2 Unix SMB/CIFS implementation.
4 test suite for schannel operations
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "librpc/gen_ndr/ndr_netlogon_c.h"
24 #include "librpc/gen_ndr/ndr_lsa_c.h"
25 #include "librpc/gen_ndr/ndr_samr_c.h"
26 #include "auth/credentials/credentials.h"
27 #include "torture/rpc/torture_rpc.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "auth/gensec/schannel.h"
30 #include "../libcli/auth/schannel.h"
31 #include "libcli/auth/libcli_auth.h"
32 #include "libcli/security/security.h"
33 #include "system/filesys.h"
34 #include "param/param.h"
35 #include "librpc/rpc/dcerpc_proto.h"
36 #include "auth/gensec/gensec.h"
37 #include "libcli/composite/composite.h"
38 #include "lib/events/events.h"
40 #define TEST_MACHINE_NAME "schannel"
43 try a netlogon SamLogon
45 bool test_netlogon_ex_ops(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
46 struct cli_credentials
*credentials
,
47 struct netlogon_creds_CredentialState
*creds
)
50 struct netr_LogonSamLogonEx r
;
51 struct netr_NetworkInfo ninfo
;
52 union netr_LogonLevel logon
;
53 union netr_Validation validation
;
54 uint8_t authoritative
= 0;
56 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
58 int flags
= CLI_CRED_NTLM_AUTH
;
59 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
61 if (lpcfg_client_lanman_auth(tctx
->lp_ctx
)) {
62 flags
|= CLI_CRED_LANMAN_AUTH
;
65 if (lpcfg_client_ntlmv2_auth(tctx
->lp_ctx
)) {
66 flags
|= CLI_CRED_NTLMv2_AUTH
;
69 cli_credentials_get_ntlm_username_domain(cmdline_credentials
, tctx
,
70 &ninfo
.identity_info
.account_name
.string
,
71 &ninfo
.identity_info
.domain_name
.string
);
73 generate_random_buffer(ninfo
.challenge
,
74 sizeof(ninfo
.challenge
));
75 chal
= data_blob_const(ninfo
.challenge
,
76 sizeof(ninfo
.challenge
));
78 names_blob
= NTLMv2_generate_names_blob(tctx
, cli_credentials_get_workstation(credentials
),
79 cli_credentials_get_domain(credentials
));
81 status
= cli_credentials_get_ntlm_response(cmdline_credentials
, tctx
,
87 torture_assert_ntstatus_ok(tctx
, status
,
88 "cli_credentials_get_ntlm_response failed");
90 ninfo
.lm
.data
= lm_resp
.data
;
91 ninfo
.lm
.length
= lm_resp
.length
;
93 ninfo
.nt
.data
= nt_resp
.data
;
94 ninfo
.nt
.length
= nt_resp
.length
;
96 ninfo
.identity_info
.parameter_control
= 0;
97 ninfo
.identity_info
.logon_id_low
= 0;
98 ninfo
.identity_info
.logon_id_high
= 0;
99 ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(credentials
);
101 logon
.network
= &ninfo
;
103 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
104 r
.in
.computer_name
= cli_credentials_get_workstation(credentials
);
105 r
.in
.logon_level
= 2;
107 r
.in
.flags
= &_flags
;
108 r
.out
.validation
= &validation
;
109 r
.out
.authoritative
= &authoritative
;
110 r
.out
.flags
= &_flags
;
112 torture_comment(tctx
,
113 "Testing LogonSamLogonEx with name %s\n",
114 ninfo
.identity_info
.account_name
.string
);
117 r
.in
.validation_level
= i
;
119 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonSamLogonEx_r(b
, tctx
, &r
),
120 "LogonSamLogon failed");
121 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonSamLogon failed");
128 do some samr ops using the schannel connection
130 static bool test_samr_ops(struct torture_context
*tctx
,
131 struct dcerpc_binding_handle
*b
)
133 struct samr_GetDomPwInfo r
;
134 struct samr_PwInfo info
;
135 struct samr_Connect connect_r
;
136 struct samr_OpenDomain opendom
;
138 struct lsa_String name
;
139 struct policy_handle handle
