search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-lsaprc: Don't call lsa_OpenPolicy2 in lsa_LookupNames4.
[Samba/gebeck_regimport.git] / source3 / torture / pdbtest.c
blobc4c6bb687167efa0c2349db89501ab0ab87e451d
1 /*
2 Unix SMB/CIFS implementation.
3 passdb testing utility
4
5 Copyright (C) Wilco Baan Hofman 2006
6 Copyright (C) Jelmer Vernooij 2006
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22
23 #include "includes.h"
24 #include "popt_common.h"
25 #include "passdb.h"
26
27 #include "../librpc/gen_ndr/drsblobs.h"
28 #include "../librpc/gen_ndr/ndr_drsblobs.h"
29 #include "../libcli/security/dom_sid.h"
30
31 #define TRUST_DOM "trustdom"
32 #define TRUST_PWD "trustpwd1232"
33 #define TRUST_SID "S-1-5-21-1111111111-2222222222-3333333333"
34
35 static bool samu_correct(struct samu *s1, struct samu *s2)
36 {
37 bool ret = True;
38 uint32 s1_len, s2_len;
39 const char *s1_buf, *s2_buf;
40 const uint8 *d1_buf, *d2_buf;
41
42 /* Check Unix username */
43 s1_buf = pdb_get_username(s1);
44 s2_buf = pdb_get_username(s2);
45 if (s2_buf == NULL && s1_buf != NULL) {
46 DEBUG(0, ("Username is not set\n"));
47 ret = False;
48 } else if (s1_buf == NULL) {
49 /* Do nothing */
50 } else if (strcmp(s1_buf,s2_buf)) {
51 DEBUG(0, ("Username not written correctly, want %s, got \"%s\"\n",
52 pdb_get_username(s1),
53 pdb_get_username(s2)));
54 ret = False;
55 }
56
57 /* Check NT username */
58 s1_buf = pdb_get_nt_username(s1);
59 s2_buf = pdb_get_nt_username(s2);
60 if (s2_buf == NULL && s1_buf != NULL) {
61 DEBUG(0, ("NT Username is not set\n"));
62 ret = False;
63 } else if (s1_buf == NULL) {
64 /* Do nothing */
65 } else if (strcmp(s1_buf, s2_buf)) {
66 DEBUG(0, ("NT Username not written correctly, want \"%s\", got \"%s\"\n",
67 pdb_get_nt_username(s1),
68 pdb_get_nt_username(s2)));
69 ret = False;
70 }
71
72 /* Check acct ctrl */
73 if (pdb_get_acct_ctrl(s1) != pdb_get_acct_ctrl(s2)) {
74 DEBUG(0, ("Acct ctrl field not written correctly, want %d (0x%X), got %d (0x%X)\n",
75 pdb_get_acct_ctrl(s1),
76 pdb_get_acct_ctrl(s1),
77 pdb_get_acct_ctrl(s2),
78 pdb_get_acct_ctrl(s2)));
79 ret = False;
80 }
81
82 /* Check NT password */
83 d1_buf = pdb_get_nt_passwd(s1);
84 d2_buf = pdb_get_nt_passwd(s2);
85 if (d2_buf == NULL && d1_buf != NULL) {
86 DEBUG(0, ("NT password is not set\n"));
87 ret = False;
88 } else if (d1_buf == NULL) {
89 /* Do nothing */
90 } else if (memcmp(d1_buf, d2_buf, NT_HASH_LEN)) {
91 DEBUG(0, ("NT password not written correctly\n"));
92 ret = False;
93 }
94
95 /* Check lanman password */
96 d1_buf = pdb_get_lanman_passwd(s1);
97 d2_buf = pdb_get_lanman_passwd(s2);
98 if (d2_buf == NULL && d1_buf != NULL) {
99 DEBUG(0, ("Lanman password is not set\n"));
100 } else if (d1_buf == NULL) {
101 /* Do nothing */
102 } else if (memcmp(d1_buf, d2_buf, NT_HASH_LEN)) {
103 DEBUG(0, ("Lanman password not written correctly\n"));
104 ret = False;
105 }
106
107 /* Check password history */
108 d1_buf = pdb_get_pw_history(s1, &s1_len);
