2 Unix SMB/CIFS implementation.
4 test suite for schannel operations
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "librpc/gen_ndr/ndr_netlogon_c.h"
24 #include "librpc/gen_ndr/ndr_lsa_c.h"
25 #include "librpc/gen_ndr/ndr_samr_c.h"
26 #include "auth/credentials/credentials.h"
27 #include "torture/rpc/torture_rpc.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "../libcli/auth/schannel.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "libcli/security/security.h"
32 #include "system/filesys.h"
33 #include "param/param.h"
34 #include "librpc/rpc/dcerpc_proto.h"
35 #include "auth/gensec/gensec.h"
36 #include "libcli/composite/composite.h"
37 #include "lib/events/events.h"
39 #define TEST_MACHINE_NAME "schannel"
42 try a netlogon SamLogon
44 bool test_netlogon_ex_ops(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
45 struct cli_credentials
*credentials
,
46 struct netlogon_creds_CredentialState
*creds
)
49 struct netr_LogonSamLogonEx r
;
50 struct netr_NetworkInfo ninfo
;
51 union netr_LogonLevel logon
;
52 union netr_Validation validation
;
53 uint8_t authoritative
= 0;
55 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
57 int flags
= CLI_CRED_NTLM_AUTH
;
58 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
60 if (lpcfg_client_lanman_auth(tctx
->lp_ctx
)) {
61 flags
|= CLI_CRED_LANMAN_AUTH
;
64 if (lpcfg_client_ntlmv2_auth(tctx
->lp_ctx
)) {
65 flags
|= CLI_CRED_NTLMv2_AUTH
;
68 cli_credentials_get_ntlm_username_domain(cmdline_credentials
, tctx
,
69 &ninfo
.identity_info
.account_name
.string
,
70 &ninfo
.identity_info
.domain_name
.string
);
72 generate_random_buffer(ninfo
.challenge
,
73 sizeof(ninfo
.challenge
));
74 chal
= data_blob_const(ninfo
.challenge
,
75 sizeof(ninfo
.challenge
));
77 names_blob
= NTLMv2_generate_names_blob(tctx
, cli_credentials_get_workstation(credentials
),
78 cli_credentials_get_domain(credentials
));
80 status
= cli_credentials_get_ntlm_response(cmdline_credentials
, tctx
,
86 torture_assert_ntstatus_ok(tctx
, status
,
87 "cli_credentials_get_ntlm_response failed");
89 ninfo
.lm
.data
= lm_resp
.data
;
90 ninfo
.lm
.length
= lm_resp
.length
;
92 ninfo
.nt
.data
= nt_resp
.data
;
93 ninfo
.nt
.length
= nt_resp
.length
;
95 ninfo
.identity_info
.parameter_control
= 0;
96 ninfo
.identity_info
.logon_id_low
= 0;
97 ninfo
.identity_info
.logon_id_high
= 0;
98 ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(credentials
);
100 logon
.network
= &ninfo
;
102 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
103 r
.in
.computer_name
= cli_credentials_get_workstation(credentials
);
104 r
.in
.logon_level
= 2;
106 r
.in
.flags
= &_flags
;
107 r
.out
.validation
= &validation
;
108 r
.out
.authoritative
= &authoritative
;
109 r
.out
.flags
= &_flags
;
111 torture_comment(tctx
,
112 "Testing LogonSamLogonEx with name %s\n",
113 ninfo
.identity_info
.account_name
.string
);
116 r
.in
.validation_level
= i
;
118 torture_assert_ntstatus_ok(tctx
, dcerpc_netr_LogonSamLogonEx_r(b
, tctx
, &r
),
119 "LogonSamLogon failed");
120 torture_assert_ntstatus_ok(tctx
, r
.out
.result
, "LogonSamLogon failed");
127 do some samr ops using the schannel connection
129 static bool test_samr_ops(struct torture_context
*tctx
,
130 struct dcerpc_binding_handle
*b
)
132 struct samr_GetDomPwInfo r
;
133 struct samr_PwInfo info
;
134 struct samr_Connect connect_r
;
135 struct samr_OpenDomain opendom
;
137 struct lsa_String name
;
138 struct policy_handle handle
