum_array
->num_deltas
> 1) {
1775 torture_assert_int_equal(tctx
,
1776 delta_enum_array
->delta_enum
[1].delta_type
,
1777 changes
[i
].expected_delta_type_2
,
1778 changes
[i
].comment
);
1782 if (!netlogon_creds_client_check(creds
, &return_authenticator
.cred
)) {
1783 torture_comment(tctx
, "Credential chaining failed\n");
1784 if (!test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
)) {
1796 try a netlogon AccountDeltas
1798 static bool test_AccountDeltas(struct torture_context
*tctx
,
1799 struct dcerpc_pipe
*p
,
1800 struct cli_credentials
*machine_credentials
)
1802 struct netr_AccountDeltas r
;
1803 struct netlogon_creds_CredentialState
*creds
;
1805 struct netr_AccountBuffer buffer
;
1806 uint32_t count_returned
= 0;
1807 uint32_t total_entries
= 0;
1808 struct netr_UAS_INFO_0 recordid
;
1809 struct netr_Authenticator return_authenticator
;
1810 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
1812 if (!test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
)) {
1816 ZERO_STRUCT(return_authenticator
);
1818 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
1819 r
.in
.computername
= TEST_MACHINE_NAME
;
1820 r
.in
.return_authenticator
= &return_authenticator
;
1821 netlogon_creds_client_authenticator(creds
, &r
.in
.credential
);
1822 ZERO_STRUCT(r
.in
.uas
);
1825 r
.in
.buffersize
=100;
1826 r
.out
.buffer
= &buffer
;
1827 r
.out
.count_returned
= &count_returned
;
1828 r
.out
.total_entries
= &total_entries
;
1829 r
.out
.recordid
= &recordid
;
1830 r
.out
.return_authenticator
= &return_authenticator
;
1832 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1833 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_AccountDeltas_r(b
, tctx
, &r
),
1834 "AccountDeltas failed");
1835 torture_assert_ntstatus_equal(tctx
, r
.out
.result
, NT_STATUS_NOT_IMPLEMENTED
, "AccountDeltas");
1841 try a netlogon AccountSync
1843 static bool test_AccountSync(struct torture_context
*tctx
, struct dcerpc_pipe
*p
,
1844 struct cli_credentials
*machine_credentials
)
1846 struct netr_AccountSync r
;
1847 struct netlogon_creds_CredentialState
*creds
;
1849 struct netr_AccountBuffer buffer
;
1850 uint32_t count_returned
= 0;
1851 uint32_t total_entries
= 0;
1852 uint32_t next_reference
= 0;
1853 struct netr_UAS_INFO_0 recordid
;
1854 struct netr_Authenticator return_authenticator
;
1855 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
1857 ZERO_STRUCT(recordid
);
1858 ZERO_STRUCT(return_authenticator
);
1860 if (!test_SetupCredentials(p
, tctx
, machine_credentials
, &creds
)) {
1864 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
1865 r
.in
.computername
= TEST_MACHINE_NAME
;
1866 r
.in
.return_authenticator
= &return_authenticator
;
1867 netlogon_creds_client_authenticator(creds
, &r
.in
.credential
);
1868 r
.in
.recordid
= &recordid
;
1871 r
.in
.buffersize
=100;
1872 r
.out
.buffer
= &buffer
;
1873 r
.out
.count_returned
= &count_returned
;
1874 r
.out
.total_entries
= &total_entries
;
1875 r
.out
.next_reference
= &next_reference
;
1876 r
.out
.recordid
= &recordid
;
1877 r
.out
.return_authenticator
= &return_authenticator
;
1879 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1880 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_AccountSync_r(b
, tctx
, &r
),
1881 "AccountSync failed");
1882 torture_assert_ntstatus_equal(tctx
, r
.out
.result
, NT_STATUS_NOT_IMPLEMENTED
, "AccountSync");
1888 try a netlogon GetDcName
1890 static bool test_GetDcName(struct torture_context
*tctx
,
1891 struct dcerpc_pipe
*p
)
1893 struct netr_GetDcName r
;
1894 const char *dcname
= NULL
;
1895 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
1897 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
1898 r
.in
.domainname
= lpcfg_workgroup(tctx
->lp_ctx
);
1899 r
.out
.dcname
= &dcname
;
1901 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_GetDcName_r(b
, tctx
, &r
),
1902 "GetDcName failed");
1903 torture_assert_werr_ok(tctx
, r
.out
.result
, "GetDcName failed");
1905 torture_comment(tctx
, "\tDC is at '%s'\n", dcname
);
1910 static const char *function_code_str(TALLOC_CTX
*mem_ctx
,
1911 enum netr_LogonControlCode function_code
)
1913 switch (function_code
) {
1914 case NETLOGON_CONTROL_QUERY
:
1915 return "NETLOGON_CONTROL_QUERY";
1916 case NETLOGON_CONTROL_REPLICATE
:
1917 return "NETLOGON_CONTROL_REPLICATE";
1918 case NETLOGON_CONTROL_SYNCHRONIZE
:
1919 return "NETLOGON_CONTROL_SYNCHRONIZE";
1920 case NETLOGON_CONTROL_PDC_REPLICATE
:
1921 return "NETLOGON_CONTROL_PDC_REPLICATE";
1922 case NETLOGON_CONTROL_REDISCOVER
:
1923 return "NETLOGON_CONTROL_REDISCOVER";
1924 case NETLOGON_CONTROL_TC_QUERY
:
1925 return "NETLOGON_CONTROL_TC_QUERY";
1926 case NETLOGON_CONTROL_TRANSPORT_NOTIFY
:
1927 return "NETLOGON_CONTROL_TRANSPORT_NOTIFY";
1928 case NETLOGON_CONTROL_FIND_USER
:
1929 return "NETLOGON_CONTROL_FIND_USER";
1930 case NETLOGON_CONTROL_CHANGE_PASSWORD
:
1931 return "NETLOGON_CONTROL_CHANGE_PASSWORD";
1932 case NETLOGON_CONTROL_TC_VERIFY
:
1933 return "NETLOGON_CONTROL_TC_VERIFY";
1934 case NETLOGON_CONTROL_FORCE_DNS_REG
:
1935 return "NETLOGON_CONTROL_FORCE_DNS_REG";
1936 case NETLOGON_CONTROL_QUERY_DNS_REG
:
1937 return "NETLOGON_CONTROL_QUERY_DNS_REG";
1938 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG
:
1939 return "NETLOGON_CONTROL_BACKUP_CHANGE_LOG";
1940 case NETLOGON_CONTROL_TRUNCATE_LOG
:
1941 return "NETLOGON_CONTROL_TRUNCATE_LOG";
1942 case NETLOGON_CONTROL_SET_DBFLAG
:
1943 return "NETLOGON_CONTROL_SET_DBFLAG";
1944 case NETLOGON_CONTROL_BREAKPOINT
:
1945 return "NETLOGON_CONTROL_BREAKPOINT";
1947 return talloc_asprintf(mem_ctx
, "unknown function code: %d",
1954 try a netlogon LogonControl
1956 static bool test_LogonControl(struct torture_context
*tctx
,
1957 struct dcerpc_pipe
*p
,
1958 struct cli_credentials
*machine_credentials
)
1962 struct netr_LogonControl r
;
1963 union netr_CONTROL_QUERY_INFORMATION query
;
1965 enum netr_SchannelType secure_channel_type
= SEC_CHAN_NULL
;
1966 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
1968 uint32_t function_codes
[] = {
1969 NETLOGON_CONTROL_QUERY
,
1970 NETLOGON_CONTROL_REPLICATE
,
1971 NETLOGON_CONTROL_SYNCHRONIZE
,
1972 NETLOGON_CONTROL_PDC_REPLICATE
,
1973 NETLOGON_CONTROL_REDISCOVER
,
1974 NETLOGON_CONTROL_TC_QUERY
,
1975 NETLOGON_CONTROL_TRANSPORT_NOTIFY
,
1976 NETLOGON_CONTROL_FIND_USER
,
1977 NETLOGON_CONTROL_CHANGE_PASSWORD
,
1978 NETLOGON_CONTROL_TC_VERIFY
,
1979 NETLOGON_CONTROL_FORCE_DNS_REG
,
1980 NETLOGON_CONTROL_QUERY_DNS_REG
,
1981 NETLOGON_CONTROL_BACKUP_CHANGE_LOG
,
1982 NETLOGON_CONTROL_TRUNCATE_LOG
,
1983 NETLOGON_CONTROL_SET_DBFLAG
,
1984 NETLOGON_CONTROL_BREAKPOINT
1987 if (machine_credentials
) {
1988 secure_channel_type
= cli_credentials_get_secure_channel_type(machine_credentials
);
1991 torture_comment(tctx
, "Testing LogonControl with secure channel type: %d\n",
1992 secure_channel_type
);
1994 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
1995 r
.in
.function_code
= 1;
1996 r
.out
.query
= &query
;
1998 for (f
=0;f
<ARRAY_SIZE(function_codes
); f
++) {
2001 r
.in
.function_code
= function_codes
[f
];
2004 torture_comment(tctx
, "Testing LogonControl function code %s (%d) level %d\n",
2005 function_code_str(tctx
, r
.in
.function_code
), r
.in
.function_code
, r
.in
.level
);
2007 status
= dcerpc_netr_LogonControl_r(b
, tctx
, &r
);
2008 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl");
2010 switch (r
.in
.level
) {
2012 switch (r
.in
.function_code
) {
2013 case NETLOGON_CONTROL_REPLICATE
:
2014 case NETLOGON_CONTROL_SYNCHRONIZE
:
2015 case NETLOGON_CONTROL_PDC_REPLICATE
:
2016 case NETLOGON_CONTROL_BREAKPOINT
:
2017 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG
:
2018 if ((secure_channel_type
== SEC_CHAN_BDC
) ||
2019 (secure_channel_type
== SEC_CHAN_WKSTA
)) {
2020 torture_assert_werr_equal(tctx
, r
.out
.result
, WERR_ACCESS_DENIED
,
2021 "LogonControl returned unexpected error code");
2023 torture_assert_werr_equal(tctx
, r
.out
.result
, WERR_NOT_SUPPORTED
,
2024 "LogonControl returned unexpected error code");
2028 case NETLOGON_CONTROL_REDISCOVER
:
2029 case NETLOGON_CONTROL_TC_QUERY
:
2030 case NETLOGON_CONTROL_TRANSPORT_NOTIFY
:
2031 case NETLOGON_CONTROL_FIND_USER
:
2032 case NETLOGON_CONTROL_CHANGE_PASSWORD
:
2033 case NETLOGON_CONTROL_TC_VERIFY
:
2034 case NETLOGON_CONTROL_FORCE_DNS_REG
:
2035 case NETLOGON_CONTROL_QUERY_DNS_REG
:
2036 case NETLOGON_CONTROL_SET_DBFLAG
:
2037 torture_assert_werr_equal(tctx
, r
.out
.result
, WERR_NOT_SUPPORTED
,
2038 "LogonControl returned unexpected error code");
2040 case NETLOGON_CONTROL_TRUNCATE_LOG
:
2041 if ((secure_channel_type
== SEC_CHAN_BDC
) ||
2042 (secure_channel_type
== SEC_CHAN_WKSTA
)) {
2043 torture_assert_werr_equal(tctx
, r
.out
.result
, WERR_ACCESS_DENIED
,
2044 "LogonControl returned unexpected error code");
2046 torture_assert_werr_ok(tctx
, r
.out
.result
,
2047 "LogonControl returned unexpected result");
2051 torture_assert_werr_ok(tctx
, r
.out
.result
,
2052 "LogonControl returned unexpected result");
2057 torture_assert_werr_equal(tctx
, r
.out
.result
, WERR_NOT_SUPPORTED
,
2058 "LogonControl returned unexpected error code");
2061 torture_assert_werr_equal(tctx
, r
.out
.result
, WERR_UNKNOWN_LEVEL
,
2062 "LogonControl returned unexpected error code");
2069 torture_comment(tctx
, "Testing LogonControl function code %s (%d) level %d\n",
2070 function_code_str(tctx
, r
.in
.function_code
), r
.in
.function_code
, r
.in
.level
);
2071 status
= dcerpc_netr_LogonControl_r(b
, tctx
, &r