;
140 struct policy_handle domain_handle
;
142 name
.string
= lpcfg_workgroup(tctx
->lp_ctx
);
143 r
.in
.domain_name
= &name
;
146 connect_r
.in
.system_name
= 0;
147 connect_r
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
148 connect_r
.out
.connect_handle
= &handle
;
150 torture_comment(tctx
, "Testing Connect and OpenDomain on BUILTIN\n");
152 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_Connect_r(b
, tctx
, &connect_r
),
154 if (!NT_STATUS_IS_OK(connect_r
.out
.result
)) {
155 if (NT_STATUS_EQUAL(connect_r
.out
.result
, NT_STATUS_ACCESS_DENIED
)) {
156 torture_comment(tctx
, "Connect failed (expected, schannel mapped to anonymous): %s\n",
157 nt_errstr(connect_r
.out
.result
));
159 torture_comment(tctx
, "Connect failed - %s\n", nt_errstr(connect_r
.out
.result
));
163 opendom
.in
.connect_handle
= &handle
;
164 opendom
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
165 opendom
.in
.sid
= dom_sid_parse_talloc(tctx
, "S-1-5-32");
166 opendom
.out
.domain_handle
= &domain_handle
;
168 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_OpenDomain_r(b
, tctx
, &opendom
),
169 "OpenDomain failed");
170 if (!NT_STATUS_IS_OK(opendom
.out
.result
)) {
171 torture_comment(tctx
, "OpenDomain failed - %s\n", nt_errstr(opendom
.out
.result
));
176 torture_comment(tctx
, "Testing GetDomPwInfo with name %s\n", r
.in
.domain_name
->string
);
178 /* do several ops to test credential chaining */
180 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_GetDomPwInfo_r(b
, tctx
, &r
),
181 "GetDomPwInfo failed");
182 if (!NT_STATUS_IS_OK(r
.out
.result
)) {
183 if (!NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_ACCESS_DENIED
)) {
184 torture_comment(tctx
, "GetDomPwInfo op %d failed - %s\n", i
, nt_errstr(r
.out
.result
));
195 do some lsa ops using the schannel connection
197 static bool test_lsa_ops(struct torture_context
*tctx
, struct dcerpc_pipe
*p
)
199 struct lsa_GetUserName r
;
201 struct lsa_String
*account_name_p
= NULL
;
202 struct lsa_String
*authority_name_p
= NULL
;
203 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
205 torture_comment(tctx
, "\nTesting GetUserName\n");
207 r
.in
.system_name
= "\\";
208 r
.in
.account_name
= &account_name_p
;
209 r
.in
.authority_name
= &authority_name_p
;
210 r
.out
.account_name
= &account_name_p
;
212 /* do several ops to test credential chaining and various operations */
213 torture_assert_ntstatus_ok(tctx
, dcerpc_lsa_GetUserName_r(b
, tctx
, &r
),
214 "lsa_GetUserName failed");
216 authority_name_p
= *r
.out
.authority_name
;
218 if (!NT_STATUS_IS_OK(r
.out
.result
)) {
219 torture_comment(tctx
, "GetUserName failed - %s\n", nt_errstr(r
.out
.result
));
222 if (!r
.out
.account_name
) {
226 if (strcmp(account_name_p
->string
, "ANONYMOUS LOGON") != 0) {
227 torture_comment(tctx
, "GetUserName returned wrong user: %s, expected %s\n",
228 account_name_p
->string
, "ANONYMOUS LOGON");
230 if (!torture_setting_bool(tctx
, "samba3", false)) {
234 if (!authority_name_p
|| !authority_name_p
->string
) {
238 if (strcmp(authority_name_p
->string
, "NT AUTHORITY") != 0) {
239 torture_comment(tctx
, "GetUserName returned wrong user: %s, expected %s\n",
240 authority_name_p
->string
, "NT AUTHORITY");
242 if (!torture_setting_bool(tctx
, "samba3", false)) {
247 if (!test_many_LookupSids(p
, tctx
, NULL
)) {
248 torture_comment(tctx
, "LsaLookupSids3 failed!\n");
257 test a schannel connection with the given flags
