search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: Clarify smb2 lock checks
[Samba.git] / source4 / torture / rpc / samba3rpc.c
blobdbed3efdb2a47bbf537ebdfe890da6d144369bfc
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc torture tests, designed to walk Samba3 code paths
5
6 Copyright (C) Volker Lendecke 2006
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libcli/raw/libcliraw.h"
24 #include "libcli/raw/raw_proto.h"
25 #include "torture/util.h"
26 #include "libcli/rap/rap.h"
27 #include "librpc/gen_ndr/ndr_lsa_c.h"
28 #include "librpc/gen_ndr/ndr_samr_c.h"
29 #include "librpc/gen_ndr/ndr_netlogon_c.h"
30 #include "librpc/gen_ndr/ndr_srvsvc_c.h"
31 #include "librpc/gen_ndr/ndr_spoolss_c.h"
32 #include "librpc/gen_ndr/ndr_winreg_c.h"
33 #include "librpc/gen_ndr/ndr_wkssvc_c.h"
34 #include "lib/cmdline/popt_common.h"
35 #include "torture/rpc/torture_rpc.h"
36 #include "libcli/libcli.h"
37 #include "libcli/smb_composite/smb_composite.h"
38 #include "libcli/auth/libcli_auth.h"
39 #include "../lib/crypto/crypto.h"
40 #include "libcli/security/security.h"
41 #include "param/param.h"
42 #include "lib/registry/registry.h"
43 #include "libcli/resolve/resolve.h"
44 #include "torture/ndr/ndr.h"
45 #include "libcli/smb2/smb2.h"
46 #include "libcli/smb2/smb2_calls.h"
47 #include "librpc/rpc/dcerpc.h"
48 #include "librpc/rpc/dcerpc_proto.h"
49 #include "../source3/libsmb/smb2cli.h"
50 #include "libcli/smb/smbXcli_base.h"
51
52 /*
53 * This tests a RPC call using an invalid vuid
54 */
55
56 bool torture_bind_authcontext(struct torture_context *torture)
57 {
58 TALLOC_CTX *mem_ctx;
59 NTSTATUS status;
60 bool ret = false;
61 struct lsa_ObjectAttribute objectattr;
62 struct lsa_OpenPolicy2 openpolicy;
63 struct policy_handle handle;
64 struct lsa_Close close_handle;
65 struct smbcli_session *tmp;
66 uint16_t tmp_vuid;
67 struct smbcli_session *session2;
68 struct smbcli_state *cli;
69 struct dcerpc_pipe *lsa_pipe;
70 struct dcerpc_binding_handle *lsa_handle;
71 struct cli_credentials *anon_creds;
72 struct smb_composite_sesssetup setup;
73 struct smbcli_options options;
74 struct smbcli_session_options session_options;
75
76 mem_ctx = talloc_init("torture_bind_authcontext");
77
78 if (mem_ctx == NULL) {
79 torture_comment(torture, "talloc_init failed\n");
80 return false;
81 }
82
83 lpcfg_smbcli_options(torture->lp_ctx, &options);
84 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
85
86 status = smbcli_full_connection(mem_ctx, &cli,
87 torture_setting_string(torture, "host", NULL),
88 lpcfg_smb_ports(torture->lp_ctx),
89 "IPC$", NULL,
90 lpcfg_socket_options(torture->lp_ctx),
91 cmdline_credentials,
92 lpcfg_resolve_context(torture->lp_ctx),
93 torture->ev, &options, &session_options,
94 lpcfg_gensec_settings(torture, torture->lp_ctx));
95 if (!NT_STATUS_IS_OK(status)) {
96 torture_comment(torture, "smbcli_full_connection failed: %s\n",
97 nt_errstr(status));
98 goto done;
99 }
100
101 lsa_pipe = dcerpc_pipe_init(mem_ctx, torture->ev);
102 if (lsa_pipe == NULL) {
103 torture_comment(torture, "dcerpc_pipe_init failed\n");
104 goto done;
105 }
106 lsa_handle = lsa_pipe->binding_handle;
107
108 status = dcerpc_pipe_open_smb(lsa_pipe, cli->tree, "\\lsarpc");
109 if (!NT_STATUS_IS_OK(status)) {
110 torture_comment(torture, "dcerpc_pipe_open_smb failed: %s\n",
111 nt_errstr(status));
112 goto done;
113 }
114
115 status = dcerpc_bind_auth_none(lsa_pipe, &ndr_table_lsarpc);
116 if (!NT_STATUS_IS_OK(status)) {
117 torture_comment(torture, "dcerpc_bind_auth_none failed: %s\n",
118 nt_errstr(status));
119 goto done;
120 }
121
122 openpolicy.in.system_name =talloc_asprintf(
123 mem_ctx, "\\\\%s", dcerpc_server_name(lsa_pipe));
124 ZERO_STRUCT(objectattr);
125 openpolicy.in.attr = &objectattr;
126 openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
127 openpolicy.out.handle = &handle;
128
129 status = dcerpc_lsa_OpenPolicy2_r(lsa_handle, mem_ctx, &openpolicy);
130
131 if (!NT_STATUS_IS_OK(status)) {
132 torture_comment(torture, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
133 nt_errstr(status));
134 goto done;
135 }
136 if (!NT_STATUS_IS_OK(openpolicy.out.result)) {
137 torture_comment(torture, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
138 nt_errstr(openpolicy.out.result));
139 goto done;
140 }
141
142 close_handle.in.handle = &handle;
143 close_handle.out.handle = &handle;
144
145 status = dcerpc_lsa_Close_r(lsa_handle, mem_ctx, &close_handle);
146 if (!NT_STATUS_IS_OK(status)) {
147 torture_comment(torture, "dcerpc_lsa_Close failed: %s\n",
148 nt_errstr(status));
149 goto done;
150 }
151 if (!NT_STATUS_IS_OK(close_handle.out.result)) {
152 torture_comment(torture, "dcerpc_lsa_Close failed: %s\n",
153 nt_errstr(close_handle.out.result));
154 goto done;
155 }
156
157 session2 = smbcli_session_init(cli->transport, mem_ctx, false, session_options);
158 if (session2 == NULL) {
159 torture_comment(torture, "smbcli_session_init failed\n");
160 goto done;
161 }
162
163 if (!(anon_creds = cli_credentials_init_anon(mem_ctx))) {
164 torture_comment(torture, "create_anon_creds failed\n");
165 goto done;
166 }
167
168 setup.in.sesskey = cli->transport->negotiate.sesskey;
169 setup.in.capabilities = cli->transport->negotiate.capabilities;
170 setup.in.workgroup = "";
171 setup.in.credentials = anon_creds;
172 setup.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
173
174 status = smb_composite_sesssetup(session2, &setup);
175 if (!NT_STATUS_IS_OK(status)) {
176 torture_comment(torture, "anon session setup failed: %s\n",
177 nt_errstr(status));
178 goto done;
179 }
180 session2->vuid = setup.out.vuid;
181
182 tmp = cli->tree->session;
183 tmp_vuid = smb1cli_session_current_id(tmp->smbXcli);
184 smb1cli_session_set_id(tmp->smbXcli, session2->vuid);
185 cli->tree->session = session2;
186
187 status = dcerpc_lsa_OpenPolicy2_r(lsa_handle, mem_ctx, &openpolicy);
188
189 torture_assert(torture, smbXcli_conn_is_connected(cli->transport->conn),
190 "smb still connected");
191 torture_assert(torture, !dcerpc_binding_handle_is_connected(lsa_handle),
192 "dcerpc disonnected");
193
194 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
195 torture_comment(torture, "dcerpc_lsa_OpenPolicy2 with wrong vuid gave %s, "
196 "expected NT_STATUS_IO_DEVICE_ERROR\n",
197 nt_errstr(status));
198 status = NT_STATUS_IO_DEVICE_ERROR;
199 }
200
201 torture_assert_ntstatus_equal(torture, status, NT_STATUS_IO_DEVICE_ERROR,
202 "lsa io device error");
203
204 smb1cli_session_set_id(tmp->smbXcli, tmp_vuid);
205 cli->tree->session = tmp;
206 talloc_free(lsa_pipe);
207 lsa_pipe = NULL;
208
209 ret = true;
210 done:
211 talloc_free(mem_ctx);
212 return ret;
213 }
214
215 /*
216 * Bind to lsa using a specific auth method
217 */
218
219 static bool bindtest(struct torture_context *tctx,
220 struct smbcli_state *cli,
221 struct cli_credentials *credentials,
222 uint8_t auth_type, uint8_t auth_level)
223 {
224 TALLOC_CTX *mem_ctx;
225 bool ret = false;
226 NTSTATUS status;
227
228 struct dcerpc_pipe *lsa_pipe;
229 struct dcerpc_binding_handle *lsa_handle;
230 struct lsa_ObjectAttribute objectattr;
231 struct lsa_OpenPolicy2 openpolicy;
232 struct lsa_QueryInfoPolicy query;
233 union lsa_PolicyInformation *info = NULL;
234 struct policy_handle handle;
235 struct lsa_Close close_handle;
236
237 if ((mem_ctx = talloc_init("bindtest")) == NULL) {
238 torture_comment(tctx, "talloc_init failed\n");
239 return false;
240 }
241
242 lsa_pipe = dcerpc_pipe_init(mem_ctx, tctx->ev);
243 if (lsa_pipe == NULL) {
244 torture_comment(tctx, "dcerpc_pipe_init failed\n");
245 goto done;
246 }
247 lsa_handle = lsa_pipe->binding_handle;
248
249 status = dcerpc_pipe_open_smb(lsa_pipe, cli->tree, "\\lsarpc");
250 if (!NT_STATUS_IS_OK(status)) {
251 torture_comment(tctx, "dcerpc_pipe_open_smb failed: %s\n",
252 nt_errstr(status));
253 goto done;
254 }
255
256 status = dcerpc_bind_auth(lsa_pipe, &ndr_table_lsarpc,
257 credentials, lpcfg_gensec_settings(tctx->lp_ctx, tctx->lp_ctx), auth_type, auth_level,
258 NULL);
259 if (!NT_STATUS_IS_OK(status)) {
260 torture_comment(tctx, "dcerpc_bind_auth failed: %s\n", nt_errstr(status));
261 goto done;
262 }
263
264 openpolicy.in.system_name =talloc_asprintf(
265 mem_ctx, "\\\\%s", dcerpc_server_name(lsa_pipe));
266 ZERO_STRUCT(objectattr);
267 openpolicy.in.attr = &objectattr;
268 openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
269 openpolicy.out.handle = &handle;
270
271 status = dcerpc_lsa_OpenPolicy2_r(lsa_handle, mem_ctx, &openpolicy);
272
273 if (!NT_STATUS_IS_OK(status)) {
274 torture_comment(tctx, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
275 nt_errstr(status));
276 goto done;
277 }
278 if (!NT_STATUS_IS_OK(openpolicy.out.result)) {
279 torture_comment(tctx, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
280 nt_errstr(openpolicy.out.result));
281 goto done;
282 }
283
284 query.in.handle = &handle;
285 query.in.level = LSA_POLICY_INFO_DOMAIN;
286 query.out.info = &info;
287
288 status = dcerpc_lsa_QueryInfoPolicy_r(lsa_handle, mem_ctx, &query);
289 if (!NT_STATUS_IS_OK(status)) {
290 torture_comment(tctx, "dcerpc_lsa_QueryInfoPolicy failed: %s\n",
291 nt_errstr(status));
292 goto done;
293 }
294 if (!NT_STATUS_IS_OK(query.out.result)) {
295 torture_comment(tctx, "dcerpc_lsa_QueryInfoPolicy failed: %s\n",
296 nt_errstr(query.out.result));
297 goto done;
298 }
299
300 close_handle.in.handle = &handle;
301 close_handle.out.handle = &handle;
302
303 status = dcerpc_lsa_Close_r(lsa_handle, mem_ctx, &close_handle);
304 if (!NT_STATUS_IS_OK(status)) {
305 torture_comment(tctx, "dcerpc_lsa_Close failed: %s\n",
306 nt_errstr(status));
307 goto done;
308 }
309 if (!NT_STATUS_IS_OK(close_handle.out.result)) {
310 torture_comment(tctx, "dcerpc_lsa_Close failed: %s\n",
311 nt_errstr(close_handle.out.result));
312 goto done;
313 }
314
315
316 ret = true;
317 done:
318 talloc_free(mem_ctx);
319 return ret;
320 }
321
322 /*
323 * test authenticated RPC binds with the variants Samba3 does support
324 */
325
326 static bool torture_bind_samba3(struct torture_context *torture)
327 {
328 TALLOC_CTX *mem_ctx;
329 NTSTATUS status;
330 bool ret = false;
331 struct smbcli_state *cli;
332 struct smbcli_options options;
333 struct smbcli_session_options session_options;
334
335 mem_ctx = talloc_init("torture_bind_authcontext");
336
337 if (mem_ctx == NULL) {
338 torture_comment(torture, "talloc_init failed\n");
339 return false;
340 }
341
342 lpcfg_smbcli_options(torture->lp_ctx, &options);
343 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
344
345 status = smbcli_full_connection(mem_ctx, &cli,
346 torture_setting_string(torture, "host", NULL),
347 lpcfg_smb_ports(torture->lp_ctx),
348 "IPC$", NULL,
349 lpcfg_socket_options(torture->lp_ctx),
350 cmdline_credentials,
351 lpcfg_resolve_context(torture->lp_ctx),
352 torture->ev, &options, &session_options,
353 lpcfg_gensec_settings(torture, torture->lp_ctx));
354 if (!NT_STATUS_IS_OK(status)) {
355 torture_comment(torture, "smbcli_full_connection failed: %s\n",
356 nt_errstr(status));
357 goto done;
358 }
359
360 ret = true;
361
362 ret &= bindtest(torture, cli, cmdline_credentials, DCERPC_AUTH_TYPE_NTLMSSP,
363 DCERPC_AUTH_LEVEL_INTEGRITY);
364 ret &= bindtest(torture, cli, cmdline_credentials, DCERPC_AUTH_TYPE_NTLMSSP,
365 DCERPC_AUTH_LEVEL_PRIVACY);
366 ret &= bindtest(torture, cli, cmdline_credentials, DCERPC_AUTH_TYPE_SPNEGO,
367 DCERPC_AUTH_LEVEL_INTEGRITY);
368 ret &= bindtest(torture, cli, cmdline_credentials, DCERPC_AUTH_TYPE_SPNEGO,
369 DCERPC_AUTH_LEVEL_PRIVACY);
370
371 done:
372 talloc_free(mem_ctx);
373 return ret;
374 }
375
376 /*
377 * Lookup or create a user and return all necessary info
378 */
379
380 static bool get_usr_handle(struct torture_context *tctx,
381 struct smbcli_state *cli,
382 TALLOC_CTX *mem_ctx,
383 struct cli_credentials *admin_creds,
384 uint8_t auth_type,
385 uint8_t auth_level,
386 const char *username,
387 char **domain,
388 struct dcerpc_pipe **result_pipe,
389 struct policy_handle **result_handle,
390 struct dom_sid **sid_p)
391 {
392 struct dcerpc_pipe *samr_pipe;
393 struct dcerpc_binding_handle *samr_handle;
394 NTSTATUS status;
395 struct policy_handle conn_handle;
396 struct policy_handle domain_handle;
397 struct policy_handle *user_handle;
398 struct samr_Connect2 conn;
399 struct samr_EnumDomains enumdom;
400 uint32_t resume_handle = 0;
401 uint32_t num_entries = 0;
402 struct samr_SamArray *sam = NULL;
403 struct samr_LookupDomain l;
404 struct dom_sid2 *sid = NULL;
405 int dom_idx;
406 struct lsa_String domain_name;
407 struct lsa_String user_name;
408 struct samr_OpenDomain o;
409 struct samr_CreateUser2 c;
410 uint32_t user_rid,access_granted;
411
412 samr_pipe = dcerpc_pipe_init(mem_ctx, tctx->ev);
413 torture_assert(tctx, samr_pipe, "dcerpc_pipe_init failed");
414 #if 0
415 samr_pipe->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
416 #endif
417 samr_handle = samr_pipe->binding_handle;
418
419 torture_assert_ntstatus_ok(tctx,
420 dcerpc_pipe_open_smb(samr_pipe, cli->tree, "\\samr"),
421 "dcerpc_pipe_open_smb failed");
422
423 if (admin_creds != NULL) {
424 torture_assert_ntstatus_ok(tctx,
425 dcerpc_bind_auth(samr_pipe, &ndr_table_samr,
426 admin_creds, lpcfg_gensec_settings(tctx->lp_ctx, tctx->lp_ctx), auth_type, auth_level,
427 NULL),
428 "dcerpc_bind_auth failed");
429 } else {
430 /* We must have an authenticated SMB connection */
431 torture_assert_ntstatus_ok(tctx,
432 dcerpc_bind_auth_none(samr_pipe, &ndr_table_samr),
433 "dcerpc_bind_auth_none failed");
434 }
435
436 conn.in.system_name = talloc_asprintf(
437 mem_ctx, "\\\\%s", dcerpc_server_name(samr_pipe));
438 conn.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
439 conn.out.connect_handle = &conn_handle;
440
441 torture_assert_ntstatus_ok(tctx,
442 dcerpc_samr_Connect2_r(samr_handle, mem_ctx, &conn),
443 "samr_Connect2 failed");
444 torture_assert_ntstatus_ok(tctx, conn.out.result,
445 "samr_Connect2 failed");
446
447 enumdom.in.connect_handle = &conn_handle;
448 enumdom.in.resume_handle = &resume_handle;
449 enumdom.in.buf_size = (uint32_t)-1;
450 enumdom.out.resume_handle = &resume_handle;
451 enumdom.out.num_entries = &num_entries;
452 enumdom.out.sam = &sam;
453
454 torture_assert_ntstatus_ok(tctx,
455 dcerpc_samr_EnumDomains_r(samr_handle, mem_ctx, &enumdom),
456 "samr_EnumDomains failed");
457 torture_assert_ntstatus_ok(tctx, enumdom.out.result,
458 "samr_EnumDomains failed");
459
460 torture_assert_int_equal(tctx, *enumdom.out.num_entries, 2,
461 "samr_EnumDomains returned unexpected num_entries");
462
463 dom_idx = strequal(sam->entries[0].name.string,
464 "builtin") ? 1:0;
465
466 l.in.connect_handle = &conn_handle;
467 domain_name.string = sam->entries[dom_idx].name.string;
468 *domain = talloc_strdup(mem_ctx, domain_name.string);
469 l.in.domain_name = &domain_name;
470 l.out.sid = &sid;
471
472 torture_assert_ntstatus_ok(tctx,
473 dcerpc_samr_LookupDomain_r(samr_handle, mem_ctx, &l),
474 "samr_LookupDomain failed");
475 torture_assert_ntstatus_ok(tctx, l.out.result,
476 "samr_LookupDomain failed");
477
478 o.in.connect_handle = &conn_handle;
479 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
480 o.in.sid = *l.out.sid;
481 o.out.domain_handle = &domain_handle;
482
483 torture_assert_ntstatus_ok(tctx,
484 dcerpc_samr_OpenDomain_r(samr_handle, mem_ctx, &o),
485 "samr_OpenDomain failed");
486 torture_assert_ntstatus_ok(tctx, o.out.result,
487 "samr_OpenDomain failed");
488
489 c.in.domain_handle = &domain_handle;
490 user_name.string = username;
491 c.in.account_name = &user_name;
492 c.in.acct_flags = ACB_NORMAL;
493 c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
494 user_handle = talloc(mem_ctx, struct policy_handle);
495 c.out.user_handle = user_handle;
496 c.out.access_granted = &access_granted;
497 c.out.rid = &user_rid;
498
499 torture_assert_ntstatus_ok(tctx,
500 dcerpc_samr_CreateUser2_r(samr_handle, mem_ctx, &c),
501 "samr_CreateUser2 failed");
502
503 if (NT_STATUS_EQUAL(c.out.result, NT_STATUS_USER_EXISTS)) {
504 struct samr_LookupNames ln;
505 struct samr_OpenUser ou;
506 struct samr_Ids rids, types;
507
508 ln.in.domain_handle = &domain_handle;
509 ln.in.num_names = 1;
510 ln.in.names = &user_name;
511 ln.out.rids = &rids;
512 ln.out.types = &types;
513
514 torture_assert_ntstatus_ok(tctx,
515 dcerpc_samr_LookupNames_r(samr_handle, mem_ctx, &ln),
516 "samr_LookupNames failed");
517 torture_assert_ntstatus_ok(tctx, ln.out.result,
518 "samr_LookupNames failed");
519
520 ou.in.domain_handle = &domain_handle;
521 ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
522 user_rid = ou.in.rid = ln.out.rids->ids[0];
523 ou.out.user_handle = user_handle;
524
525 torture_assert_ntstatus_ok(tctx,
526 dcerpc_samr_OpenUser_r(samr_handle, mem_ctx, &ou),
527 "samr_OpenUser failed");
528 status = ou.out.result;
529 } else {
530 status = c.out.result;
531 }
532
533 torture_assert_ntstatus_ok(tctx, status,
534 "samr_CreateUser failed");
535
536 *result_pipe = samr_pipe;
537 *result_handle = user_handle;
538 if (sid_p != NULL) {
539 *sid_p = dom_sid_add_rid(mem_ctx, *l.out.sid, user_rid);
540 }
541 return true;
542
543 }
544
545 /*
546 * Create a test user
547 */
548
549 static bool create_user(struct torture_context *tctx,
550 TALLOC_CTX *mem_ctx, struct smbcli_state *cli,