109 d2_buf = pdb_get_pw_history(s2, &s2_len);
110 if (d2_buf == NULL && d1_buf != NULL) {
111 DEBUG(0, ("Password history is not set\n"));
112 } else if (d1_buf == NULL) {
113 /* Do nothing */
114 } else if (s1_len != s1_len) {
115 DEBUG(0, ("Password history not written correctly, lengths differ, want %d, got %d\n",
116 s1_len, s2_len));
117 ret = False;
118 } else if (strncmp(s1_buf, s2_buf, s1_len)) {
119 DEBUG(0, ("Password history not written correctly\n"));
120 ret = False;
121 }
122
123 /* Check logon time */
124 if (pdb_get_logon_time(s1) != pdb_get_logon_time(s2)) {
125 DEBUG(0, ("Logon time is not written correctly\n"));
126 ret = False;
127 }
128
129 /* Check logoff time */
130 if (pdb_get_logoff_time(s1) != pdb_get_logoff_time(s2)) {
131 DEBUG(0, ("Logoff time is not written correctly: %s vs %s \n",
132 http_timestring(talloc_tos(), pdb_get_logoff_time(s1)),
133 http_timestring(talloc_tos(), pdb_get_logoff_time(s2))));
134 ret = False;
135 }
136
137 /* Check kickoff time */
138 if (pdb_get_kickoff_time(s1) != pdb_get_kickoff_time(s2)) {
139 DEBUG(0, ("Kickoff time is not written correctly: %s vs %s \n",
140 http_timestring(talloc_tos(), pdb_get_kickoff_time(s1)),
141 http_timestring(talloc_tos(), pdb_get_kickoff_time(s2))));
142 ret = False;
143 }
144
145 /* Check bad password time */
146 if (pdb_get_bad_password_time(s1) != pdb_get_bad_password_time(s2)) {
147 DEBUG(0, ("Bad password time is not written correctly\n"));
148 ret = False;
149 }
150
151 /* Check password last set time */
152 if (pdb_get_pass_last_set_time(s1) != pdb_get_pass_last_set_time(s2)) {
153 DEBUG(0, ("Password last set time is not written correctly: %s vs %s \n",
154 http_timestring(talloc_tos(), pdb_get_pass_last_set_time(s1)),
155 http_timestring(talloc_tos(), pdb_get_pass_last_set_time(s2))));
156 ret = False;
157 }
158
159 /* Check password can change time */
160 if (pdb_get_pass_can_change_time(s1) != pdb_get_pass_can_change_time(s2)) {
161 DEBUG(0, ("Password can change time is not written correctly %s vs %s \n",
162 http_timestring(talloc_tos(), pdb_get_pass_can_change_time(s1)),
163 http_timestring(talloc_tos(), pdb_get_pass_can_change_time(s2))));
164 ret = False;
165 }
166
167 /* Check password must change time */
168 if (pdb_get_pass_must_change_time(s1) != pdb_get_pass_must_change_time(s2)) {
169 DEBUG(0, ("Password must change time is not written correctly\n"));
170 ret = False;
171 }
172
173 /* Check logon divs */
174 if (pdb_get_logon_divs(s1) != pdb_get_logon_divs(s2)) {
175 DEBUG(0, ("Logon divs not written correctly\n"));
176 ret = False;
177 }
178
179 /* Check logon hours */
180 if (pdb_get_hours_len(s1) != pdb_get_hours_len(s2)) {
181 DEBUG(0, ("Logon hours length not written correctly\n"));
182 ret = False;
183 } else if (pdb_get_hours_len(s1) != 0) {
184 d1_buf = pdb_get_hours(s1);
185 d2_buf = pdb_get_hours(s2);
186 if (d2_buf == NULL && d2_buf != NULL) {
187 DEBUG(0, ("Logon hours is not set\n"));
