2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan Metzmacher 2007
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2012
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "torture/smbtorture.h"
23 #include "torture/winbind/proto.h"
24 #include "auth/auth.h"
25 #include "auth/auth_sam_reply.h"
26 #include "auth/gensec/gensec.h"
27 #include "system/kerberos.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "auth/credentials/credentials.h"
30 #include "param/param.h"
31 #include "lib/cmdline/popt_common.h"
37 /* A helper function which avoids touching the local databases to
38 * generate the session info, as we just want to verify the PAC
39 * details, not the full local token */
40 static NTSTATUS
test_generate_session_info_pac(struct auth4_context
*auth_ctx
,
42 struct smb_krb5_context
*smb_krb5_context
,
44 const char *principal_name
,
45 const struct tsocket_address
*remote_address
,
46 uint32_t session_info_flags
,
47 struct auth_session_info
**session_info
)
50 struct auth_user_info_dc
*user_info_dc
;
52 struct pac_data
*pac_data
;
54 tmp_ctx
= talloc_named(mem_ctx
, 0, "gensec_gssapi_session_info context");
55 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
57 auth_ctx
->private_data
= pac_data
= talloc_zero(auth_ctx
, struct pac_data
);
59 pac_data
->pac_blob
= *pac_blob
;
61 talloc_steal(pac_data
, pac_data
->pac_blob
.data
);
62 nt_status
= kerberos_pac_blob_to_user_info_dc(tmp_ctx
,
64 smb_krb5_context
->krb5_context
,
67 if (!NT_STATUS_IS_OK(nt_status
)) {
72 if (user_info_dc
->info
->authenticated
) {
73 session_info_flags
|= AUTH_SESSION_INFO_AUTHENTICATED
;
76 session_info_flags
|= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
;
77 nt_status
= auth_generate_session_info(mem_ctx
,
80 user_info_dc
, session_info_flags
,
82 if (!NT_STATUS_IS_OK(nt_status
)) {
91 /* Check to see if we can pass the PAC across to the NETLOGON server for validation */
93 /* Also happens to be a really good one-step verfication of our Kerberos stack */
95 static bool torture_winbind_pac(struct torture_context
*tctx
)
99 struct gensec_security
*gensec_client_context
;
100 struct gensec_security
*gensec_server_context
;
102 DATA_BLOB client_to_server
, server_to_client
;
104 struct auth4_context
*auth_context
;
105 struct auth_session_info
*session_info
;
106 struct pac_data
*pac_data
;
108 TALLOC_CTX
*tmp_ctx
= talloc_new(tctx
);
109 torture_assert(tctx
, tmp_ctx
!= NULL
, "talloc_new() failed");
111 auth_context
= talloc_zero(tmp_ctx
, struct auth4_context
);
112 torture_assert(tctx
, auth_context
!= NULL
, "talloc_new() failed");
114 auth_context
->generate_session_info_pac
= test_generate_session_info_pac
;
116 status
= gensec_client_start(tctx
, &gensec_client_context
,
117 lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
));
118 torture_assert_ntstatus_ok(tctx
, status
, "gensec_client_start (client) failed");
120 status
= gensec_set_target_hostname(gensec_client_context
, cli_credentials_get_workstation(cmdline_credentials
));
122 status
= gensec_set_credentials(gensec_client_context
, cmdline_credentials
);
123 torture_assert_ntstatus_ok(tctx
, status
, "gensec_set_credentials (client) failed");
125 status
= gensec_start_mech_by_sasl_name(gensec_client_context
, "GSSAPI");
126 torture_assert_ntstatus_ok(tctx
, status
, "gensec_start_mech_by_sasl_name (client) failed");
128 status
= gensec_server_start(tctx
,
129 lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
130 auth_context
, &gensec_server_context
);
131 torture_assert_ntstatus_ok(tctx
, status
, "gensec_server_start (server) failed");
133 status
= gensec_set_credentials(gensec_server_context
, cmdline_credentials
);
134 torture_assert_ntstatus_ok(tctx
, status
, "gensec_set_credentials (server) failed");
136 status
= gensec_start_mech_by_sasl_name(gensec_server_context
, "GSSAPI");
137 torture_assert_ntstatus_ok(tctx
, status
, "gensec_start_mech_by_sasl_name (server) failed");
139 server_to_client
= data_blob(NULL
, 0);
142 /* Do a client-server update dance */
143 status
= gensec_update(gensec_client_context
, tmp_ctx
, tctx
->ev
, server_to_client
, &client_to_server
);
144 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {;
145 torture_assert_ntstatus_ok(tctx
, status
, "gensec_update (client) failed");
148 status
= gensec_update(gensec_server_context
, tmp_ctx
, tctx
->ev
, client_to_server
, &server_to_client
);
149 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {;
150 torture_assert_ntstatus_ok(tctx
, status
, "gensec_update (server) failed");
153 if (NT_STATUS_IS_OK(status
)) {
158 /* Extract the PAC using Samba's code */
160 status
= gensec_session_info(gensec_server_context
, gensec_server_context
, &session_info
);
161 torture_assert_ntstatus_ok(tctx
, status
, "gensec_session_info failed");
163 pac_data
= talloc_get_type(auth_context
->private_data
, struct pac_data
);
165 torture_assert(tctx
, pac_data
!= NULL
, "gensec_update failed to fill in pac_data in auth_context");
166 torture_assert(tctx
, pac_data
->pac_blob
.data
!= NULL
, "pac_blob not present");
168 /* TODO: Check the PAC blob with winbind */
175 NTSTATUS
torture_winbind_init(void)
177 struct torture_suite
*suite
= torture_suite_create(talloc_autofree_context(), "winbind");
179 torture_suite_add_suite(suite
, torture_winbind_struct_init());
180 torture_suite_add_suite(suite
, torture_wbclient());
181 torture_suite_add_simple_test(suite
,
182 "pac", torture_winbind_pac
);
184 suite
->description
= talloc_strdup(suite
, "WINBIND tests");
186 torture_register_suite(suite
);