551 struct cli_credentials *admin_creds,
552 const char *username, const char *password,
553 char **domain_name,
554 struct dom_sid **user_sid)
555 {
556 TALLOC_CTX *tmp_ctx;
557 NTSTATUS status;
558 struct dcerpc_pipe *samr_pipe;
559 struct dcerpc_binding_handle *samr_handle;
560 struct policy_handle *wks_handle;
561 bool ret = false;
562
563 if (!(tmp_ctx = talloc_new(mem_ctx))) {
564 torture_comment(tctx, "talloc_init failed\n");
565 return false;
566 }
567
568 ret = get_usr_handle(tctx, cli, tmp_ctx, admin_creds,
569 DCERPC_AUTH_TYPE_NTLMSSP,
570 DCERPC_AUTH_LEVEL_INTEGRITY,
571 username, domain_name, &samr_pipe, &wks_handle,
572 user_sid);
573 if (ret == false) {
574 torture_comment(tctx, "get_usr_handle failed\n");
575 goto done;
576 }
577 samr_handle = samr_pipe->binding_handle;
578
579 {
580 struct samr_SetUserInfo2 sui2;
581 struct samr_SetUserInfo sui;
582 struct samr_QueryUserInfo qui;
583 union samr_UserInfo u_info;
584 union samr_UserInfo *info;
585 DATA_BLOB session_key;
586
587
588 ZERO_STRUCT(u_info);
589 encode_pw_buffer(u_info.info23.password.data, password,
590 STR_UNICODE);
591
592 status = dcerpc_fetch_session_key(samr_pipe, &session_key);
593 if (!NT_STATUS_IS_OK(status)) {
594 torture_comment(tctx, "dcerpc_fetch_session_key failed\n");
595 goto done;
596 }
597 arcfour_crypt_blob(u_info.info23.password.data, 516,
598 &session_key);
599 u_info.info23.info.password_expired = 0;
600 u_info.info23.info.fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT |
601 SAMR_FIELD_LM_PASSWORD_PRESENT |
602 SAMR_FIELD_EXPIRED_FLAG;
603 sui2.in.user_handle = wks_handle;
604 sui2.in.info = &u_info;
605 sui2.in.level = 23;
606
607 status = dcerpc_samr_SetUserInfo2_r(samr_handle, tmp_ctx, &sui2);
608 if (!NT_STATUS_IS_OK(status)) {
609 torture_comment(tctx, "samr_SetUserInfo(23) failed: %s\n",
610 nt_errstr(status));
611 goto done;
612 }
613 if (!NT_STATUS_IS_OK(sui2.out.result)) {
614 torture_comment(tctx, "samr_SetUserInfo(23) failed: %s\n",
615 nt_errstr(sui2.out.result));
616 goto done;
617 }
618
619 u_info.info16.acct_flags = ACB_NORMAL;
620 sui.in.user_handle = wks_handle;
621 sui.in.info = &u_info;
622 sui.in.level = 16;
623
624 status = dcerpc_samr_SetUserInfo_r(samr_handle, tmp_ctx, &sui);
625 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(sui.out.result)) {
626 torture_comment(tctx, "samr_SetUserInfo(16) failed\n");
627 goto done;
628 }
629
630 qui.in.user_handle = wks_handle;
631 qui.in.level = 21;
632 qui.out.info = &info;
633
634 status = dcerpc_samr_QueryUserInfo_r(samr_handle, tmp_ctx, &qui);
635 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(qui.out.result)) {
636 torture_comment(tctx, "samr_QueryUserInfo(21) failed\n");
637 goto done;
638 }
639
640 info->info21.allow_password_change = 0;
641 info->info21.force_password_change = 0;
642 info->info21.account_name.string = NULL;
643 info->info21.rid = 0;
644 info->info21.acct_expiry = 0;
645 info->info21.fields_present = 0x81827fa; /* copy usrmgr.exe */
646
647 u_info.info21 = info->info21;
648 sui.in.user_handle = wks_handle;
649 sui.in.info = &u_info;
650 sui.in.level = 21;
651
652 status = dcerpc_samr_SetUserInfo_r(samr_handle, tmp_ctx, &sui);
653 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(sui.out.result)) {
654 torture_comment(tctx, "samr_SetUserInfo(21) failed\n");
655 goto done;
656 }
657 }
658
659 *domain_name= talloc_steal(mem_ctx, *domain_name);
660 *user_sid = talloc_steal(mem_ctx, *user_sid);
661 ret = true;
662 done:
663 talloc_free(tmp_ctx);
664 return ret;
665 }
666
667 /*
668 * Delete a test user
669 */
670
671 static bool delete_user(struct torture_context *tctx,
672 struct smbcli_state *cli,
673 struct cli_credentials *admin_creds,
674 const char *username)
675 {
676 TALLOC_CTX *mem_ctx;
677 NTSTATUS status;
678 char *dom_name;
679 struct dcerpc_pipe *samr_pipe;
680 struct dcerpc_binding_handle *samr_handle;
681 struct policy_handle *user_handle;
682 bool ret = false;
683
684 if ((mem_ctx = talloc_init("leave")) == NULL) {
685 torture_comment(tctx, "talloc_init failed\n");
686 return false;
687 }
688
689 ret = get_usr_handle(tctx, cli, mem_ctx, admin_creds,
690 DCERPC_AUTH_TYPE_NTLMSSP,
691 DCERPC_AUTH_LEVEL_INTEGRITY,
692 username, &dom_name, &samr_pipe,
693 &user_handle, NULL);
694 if (ret == false) {
695 torture_comment(tctx, "get_wks_handle failed\n");
696 goto done;
697 }
698 samr_handle = samr_pipe->binding_handle;
699
700 {
701 struct samr_DeleteUser d;
702
703 d.in.user_handle = user_handle;
704 d.out.user_handle = user_handle;
705
706 status = dcerpc_samr_DeleteUser_r(samr_handle, mem_ctx, &d);
707 if (!NT_STATUS_IS_OK(status)) {
708 torture_comment(tctx, "samr_DeleteUser failed %s\n", nt_errstr(status));
709 goto done;
710 }
711 if (!NT_STATUS_IS_OK(d.out.result)) {
712 torture_comment(tctx, "samr_DeleteUser failed %s\n", nt_errstr(d.out.result));
713 goto done;
714 }
715
716 }
717
718 ret = true;
719
720 done:
721 talloc_free(mem_ctx);
722 return ret;
723 }
724
725 /*
726 * Do a Samba3-style join
727 */
728
729 static bool join3(struct torture_context *tctx,
730 struct smbcli_state *cli,
731 bool use_level25,
732 struct cli_credentials *admin_creds,
733 struct cli_credentials *wks_creds)
734 {
735 TALLOC_CTX *mem_ctx;
736 NTSTATUS status;
737 char *dom_name;
738 struct dcerpc_pipe *samr_pipe;
739 struct dcerpc_binding_handle *samr_handle;
740 struct policy_handle *wks_handle;
741 bool ret = false;
742 NTTIME last_password_change;
743
744 if ((mem_ctx = talloc_init("join3")) == NULL) {
745 torture_comment(tctx, "talloc_init failed\n");
746 return false;
747 }
748
749 ret = get_usr_handle(
750 tctx, cli, mem_ctx, admin_creds,
751 DCERPC_AUTH_TYPE_NTLMSSP,
752 DCERPC_AUTH_LEVEL_PRIVACY,
753 talloc_asprintf(mem_ctx, "%s$",
754 cli_credentials_get_workstation(wks_creds)),
755 &dom_name, &samr_pipe, &wks_handle, NULL);
756 if (ret == false) {
757 torture_comment(tctx, "get_wks_handle failed\n");
758 goto done;
759 }
760 samr_handle = samr_pipe->binding_handle;
761 ret = false;
762 {
763 struct samr_QueryUserInfo q;
764 union samr_UserInfo *info;
765
766 q.in.user_handle = wks_handle;
767 q.in.level = 21;
768 q.out.info = &info;
769
770 status = dcerpc_samr_QueryUserInfo_r(samr_handle, mem_ctx, &q);
771 if (!NT_STATUS_IS_OK(status)) {
772 torture_warning(tctx, "QueryUserInfo failed: %s\n",
773 nt_errstr(status));
774 goto done;
775 }
776 if (!NT_STATUS_IS_OK(q.out.result)) {
777 torture_warning(tctx, "QueryUserInfo failed: %s\n",
778 nt_errstr(q.out.result));
779 goto done;
780 }
781
782
783 last_password_change = info->info21.last_password_change;
784 }
785
786 cli_credentials_set_domain(wks_creds, dom_name, CRED_SPECIFIED);
787
788 if (use_level25) {
789 struct samr_SetUserInfo2 sui2;
790 union samr_UserInfo u_info;
791 struct samr_UserInfo21 *i21 = &u_info.info25.info;
792 DATA_BLOB session_key;
793 DATA_BLOB confounded_session_key = data_blob_talloc(
794 mem_ctx, NULL, 16);
795 MD5_CTX ctx;
796 uint8_t confounder[16];
797
798 ZERO_STRUCT(u_info);
799
800 i21->full_name.string = talloc_asprintf(
801 mem_ctx, "%s$",
802 cli_credentials_get_workstation(wks_creds));
803 i21->acct_flags = ACB_WSTRUST;
804 i21->fields_present = SAMR_FIELD_FULL_NAME |
805 SAMR_FIELD_ACCT_FLAGS | SAMR_FIELD_NT_PASSWORD_PRESENT;
806 /* this would break the test result expectations
807 i21->fields_present |= SAMR_FIELD_EXPIRED_FLAG;
808 i21->password_expired = 1;
809 */
810
811 encode_pw_buffer(u_info.info25.password.data,
812 cli_credentials_get_password(wks_creds),
813 STR_UNICODE);
814 status = dcerpc_fetch_session_key(samr_pipe, &session_key);
815 if (!NT_STATUS_IS_OK(status)) {
816 torture_comment(tctx, "dcerpc_fetch_session_key failed: %s\n",
817 nt_errstr(status));
818 goto done;
819 }
820 generate_random_buffer((uint8_t *)confounder, 16);
821
822 MD5Init(&ctx);
823 MD5Update(&ctx, confounder, 16);
824 MD5Update(&ctx, session_key.data, session_key.length);
825 MD5Final(confounded_session_key.data, &ctx);
826
827 arcfour_crypt_blob(u_info.info25.password.data, 516,
828 &confounded_session_key);
829 memcpy(&u_info.info25.password.data[516], confounder, 16);
830
831 sui2.in.user_handle = wks_handle;
832 sui2.in.level = 25;
833 sui2.in.info = &u_info;
834
835 status = dcerpc_samr_SetUserInfo2_r(samr_handle, mem_ctx, &sui2);
836 if (!NT_STATUS_IS_OK(status)) {
837 torture_comment(tctx, "samr_SetUserInfo2(25) failed: %s\n",
838 nt_errstr(status));
839 goto done;
840 }
841 if (!NT_STATUS_IS_OK(sui2.out.result)) {
842 torture_comment(tctx, "samr_SetUserInfo2(25) failed: %s\n",
843 nt_errstr(sui2.out.result));
844 goto done;
845 }
846 } else {
847 struct samr_SetUserInfo2 sui2;
848 struct samr_SetUserInfo sui;
849 union samr_UserInfo u_info;
850 DATA_BLOB session_key;
851
852 encode_pw_buffer(u_info.info24.password.data,
853 cli_credentials_get_password(wks_creds),
854 STR_UNICODE);
855 /* just to make this test pass */
856 u_info.info24.password_expired = 1;
857
858 status = dcerpc_fetch_session_key(samr_pipe, &session_key);
859 if (!NT_STATUS_IS_OK(status)) {
860 torture_comment(tctx, "dcerpc_fetch_session_key failed\n");
861 goto done;
862 }
863 arcfour_crypt_blob(u_info.info24.password.data, 516,
864 &session_key);
865 sui2.in.user_handle = wks_handle;
866 sui2.in.info = &u_info;
867 sui2.in.level = 24;
868
869 status = dcerpc_samr_SetUserInfo2_r(samr_handle, mem_ctx, &sui2);
870 if (!NT_STATUS_IS_OK(status)) {
871 torture_comment(tctx, "samr_SetUserInfo(24) failed: %s\n",
872 nt_errstr(status));
873 goto done;
874 }
875 if (!NT_STATUS_IS_OK(sui2.out.result)) {
876 torture_comment(tctx, "samr_SetUserInfo(24) failed: %s\n",
877 nt_errstr(sui2.out.result));
878 goto done;
879 }
880
881 u_info.info16.acct_flags = ACB_WSTRUST;
882 sui.in.user_handle = wks_handle;
883 sui.in.info = &u_info;
884 sui.in.level = 16;
885
886 status = dcerpc_samr_SetUserInfo_r(samr_handle, mem_ctx, &sui);
887 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(sui.out.result)) {
888 torture_comment(tctx, "samr_SetUserInfo(16) failed\n");
889 goto done;
890 }
891 }
892
893 {
894 struct samr_QueryUserInfo q;
895 union samr_UserInfo *info;
896
897 q.in.user_handle = wks_handle;
898 q.in.level = 21;
899 q.out.info = &info;
900
901 status = dcerpc_samr_QueryUserInfo_r(samr_handle, mem_ctx, &q);
902 if (!NT_STATUS_IS_OK(status)) {
903 torture_warning(tctx, "QueryUserInfo failed: %s\n",
904 nt_errstr(status));
905 goto done;
906 }
907 if (!NT_STATUS_IS_OK(q.out.result)) {
908 torture_warning(tctx, "QueryUserInfo failed: %s\n",
909 nt_errstr(q.out.result));
910 goto done;
911 }
912
913 if (use_level25) {
914 if (last_password_change
915 == info->info21.last_password_change) {
916 torture_warning(tctx, "last_password_change unchanged "
917 "during join, level25 must change "
918 "it\n");
919 goto done;
920 }
921 }
922 else {
923 if (last_password_change
924 != info->info21.last_password_change) {
925 torture_warning(tctx, "last_password_change changed "
926 "during join, level24 doesn't "
927 "change it\n");
928 goto done;
929 }
930 }
931 }
932
933 ret = true;
934
935 done:
936 talloc_free(mem_ctx);
937 return ret;
938 }
939
940 /*
941 * Do a ReqChallenge/Auth2 and get the wks creds
942 */
943
944 static bool auth2(struct torture_context *tctx,
945 struct smbcli_state *cli,
946 struct cli_credentials *wks_cred)
947 {
948 TALLOC_CTX *mem_ctx;
949 struct dcerpc_pipe *net_pipe;
950 struct dcerpc_binding_handle *net_handle;
951 bool result = false;
952 NTSTATUS status;
953 struct netr_ServerReqChallenge r;
954 struct netr_Credential netr_cli_creds;
955 struct netr_Credential netr_srv_creds;
956 uint32_t negotiate_flags;
957 struct netr_ServerAuthenticate2 a;
958 struct netlogon_creds_CredentialState *creds_state;
959 struct netr_Credential netr_cred;
960 struct samr_Password mach_pw;
961
962 mem_ctx = talloc_new(NULL);
963 if (mem_ctx == NULL) {
964 torture_comment(tctx, "talloc_new failed\n");
965 return false;
966 }
967
968 net_pipe = dcerpc_pipe_init(mem_ctx, tctx->ev);
969 if (net_pipe == NULL) {
970 torture_comment(tctx, "dcerpc_pipe_init failed\n");
971 goto done;
972 }
973 net_handle = net_pipe->binding_handle;
974
975 status = dcerpc_pipe_open_smb(net_pipe, cli->tree, "\\netlogon");
976 if (!NT_STATUS_IS_OK(status)) {
977 torture_comment(tctx, "dcerpc_pipe_open_smb failed: %s\n",
978 nt_errstr(status));
979 goto done;
980 }
981
982 status = dcerpc_bind_auth_none(net_pipe, &ndr_table_netlogon);
983 if (!NT_STATUS_IS_OK(status)) {
984 torture_comment(tctx, "dcerpc_bind_auth_none failed: %s\n",
985 nt_errstr(status));
986 goto done;
987 }
988
989 r.in.computer_name = cli_credentials_get_workstation(wks_cred);
990 r.in.server_name = talloc_asprintf(
991 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
992 if (r.in.server_name == NULL) {
993 torture_comment(tctx, "talloc_asprintf failed\n");
994 goto done;
995 }
996 generate_random_buffer(netr_cli_creds.data,
997 sizeof(netr_cli_creds.data));
998 r.in.credentials = &netr_cli_creds;
999 r.out.return_credentials = &netr_srv_creds;
1000
1001 status = dcerpc_netr_ServerReqChallenge_r(net_handle, mem_ctx, &r);
1002 if (!NT_STATUS_IS_OK(status)) {
1003 torture_comment(tctx, "netr_ServerReqChallenge failed: %s\n",
1004 nt_errstr(status));
1005 goto done;
1006 }
1007 if (!NT_STATUS_IS_OK(r.out.result)) {
1008 torture_comment(tctx, "netr_ServerReqChallenge failed: %s\n",
1009 nt_errstr(r.out.result));
1010 goto done;
1011 }
1012
1013 negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
1014 E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
1015
1016 a.in.server_name = talloc_asprintf(
1017 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1018 a.in.account_name = talloc_asprintf(
1019 mem_ctx, "%s$", cli_credentials_get_workstation(wks_cred));
1020 a.in.computer_name = cli_credentials_get_workstation(wks_cred);
1021 a.in.secure_channel_type = SEC_CHAN_WKSTA;
1022 a.in.negotiate_flags = &negotiate_flags;
1023 a.out.negotiate_flags = &negotiate_flags;
1024 a.in.credentials = &netr_cred;
1025 a.out.return_credentials = &netr_cred;
1026
1027 creds_state = netlogon_creds_client_init(mem_ctx,
1028 a.in.account_name,
1029 a.in.computer_name,
1030 a.in.secure_channel_type,
1031 r.in.credentials,
1032 r.out.return_credentials, &mach_pw,
1033 &netr_cred, negotiate_flags);
1034 torture_assert(tctx, (creds_state != NULL), "memory allocation failed");
1035
1036 status = dcerpc_netr_ServerAuthenticate2_r(net_handle, mem_ctx, &a);
1037 if (!NT_STATUS_IS_OK(status)) {
1038 torture_comment(tctx, "netr_ServerServerAuthenticate2 failed: %s\n",
1039 nt_errstr(status));
1040 goto done;
1041 }
1042 if (!NT_STATUS_IS_OK(a.out.result)) {
1043 torture_comment(tctx, "netr_ServerServerAuthenticate2 failed: %s\n",
1044 nt_errstr(a.out.result));
1045 goto done;
1046 }
1047
1048 if (!netlogon_creds_client_check(creds_state, a.out.return_credentials)) {
1049 torture_comment(tctx, "creds_client_check failed\n");
1050 goto done;
1051 }
1052
1053 cli_credentials_set_netlogon_creds(wks_cred, creds_state);
1054
1055 result = true;
1056
1057 done:
1058 talloc_free(mem_ctx);
1059 return result;
1060 }
1061
1062 /*
1063 * Do a couple of schannel protected Netlogon ops: Interactive and Network
1064 * login, and change the wks password
1065 */
1066
1067 static bool schan(struct torture_context *tctx,
1068 struct smbcli_state *cli,
1069 struct cli_credentials *wks_creds,
1070 struct cli_credentials *user_creds)
1071 {
1072 TALLOC_CTX *mem_ctx;
1073 NTSTATUS status;
1074 bool ret = false;
1075 struct dcerpc_pipe *net_pipe;
1076 struct dcerpc_binding_handle *net_handle;
1077 int i;
1078
1079 mem_ctx = talloc_new(NULL);
1080 if (mem_ctx == NULL) {
1081 torture_comment(tctx, "talloc_new failed\n");
1082 return false;
1083 }
1084
1085 net_pipe = dcerpc_pipe_init(mem_ctx, tctx->ev);
1086 if (net_pipe == NULL) {
1087 torture_comment(tctx, "dcerpc_pipe_init failed\n");
1088 goto done;
1089 }
1090 net_handle = net_pipe->binding_handle;
1091
1092 status = dcerpc_pipe_open_smb(net_pipe, cli->tree, "\\netlogon");
1093 if (!NT_STATUS_IS_OK(status)) {
1094 torture_comment(tctx, "dcerpc_pipe_open_smb failed: %s\n",
1095 nt_errstr(status));
1096 goto done;
1097 }
1098
1099 #if 0
1100 net_pipe->conn->flags |= DCERPC_DEBUG_PRINT_IN |
1101 DCERPC_DEBUG_PRINT_OUT;
1102 #endif
1103 #if 1
1104 net_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL);
1105 status = dcerpc_bind_auth(net_pipe, &ndr_table_netlogon,
1106 wks_creds, lpcfg_gensec_settings(tctx->lp_ctx, tctx->lp_ctx), DCERPC_AUTH_TYPE_SCHANNEL,
1107 DCERPC_AUTH_LEVEL_PRIVACY,
1108 NULL);
1109 #else
1110 status = dcerpc_bind_auth_none(net_pipe, &ndr_table_netlogon);
1111 #endif
1112 if (!NT_STATUS_IS_OK(status)) {
1113 torture_comment(tctx, "schannel bind failed: %s\n", nt_errstr(status));
1114 goto done;
1115 }
1116
1117
1118 for (i=2; i<4; i++) {
1119 int flags;
1120 DATA_BLOB chal, nt_resp, lm_resp, names_blob;
1121 struct netlogon_creds_CredentialState *creds_state;
1122 struct netr_Authenticator netr_auth, netr_auth2;
1123 struct netr_NetworkInfo ninfo;
1124 struct netr_PasswordInfo pinfo;
1125 struct netr_LogonSamLogon r;
1126 union netr_LogonLevel logon;
1127 union netr_Validation validation;
1128 uint8_t authoritative;
1129 struct netr_Authenticator return_authenticator;
1130
1131 flags = CLI_CRED_LANMAN_AUTH | CLI_CRED_NTLM_AUTH |