;
139 struct policy_handle domain_handle
;
141 name
.string
= lpcfg_workgroup(tctx
->lp_ctx
);
142 r
.in
.domain_name
= &name
;
145 connect_r
.in
.system_name
= 0;
146 connect_r
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
147 connect_r
.out
.connect_handle
= &handle
;
149 printf("Testing Connect and OpenDomain on BUILTIN\n");
151 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_Connect_r(b
, tctx
, &connect_r
),
153 if (!NT_STATUS_IS_OK(connect_r
.out
.result
)) {
154 if (NT_STATUS_EQUAL(connect_r
.out
.result
, NT_STATUS_ACCESS_DENIED
)) {
155 printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
156 nt_errstr(connect_r
.out
.result
));
158 printf("Connect failed - %s\n", nt_errstr(connect_r
.out
.result
));
162 opendom
.in
.connect_handle
= &handle
;
163 opendom
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
164 opendom
.in
.sid
= dom_sid_parse_talloc(tctx
, "S-1-5-32");
165 opendom
.out
.domain_handle
= &domain_handle
;
167 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_OpenDomain_r(b
, tctx
, &opendom
),
168 "OpenDomain failed");
169 if (!NT_STATUS_IS_OK(opendom
.out
.result
)) {
170 printf("OpenDomain failed - %s\n", nt_errstr(opendom
.out
.result
));
175 printf("Testing GetDomPwInfo with name %s\n", r
.in
.domain_name
->string
);
177 /* do several ops to test credential chaining */
179 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_GetDomPwInfo_r(b
, tctx
, &r
),
180 "GetDomPwInfo failed");
181 if (!NT_STATUS_IS_OK(r
.out
.result
)) {
182 if (!NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_ACCESS_DENIED
)) {
183 printf("GetDomPwInfo op %d failed - %s\n", i
, nt_errstr(r
.out
.result
));
194 do some lsa ops using the schannel connection
196 static bool test_lsa_ops(struct torture_context
*tctx
, struct dcerpc_pipe
*p
)
198 struct lsa_GetUserName r
;
200 struct lsa_String
*account_name_p
= NULL
;
201 struct lsa_String
*authority_name_p
= NULL
;
202 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
204 printf("\nTesting GetUserName\n");
206 r
.in
.system_name
= "\\";
207 r
.in
.account_name
= &account_name_p
;
208 r
.in
.authority_name
= &authority_name_p
;
209 r
.out
.account_name
= &account_name_p
;
211 /* do several ops to test credential chaining and various operations */
212 torture_assert_ntstatus_ok(tctx
, dcerpc_lsa_GetUserName_r(b
, tctx
, &r
),
213 "lsa_GetUserName failed");
215 authority_name_p
= *r
.out
.authority_name
;
217 if (!NT_STATUS_IS_OK(r
.out
.result
)) {
218 printf("GetUserName failed - %s\n", nt_errstr(r
.out
.result
));
221 if (!r
.out
.account_name
) {
225 if (strcmp(account_name_p
->string
, "ANONYMOUS LOGON") != 0) {
226 printf("GetUserName returned wrong user: %s, expected %s\n",
227 account_name_p
->string
, "ANONYMOUS LOGON");
229 if (!torture_setting_bool(tctx
, "samba3", false)) {
233 if (!authority_name_p
|| !authority_name_p
->string
) {
237 if (strcmp(authority_name_p
->string
, "NT AUTHORITY") != 0) {
238 printf("GetUserName returned wrong user: %s, expected %s\n",
239 authority_name_p
->string
, "NT AUTHORITY");
241 if (!torture_setting_bool(tctx
, "samba3", false)) {
246 if (!test_many_LookupSids(p
, tctx
, NULL
)) {
247 printf("LsaLookupSids3 failed!\n");
256 test a schannel connection with the given flags
258 static bool test_schannel(struct torture_context
*tctx
,
259 uint16_t acct_flags
, uint32_t dcerpc_flags
,
262 struct test_join
*join_ctx
;
264 const char *binding