);
2072 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl");
2073 torture_assert_werr_equal(tctx
, r
.out
.result
, WERR_INVALID_LEVEL
, "LogonControl");
2080 try a netlogon GetAnyDCName
2082 static bool test_GetAnyDCName(struct torture_context
*tctx
,
2083 struct dcerpc_pipe
*p
)
2086 struct netr_GetAnyDCName r
;
2087 const char *dcname
= NULL
;
2088 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2090 r
.in
.domainname
= lpcfg_workgroup(tctx
->lp_ctx
);
2091 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2092 r
.out
.dcname
= &dcname
;
2094 status
= dcerpc_netr_GetAnyDCName_r(b
, tctx
, &r
);
2095 torture_assert_ntstatus_ok(tctx
, status
, "GetAnyDCName");
2096 if ((!W_ERROR_IS_OK(r
.out
.result
)) &&
2097 (!W_ERROR_EQUAL(r
.out
.result
, WERR_NO_SUCH_DOMAIN
))) {
2102 torture_comment(tctx
, "\tDC is at '%s'\n", dcname
);
2105 r
.in
.domainname
= NULL
;
2107 status
= dcerpc_netr_GetAnyDCName_r(b
, tctx
, &r
);
2108 torture_assert_ntstatus_ok(tctx
, status
, "GetAnyDCName");
2109 if ((!W_ERROR_IS_OK(r
.out
.result
)) &&
2110 (!W_ERROR_EQUAL(r
.out
.result
, WERR_NO_SUCH_DOMAIN
))) {
2114 r
.in
.domainname
= "";
2116 status
= dcerpc_netr_GetAnyDCName_r(b
, tctx
, &r
);
2117 torture_assert_ntstatus_ok(tctx
, status
, "GetAnyDCName");
2118 if ((!W_ERROR_IS_OK(r
.out
.result
)) &&
2119 (!W_ERROR_EQUAL(r
.out
.result
, WERR_NO_SUCH_DOMAIN
))) {
2128 try a netlogon LogonControl2
2130 static bool test_LogonControl2(struct torture_context
*tctx
,
2131 struct dcerpc_pipe
*p
,
2132 struct cli_credentials
*machine_credentials
)
2136 struct netr_LogonControl2 r
;
2137 union netr_CONTROL_DATA_INFORMATION data
;
2138 union netr_CONTROL_QUERY_INFORMATION query
;
2140 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2142 data
.domain
= lpcfg_workgroup(tctx
->lp_ctx
);
2144 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2146 r
.in
.function_code
= NETLOGON_CONTROL_REDISCOVER
;
2148 r
.out
.query
= &query
;
2153 torture_comment(tctx
, "Testing LogonControl2 function code %s (%d) level %d\n",
2154 function_code_str(tctx
, r
.in
.function_code
), r
.in
.function_code
, r
.in
.level
);
2156 status
= dcerpc_netr_LogonControl2_r(b
, tctx
, &r
);
2157 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl2");
2160 data
.domain
= lpcfg_workgroup(tctx
->lp_ctx
);
2162 r
.in
.function_code
= NETLOGON_CONTROL_TC_QUERY
;
2168 torture_comment(tctx
, "Testing LogonControl2 function code %s (%d) level %d\n",
2169 function_code_str(tctx
, r
.in
.function_code
), r
.in
.function_code
, r
.in
.level
);
2171 status
= dcerpc_netr_LogonControl2_r(b
, tctx
, &r
);
2172 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl2");
2175 data
.domain
= lpcfg_workgroup(tctx
->lp_ctx
);
2177 r
.in
.function_code
= NETLOGON_CONTROL_TRANSPORT_NOTIFY
;
2183 torture_comment(tctx
, "Testing LogonControl2 function code %s (%d) level %d\n",
2184 function_code_str(tctx
, r
.in
.function_code
), r
.in
.function_code
, r
.in
.level
);
2186 status
= dcerpc_netr_LogonControl2_r(b
, tctx
, &r
);
2187 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl2");
2190 data
.debug_level
= ~0;
2192 r
.in
.function_code
= NETLOGON_CONTROL_SET_DBFLAG
;
2198 torture_comment(tctx
, "Testing LogonControl2 function code %s (%d) level %d\n",
2199 function_code_str(tctx
, r
.in
.function_code
), r
.in
.function_code
, r
.in
.level
);
2201 status
= dcerpc_netr_LogonControl2_r(b
, tctx
, &r
);
2202 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl2");
2206 r
.in
.function_code
= 52;
2209 torture_comment(tctx
, "Testing LogonControl2 function code %s (%d) level %d\n",
2210 function_code_str(tctx
, r
.in
.function_code
), r
.in
.function_code
, r
.in
.level
);
2212 status
= dcerpc_netr_LogonControl2_r(b
, tctx
, &r
);
2213 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl2");
2214 torture_assert_werr_equal(tctx
, r
.out
.result
, WERR_UNKNOWN_LEVEL
, "LogonControl2");
2216 data
.debug_level
= ~0;
2218 r
.in
.function_code
= NETLOGON_CONTROL_SET_DBFLAG
;
2222 torture_comment(tctx
, "Testing LogonControl2 function code %s (%d) level %d\n",
2223 function_code_str(tctx
, r
.in
.function_code
), r
.in
.function_code
, r
.in
.level
);
2225 status
= dcerpc_netr_LogonControl2_r(b
, tctx
, &r
);
2226 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl2");
2227 torture_assert_werr_equal(tctx
, r
.out
.result
, WERR_UNKNOWN_LEVEL
, "LogonControl2");
2233 try a netlogon DatabaseSync2
2235 static bool test_DatabaseSync2(struct torture_context
*tctx
,
2236 struct dcerpc_pipe
*p
,
2237 struct cli_credentials
*machine_credentials
)
2239 struct netr_DatabaseSync2 r
;
2240 struct netr_DELTA_ENUM_ARRAY
*delta_enum_array
= NULL
;
2241 struct netr_Authenticator return_authenticator
, credential
;
2243 struct netlogon_creds_CredentialState
*creds
;
2244 const uint32_t database_ids
[] = {0, 1, 2};
2246 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2248 if (!test_SetupCredentials2(p
, tctx
, NETLOGON_NEG_AUTH2_FLAGS
,
2249 machine_credentials
,
2250 cli_credentials_get_secure_channel_type(machine_credentials
),
2255 ZERO_STRUCT(return_authenticator
);
2257 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2258 r
.in
.computername
= TEST_MACHINE_NAME
;
2259 r
.in
.preferredmaximumlength
= (uint32_t)-1;
2260 r
.in
.return_authenticator
= &return_authenticator
;
2261 r
.out
.return_authenticator
= &return_authenticator
;
2262 r
.out
.delta_enum_array
= &delta_enum_array
;
2264 for (i
=0;i
<ARRAY_SIZE(database_ids
);i
++) {
2266 uint32_t sync_context
= 0;
2268 r
.in
.database_id
= database_ids
[i
];
2269 r
.in
.sync_context
= &sync_context
;
2270 r
.out
.sync_context
= &sync_context
;
2271 r
.in
.restart_state
= 0;
2273 torture_comment(tctx
, "Testing DatabaseSync2 of id %d\n", r
.in
.database_id
);
2276 netlogon_creds_client_authenticator(creds
, &credential
);
2278 r
.in
.credential
= &credential
;
2280 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_DatabaseSync2_r(b
, tctx
, &r
),
2281 "DatabaseSync2 failed");
2282 if (NT_STATUS_EQUAL(r
.out
.result
, STATUS_MORE_ENTRIES
))
2285 /* Native mode servers don't do this */
2286 if (NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_NOT_SUPPORTED
)) {
2290 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "DatabaseSync2");
2292 if (!netlogon_creds_client_check(creds
, &r
.out
.return_authenticator
->cred
)) {
2293 torture_comment(tctx
, "Credential chaining failed\n");
2296 } while (NT_STATUS_EQUAL(r
.out
.result
, STATUS_MORE_ENTRIES
));
2304 try a netlogon LogonControl2Ex
2306 static bool test_LogonControl2Ex(struct torture_context
*tctx
,
2307 struct dcerpc_pipe
*p
,
2308 struct cli_credentials
*machine_credentials
)
2312 struct netr_LogonControl2Ex r
;
2313 union netr_CONTROL_DATA_INFORMATION data
;
2314 union netr_CONTROL_QUERY_INFORMATION query
;
2316 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2318 data
.domain
= lpcfg_workgroup(tctx
->lp_ctx
);
2320 r
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2322 r
.in
.function_code
= NETLOGON_CONTROL_REDISCOVER
;
2324 r
.out
.query
= &query
;
2329 torture_comment(tctx
, "Testing LogonControl2Ex level %d function %d\n",
2330 i
, r
.in
.function_code
);
2332 status
= dcerpc_netr_LogonControl2Ex_r(b
, tctx
, &r
);
2333 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl");
2336 data
.domain
= lpcfg_workgroup(tctx
->lp_ctx
);
2338 r
.in
.function_code
= NETLOGON_CONTROL_TC_QUERY
;
2344 torture_comment(tctx
, "Testing LogonControl2Ex level %d function %d\n",
2345 i
, r
.in
.function_code
);
2347 status
= dcerpc_netr_LogonControl2Ex_r(b
, tctx
, &r
);
2348 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl");
2351 data
.domain
= lpcfg_workgroup(tctx
->lp_ctx
);
2353 r
.in
.function_code
= NETLOGON_CONTROL_TRANSPORT_NOTIFY
;
2359 torture_comment(tctx
, "Testing LogonControl2Ex level %d function %d\n",
2360 i
, r
.in
.function_code
);
2362 status
= dcerpc_netr_LogonControl2Ex_r(b
, tctx
, &r
);
2363 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl");
2366 data
.debug_level
= ~0;
2368 r
.in
.function_code
= NETLOGON_CONTROL_SET_DBFLAG
;
2374 torture_comment(tctx
, "Testing LogonControl2Ex level %d function %d\n",
2375 i
, r
.in
.function_code
);
2377 status
= dcerpc_netr_LogonControl2Ex_r(b
, tctx
, &r
);
2378 torture_assert_ntstatus_ok(tctx
, status
, "LogonControl");
2384 static bool test_netr_GetForestTrustInformation(struct torture_context
*tctx
,
2385 struct dcerpc_pipe
*p
,
2386 struct cli_credentials
*machine_credentials
)
2388 struct netr_GetForestTrustInformation r
;
2389 struct netlogon_creds_CredentialState
*creds
;
2390 struct netr_Authenticator a
;
2391 struct netr_Authenticator return_authenticator
;
2392 struct lsa_ForestTrustInformation
*forest_trust_info
;
2393 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2395 if (!test_SetupCredentials3(p
, tctx
, NETLOGON_NEG_AUTH2_ADS_FLAGS
,
2396 machine_credentials
, &creds
)) {
2400 netlogon_creds_client_authenticator(creds
, &a
);
2402 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2403 r
.in
.computer_name
= TEST_MACHINE_NAME
;
2404 r
.in
.credential
= &a
;
2406 r
.out
.return_authenticator
= &return_authenticator
;
2407 r
.out
.forest_trust_info
= &forest_trust_info
;
2409 torture_assert_ntstatus_ok(tctx
,
2410 dcerpc_netr_GetForestTrustInformation_r(b
, tctx
, &r
),
2411 "netr_GetForestTrustInformation failed");
2412 if (NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_NOT_IMPLEMENTED
)) {
2413 torture_comment(tctx
, "not considering NT_STATUS_NOT_IMPLEMENTED as an error\n");