1132 CLI_CRED_NTLMv2_AUTH;
1133
1134 chal = data_blob_talloc(mem_ctx, NULL, 8);
1135 if (chal.data == NULL) {
1136 torture_comment(tctx, "data_blob_talloc failed\n");
1137 goto done;
1138 }
1139
1140 generate_random_buffer(chal.data, chal.length);
1141 names_blob = NTLMv2_generate_names_blob(
1142 mem_ctx,
1143 cli_credentials_get_workstation(user_creds),
1144 cli_credentials_get_domain(user_creds));
1145 status = cli_credentials_get_ntlm_response(
1146 user_creds, mem_ctx, &flags, chal, names_blob,
1147 &lm_resp, &nt_resp, NULL, NULL);
1148 if (!NT_STATUS_IS_OK(status)) {
1149 torture_comment(tctx, "cli_credentials_get_ntlm_response failed:"
1150 " %s\n", nt_errstr(status));
1151 goto done;
1152 }
1153
1154 creds_state = cli_credentials_get_netlogon_creds(wks_creds);
1155 netlogon_creds_client_authenticator(creds_state, &netr_auth);
1156
1157 ninfo.identity_info.account_name.string =
1158 cli_credentials_get_username(user_creds);
1159 ninfo.identity_info.domain_name.string =
1160 cli_credentials_get_domain(user_creds);
1161 ninfo.identity_info.parameter_control = 0;
1162 ninfo.identity_info.logon_id_low = 0;
1163 ninfo.identity_info.logon_id_high = 0;
1164 ninfo.identity_info.workstation.string =
1165 cli_credentials_get_workstation(user_creds);
1166 memcpy(ninfo.challenge, chal.data, sizeof(ninfo.challenge));
1167 ninfo.nt.length = nt_resp.length;
1168 ninfo.nt.data = nt_resp.data;
1169 ninfo.lm.length = lm_resp.length;
1170 ninfo.lm.data = lm_resp.data;
1171
1172 logon.network = &ninfo;
1173
1174 r.in.server_name = talloc_asprintf(
1175 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1176 ZERO_STRUCT(netr_auth2);
1177 r.in.computer_name =
1178 cli_credentials_get_workstation(wks_creds);
1179 r.in.credential = &netr_auth;
1180 r.in.return_authenticator = &netr_auth2;
1181 r.in.logon_level = NetlogonNetworkInformation;
1182 r.in.validation_level = i;
1183 r.in.logon = &logon;
1184 r.out.validation = &validation;
1185 r.out.authoritative = &authoritative;
1186 r.out.return_authenticator = &return_authenticator;
1187
1188 status = dcerpc_netr_LogonSamLogon_r(net_handle, mem_ctx, &r);
1189 if (!NT_STATUS_IS_OK(status)) {
1190 torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1191 nt_errstr(status));
1192 goto done;
1193 }
1194 if (!NT_STATUS_IS_OK(r.out.result)) {
1195 torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1196 nt_errstr(r.out.result));
1197 goto done;
1198 }
1199
1200 if ((r.out.return_authenticator == NULL) ||
1201 (!netlogon_creds_client_check(creds_state,
1202 &r.out.return_authenticator->cred))) {
1203 torture_comment(tctx, "Credentials check failed!\n");
1204 goto done;
1205 }
1206
1207 netlogon_creds_client_authenticator(creds_state, &netr_auth);
1208
1209 pinfo.identity_info = ninfo.identity_info;
1210 ZERO_STRUCT(pinfo.lmpassword.hash);
1211 E_md4hash(cli_credentials_get_password(user_creds),
1212 pinfo.ntpassword.hash);
1213
1214 netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16);
1215
1216 logon.password = &pinfo;
1217
1218 r.in.logon_level = NetlogonInteractiveInformation;
1219 r.in.logon = &logon;
1220 r.out.return_authenticator = &return_authenticator;
1221
1222 status = dcerpc_netr_LogonSamLogon_r(net_handle, mem_ctx, &r);
1223 if (!NT_STATUS_IS_OK(status)) {
1224 torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1225 nt_errstr(status));
1226 goto done;
1227 }
1228 if (!NT_STATUS_IS_OK(r.out.result)) {
1229 torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1230 nt_errstr(r.out.result));
1231 goto done;
1232 }
1233
1234 if ((r.out.return_authenticator == NULL) ||
1235 (!netlogon_creds_client_check(creds_state,
1236 &r.out.return_authenticator->cred))) {
1237 torture_comment(tctx, "Credentials check failed!\n");
1238 goto done;
1239 }
1240 }
1241
1242 {
1243 struct netr_ServerPasswordSet s;
1244 char *password = generate_random_password(wks_creds, 8, 255);
1245 struct netlogon_creds_CredentialState *creds_state;
1246 struct netr_Authenticator credential, return_authenticator;
1247 struct samr_Password new_password;
1248
1249 s.in.server_name = talloc_asprintf(
1250 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1251 s.in.computer_name = cli_credentials_get_workstation(wks_creds);
1252 s.in.account_name = talloc_asprintf(
1253 mem_ctx, "%s$", s.in.computer_name);
1254 s.in.secure_channel_type = SEC_CHAN_WKSTA;
1255 s.in.credential = &credential;
1256 s.in.new_password = &new_password;
1257 s.out.return_authenticator = &return_authenticator;
1258
1259 E_md4hash(password, new_password.hash);
1260
1261 creds_state = cli_credentials_get_netlogon_creds(wks_creds);
1262 netlogon_creds_des_encrypt(creds_state, &new_password);
1263 netlogon_creds_client_authenticator(creds_state, &credential);
1264
1265 status = dcerpc_netr_ServerPasswordSet_r(net_handle, mem_ctx, &s);
1266 if (!NT_STATUS_IS_OK(status)) {
1267 torture_comment(tctx, "ServerPasswordSet - %s\n", nt_errstr(status));
1268 goto done;
1269 }
1270 if (!NT_STATUS_IS_OK(s.out.result)) {
1271 torture_comment(tctx, "ServerPasswordSet - %s\n", nt_errstr(s.out.result));
1272 goto done;
1273 }
1274
1275 if (!netlogon_creds_client_check(creds_state,
1276 &s.out.return_authenticator->cred)) {
1277 torture_comment(tctx, "Credential chaining failed\n");
1278 }
1279
1280 cli_credentials_set_password(wks_creds, password,
1281 CRED_SPECIFIED);
1282 }
1283
1284 ret = true;
1285 done:
1286 talloc_free(mem_ctx);
1287 return ret;
1288 }
1289
1290 /*
1291 * Delete the wks account again
1292 */
1293
1294 static bool leave(struct torture_context *tctx,
1295 struct smbcli_state *cli,
1296 struct cli_credentials *admin_creds,
1297 struct cli_credentials *wks_creds)
1298 {
1299 char *wks_name = talloc_asprintf(
1300 NULL, "%s$", cli_credentials_get_workstation(wks_creds));
1301 bool ret;
1302
1303 ret = delete_user(tctx, cli, admin_creds, wks_name);
1304 talloc_free(wks_name);
1305 return ret;
1306 }
1307
1308 /*
1309 * Test the Samba3 DC code a bit. Join, do some schan netlogon ops, leave
1310 */
1311
1312 static bool torture_netlogon_samba3(struct torture_context *torture)
1313 {
1314 NTSTATUS status;
1315 struct smbcli_state *cli;
1316 struct cli_credentials *anon_creds;
1317 struct cli_credentials *wks_creds;
1318 const char *wks_name;
1319 int i;
1320 struct smbcli_options options;
1321 struct smbcli_session_options session_options;
1322
1323 wks_name = torture_setting_string(torture, "wksname", NULL);
1324 if (wks_name == NULL) {
1325 wks_name = get_myname(torture);
1326 }
1327
1328 if (!(anon_creds = cli_credentials_init_anon(torture))) {
1329 torture_fail(torture, "create_anon_creds failed\n");
1330 }
1331
1332 lpcfg_smbcli_options(torture->lp_ctx, &options);
1333 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
1334
1335 status = smbcli_full_connection(torture, &cli,
1336 torture_setting_string(torture, "host", NULL),
1337 lpcfg_smb_ports(torture->lp_ctx),
1338 "IPC$", NULL,
1339 lpcfg_socket_options(torture->lp_ctx),
1340 anon_creds,
1341 lpcfg_resolve_context(torture->lp_ctx),
1342 torture->ev, &options, &session_options,
1343 lpcfg_gensec_settings(torture, torture->lp_ctx));
1344 torture_assert_ntstatus_ok(torture, status, "smbcli_full_connection failed\n");
1345
1346 wks_creds = cli_credentials_init(torture);
1347 if (wks_creds == NULL) {
1348 torture_fail(torture, "cli_credentials_init failed\n");
1349 }
1350
1351 cli_credentials_set_conf(wks_creds, torture->lp_ctx);
1352 cli_credentials_set_secure_channel_type(wks_creds, SEC_CHAN_WKSTA);
1353 cli_credentials_set_username(wks_creds, wks_name, CRED_SPECIFIED);
1354 cli_credentials_set_workstation(wks_creds, wks_name, CRED_SPECIFIED);
1355 cli_credentials_set_password(wks_creds,
1356 generate_random_password(wks_creds, 8, 255),
1357 CRED_SPECIFIED);
1358
1359 torture_assert(torture,
1360 join3(torture, cli, false, cmdline_credentials, wks_creds),
1361 "join failed");
1362
1363 cli_credentials_set_domain(
1364 cmdline_credentials, cli_credentials_get_domain(wks_creds),
1365 CRED_SPECIFIED);
1366
1367 for (i=0; i<2; i++) {
1368
1369 /* Do this more than once, the routine "schan" changes
1370 * the workstation password using the netlogon
1371 * password change routine */
1372
1373 int j;
1374
1375 torture_assert(torture,
1376 auth2(torture, cli, wks_creds),
1377 "auth2 failed");
1378
1379 for (j=0; j<2; j++) {
1380 torture_assert(torture,
1381 schan(torture, cli, wks_creds, cmdline_credentials),
1382 "schan failed");
1383 }
1384 }
1385
1386 torture_assert(torture,
1387 leave(torture, cli, cmdline_credentials, wks_creds),
1388 "leave failed");
1389
1390 return true;
1391 }
1392
1393 /*
1394 * Do a simple join, testjoin and leave using specified smb and samr
1395 * credentials
1396 */
1397
1398 static bool test_join3(struct torture_context *tctx,
1399 bool use_level25,
1400 struct cli_credentials *smb_creds,
1401 struct cli_credentials *samr_creds,
1402 const char *wks_name)
1403 {
1404 NTSTATUS status;
1405 struct smbcli_state *cli;
1406 struct cli_credentials *wks_creds;
1407 struct smbcli_options options;
1408 struct smbcli_session_options session_options;
1409
1410 lpcfg_smbcli_options(tctx->lp_ctx, &options);
1411 lpcfg_smbcli_session_options(tctx->lp_ctx, &session_options);
1412
1413 status = smbcli_full_connection(tctx, &cli,
1414 torture_setting_string(tctx, "host", NULL),
1415 lpcfg_smb_ports(tctx->lp_ctx),
1416 "IPC$", NULL, lpcfg_socket_options(tctx->lp_ctx),
1417 smb_creds, lpcfg_resolve_context(tctx->lp_ctx),
1418 tctx->ev, &options, &session_options,
1419 lpcfg_gensec_settings(tctx, tctx->lp_ctx));
1420 torture_assert_ntstatus_ok(tctx, status,
1421 "smbcli_full_connection failed");
1422
1423 wks_creds = cli_credentials_init(cli);
1424 torture_assert(tctx, wks_creds, "cli_credentials_init failed");
1425
1426 cli_credentials_set_conf(wks_creds, tctx->lp_ctx);
1427 cli_credentials_set_secure_channel_type(wks_creds, SEC_CHAN_WKSTA);
1428 cli_credentials_set_username(wks_creds, wks_name, CRED_SPECIFIED);
1429 cli_credentials_set_workstation(wks_creds, wks_name, CRED_SPECIFIED);
1430 cli_credentials_set_password(wks_creds,
1431 generate_random_password(wks_creds, 8, 255),
1432 CRED_SPECIFIED);
1433
1434 torture_assert(tctx,
1435 join3(tctx, cli, use_level25, samr_creds, wks_creds),
1436 "join failed");
1437
1438 cli_credentials_set_domain(
1439 cmdline_credentials, cli_credentials_get_domain(wks_creds),
1440 CRED_SPECIFIED);
1441
1442 torture_assert(tctx,
1443 auth2(tctx, cli, wks_creds),
1444 "auth2 failed");
1445
1446 torture_assert(tctx,
1447 leave(tctx, cli, samr_creds, wks_creds),
1448 "leave failed");
1449
1450 talloc_free(cli);
1451
1452 return true;
1453 }
1454
1455 /*
1456 * Test the different session key variants. Do it by joining, this uses the
1457 * session key in the setpassword routine. Test the join by doing the auth2.
1458 */
1459
1460 static bool torture_samba3_sessionkey(struct torture_context *torture)
1461 {
1462 struct cli_credentials *anon_creds;
1463 const char *wks_name;
1464
1465 wks_name = torture_setting_string(torture, "wksname", get_myname(torture));
1466
1467 if (!(anon_creds = cli_credentials_init_anon(torture))) {
1468 torture_fail(torture, "create_anon_creds failed\n");
1469 }
1470
1471 cli_credentials_set_workstation(anon_creds, wks_name, CRED_SPECIFIED);
1472
1473
1474 if (!torture_setting_bool(torture, "samba3", false)) {
1475
1476 /* Samba3 in the build farm right now does this happily. Need
1477 * to fix :-) */
1478
1479 if (test_join3(torture, false, anon_creds, NULL, wks_name)) {
1480 torture_fail(torture, "join using anonymous bind on an anonymous smb "
1481 "connection succeeded -- HUH??\n");
1482 }
1483 }
1484
1485 torture_assert(torture,
1486 test_join3(torture, false, anon_creds, cmdline_credentials, wks_name),
1487 "join using ntlmssp bind on an anonymous smb connection failed");
1488
1489 torture_assert(torture,
1490 test_join3(torture, false, cmdline_credentials, NULL, wks_name),
1491 "join using anonymous bind on an authenticated smb connection failed");
1492
1493 torture_assert(torture,
1494 test_join3(torture, false, cmdline_credentials, cmdline_credentials, wks_name),
1495 "join using ntlmssp bind on an authenticated smb connection failed");
1496
1497 /*
1498 * The following two are tests for setuserinfolevel 25
1499 */
1500
1501 torture_assert(torture,
1502 test_join3(torture, true, anon_creds, cmdline_credentials, wks_name),
1503 "join using ntlmssp bind on an anonymous smb connection failed");
1504
1505 torture_assert(torture,
1506 test_join3(torture, true, cmdline_credentials, NULL, wks_name),
1507 "join using anonymous bind on an authenticated smb connection failed");
1508
1509 return true;
1510 }
1511
1512 /*
1513 * open pipe and bind, given an IPC$ context
1514 */
1515
1516 static NTSTATUS pipe_bind_smb(struct torture_context *tctx,
1517 TALLOC_CTX *mem_ctx,
1518 struct smbcli_tree *tree,
1519 const char *pipe_name,
1520 const struct ndr_interface_table *iface,
1521 struct dcerpc_pipe **p)
1522 {
1523 struct dcerpc_pipe *result;
1524 NTSTATUS status;
1525
1526 if (!(result = dcerpc_pipe_init(mem_ctx, tctx->ev))) {
1527 return NT_STATUS_NO_MEMORY;
1528 }
1529
1530 status = dcerpc_pipe_open_smb(result, tree, pipe_name);
1531 if (!NT_STATUS_IS_OK(status)) {
1532 torture_comment(tctx, "dcerpc_pipe_open_smb failed: %s\n",
1533 nt_errstr(status));
1534 talloc_free(result);
1535 return status;
1536 }
1537
1538 status = dcerpc_bind_auth_none(result, iface);
1539 if (!NT_STATUS_IS_OK(status)) {
1540 torture_comment(tctx, "schannel bind failed: %s\n", nt_errstr(status));
1541 talloc_free(result);
1542 return status;
1543 }
1544
1545 *p = result;
1546 return NT_STATUS_OK;
1547 }
1548
1549 /*
1550 * Sane wrapper around lsa_LookupNames
1551 */
1552
1553 static struct dom_sid *name2sid(struct torture_context *tctx,
1554 TALLOC_CTX *mem_ctx,
1555 struct dcerpc_pipe *p,
1556 const char *name,
1557 const char *domain)
1558 {
1559 struct lsa_ObjectAttribute attr;
1560 struct lsa_QosInfo qos;
1561 struct lsa_OpenPolicy2 r;
1562 struct lsa_Close c;
1563 NTSTATUS status;
1564 struct policy_handle handle;
1565 struct lsa_LookupNames l;
1566 struct lsa_TransSidArray sids;
1567 struct lsa_RefDomainList *domains = NULL;
1568 struct lsa_String lsa_name;
1569 uint32_t count = 0;
1570 struct dom_sid *result;
1571 TALLOC_CTX *tmp_ctx;
1572 struct dcerpc_binding_handle *b = p->binding_handle;
1573
1574 if (!(tmp_ctx = talloc_new(mem_ctx))) {
1575 return NULL;
1576 }
1577
1578 qos.len = 0;
1579 qos.impersonation_level = 2;
1580 qos.context_mode = 1;
1581 qos.effective_only = 0;
1582
1583 attr.len = 0;
1584 attr.root_dir = NULL;
1585 attr.object_name = NULL;
1586 attr.attributes = 0;
1587 attr.sec_desc = NULL;
1588 attr.sec_qos = &qos;
1589
1590 r.in.system_name = "\\";
1591 r.in.attr = &attr;
1592 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1593 r.out.handle = &handle;
1594
1595 status = dcerpc_lsa_OpenPolicy2_r(b, tmp_ctx, &r);
1596 if (!NT_STATUS_IS_OK(status)) {
1597 torture_comment(tctx, "OpenPolicy2 failed - %s\n", nt_errstr(status));
1598 talloc_free(tmp_ctx);
1599 return NULL;
1600 }
1601 if (!NT_STATUS_IS_OK(r.out.result)) {
1602 torture_comment(tctx, "OpenPolicy2 failed - %s\n", nt_errstr(r.out.result));
1603 talloc_free(tmp_ctx);
1604 return NULL;
1605 }
1606
1607 sids.count = 0;
1608 sids.sids = NULL;
1609
1610 lsa_name.string = talloc_asprintf(tmp_ctx, "%s\\%s", domain, name);
1611
1612 l.in.handle = &handle;
1613 l.in.num_names = 1;
1614 l.in.names = &lsa_name;
1615 l.in.sids = &sids;
1616 l.in.level = 1;
1617 l.in.count = &count;
1618 l.out.count = &count;
1619 l.out.sids = &sids;
1620 l.out.domains = &domains;
1621
1622 status = dcerpc_lsa_LookupNames_r(b, tmp_ctx, &l);
1623 if (!NT_STATUS_IS_OK(status)) {
1624 torture_comment(tctx, "LookupNames of %s failed - %s\n", lsa_name.string,
1625 nt_errstr(status));
1626 talloc_free(tmp_ctx);
1627 return NULL;
1628 }
1629 if (!NT_STATUS_IS_OK(l.out.result)) {
1630 torture_comment(tctx, "LookupNames of %s failed - %s\n", lsa_name.string,
1631 nt_errstr(l.out.result));
1632 talloc_free(tmp_ctx);
1633 return NULL;
1634 }
1635
1636 result = dom_sid_add_rid(mem_ctx, domains->domains[0].sid,
1637 l.out.sids->sids[0].rid);
1638
1639 c.in.handle = &handle;
1640 c.out.handle = &handle;
1641
1642 status = dcerpc_lsa_Close_r(b, tmp_ctx, &c);
1643 if (!NT_STATUS_IS_OK(status)) {
1644 torture_comment(tctx, "dcerpc_lsa_Close failed - %s\n", nt_errstr(status));
1645 talloc_free(tmp_ctx);
1646 return NULL;
1647 }
1648 if (!NT_STATUS_IS_OK(c.out.result)) {
1649 torture_comment(tctx, "dcerpc_lsa_Close failed - %s\n", nt_errstr(c.out.result));
1650 talloc_free(tmp_ctx);
1651 return NULL;
1652 }
1653
1654 talloc_free(tmp_ctx);
1655 return result;
1656 }
1657
1658 /*
1659 * Find out the user SID on this connection
1660 */
1661
1662 static struct dom_sid *whoami(struct torture_context *tctx,
1663 TALLOC_CTX *mem_ctx,
1664 struct smbcli_tree *tree)
1665 {
1666 struct dcerpc_pipe *lsa;
1667 struct dcerpc_binding_handle *lsa_handle;
1668 struct lsa_GetUserName r;
1669 NTSTATUS status;
1670 struct lsa_String *authority_name_p = NULL;
1671 struct lsa_String *account_name_p = NULL;
1672 struct dom_sid *result;
1673
1674 status = pipe_bind_smb(tctx, mem_ctx, tree, "\\pipe\\lsarpc",
1675 &ndr_table_lsarpc, &lsa);
1676 if (!NT_STATUS_IS_OK(status)) {