= torture_setting_string(tctx
, "binding", NULL
);
265 struct dcerpc_binding
*b
;
266 struct dcerpc_pipe
*p
= NULL
;
267 struct dcerpc_pipe
*p_netlogon
= NULL
;
268 struct dcerpc_pipe
*p_netlogon2
= NULL
;
269 struct dcerpc_pipe
*p_netlogon3
= NULL
;
270 struct dcerpc_pipe
*p_samr2
= NULL
;
271 struct dcerpc_pipe
*p_lsa
= NULL
;
272 struct netlogon_creds_CredentialState
*creds
;
273 struct cli_credentials
*credentials
;
275 join_ctx
= torture_join_domain(tctx
,
276 talloc_asprintf(tctx
, "%s%d", TEST_MACHINE_NAME
, i
),
277 acct_flags
, &credentials
);
278 torture_assert(tctx
, join_ctx
!= NULL
, "Failed to join domain");
280 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
281 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
283 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
284 b
->flags
|= dcerpc_flags
;
286 status
= dcerpc_pipe_connect_b(tctx
, &p
, b
, &ndr_table_samr
,
287 credentials
, tctx
->ev
, tctx
->lp_ctx
);
288 torture_assert_ntstatus_ok(tctx
, status
,
289 "Failed to connect with schannel");
291 torture_assert(tctx
, test_samr_ops(tctx
, p
->binding_handle
),
292 "Failed to process schannel secured SAMR ops");
294 /* Also test that when we connect to the netlogon pipe, that
295 * the credentials we setup on the first pipe are valid for
298 /* Swap the binding details from SAMR to NETLOGON */
299 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_netlogon
, tctx
->ev
, tctx
->lp_ctx
);
300 torture_assert_ntstatus_ok(tctx
, status
, "epm map");
302 status
= dcerpc_secondary_connection(p
, &p_netlogon
,
304 torture_assert_ntstatus_ok(tctx
, status
, "seconday connection");
306 status
= dcerpc_bind_auth(p_netlogon
, &ndr_table_netlogon
,
307 credentials
, lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
308 DCERPC_AUTH_TYPE_SCHANNEL
,
309 dcerpc_auth_level(p
->conn
),
312 torture_assert_ntstatus_ok(tctx
, status
, "bind auth");
314 status
= dcerpc_schannel_creds(p_netlogon
->conn
->security_state
.generic_state
, tctx
, &creds
);
315 torture_assert_ntstatus_ok(tctx
, status
, "schannel creds");
317 /* do a couple of logins */
318 torture_assert(tctx
, test_netlogon_ops(p_netlogon
, tctx
, credentials
, creds
),
319 "Failed to process schannel secured NETLOGON ops");
321 torture_assert(tctx
, test_netlogon_ex_ops(p_netlogon
, tctx
, credentials
, creds
),
322 "Failed to process schannel secured NETLOGON EX ops");
324 /* Swap the binding details from SAMR to LSARPC */
325 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_lsarpc
, tctx
->ev
, tctx
->lp_ctx
);
326 torture_assert_ntstatus_ok(tctx
, status
, "epm map");
328 status
= dcerpc_secondary_connection(p
, &p_lsa
,
331 torture_assert_ntstatus_ok(tctx
, status
, "seconday connection");
333 status
= dcerpc_bind_auth(p_lsa
, &ndr_table_lsarpc
,
334 credentials
, lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
335 DCERPC_AUTH_TYPE_SCHANNEL
,
336 dcerpc_auth_level(p
->conn
),
339 torture_assert_ntstatus_ok(tctx
, status
, "bind auth");
341 torture_assert(tctx
, test_lsa_ops(tctx
, p_lsa
),
342 "Failed to process schannel secured LSA ops");
344 /* Drop the socket, we want to start from scratch */
348 /* Now see what we are still allowed to do */
350 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
351 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
353 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
354 b
->flags
|= dcerpc_flags
;
356 status
= dcerpc_pipe_connect_b(tctx
, &p_samr2