259 static bool test_schannel(struct torture_context
*tctx
,
260 uint16_t acct_flags
, uint32_t dcerpc_flags
,
263 struct test_join
*join_ctx
;
265 const char *binding
= torture_setting_string(tctx
, "binding", NULL
);
266 struct dcerpc_binding
*b
;
267 struct dcerpc_pipe
*p
= NULL
;
268 struct dcerpc_pipe
*p_netlogon
= NULL
;
269 struct dcerpc_pipe
*p_netlogon2
= NULL
;
270 struct dcerpc_pipe
*p_netlogon3
= NULL
;
271 struct dcerpc_pipe
*p_samr2
= NULL
;
272 struct dcerpc_pipe
*p_lsa
= NULL
;
273 struct netlogon_creds_CredentialState
*creds
;
274 struct cli_credentials
*credentials
;
276 join_ctx
= torture_join_domain(tctx
,
277 talloc_asprintf(tctx
, "%s%d", TEST_MACHINE_NAME
, i
),
278 acct_flags
, &credentials
);
279 torture_assert(tctx
, join_ctx
!= NULL
, "Failed to join domain");
281 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
282 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
284 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
285 b
->flags
|= dcerpc_flags
;
287 status
= dcerpc_pipe_connect_b(tctx
, &p
, b
, &ndr_table_samr
,
288 credentials
, tctx
->ev
, tctx
->lp_ctx
);
289 torture_assert_ntstatus_ok(tctx
, status
,
290 "Failed to connect with schannel");
292 torture_assert(tctx
, test_samr_ops(tctx
, p
->binding_handle
),
293 "Failed to process schannel secured SAMR ops");
295 /* Also test that when we connect to the netlogon pipe, that
296 * the credentials we setup on the first pipe are valid for
299 /* Swap the binding details from SAMR to NETLOGON */
300 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_netlogon
, tctx
->ev
, tctx
->lp_ctx
);
301 torture_assert_ntstatus_ok(tctx
, status
, "epm map");
303 status
= dcerpc_secondary_connection(p
, &p_netlogon
,
305 torture_assert_ntstatus_ok(tctx
, status
, "seconday connection");
307 status
= dcerpc_bind_auth(p_netlogon
, &ndr_table_netlogon
,
308 credentials
, lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
309 DCERPC_AUTH_TYPE_SCHANNEL
,
310 dcerpc_auth_level(p
->conn
),
313 torture_assert_ntstatus_ok(tctx
, status
, "bind auth");
315 status
= dcerpc_schannel_creds(p_netlogon
->conn
->security_state
.generic_state
, tctx
, &creds
);
316 torture_assert_ntstatus_ok(tctx
, status
, "schannel creds");
318 /* do a couple of logins */
319 torture_assert(tctx
, test_netlogon_ops(p_netlogon
, tctx
, credentials
, creds
),
320 "Failed to process schannel secured NETLOGON ops");
322 torture_assert(tctx
, test_netlogon_ex_ops(p_netlogon
, tctx
, credentials
, creds
),
323 "Failed to process schannel secured NETLOGON EX ops");
325 /* Swap the binding details from SAMR to LSARPC */
326 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_lsarpc
, tctx
->ev
, tctx
->lp_ctx
);
327 torture_assert_ntstatus_ok(tctx
, status
, "epm map");
329 status
= dcerpc_secondary_connection(p
, &p_lsa
,
332 torture_assert_ntstatus_ok(tctx
, status
, "seconday connection");
334 status
= dcerpc_bind_auth(p_lsa
, &ndr_table_lsarpc
,
335 credentials
, lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
336 DCERPC_AUTH_TYPE_SCHANNEL
,
337 dcerpc_auth_level(p
->conn
),
340 torture_assert_ntstatus_ok(tctx
, status
, "bind auth");
342 torture_assert(tctx
, test_lsa_ops(tctx
, p_lsa
),
343 "Failed to process schannel secured LSA ops");
345 /* Drop the socket, we want to start from scratch */
349 /* Now see what we are still allowed to do */
351 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
352 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