1677 torture_warning(tctx, "Could not bind to LSA: %s\n",
1678 nt_errstr(status));
1679 return NULL;
1680 }
1681 lsa_handle = lsa->binding_handle;
1682
1683 r.in.system_name = "\\";
1684 r.in.account_name = &account_name_p;
1685 r.in.authority_name = &authority_name_p;
1686 r.out.account_name = &account_name_p;
1687
1688 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
1689
1690 authority_name_p = *r.out.authority_name;
1691
1692 if (!NT_STATUS_IS_OK(status)) {
1693 torture_warning(tctx, "GetUserName failed - %s\n",
1694 nt_errstr(status));
1695 talloc_free(lsa);
1696 return NULL;
1697 }
1698 if (!NT_STATUS_IS_OK(r.out.result)) {
1699 torture_warning(tctx, "GetUserName failed - %s\n",
1700 nt_errstr(r.out.result));
1701 talloc_free(lsa);
1702 return NULL;
1703 }
1704
1705 result = name2sid(tctx, mem_ctx, lsa, account_name_p->string,
1706 authority_name_p->string);
1707
1708 talloc_free(lsa);
1709 return result;
1710 }
1711
1712 static int destroy_tree(struct smbcli_tree *tree)
1713 {
1714 smb_tree_disconnect(tree);
1715 return 0;
1716 }
1717
1718 /*
1719 * Do a tcon, given a session
1720 */
1721
1722 static NTSTATUS secondary_tcon(struct torture_context *tctx,
1723 TALLOC_CTX *mem_ctx,
1724 struct smbcli_session *session,
1725 const char *sharename,
1726 struct smbcli_tree **res)
1727 {
1728 struct smbcli_tree *result;
1729 TALLOC_CTX *tmp_ctx;
1730 union smb_tcon tcon;
1731 NTSTATUS status;
1732
1733 if (!(tmp_ctx = talloc_new(mem_ctx))) {
1734 return NT_STATUS_NO_MEMORY;
1735 }
1736
1737 if (!(result = smbcli_tree_init(session, mem_ctx, false))) {
1738 talloc_free(tmp_ctx);
1739 return NT_STATUS_NO_MEMORY;
1740 }
1741
1742 tcon.generic.level = RAW_TCON_TCONX;
1743 tcon.tconx.in.flags = TCONX_FLAG_EXTENDED_RESPONSE;
1744 tcon.tconx.in.flags |= TCONX_FLAG_EXTENDED_SIGNATURES;
1745 tcon.tconx.in.password = data_blob(NULL, 0);
1746 tcon.tconx.in.path = sharename;
1747 tcon.tconx.in.device = "?????";
1748
1749 status = smb_raw_tcon(result, tmp_ctx, &tcon);
1750 if (!NT_STATUS_IS_OK(status)) {
1751 torture_warning(tctx, "smb_raw_tcon failed: %s\n",
1752 nt_errstr(status));
1753 talloc_free(tmp_ctx);
1754 return status;
1755 }
1756
1757 result->tid = tcon.tconx.out.tid;
1758
1759 if (tcon.tconx.out.options & SMB_EXTENDED_SIGNATURES) {
1760 smb1cli_session_protect_session_key(result->session->smbXcli);
1761 }
1762
1763 result = talloc_steal(mem_ctx, result);
1764 talloc_set_destructor(result, destroy_tree);
1765 talloc_free(tmp_ctx);
1766 *res = result;
1767 return NT_STATUS_OK;
1768 }
1769
1770 /*
1771 * Test the getusername behaviour
1772 */
1773
1774 static bool torture_samba3_rpc_getusername(struct torture_context *torture)
1775 {
1776 NTSTATUS status;
1777 struct smbcli_state *cli;
1778 bool ret = true;
1779 struct dom_sid *user_sid;
1780 struct dom_sid *created_sid;
1781 struct cli_credentials *anon_creds;
1782 struct cli_credentials *user_creds;
1783 char *domain_name;
1784 struct smbcli_options options;
1785 struct smbcli_session_options session_options;
1786
1787 lpcfg_smbcli_options(torture->lp_ctx, &options);
1788 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
1789
1790 status = smbcli_full_connection(
1791 torture, &cli, torture_setting_string(torture, "host", NULL),
1792 lpcfg_smb_ports(torture->lp_ctx),
1793 "IPC$", NULL, lpcfg_socket_options(torture->lp_ctx), cmdline_credentials,
1794 lpcfg_resolve_context(torture->lp_ctx), torture->ev, &options,
1795 &session_options, lpcfg_gensec_settings(torture, torture->lp_ctx));
1796 torture_assert_ntstatus_ok(torture, status, "smbcli_full_connection failed\n");
1797
1798 if (!(user_sid = whoami(torture, torture, cli->tree))) {
1799 torture_fail(torture, "whoami on auth'ed connection failed\n");
1800 }
1801
1802 talloc_free(cli);
1803
1804 if (!(anon_creds = cli_credentials_init_anon(torture))) {
1805 torture_fail(torture, "create_anon_creds failed\n");
1806 }
1807
1808 status = smbcli_full_connection(
1809 torture, &cli, torture_setting_string(torture, "host", NULL),
1810 lpcfg_smb_ports(torture->lp_ctx), "IPC$", NULL,
1811 lpcfg_socket_options(torture->lp_ctx), anon_creds,
1812 lpcfg_resolve_context(torture->lp_ctx),
1813 torture->ev, &options, &session_options,
1814 lpcfg_gensec_settings(torture, torture->lp_ctx));
1815 torture_assert_ntstatus_ok(torture, status, "anon smbcli_full_connection failed\n");
1816
1817 if (!(user_sid = whoami(torture, torture, cli->tree))) {
1818 torture_fail(torture, "whoami on anon connection failed\n");
1819 }
1820
1821 torture_assert_sid_equal(torture, user_sid, dom_sid_parse_talloc(torture, "s-1-5-7"),
1822 "Anon lsa_GetUserName returned unexpected SID");
1823
1824 if (!(user_creds = cli_credentials_init(torture))) {
1825 torture_fail(torture, "cli_credentials_init failed\n");
1826 }
1827
1828 cli_credentials_set_conf(user_creds, torture->lp_ctx);
1829 cli_credentials_set_username(user_creds, "torture_username",
1830 CRED_SPECIFIED);
1831 cli_credentials_set_password(user_creds,
1832 generate_random_password(user_creds, 8, 255),
1833 CRED_SPECIFIED);
1834
1835 if (!create_user(torture, torture, cli, cmdline_credentials,
1836 cli_credentials_get_username(user_creds),
1837 cli_credentials_get_password(user_creds),
1838 &domain_name, &created_sid)) {
1839 torture_fail(torture, "create_user failed\n");
1840 }
1841
1842 cli_credentials_set_domain(user_creds, domain_name,
1843 CRED_SPECIFIED);
1844
1845 {
1846 struct smbcli_session *session2;
1847 struct smb_composite_sesssetup setup;
1848 struct smbcli_tree *tree;
1849
1850 session2 = smbcli_session_init(cli->transport, torture, false, session_options);
1851 if (session2 == NULL) {
1852 torture_fail(torture, "smbcli_session_init failed\n");
1853 }
1854
1855 setup.in.sesskey = cli->transport->negotiate.sesskey;
1856 setup.in.capabilities = cli->transport->negotiate.capabilities;
1857 setup.in.workgroup = "";
1858 setup.in.credentials = user_creds;
1859 setup.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
1860
1861 status = smb_composite_sesssetup(session2, &setup);
1862 torture_assert_ntstatus_ok(torture, status, "session setup with new user failed");
1863
1864 session2->vuid = setup.out.vuid;
1865
1866 if (!NT_STATUS_IS_OK(secondary_tcon(torture, torture, session2,
1867 "IPC$", &tree))) {
1868 torture_fail(torture, "secondary_tcon failed\n");
1869 }
1870
1871 if (!(user_sid = whoami(torture, torture, tree))) {
1872 torture_fail_goto(torture, del, "whoami on user connection failed\n");
1873 ret = false;
1874 goto del;
1875 }
1876
1877 talloc_free(tree);
1878 }
1879
1880 torture_comment(torture, "Created %s, found %s\n",
1881 dom_sid_string(torture, created_sid),
1882 dom_sid_string(torture, user_sid));
1883
1884 if (!dom_sid_equal(created_sid, user_sid)) {
1885 ret = false;
1886 }
1887
1888 del:
1889 if (!delete_user(torture, cli,
1890 cmdline_credentials,
1891 cli_credentials_get_username(user_creds))) {
1892 torture_fail(torture, "delete_user failed\n");
1893 }
1894
1895 return ret;
1896 }
1897
1898 static bool test_NetShareGetInfo(struct torture_context *tctx,
1899 struct dcerpc_pipe *p,
1900 const char *sharename)
1901 {
1902 NTSTATUS status;
1903 struct srvsvc_NetShareGetInfo r;
1904 union srvsvc_NetShareInfo info;
1905 uint32_t levels[] = { 0, 1, 2, 501, 502, 1004, 1005, 1006, 1007, 1501 };
1906 int i;
1907 bool ret = true;
1908 struct dcerpc_binding_handle *b = p->binding_handle;
1909
1910 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s",
1911 dcerpc_server_name(p));
1912 r.in.share_name = sharename;
1913 r.out.info = &info;
1914
1915 for (i=0;i<ARRAY_SIZE(levels);i++) {
1916 r.in.level = levels[i];
1917
1918 torture_comment(tctx, "Testing NetShareGetInfo level %u on share '%s'\n",
1919 r.in.level, r.in.share_name);
1920
1921 status = dcerpc_srvsvc_NetShareGetInfo_r(b, tctx, &r);
1922 if (!NT_STATUS_IS_OK(status)) {
1923 torture_warning(tctx, "NetShareGetInfo level %u on share '%s' failed"
1924 " - %s\n", r.in.level, r.in.share_name,
1925 nt_errstr(status));
1926 ret = false;
1927 continue;
1928 }
1929 if (!W_ERROR_IS_OK(r.out.result)) {
1930 torture_warning(tctx, "NetShareGetInfo level %u on share '%s' failed "
1931 "- %s\n", r.in.level, r.in.share_name,
1932 win_errstr(r.out.result));
1933 ret = false;
1934 continue;
1935 }
1936 }
1937
1938 return ret;
1939 }
1940
1941 static bool test_NetShareEnum(struct torture_context *tctx,
1942 struct dcerpc_pipe *p,
1943 const char **one_sharename)
1944 {
1945 NTSTATUS status;
1946 struct srvsvc_NetShareEnum r;
1947 struct srvsvc_NetShareInfoCtr info_ctr;
1948 struct srvsvc_NetShareCtr0 c0;
1949 struct srvsvc_NetShareCtr1 c1;
1950 struct srvsvc_NetShareCtr2 c2;
1951 struct srvsvc_NetShareCtr501 c501;
1952 struct srvsvc_NetShareCtr502 c502;
1953 struct srvsvc_NetShareCtr1004 c1004;
1954 struct srvsvc_NetShareCtr1005 c1005;
1955 struct srvsvc_NetShareCtr1006 c1006;
1956 struct srvsvc_NetShareCtr1007 c1007;
1957 uint32_t totalentries = 0;
1958 uint32_t levels[] = { 0, 1, 2, 501, 502, 1004, 1005, 1006, 1007 };
1959 int i;
1960 bool ret = true;
1961 struct dcerpc_binding_handle *b = p->binding_handle;
1962
1963 ZERO_STRUCT(info_ctr);
1964
1965 r.in.server_unc = talloc_asprintf(tctx,"\\\\%s",dcerpc_server_name(p));
1966 r.in.info_ctr = &info_ctr;
1967 r.in.max_buffer = (uint32_t)-1;
1968 r.in.resume_handle = NULL;
1969 r.out.totalentries = &totalentries;
1970 r.out.info_ctr = &info_ctr;
1971
1972 for (i=0;i<ARRAY_SIZE(levels);i++) {
1973 info_ctr.level = levels[i];
1974
1975 switch (info_ctr.level) {
1976 case 0:
1977 ZERO_STRUCT(c0);
1978 info_ctr.ctr.ctr0 = &c0;
1979 break;
1980 case 1:
1981 ZERO_STRUCT(c1);
1982 info_ctr.ctr.ctr1 = &c1;
1983 break;
1984 case 2:
1985 ZERO_STRUCT(c2);
1986 info_ctr.ctr.ctr2 = &c2;
1987 break;
1988 case 501:
1989 ZERO_STRUCT(c501);
1990 info_ctr.ctr.ctr501 = &c501;
1991 break;
1992 case 502:
1993 ZERO_STRUCT(c502);
1994 info_ctr.ctr.ctr502 = &c502;
1995 break;
1996 case 1004:
1997 ZERO_STRUCT(c1004);
1998 info_ctr.ctr.ctr1004 = &c1004;
1999 break;
2000 case 1005:
2001 ZERO_STRUCT(c1005);
2002 info_ctr.ctr.ctr1005 = &c1005;
2003 break;
2004 case 1006:
2005 ZERO_STRUCT(c1006);
2006 info_ctr.ctr.ctr1006 = &c1006;
2007 break;
2008 case 1007:
2009 ZERO_STRUCT(c1007);
2010 info_ctr.ctr.ctr1007 = &c1007;
2011 break;
2012 }
2013
2014 torture_comment(tctx, "Testing NetShareEnum level %u\n", info_ctr.level);
2015
2016 status = dcerpc_srvsvc_NetShareEnum_r(b, tctx, &r);
2017 if (!NT_STATUS_IS_OK(status)) {
2018 torture_warning(tctx, "NetShareEnum level %u failed - %s\n",
2019 info_ctr.level, nt_errstr(status));
2020 ret = false;
2021 continue;
2022 }
2023 if (!W_ERROR_IS_OK(r.out.result)) {
2024 torture_warning(tctx, "NetShareEnum level %u failed - %s\n",
2025 info_ctr.level, win_errstr(r.out.result));
2026 continue;
2027 }
2028 if (info_ctr.level == 0) {
2029 struct srvsvc_NetShareCtr0 *ctr = r.out.info_ctr->ctr.ctr0;
2030 if (ctr->count > 0) {
2031 *one_sharename = ctr->array[0].name;
2032 }
2033 }
2034 }
2035
2036 return ret;
2037 }
2038
2039 static bool torture_samba3_rpc_srvsvc(struct torture_context *torture)
2040 {
2041 struct dcerpc_pipe *p;
2042 const char *sharename = NULL;
2043 bool ret = true;
2044
2045 torture_assert_ntstatus_ok(torture,
2046 torture_rpc_connection(torture, &p, &ndr_table_srvsvc),
2047 "failed to open srvsvc");
2048
2049 ret &= test_NetShareEnum(torture, p, &sharename);
2050 if (sharename == NULL) {
2051 torture_comment(torture, "did not get sharename\n");
2052 } else {
2053 ret &= test_NetShareGetInfo(torture, p, sharename);
2054 }
2055
2056 return ret;
2057 }
2058
2059 /*
2060 * Do a ReqChallenge/Auth2 with a random wks name, make sure it returns
2061 * NT_STATUS_NO_SAM_ACCOUNT
2062 */
2063
2064 static bool torture_samba3_rpc_randomauth2(struct torture_context *torture)
2065 {
2066 TALLOC_CTX *mem_ctx;
2067 struct dcerpc_pipe *net_pipe;
2068 struct dcerpc_binding_handle *net_handle;
2069 char *wksname;
2070 bool result = false;
2071 NTSTATUS status;
2072 struct netr_ServerReqChallenge r;
2073 struct netr_Credential netr_cli_creds;
2074 struct netr_Credential netr_srv_creds;
2075 uint32_t negotiate_flags;
2076 struct netr_ServerAuthenticate2 a;
2077 struct netlogon_creds_CredentialState *creds_state;
2078 struct netr_Credential netr_cred;
2079 struct samr_Password mach_pw;
2080 struct smbcli_state *cli;
2081
2082 if (!(mem_ctx = talloc_new(torture))) {
2083 torture_comment(torture, "talloc_new failed\n");
2084 return false;
2085 }
2086
2087 if (!(wksname = generate_random_str_list(
2088 mem_ctx, 14, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"))) {
2089 torture_comment(torture, "generate_random_str_list failed\n");
2090 goto done;
2091 }
2092
2093 if (!(torture_open_connection_share(
2094 mem_ctx, &cli,
2095 torture, torture_setting_string(torture, "host", NULL),
2096 "IPC$", torture->ev))) {
2097 torture_comment(torture, "IPC$ connection failed\n");
2098 goto done;
2099 }
2100
2101 if (!(net_pipe = dcerpc_pipe_init(mem_ctx, torture->ev))) {
2102 torture_comment(torture, "dcerpc_pipe_init failed\n");
2103 goto done;
2104 }
2105 net_handle = net_pipe->binding_handle;
2106
2107 status = dcerpc_pipe_open_smb(net_pipe, cli->tree, "\\netlogon");
2108 if (!NT_STATUS_IS_OK(status)) {
2109 torture_comment(torture, "dcerpc_pipe_open_smb failed: %s\n",
2110 nt_errstr(status));
2111 goto done;
2112 }
2113
2114 status = dcerpc_bind_auth_none(net_pipe, &ndr_table_netlogon);
2115 if (!NT_STATUS_IS_OK(status)) {
2116 torture_comment(torture, "dcerpc_bind_auth_none failed: %s\n",
2117 nt_errstr(status));
2118 goto done;
2119 }
2120
2121 r.in.computer_name = wksname;
2122 r.in.server_name = talloc_asprintf(
2123 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
2124 if (r.in.server_name == NULL) {
2125 torture_comment(torture, "talloc_asprintf failed\n");
2126 goto done;
2127 }
2128 generate_random_buffer(netr_cli_creds.data,
2129 sizeof(netr_cli_creds.data));
2130 r.in.credentials = &netr_cli_creds;
2131 r.out.return_credentials = &netr_srv_creds;
2132
2133 status = dcerpc_netr_ServerReqChallenge_r(net_handle, mem_ctx, &r);
2134 if (!NT_STATUS_IS_OK(status)) {
2135 torture_comment(torture, "netr_ServerReqChallenge failed: %s\n",
2136 nt_errstr(status));
2137 goto done;
2138 }
2139 if (!NT_STATUS_IS_OK(r.out.result)) {
2140 torture_comment(torture, "netr_ServerReqChallenge failed: %s\n",
2141 nt_errstr(r.out.result));
2142 goto done;
2143 }
2144
2145 negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
2146 E_md4hash("foobar", mach_pw.hash);
2147
2148 a.in.server_name = talloc_asprintf(
2149 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
2150 a.in.account_name = talloc_asprintf(
2151 mem_ctx, "%s$", wksname);
2152 a.in.computer_name = wksname;
2153 a.in.secure_channel_type = SEC_CHAN_WKSTA;
2154 a.in.negotiate_flags = &negotiate_flags;
2155 a.out.negotiate_flags = &negotiate_flags;
2156 a.in.credentials = &netr_cred;
2157 a.out.return_credentials = &netr_cred;
2158
2159 creds_state = netlogon_creds_client_init(mem_ctx,
2160 a.in.account_name,
2161 a.in.computer_name,
2162 a.in.secure_channel_type,
2163 r.in.credentials,
2164 r.out.return_credentials, &mach_pw,
2165 &netr_cred, negotiate_flags);
2166 torture_assert(torture, (creds_state != NULL), "memory allocation failed");
2167
2168 status = dcerpc_netr_ServerAuthenticate2_r(net_handle, mem_ctx, &a);
2169 if (!NT_STATUS_IS_OK(status)) {
2170 goto done;
2171 }
2172 if (!NT_STATUS_EQUAL(a.out.result, NT_STATUS_NO_TRUST_SAM_ACCOUNT)) {
2173 torture_comment(torture, "dcerpc_netr_ServerAuthenticate2 returned %s, "
2174 "expected NT_STATUS_NO_TRUST_SAM_ACCOUNT\n",
2175 nt_errstr(a.out.result));
2176 goto done;
2177 }
2178
2179 result = true;
2180 done:
2181 talloc_free(mem_ctx);
2182 return result;
2183 }
2184
2185 static struct security_descriptor *get_sharesec(struct torture_context *tctx,
2186 TALLOC_CTX *mem_ctx,
2187 struct smbcli_session *sess,
2188 const char *sharename)
2189 {
2190 struct smbcli_tree *tree;
2191 TALLOC_CTX *tmp_ctx;
2192 struct dcerpc_pipe *p;
2193 struct dcerpc_binding_handle *b;
2194 NTSTATUS status;
2195 struct srvsvc_NetShareGetInfo r;
2196 union srvsvc_NetShareInfo info;
2197 struct security_descriptor *result;
2198
2199 if (!(tmp_ctx = talloc_new(mem_ctx))) {
2200 torture_comment(tctx, "talloc_new failed\n");
2201 return NULL;
2202 }
2203
2204 if (!NT_STATUS_IS_OK(secondary_tcon(tctx, tmp_ctx, sess, "IPC$", &tree))) {
2205 torture_comment(tctx, "secondary_tcon failed\n");
2206 talloc_free(tmp_ctx);
2207 return NULL;
2208 }
2209
2210 status = pipe_bind_smb(tctx, mem_ctx, tree, "\\pipe\\srvsvc",
2211 &ndr_table_srvsvc, &p);
2212 if (!NT_STATUS_IS_OK(status)) {
2213 torture_warning(tctx, "could not bind to srvsvc pipe: %s\n",
2214 nt_errstr(status));
2215 talloc_free(tmp_ctx);
2216 return NULL;
2217 }
2218 b = p->binding_handle;
2219
2220 #if 0
2221 p->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
2222 #endif
2223
2224 r.in.server_unc = talloc_asprintf(tmp_ctx, "\\\\%s",
2225 dcerpc_server_name(p));
2226 r.in.share_name = sharename;
2227 r.in.level = 502;
2228 r.out.info = &info;
2229
2230 status = dcerpc_srvsvc_NetShareGetInfo_r(b, tmp_ctx, &r);
2231 if (!NT_STATUS_IS_OK(status)) {
2232 torture_comment(tctx, "srvsvc_NetShareGetInfo failed: %s\n",
2233 nt_errstr(status));
2234 talloc_free(tmp_ctx);
2235 return NULL;
2236 }