2415 torture_assert_ntstatus_ok(tctx
, r
.out
.result
,
2416 "netr_GetForestTrustInformation failed");
2419 torture_assert(tctx
,
2420 netlogon_creds_client_check(creds
, &return_authenticator
.cred
),
2421 "Credential chaining failed");
2426 static bool test_netr_DsRGetForestTrustInformation(struct torture_context
*tctx
,
2427 struct dcerpc_pipe
*p
, const char *trusted_domain_name
)
2430 struct netr_DsRGetForestTrustInformation r
;
2431 struct lsa_ForestTrustInformation info
, *info_ptr
;
2432 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2436 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2437 r
.in
.trusted_domain_name
= trusted_domain_name
;
2439 r
.out
.forest_trust_info
= &info_ptr
;
2441 torture_comment(tctx
,"Testing netr_DsRGetForestTrustInformation\n");
2443 status
= dcerpc_netr_DsRGetForestTrustInformation_r(b
, tctx
, &r
);
2444 torture_assert_ntstatus_ok(tctx
, status
, "DsRGetForestTrustInformation");
2445 torture_assert_werr_ok(tctx
, r
.out
.result
, "DsRGetForestTrustInformation");
2451 try a netlogon netr_DsrEnumerateDomainTrusts
2453 static bool test_DsrEnumerateDomainTrusts(struct torture_context
*tctx
,
2454 struct dcerpc_pipe
*p
)
2457 struct netr_DsrEnumerateDomainTrusts r
;
2458 struct netr_DomainTrustList trusts
;
2460 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2462 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2463 r
.in
.trust_flags
= 0x3f;
2464 r
.out
.trusts
= &trusts
;
2466 status
= dcerpc_netr_DsrEnumerateDomainTrusts_r(b
, tctx
, &r
);
2467 torture_assert_ntstatus_ok(tctx
, status
, "DsrEnumerateDomaintrusts");
2468 torture_assert_werr_ok(tctx
, r
.out
.result
, "DsrEnumerateDomaintrusts");
2470 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
2471 * will show non-forest trusts and all UPN suffixes of the own forest
2472 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
2474 if (r
.out
.trusts
->count
) {
2475 if (!test_netr_DsRGetForestTrustInformation(tctx
, p
, NULL
)) {
2480 for (i
=0; i
<r
.out
.trusts
->count
; i
++) {
2482 /* get info for transitive forest trusts */
2484 if (r
.out
.trusts
->array
[i
].trust_attributes
& NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
) {
2485 if (!test_netr_DsRGetForestTrustInformation(tctx
, p
,
2486 r
.out
.trusts
->array
[i
].dns_name
)) {
2495 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context
*tctx
,
2496 struct dcerpc_pipe
*p
)
2499 struct netr_NetrEnumerateTrustedDomains r
;
2500 struct netr_Blob trusted_domains_blob
;
2501 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2503 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2504 r
.out
.trusted_domains_blob
= &trusted_domains_blob
;
2506 status
= dcerpc_netr_NetrEnumerateTrustedDomains_r(b
, tctx
, &r
);
2507 torture_assert_ntstatus_ok(tctx
, status
, "netr_NetrEnumerateTrustedDomains");
2508 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "NetrEnumerateTrustedDomains");
2513 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context
*tctx
,
2514 struct dcerpc_pipe
*p
)
2517 struct netr_NetrEnumerateTrustedDomainsEx r
;
2518 struct netr_DomainTrustList dom_trust_list
;
2519 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2521 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2522 r
.out
.dom_trust_list
= &dom_trust_list
;
2524 status
= dcerpc_netr_NetrEnumerateTrustedDomainsEx_r(b
, tctx
, &r
);
2525 torture_assert_ntstatus_ok(tctx
, status
, "netr_NetrEnumerateTrustedDomainsEx");
2526 torture_assert_werr_ok(tctx
, r
.out
.result
, "NetrEnumerateTrustedDomainsEx");
2532 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
2533 const char *computer_name
,
2534 const char *expected_site
)
2537 struct netr_DsRGetSiteName r
;
2538 const char *site
= NULL
;
2539 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2541 r
.in
.computer_name
= computer_name
;
2543 torture_comment(tctx
, "Testing netr_DsRGetSiteName\n");
2545 status
= dcerpc_netr_DsRGetSiteName_r(b
, tctx
, &r
);
2546 torture_assert_ntstatus_ok(tctx
, status
, "DsRGetSiteName");
2547 torture_assert_werr_ok(tctx
, r
.out
.result
, "DsRGetSiteName");
2548 torture_assert_str_equal(tctx
, expected_site
, site
, "netr_DsRGetSiteName");
2554 try a netlogon netr_DsRGetDCName
2556 static bool test_netr_DsRGetDCName(struct torture_context
*tctx
,
2557 struct dcerpc_pipe
*p
)
2560 struct netr_DsRGetDCName r
;
2561 struct netr_DsRGetDCNameInfo
*info
= NULL
;
2562 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2564 r
.in
.server_unc
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2565 r
.in
.domain_name
= lpcfg_dnsdomain(tctx
->lp_ctx
);
2566 r
.in
.domain_guid
= NULL
;
2567 r
.in
.site_guid
= NULL
;
2568 r
.in
.flags
= DS_RETURN_DNS_NAME
;
2571 status
= dcerpc_netr_DsRGetDCName_r(b
, tctx
, &r
);
2572 torture_assert_ntstatus_ok(tctx
, status
, "DsRGetDCName");
2573 torture_assert_werr_ok(tctx
, r
.out
.result
, "DsRGetDCName");
2575 torture_assert_int_equal(tctx
,
2576 (info
->dc_flags
& (DS_DNS_CONTROLLER
)),
2579 torture_assert_int_equal(tctx
,
2580 (info
->dc_flags
& (DS_DNS_DOMAIN
)),
2583 torture_assert_int_equal(tctx
,
2584 (info
->dc_flags
& (DS_DNS_FOREST_ROOT
)),
2588 r
.in
.domain_name
= lpcfg_workgroup(tctx
->lp_ctx
);
2591 status
= dcerpc_netr_DsRGetDCName_r(b
, tctx
, &r
);
2592 torture_assert_ntstatus_ok(tctx
, status
, "DsRGetDCName");
2593 torture_assert_werr_ok(tctx
, r
.out
.result
, "DsRGetDCName");
2595 torture_assert_int_equal(tctx
,
2596 (info
->dc_flags
& (DS_DNS_CONTROLLER
)), 0,
2598 torture_assert_int_equal(tctx
,
2599 (info
->dc_flags
& (DS_DNS_DOMAIN
)), 0,
2601 torture_assert_int_equal(tctx
,
2602 (info
->dc_flags
& (DS_DNS_FOREST_ROOT
)),
2606 if (strcasecmp(info
->dc_site_name
, info
->client_site_name
) == 0) {
2607 torture_assert_int_equal(tctx
,
2608 (info
->dc_flags
& (DS_SERVER_CLOSEST
)),
2613 return test_netr_DsRGetSiteName(p
, tctx
,
2615 info
->dc_site_name
);
2619 try a netlogon netr_DsRGetDCNameEx
2621 static bool test_netr_DsRGetDCNameEx(struct torture_context
*tctx
,
2622 struct dcerpc_pipe
*p
)
2625 struct netr_DsRGetDCNameEx r
;
2626 struct netr_DsRGetDCNameInfo
*info
= NULL
;
2627 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2629 r
.in
.server_unc
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2630 r
.in
.domain_name
= lpcfg_dnsdomain(tctx
->lp_ctx
);
2631 r
.in
.domain_guid
= NULL
;
2632 r
.in
.site_name
= NULL
;
2633 r
.in
.flags
= DS_RETURN_DNS_NAME
;
2636 status
= dcerpc_netr_DsRGetDCNameEx_r(b
, tctx
, &r
);
2637 torture_assert_ntstatus_ok(tctx
, status
, "netr_DsRGetDCNameEx");
2638 torture_assert_werr_ok(tctx
, r
.out
.result
, "netr_DsRGetDCNameEx");
2640 torture_assert_int_equal(tctx
,
2641 (info
->dc_flags
& (DS_DNS_CONTROLLER
)),
2644 torture_assert_int_equal(tctx
,
2645 (info
->dc_flags
& (DS_DNS_DOMAIN
)),
2648 torture_assert_int_equal(tctx
,
2649 (info
->dc_flags
& (DS_DNS_FOREST_ROOT
)),
2653 r
.in
.domain_name
= lpcfg_workgroup(tctx
->lp_ctx
);
2656 status
= dcerpc_netr_DsRGetDCNameEx_r(b
, tctx
, &r
);
2657 torture_assert_ntstatus_ok(tctx
, status
, "netr_DsRGetDCNameEx");
2658 torture_assert_werr_ok(tctx
, r
.out
.result
, "netr_DsRGetDCNameEx");
2660 torture_assert_int_equal(tctx
,
2661 (info
->dc_flags
& (DS_DNS_CONTROLLER
)), 0,
2663 torture_assert_int_equal(tctx
,
2664 (info
->dc_flags
& (DS_DNS_DOMAIN
)), 0,
2666 torture_assert_int_equal(tctx
,
2667 (info
->dc_flags
& (DS_DNS_FOREST_ROOT
)),
2671 if (strcasecmp(info
->dc_site_name
, info
->client_site_name
) == 0) {
2672 torture_assert_int_equal(tctx
,
2673 (info
->dc_flags
& (DS_SERVER_CLOSEST
)),
2678 return test_netr_DsRGetSiteName(p
, tctx
, info
->dc_unc
,
2679 info
->dc_site_name
);
2683 try a netlogon netr_DsRGetDCNameEx2
2685 static bool test_netr_DsRGetDCNameEx2(struct torture_context
*tctx
,
2686 struct dcerpc_pipe
*p
)
2689 struct netr_DsRGetDCNameEx2 r
;
2690 struct netr_DsRGetDCNameInfo
*info
= NULL
;
2691 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2693 torture_comment(tctx
, "Testing netr_DsRGetDCNameEx2 with no inputs\n");
2695 r
.in
.flags
= DS_RETURN_DNS_NAME
;
2698 status
= dcerpc_netr_DsRGetDCNameEx2_r(b
, tctx
, &r
);
2699 torture_assert_ntstatus_ok(tctx
, status
, "netr_DsRGetDCNameEx2");
2700 torture_assert_werr_ok(tctx
, r
.out
.result
, "netr_DsRGetDCNameEx2");
2702 torture_assert_int_equal(tctx
,
2703 (info
->dc_flags
& (DS_DNS_CONTROLLER
)),
2706 torture_assert_int_equal(tctx
,
2707 (info
->dc_flags
& (DS_DNS_DOMAIN
)),
2710 torture_assert_int_equal(tctx
,
2711 (info
->dc_flags
& (DS_DNS_FOREST_ROOT
)),
2715 r
.in
.server_unc
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2716 r
.in
.client_account
= NULL
;
2717 r
.in
.mask
= 0x00000000;
2718 r
.in
.domain_name
= lpcfg_dnsdomain(tctx
->lp_ctx
);
2719 r
.in
.domain_guid
= NULL
;
2720 r
.in
.site_name
= NULL
;
2721 r
.in
.flags
= DS_RETURN_DNS_NAME
;
2724 torture_comment(tctx
, "Testing netr_DsRGetDCNameEx2 without client account\n");
2726 status
= dcerpc_netr_DsRGetDCNameEx2_r(b
, tctx
, &r
);
2727 torture_assert_ntstatus_ok(tctx
, status
, "netr_DsRGetDCNameEx2");
2728 torture_assert_werr_ok(tctx
, r
.out
.result
, "netr_DsRGetDCNameEx2");
2730 r
.in
.domain_name
= lpcfg_workgroup(tctx
->lp_ctx
);
2733 status
= dcerpc_netr_DsRGetDCNameEx2_r(b
, tctx
, &r
);
2734 torture_assert_ntstatus_ok(tctx
, status
, "netr_DsRGetDCNameEx2");
2735 torture_assert_werr_ok(tctx
, r
.out
.result
, "netr_DsRGetDCNameEx2");
2737 torture_assert_int_equal(tctx
,
2738 (info
->dc_flags
& (DS_DNS_CONTROLLER
)), 0,
2740 torture_assert_int_equal(tctx