354 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
355 b
->flags
|= dcerpc_flags
;
357 status
= dcerpc_pipe_connect_b(tctx
, &p_samr2
, b
, &ndr_table_samr
,
358 credentials
, tctx
->ev
, tctx
->lp_ctx
);
359 torture_assert_ntstatus_ok(tctx
, status
,
360 "Failed to connect with schannel");
362 /* do a some SAMR operations. We have *not* done a new serverauthenticate */
363 torture_assert (tctx
, test_samr_ops(tctx
, p_samr2
->binding_handle
),
364 "Failed to process schannel secured SAMR ops (on fresh connection)");
366 /* Swap the binding details from SAMR to NETLOGON */
367 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_netlogon
, tctx
->ev
, tctx
->lp_ctx
);
368 torture_assert_ntstatus_ok(tctx
, status
, "epm");
370 status
= dcerpc_secondary_connection(p_samr2
, &p_netlogon2
,
372 torture_assert_ntstatus_ok(tctx
, status
, "seconday connection");
374 /* and now setup an SCHANNEL bind on netlogon */
375 status
= dcerpc_bind_auth(p_netlogon2
, &ndr_table_netlogon
,
376 credentials
, lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
377 DCERPC_AUTH_TYPE_SCHANNEL
,
378 dcerpc_auth_level(p_samr2
->conn
),
381 torture_assert_ntstatus_ok(tctx
, status
, "auth failed");
383 /* Try the schannel-only SamLogonEx operation */
384 torture_assert(tctx
, test_netlogon_ex_ops(p_netlogon2
, tctx
, credentials
, creds
),
385 "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
388 /* And the more traditional style, proving that the
389 * credentials chaining state is fully present */
390 torture_assert(tctx
, test_netlogon_ops(p_netlogon2
, tctx
, credentials
, creds
),
391 "Failed to process schannel secured NETLOGON ops (on fresh connection)");
393 /* Drop the socket, we want to start from scratch (again) */
394 talloc_free(p_samr2
);
396 /* We don't want schannel for this test */
397 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
399 status
= dcerpc_pipe_connect_b(tctx
, &p_netlogon3
, b
, &ndr_table_netlogon
,
400 credentials
, tctx
->ev
, tctx
->lp_ctx
);
401 torture_assert_ntstatus_ok(tctx
, status
, "Failed to connect without schannel");
403 torture_assert(tctx
, !test_netlogon_ex_ops(p_netlogon3
, tctx
, credentials
, creds
),
404 "Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
406 /* Required because the previous call will mark the current context as having failed */
407 tctx
->last_result
= TORTURE_OK
;
408 tctx
->last_reason
= NULL
;
410 torture_assert(tctx
, test_netlogon_ops(p_netlogon3
, tctx
, credentials
, creds
),
411 "Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
413 torture_leave_domain(tctx
, join_ctx
);
420 a schannel test suite
422 bool torture_rpc_schannel(struct torture_context
*torture
)
427 uint32_t dcerpc_flags
;
429 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
},
430 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
},
431 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_128
},
432 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_128
},
433 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
},
434 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
},
435 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_128
},
436 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_128
}
440 for (i
=0;i
<ARRAY_SIZE(tests
);i
++) {
441 if (!test_schannel(torture
,
442 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
,
444 torture_comment(torture
, "Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
445 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