2237 if (!W_ERROR_IS_OK(r.out.result)) {
2238 torture_comment(tctx, "srvsvc_NetShareGetInfo failed: %s\n",
2239 win_errstr(r.out.result));
2240 talloc_free(tmp_ctx);
2241 return NULL;
2242 }
2243
2244 result = talloc_steal(mem_ctx, info.info502->sd_buf.sd);
2245 talloc_free(tmp_ctx);
2246 return result;
2247 }
2248
2249 static NTSTATUS set_sharesec(struct torture_context *tctx,
2250 TALLOC_CTX *mem_ctx,
2251 struct smbcli_session *sess,
2252 const char *sharename,
2253 struct security_descriptor *sd)
2254 {
2255 struct smbcli_tree *tree;
2256 TALLOC_CTX *tmp_ctx;
2257 struct dcerpc_pipe *p;
2258 struct dcerpc_binding_handle *b;
2259 NTSTATUS status;
2260 struct sec_desc_buf i;
2261 struct srvsvc_NetShareSetInfo r;
2262 union srvsvc_NetShareInfo info;
2263 uint32_t error = 0;
2264
2265 if (!(tmp_ctx = talloc_new(mem_ctx))) {
2266 torture_comment(tctx, "talloc_new failed\n");
2267 return NT_STATUS_NO_MEMORY;
2268 }
2269
2270 if (!NT_STATUS_IS_OK(secondary_tcon(tctx, tmp_ctx, sess, "IPC$", &tree))) {
2271 torture_comment(tctx, "secondary_tcon failed\n");
2272 talloc_free(tmp_ctx);
2273 return NT_STATUS_UNSUCCESSFUL;
2274 }
2275
2276 status = pipe_bind_smb(tctx, mem_ctx, tree, "\\pipe\\srvsvc",
2277 &ndr_table_srvsvc, &p);
2278 if (!NT_STATUS_IS_OK(status)) {
2279 torture_warning(tctx, "could not bind to srvsvc pipe: %s\n",
2280 nt_errstr(status));
2281 talloc_free(tmp_ctx);
2282 return NT_STATUS_UNSUCCESSFUL;
2283 }
2284 b = p->binding_handle;
2285
2286 #if 0
2287 p->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
2288 #endif
2289
2290 r.in.server_unc = talloc_asprintf(tmp_ctx, "\\\\%s",
2291 dcerpc_server_name(p));
2292 r.in.share_name = sharename;
2293 r.in.level = 1501;
2294 i.sd = sd;
2295 info.info1501 = &i;
2296 r.in.info = &info;
2297 r.in.parm_error = &error;
2298
2299 status = dcerpc_srvsvc_NetShareSetInfo_r(b, tmp_ctx, &r);
2300 if (!NT_STATUS_IS_OK(status)) {
2301 torture_comment(tctx, "srvsvc_NetShareSetInfo failed: %s\n",
2302 nt_errstr(status));
2303 }
2304 if (!W_ERROR_IS_OK(r.out.result)) {
2305 torture_comment(tctx, "srvsvc_NetShareSetInfo failed: %s\n",
2306 win_errstr(r.out.result));
2307 status = werror_to_ntstatus(r.out.result);
2308 }
2309 talloc_free(tmp_ctx);
2310 return status;
2311 }
2312
2313 bool try_tcon(struct torture_context *tctx,
2314 TALLOC_CTX *mem_ctx,
2315 struct security_descriptor *orig_sd,
2316 struct smbcli_session *session,
2317 const char *sharename, const struct dom_sid *user_sid,
2318 unsigned int access_mask, NTSTATUS expected_tcon,
2319 NTSTATUS expected_mkdir)
2320 {
2321 TALLOC_CTX *tmp_ctx;
2322 struct smbcli_tree *rmdir_tree, *tree;
2323 struct dom_sid *domain_sid;
2324 uint32_t rid;
2325 struct security_descriptor *sd;
2326 NTSTATUS status;
2327 bool ret = true;
2328
2329 if (!(tmp_ctx = talloc_new(mem_ctx))) {
2330 torture_comment(tctx, "talloc_new failed\n");
2331 return false;
2332 }
2333
2334 status = secondary_tcon(tctx, tmp_ctx, session, sharename, &rmdir_tree);
2335 if (!NT_STATUS_IS_OK(status)) {
2336 torture_comment(tctx, "first tcon to delete dir failed\n");
2337 talloc_free(tmp_ctx);
2338 return false;
2339 }
2340
2341 smbcli_rmdir(rmdir_tree, "sharesec_testdir");
2342
2343 if (!NT_STATUS_IS_OK(dom_sid_split_rid(tmp_ctx, user_sid,
2344 &domain_sid, &rid))) {
2345 torture_comment(tctx, "dom_sid_split_rid failed\n");
2346 talloc_free(tmp_ctx);
2347 return false;
2348 }
2349
2350 sd = security_descriptor_dacl_create(
2351 tmp_ctx, 0, "S-1-5-32-544",
2352 dom_sid_string(mem_ctx, dom_sid_add_rid(mem_ctx, domain_sid,
2353 DOMAIN_RID_USERS)),
2354 dom_sid_string(mem_ctx, user_sid),
2355 SEC_ACE_TYPE_ACCESS_ALLOWED, access_mask, 0, NULL);
2356 if (sd == NULL) {
2357 torture_comment(tctx, "security_descriptor_dacl_create failed\n");
2358 talloc_free(tmp_ctx);
2359 return false;
2360 }
2361
2362 status = set_sharesec(tctx, mem_ctx, session, sharename, sd);
2363 if (!NT_STATUS_IS_OK(status)) {
2364 torture_comment(tctx, "custom set_sharesec failed: %s\n",
2365 nt_errstr(status));
2366 talloc_free(tmp_ctx);
2367 return false;
2368 }
2369
2370 status = secondary_tcon(tctx, tmp_ctx, session, sharename, &tree);
2371 if (!NT_STATUS_EQUAL(status, expected_tcon)) {
2372 torture_comment(tctx, "Expected %s, got %s\n", nt_errstr(expected_tcon),
2373 nt_errstr(status));
2374 ret = false;
2375 goto done;
2376 }
2377
2378 if (!NT_STATUS_IS_OK(status)) {
2379 /* An expected non-access, no point in trying to write */
2380 goto done;
2381 }
2382
2383 status = smbcli_mkdir(tree, "sharesec_testdir");
2384 if (!NT_STATUS_EQUAL(status, expected_mkdir)) {
2385 torture_warning(tctx, "Expected %s, got %s\n",
2386 nt_errstr(expected_mkdir), nt_errstr(status));
2387 ret = false;
2388 }
2389
2390 done:
2391 smbcli_rmdir(rmdir_tree, "sharesec_testdir");
2392
2393 status = set_sharesec(tctx, mem_ctx, session, sharename, orig_sd);
2394 if (!NT_STATUS_IS_OK(status)) {
2395 torture_comment(tctx, "custom set_sharesec failed: %s\n",
2396 nt_errstr(status));
2397 talloc_free(tmp_ctx);
2398 return false;
2399 }
2400
2401 talloc_free(tmp_ctx);
2402 return ret;
2403 }
2404
2405 static bool torture_samba3_rpc_sharesec(struct torture_context *torture)
2406 {
2407 struct smbcli_state *cli = NULL;
2408 struct security_descriptor *sd = NULL;
2409 struct dom_sid *user_sid = NULL;
2410 const char *testuser_passwd = NULL;
2411 struct cli_credentials *test_credentials = NULL;
2412 struct smbcli_options options;
2413 struct smbcli_session_options session_options;
2414 NTSTATUS status;
2415 struct test_join *tj = NULL;
2416 struct dcerpc_pipe *lsa_pipe = NULL;
2417 const char *priv_array[1];
2418
2419 /* Create a new user. The normal user has SeBackup and SeRestore
2420 privs so we can't lock them out with a share security descriptor. */
2421 tj = torture_create_testuser(torture,
2422 "sharesec_user",
2423 torture_setting_string(torture, "workgroup", NULL),
2424 ACB_NORMAL,
2425 &testuser_passwd);
2426 if (!tj) {
2427 torture_fail(torture, "Creating sharesec_user failed\n");
2428 }
2429
2430 /* Give them SeDiskOperatorPrivilege but no other privs. */
2431 status = torture_rpc_connection(torture, &lsa_pipe, &ndr_table_lsarpc);
2432 if (!NT_STATUS_IS_OK(status)) {
2433 torture_delete_testuser(torture, tj, "sharesec_user");
2434 talloc_free(tj);
2435 torture_fail(torture, "Error connecting to LSA pipe");
2436 }
2437
2438 priv_array[0] = "SeDiskOperatorPrivilege";
2439 if (!torture_setup_privs(torture,
2440 lsa_pipe,
2441 1,
2442 priv_array,
2443 torture_join_user_sid(tj))) {
2444 talloc_free(lsa_pipe);
2445 torture_delete_testuser(torture, tj, "sharesec_user");
2446 talloc_free(tj);
2447 torture_fail(torture, "Failed to setup privs\n");
2448 }
2449 talloc_free(lsa_pipe);
2450
2451 test_credentials = cli_credentials_init(torture);
2452 cli_credentials_set_workstation(test_credentials, "localhost", CRED_SPECIFIED);
2453 cli_credentials_set_domain(test_credentials, lpcfg_workgroup(torture->lp_ctx),
2454 CRED_SPECIFIED);
2455 cli_credentials_set_username(test_credentials, "sharesec_user", CRED_SPECIFIED);
2456 cli_credentials_set_password(test_credentials, testuser_passwd, CRED_SPECIFIED);
2457
2458 ZERO_STRUCT(options);
2459 ZERO_STRUCT(session_options);
2460 lpcfg_smbcli_options(torture->lp_ctx, &options);
2461 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
2462
2463 status = smbcli_full_connection(torture,
2464 &cli,
2465 torture_setting_string(torture, "host", NULL),
2466 lpcfg_smb_ports(torture->lp_ctx),
2467 "IPC$",
2468 NULL,
2469 lpcfg_socket_options(torture->lp_ctx),
2470 test_credentials,
2471 lpcfg_resolve_context(torture->lp_ctx),
2472 torture->ev,
2473 &options,
2474 &session_options,
2475 lpcfg_gensec_settings(torture, torture->lp_ctx));
2476 if (!NT_STATUS_IS_OK(status)) {
2477 talloc_free(cli);
2478 torture_delete_testuser(torture, tj, "sharesec_user");
2479 talloc_free(tj);
2480 torture_fail(torture, "Failed to open connection\n");
2481 }
2482
2483 if (!(user_sid = whoami(torture, torture, cli->tree))) {
2484 talloc_free(cli);
2485 torture_delete_testuser(torture, tj, "sharesec_user");
2486 talloc_free(tj);
2487 torture_fail(torture, "whoami failed\n");
2488 }
2489
2490 sd = get_sharesec(torture, torture, cli->session,
2491 torture_setting_string(torture, "share", NULL));
2492
2493 if (!try_tcon(torture, torture, sd, cli->session,
2494 torture_setting_string(torture, "share", NULL),
2495 user_sid, 0, NT_STATUS_ACCESS_DENIED, NT_STATUS_OK)) {
2496 talloc_free(cli);
2497 torture_delete_testuser(torture, tj, "sharesec_user");
2498 talloc_free(tj);
2499 torture_fail(torture, "failed to test tcon with 0 access_mask");
2500 }
2501
2502 if (!try_tcon(torture, torture, sd, cli->session,
2503 torture_setting_string(torture, "share", NULL),
2504 user_sid, SEC_FILE_READ_DATA, NT_STATUS_OK,
2505 NT_STATUS_MEDIA_WRITE_PROTECTED)) {
2506 talloc_free(cli);
2507 torture_delete_testuser(torture, tj, "sharesec_user");
2508 talloc_free(tj);
2509 torture_fail(torture, "failed to test tcon with SEC_FILE_READ_DATA access_mask");
2510 }
2511
2512 /* sharesec_user doesn't have any rights on the underlying file system.
2513 Go back to the normal user. */
2514
2515 talloc_free(cli);
2516 cli = NULL;
2517 torture_delete_testuser(torture, tj, "sharesec_user");
2518 talloc_free(tj);
2519 tj = NULL;
2520
2521 if (!(torture_open_connection_share(
2522 torture, &cli, torture, torture_setting_string(torture, "host", NULL),
2523 "IPC$", torture->ev))) {
2524 torture_fail(torture, "IPC$ connection failed\n");
2525 }
2526
2527 if (!(user_sid = whoami(torture, torture, cli->tree))) {
2528 torture_fail(torture, "whoami failed\n");
2529 }
2530 torture_assert(torture, try_tcon(
2531 torture, torture, sd, cli->session,
2532 torture_setting_string(torture, "share", NULL),
2533 user_sid, SEC_FILE_ALL, NT_STATUS_OK, NT_STATUS_OK),
2534 "failed to test tcon with SEC_FILE_ALL access_mask")
2535
2536 return true;
2537 }
2538
2539 static bool torture_samba3_rpc_lsa(struct torture_context *torture)
2540 {
2541 struct dcerpc_pipe *p;
2542 struct dcerpc_binding_handle *b;
2543 struct policy_handle lsa_handle;
2544
2545 torture_assert_ntstatus_ok(torture,
2546 torture_rpc_connection(torture, &p, &ndr_table_lsarpc),
2547 "failed to setup lsarpc");
2548
2549 b = p->binding_handle;
2550
2551 {
2552 struct lsa_ObjectAttribute attr;
2553 struct lsa_OpenPolicy2 o;
2554 o.in.system_name = talloc_asprintf(
2555 torture, "\\\\%s", dcerpc_server_name(p));
2556 ZERO_STRUCT(attr);
2557 o.in.attr = &attr;
2558 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2559 o.out.handle = &lsa_handle;
2560
2561 torture_assert_ntstatus_ok(torture,
2562 dcerpc_lsa_OpenPolicy2_r(b, torture, &o),
2563 "dcerpc_lsa_OpenPolicy2 failed");
2564 torture_assert_ntstatus_ok(torture, o.out.result,
2565 "dcerpc_lsa_OpenPolicy2 failed");
2566 }
2567
2568 {
2569 int i;
2570 int levels[] = { 2,3,5,6 };
2571
2572 for (i=0; i<ARRAY_SIZE(levels); i++) {
2573 struct lsa_QueryInfoPolicy r;
2574 union lsa_PolicyInformation *info = NULL;
2575 r.in.handle = &lsa_handle;
2576 r.in.level = levels[i];
2577 r.out.info = &info;
2578
2579 torture_assert_ntstatus_ok(torture,
2580 dcerpc_lsa_QueryInfoPolicy_r(b, torture, &r),
2581 talloc_asprintf(torture, "dcerpc_lsa_QueryInfoPolicy level %d failed", levels[i]));
2582 torture_assert_ntstatus_ok(torture, r.out.result,
2583 talloc_asprintf(torture, "dcerpc_lsa_QueryInfoPolicy level %d failed", levels[i]));
2584 }
2585 }
2586
2587 return true;
2588 }
2589
2590 static NTSTATUS get_servername(TALLOC_CTX *mem_ctx, struct smbcli_tree *tree,
2591 char **name)
2592 {
2593 struct rap_WserverGetInfo r;
2594 NTSTATUS status;
2595 char servername[17];
2596 size_t converted_size;
2597
2598 r.in.level = 0;
2599 r.in.bufsize = 0xffff;
2600
2601 status = smbcli_rap_netservergetinfo(tree, mem_ctx, &r);
2602 if (!NT_STATUS_IS_OK(status)) {
2603 return status;
2604 }
2605
2606 memcpy(servername, r.out.info.info0.name, 16);
2607 servername[16] = '\0';
2608
2609 if (!pull_ascii_talloc(mem_ctx, name, servername, &converted_size)) {
2610 return NT_STATUS_NO_MEMORY;
2611 }
2612
2613 return NT_STATUS_OK;
2614 }
2615
2616 static bool rap_get_servername(struct torture_context *tctx,
2617 char **servername)
2618 {
2619 struct smbcli_state *cli;
2620
2621 torture_assert(tctx,
2622 torture_open_connection_share(tctx, &cli, tctx, torture_setting_string(tctx, "host", NULL),
2623 "IPC$", tctx->ev),
2624 "IPC$ connection failed");
2625
2626 torture_assert_ntstatus_ok(tctx,
2627 get_servername(tctx, cli->tree, servername),
2628 "get_servername failed");
2629
2630 talloc_free(cli);
2631
2632 return true;
2633 }
2634
2635 static bool find_printers(struct torture_context *tctx,
2636 struct dcerpc_pipe *p,
2637 const char ***printers,
2638 int *num_printers)
2639 {
2640 struct srvsvc_NetShareEnum r;
2641 struct srvsvc_NetShareInfoCtr info_ctr;
2642 struct srvsvc_NetShareCtr1 c1_in;
2643 struct srvsvc_NetShareCtr1 *c1;
2644 uint32_t totalentries = 0;
2645 int i;
2646 struct dcerpc_binding_handle *b = p->binding_handle;
2647
2648 ZERO_STRUCT(c1_in);
2649 info_ctr.level = 1;
2650 info_ctr.ctr.ctr1 = &c1_in;
2651
2652 r.in.server_unc = talloc_asprintf(
2653 tctx, "\\\\%s", dcerpc_server_name(p));
2654 r.in.info_ctr = &info_ctr;
2655 r.in.max_buffer = (uint32_t)-1;
2656 r.in.resume_handle = NULL;
2657 r.out.totalentries = &totalentries;
2658 r.out.info_ctr = &info_ctr;
2659
2660 torture_assert_ntstatus_ok(tctx,
2661 dcerpc_srvsvc_NetShareEnum_r(b, tctx, &r),
2662 "NetShareEnum level 1 failed");
2663 torture_assert_werr_ok(tctx, r.out.result,
2664 "NetShareEnum level 1 failed");
2665
2666 *printers = NULL;
2667 *num_printers = 0;
2668 c1 = r.out.info_ctr->ctr.ctr1;
2669 for (i=0; i<c1->count; i++) {
2670 if (c1->array[i].type != STYPE_PRINTQ) {
2671 continue;
2672 }
2673 if (!add_string_to_array(tctx, c1->array[i].name,
2674 printers, num_printers)) {
2675 return false;
2676 }
2677 }
2678
2679 return true;
2680 }
2681
2682 static bool enumprinters(struct torture_context *tctx,
2683 struct dcerpc_binding_handle *b,
2684 const char *servername, int level, int *num_printers)
2685 {
2686 struct spoolss_EnumPrinters r;
2687 DATA_BLOB blob;
2688 uint32_t needed;
2689 uint32_t count;
2690 union spoolss_PrinterInfo *info;
2691
2692 r.in.flags = PRINTER_ENUM_LOCAL;
2693 r.in.server = talloc_asprintf(tctx, "\\\\%s", servername);
2694 r.in.level = level;
2695 r.in.buffer = NULL;
2696 r.in.offered = 0;
2697 r.out.needed = &needed;
2698 r.out.count = &count;
2699 r.out.info = &info;
2700
2701 torture_assert_ntstatus_ok(tctx,
2702 dcerpc_spoolss_EnumPrinters_r(b, tctx, &r),
2703 "dcerpc_spoolss_EnumPrinters failed");
2704 torture_assert_werr_equal(tctx, r.out.result, WERR_INSUFFICIENT_BUFFER,
2705 "EnumPrinters unexpected return code should be WERR_INSUFFICIENT_BUFFER");
2706
2707 blob = data_blob_talloc_zero(tctx, needed);
2708 if (blob.data == NULL) {
2709 return false;
2710 }
2711
2712 r.in.buffer = &blob;
2713 r.in.offered = needed;
2714
2715 torture_assert_ntstatus_ok(tctx,
2716 dcerpc_spoolss_EnumPrinters_r(b, tctx, &r),
2717 "dcerpc_spoolss_EnumPrinters failed");
2718 torture_assert_werr_ok(tctx, r.out.result,
2719 "dcerpc_spoolss_EnumPrinters failed");
2720
2721 *num_printers = count;
2722
2723 return true;
2724 }
2725
2726 static bool getprinterinfo(struct torture_context *tctx,
2727 struct dcerpc_binding_handle *b,
2728 struct policy_handle *handle, int level,
2729 union spoolss_PrinterInfo **res)
2730 {
2731 struct spoolss_GetPrinter r;
2732 DATA_BLOB blob;
2733 uint32_t needed;
2734
2735 r.in.handle = handle;
2736 r.in.level = level;
2737 r.in.buffer = NULL;
2738 r.in.offered = 0;
2739 r.out.needed = &needed;
2740
2741 torture_assert_ntstatus_ok(tctx,
2742 dcerpc_spoolss_GetPrinter_r(b, tctx, &r),
2743 "dcerpc_spoolss_GetPrinter failed");
2744 torture_assert_werr_equal(tctx, r.out.result, WERR_INSUFFICIENT_BUFFER,
2745 "GetPrinter unexpected return code should be WERR_INSUFFICIENT_BUFFER");
2746
2747 r.in.handle = handle;
2748 r.in.level = level;
2749 blob = data_blob_talloc_zero(tctx, needed);
2750 if (blob.data == NULL) {
2751 return false;
2752 }
2753 r.in.buffer = &blob;
2754 r.in.offered = needed;
2755
2756 torture_assert_ntstatus_ok(tctx,
2757 dcerpc_spoolss_GetPrinter_r(b, tctx, &r),
2758 "dcerpc_spoolss_GetPrinter failed");
2759 torture_assert_werr_ok(tctx, r.out.result,
2760 "dcerpc_spoolss_GetPrinter failed");
2761
2762 if (res != NULL) {
2763 *res = talloc_steal(tctx, r.out.info);
2764 }
2765
2766 return true;
2767 }
2768
2769 static bool torture_samba3_rpc_spoolss(struct torture_context *torture)
2770 {
2771 struct dcerpc_pipe *p, *p2;
2772 struct dcerpc_binding_handle *b;
2773 struct policy_handle server_handle, printer_handle;
2774 const char **printers;
2775 int num_printers;
2776 struct spoolss_UserLevel1 userlevel1;
2777 char *servername;
2778
2779 torture_assert(torture,
2780 rap_get_servername(torture, &servername),
2781 "failed to rap servername");
2782
2783 torture_assert_ntstatus_ok(torture,
2784 torture_rpc_connection(torture, &p2, &ndr_table_srvsvc),
2785 "failed to setup srvsvc");
2786
2787 torture_assert(torture,
2788 find_printers(torture, p2, &printers, &num_printers),
2789 "failed to find printers via srvsvc");
2790
2791 talloc_free(p2);
2792
2793 if (num_printers == 0) {
2794 torture_skip(torture, "Did not find printers\n");
2795 return true;