, b
, &ndr_table_samr
,
357 credentials
, tctx
->ev
, tctx
->lp_ctx
);
358 torture_assert_ntstatus_ok(tctx
, status
,
359 "Failed to connect with schannel");
361 /* do a some SAMR operations. We have *not* done a new serverauthenticate */
362 torture_assert (tctx
, test_samr_ops(tctx
, p_samr2
->binding_handle
),
363 "Failed to process schannel secured SAMR ops (on fresh connection)");
365 /* Swap the binding details from SAMR to NETLOGON */
366 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_netlogon
, tctx
->ev
, tctx
->lp_ctx
);
367 torture_assert_ntstatus_ok(tctx
, status
, "epm");
369 status
= dcerpc_secondary_connection(p_samr2
, &p_netlogon2
,
371 torture_assert_ntstatus_ok(tctx
, status
, "seconday connection");
373 /* and now setup an SCHANNEL bind on netlogon */
374 status
= dcerpc_bind_auth(p_netlogon2
, &ndr_table_netlogon
,
375 credentials
, lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
376 DCERPC_AUTH_TYPE_SCHANNEL
,
377 dcerpc_auth_level(p_samr2
->conn
),
380 torture_assert_ntstatus_ok(tctx
, status
, "auth failed");
382 /* Try the schannel-only SamLogonEx operation */
383 torture_assert(tctx
, test_netlogon_ex_ops(p_netlogon2
, tctx
, credentials
, creds
),
384 "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
387 /* And the more traditional style, proving that the
388 * credentials chaining state is fully present */
389 torture_assert(tctx
, test_netlogon_ops(p_netlogon2
, tctx
, credentials
, creds
),
390 "Failed to process schannel secured NETLOGON ops (on fresh connection)");
392 /* Drop the socket, we want to start from scratch (again) */
393 talloc_free(p_samr2
);
395 /* We don't want schannel for this test */
396 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
398 status
= dcerpc_pipe_connect_b(tctx
, &p_netlogon3
, b
, &ndr_table_netlogon
,
399 credentials
, tctx
->ev
, tctx
->lp_ctx
);
400 torture_assert_ntstatus_ok(tctx
, status
, "Failed to connect without schannel");
402 torture_assert(tctx
, !test_netlogon_ex_ops(p_netlogon3
, tctx
, credentials
, creds
),
403 "Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
405 /* Required because the previous call will mark the current context as having failed */
406 tctx
->last_result
= TORTURE_OK
;
407 tctx
->last_reason
= NULL
;
409 torture_assert(tctx
, test_netlogon_ops(p_netlogon3
, tctx
, credentials
, creds
),
410 "Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
412 torture_leave_domain(tctx
, join_ctx
);
419 a schannel test suite
421 bool torture_rpc_schannel(struct torture_context
*torture
)
426 uint32_t dcerpc_flags
;
428 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
},
429 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
},
430 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_128
},
431 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_128
},
432 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
},
433 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
},
434 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_128
},
435 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_128
}
439 for (i
=0;i
<ARRAY_SIZE(tests
);i
++) {
440 if (!test_schannel(torture
,
441 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
,
443 torture_comment(torture
, "Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
444 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
);
453 test two schannel connections
455 bool torture_rpc_schannel2(struct torture_context