188 ret = False;
189 } else if (d1_buf == NULL) {
190 /* Do nothing */
191 } else if (memcmp(d1_buf, d2_buf, MAX_HOURS_LEN)) {
192 DEBUG(0, ("Logon hours is not written correctly\n"));
193 ret = False;
194 }
195 }
196
197 /* Check profile path */
198 s1_buf = pdb_get_profile_path(s1);
199 s2_buf = pdb_get_profile_path(s2);
200 if (s2_buf == NULL && s1_buf != NULL) {
201 DEBUG(0, ("Profile path is not set\n"));
202 ret = False;
203 } else if (s1_buf == NULL) {
204 /* Do nothing */
205 } else if (strcmp(s1_buf, s2_buf)) {
206 DEBUG(0, ("Profile path is not written correctly\n"));
207 ret = False;
208 }
209
210 /* Check home dir */
211 s1_buf = pdb_get_homedir(s1);
212 s2_buf = pdb_get_homedir(s2);
213 if (s2_buf == NULL && s1_buf != NULL) {
214 DEBUG(0, ("Home dir is not set\n"));
215 ret = False;
216 } else if (s1_buf == NULL) {
217 /* Do nothing */
218 } else if (strcmp(s1_buf, s2_buf)) {
219 DEBUG(0, ("Home dir is not written correctly\n"));
220 ret = False;
221 }
222
223 /* Check logon script */
224 s1_buf = pdb_get_logon_script(s1);
225 s2_buf = pdb_get_logon_script(s2);
226 if (s2_buf == NULL && s1_buf != NULL) {
227 DEBUG(0, ("Logon script not set\n"));
228 ret = False;
229 } else if (s1_buf == NULL) {
230 /* Do nothing */
231 } else if (strcmp(s1_buf, s2_buf)) {
232 DEBUG(0, ("Logon script is not written correctly\n"));
233 ret = False;
234 }
235
236 /* TODO Check user and group sids */
237
238 return ret;
239 }
240
241 static bool test_trusted_domains(TALLOC_CTX *ctx,
242 struct pdb_methods *pdb,
243 bool *error)
244 {
245 NTSTATUS rv;
246 /* test trustdom calls */
247 struct pdb_trusted_domain *td;
248 struct pdb_trusted_domain *new_td;
249 struct trustAuthInOutBlob taiob;
250 struct AuthenticationInformation aia;
251 enum ndr_err_code ndr_err;
252
253 td = talloc_zero(ctx ,struct pdb_trusted_domain);
254 if (!td) {
255 fprintf(stderr, "talloc failed\n");
256 return false;
257 }
258
259 td->domain_name = talloc_strdup(td, TRUST_DOM);
260 td->netbios_name = talloc_strdup(td, TRUST_DOM);
261 if (!td->domain_name || !td->netbios_name) {
262 fprintf(stderr, "talloc failed\n");
263 return false;
264 }
265
266 td->trust_auth_incoming = data_blob_null;
267
268 ZERO_STRUCT(taiob);
269 ZERO_STRUCT(aia);
270 taiob.count = 1;
271 taiob.current.count = 1;
272 taiob.current.array = &aia;
273 unix_to_nt_time(&aia.LastUpdateTime, time(NULL));
274 aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
275 aia.AuthInfo.clear.password = (uint8_t *) talloc_strdup(ctx, TRUST_PWD);
276 aia.AuthInfo.clear.size = strlen(TRUST_PWD);
277
278 taiob.previous.count = 0;
279 taiob.previous.array = NULL;
280
281 ndr_err = ndr_push_struct_blob(&td->trust_auth_outgoing,
282 td, &taiob,
283 (ndr_push_flags_fn_t) ndr_push_trustAuthInOutBlob);
284 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
285 fprintf(stderr, "ndr_push_struct_blob failed.\n");
286 return false;
287 }
288
289 td->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