,
2741 (info
->dc_flags
& (DS_DNS_DOMAIN
)), 0,
2743 torture_assert_int_equal(tctx
,
2744 (info
->dc_flags
& (DS_DNS_FOREST_ROOT
)),
2748 if (strcasecmp(info
->dc_site_name
, info
->client_site_name
) == 0) {
2749 torture_assert_int_equal(tctx
,
2750 (info
->dc_flags
& (DS_SERVER_CLOSEST
)),
2755 torture_comment(tctx
, "Testing netr_DsRGetDCNameEx2 with client account\n");
2756 r
.in
.client_account
= TEST_MACHINE_NAME
"$";
2757 r
.in
.mask
= ACB_SVRTRUST
;
2758 r
.in
.flags
= DS_RETURN_FLAT_NAME
;
2761 status
= dcerpc_netr_DsRGetDCNameEx2_r(b
, tctx
, &r
);
2762 torture_assert_ntstatus_ok(tctx
, status
, "netr_DsRGetDCNameEx2");
2763 torture_assert_werr_ok(tctx
, r
.out
.result
, "netr_DsRGetDCNameEx2");
2765 return test_netr_DsRGetSiteName(p
, tctx
, info
->dc_unc
,
2766 info
->dc_site_name
);
2769 /* This is a substitution for "samdb_server_site_name" which relies on the
2770 * correct "lp_ctx" and therefore can't be used here. */
2771 static const char *server_site_name(struct torture_context
*tctx
,
2772 struct ldb_context
*ldb
)
2774 TALLOC_CTX
*tmp_ctx
;
2775 struct ldb_dn
*dn
, *server_dn
;
2776 const struct ldb_val
*site_name_val
;
2777 const char *server_dn_str
, *site_name
;
2779 tmp_ctx
= talloc_new(ldb
);
2780 if (tmp_ctx
== NULL
) {
2784 dn
= ldb_dn_new(tmp_ctx
, ldb
, "");
2789 server_dn_str
= samdb_search_string(ldb
, tmp_ctx
, dn
, "serverName",
2791 if (server_dn_str
== NULL
) {
2795 server_dn
= ldb_dn_new(tmp_ctx
, ldb
, server_dn_str
);
2796 if (server_dn
== NULL
) {
2800 /* CN=<Server name>, CN=Servers, CN=<Site name>, CN=Sites, ... */
2801 site_name_val
= ldb_dn_get_component_val(server_dn
, 2);
2802 if (site_name_val
== NULL
) {
2806 site_name
= (const char *) site_name_val
->data
;
2808 talloc_steal(tctx
, site_name
);
2809 talloc_free(tmp_ctx
);
2814 talloc_free(tmp_ctx
);
2818 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context
*tctx
,
2819 struct dcerpc_pipe
*p
)
2822 struct ldb_context
*sam_ctx
= NULL
;
2824 struct netr_DsrGetDcSiteCoverageW r
;
2825 struct DcSitesCtr
*ctr
= NULL
;
2826 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2828 torture_comment(tctx
, "This does only pass with the default site\n");
2830 /* We won't double-check this when we are over 'local' transports */
2831 if (dcerpc_server_name(p
)) {
2832 /* Set up connection to SAMDB on DC */
2833 url
= talloc_asprintf(tctx
, "ldap://%s", dcerpc_server_name(p
));
2834 sam_ctx
= ldb_wrap_connect(tctx
, tctx
->ev
, tctx
->lp_ctx
, url
,
2836 cmdline_credentials
,
2839 torture_assert(tctx
, sam_ctx
, "Connection to the SAMDB on DC failed!");
2842 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2845 status
= dcerpc_netr_DsrGetDcSiteCoverageW_r(b
, tctx
, &r
);
2846 torture_assert_ntstatus_ok(tctx
, status
, "failed");
2847 torture_assert_werr_ok(tctx
, r
.out
.result
, "failed");
2849 torture_assert(tctx
, ctr
->num_sites
== 1,
2850 "we should per default only get the default site");
2851 if (sam_ctx
!= NULL
) {
2852 torture_assert_casestr_equal(tctx
, ctr
->sites
[0].string
,
2853 server_site_name(tctx
, sam_ctx
),
2854 "didn't return default site");
2860 static bool test_netr_DsRAddressToSitenamesW(struct torture_context
*tctx
,
2861 struct dcerpc_pipe
*p
)
2864 struct ldb_context
*sam_ctx
= NULL
;
2866 struct netr_DsRAddressToSitenamesW r
;
2867 struct netr_DsRAddress addrs
[6];
2868 struct sockaddr_in
*addr
;
2870 struct sockaddr_in6
*addr6
;
2872 struct netr_DsRAddressToSitenamesWCtr
*ctr
;
2873 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
2877 torture_comment(tctx
, "This does only pass with the default site\n");
2879 /* We won't double-check this when we are over 'local' transports */
2880 if (dcerpc_server_name(p
)) {
2881 /* Set up connection to SAMDB on DC */
2882 url
= talloc_asprintf(tctx
, "ldap://%s", dcerpc_server_name(p
));
2883 sam_ctx
= ldb_wrap_connect(tctx
, tctx
->ev
, tctx
->lp_ctx
, url
,
2885 cmdline_credentials
,
2888 torture_assert(tctx
, sam_ctx
, "Connection to the SAMDB on DC failed!");
2891 /* First try valid IP addresses */
2893 addrs
[0].size
= sizeof(struct sockaddr_in
);
2894 addrs
[0].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[0].size
);
2895 addr
= (struct sockaddr_in
*) addrs
[0].buffer
;
2896 addrs
[0].buffer
[0] = AF_INET
;
2897 ret
= inet_pton(AF_INET
, "127.0.0.1", &addr
->sin_addr
);
2898 torture_assert(tctx
, ret
> 0, "inet_pton failed");
2900 addrs
[1].size
= sizeof(struct sockaddr_in
);
2901 addrs
[1].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[1].size
);
2902 addr
= (struct sockaddr_in
*) addrs
[1].buffer
;
2903 addrs
[1].buffer
[0] = AF_INET
;
2904 ret
= inet_pton(AF_INET
, "0.0.0.0", &addr
->sin_addr
);
2905 torture_assert(tctx
, ret
> 0, "inet_pton failed");
2907 addrs
[2].size
= sizeof(struct sockaddr_in
);
2908 addrs
[2].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[2].size
);
2909 addr
= (struct sockaddr_in
*) addrs
[2].buffer
;
2910 addrs
[2].buffer
[0] = AF_INET
;
2911 ret
= inet_pton(AF_INET
, "255.255.255.255", &addr
->sin_addr
);
2912 torture_assert(tctx
, ret
> 0, "inet_pton failed");
2915 addrs
[3].size
= sizeof(struct sockaddr_in6
);
2916 addrs
[3].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[3].size
);
2917 addr6
= (struct sockaddr_in6
*) addrs
[3].buffer
;
2918 addrs
[3].buffer
[0] = AF_INET6
;
2919 ret
= inet_pton(AF_INET6
, "::1", &addr6
->sin6_addr
);
2920 torture_assert(tctx
, ret
> 0, "inet_pton failed");
2922 addrs
[4].size
= sizeof(struct sockaddr_in6
);
2923 addrs
[4].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[4].size
);
2924 addr6
= (struct sockaddr_in6
*) addrs
[4].buffer
;
2925 addrs
[4].buffer
[0] = AF_INET6
;
2926 ret
= inet_pton(AF_INET6
, "::", &addr6
->sin6_addr
);
2927 torture_assert(tctx
, ret
> 0, "inet_pton failed");
2929 addrs
[5].size
= sizeof(struct sockaddr_in6
);
2930 addrs
[5].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[5].size
);
2931 addr6
= (struct sockaddr_in6
*) addrs
[5].buffer
;
2932 addrs
[5].buffer
[0] = AF_INET6
;
2933 ret
= inet_pton(AF_INET6
, "ff02::1", &addr6
->sin6_addr
);
2934 torture_assert(tctx
, ret
> 0, "inet_pton failed");
2936 /* the test cases are repeated to have exactly 6. This is for
2937 * compatibility with IPv4-only machines */
2938 addrs
[3].size
= sizeof(struct sockaddr_in
);
2939 addrs
[3].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[3].size
);
2940 addr
= (struct sockaddr_in
*) addrs
[3].buffer
;
2941 addrs
[3].buffer
[0] = AF_INET
;
2942 ret
= inet_pton(AF_INET
, "127.0.0.1", &addr
->sin_addr
);
2943 torture_assert(tctx
, ret
> 0, "inet_pton failed");
2945 addrs
[4].size
= sizeof(struct sockaddr_in
);
2946 addrs
[4].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[4].size
);
2947 addr
= (struct sockaddr_in
*) addrs
[4].buffer
;
2948 addrs
[4].buffer
[0] = AF_INET
;
2949 ret
= inet_pton(AF_INET
, "0.0.0.0", &addr
->sin_addr
);
2950 torture_assert(tctx
, ret
> 0, "inet_pton failed");
2952 addrs
[5].size
= sizeof(struct sockaddr_in
);
2953 addrs
[5].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[5].size
);
2954 addr
= (struct sockaddr_in
*) addrs
[5].buffer
;
2955 addrs
[5].buffer
[0] = AF_INET
;
2956 ret
= inet_pton(AF_INET
, "255.255.255.255", &addr
->sin_addr
);
2957 torture_assert(tctx
, ret
> 0, "inet_pton failed");
2960 ctr
= talloc(tctx
, struct netr_DsRAddressToSitenamesWCtr
);
2962 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
2964 r
.in
.addresses
= addrs
;
2967 status
= dcerpc_netr_DsRAddressToSitenamesW_r(b
, tctx
, &r
);
2968 torture_assert_ntstatus_ok(tctx
, status
, "failed");
2969 torture_assert_werr_ok(tctx
, r
.out
.result
, "failed");
2971 if (sam_ctx
!= NULL
) {
2972 for (i
= 0; i
< 3; i
++) {
2973 torture_assert_casestr_equal(tctx
,
2974 ctr
->sitename
[i
].string
,
2975 server_site_name(tctx
, sam_ctx
),
2976 "didn't return default site");
2978 for (i
= 3; i
< 6; i
++) {
2979 /* Windows returns "NULL" for the sitename if it isn't
2980 * IPv6 configured */
2981 if (torture_setting_bool(tctx
, "samba4", false)) {
2982 torture_assert_casestr_equal(tctx
,
2983 ctr
->sitename
[i
].string
,
2984 server_site_name(tctx
, sam_ctx
),
2985 "didn't return default site");
2990 /* Now try invalid ones (too short buffers) */
3000 status
= dcerpc_netr_DsRAddressToSitenamesW_r(b
, tctx
, &r
);
3001 torture_assert_ntstatus_ok(tctx
, status
, "failed");
3002 torture_assert_werr_ok(tctx
, r
.out
.result
, "failed");
3004 for (i
= 0; i
< 6; i
++) {
3005 torture_assert(tctx
, ctr
->sitename
[i
].string
== NULL
,
3006 "sitename should be null");
3009 /* Now try invalid ones (wrong address types) */
3012 addrs
[0].buffer
[0] = AF_UNSPEC
;
3014 addrs
[1].buffer
[0] = AF_UNIX
; /* AF_LOCAL = AF_UNIX */
3016 addrs
[2].buffer
[0] = AF_UNIX
;
3019 addrs
[3].buffer
[0] = 250;
3021 addrs
[4].buffer
[0] = 251;
3023 addrs
[5].buffer
[0] = 252;
3025 status
= dcerpc_netr_DsRAddressToSitenamesW_r(b
, tctx
, &r
);
3026 torture_assert_ntstatus_ok(tctx
, status
, "failed");
3027 torture_assert_werr_ok(tctx
, r
.out
.result
, "failed");
3029 for (i
= 0; i
< 6; i
++) {
3030 torture_assert(tctx
, ctr
->sitename
[i
].string
== NULL
,
3031 "sitename should be null");
3037 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context
*tctx
,
3038 struct dcerpc_pipe
*p
)
3041 struct ldb_context
*sam_ctx
= NULL
;
3043 struct netr_DsRAddressToSitenamesExW r
;
3044 struct netr_DsRAddress addrs
[6];
3045 struct sockaddr_in
*addr
;
3047 struct sockaddr_in6
*addr6
;
3049 struct netr_DsRAddressToSitenamesExWCtr
*ctr
;