*torture
)
457 struct test_join
*join_ctx
;
459 const char *binding
= torture_setting_string(torture
, "binding", NULL
);
460 struct dcerpc_binding
*b
;
461 struct dcerpc_pipe
*p1
= NULL
, *p2
= NULL
;
462 struct cli_credentials
*credentials1
, *credentials2
;
463 uint32_t dcerpc_flags
= DCERPC_SCHANNEL
| DCERPC_SIGN
;
465 join_ctx
= torture_join_domain(torture
, talloc_asprintf(torture
, "%s2", TEST_MACHINE_NAME
),
466 ACB_WSTRUST
, &credentials1
);
467 torture_assert(torture
, join_ctx
!= NULL
,
468 "Failed to join domain with acct_flags=ACB_WSTRUST");
470 credentials2
= (struct cli_credentials
*)talloc_memdup(torture
, credentials1
, sizeof(*credentials1
));
471 credentials1
->netlogon_creds
= NULL
;
472 credentials2
->netlogon_creds
= NULL
;
474 status
= dcerpc_parse_binding(torture
, binding
, &b
);
475 torture_assert_ntstatus_ok(torture
, status
, "Bad binding string");
477 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
478 b
->flags
|= dcerpc_flags
;
480 printf("Opening first connection\n");
481 status
= dcerpc_pipe_connect_b(torture
, &p1
, b
, &ndr_table_netlogon
,
482 credentials1
, torture
->ev
, torture
->lp_ctx
);
483 torture_assert_ntstatus_ok(torture
, status
, "Failed to connect with schannel");
485 torture_comment(torture
, "Opening second connection\n");
486 status
= dcerpc_pipe_connect_b(torture
, &p2
, b
, &ndr_table_netlogon
,
487 credentials2
, torture
->ev
, torture
->lp_ctx
);
488 torture_assert_ntstatus_ok(torture
, status
, "Failed to connect with schannel");
490 credentials1
->netlogon_creds
= NULL
;
491 credentials2
->netlogon_creds
= NULL
;
493 torture_comment(torture
, "Testing logon on pipe1\n");
494 if (!test_netlogon_ex_ops(p1
, torture
, credentials1
, NULL
))
497 torture_comment(torture
, "Testing logon on pipe2\n");
498 if (!test_netlogon_ex_ops(p2
, torture
, credentials2
, NULL
))
501 torture_comment(torture
, "Again on pipe1\n");
502 if (!test_netlogon_ex_ops(p1
, torture
, credentials1
, NULL
))
505 torture_comment(torture
, "Again on pipe2\n");
506 if (!test_netlogon_ex_ops(p2
, torture
, credentials2
, NULL
))
509 torture_leave_domain(torture
, join_ctx
);
513 struct torture_schannel_bench
;
515 struct torture_schannel_bench_conn
{
516 struct torture_schannel_bench
*s
;
518 struct cli_credentials
*wks_creds
;
519 struct dcerpc_pipe
*pipe
;
520 struct netr_LogonSamLogonEx r
;
521 struct netr_NetworkInfo ninfo
;
527 struct torture_schannel_bench
{
528 struct torture_context
*tctx
;
533 struct torture_schannel_bench_conn
*conns
;
534 struct test_join
*join_ctx1
;
535 struct cli_credentials
*wks_creds1
;
536 struct test_join
*join_ctx2
;
537 struct cli_credentials
*wks_creds2
;
538 struct cli_credentials
*user1_creds
;
539 struct cli_credentials
*user2_creds
;
540 struct dcerpc_binding
*b
;
547 static void torture_schannel_bench_connected(struct composite_context
*c
)
549 struct torture_schannel_bench_conn
*conn
=
550 (struct torture_schannel_bench_conn
*)c
->async
.private_data
;
551 struct torture_schannel_bench
*s
= talloc_get_type(conn
->s
,
552 struct torture_schannel_bench
);
554 s
->error
= dcerpc_pipe_connect_b_recv(c
, s
->conns
, &conn
->pipe
);
555 torture_comment(s
->tctx
, "conn[%u]: %s\n", conn
->index
, nt_errstr(s
->error
));
556 if (NT_STATUS_IS_OK(s
->error
)) {
561 static void torture_schannel_bench_recv(struct tevent_req
*subreq
);
563 static bool torture_schannel_bench_start(struct torture_schannel_bench_conn
*conn