290 td->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
291 td->trust_attributes = 0;
292 td->trust_forest_trust_info = data_blob_null;
293
294 rv = pdb->set_trusted_domain(pdb, TRUST_DOM, td);
295 if (!NT_STATUS_IS_OK(rv)) {
296 fprintf(stderr, "Error in set_trusted_domain %s\n",
297 get_friendly_nt_error_msg(rv));
298 *error = true;
299 }
300
301 rv = pdb->get_trusted_domain(pdb, ctx, TRUST_DOM, &new_td);
302 if (!NT_STATUS_IS_OK(rv)) {
303 fprintf(stderr, "Error in set_trusted_domain %s\n",
304 get_friendly_nt_error_msg(rv));
305 *error = true;
306 }
307
308 if (!strequal(td->domain_name, new_td->domain_name) ||
309 !strequal(td->netbios_name, new_td->netbios_name) ||
310 !dom_sid_equal(&td->security_identifier,
311 &new_td->security_identifier) ||
312 td->trust_direction != new_td->trust_direction ||
313 td->trust_type != new_td->trust_type ||
314 td->trust_attributes != new_td->trust_attributes ||
315 td->trust_auth_incoming.length != new_td->trust_auth_incoming.length ||
316 td->trust_forest_trust_info.length != new_td->trust_forest_trust_info.length ||
317 data_blob_cmp(&td->trust_auth_outgoing, &new_td->trust_auth_outgoing) != 0) {
318 fprintf(stderr, "Old and new trusdet domain data do not match\n");
319 *error = true;
320 }
321
322 return true;
323 }
324
325
326 int main(int argc, char **argv)
327 {
328 TALLOC_CTX *ctx;
329 struct samu *out = NULL;
330 struct samu *in = NULL;
331 NTSTATUS rv;
332 int i;
333 struct timeval tv;
334 bool error = False;
335 struct passwd *pwd;
336 uint8 *buf;
337 uint32 expire, min_age, history;
338 struct pdb_methods *pdb;
339 poptContext pc;
340 static const char *backend = NULL;
341 static const char *unix_user = "nobody";
342 struct poptOption long_options[] = {
343 {"username", 'u', POPT_ARG_STRING, &unix_user, 0, "Unix user to use for testing", "USERNAME" },
344 {"backend", 'b', POPT_ARG_STRING, &backend, 0, "Backend to use if not default", "BACKEND[:SETTINGS]" },
345 POPT_AUTOHELP
346 POPT_COMMON_SAMBA
347 POPT_TABLEEND
348 };
349
350 load_case_tables();
351
352 pc = poptGetContext("pdbtest", argc, (const char **) argv,
353 long_options, 0);
354
355 poptSetOtherOptionHelp(pc, "backend[:settings] username");
356
357 while(poptGetNextOpt(pc) != -1);
358
359 poptFreeContext(pc);
360
361 /* Load configuration */
362 lp_load_global(get_dyn_CONFIGFILE());
363 setup_logging("pdbtest", DEBUG_STDOUT);
364
365 if (backend == NULL) {
366 backend = lp_passdb_backend();
367 }
368
369 rv = make_pdb_method_name(&pdb, backend);
370 if (NT_STATUS_IS_ERR(rv)) {
371 fprintf(stderr, "Error initializing '%s': %s\n", backend, get_friendly_nt_error_msg(rv));
372 exit(1);
373 }
374
375 ctx = talloc_init("PDBTEST");
376
377 if (!(out = samu_new(ctx))) {
378 fprintf(stderr, "Can't create samu structure.\n");
379 exit(1);
380 }
381
382 if ((pwd = Get_Pwnam_alloc(ctx, unix_user)) == NULL) {
383 fprintf(stderr, "Error getting user information for %s\n", unix_user);
384 exit(1);
385 }
386
387 samu_set_unix(out, pwd);