);
454 test two schannel connections
456 bool torture_rpc_schannel2(struct torture_context
*torture
)
458 struct test_join
*join_ctx
;
460 const char *binding
= torture_setting_string(torture
, "binding", NULL
);
461 struct dcerpc_binding
*b
;
462 struct dcerpc_pipe
*p1
= NULL
, *p2
= NULL
;
463 struct cli_credentials
*credentials1
, *credentials2
;
464 uint32_t dcerpc_flags
= DCERPC_SCHANNEL
| DCERPC_SIGN
;
466 join_ctx
= torture_join_domain(torture
, talloc_asprintf(torture
, "%s2", TEST_MACHINE_NAME
),
467 ACB_WSTRUST
, &credentials1
);
468 torture_assert(torture
, join_ctx
!= NULL
,
469 "Failed to join domain with acct_flags=ACB_WSTRUST");
471 credentials2
= (struct cli_credentials
*)talloc_memdup(torture
, credentials1
, sizeof(*credentials1
));
472 credentials1
->netlogon_creds
= NULL
;
473 credentials2
->netlogon_creds
= NULL
;
475 status
= dcerpc_parse_binding(torture
, binding
, &b
);
476 torture_assert_ntstatus_ok(torture
, status
, "Bad binding string");
478 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
479 b
->flags
|= dcerpc_flags
;
481 torture_comment(torture
, "Opening first connection\n");
482 status
= dcerpc_pipe_connect_b(torture
, &p1
, b
, &ndr_table_netlogon
,
483 credentials1
, torture
->ev
, torture
->lp_ctx
);
484 torture_assert_ntstatus_ok(torture
, status
, "Failed to connect with schannel");
486 torture_comment(torture
, "Opening second connection\n");
487 status
= dcerpc_pipe_connect_b(torture
, &p2
, b
, &ndr_table_netlogon
,
488 credentials2
, torture
->ev
, torture
->lp_ctx
);
489 torture_assert_ntstatus_ok(torture
, status
, "Failed to connect with schannel");
491 credentials1
->netlogon_creds
= NULL
;
492 credentials2
->netlogon_creds
= NULL
;
494 torture_comment(torture
, "Testing logon on pipe1\n");
495 if (!test_netlogon_ex_ops(p1
, torture
, credentials1
, NULL
))
498 torture_comment(torture
, "Testing logon on pipe2\n");
499 if (!test_netlogon_ex_ops(p2
, torture
, credentials2
, NULL
))
502 torture_comment(torture
, "Again on pipe1\n");
503 if (!test_netlogon_ex_ops(p1
, torture
, credentials1
, NULL
))
506 torture_comment(torture
, "Again on pipe2\n");
507 if (!test_netlogon_ex_ops(p2
, torture
, credentials2
, NULL
))
510 torture_leave_domain(torture
, join_ctx
);
514 struct torture_schannel_bench
;
516 struct torture_schannel_bench_conn
{
517 struct torture_schannel_bench
*s
;
519 struct cli_credentials
*wks_creds
;
520 struct dcerpc_pipe
*pipe
;
521 struct netr_LogonSamLogonEx r
;
522 struct netr_NetworkInfo ninfo
;
528 struct torture_schannel_bench
{
529 struct torture_context
*tctx
;
534 struct torture_schannel_bench_conn
*conns
;
535 struct test_join
*join_ctx1
;
536 struct cli_credentials
*wks_creds1
;
537 struct test_join
*join_ctx2
;
538 struct cli_credentials
*wks_creds2
;
539 struct cli_credentials
*user1_creds
;
540 struct cli_credentials
*user2_creds
;
541 struct dcerpc_binding
*b
;
548 static void torture_schannel_bench_connected(struct composite_context
*c
)
550 struct torture_schannel_bench_conn
*conn
=
551 (struct torture_schannel_bench_conn
*)c
->async
.private_data
;
552 struct torture_schannel_bench
*s
= talloc_get_type(conn
->s
,
553 struct torture_schannel_bench
);
555 s
->error
= dcerpc_pipe_connect_b_recv(c
, s
->conns
, &conn
->pipe
);
556 torture_comment(s
->tctx
, "conn[%u]: %s\n", conn
->index
, nt_errstr(s
->error
));
557 if (NT_STATUS_IS_OK(s
->error
)) {
562 static void torture_schannel_bench_recv(struct tevent_req
*subreq
);