2796 }
2797
2798 torture_assert_ntstatus_ok(torture,
2799 torture_rpc_connection(torture, &p, &ndr_table_spoolss),
2800 "failed to setup spoolss");
2801
2802 b = p->binding_handle;
2803
2804 ZERO_STRUCT(userlevel1);
2805 userlevel1.client = talloc_asprintf(
2806 torture, "\\\\%s", lpcfg_netbios_name(torture->lp_ctx));
2807 userlevel1.user = cli_credentials_get_username(cmdline_credentials);
2808 userlevel1.build = 2600;
2809 userlevel1.major = 3;
2810 userlevel1.minor = 0;
2811 userlevel1.processor = 0;
2812
2813 {
2814 struct spoolss_OpenPrinterEx r;
2815
2816 ZERO_STRUCT(r);
2817 r.in.printername = talloc_asprintf(torture, "\\\\%s",
2818 servername);
2819 r.in.datatype = NULL;
2820 r.in.access_mask = 0;
2821 r.in.userlevel_ctr.level = 1;
2822 r.in.userlevel_ctr.user_info.level1 = &userlevel1;
2823 r.out.handle = &server_handle;
2824
2825 torture_assert_ntstatus_ok(torture,
2826 dcerpc_spoolss_OpenPrinterEx_r(b, torture, &r),
2827 "dcerpc_spoolss_OpenPrinterEx failed");
2828 torture_assert_werr_ok(torture, r.out.result,
2829 "dcerpc_spoolss_OpenPrinterEx failed");
2830 }
2831
2832 {
2833 struct spoolss_ClosePrinter r;
2834
2835 r.in.handle = &server_handle;
2836 r.out.handle = &server_handle;
2837
2838 torture_assert_ntstatus_ok(torture,
2839 dcerpc_spoolss_ClosePrinter_r(b, torture, &r),
2840 "dcerpc_spoolss_ClosePrinter failed");
2841 torture_assert_werr_ok(torture, r.out.result,
2842 "dcerpc_spoolss_ClosePrinter failed");
2843 }
2844
2845 {
2846 struct spoolss_OpenPrinterEx r;
2847
2848 ZERO_STRUCT(r);
2849 r.in.printername = talloc_asprintf(
2850 torture, "\\\\%s\\%s", servername, printers[0]);
2851 r.in.datatype = NULL;
2852 r.in.access_mask = 0;
2853 r.in.userlevel_ctr.level = 1;
2854 r.in.userlevel_ctr.user_info.level1 = &userlevel1;
2855 r.out.handle = &printer_handle;
2856
2857 torture_assert_ntstatus_ok(torture,
2858 dcerpc_spoolss_OpenPrinterEx_r(b, torture, &r),
2859 "dcerpc_spoolss_OpenPrinterEx failed");
2860 torture_assert_werr_ok(torture, r.out.result,
2861 "dcerpc_spoolss_OpenPrinterEx failed");
2862 }
2863
2864 {
2865 int i;
2866
2867 for (i=0; i<8; i++) {
2868 torture_assert(torture,
2869 getprinterinfo(torture, b, &printer_handle, i, NULL),
2870 talloc_asprintf(torture, "getprinterinfo %d failed", i));
2871 }
2872 }
2873
2874 {
2875 struct spoolss_ClosePrinter r;
2876
2877 r.in.handle = &printer_handle;
2878 r.out.handle = &printer_handle;
2879
2880 torture_assert_ntstatus_ok(torture,
2881 dcerpc_spoolss_ClosePrinter_r(b, torture, &r),
2882 "dcerpc_spoolss_ClosePrinter failed");
2883 torture_assert_werr_ok(torture, r.out.result,
2884 "dcerpc_spoolss_ClosePrinter failed");
2885 }
2886
2887 {
2888 int num_enumerated;
2889
2890 torture_assert(torture,
2891 enumprinters(torture, b, servername, 1, &num_enumerated),
2892 "enumprinters failed");
2893
2894 torture_assert_int_equal(torture, num_printers, num_enumerated,
2895 "netshareenum / enumprinters lvl 1 numprinter mismatch");
2896 }
2897
2898 {
2899 int num_enumerated;
2900
2901 torture_assert(torture,
2902 enumprinters(torture, b, servername, 2, &num_enumerated),
2903 "enumprinters failed");
2904
2905 torture_assert_int_equal(torture, num_printers, num_enumerated,
2906 "netshareenum / enumprinters lvl 2 numprinter mismatch");
2907 }
2908
2909 return true;
2910 }
2911
2912 static bool torture_samba3_rpc_wkssvc(struct torture_context *torture)
2913 {
2914 struct dcerpc_pipe *p;
2915 struct dcerpc_binding_handle *b;
2916 char *servername;
2917
2918 torture_assert(torture,
2919 rap_get_servername(torture, &servername),
2920 "failed to rap servername");
2921
2922 torture_assert_ntstatus_ok(torture,
2923 torture_rpc_connection(torture, &p, &ndr_table_wkssvc),
2924 "failed to setup wkssvc");
2925
2926 b = p->binding_handle;
2927
2928 {
2929 struct wkssvc_NetWkstaInfo100 wks100;
2930 union wkssvc_NetWkstaInfo info;
2931 struct wkssvc_NetWkstaGetInfo r;
2932
2933 r.in.server_name = "\\foo";
2934 r.in.level = 100;
2935 info.info100 = &wks100;
2936 r.out.info = &info;
2937
2938 torture_assert_ntstatus_ok(torture,
2939 dcerpc_wkssvc_NetWkstaGetInfo_r(b, torture, &r),
2940 "dcerpc_wkssvc_NetWksGetInfo failed");
2941 torture_assert_werr_ok(torture, r.out.result,
2942 "dcerpc_wkssvc_NetWksGetInfo failed");
2943
2944 torture_assert_str_equal(torture, servername, r.out.info->info100->server_name,
2945 "servername RAP / DCERPC inconsistency");
2946 }
2947
2948 return true;
2949 }
2950
2951 static bool winreg_close(struct torture_context *tctx,
2952 struct dcerpc_binding_handle *b,
2953 struct policy_handle *handle)
2954 {
2955 struct winreg_CloseKey c;
2956
2957 c.in.handle = c.out.handle = handle;
2958
2959 torture_assert_ntstatus_ok(tctx,
2960 dcerpc_winreg_CloseKey_r(b, tctx, &c),
2961 "winreg_CloseKey failed");
2962 torture_assert_werr_ok(tctx, c.out.result,
2963 "winreg_CloseKey failed");
2964
2965 return true;
2966 }
2967
2968 static bool enumvalues(struct torture_context *tctx,
2969 struct dcerpc_binding_handle *b,
2970 struct policy_handle *handle)
2971 {
2972 uint32_t enum_index = 0;
2973
2974 while (1) {
2975 struct winreg_EnumValue r;
2976 struct winreg_ValNameBuf name;
2977 enum winreg_Type type = 0;
2978 uint8_t buf8[1024];
2979 NTSTATUS status;
2980 uint32_t size, length;
2981
2982 r.in.handle = handle;
2983 r.in.enum_index = enum_index;
2984 name.name = "";
2985 name.size = 1024;
2986 r.in.name = r.out.name = &name;
2987 size = 1024;
2988 length = 5;
2989 r.in.type = &type;
2990 r.in.value = buf8;
2991 r.in.size = &size;
2992 r.in.length = &length;
2993
2994 status = dcerpc_winreg_EnumValue_r(b, tctx, &r);
2995 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2996 return true;
2997 }
2998 enum_index += 1;
2999 }
3000 }
3001
3002 static bool enumkeys(struct torture_context *tctx,
3003 struct dcerpc_binding_handle *b,
3004 struct policy_handle *handle,
3005 int depth)
3006 {
3007 struct winreg_EnumKey r;
3008 struct winreg_StringBuf kclass, name;
3009 NTSTATUS status;
3010 NTTIME t = 0;
3011
3012 if (depth <= 0) {
3013 return true;
3014 }
3015
3016 kclass.name = "";
3017 kclass.size = 1024;
3018
3019 r.in.handle = handle;
3020 r.in.enum_index = 0;
3021 r.in.name = &name;
3022 r.in.keyclass = &kclass;
3023 r.out.name = &name;
3024 r.in.last_changed_time = &t;
3025
3026 do {
3027 struct winreg_OpenKey o;
3028 struct policy_handle key_handle;
3029 int i;
3030
3031 name.name = NULL;
3032 name.size = 1024;
3033
3034 status = dcerpc_winreg_EnumKey_r(b, tctx, &r);
3035 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
3036 /* We're done enumerating */
3037 return true;
3038 }
3039
3040 for (i=0; i<10-depth; i++) {
3041 torture_comment(tctx, " ");
3042 }
3043 torture_comment(tctx, "%s\n", r.out.name->name);
3044
3045 o.in.parent_handle = handle;
3046 o.in.keyname.name = r.out.name->name;
3047 o.in.options = 0;
3048 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3049 o.out.handle = &key_handle;
3050
3051 status = dcerpc_winreg_OpenKey_r(b, tctx, &o);
3052 if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(o.out.result)) {
3053 enumkeys(tctx, b, &key_handle, depth-1);
3054 enumvalues(tctx, b, &key_handle);
3055 torture_assert(tctx, winreg_close(tctx, b, &key_handle), "");
3056 }
3057
3058 r.in.enum_index += 1;
3059 } while(true);
3060
3061 return true;
3062 }
3063
3064 typedef NTSTATUS (*winreg_open_fn)(struct dcerpc_binding_handle *, TALLOC_CTX *, void *);
3065
3066 static bool test_Open3(struct torture_context *tctx,
3067 struct dcerpc_binding_handle *b,
3068 const char *name, winreg_open_fn open_fn)
3069 {
3070 struct policy_handle handle;
3071 struct winreg_OpenHKLM r;
3072
3073 r.in.system_name = 0;
3074 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3075 r.out.handle = &handle;
3076
3077 torture_assert_ntstatus_ok(tctx,
3078 open_fn(b, tctx, &r),
3079 talloc_asprintf(tctx, "%s failed", name));
3080 torture_assert_werr_ok(tctx, r.out.result,
3081 talloc_asprintf(tctx, "%s failed", name));
3082
3083 enumkeys(tctx, b, &handle, 4);
3084
3085 torture_assert(tctx,
3086 winreg_close(tctx, b, &handle),
3087 "dcerpc_CloseKey failed");
3088
3089 return true;
3090 }
3091
3092 static bool torture_samba3_rpc_winreg(struct torture_context *torture)
3093 {
3094 struct dcerpc_pipe *p;
3095 struct dcerpc_binding_handle *b;
3096 bool ret = true;
3097 struct {
3098 const char *name;
3099 winreg_open_fn fn;
3100 } open_fns[] = {
3101 {"OpenHKLM", (winreg_open_fn)dcerpc_winreg_OpenHKLM_r },
3102 {"OpenHKU", (winreg_open_fn)dcerpc_winreg_OpenHKU_r },
3103 {"OpenHKPD", (winreg_open_fn)dcerpc_winreg_OpenHKPD_r },
3104 {"OpenHKPT", (winreg_open_fn)dcerpc_winreg_OpenHKPT_r },
3105 {"OpenHKCR", (winreg_open_fn)dcerpc_winreg_OpenHKCR_r }};
3106 #if 0
3107 int i;
3108 #endif
3109
3110 torture_assert_ntstatus_ok(torture,
3111 torture_rpc_connection(torture, &p, &ndr_table_winreg),
3112 "failed to setup winreg");
3113
3114 b = p->binding_handle;
3115
3116 #if 1
3117 ret = test_Open3(torture, b, open_fns[0].name, open_fns[0].fn);
3118 #else
3119 for (i = 0; i < ARRAY_SIZE(open_fns); i++) {
3120 if (!test_Open3(torture, b, open_fns[i].name, open_fns[i].fn))
3121 ret = false;
3122 }
3123 #endif
3124 return ret;
3125 }
3126
3127 static bool get_shareinfo(struct torture_context *tctx,
3128 struct dcerpc_binding_handle *b,
3129 const char *servername,
3130 const char *share,
3131 struct srvsvc_NetShareInfo502 **info502)
3132 {
3133 struct srvsvc_NetShareGetInfo r;
3134 union srvsvc_NetShareInfo info;
3135
3136 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", servername);
3137 r.in.share_name = share;
3138 r.in.level = 502;
3139 r.out.info = &info;
3140
3141 torture_assert_ntstatus_ok(tctx,
3142 dcerpc_srvsvc_NetShareGetInfo_r(b, tctx, &r),
3143 "srvsvc_NetShareGetInfo failed");
3144 torture_assert_werr_ok(tctx, r.out.result,
3145 "srvsvc_NetShareGetInfo failed");
3146
3147 *info502 = talloc_move(tctx, &info.info502);
3148
3149 return true;
3150 }
3151
3152 /*
3153 * Get us a handle on HKLM\
3154 */
3155
3156 static bool get_hklm_handle(struct torture_context *tctx,
3157 struct dcerpc_binding_handle *b,
3158 struct policy_handle *handle)
3159 {
3160 struct winreg_OpenHKLM r;
3161 struct policy_handle result;
3162
3163 r.in.system_name = 0;
3164 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3165 r.out.handle = &result;
3166
3167 torture_assert_ntstatus_ok(tctx,
3168 dcerpc_winreg_OpenHKLM_r(b, tctx, &r),
3169 "OpenHKLM failed");
3170 torture_assert_werr_ok(tctx, r.out.result,
3171 "OpenHKLM failed");
3172
3173 *handle = result;
3174
3175 return true;
3176 }
3177
3178 static bool torture_samba3_createshare(struct torture_context *tctx,
3179 struct dcerpc_binding_handle *b,
3180 const char *sharename)
3181 {
3182 struct policy_handle hklm;
3183 struct policy_handle new_handle;
3184 struct winreg_CreateKey c;
3185 struct winreg_CloseKey cl;
3186 enum winreg_CreateAction action_taken;
3187
3188 c.in.handle = &hklm;
3189 c.in.name.name = talloc_asprintf(
3190 tctx, "software\\samba\\smbconf\\%s", sharename);
3191 torture_assert(tctx, c.in.name.name, "talloc_asprintf failed");
3192
3193 c.in.keyclass.name = "";
3194 c.in.options = 0;
3195 c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3196 c.in.secdesc = NULL;
3197 c.in.action_taken = &action_taken;
3198 c.out.new_handle = &new_handle;
3199 c.out.action_taken = &action_taken;
3200
3201 torture_assert_ntstatus_ok(tctx,
3202 dcerpc_winreg_CreateKey_r(b, tctx, &c),
3203 "OpenKey failed");
3204 torture_assert_werr_ok(tctx, c.out.result,
3205 "OpenKey failed");
3206
3207 cl.in.handle = &new_handle;
3208 cl.out.handle = &new_handle;
3209
3210 torture_assert_ntstatus_ok(tctx,
3211 dcerpc_winreg_CloseKey_r(b, tctx, &cl),
3212 "CloseKey failed");
3213 torture_assert_werr_ok(tctx, cl.out.result,
3214 "CloseKey failed");
3215
3216 return true;
3217 }
3218
3219 static bool torture_samba3_deleteshare(struct torture_context *tctx,
3220 struct dcerpc_binding_handle *b,
3221 const char *sharename)
3222 {
3223 struct policy_handle hklm;
3224 struct winreg_DeleteKey d;
3225
3226 torture_assert(tctx,
3227 get_hklm_handle(tctx, b, &hklm),
3228 "get_hklm_handle failed");
3229
3230 d.in.handle = &hklm;
3231 d.in.key.name = talloc_asprintf(
3232 tctx, "software\\samba\\smbconf\\%s", sharename);
3233 torture_assert(tctx, d.in.key.name, "talloc_asprintf failed");
3234
3235 torture_assert_ntstatus_ok(tctx,
3236 dcerpc_winreg_DeleteKey_r(b, tctx, &d),
3237 "DeleteKey failed");
3238 torture_assert_werr_ok(tctx, d.out.result,
3239 "DeleteKey failed");
3240
3241 return true;
3242 }
3243
3244 static bool torture_samba3_setconfig(struct torture_context *tctx,
3245 struct dcerpc_binding_handle *b,
3246 const char *sharename,
3247 const char *parameter,
3248 const char *value)
3249 {
3250 struct policy_handle hklm, key_handle;
3251 struct winreg_OpenKey o;
3252 struct winreg_SetValue s;
3253 uint32_t type;
3254 DATA_BLOB val;
3255
3256 torture_assert(tctx,
3257 get_hklm_handle(tctx, b, &hklm),
3258 "get_hklm_handle failed");
3259
3260 o.in.parent_handle = &hklm;
3261 o.in.keyname.name = talloc_asprintf(
3262 tctx, "software\\samba\\smbconf\\%s", sharename);
3263 torture_assert(tctx, o.in.keyname.name, "talloc_asprintf failed");
3264
3265 o.in.options = 0;
3266 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3267 o.out.handle = &key_handle;
3268
3269 torture_assert_ntstatus_ok(tctx,
3270 dcerpc_winreg_OpenKey_r(b, tctx, &o),
3271 "OpenKey failed");
3272 torture_assert_werr_ok(tctx, o.out.result,
3273 "OpenKey failed");
3274
3275 torture_assert(tctx,
3276 reg_string_to_val(tctx, "REG_SZ", value, &type, &val),
3277 "reg_string_to_val failed");
3278
3279 s.in.handle = &key_handle;
3280 s.in.name.name = parameter;
3281 s.in.type = type;
3282 s.in.data = val.data;
3283 s.in.size = val.length;
3284
3285 torture_assert_ntstatus_ok(tctx,
3286 dcerpc_winreg_SetValue_r(b, tctx, &s),
3287 "SetValue failed");
3288 torture_assert_werr_ok(tctx, s.out.result,
3289 "SetValue failed");
3290
3291 return true;
3292 }
3293
3294 static bool torture_samba3_regconfig(struct torture_context *torture)
3295 {
3296 struct srvsvc_NetShareInfo502 *i = NULL;
3297 const char *comment = "Dummer Kommentar";
3298 struct dcerpc_pipe *srvsvc_pipe, *winreg_pipe;
3299
3300 torture_assert_ntstatus_ok(torture,
3301 torture_rpc_connection(torture, &srvsvc_pipe, &ndr_table_srvsvc),
3302 "failed to setup srvsvc");
3303
3304 torture_assert_ntstatus_ok(torture,
3305 torture_rpc_connection(torture, &winreg_pipe, &ndr_table_winreg),
3306 "failed to setup winreg");
3307
3308 torture_assert(torture,
3309 torture_samba3_createshare(torture, winreg_pipe->binding_handle, "blubber"),
3310 "torture_samba3_createshare failed");
3311
3312 torture_assert(torture,
3313 torture_samba3_setconfig(torture, winreg_pipe->binding_handle, "blubber", "comment", comment),
3314 "torture_samba3_setconfig failed");
3315
3316 torture_assert(torture,
3317 get_shareinfo(torture, srvsvc_pipe->binding_handle, dcerpc_server_name(srvsvc_pipe), "blubber", &i),
3318 "get_shareinfo failed");
3319
3320 torture_assert_str_equal(torture, comment, i->comment,
3321 "got unexpected comment");
3322
3323 torture_assert(torture,
3324 torture_samba3_deleteshare(torture, winreg_pipe->binding_handle, "blubber"),
3325 "torture_samba3_deleteshare failed");
3326
3327 return true;
3328 }
3329
3330 /*
3331 * Test that even with a result of 0 rids the array is returned as a
3332 * non-NULL pointer. Yes, XP does notice.
3333 */
3334
3335 bool torture_samba3_getaliasmembership_0(struct torture_context *torture)
3336 {
3337 struct dcerpc_pipe *p;
3338 struct dcerpc_binding_handle *b;
3339 struct samr_Connect2 c;
3340 struct samr_OpenDomain o;
3341 struct dom_sid sid;
3342 struct lsa_SidPtr ptr;
3343 struct lsa_SidArray sids;
3344 struct samr_GetAliasMembership g;
3345 struct samr_Ids rids;
3346 struct policy_handle samr, domain;
3347
3348 torture_assert_ntstatus_ok(torture,
3349 torture_rpc_connection(torture, &p, &ndr_table_samr),
3350 "failed to setup samr");
3351
3352 b = p->binding_handle;
3353
3354 c.in.system_name = NULL;
3355 c.in.access_mask = SAMR_ACCESS_LOOKUP_DOMAIN;
3356 c.out.connect_handle = &samr;
3357 torture_assert_ntstatus_ok(torture,
3358 dcerpc_samr_Connect2_r(b, torture, &c),
3359 "");
3360 torture_assert_ntstatus_ok(torture, c.out.result,
3361 "");
3362 dom_sid_parse("S-1-5-32", &sid);
3363 o.in.connect_handle = &samr;
3364 o.in.access_mask = SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS;
3365 o.in.sid = &sid;
3366 o.out.domain_handle = &domain;
3367 torture_assert_ntstatus_ok(torture,
3368 dcerpc_samr_OpenDomain_r(b, torture, &o),
3369 "");
3370 torture_assert_ntstatus_ok(torture, o.out.result,
3371 "");
3372 dom_sid_parse("S-1-2-3-4-5", &sid);
3373 ptr.sid = &sid;
3374 sids.num_sids = 1;
3375 sids.sids = &ptr;
3376 g.in.domain_handle = &domain;
3377 g.in.sids = &sids;
3378 g.out.rids = &rids;
3379 torture_assert_ntstatus_ok(torture,
3380 dcerpc_samr_GetAliasMembership_r(b, torture, &g),
3381 "");
3382 torture_assert_ntstatus_ok(torture, g.out.result,
3383 "");
3384 if (rids.ids == NULL) {
3385 /* This is the piece to test here */
3386 torture_fail(torture,
3387 "torture_samba3_getaliasmembership_0: "
3388 "Server returns NULL rids array\n");
3389 }
3390
3391 return true;
3392 }
3393
3394 /**
3395 * Test smb reauthentication while rpc pipe is in use.