)
565 struct torture_schannel_bench
*s
= conn
->s
;
567 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
568 int flags
= CLI_CRED_NTLM_AUTH
;
569 struct tevent_req
*subreq
;
570 struct cli_credentials
*user_creds
;
572 if (conn
->total
% 2) {
573 user_creds
= s
->user1_creds
;
575 user_creds
= s
->user2_creds
;
578 if (lpcfg_client_lanman_auth(s
->tctx
->lp_ctx
)) {
579 flags
|= CLI_CRED_LANMAN_AUTH
;
582 if (lpcfg_client_ntlmv2_auth(s
->tctx
->lp_ctx
)) {
583 flags
|= CLI_CRED_NTLMv2_AUTH
;
586 talloc_free(conn
->tmp
);
587 conn
->tmp
= talloc_new(s
);
588 ZERO_STRUCT(conn
->ninfo
);
589 ZERO_STRUCT(conn
->r
);
591 cli_credentials_get_ntlm_username_domain(user_creds
, conn
->tmp
,
592 &conn
->ninfo
.identity_info
.account_name
.string
,
593 &conn
->ninfo
.identity_info
.domain_name
.string
);
595 generate_random_buffer(conn
->ninfo
.challenge
,
596 sizeof(conn
->ninfo
.challenge
));
597 chal
= data_blob_const(conn
->ninfo
.challenge
,
598 sizeof(conn
->ninfo
.challenge
));
600 names_blob
= NTLMv2_generate_names_blob(conn
->tmp
,
601 cli_credentials_get_workstation(conn
->wks_creds
),
602 cli_credentials_get_domain(conn
->wks_creds
));
604 status
= cli_credentials_get_ntlm_response(user_creds
, conn
->tmp
,
610 torture_assert_ntstatus_ok(s
->tctx
, status
,
611 "cli_credentials_get_ntlm_response failed");
613 conn
->ninfo
.lm
.data
= lm_resp
.data
;
614 conn
->ninfo
.lm
.length
= lm_resp
.length
;
616 conn
->ninfo
.nt
.data
= nt_resp
.data
;
617 conn
->ninfo
.nt
.length
= nt_resp
.length
;
619 conn
->ninfo
.identity_info
.parameter_control
= 0;
620 conn
->ninfo
.identity_info
.logon_id_low
= 0;
621 conn
->ninfo
.identity_info
.logon_id_high
= 0;
622 conn
->ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(conn
->wks_creds
);
624 conn
->r
.in
.server_name
= talloc_asprintf(conn
->tmp
, "\\\\%s", dcerpc_server_name(conn
->pipe
));
625 conn
->r
.in
.computer_name
= cli_credentials_get_workstation(conn
->wks_creds
);
626 conn
->r
.in
.logon_level
= 2;
627 conn
->r
.in
.logon
= talloc(conn
->tmp
, union netr_LogonLevel
);
628 conn
->r
.in
.logon
->network
= &conn
->ninfo
;
629 conn
->r
.in
.flags
= talloc(conn
->tmp
, uint32_t);
630 conn
->r
.in
.validation_level
= 2;
631 conn
->r
.out
.validation
= talloc(conn
->tmp
, union netr_Validation
);
632 conn
->r
.out
.authoritative
= talloc(conn
->tmp
, uint8_t);
633 conn
->r
.out
.flags
= conn
->r
.in
.flags
;
635 subreq
= dcerpc_netr_LogonSamLogonEx_r_send(s
, s
->tctx
->ev
,
636 conn
->pipe
->binding_handle
,
638 torture_assert(s
->tctx
, subreq
, "Failed to setup LogonSamLogonEx request");
640 tevent_req_set_callback(subreq
, torture_schannel_bench_recv
, conn
);
645 static void torture_schannel_bench_recv(struct tevent_req
*subreq
)
648 struct torture_schannel_bench_conn
*conn
=
649 (struct torture_schannel_bench_conn
*)tevent_req_callback_data_void(subreq
);
650 struct torture_schannel_bench
*s
= talloc_get_type(conn
->s
,
651 struct torture_schannel_bench
);
653 s
->error
= dcerpc_netr_LogonSamLogonEx_r_recv(subreq
, subreq
);
655 if (!NT_STATUS_IS_OK(s
->error
)) {
666 ret
= torture_schannel_bench_start(conn
);
668 s
->error
= NT_STATUS_INTERNAL_ERROR
;
673 test multiple schannel connection in parallel
675 bool torture_rpc_schannel_bench1(struct torture_context
*torture
)
679 const char *binding
= torture_setting_string(torture
, "binding", NULL
);
680 struct torture_schannel_bench
*s
;
681 struct timeval start
;
686 s