388
389 pdb_set_profile_path(out, "\\\\torture\\profile", PDB_SET);
390 pdb_set_homedir(out, "\\\\torture\\home", PDB_SET);
391 pdb_set_logon_script(out, "torture_script.cmd", PDB_SET);
392
393 pdb_set_acct_ctrl(out, ACB_NORMAL, PDB_SET);
394
395 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &history);
396 if (history * PW_HISTORY_ENTRY_LEN < NT_HASH_LEN) {
397 buf = (uint8 *)TALLOC(ctx, NT_HASH_LEN);
398 } else {
399 buf = (uint8 *)TALLOC(ctx, history * PW_HISTORY_ENTRY_LEN);
400 }
401
402 /* Generate some random hashes */
403 GetTimeOfDay(&tv);
404 srand(tv.tv_usec);
405 for (i = 0; i < NT_HASH_LEN; i++) {
406 buf[i] = (uint8) rand();
407 }
408 pdb_set_nt_passwd(out, buf, PDB_SET);
409 for (i = 0; i < LM_HASH_LEN; i++) {
410 buf[i] = (uint8) rand();
411 }
412 pdb_set_lanman_passwd(out, buf, PDB_SET);
413 for (i = 0; i < history * PW_HISTORY_ENTRY_LEN; i++) {
414 buf[i] = (uint8) rand();
415 }
416 pdb_set_pw_history(out, buf, history, PDB_SET);
417
418 pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &expire);
419 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &min_age);
420 pdb_set_pass_last_set_time(out, time(NULL), PDB_SET);
421
422 if (min_age == (uint32)-1) {
423 pdb_set_pass_can_change_time(out, 0, PDB_SET);
424 } else {
425 pdb_set_pass_can_change_time(out, time(NULL)+min_age, PDB_SET);
426 }
427
428 pdb_set_logon_time(out, time(NULL)-3600, PDB_SET);
429
430 pdb_set_logoff_time(out, time(NULL), PDB_SET);
431
432 pdb_set_kickoff_time(out, time(NULL)+3600, PDB_SET);
433
434 /* Create account */
435 if (!NT_STATUS_IS_OK(rv = pdb->add_sam_account(pdb, out))) {
436 fprintf(stderr, "Error in add_sam_account: %s\n",
437 get_friendly_nt_error_msg(rv));
438 exit(1);
439 }
440
441 if (!(in = samu_new(ctx))) {
442 fprintf(stderr, "Can't create samu structure.\n");
443 exit(1);
444 }
445
446 /* Get account information through getsampwnam() */
447 rv = pdb->getsampwnam(pdb, in, out->username);
448 if (NT_STATUS_IS_ERR(rv)) {
449 fprintf(stderr, "Error getting sampw of added user %s: %s\n",
450 out->username, nt_errstr(rv));
451 if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) {
452 fprintf(stderr, "Error in delete_sam_account %s\n",
453 get_friendly_nt_error_msg(rv));
454 }
455 TALLOC_FREE(ctx);
456 exit(1);
457 }
458
459 /* Verify integrity */
460 if (samu_correct(out, in)) {
461 printf("User info written correctly\n");
462 } else {
463 printf("User info NOT written correctly\n");
464 error = True;
465 }
466
467 /* Delete account */
468 if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) {
469 fprintf(stderr, "Error in delete_sam_account %s\n",
470 get_friendly_nt_error_msg(rv));
471 }
472
473 if (pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX) {
474 if (!test_trusted_domains(ctx, pdb, &error)) {
475 fprintf(stderr, "failed testing trusted domains.\n");
476 exit(1);
477 }
478 }
479
480 TALLOC_FREE(ctx);
481
482 if (error) {
483 return 1;
484 }
485 return 0;
486 }
reg import