564 static bool torture_schannel_bench_start(struct torture_schannel_bench_conn
*conn
)
566 struct torture_schannel_bench
*s
= conn
->s
;
568 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
569 int flags
= CLI_CRED_NTLM_AUTH
;
570 struct tevent_req
*subreq
;
571 struct cli_credentials
*user_creds
;
573 if (conn
->total
% 2) {
574 user_creds
= s
->user1_creds
;
576 user_creds
= s
->user2_creds
;
579 if (lpcfg_client_lanman_auth(s
->tctx
->lp_ctx
)) {
580 flags
|= CLI_CRED_LANMAN_AUTH
;
583 if (lpcfg_client_ntlmv2_auth(s
->tctx
->lp_ctx
)) {
584 flags
|= CLI_CRED_NTLMv2_AUTH
;
587 talloc_free(conn
->tmp
);
588 conn
->tmp
= talloc_new(s
);
589 ZERO_STRUCT(conn
->ninfo
);
590 ZERO_STRUCT(conn
->r
);
592 cli_credentials_get_ntlm_username_domain(user_creds
, conn
->tmp
,
593 &conn
->ninfo
.identity_info
.account_name
.string
,
594 &conn
->ninfo
.identity_info
.domain_name
.string
);
596 generate_random_buffer(conn
->ninfo
.challenge
,
597 sizeof(conn
->ninfo
.challenge
));
598 chal
= data_blob_const(conn
->ninfo
.challenge
,
599 sizeof(conn
->ninfo
.challenge
));
601 names_blob
= NTLMv2_generate_names_blob(conn
->tmp
,
602 cli_credentials_get_workstation(conn
->wks_creds
),
603 cli_credentials_get_domain(conn
->wks_creds
));
605 status
= cli_credentials_get_ntlm_response(user_creds
, conn
->tmp
,
611 torture_assert_ntstatus_ok(s
->tctx
, status
,
612 "cli_credentials_get_ntlm_response failed");
614 conn
->ninfo
.lm
.data
= lm_resp
.data
;
615 conn
->ninfo
.lm
.length
= lm_resp
.length
;
617 conn
->ninfo
.nt
.data
= nt_resp
.data
;
618 conn
->ninfo
.nt
.length
= nt_resp
.length
;
620 conn
->ninfo
.identity_info
.parameter_control
= 0;
621 conn
->ninfo
.identity_info
.logon_id_low
= 0;
622 conn
->ninfo
.identity_info
.logon_id_high
= 0;
623 conn
->ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(conn
->wks_creds
);
625 conn
->r
.in
.server_name
= talloc_asprintf(conn
->tmp
, "\\\\%s", dcerpc_server_name(conn
->pipe
));
626 conn
->r
.in
.computer_name
= cli_credentials_get_workstation(conn
->wks_creds
);
627 conn
->r
.in
.logon_level
= 2;
628 conn
->r
.in
.logon
= talloc(conn
->tmp
, union netr_LogonLevel
);
629 conn
->r
.in
.logon
->network
= &conn
->ninfo
;
630 conn
->r
.in
.flags
= talloc(conn
->tmp
, uint32_t);
631 conn
->r
.in
.validation_level
= 2;
632 conn
->r
.out
.validation
= talloc(conn
->tmp
, union netr_Validation
);
633 conn
->r
.out
.authoritative
= talloc(conn
->tmp
, uint8_t);
634 conn
->r
.out
.flags
= conn
->r
.in
.flags
;
636 subreq
= dcerpc_netr_LogonSamLogonEx_r_send(s
, s
->tctx
->ev
,
637 conn
->pipe
->binding_handle
,
639 torture_assert(s
->tctx
, subreq
, "Failed to setup LogonSamLogonEx request");
641 tevent_req_set_callback(subreq
, torture_schannel_bench_recv
, conn
);
646 static void torture_schannel_bench_recv(struct tevent_req
*subreq
)
649 struct torture_schannel_bench_conn
*conn
=
650 (struct torture_schannel_bench_conn
*)tevent_req_callback_data_void(subreq
);
651 struct torture_schannel_bench
*s
= talloc_get_type(conn
->s
,
652 struct torture_schannel_bench
);
654 s
->error
= dcerpc_netr_LogonSamLogonEx_r_recv(subreq
, subreq
);
656 if (!NT_STATUS_IS_OK(s
->error
)) {
667 ret
= torture_schannel_bench_start(conn
);
669 s
->error
= NT_STATUS_INTERNAL_ERROR
;
674 test multiple schannel connection in parallel
676 bool torture_rpc_schannel_bench1(struct torture_context
*torture
)
680 const char *binding
= torture_setting_string(torture
, "binding", NULL
);
681 struct torture_schannel_bench
*s
;