3396 */
3397 static bool torture_rpc_smb_reauth1(struct torture_context *torture)
3398 {
3399 TALLOC_CTX *mem_ctx;
3400 NTSTATUS status;
3401 bool ret = false;
3402 struct smbcli_state *cli;
3403 struct smbcli_options options;
3404 struct smbcli_session_options session_options;
3405
3406 struct dcerpc_pipe *lsa_pipe;
3407 struct dcerpc_binding_handle *lsa_handle;
3408 struct lsa_GetUserName r;
3409 struct lsa_String *authority_name_p = NULL;
3410 char *authority_name_saved = NULL;
3411 struct lsa_String *account_name_p = NULL;
3412 char *account_name_saved = NULL;
3413 struct cli_credentials *anon_creds = NULL;
3414 struct smb_composite_sesssetup io;
3415
3416 mem_ctx = talloc_init("torture_samba3_reauth");
3417 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
3418
3419 lpcfg_smbcli_options(torture->lp_ctx, &options);
3420 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
3421
3422 status = smbcli_full_connection(mem_ctx, &cli,
3423 torture_setting_string(torture, "host", NULL),
3424 lpcfg_smb_ports(torture->lp_ctx),
3425 "IPC$", NULL,
3426 lpcfg_socket_options(torture->lp_ctx),
3427 cmdline_credentials,
3428 lpcfg_resolve_context(torture->lp_ctx),
3429 torture->ev, &options, &session_options,
3430 lpcfg_gensec_settings(torture, torture->lp_ctx));
3431 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3432 "smbcli_full_connection failed");
3433
3434 lsa_pipe = dcerpc_pipe_init(mem_ctx, torture->ev);
3435 torture_assert_goto(torture, (lsa_pipe != NULL), ret, done,
3436 "dcerpc_pipe_init failed");
3437 lsa_handle = lsa_pipe->binding_handle;
3438
3439 status = dcerpc_pipe_open_smb(lsa_pipe, cli->tree, "\\lsarpc");
3440 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3441 "dcerpc_pipe_open failed");
3442
3443 status = dcerpc_bind_auth_none(lsa_pipe, &ndr_table_lsarpc);
3444 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3445 "dcerpc_bind_auth_none failed");
3446
3447 /* lsa getusername */
3448
3449 ZERO_STRUCT(r);
3450 r.in.system_name = "\\";
3451 r.in.account_name = &account_name_p;
3452 r.in.authority_name = &authority_name_p;
3453 r.out.account_name = &account_name_p;
3454
3455 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3456
3457 authority_name_p = *r.out.authority_name;
3458
3459 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3460 "GetUserName failed");
3461 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3462 "GetUserName failed");
3463
3464 torture_comment(torture, "lsa_GetUserName gave '%s\\%s'\n",
3465 authority_name_p->string,
3466 account_name_p->string);
3467
3468 account_name_saved = talloc_strdup(mem_ctx, account_name_p->string);
3469 torture_assert_goto(torture, (account_name_saved != NULL), ret, done,
3470 "talloc failed");
3471 authority_name_saved = talloc_strdup(mem_ctx, authority_name_p->string);
3472 torture_assert_goto(torture, (authority_name_saved != NULL), ret, done,
3473 "talloc failed");
3474
3475 /* smb re-authenticate as anonymous */
3476
3477 anon_creds = cli_credentials_init_anon(mem_ctx);
3478
3479 ZERO_STRUCT(io);
3480 io.in.sesskey = cli->transport->negotiate.sesskey;
3481 io.in.capabilities = cli->transport->negotiate.capabilities;
3482 io.in.credentials = anon_creds;
3483 io.in.workgroup = lpcfg_workgroup(torture->lp_ctx);
3484 io.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
3485
3486 status = smb_composite_sesssetup(cli->session, &io);
3487 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3488 "session reauth to anon failed");
3489
3490 /* re-do lsa getusername after reauth */
3491
3492 TALLOC_FREE(authority_name_p);
3493 TALLOC_FREE(account_name_p);
3494 ZERO_STRUCT(r);
3495 r.in.system_name = "\\";
3496 r.in.account_name = &account_name_p;
3497 r.in.authority_name = &authority_name_p;
3498 r.out.account_name = &account_name_p;
3499
3500 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3501
3502 authority_name_p = *r.out.authority_name;
3503
3504 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3505 "GetUserName failed");
3506 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3507 "GetUserName failed");
3508
3509 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3510 ret, done, "authority_name not equal after reauth to anon");
3511 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3512 ret, done, "account_name not equal after reauth to anon");
3513
3514 /* smb re-auth again to the original user */
3515
3516 ZERO_STRUCT(io);
3517 io.in.sesskey = cli->transport->negotiate.sesskey;
3518 io.in.capabilities = cli->transport->negotiate.capabilities;
3519 io.in.credentials = cmdline_credentials;
3520 io.in.workgroup = lpcfg_workgroup(torture->lp_ctx);
3521 io.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
3522
3523 status = smb_composite_sesssetup(cli->session, &io);
3524 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3525 "session reauth to anon failed");
3526
3527 /* re-do lsa getusername */
3528
3529 TALLOC_FREE(authority_name_p);
3530 TALLOC_FREE(account_name_p);
3531 ZERO_STRUCT(r);
3532 r.in.system_name = "\\";
3533 r.in.account_name = &account_name_p;
3534 r.in.authority_name = &authority_name_p;
3535 r.out.account_name = &account_name_p;
3536
3537 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3538
3539 authority_name_p = *r.out.authority_name;
3540
3541 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3542 "GetUserName failed");
3543 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3544 "GetUserName failed");
3545
3546 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3547 ret, done, "authority_name not equal after reauth to anon");
3548 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3549 ret, done, "account_name not equal after reauth to anon");
3550
3551 ret = true;
3552
3553 done:
3554 talloc_free(mem_ctx);
3555 return ret;
3556 }
3557
3558 /**
3559 * Test smb reauthentication while rpc pipe is in use.
3560 * Open a second lsa bind after reauth to anon.
3561 * Do lsa getusername on that second bind.
3562 */
3563 static bool torture_rpc_smb_reauth2(struct torture_context *torture)
3564 {
3565 TALLOC_CTX *mem_ctx;
3566 NTSTATUS status;
3567 bool ret = false;
3568 struct smbcli_state *cli;
3569 struct smbcli_options options;
3570 struct smbcli_session_options session_options;
3571
3572 struct dcerpc_pipe *lsa_pipe;
3573 struct dcerpc_binding_handle *lsa_handle;
3574 struct lsa_GetUserName r;
3575 struct lsa_String *authority_name_p = NULL;
3576 char *authority_name_saved = NULL;
3577 struct lsa_String *account_name_p = NULL;
3578 char *account_name_saved = NULL;
3579 struct cli_credentials *anon_creds = NULL;
3580 struct smb_composite_sesssetup io;
3581
3582 mem_ctx = talloc_init("torture_samba3_reauth");
3583 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
3584
3585 lpcfg_smbcli_options(torture->lp_ctx, &options);
3586 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
3587
3588 status = smbcli_full_connection(mem_ctx, &cli,
3589 torture_setting_string(torture, "host", NULL),
3590 lpcfg_smb_ports(torture->lp_ctx),
3591 "IPC$", NULL,
3592 lpcfg_socket_options(torture->lp_ctx),
3593 cmdline_credentials,
3594 lpcfg_resolve_context(torture->lp_ctx),
3595 torture->ev, &options, &session_options,
3596 lpcfg_gensec_settings(torture, torture->lp_ctx));
3597 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3598 "smbcli_full_connection failed");
3599
3600 /* smb re-authenticate as anonymous */
3601
3602 anon_creds = cli_credentials_init_anon(mem_ctx);
3603
3604 ZERO_STRUCT(io);
3605 io.in.sesskey = cli->transport->negotiate.sesskey;
3606 io.in.capabilities = cli->transport->negotiate.capabilities;
3607 io.in.credentials = anon_creds;
3608 io.in.workgroup = lpcfg_workgroup(torture->lp_ctx);
3609 io.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
3610
3611 status = smb_composite_sesssetup(cli->session, &io);
3612 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3613 "session reauth to anon failed");
3614
3615 /* open the lsa pipe */
3616
3617 lsa_pipe = dcerpc_pipe_init(mem_ctx, torture->ev);
3618 torture_assert_goto(torture, (lsa_pipe != NULL), ret, done,
3619 "dcerpc_pipe_init failed");
3620 lsa_handle = lsa_pipe->binding_handle;
3621
3622 status = dcerpc_pipe_open_smb(lsa_pipe, cli->tree, "\\lsarpc");
3623 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3624 "dcerpc_pipe_open failed");
3625
3626 status = dcerpc_bind_auth_none(lsa_pipe, &ndr_table_lsarpc);
3627 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3628 "dcerpc_bind_auth_none failed");
3629
3630 /* lsa getusername */
3631
3632 ZERO_STRUCT(r);
3633 r.in.system_name = "\\";
3634 r.in.account_name = &account_name_p;
3635 r.in.authority_name = &authority_name_p;
3636 r.out.account_name = &account_name_p;
3637
3638 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3639
3640 authority_name_p = *r.out.authority_name;
3641
3642 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3643 "GetUserName failed");
3644 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3645 "GetUserName failed");
3646
3647 torture_comment(torture, "lsa_GetUserName gave '%s\\%s'\n",
3648 authority_name_p->string,
3649 account_name_p->string);
3650
3651 account_name_saved = talloc_strdup(mem_ctx, account_name_p->string);
3652 torture_assert_goto(torture, (account_name_saved != NULL), ret, done,
3653 "talloc failed");
3654 authority_name_saved = talloc_strdup(mem_ctx, authority_name_p->string);
3655 torture_assert_goto(torture, (authority_name_saved != NULL), ret, done,
3656 "talloc failed");
3657
3658 /* smb re-auth again to the original user */
3659
3660 ZERO_STRUCT(io);
3661 io.in.sesskey = cli->transport->negotiate.sesskey;
3662 io.in.capabilities = cli->transport->negotiate.capabilities;
3663 io.in.credentials = cmdline_credentials;
3664 io.in.workgroup = lpcfg_workgroup(torture->lp_ctx);
3665 io.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
3666
3667 status = smb_composite_sesssetup(cli->session, &io);
3668 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3669 "session reauth to anon failed");
3670
3671 /* re-do lsa getusername after reauth */
3672
3673 TALLOC_FREE(authority_name_p);
3674 TALLOC_FREE(account_name_p);
3675 ZERO_STRUCT(r);
3676 r.in.system_name = "\\";
3677 r.in.account_name = &account_name_p;
3678 r.in.authority_name = &authority_name_p;
3679 r.out.account_name = &account_name_p;
3680
3681 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3682
3683 authority_name_p = *r.out.authority_name;
3684
3685 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3686 "GetUserName failed");
3687 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3688 "GetUserName failed");
3689
3690 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3691 ret, done, "authority_name not equal after reauth to anon");
3692 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3693 ret, done, "account_name not equal after reauth to anon");
3694
3695 ret = true;
3696
3697 done:
3698 talloc_free(mem_ctx);
3699 return ret;
3700 }
3701
3702 /**
3703 * Test smb2 reauthentication while rpc pipe is in use.
3704 */
3705 static bool torture_rpc_smb2_reauth1(struct torture_context *torture)
3706 {
3707 TALLOC_CTX *mem_ctx;
3708 NTSTATUS status;
3709 bool ret = false;
3710 struct smbcli_options options;
3711
3712 struct dcerpc_pipe *lsa_pipe;
3713 struct dcerpc_binding_handle *lsa_handle;
3714 struct lsa_GetUserName r;
3715 struct lsa_String *authority_name_p = NULL;
3716 char *authority_name_saved = NULL;
3717 struct lsa_String *account_name_p = NULL;
3718 char *account_name_saved = NULL;
3719 struct cli_credentials *anon_creds = NULL;
3720 const char *host = torture_setting_string(torture, "host", NULL);
3721 struct smb2_tree *tree;
3722
3723 mem_ctx = talloc_init("torture_samba3_reauth");
3724 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
3725
3726 lpcfg_smbcli_options(torture->lp_ctx, &options);
3727
3728 status = smb2_connect(mem_ctx,
3729 host,
3730 lpcfg_smb_ports(torture->lp_ctx),
3731 "IPC$",
3732 lpcfg_resolve_context(torture->lp_ctx),
3733 cmdline_credentials,
3734 &tree,
3735 torture->ev,
3736 &options,
3737 lpcfg_socket_options(torture->lp_ctx),
3738 lpcfg_gensec_settings(torture, torture->lp_ctx)
3739 );
3740 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3741 "smb2_connect failed");
3742
3743 lsa_pipe = dcerpc_pipe_init(mem_ctx, torture->ev);
3744 torture_assert_goto(torture, (lsa_pipe != NULL), ret, done,
3745 "dcerpc_pipe_init failed");
3746 lsa_handle = lsa_pipe->binding_handle;
3747
3748 status = dcerpc_pipe_open_smb2(lsa_pipe, tree, "lsarpc");
3749 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3750 "dcerpc_pipe_open_smb2 failed");
3751
3752 status = dcerpc_bind_auth_none(lsa_pipe, &ndr_table_lsarpc);
3753 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3754 "dcerpc_bind_auth_none failed");
3755
3756 /* lsa getusername */
3757
3758 ZERO_STRUCT(r);
3759 r.in.system_name = "\\";
3760 r.in.account_name = &account_name_p;
3761 r.in.authority_name = &authority_name_p;
3762 r.out.account_name = &account_name_p;
3763
3764 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3765
3766 authority_name_p = *r.out.authority_name;
3767
3768 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3769 "GetUserName failed");
3770 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3771 "GetUserName failed");
3772
3773 torture_comment(torture, "lsa_GetUserName gave '%s\\%s'\n",
3774 authority_name_p->string,
3775 account_name_p->string);
3776
3777 account_name_saved = talloc_strdup(mem_ctx, account_name_p->string);
3778 torture_assert_goto(torture, (account_name_saved != NULL), ret, done,
3779 "talloc failed");
3780 authority_name_saved = talloc_strdup(mem_ctx, authority_name_p->string);
3781 torture_assert_goto(torture, (authority_name_saved != NULL), ret, done,
3782 "talloc failed");
3783
3784 /* smb re-authenticate as anonymous */
3785
3786 anon_creds = cli_credentials_init_anon(mem_ctx);
3787
3788 status = smb2_session_setup_spnego(tree->session,
3789 anon_creds,
3790 0 /* previous_session_id */);
3791 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3792 "session reauth to anon failed");
3793
3794 /* re-do lsa getusername after reauth */
3795
3796 TALLOC_FREE(authority_name_p);
3797 TALLOC_FREE(account_name_p);
3798 ZERO_STRUCT(r);
3799 r.in.system_name = "\\";
3800 r.in.account_name = &account_name_p;
3801 r.in.authority_name = &authority_name_p;
3802 r.out.account_name = &account_name_p;
3803
3804 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3805
3806 authority_name_p = *r.out.authority_name;
3807
3808 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3809 "GetUserName failed");
3810 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3811 "GetUserName failed");
3812
3813 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3814 ret, done, "authority_name not equal after reauth to anon");
3815 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3816 ret, done, "account_name not equal after reauth to anon");
3817
3818 /* smb re-auth again to the original user */
3819
3820 status = smb2_session_setup_spnego(tree->session,
3821 cmdline_credentials,
3822 0 /* previous_session_id */);
3823 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3824 "session reauth to anon failed");
3825
3826 /* re-do lsa getusername */
3827
3828 TALLOC_FREE(authority_name_p);
3829 TALLOC_FREE(account_name_p);
3830 ZERO_STRUCT(r);
3831 r.in.system_name = "\\";
3832 r.in.account_name = &account_name_p;
3833 r.in.authority_name = &authority_name_p;
3834 r.out.account_name = &account_name_p;
3835
3836 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3837
3838 authority_name_p = *r.out.authority_name;
3839
3840 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3841 "GetUserName failed");
3842 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3843 "GetUserName failed");
3844
3845 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3846 ret, done, "authority_name not equal after reauth to anon");
3847 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3848 ret, done, "account_name not equal after reauth to anon");
3849
3850 ret = true;
3851
3852 done:
3853 talloc_free(mem_ctx);
3854 return ret;
3855 }
3856
3857 /**
3858 * Test smb2 reauthentication while rpc pipe is in use.
3859 * Open a second lsa bind after reauth to anon.
3860 * Do lsa getusername on that second bind.
3861 */
3862 static bool torture_rpc_smb2_reauth2(struct torture_context *torture)
3863 {
3864 TALLOC_CTX *mem_ctx;
3865 NTSTATUS status;
3866 bool ret = false;
3867 struct smbcli_options options;
3868
3869 struct dcerpc_pipe *lsa_pipe;
3870 struct dcerpc_binding_handle *lsa_handle;
3871 struct lsa_GetUserName r;
3872 struct lsa_String *authority_name_p = NULL;
3873 char *authority_name_saved = NULL;
3874 struct lsa_String *account_name_p = NULL;
3875 char *account_name_saved = NULL;
3876 struct cli_credentials *anon_creds = NULL;
3877 const char *host = torture_setting_string(torture, "host", NULL);
3878 struct smb2_tree *tree;
3879
3880 mem_ctx = talloc_init("torture_samba3_reauth");
3881 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
3882
3883 lpcfg_smbcli_options(torture->lp_ctx, &options);
3884
3885 status = smb2_connect(mem_ctx,
3886 host,
3887 lpcfg_smb_ports(torture->lp_ctx),
3888 "IPC$",
3889 lpcfg_resolve_context(torture->lp_ctx),
3890 cmdline_credentials,
3891 &tree,
3892 torture->ev,
3893 &options,
3894 lpcfg_socket_options(torture->lp_ctx),
3895 lpcfg_gensec_settings(torture, torture->lp_ctx)
3896 );
3897 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3898 "smb2_connect failed");
3899
3900 /* smb re-authenticate as anonymous */
3901
3902 anon_creds = cli_credentials_init_anon(mem_ctx);
3903
3904 status = smb2_session_setup_spnego(tree->session,
3905 anon_creds,
3906 0 /* previous_session_id */);
3907 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3908 "session reauth to anon failed");
3909
3910 /* open the lsa pipe */
3911
3912 lsa_pipe = dcerpc_pipe_init(mem_ctx, torture->ev);
3913 torture_assert_goto(torture, (lsa_pipe != NULL), ret, done,
3914 "dcerpc_pipe_init failed");
3915 lsa_handle = lsa_pipe->binding_handle;
3916
3917 status = dcerpc_pipe_open_smb2(lsa_pipe, tree, "lsarpc");
3918 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3919 "dcerpc_pipe_open_smb2 failed");
3920
3921 status = dcerpc_bind_auth_none(lsa_pipe, &ndr_table_lsarpc);
3922 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3923 "dcerpc_bind_auth_none failed");
3924
3925 /* lsa getusername */
3926
3927 ZERO_STRUCT(r);
3928 r.in.system_name = "\\";
3929 r.in.account_name = &account_name_p;
3930 r.in.authority_name = &authority_name_p;
3931 r.out.account_name = &account_name_p;
3932
3933 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3934
3935 authority_name_p = *r.out.authority_name;
3936
3937 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3938 "GetUserName failed");
3939 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3940 "GetUserName failed");
3941
3942 torture_comment(torture, "lsa_GetUserName gave '%s\\%s'\n",
3943 authority_name_p->string,
3944 account_name_p->string);
3945
3946 account_name_saved = talloc_strdup(mem_ctx, account_name_p->string);
3947 torture_assert_goto(torture, (account_name_saved != NULL), ret, done,
3948 "talloc failed");
3949 authority_name_saved = talloc_strdup(mem_ctx, authority_name_p->string);
3950 torture_assert_goto(torture, (authority_name_saved != NULL), ret, done,
3951 "talloc failed");
3952
3953 /* smb re-auth again to the original user */
3954
3955 status = smb2_session_setup_spnego(tree->session,
3956 cmdline_credentials,
3957 0 /* previous_session_id */);
3958 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3959 "session reauth to anon failed");
3960
3961 /* re-do lsa getusername */
3962
3963 TALLOC_FREE(authority_name_p);
3964 TALLOC_FREE(account_name_p);
3965 ZERO_STRUCT(r);
3966 r.in.system_name = "\\";
3967 r.in.account_name = &account_name_p;
3968 r.in.authority_name = &authority_name_p;
3969 r.out.account_name = &account_name_p;
3970
3971 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3972
3973 authority_name_p = *r.out.authority_name;
3974
3975 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3976 "GetUserName failed");
3977 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3978 "GetUserName failed");
3979
3980 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3981 ret, done, "authority_name not equal after reauth to anon");
3982 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3983 ret, done, "account_name not equal after reauth to anon");
3984
3985 ret = true;
3986
3987 done:
3988 talloc_free(mem_ctx);
3989 return ret;
3990 }
3991
3992 static bool torture_rpc_smb1_pipe_name(struct torture_context *torture)
3993 {
3994 TALLOC_CTX *mem_ctx;
3995 NTSTATUS status;
3996 bool ret = false;
3997 struct smbcli_state *cli;
3998 struct smbcli_options options;
3999 struct smbcli_session_options session_options;
4000 union smb_open io;
4001 union smb_close cl;
4002 uint16_t fnum;
4003
4004 mem_ctx = talloc_init("torture_samba3_smb1_pipe_name");
4005 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4006
4007 lpcfg_smbcli_options(torture->lp_ctx, &options);
4008 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
4009
4010 status = smbcli_full_connection(mem_ctx, &cli,
4011 torture_setting_string(torture, "host", NULL),
4012 lpcfg_smb_ports(torture->lp_ctx),