3050 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
3054 torture_comment(tctx
, "This does pass with the default site\n");
3056 /* We won't double-check this when we are over 'local' transports */
3057 if (dcerpc_server_name(p
)) {
3058 /* Set up connection to SAMDB on DC */
3059 url
= talloc_asprintf(tctx
, "ldap://%s", dcerpc_server_name(p
));
3060 sam_ctx
= ldb_wrap_connect(tctx
, tctx
->ev
, tctx
->lp_ctx
, url
,
3062 cmdline_credentials
,
3065 torture_assert(tctx
, sam_ctx
, "Connection to the SAMDB on DC failed!");
3068 /* First try valid IP addresses */
3070 addrs
[0].size
= sizeof(struct sockaddr_in
);
3071 addrs
[0].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[0].size
);
3072 addr
= (struct sockaddr_in
*) addrs
[0].buffer
;
3073 addrs
[0].buffer
[0] = AF_INET
;
3074 ret
= inet_pton(AF_INET
, "127.0.0.1", &addr
->sin_addr
);
3075 torture_assert(tctx
, ret
> 0, "inet_pton failed");
3077 addrs
[1].size
= sizeof(struct sockaddr_in
);
3078 addrs
[1].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[1].size
);
3079 addr
= (struct sockaddr_in
*) addrs
[1].buffer
;
3080 addrs
[1].buffer
[0] = AF_INET
;
3081 ret
= inet_pton(AF_INET
, "0.0.0.0", &addr
->sin_addr
);
3082 torture_assert(tctx
, ret
> 0, "inet_pton failed");
3084 addrs
[2].size
= sizeof(struct sockaddr_in
);
3085 addrs
[2].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[2].size
);
3086 addr
= (struct sockaddr_in
*) addrs
[2].buffer
;
3087 addrs
[2].buffer
[0] = AF_INET
;
3088 ret
= inet_pton(AF_INET
, "255.255.255.255", &addr
->sin_addr
);
3089 torture_assert(tctx
, ret
> 0, "inet_pton failed");
3092 addrs
[3].size
= sizeof(struct sockaddr_in6
);
3093 addrs
[3].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[3].size
);
3094 addr6
= (struct sockaddr_in6
*) addrs
[3].buffer
;
3095 addrs
[3].buffer
[0] = AF_INET6
;
3096 ret
= inet_pton(AF_INET6
, "::1", &addr6
->sin6_addr
);
3097 torture_assert(tctx
, ret
> 0, "inet_pton failed");
3099 addrs
[4].size
= sizeof(struct sockaddr_in6
);
3100 addrs
[4].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[4].size
);
3101 addr6
= (struct sockaddr_in6
*) addrs
[4].buffer
;
3102 addrs
[4].buffer
[0] = AF_INET6
;
3103 ret
= inet_pton(AF_INET6
, "::", &addr6
->sin6_addr
);
3104 torture_assert(tctx
, ret
> 0, "inet_pton failed");
3106 addrs
[5].size
= sizeof(struct sockaddr_in6
);
3107 addrs
[5].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[5].size
);
3108 addr6
= (struct sockaddr_in6
*) addrs
[5].buffer
;
3109 addrs
[5].buffer
[0] = AF_INET6
;
3110 ret
= inet_pton(AF_INET6
, "ff02::1", &addr6
->sin6_addr
);
3111 torture_assert(tctx
, ret
> 0, "inet_pton failed");
3113 /* the test cases are repeated to have exactly 6. This is for
3114 * compatibility with IPv4-only machines */
3115 addrs
[3].size
= sizeof(struct sockaddr_in
);
3116 addrs
[3].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[3].size
);
3117 addr
= (struct sockaddr_in
*) addrs
[3].buffer
;
3118 addrs
[3].buffer
[0] = AF_INET
;
3119 ret
= inet_pton(AF_INET
, "127.0.0.1", &addr
->sin_addr
);
3120 torture_assert(tctx
, ret
> 0, "inet_pton failed");
3122 addrs
[4].size
= sizeof(struct sockaddr_in
);
3123 addrs
[4].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[4].size
);
3124 addr
= (struct sockaddr_in
*) addrs
[4].buffer
;
3125 addrs
[4].buffer
[0] = AF_INET
;
3126 ret
= inet_pton(AF_INET
, "0.0.0.0", &addr
->sin_addr
);
3127 torture_assert(tctx
, ret
> 0, "inet_pton failed");
3129 addrs
[5].size
= sizeof(struct sockaddr_in
);
3130 addrs
[5].buffer
= talloc_zero_array(tctx
, uint8_t, addrs
[5].size
);
3131 addr
= (struct sockaddr_in
*) addrs
[5].buffer
;
3132 addrs
[5].buffer
[0] = AF_INET
;
3133 ret
= inet_pton(AF_INET
, "255.255.255.255", &addr
->sin_addr
);
3134 torture_assert(tctx
, ret
> 0, "inet_pton failed");
3137 ctr
= talloc(tctx
, struct netr_DsRAddressToSitenamesExWCtr
);
3139 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
3141 r
.in
.addresses
= addrs
;
3144 status
= dcerpc_netr_DsRAddressToSitenamesExW_r(b
, tctx
, &r
);
3145 torture_assert_ntstatus_ok(tctx
, status
, "failed");
3146 torture_assert_werr_ok(tctx
, r
.out
.result
, "failed");
3148 if (sam_ctx
!= NULL
) {
3149 for (i
= 0; i
< 3; i
++) {
3150 torture_assert_casestr_equal(tctx
,
3151 ctr
->sitename
[i
].string
,
3152 server_site_name(tctx
, sam_ctx
),
3153 "didn't return default site");
3154 torture_assert(tctx
, ctr
->subnetname
[i
].string
== NULL
,
3155 "subnet should be null");
3157 for (i
= 3; i
< 6; i
++) {
3158 /* Windows returns "NULL" for the sitename if it isn't
3159 * IPv6 configured */
3160 if (torture_setting_bool(tctx
, "samba4", false)) {
3161 torture_assert_casestr_equal(tctx
,
3162 ctr
->sitename
[i
].string
,
3163 server_site_name(tctx
, sam_ctx
),
3164 "didn't return default site");
3166 torture_assert(tctx
, ctr
->subnetname
[i
].string
== NULL
,
3167 "subnet should be null");
3171 /* Now try invalid ones (too short buffers) */
3181 status
= dcerpc_netr_DsRAddressToSitenamesExW_r(b
, tctx
, &r
);
3182 torture_assert_ntstatus_ok(tctx
, status
, "failed");
3183 torture_assert_werr_ok(tctx
, r
.out
.result
, "failed");
3185 for (i
= 0; i
< 6; i
++) {
3186 torture_assert(tctx
, ctr
->sitename
[i
].string
== NULL
,
3187 "sitename should be null");
3188 torture_assert(tctx
, ctr
->subnetname
[i
].string
== NULL
,
3189 "subnet should be null");
3193 addrs
[0].buffer
[0] = AF_UNSPEC
;
3195 addrs
[1].buffer
[0] = AF_UNIX
; /* AF_LOCAL = AF_UNIX */
3197 addrs
[2].buffer
[0] = AF_UNIX
;
3200 addrs
[3].buffer
[0] = 250;
3202 addrs
[4].buffer
[0] = 251;
3204 addrs
[5].buffer
[0] = 252;
3206 status
= dcerpc_netr_DsRAddressToSitenamesExW_r(b
, tctx
, &r
);
3207 torture_assert_ntstatus_ok(tctx
, status
, "failed");
3208 torture_assert_werr_ok(tctx
, r
.out
.result
, "failed");
3210 for (i
= 0; i
< 6; i
++) {
3211 torture_assert(tctx
, ctr
->sitename
[i
].string
== NULL
,
3212 "sitename should be null");
3213 torture_assert(tctx
, ctr
->subnetname
[i
].string
== NULL
,
3214 "subnet should be null");
3220 static bool test_netr_ServerGetTrustInfo_flags(struct torture_context
*tctx
,
3221 struct dcerpc_pipe
*p
,
3222 struct cli_credentials
*machine_credentials
,
3223 uint32_t negotiate_flags
)
3225 struct netr_ServerGetTrustInfo r
;
3227 struct netr_Authenticator a
;
3228 struct netr_Authenticator return_authenticator
;
3229 struct samr_Password new_owf_password
;
3230 struct samr_Password old_owf_password
;
3231 struct netr_TrustInfo
*trust_info
;
3233 struct netlogon_creds_CredentialState
*creds
;
3234 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
3236 struct samr_Password nt_hash
;
3238 if (!test_SetupCredentials3(p
, tctx
, negotiate_flags
,
3239 machine_credentials
, &creds
)) {
3243 netlogon_creds_client_authenticator(creds
, &a
);
3245 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
3246 r
.in
.account_name
= talloc_asprintf(tctx
, "%s$", TEST_MACHINE_NAME
);
3247 r
.in
.secure_channel_type
= cli_credentials_get_secure_channel_type(machine_credentials
);
3248 r
.in
.computer_name
= TEST_MACHINE_NAME
;
3249 r
.in
.credential
= &a
;
3251 r
.out
.return_authenticator
= &return_authenticator
;
3252 r
.out
.new_owf_password
= &new_owf_password
;
3253 r
.out
.old_owf_password
= &old_owf_password
;
3254 r
.out
.trust_info
= &trust_info
;
3256 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_ServerGetTrustInfo_r(b
, tctx
, &r
),
3257 "ServerGetTrustInfo failed");
3258 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "ServerGetTrustInfo failed");
3259 torture_assert(tctx
, netlogon_creds_client_check(creds
, &return_authenticator
.cred
), "Credential chaining failed");
3261 E_md4hash(cli_credentials_get_password(machine_credentials
), nt_hash
.hash
);
3263 netlogon_creds_des_decrypt(creds
, &new_owf_password
);
3265 dump_data(1, new_owf_password
.hash
, 16);
3266 dump_data(1, nt_hash
.hash
, 16);
3268 torture_assert_mem_equal(tctx
, new_owf_password
.hash
, nt_hash
.hash
, 16,
3269 "received unexpected owf password\n");
3274 static bool test_netr_ServerGetTrustInfo(struct torture_context
*tctx
,
3275 struct dcerpc_pipe
*p
,
3276 struct cli_credentials
*machine_credentials
)
3278 return test_netr_ServerGetTrustInfo_flags(tctx
, p
, machine_credentials
,
3279 NETLOGON_NEG_AUTH2_ADS_FLAGS
);
3282 static bool test_netr_ServerGetTrustInfo_AES(struct torture_context
*tctx
,
3283 struct dcerpc_pipe
*p
,
3284 struct cli_credentials
*machine_credentials
)
3286 return test_netr_ServerGetTrustInfo_flags(tctx
, p
, machine_credentials
,
3287 NETLOGON_NEG_AUTH2_ADS_FLAGS
| NETLOGON_NEG_SUPPORTS_AES
);
3290 static bool test_GetDomainInfo(struct torture_context
*tctx
,
3291 struct dcerpc_pipe
*p
,
3292 struct cli_credentials
*machine_credentials
)
3294 struct netr_LogonGetDomainInfo r
;
3295 struct netr_WorkstationInformation q1
;
3296 struct netr_Authenticator a
;
3297 struct netlogon_creds_CredentialState
*creds
;
3298 struct netr_OsVersion os
;
3299 union netr_WorkstationInfo query
;
3300 union netr_DomainInfo info
;
3301 const char* const attrs
[] = { "dNSHostName", "operatingSystem",
3302 "operatingSystemServicePack", "operatingSystemVersion",
3303 "servicePrincipalName", NULL
};
3305 struct ldb_context
*sam_ctx
= NULL
;
3306 struct ldb_message
**res
;
3307 struct ldb_message_element
*spn_el
;
3310 const char *old_dnsname
= NULL
;
3314 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
3316 torture_comment(tctx
, "Testing netr_LogonGetDomainInfo\n");
3318 if (!test_SetupCredentials3(p
, tctx
, NETLOGON_NEG_AUTH2_ADS_FLAGS
,