682 struct timeval start
;
687 s
= talloc_zero(torture
, struct torture_schannel_bench
);
689 s
->progress
= torture_setting_bool(torture
, "progress", true);
690 s
->timelimit
= torture_setting_int(torture
, "timelimit", 10);
691 s
->nprocs
= torture_setting_int(torture
, "nprocs", 4);
692 s
->conns
= talloc_zero_array(s
, struct torture_schannel_bench_conn
, s
->nprocs
);
694 s
->user1_creds
= (struct cli_credentials
*)talloc_memdup(s
,
696 sizeof(*s
->user1_creds
));
697 tmp
= torture_setting_string(s
->tctx
, "extra_user1", NULL
);
699 cli_credentials_parse_string(s
->user1_creds
, tmp
, CRED_SPECIFIED
);
701 s
->user2_creds
= (struct cli_credentials
*)talloc_memdup(s
,
703 sizeof(*s
->user1_creds
));
704 tmp
= torture_setting_string(s
->tctx
, "extra_user2", NULL
);
706 cli_credentials_parse_string(s
->user1_creds
, tmp
, CRED_SPECIFIED
);
709 s
->join_ctx1
= torture_join_domain(s
->tctx
, talloc_asprintf(s
, "%sb", TEST_MACHINE_NAME
),
710 ACB_WSTRUST
, &s
->wks_creds1
);
711 torture_assert(torture
, s
->join_ctx1
!= NULL
,
712 "Failed to join domain with acct_flags=ACB_WSTRUST");
713 s
->join_ctx2
= torture_join_domain(s
->tctx
, talloc_asprintf(s
, "%sc", TEST_MACHINE_NAME
),
714 ACB_WSTRUST
, &s
->wks_creds2
);
715 torture_assert(torture
, s
->join_ctx2
!= NULL
,
716 "Failed to join domain with acct_flags=ACB_WSTRUST");
718 cli_credentials_set_kerberos_state(s
->wks_creds1
, CRED_DONT_USE_KERBEROS
);
719 cli_credentials_set_kerberos_state(s
->wks_creds2
, CRED_DONT_USE_KERBEROS
);
721 for (i
=0; i
< s
->nprocs
; i
++) {
723 s
->conns
[i
].index
= i
;
724 s
->conns
[i
].wks_creds
= (struct cli_credentials
*)talloc_memdup(
725 s
->conns
, s
->wks_creds1
,sizeof(*s
->wks_creds1
));
726 if ((i
% 2) && (torture_setting_bool(torture
, "multijoin", false))) {
727 memcpy(s
->conns
[i
].wks_creds
, s
->wks_creds2
,
728 talloc_get_size(s
->conns
[i
].wks_creds
));
730 s
->conns
[i
].wks_creds
->netlogon_creds
= NULL
;
733 status
= dcerpc_parse_binding(s
, binding
, &s
->b
);
734 torture_assert_ntstatus_ok(torture
, status
, "Bad binding string");
735 s
->b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
736 s
->b
->flags
|= DCERPC_SCHANNEL
| DCERPC_SIGN
;
738 torture_comment(torture
, "Opening %d connections in parallel\n", s
->nprocs
);
739 for (i
=0; i
< s
->nprocs
; i
++) {
741 s
->error
= dcerpc_pipe_connect_b(s
->conns
, &s
->conns
[i
].pipe
, s
->b
,
743 s
->conns
[i
].wks_creds
,
744 torture
->ev
, torture
->lp_ctx
);
745 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed to connect with schannel");
748 * This path doesn't work against windows,
749 * because of windows drops the connections
750 * which haven't reached a session setup yet
752 * The same as the reset on zero vc stuff.
754 struct composite_context
*c
;
755 c
= dcerpc_pipe_connect_b_send(s
->conns
, s
->b
,
757 s
->conns
[i
].wks_creds
,
760 torture_assert(torture
, c
!= NULL
, "Failed to setup connect");
761 c
->async
.fn
= torture_schannel_bench_connected
;
762 c
->async
.private_data
= &s
->conns
[i
];
765 while (NT_STATUS_IS_OK(s
->error
) && s
->nprocs
!= s
->nconns
) {
766 int ev_ret
= tevent_loop_once(torture
->ev
);
767 torture_assert(torture
, ev_ret
== 0, "tevent_loop_once failed");
770 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed establish a connect");
773 * Change the workstation password after establishing the netlogon
774 * schannel connections to prove that existing connections are not
775 * affected by a wks pwchange.