= talloc_zero(torture
, struct torture_schannel_bench
);
688 s
->progress
= torture_setting_bool(torture
, "progress", true);
689 s
->timelimit
= torture_setting_int(torture
, "timelimit", 10);
690 s
->nprocs
= torture_setting_int(torture
, "nprocs", 4);
691 s
->conns
= talloc_zero_array(s
, struct torture_schannel_bench_conn
, s
->nprocs
);
693 s
->user1_creds
= (struct cli_credentials
*)talloc_memdup(s
,
695 sizeof(*s
->user1_creds
));
696 tmp
= torture_setting_string(s
->tctx
, "extra_user1", NULL
);
698 cli_credentials_parse_string(s
->user1_creds
, tmp
, CRED_SPECIFIED
);
700 s
->user2_creds
= (struct cli_credentials
*)talloc_memdup(s
,
702 sizeof(*s
->user1_creds
));
703 tmp
= torture_setting_string(s
->tctx
, "extra_user2", NULL
);
705 cli_credentials_parse_string(s
->user1_creds
, tmp
, CRED_SPECIFIED
);
708 s
->join_ctx1
= torture_join_domain(s
->tctx
, talloc_asprintf(s
, "%sb", TEST_MACHINE_NAME
),
709 ACB_WSTRUST
, &s
->wks_creds1
);
710 torture_assert(torture
, s
->join_ctx1
!= NULL
,
711 "Failed to join domain with acct_flags=ACB_WSTRUST");
712 s
->join_ctx2
= torture_join_domain(s
->tctx
, talloc_asprintf(s
, "%sc", TEST_MACHINE_NAME
),
713 ACB_WSTRUST
, &s
->wks_creds2
);
714 torture_assert(torture
, s
->join_ctx2
!= NULL
,
715 "Failed to join domain with acct_flags=ACB_WSTRUST");
717 cli_credentials_set_kerberos_state(s
->wks_creds1
, CRED_DONT_USE_KERBEROS
);
718 cli_credentials_set_kerberos_state(s
->wks_creds2
, CRED_DONT_USE_KERBEROS
);
720 for (i
=0; i
< s
->nprocs
; i
++) {
722 s
->conns
[i
].index
= i
;
723 s
->conns
[i
].wks_creds
= (struct cli_credentials
*)talloc_memdup(
724 s
->conns
, s
->wks_creds1
,sizeof(*s
->wks_creds1
));
725 if ((i
% 2) && (torture_setting_bool(torture
, "multijoin", false))) {
726 memcpy(s
->conns
[i
].wks_creds
, s
->wks_creds2
,
727 talloc_get_size(s
->conns
[i
].wks_creds
));
729 s
->conns
[i
].wks_creds
->netlogon_creds
= NULL
;
732 status
= dcerpc_parse_binding(s
, binding
, &s
->b
);
733 torture_assert_ntstatus_ok(torture
, status
, "Bad binding string");
734 s
->b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
735 s
->b
->flags
|= DCERPC_SCHANNEL
| DCERPC_SIGN
;
737 torture_comment(torture
, "Opening %d connections in parallel\n", s
->nprocs
);
738 for (i
=0; i
< s
->nprocs
; i
++) {
740 s
->error
= dcerpc_pipe_connect_b(s
->conns
, &s
->conns
[i
].pipe
, s
->b
,
742 s
->conns
[i
].wks_creds
,
743 torture
->ev
, torture
->lp_ctx
);
744 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed to connect with schannel");
747 * This path doesn't work against windows,
748 * because of windows drops the connections
749 * which haven't reached a session setup yet
751 * The same as the reset on zero vc stuff.
753 struct composite_context
*c
;
754 c
= dcerpc_pipe_connect_b_send(s
->conns
, s
->b
,
756 s
->conns
[i
].wks_creds
,
759 torture_assert(torture
, c
!= NULL
, "Failed to setup connect");
760 c
->async
.fn
= torture_schannel_bench_connected
;
761 c
->async
.private_data
= &s
->conns
[i
];
764 while (NT_STATUS_IS_OK(s
->error
) && s
->nprocs
!= s
->nconns
) {
765 int ev_ret
= event_loop_once(torture
->ev
);
766 torture_assert(torture
, ev_ret
== 0, "event_loop_once failed");
769 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed establish a connect");
772 * Change the workstation password after establishing the netlogon
773 * schannel connections to prove that existing connections are not
774 * affected by a wks pwchange.