3319 machine_credentials
, &creds
)) {
3323 /* We won't double-check this when we are over 'local' transports */
3324 if (dcerpc_server_name(p
)) {
3325 /* Set up connection to SAMDB on DC */
3326 url
= talloc_asprintf(tctx
, "ldap://%s", dcerpc_server_name(p
));
3327 sam_ctx
= ldb_wrap_connect(tctx
, tctx
->ev
, tctx
->lp_ctx
, url
,
3329 cmdline_credentials
,
3332 torture_assert(tctx
, sam_ctx
, "Connection to the SAMDB on DC failed!");
3335 torture_comment(tctx
, "Testing netr_LogonGetDomainInfo 1st call (no variation of DNS hostname)\n");
3336 netlogon_creds_client_authenticator(creds
, &a
);
3339 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
3340 r
.in
.computer_name
= TEST_MACHINE_NAME
;
3341 r
.in
.credential
= &a
;
3343 r
.in
.return_authenticator
= &a
;
3344 r
.in
.query
= &query
;
3345 r
.out
.return_authenticator
= &a
;
3349 os
.os
.MajorVersion
= 123;
3350 os
.os
.MinorVersion
= 456;
3351 os
.os
.BuildNumber
= 789;
3352 os
.os
.CSDVersion
= "Service Pack 10";
3353 os
.os
.ServicePackMajor
= 10;
3354 os
.os
.ServicePackMinor
= 1;
3355 os
.os
.SuiteMask
= NETR_VER_SUITE_SINGLEUSERTS
;
3356 os
.os
.ProductType
= NETR_VER_NT_SERVER
;
3359 version_str
= talloc_asprintf(tctx
, "%d.%d (%d)", os
.os
.MajorVersion
,
3360 os
.os
.MinorVersion
, os
.os
.BuildNumber
);
3363 q1
.dns_hostname
= talloc_asprintf(tctx
, "%s.%s", TEST_MACHINE_NAME
,
3364 lpcfg_dnsdomain(tctx
->lp_ctx
));
3365 q1
.sitename
= "Default-First-Site-Name";
3366 q1
.os_version
.os
= &os
;
3367 q1
.os_name
.string
= talloc_asprintf(tctx
,
3368 "Tortured by Samba4 RPC-NETLOGON: %s",
3369 timestring(tctx
, time(NULL
)));
3371 /* The workstation handles the "servicePrincipalName" and DNS hostname
3373 q1
.workstation_flags
= NETR_WS_FLAG_HANDLES_SPN_UPDATE
;
3375 query
.workstation_info
= &q1
;
3378 /* Gets back the old DNS hostname in AD */
3379 ret
= gendb_search(sam_ctx
, tctx
, NULL
, &res
, attrs
,
3380 "(sAMAccountName=%s$)", TEST_MACHINE_NAME
);
3382 ldb_msg_find_attr_as_string(res
[0], "dNSHostName", NULL
);
3384 /* Gets back the "servicePrincipalName"s in AD */
3385 spn_el
= ldb_msg_find_element(res
[0], "servicePrincipalName");
3386 if (spn_el
!= NULL
) {
3387 for (i
=0; i
< spn_el
->num_values
; i
++) {
3388 spns
= talloc_realloc(tctx
, spns
, char *, i
+ 1);
3389 spns
[i
] = (char *) spn_el
->values
[i
].data
;
3395 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonGetDomainInfo_r(b
, tctx
, &r
),
3396 "LogonGetDomainInfo failed");
3397 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonGetDomainInfo failed");
3398 torture_assert(tctx
, netlogon_creds_client_check(creds
, &a
.cred
), "Credential chaining failed");
3403 /* AD workstation infos entry check */
3404 ret
= gendb_search(sam_ctx
, tctx
, NULL
, &res
, attrs
,
3405 "(sAMAccountName=%s$)", TEST_MACHINE_NAME
);
3406 torture_assert(tctx
, ret
== 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
3407 torture_assert_str_equal(tctx
,
3408 ldb_msg_find_attr_as_string(res
[0], "operatingSystem", NULL
),
3409 q1
.os_name
.string
, "'operatingSystem' wrong!");
3410 torture_assert_str_equal(tctx
,
3411 ldb_msg_find_attr_as_string(res
[0], "operatingSystemServicePack", NULL
),
3412 os
.os
.CSDVersion
, "'operatingSystemServicePack' wrong!");
3413 torture_assert_str_equal(tctx
,
3414 ldb_msg_find_attr_as_string(res
[0], "operatingSystemVersion", NULL
),
3415 version_str
, "'operatingSystemVersion' wrong!");
3417 if (old_dnsname
!= NULL
) {
3418 /* If before a DNS hostname was set then it should remain
3419 the same in combination with the "servicePrincipalName"s.
3420 The DNS hostname should also be returned by our
3421 "LogonGetDomainInfo" call (in the domain info structure). */
3423 torture_assert_str_equal(tctx
,
3424 ldb_msg_find_attr_as_string(res
[0], "dNSHostName", NULL
),
3425 old_dnsname
, "'DNS hostname' was not set!");
3427 spn_el
= ldb_msg_find_element(res
[0], "servicePrincipalName");
3428 torture_assert(tctx
, ((spns
!= NULL
) && (spn_el
!= NULL
)),
3429 "'servicePrincipalName's not set!");
3430 torture_assert(tctx
, spn_el
->num_values
== num_spns
,
3431 "'servicePrincipalName's incorrect!");
3432 for (i
=0; (i
< spn_el
->num_values
) && (i
< num_spns
); i
++)
3433 torture_assert_str_equal(tctx
,
3434 (char *) spn_el
->values
[i
].data
,
3435 spns
[i
], "'servicePrincipalName's incorrect!");
3437 torture_assert_str_equal(tctx
,
3438 info
.domain_info
->dns_hostname
.string
,
3440 "Out 'DNS hostname' doesn't match the old one!");
3442 /* If no DNS hostname was set then also now none should be set,
3443 the "servicePrincipalName"s should remain empty and no DNS
3444 hostname should be returned by our "LogonGetDomainInfo"
3445 call (in the domain info structure). */
3447 torture_assert(tctx
,
3448 ldb_msg_find_attr_as_string(res
[0], "dNSHostName", NULL
) == NULL
,
3449 "'DNS hostname' was set!");
3451 spn_el
= ldb_msg_find_element(res
[0], "servicePrincipalName");
3452 torture_assert(tctx
, ((spns
== NULL
) && (spn_el
== NULL
)),
3453 "'servicePrincipalName's were set!");
3455 torture_assert(tctx
,
3456 info
.domain_info
->dns_hostname
.string
== NULL
,
3457 "Out 'DNS host name' was set!");
3461 /* Checks "workstation flags" */
3462 torture_assert(tctx
,
3463 info
.domain_info
->workstation_flags
3464 == NETR_WS_FLAG_HANDLES_SPN_UPDATE
,
3465 "Out 'workstation flags' don't match!");
3468 torture_comment(tctx
, "Testing netr_LogonGetDomainInfo 2nd call (variation of DNS hostname doesn't work)\n");
3469 netlogon_creds_client_authenticator(creds
, &a
);
3471 /* Wipe out the osVersion, and prove which values still 'stick' */
3472 q1
.os_version
.os
= NULL
;
3474 /* Change also the DNS hostname to test differences in behaviour */
3475 talloc_free(discard_const_p(char, q1
.dns_hostname
));
3476 q1
.dns_hostname
= talloc_asprintf(tctx
, "%s2.%s", TEST_MACHINE_NAME
,
3477 lpcfg_dnsdomain(tctx
->lp_ctx
));
3479 /* The workstation handles the "servicePrincipalName" and DNS hostname
3481 q1
.workstation_flags
= NETR_WS_FLAG_HANDLES_SPN_UPDATE
;
3483 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonGetDomainInfo_r(b
, tctx
, &r
),
3484 "LogonGetDomainInfo failed");
3485 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonGetDomainInfo failed");
3487 torture_assert(tctx
, netlogon_creds_client_check(creds
, &a
.cred
), "Credential chaining failed");
3492 /* AD workstation infos entry check */
3493 ret
= gendb_search(sam_ctx
, tctx
, NULL
, &res
, attrs
,
3494 "(sAMAccountName=%s$)", TEST_MACHINE_NAME
);
3495 torture_assert(tctx
, ret
== 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
3497 torture_assert_str_equal(tctx
,
3498 ldb_msg_find_attr_as_string(res
[0], "operatingSystem", NULL
),
3499 q1
.os_name
.string
, "'operatingSystem' should stick!");
3500 torture_assert(tctx
,
3501 ldb_msg_find_attr_as_string(res
[0], "operatingSystemServicePack", NULL
) == NULL
,
3502 "'operatingSystemServicePack' shouldn't stick!");
3503 torture_assert(tctx
,
3504 ldb_msg_find_attr_as_string(res
[0], "operatingSystemVersion", NULL
) == NULL
,
3505 "'operatingSystemVersion' shouldn't stick!");
3507 /* The DNS host name shouldn't have been updated by the server */
3509 torture_assert_str_equal(tctx
,
3510 ldb_msg_find_attr_as_string(res
[0], "dNSHostName", NULL
),
3511 old_dnsname
, "'DNS host name' did change!");
3513 /* Find the two "servicePrincipalName"s which the DC shouldn't have been
3514 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
3516 spn_el
= ldb_msg_find_element(res
[0], "servicePrincipalName");
3517 torture_assert(tctx
, spn_el
!= NULL
,
3518 "There should exist 'servicePrincipalName's in AD!");
3519 temp_str
= talloc_asprintf(tctx
, "HOST/%s", TEST_MACHINE_NAME
);
3520 for (i
=0; i
< spn_el
->num_values
; i
++)
3521 if (strcasecmp((char *) spn_el
->values
[i
].data
, temp_str
) == 0)
3523 torture_assert(tctx
, i
!= spn_el
->num_values
,
3524 "'servicePrincipalName' HOST/<Netbios name> not found!");
3525 temp_str
= talloc_asprintf(tctx
, "HOST/%s", old_dnsname
);
3526 for (i
=0; i
< spn_el
->num_values
; i
++)
3527 if (strcasecmp((char *) spn_el
->values
[i
].data
, temp_str
) == 0)
3529 torture_assert(tctx
, i
!= spn_el
->num_values
,
3530 "'servicePrincipalName' HOST/<FQDN name> not found!");
3532 /* Check that the out DNS hostname was set properly */
3533 torture_assert_str_equal(tctx
, info
.domain_info
->dns_hostname
.string
,
3534 old_dnsname
, "Out 'DNS hostname' doesn't match the old one!");
3537 /* Checks "workstation flags" */
3538 torture_assert(tctx
,
3539 info
.domain_info
->workstation_flags
== NETR_WS_FLAG_HANDLES_SPN_UPDATE
,
3540 "Out 'workstation flags' don't match!");
3543 /* Now try the same but the workstation flags set to 0 */
3545 torture_comment(tctx
, "Testing netr_LogonGetDomainInfo 3rd call (variation of DNS hostname doesn't work)\n");
3546 netlogon_creds_client_authenticator(creds
, &a
);
3548 /* Change also the DNS hostname to test differences in behaviour */
3549 talloc_free(discard_const_p(char, q1
.dns_hostname
));
3550 q1
.dns_hostname
= talloc_asprintf(tctx
, "%s2.%s", TEST_MACHINE_NAME
,
3551 lpcfg_dnsdomain(tctx
->lp_ctx
));
3553 /* Wipe out the osVersion, and prove which values still 'stick' */
3554 q1
.os_version
.os
= NULL
;
3556 /* Let the DC handle the "servicePrincipalName" and DNS hostname
3558 q1
.workstation_flags
= 0;
3560 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonGetDomainInfo_r(b
, tctx
, &r
),
3561 "LogonGetDomainInfo failed");
3562 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonGetDomainInfo failed");