4013 "IPC$", NULL,
4014 lpcfg_socket_options(torture->lp_ctx),
4015 cmdline_credentials,
4016 lpcfg_resolve_context(torture->lp_ctx),
4017 torture->ev, &options, &session_options,
4018 lpcfg_gensec_settings(torture, torture->lp_ctx));
4019 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4020 "smbcli_full_connection failed");
4021
4022 ZERO_STRUCT(io);
4023 io.generic.level = RAW_OPEN_NTCREATEX;
4024 io.ntcreatex.in.access_mask = DESIRED_ACCESS_PIPE;
4025 io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ|
4026 NTCREATEX_SHARE_ACCESS_WRITE;
4027 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
4028 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_IMPERSONATION;
4029 io.ntcreatex.in.security_flags = 0;
4030
4031 io.ntcreatex.in.fname = "__none__";
4032 status = smb_raw_open(cli->tree, torture, &io);
4033 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4034 ret, done,
4035 "smb_raw_open for '__none__'");
4036
4037 io.ntcreatex.in.fname = "pipe\\srvsvc";
4038 status = smb_raw_open(cli->tree, torture, &io);
4039 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4040 ret, done,
4041 "smb_raw_open for 'pipe\\srvsvc'");
4042
4043 io.ntcreatex.in.fname = "\\pipe\\srvsvc";
4044 status = smb_raw_open(cli->tree, torture, &io);
4045 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4046 ret, done,
4047 "smb_raw_open for '\\pipe\\srvsvc'");
4048
4049 io.ntcreatex.in.fname = "srvsvc";
4050 status = smb_raw_open(cli->tree, torture, &io);
4051 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4052 "smb2_create failed for 'srvsvc'");
4053 fnum = io.ntcreatex.out.file.fnum;
4054 ZERO_STRUCT(cl);
4055 cl.generic.level = RAW_CLOSE_CLOSE;
4056 cl.close.in.file.fnum = fnum;
4057 status = smb_raw_close(cli->tree, &cl);
4058 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4059 "smb_raw_close failed");
4060
4061 io.ntcreatex.in.fname = "\\srvsvc";
4062 status = smb_raw_open(cli->tree, torture, &io);
4063 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4064 "smb2_create failed for '\\srvsvc'");
4065 fnum = io.ntcreatex.out.file.fnum;
4066 ZERO_STRUCT(cl);
4067 cl.generic.level = RAW_CLOSE_CLOSE;
4068 cl.close.in.file.fnum = fnum;
4069 status = smb_raw_close(cli->tree, &cl);
4070 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4071 "smb_raw_close failed");
4072
4073 io.ntcreatex.in.fname = "\\\\\\\\\\srvsvc";
4074 status = smb_raw_open(cli->tree, torture, &io);
4075 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4076 "smb2_create failed for '\\\\\\\\\\srvsvc'");
4077 fnum = io.ntcreatex.out.file.fnum;
4078 ZERO_STRUCT(cl);
4079 cl.generic.level = RAW_CLOSE_CLOSE;
4080 cl.close.in.file.fnum = fnum;
4081 status = smb_raw_close(cli->tree, &cl);
4082 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4083 "smb_raw_close failed");
4084
4085 ZERO_STRUCT(io);
4086 io.generic.level = RAW_OPEN_NTTRANS_CREATE;
4087 io.nttrans.in.access_mask = DESIRED_ACCESS_PIPE;
4088 io.nttrans.in.share_access = NTCREATEX_SHARE_ACCESS_READ|
4089 NTCREATEX_SHARE_ACCESS_WRITE;
4090 io.nttrans.in.open_disposition = NTCREATEX_DISP_OPEN;
4091 io.nttrans.in.impersonation = NTCREATEX_IMPERSONATION_IMPERSONATION;
4092 io.nttrans.in.security_flags = 0;
4093
4094 io.nttrans.in.fname = "__none__";
4095 status = smb_raw_open(cli->tree, torture, &io);
4096 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4097 ret, done,
4098 "smb_raw_open for '__none__'");
4099
4100 io.nttrans.in.fname = "pipe\\srvsvc";
4101 status = smb_raw_open(cli->tree, torture, &io);
4102 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4103 ret, done,
4104 "smb_raw_open for 'pipe\\srvsvc'");
4105
4106 io.nttrans.in.fname = "\\pipe\\srvsvc";
4107 status = smb_raw_open(cli->tree, torture, &io);
4108 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4109 ret, done,
4110 "smb_raw_open for '\\pipe\\srvsvc'");
4111
4112 io.nttrans.in.fname = "srvsvc";
4113 status = smb_raw_open(cli->tree, torture, &io);
4114 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4115 "smb2_create failed for 'srvsvc'");
4116 fnum = io.nttrans.out.file.fnum;
4117 ZERO_STRUCT(cl);
4118 cl.generic.level = RAW_CLOSE_CLOSE;
4119 cl.close.in.file.fnum = fnum;
4120 status = smb_raw_close(cli->tree, &cl);
4121 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4122 "smb_raw_close failed");
4123
4124 io.nttrans.in.fname = "\\srvsvc";
4125 status = smb_raw_open(cli->tree, torture, &io);
4126 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4127 "smb2_create failed for '\\srvsvc'");
4128 fnum = io.nttrans.out.file.fnum;
4129 ZERO_STRUCT(cl);
4130 cl.generic.level = RAW_CLOSE_CLOSE;
4131 cl.close.in.file.fnum = fnum;
4132 status = smb_raw_close(cli->tree, &cl);
4133 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4134 "smb_raw_close failed");
4135
4136 io.nttrans.in.fname = "\\\\\\\\\\srvsvc";
4137 status = smb_raw_open(cli->tree, torture, &io);
4138 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4139 "smb2_create failed for '\\\\\\\\\\srvsvc'");
4140 fnum = io.nttrans.out.file.fnum;
4141 ZERO_STRUCT(cl);
4142 cl.generic.level = RAW_CLOSE_CLOSE;
4143 cl.close.in.file.fnum = fnum;
4144 status = smb_raw_close(cli->tree, &cl);
4145 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4146 "smb_raw_close failed");
4147
4148 ZERO_STRUCT(io);
4149 io.generic.level = RAW_OPEN_OPENX;
4150 io.openx.in.open_mode = OPENX_MODE_ACCESS_RDWR;
4151 io.openx.in.open_func = OPENX_OPEN_FUNC_OPEN;
4152
4153 io.openx.in.fname = "__none__";
4154 status = smb_raw_open(cli->tree, torture, &io);
4155 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_PATH_SYNTAX_BAD,
4156 ret, done,
4157 "smb_raw_open for '__none__'");
4158
4159 io.openx.in.fname = "srvsvc";
4160 status = smb_raw_open(cli->tree, torture, &io);
4161 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_PATH_SYNTAX_BAD,
4162 ret, done,
4163 "smb_raw_open for 'srvsvc'");
4164
4165 io.openx.in.fname = "\\srvsvc";
4166 status = smb_raw_open(cli->tree, torture, &io);
4167 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_PATH_SYNTAX_BAD,
4168 ret, done,
4169 "smb_raw_open for '\\srvsvc'");
4170
4171 io.openx.in.fname = "\\pipesrvsvc";
4172 status = smb_raw_open(cli->tree, torture, &io);
4173 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_PATH_SYNTAX_BAD,
4174 ret, done,
4175 "smb_raw_open for '\\pipesrvsvc'");
4176
4177 io.openx.in.fname = "pipe\\__none__";
4178 status = smb_raw_open(cli->tree, torture, &io);
4179 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4180 ret, done,
4181 "smb_raw_open for 'pipe\\__none__'");
4182
4183 io.openx.in.fname = "\\pipe\\__none__";
4184 status = smb_raw_open(cli->tree, torture, &io);
4185 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4186 ret, done,
4187 "smb_raw_open for '\\pipe\\__none__'");
4188
4189 io.openx.in.fname = "pipe\\srvsvc";
4190 status = smb_raw_open(cli->tree, torture, &io);
4191 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4192 "smb2_create failed for 'pipe\\srvsvc'");
4193 fnum = io.openx.out.file.fnum;
4194 ZERO_STRUCT(cl);
4195 cl.generic.level = RAW_CLOSE_CLOSE;
4196 cl.close.in.file.fnum = fnum;
4197 status = smb_raw_close(cli->tree, &cl);
4198 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4199 "smb_raw_close failed");
4200
4201 io.openx.in.fname = "\\pipe\\srvsvc";
4202 status = smb_raw_open(cli->tree, torture, &io);
4203 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4204 "smb2_create failed for '\\pipe\\srvsvc'");
4205 fnum = io.openx.out.file.fnum;
4206 ZERO_STRUCT(cl);
4207 cl.generic.level = RAW_CLOSE_CLOSE;
4208 cl.close.in.file.fnum = fnum;
4209 status = smb_raw_close(cli->tree, &cl);
4210 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4211 "smb_raw_close failed");
4212
4213 io.openx.in.fname = "\\\\\\\\\\pipe\\srvsvc";
4214 status = smb_raw_open(cli->tree, torture, &io);
4215 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4216 "smb2_create failed for '\\\\\\\\\\pipe\\srvsvc'");
4217 fnum = io.openx.out.file.fnum;
4218 ZERO_STRUCT(cl);
4219 cl.generic.level = RAW_CLOSE_CLOSE;
4220 cl.close.in.file.fnum = fnum;
4221 status = smb_raw_close(cli->tree, &cl);
4222 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4223 "smb_raw_close failed");
4224
4225 io.openx.in.fname = "\\\\\\\\\\pipe\\\\\\\\\\srvsvc";
4226 status = smb_raw_open(cli->tree, torture, &io);
4227 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4228 "smb2_create failed for '\\\\\\\\\\pipe\\\\\\\\\\srvsvc'");
4229 fnum = io.openx.out.file.fnum;
4230 ZERO_STRUCT(cl);
4231 cl.generic.level = RAW_CLOSE_CLOSE;
4232 cl.close.in.file.fnum = fnum;
4233 status = smb_raw_close(cli->tree, &cl);
4234 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4235 "smb_raw_close failed");
4236 ret = true;
4237
4238 done:
4239 talloc_free(mem_ctx);
4240 return ret;
4241 }
4242
4243 static bool torture_rpc_smb2_pipe_name(struct torture_context *torture)
4244 {
4245 TALLOC_CTX *mem_ctx;
4246 NTSTATUS status;
4247 bool ret = false;
4248 struct smbcli_options options;
4249 const char *host = torture_setting_string(torture, "host", NULL);
4250 struct smb2_tree *tree;
4251 struct smb2_handle h;
4252 struct smb2_create io;
4253
4254 mem_ctx = talloc_init("torture_samba3_smb2_pipe_name");
4255 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4256
4257 lpcfg_smbcli_options(torture->lp_ctx, &options);
4258
4259 status = smb2_connect(mem_ctx,
4260 host,
4261 lpcfg_smb_ports(torture->lp_ctx),
4262 "IPC$",
4263 lpcfg_resolve_context(torture->lp_ctx),
4264 cmdline_credentials,
4265 &tree,
4266 torture->ev,
4267 &options,
4268 lpcfg_socket_options(torture->lp_ctx),
4269 lpcfg_gensec_settings(torture, torture->lp_ctx)
4270 );
4271 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4272 "smb2_connect failed");
4273
4274 ZERO_STRUCT(io);
4275 io.in.oplock_level = 0;
4276 io.in.desired_access = DESIRED_ACCESS_PIPE;
4277 io.in.impersonation_level = SMB2_IMPERSONATION_IMPERSONATION;
4278 io.in.file_attributes = 0;
4279 io.in.create_disposition = NTCREATEX_DISP_OPEN;
4280 io.in.share_access =
4281 NTCREATEX_SHARE_ACCESS_READ|
4282 NTCREATEX_SHARE_ACCESS_WRITE;
4283 io.in.create_options = 0;
4284
4285 io.in.fname = "__none__";
4286 status = smb2_create(tree, tree, &io);
4287 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4288 ret, done,
4289 "smb2_create for '__none__'");
4290
4291 io.in.fname = "\\srvsvc";
4292 status = smb2_create(tree, tree, &io);
4293 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4294 ret, done,
4295 "smb2_create for '\\srvsvc'");
4296
4297 io.in.fname = "\\pipe\\srvsvc";
4298 status = smb2_create(tree, tree, &io);
4299 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4300 ret, done,
4301 "smb2_create for '\\pipe\\srvsvc'");
4302
4303 io.in.fname = "pipe\\srvsvc";
4304 status = smb2_create(tree, tree, &io);
4305 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4306 ret, done,
4307 "smb2_create for 'pipe\\srvsvc'");
4308
4309 io.in.fname = "srvsvc";
4310 status = smb2_create(tree, tree, &io);
4311 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4312 "smb2_create failed for 'srvsvc'");
4313
4314 h = io.out.file.handle;
4315
4316 status = smb2_util_close(tree, h);
4317 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4318 "smb2_util_close failed");
4319
4320 ret = true;
4321 done:
4322 talloc_free(mem_ctx);
4323 return ret;
4324 }
4325
4326 /**
4327 * Test behaviour of a waiting read call on a pipe when
4328 * the pipe handle is closed:
4329 * - open a pipe via smb2
4330 * - trigger a read which hangs since there is nothing to read
4331 * - close the pipe file handle
4332 * - wait for the read to return and check the status
4333 * (STATUS_PIPE_BROKEN)
4334 */
4335 static bool torture_rpc_smb2_pipe_read_close(struct torture_context *torture)
4336 {
4337 TALLOC_CTX *mem_ctx;
4338 NTSTATUS status;
4339 bool ret = false;
4340 struct smbcli_options options;
4341 const char *host = torture_setting_string(torture, "host", NULL);
4342 struct smb2_tree *tree;
4343 struct smb2_handle h;
4344 struct smb2_request *smb2req;
4345 struct smb2_create io;
4346 struct smb2_read rd;
4347
4348 mem_ctx = talloc_init("torture_samba3_pipe_read_close");
4349 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4350
4351 lpcfg_smbcli_options(torture->lp_ctx, &options);
4352
4353 status = smb2_connect(mem_ctx,
4354 host,
4355 lpcfg_smb_ports(torture->lp_ctx),
4356 "IPC$",
4357 lpcfg_resolve_context(torture->lp_ctx),
4358 cmdline_credentials,
4359 &tree,
4360 torture->ev,
4361 &options,
4362 lpcfg_socket_options(torture->lp_ctx),
4363 lpcfg_gensec_settings(torture, torture->lp_ctx)
4364 );
4365 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4366 "smb2_connect failed");
4367
4368 ZERO_STRUCT(io);
4369 io.in.oplock_level = 0;
4370 io.in.desired_access = DESIRED_ACCESS_PIPE;
4371 io.in.impersonation_level = SMB2_IMPERSONATION_IMPERSONATION;
4372 io.in.file_attributes = 0;
4373 io.in.create_disposition = NTCREATEX_DISP_OPEN;
4374 io.in.share_access =
4375 NTCREATEX_SHARE_ACCESS_READ|
4376 NTCREATEX_SHARE_ACCESS_WRITE;
4377 io.in.create_options = 0;
4378 io.in.fname = "lsarpc";
4379
4380 status = smb2_create(tree, tree, &io);
4381 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4382 "smb2_create failed for 'lsarpc'");
4383
4384 h = io.out.file.handle;
4385
4386 ZERO_STRUCT(rd);
4387 rd.in.file.handle = h;
4388 rd.in.length = 1024;
4389 rd.in.offset = 0;
4390 rd.in.min_count = 0;
4391
4392 smb2req = smb2_read_send(tree, &rd);
4393 torture_assert_goto(torture, (smb2req != NULL), ret, done,
4394 "smb2_read_send failed");
4395
4396 status = smb2_util_close(tree, h);
4397 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4398 "smb2_util_close failed");
4399
4400 status = smb2_read_recv(smb2req, mem_ctx, &rd);
4401 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_PIPE_BROKEN, ret, done,
4402 "smb2_read_recv: unexpected return code");
4403
4404 ret = true;
4405 done:
4406 talloc_free(mem_ctx);
4407 return ret;
4408 }
4409
4410 /**
4411 * Test behaviour of a waiting read call on a pipe when
4412 * the tree is disconnected.
4413 * - open a pipe via smb2
4414 * - trigger a read which hangs since there is nothing to read
4415 * - do a tree disconnect
4416 * - wait for the read to return and check the status
4417 * (STATUS_PIPE_BROKEN)
4418 */
4419 static bool torture_rpc_smb2_pipe_read_tdis(struct torture_context *torture)
4420 {
4421 TALLOC_CTX *mem_ctx;
4422 NTSTATUS status;
4423 bool ret = false;
4424 struct smbcli_options options;
4425 const char *host = torture_setting_string(torture, "host", NULL);
4426 struct smb2_tree *tree;
4427 struct smb2_handle h;
4428 struct smb2_request *smb2req;
4429 struct smb2_create io;
4430 struct smb2_read rd;
4431
4432 mem_ctx = talloc_init("torture_samba3_pipe_read_tdis");
4433 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4434
4435 lpcfg_smbcli_options(torture->lp_ctx, &options);
4436
4437 status = smb2_connect(mem_ctx,
4438 host,
4439 lpcfg_smb_ports(torture->lp_ctx),
4440 "IPC$",
4441 lpcfg_resolve_context(torture->lp_ctx),
4442 cmdline_credentials,
4443 &tree,
4444 torture->ev,
4445 &options,
4446 lpcfg_socket_options(torture->lp_ctx),
4447 lpcfg_gensec_settings(torture, torture->lp_ctx)
4448 );
4449 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4450 "smb2_connect failed");
4451
4452 ZERO_STRUCT(io);
4453 io.in.oplock_level = 0;
4454 io.in.desired_access = DESIRED_ACCESS_PIPE;
4455 io.in.impersonation_level = SMB2_IMPERSONATION_IMPERSONATION;
4456 io.in.file_attributes = 0;
4457 io.in.create_disposition = NTCREATEX_DISP_OPEN;
4458 io.in.share_access =
4459 NTCREATEX_SHARE_ACCESS_READ|
4460 NTCREATEX_SHARE_ACCESS_WRITE;
4461 io.in.create_options = 0;
4462 io.in.fname = "lsarpc";
4463
4464 status = smb2_create(tree, tree, &io);
4465 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4466 "smb2_create failed for 'lsarpc'");
4467
4468 h = io.out.file.handle;
4469
4470 ZERO_STRUCT(rd);
4471 rd.in.file.handle = h;
4472 rd.in.length = 1024;
4473 rd.in.offset = 0;
4474 rd.in.min_count = 0;
4475
4476 smb2req = smb2_read_send(tree, &rd);
4477 torture_assert_goto(torture, (smb2req != NULL), ret, done,
4478 "smb2_read_send failed");
4479
4480 status = smb2_tdis(tree);
4481 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4482 "smb2_tdis failed");
4483
4484 status = smb2_read_recv(smb2req, mem_ctx, &rd);
4485 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_PIPE_BROKEN, ret, done,
4486 "smb2_read_recv: unexpected return code");
4487
4488 ret = true;
4489 done:
4490 talloc_free(mem_ctx);
4491 return ret;
4492 }
4493
4494 /**
4495 * Test behaviour of a waiting read call on a pipe when
4496 * the user logs off
4497 * - open a pipe via smb2
4498 * - trigger a read which hangs since there is nothing to read
4499 * - do a logoff
4500 * - wait for the read to return and check the status
4501 * (STATUS_PIPE_BROKEN)
4502 */
4503 static bool torture_rpc_smb2_pipe_read_logoff(struct torture_context *torture)
4504 {
4505 TALLOC_CTX *mem_ctx;
4506 NTSTATUS status;
4507 bool ret = false;
4508 struct smbcli_options options;
4509 const char *host = torture_setting_string(torture, "host", NULL);
4510 struct smb2_tree *tree;
4511 struct smb2_handle h;
4512 struct smb2_request *smb2req;
4513 struct smb2_create io;
4514 struct smb2_read rd;
4515
4516 mem_ctx = talloc_init("torture_samba3_pipe_read_tdis");
4517 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4518
4519 lpcfg_smbcli_options(torture->lp_ctx, &options);
4520
4521 status = smb2_connect(mem_ctx,
4522 host,
4523 lpcfg_smb_ports(torture->lp_ctx),
4524 "IPC$",
4525 lpcfg_resolve_context(torture->lp_ctx),
4526 cmdline_credentials,
4527 &tree,
4528 torture->ev,
4529 &options,
4530 lpcfg_socket_options(torture->lp_ctx),
4531 lpcfg_gensec_settings(torture, torture->lp_ctx)
4532 );
4533 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4534 "smb2_connect failed");
4535
4536 ZERO_STRUCT(io);
4537 io.in.oplock_level = 0;
4538 io.in.desired_access = DESIRED_ACCESS_PIPE;
4539 io.in.impersonation_level = SMB2_IMPERSONATION_IMPERSONATION;
4540 io.in.file_attributes = 0;
4541 io.in.create_disposition = NTCREATEX_DISP_OPEN;
4542 io.in.share_access =
4543 NTCREATEX_SHARE_ACCESS_READ|
4544 NTCREATEX_SHARE_ACCESS_WRITE;
4545 io.in.create_options = 0;
4546 io.in.fname = "lsarpc";
4547
4548 status = smb2_create(tree, tree, &io);
4549 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4550 "smb2_create failed for 'lsarpc'");
4551
4552 h = io.out.file.handle;
4553
4554 ZERO_STRUCT(rd);
4555 rd.in.file.handle = h;
4556 rd.in.length = 1024;
4557 rd.in.offset = 0;
4558 rd.in.min_count = 0;
4559
4560 smb2req = smb2_read_send(tree, &rd);
4561 torture_assert_goto(torture, (smb2req != NULL), ret, done,
4562 "smb2_read_send failed");
4563
4564 status = smb2_logoff(tree->session);
4565 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4566 "smb2_logoff failed");
4567
4568 status = smb2_read_recv(smb2req, mem_ctx, &rd);
4569 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_PIPE_BROKEN, ret, done,
4570 "smb2_read_recv: unexpected return code");
4571
4572 ret = true;
4573 done:
4574 talloc_free(mem_ctx);
4575 return ret;
4576 }
4577
4578
4579 struct torture_suite *torture_rpc_samba3(TALLOC_CTX *mem_ctx)
4580 {
4581 struct torture_suite *suite = torture_suite_create(mem_ctx, "samba3");
4582
4583 torture_suite_add_simple_test(suite, "bind", torture_bind_samba3);
4584 torture_suite_add_simple_test(suite, "netlogon", torture_netlogon_samba3);
4585 torture_suite_add_simple_test(suite, "sessionkey", torture_samba3_sessionkey);
4586 torture_suite_add_simple_test(suite, "srvsvc", torture_samba3_rpc_srvsvc);
4587 torture_suite_add_simple_test(suite, "sharesec", torture_samba3_rpc_sharesec);
4588 torture_suite_add_simple_test(suite, "getusername", torture_samba3_rpc_getusername);
4589 torture_suite_add_simple_test(suite, "randomauth2", torture_samba3_rpc_randomauth2);
4590 torture_suite_add_simple_test(suite, "lsa", torture_samba3_rpc_lsa);
4591 torture_suite_add_simple_test(suite, "spoolss", torture_samba3_rpc_spoolss);
4592 torture_suite_add_simple_test(suite, "wkssvc", torture_samba3_rpc_wkssvc);
4593 torture_suite_add_simple_test(suite, "winreg", torture_samba3_rpc_winreg);
4594 torture_suite_add_simple_test(suite, "getaliasmembership-0", torture_samba3_getaliasmembership_0);
4595 torture_suite_add_simple_test(suite, "regconfig", torture_samba3_regconfig);
4596 torture_suite_add_simple_test(suite, "smb-reauth1", torture_rpc_smb_reauth1);
4597 torture_suite_add_simple_test(suite, "smb-reauth2", torture_rpc_smb_reauth2);
4598 torture_suite_add_simple_test(suite, "smb2-reauth1", torture_rpc_smb2_reauth1);
4599 torture_suite_add_simple_test(suite, "smb2-reauth2", torture_rpc_smb2_reauth2);
4600 torture_suite_add_simple_test(suite, "smb1-pipe-name", torture_rpc_smb1_pipe_name);
4601 torture_suite_add_simple_test(suite, "smb2-pipe-name", torture_rpc_smb2_pipe_name);
4602 torture_suite_add_simple_test(suite, "smb2-pipe-read-close", torture_rpc_smb2_pipe_read_close);
4603 torture_suite_add_simple_test(suite, "smb2-pipe-read-tdis", torture_rpc_smb2_pipe_read_tdis);
4604 torture_suite_add_simple_test(suite, "smb2-pipe-read-logoff", torture_rpc_smb2_pipe_read_logoff);
4605
4606 suite->description = talloc_strdup(suite, "samba3 DCERPC interface tests");
4607
4608 return suite;
4609 }
Samba GIT mirror