778 struct netr_ServerPasswordSet pwset
;
779 char *password
= generate_random_password(s
->join_ctx1
, 8, 255);
780 struct netlogon_creds_CredentialState
*creds_state
;
781 struct dcerpc_pipe
*net_pipe
;
782 struct netr_Authenticator credential
, return_authenticator
;
783 struct samr_Password new_password
;
785 status
= dcerpc_pipe_connect_b(s
, &net_pipe
, s
->b
,
788 torture
->ev
, torture
->lp_ctx
);
790 torture_assert_ntstatus_ok(torture
, status
,
791 "dcerpc_pipe_connect_b failed");
793 pwset
.in
.server_name
= talloc_asprintf(
794 net_pipe
, "\\\\%s", dcerpc_server_name(net_pipe
));
795 pwset
.in
.computer_name
=
796 cli_credentials_get_workstation(s
->wks_creds1
);
797 pwset
.in
.account_name
= talloc_asprintf(
798 net_pipe
, "%s$", pwset
.in
.computer_name
);
799 pwset
.in
.secure_channel_type
= SEC_CHAN_WKSTA
;
800 pwset
.in
.credential
= &credential
;
801 pwset
.in
.new_password
= &new_password
;
802 pwset
.out
.return_authenticator
= &return_authenticator
;
804 E_md4hash(password
, new_password
.hash
);
806 creds_state
= cli_credentials_get_netlogon_creds(
808 netlogon_creds_des_encrypt(creds_state
, &new_password
);
809 netlogon_creds_client_authenticator(creds_state
, &credential
);
811 torture_assert_ntstatus_ok(torture
, dcerpc_netr_ServerPasswordSet_r(net_pipe
->binding_handle
, torture
, &pwset
),
812 "ServerPasswordSet failed");
813 torture_assert_ntstatus_ok(torture
, pwset
.out
.result
,
814 "ServerPasswordSet failed");
816 if (!netlogon_creds_client_check(creds_state
,
817 &pwset
.out
.return_authenticator
->cred
)) {
818 printf("Credential chaining failed\n");
821 cli_credentials_set_password(s
->wks_creds1
, password
,
824 talloc_free(net_pipe
);
826 /* Just as a test, connect with the new creds */
828 talloc_free(s
->wks_creds1
->netlogon_creds
);
829 s
->wks_creds1
->netlogon_creds
= NULL
;
831 status
= dcerpc_pipe_connect_b(s
, &net_pipe
, s
->b
,
834 torture
->ev
, torture
->lp_ctx
);
836 torture_assert_ntstatus_ok(torture
, status
,
837 "dcerpc_pipe_connect_b failed");
839 talloc_free(net_pipe
);
842 torture_comment(torture
, "Start looping LogonSamLogonEx on %d connections for %d secs\n",
843 s
->nprocs
, s
->timelimit
);
844 for (i
=0; i
< s
->nprocs
; i
++) {
845 ret
= torture_schannel_bench_start(&s
->conns
[i
]);
846 torture_assert(torture
, ret
, "Failed to setup LogonSamLogonEx");
849 start
= timeval_current();
850 end
= timeval_add(&start
, s
->timelimit
, 0);
852 while (NT_STATUS_IS_OK(s
->error
) && !timeval_expired(&end
)) {
853 int ev_ret
= event_loop_once(torture
->ev
);
854 torture_assert(torture
, ev_ret
== 0, "event_loop_once failed");
856 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed some request");
858 talloc_free(s
->conns
);
860 for (i
=0; i
< s
->nprocs
; i
++) {
861 s
->total
+= s
->conns
[i
].total
;
864 torture_comment(torture
,
865 "Total ops[%llu] (%u ops/s)\n",
866 (unsigned long long)s
->total
,
867 (unsigned)s
->total
/s
->timelimit
);
869 torture_leave_domain(torture
, s
->join_ctx1
);
870 torture_leave_domain(torture
, s
->join_ctx2
);