3563 torture_assert(tctx
, netlogon_creds_client_check(creds
, &a
.cred
), "Credential chaining failed");
3568 /* AD workstation infos entry check */
3569 ret
= gendb_search(sam_ctx
, tctx
, NULL
, &res
, attrs
,
3570 "(sAMAccountName=%s$)", TEST_MACHINE_NAME
);
3571 torture_assert(tctx
, ret
== 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
3573 torture_assert_str_equal(tctx
,
3574 ldb_msg_find_attr_as_string(res
[0], "operatingSystem", NULL
),
3575 q1
.os_name
.string
, "'operatingSystem' should stick!");
3576 torture_assert(tctx
,
3577 ldb_msg_find_attr_as_string(res
[0], "operatingSystemServicePack", NULL
) == NULL
,
3578 "'operatingSystemServicePack' shouldn't stick!");
3579 torture_assert(tctx
,
3580 ldb_msg_find_attr_as_string(res
[0], "operatingSystemVersion", NULL
) == NULL
,
3581 "'operatingSystemVersion' shouldn't stick!");
3583 /* The DNS host name shouldn't have been updated by the server */
3585 torture_assert_str_equal(tctx
,
3586 ldb_msg_find_attr_as_string(res
[0], "dNSHostName", NULL
),
3587 old_dnsname
, "'DNS host name' did change!");
3589 /* Find the two "servicePrincipalName"s which the DC shouldn't have been
3590 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
3592 spn_el
= ldb_msg_find_element(res
[0], "servicePrincipalName");
3593 torture_assert(tctx
, spn_el
!= NULL
,
3594 "There should exist 'servicePrincipalName's in AD!");
3595 temp_str
= talloc_asprintf(tctx
, "HOST/%s", TEST_MACHINE_NAME
);
3596 for (i
=0; i
< spn_el
->num_values
; i
++)
3597 if (strcasecmp((char *) spn_el
->values
[i
].data
, temp_str
) == 0)
3599 torture_assert(tctx
, i
!= spn_el
->num_values
,
3600 "'servicePrincipalName' HOST/<Netbios name> not found!");
3601 temp_str
= talloc_asprintf(tctx
, "HOST/%s", old_dnsname
);
3602 for (i
=0; i
< spn_el
->num_values
; i
++)
3603 if (strcasecmp((char *) spn_el
->values
[i
].data
, temp_str
) == 0)
3605 torture_assert(tctx
, i
!= spn_el
->num_values
,
3606 "'servicePrincipalName' HOST/<FQDN name> not found!");
3608 /* Here the server gives us NULL as the out DNS hostname */
3609 torture_assert(tctx
, info
.domain_info
->dns_hostname
.string
== NULL
,
3610 "Out 'DNS hostname' should be NULL!");
3613 /* Checks "workstation flags" */
3614 torture_assert(tctx
,
3615 info
.domain_info
->workstation_flags
== 0,
3616 "Out 'workstation flags' don't match!");
3619 torture_comment(tctx
, "Testing netr_LogonGetDomainInfo 4th call (verification of DNS hostname and check for trusted domains)\n");
3620 netlogon_creds_client_authenticator(creds
, &a
);
3622 /* Put the DNS hostname back */
3623 talloc_free(discard_const_p(char, q1
.dns_hostname
));
3624 q1
.dns_hostname
= talloc_asprintf(tctx
, "%s.%s", TEST_MACHINE_NAME
,
3625 lpcfg_dnsdomain(tctx
->lp_ctx
));
3627 /* The workstation handles the "servicePrincipalName" and DNS hostname
3629 q1
.workstation_flags
= NETR_WS_FLAG_HANDLES_SPN_UPDATE
;
3631 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonGetDomainInfo_r(b
, tctx
, &r
),
3632 "LogonGetDomainInfo failed");
3633 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonGetDomainInfo failed");
3634 torture_assert(tctx
, netlogon_creds_client_check(creds
, &a
.cred
), "Credential chaining failed");
3638 /* Now the in/out DNS hostnames should be the same */
3639 torture_assert_str_equal(tctx
,
3640 info
.domain_info
->dns_hostname
.string
,
3641 query
.workstation_info
->dns_hostname
,
3642 "In/Out 'DNS hostnames' don't match!");
3643 old_dnsname
= info
.domain_info
->dns_hostname
.string
;
3645 /* Checks "workstation flags" */
3646 torture_assert(tctx
,
3647 info
.domain_info
->workstation_flags
3648 == NETR_WS_FLAG_HANDLES_SPN_UPDATE
,
3649 "Out 'workstation flags' don't match!");
3651 /* Checks for trusted domains */
3652 torture_assert(tctx
,
3653 (info
.domain_info
->trusted_domain_count
!= 0)
3654 && (info
.domain_info
->trusted_domains
!= NULL
),
3655 "Trusted domains have been requested!");
3658 torture_comment(tctx
, "Testing netr_LogonGetDomainInfo 5th call (check for trusted domains)\n");
3659 netlogon_creds_client_authenticator(creds
, &a
);
3661 /* The workstation handles the "servicePrincipalName" and DNS hostname
3662 updates and requests inbound trusts */
3663 q1
.workstation_flags
= NETR_WS_FLAG_HANDLES_SPN_UPDATE
3664 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS
;
3666 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonGetDomainInfo_r(b
, tctx
, &r
),
3667 "LogonGetDomainInfo failed");
3668 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonGetDomainInfo failed");
3669 torture_assert(tctx
, netlogon_creds_client_check(creds
, &a
.cred
), "Credential chaining failed");
3673 /* Checks "workstation flags" */
3674 torture_assert(tctx
,
3675 info
.domain_info
->workstation_flags
3676 == (NETR_WS_FLAG_HANDLES_SPN_UPDATE
3677 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS
),
3678 "Out 'workstation flags' don't match!");
3680 /* Checks for trusted domains */
3681 torture_assert(tctx
,
3682 (info
.domain_info
->trusted_domain_count
!= 0)
3683 && (info
.domain_info
->trusted_domains
!= NULL
),
3684 "Trusted domains have been requested!");
3687 torture_comment(tctx
, "Testing netr_LogonGetDomainInfo 6th call (no DNS hostname)\n");
3688 netlogon_creds_client_authenticator(creds
, &a
);
3690 query
.workstation_info
->dns_hostname
= NULL
;
3692 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonGetDomainInfo_r(b
, tctx
, &r
),
3693 "LogonGetDomainInfo failed");
3694 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonGetDomainInfo failed");
3695 torture_assert(tctx
, netlogon_creds_client_check(creds
, &a
.cred
), "Credential chaining failed");
3697 /* The old DNS hostname should stick */
3698 torture_assert_str_equal(tctx
,
3699 info
.domain_info
->dns_hostname
.string
,
3701 "'DNS hostname' changed!");
3703 torture_comment(tctx
, "Testing netr_LogonGetDomainInfo 7th call (extra workstation flags)\n");
3704 netlogon_creds_client_authenticator(creds
, &a
);
3706 q1
.workstation_flags
= NETR_WS_FLAG_HANDLES_SPN_UPDATE
3707 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS
| 0x4;
3709 /* Put the DNS hostname back */
3710 talloc_free(discard_const_p(char, q1
.dns_hostname
));
3711 q1
.dns_hostname
= talloc_asprintf(tctx
, "%s.%s", TEST_MACHINE_NAME
,
3712 lpcfg_dnsdomain(tctx
->lp_ctx
));
3714 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonGetDomainInfo_r(b
, tctx
, &r
),
3715 "LogonGetDomainInfo failed");
3716 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonGetDomainInfo failed");
3717 torture_assert(tctx
, netlogon_creds_client_check(creds
, &a
.cred
), "Credential chaining failed");
3719 /* Checks "workstation flags" */
3720 torture_assert(tctx
,
3721 info
.domain_info
->workstation_flags
3722 == (NETR_WS_FLAG_HANDLES_SPN_UPDATE
3723 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS
),
3724 "Out 'workstation flags' don't match!");
3726 if (!torture_setting_bool(tctx
, "dangerous", false)) {
3727 torture_comment(tctx
, "Not testing netr_LogonGetDomainInfo 8th call (no workstation info) - enable dangerous tests in order to do so\n");
3729 /* Try a call without the workstation information structure */
3731 torture_comment(tctx
, "Testing netr_LogonGetDomainInfo 8th call (no workstation info)\n");
3732 netlogon_creds_client_authenticator(creds
, &a
);
3734 query
.workstation_info
= NULL
;
3736 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonGetDomainInfo_r(b
, tctx
, &r
),
3737 "LogonGetDomainInfo failed");
3738 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonGetDomainInfo failed");
3739 torture_assert(tctx
, netlogon_creds_client_check(creds
, &a
.cred
), "Credential chaining failed");
3745 static bool test_GetDomainInfo_async(struct torture_context
*tctx
,
3746 struct dcerpc_pipe
*p
,
3747 struct cli_credentials
*machine_credentials
)
3750 struct netr_LogonGetDomainInfo r
;
3751 struct netr_WorkstationInformation q1
;
3752 struct netr_Authenticator a
;
3753 #define ASYNC_COUNT 100
3754 struct netlogon_creds_CredentialState
*creds
;
3755 struct netlogon_creds_CredentialState
*creds_async
[ASYNC_COUNT
];
3756 struct tevent_req
*req
[ASYNC_COUNT
];
3758 union netr_WorkstationInfo query
;
3759 union netr_DomainInfo info
;
3761 torture_comment(tctx
, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT
);
3763 if (!test_SetupCredentials3(p
, tctx
, NETLOGON_NEG_AUTH2_ADS_FLAGS
,
3764 machine_credentials
, &creds
)) {
3769 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
3770 r
.in
.computer_name
= TEST_MACHINE_NAME
;
3771 r
.in
.credential
= &a
;
3773 r
.in
.return_authenticator
= &a
;
3774 r
.in
.query
= &query
;
3775 r
.out
.return_authenticator
= &a
;
3779 q1
.dns_hostname
= talloc_asprintf(tctx
, "%s.%s", TEST_MACHINE_NAME
,
3780 lpcfg_dnsdomain(tctx
->lp_ctx
));
3781 q1
.sitename
= "Default-First-Site-Name";
3782 q1
.os_name
.string
= "UNIX/Linux or similar";
3784 query
.workstation_info
= &q1
;
3786 for (i
=0;i
<ASYNC_COUNT
;i
++) {
3787 netlogon_creds_client_authenticator(creds
, &a
);
3789 creds_async
[i
] = (struct netlogon_creds_CredentialState
*)talloc_memdup(creds
, creds
, sizeof(*creds
));
3790 req
[i
] = dcerpc_netr_LogonGetDomainInfo_r_send(tctx
, tctx
->ev
, p
->binding_handle
, &r
);
3792 /* even with this flush per request a w2k3 server seems to
3793 clag with multiple outstanding requests. bleergh. */
3794 torture_assert_int_equal(tctx
, tevent_loop_once(tctx
->ev
), 0,
3795 "tevent_loop_once failed");
3798 for (i
=0;i
<ASYNC_COUNT
;i
++) {
3799 torture_assert_int_equal(tctx