779 struct netr_ServerPasswordSet pwset
;
780 char *password
= generate_random_password(s
->join_ctx1
, 8, 255);
781 struct netlogon_creds_CredentialState
*creds_state
;
782 struct dcerpc_pipe
*net_pipe
;
783 struct netr_Authenticator credential
, return_authenticator
;
784 struct samr_Password new_password
;
786 status
= dcerpc_pipe_connect_b(s
, &net_pipe
, s
->b
,
789 torture
->ev
, torture
->lp_ctx
);
791 torture_assert_ntstatus_ok(torture
, status
,
792 "dcerpc_pipe_connect_b failed");
794 pwset
.in
.server_name
= talloc_asprintf(
795 net_pipe
, "\\\\%s", dcerpc_server_name(net_pipe
));
796 pwset
.in
.computer_name
=
797 cli_credentials_get_workstation(s
->wks_creds1
);
798 pwset
.in
.account_name
= talloc_asprintf(
799 net_pipe
, "%s$", pwset
.in
.computer_name
);
800 pwset
.in
.secure_channel_type
= SEC_CHAN_WKSTA
;
801 pwset
.in
.credential
= &credential
;
802 pwset
.in
.new_password
= &new_password
;
803 pwset
.out
.return_authenticator
= &return_authenticator
;
805 E_md4hash(password
, new_password
.hash
);
807 creds_state
= cli_credentials_get_netlogon_creds(
809 netlogon_creds_des_encrypt(creds_state
, &new_password
);
810 netlogon_creds_client_authenticator(creds_state
, &credential
);
812 torture_assert_ntstatus_ok(torture
, dcerpc_netr_ServerPasswordSet_r(net_pipe
->binding_handle
, torture
, &pwset
),
813 "ServerPasswordSet failed");
814 torture_assert_ntstatus_ok(torture
, pwset
.out
.result
,
815 "ServerPasswordSet failed");
817 if (!netlogon_creds_client_check(creds_state
,
818 &pwset
.out
.return_authenticator
->cred
)) {
819 torture_comment(torture
, "Credential chaining failed\n");
822 cli_credentials_set_password(s
->wks_creds1
, password
,
825 talloc_free(net_pipe
);
827 /* Just as a test, connect with the new creds */
829 talloc_free(s
->wks_creds1
->netlogon_creds
);
830 s
->wks_creds1
->netlogon_creds
= NULL
;
832 status
= dcerpc_pipe_connect_b(s
, &net_pipe
, s
->b
,
835 torture
->ev
, torture
->lp_ctx
);
837 torture_assert_ntstatus_ok(torture
, status
,
838 "dcerpc_pipe_connect_b failed");
840 talloc_free(net_pipe
);
843 torture_comment(torture
, "Start looping LogonSamLogonEx on %d connections for %d secs\n",
844 s
->nprocs
, s
->timelimit
);
845 for (i
=0; i
< s
->nprocs
; i
++) {
846 ret
= torture_schannel_bench_start(&s
->conns
[i
]);
847 torture_assert(torture
, ret
, "Failed to setup LogonSamLogonEx");
850 start
= timeval_current();
851 end
= timeval_add(&start
, s
->timelimit
, 0);
853 while (NT_STATUS_IS_OK(s
->error
) && !timeval_expired(&end
)) {
854 int ev_ret
= tevent_loop_once(torture
->ev
);
855 torture_assert(torture
, ev_ret
== 0, "tevent_loop_once failed");
857 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed some request");
859 talloc_free(s
->conns
);
861 for (i
=0; i
< s
->nprocs
; i
++) {
862 s
->total
+= s
->conns
[i
].total
;
865 torture_comment(torture
,
866 "Total ops[%llu] (%u ops/s)\n",
867 (unsigned long long)s
->total
,
868 (unsigned)s
->total
/s
->timelimit
);
870 torture_leave_domain(torture
, s
->join_ctx1
);
871 torture_leave_domain(torture
, s
->join_ctx2
);