, tevent_req_poll(req
[i
], tctx
->ev
), true,
3800 "tevent_req_poll() failed");
3802 status
= dcerpc_netr_LogonGetDomainInfo_r_recv(req
[i
], tctx
);
3804 torture_assert_ntstatus_ok(tctx
, status
, "netr_LogonGetDomainInfo_async");
3805 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "netr_LogonGetDomainInfo_async");
3807 torture_assert(tctx
, netlogon_creds_client_check(creds_async
[i
], &a
.cred
),
3808 "Credential chaining failed at async");
3811 torture_comment(tctx
,
3812 "Testing netr_LogonGetDomainInfo - async count %d OK\n", ASYNC_COUNT
);
3817 static bool test_ManyGetDCName(struct torture_context
*tctx
,
3818 struct dcerpc_pipe
*p
)
3821 struct dcerpc_pipe
*p2
;
3822 struct lsa_ObjectAttribute attr
;
3823 struct lsa_QosInfo qos
;
3824 struct lsa_OpenPolicy2 o
;
3825 struct policy_handle lsa_handle
;
3826 struct lsa_DomainList domains
;
3828 struct lsa_EnumTrustDom t
;
3829 uint32_t resume_handle
= 0;
3830 struct netr_GetAnyDCName d
;
3831 const char *dcname
= NULL
;
3832 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
3833 struct dcerpc_binding_handle
*b2
;
3837 if (p
->conn
->transport
.transport
!= NCACN_NP
) {
3841 torture_comment(tctx
, "Torturing GetDCName\n");
3843 status
= dcerpc_secondary_connection(p
, &p2
, p
->binding
);
3844 torture_assert_ntstatus_ok(tctx
, status
, "Failed to create secondary connection");
3846 status
= dcerpc_bind_auth_none(p2
, &ndr_table_lsarpc
);
3847 torture_assert_ntstatus_ok(tctx
, status
, "Failed to create bind on secondary connection");
3848 b2
= p2
->binding_handle
;
3851 qos
.impersonation_level
= 2;
3852 qos
.context_mode
= 1;
3853 qos
.effective_only
= 0;
3856 attr
.root_dir
= NULL
;
3857 attr
.object_name
= NULL
;
3858 attr
.attributes
= 0;
3859 attr
.sec_desc
= NULL
;
3860 attr
.sec_qos
= &qos
;
3862 o
.in
.system_name
= "\\";
3864 o
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
3865 o
.out
.handle
= &lsa_handle
;
3867 torture_assert_ntstatus_ok(tctx
, dcerpc_lsa_OpenPolicy2_r(b2
, tctx
, &o
),
3868 "OpenPolicy2 failed");
3869 torture_assert_ntstatus_ok(tctx
, o
.out
.result
, "OpenPolicy2 failed");
3871 t
.in
.handle
= &lsa_handle
;
3872 t
.in
.resume_handle
= &resume_handle
;
3873 t
.in
.max_size
= 1000;
3874 t
.out
.domains
= &domains
;
3875 t
.out
.resume_handle
= &resume_handle
;
3877 torture_assert_ntstatus_ok(tctx
, dcerpc_lsa_EnumTrustDom_r(b2
, tctx
, &t
),
3878 "EnumTrustDom failed");
3880 if ((!NT_STATUS_IS_OK(t
.out
.result
) &&
3881 (!NT_STATUS_EQUAL(t
.out
.result
, NT_STATUS_NO_MORE_ENTRIES
))))
3882 torture_fail(tctx
, "Could not list domains");
3886 d
.in
.logon_server
= talloc_asprintf(tctx
, "\\\\%s",
3887 dcerpc_server_name(p
));
3888 d
.out
.dcname
= &dcname
;
3890 for (i
=0; i
<domains
.count
* 4; i
++) {
3891 struct lsa_DomainInfo
*info
=
3892 &domains
.domains
[rand()%domains
.count
];
3894 d
.in
.domainname
= info
->name
.string
;
3896 status
= dcerpc_netr_GetAnyDCName_r(b
, tctx
, &d
);
3897 torture_assert_ntstatus_ok(tctx
, status
, "GetAnyDCName");
3899 torture_comment(tctx
, "\tDC for domain %s is %s\n", info
->name
.string
,
3900 dcname
? dcname
: "unknown");
3906 static bool test_SetPassword_with_flags(struct torture_context
*tctx
,
3907 struct dcerpc_pipe
*p
,
3908 struct cli_credentials
*machine_credentials
)
3910 uint32_t flags
[] = { 0, NETLOGON_NEG_STRONG_KEYS
};
3911 struct netlogon_creds_CredentialState
*creds
;
3914 if (!test_SetupCredentials2(p
, tctx
, 0,
3915 machine_credentials
,
3916 cli_credentials_get_secure_channel_type(machine_credentials
),
3918 torture_skip(tctx
, "DC does not support negotiation of 64bit session keys");
3921 for (i
=0; i
< ARRAY_SIZE(flags
); i
++) {
3922 torture_assert(tctx
,
3923 test_SetPassword_flags(tctx
, p
, machine_credentials
, flags
[i
]),
3924 talloc_asprintf(tctx
, "failed to test SetPassword negotiating with 0x%08x flags", flags
[i
]));
3930 struct torture_suite
*torture_rpc_netlogon(TALLOC_CTX
*mem_ctx
)
3932 struct torture_suite
*suite
= torture_suite_create(mem_ctx
, "netlogon");
3933 struct torture_rpc_tcase
*tcase
;
3934 struct torture_test
*test
;
3936 tcase
= torture_suite_add_machine_bdc_rpc_iface_tcase(suite
, "netlogon",
3937 &ndr_table_netlogon
, TEST_MACHINE_NAME
);
3939 torture_rpc_tcase_add_test(tcase
, "Broken RPC binding handle",
3940 test_netr_broken_binding_handle
);
3942 torture_rpc_tcase_add_test(tcase
, "LogonUasLogon", test_LogonUasLogon
);
3943 torture_rpc_tcase_add_test(tcase
, "LogonUasLogoff", test_LogonUasLogoff
);
3944 torture_rpc_tcase_add_test_creds(tcase
, "SamLogon", test_SamLogon
);
3945 torture_rpc_tcase_add_test_creds(tcase
, "invalidAuthenticate2", test_invalidAuthenticate2
);
3946 torture_rpc_tcase_add_test_creds(tcase
, "SetPassword", test_SetPassword
);
3947 torture_rpc_tcase_add_test_creds(tcase
, "SetPassword2", test_SetPassword2
);
3948 torture_rpc_tcase_add_test_creds(tcase
, "SetPassword2_AES", test_SetPassword2_AES
);
3949 torture_rpc_tcase_add_test_creds(tcase
, "GetPassword", test_GetPassword
);
3950 torture_rpc_tcase_add_test_creds(tcase
, "GetTrustPasswords", test_GetTrustPasswords
);
3951 torture_rpc_tcase_add_test_creds(tcase
, "GetDomainInfo", test_GetDomainInfo
);
3952 torture_rpc_tcase_add_test_creds(tcase
, "DatabaseSync", test_DatabaseSync
);
3953 torture_rpc_tcase_add_test_creds(tcase
, "DatabaseDeltas", test_DatabaseDeltas
);
3954 torture_rpc_tcase_add_test_creds(tcase
, "DatabaseRedo", test_DatabaseRedo
);
3955 torture_rpc_tcase_add_test_creds(tcase
, "AccountDeltas", test_AccountDeltas
);
3956 torture_rpc_tcase_add_test_creds(tcase
, "AccountSync", test_AccountSync
);
3957 torture_rpc_tcase_add_test(tcase
, "GetDcName", test_GetDcName
);
3958 torture_rpc_tcase_add_test(tcase
, "ManyGetDCName", test_ManyGetDCName
);
3959 torture_rpc_tcase_add_test(tcase
, "GetAnyDCName", test_GetAnyDCName
);
3960 torture_rpc_tcase_add_test_creds(tcase
, "DatabaseSync2", test_DatabaseSync2
);
3961 torture_rpc_tcase_add_test(tcase
, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts
);
3962 torture_rpc_tcase_add_test(tcase
, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains
);
3963 torture_rpc_tcase_add_test(tcase
, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx
);
3964 test
= torture_rpc_tcase_add_test_creds(tcase
, "GetDomainInfo_async", test_GetDomainInfo_async
);
3965 test
->dangerous
= true;
3966 torture_rpc_tcase_add_test(tcase
, "DsRGetDCName", test_netr_DsRGetDCName
);
3967 torture_rpc_tcase_add_test(tcase
, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx
);
3968 torture_rpc_tcase_add_test(tcase
, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2
);
3969 torture_rpc_tcase_add_test(tcase
, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW
);
3970 torture_rpc_tcase_add_test(tcase
, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW
);
3971 torture_rpc_tcase_add_test(tcase
, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW
);
3972 torture_rpc_tcase_add_test_creds(tcase
, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo
);
3973 torture_rpc_tcase_add_test_creds(tcase
, "ServerGetTrustInfo_AES", test_netr_ServerGetTrustInfo_AES
);
3974 torture_rpc_tcase_add_test_creds(tcase
, "GetForestTrustInformation", test_netr_GetForestTrustInformation
);
3979 struct torture_suite
*torture_rpc_netlogon_s3(TALLOC_CTX
*mem_ctx
)
3981 struct torture_suite
*suite
= torture_suite_create(mem_ctx
, "netlogon-s3");
3982 struct torture_rpc_tcase
*tcase
;
3984 tcase
= torture_suite_add_machine_bdc_rpc_iface_tcase(suite
, "netlogon",
3985 &ndr_table_netlogon
, TEST_MACHINE_NAME
);
3987 torture_rpc_tcase_add_test_creds(tcase
, "SamLogon", test_SamLogon
);
3988 torture_rpc_tcase_add_test_creds(tcase
, "SamLogon_NULL_domain", test_SamLogon_NULL_domain
);
3989 torture_rpc_tcase_add_test_creds(tcase
, "SetPassword", test_SetPassword
);
3990 torture_rpc_tcase_add_test_creds(tcase
, "SetPassword_with_flags", test_SetPassword_with_flags
);
3991 torture_rpc_tcase_add_test_creds(tcase
, "SetPassword2", test_SetPassword2
);
3992 torture_rpc_tcase_add_test_creds(tcase
, "SetPassword2_AES", test_SetPassword2_AES
);
3993 torture_rpc_tcase_add_test(tcase
, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains
);
3998 struct torture_suite
*torture_rpc_netlogon_admin(TALLOC_CTX
*mem_ctx
)
4000 struct torture_suite
*suite
= torture_suite_create(mem_ctx
, "netlogon.admin");
4001 struct torture_rpc_tcase
*tcase
;
4003 tcase
= torture_suite_add_machine_bdc_rpc_iface_tcase(suite
, "netlogon",
4004 &ndr_table_netlogon
, TEST_MACHINE_NAME
);
4005 torture_rpc_tcase_add_test_creds(tcase
, "LogonControl", test_LogonControl
);
4006 torture_rpc_tcase_add_test_creds(tcase
, "LogonControl2", test_LogonControl2
);
4007 torture_rpc_tcase_add_test_creds(tcase
, "LogonControl2Ex", test_LogonControl2Ex
);
4009 tcase
= torture_suite_add_machine_workstation_rpc_iface_tcase(suite
, "netlogon",
4010 &ndr_table_netlogon
, TEST_MACHINE_NAME
);
4011 torture_rpc_tcase_add_test_creds(tcase
, "LogonControl", test_LogonControl
);
4012 torture_rpc_tcase_add_test_creds(tcase
, "LogonControl2", test_LogonControl2
);
4013 torture_rpc_tcase_add_test_creds(tcase
, "LogonControl2Ex", test_LogonControl2Ex
);
4015 tcase
= torture_suite_add_rpc_iface_tcase(suite
, "netlogon",
4016 &ndr_table_netlogon
);
4017 torture_rpc_tcase_add_test_creds(tcase
, "LogonControl", test_LogonControl
);
4018 torture_rpc_tcase_add_test_creds(tcase
, "LogonControl2", test_LogonControl2
);
4019 torture_rpc_tcase_add_test_creds(tcase
, "LogonControl2Ex", test_LogonControl2Ex
);