static void unbecomeDC_drsuapi_connect_send(struct libnet_UnbecomeDC_state *s)
{
	struct composite_context *c = s->creq;
	struct composite_context *creq;
	char *binding_str;

	binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[seal,target_hostname=%s]",
				      s->source_dsa.address,
				      s->source_dsa.dns_name);
	if (composite_nomem(binding_str, c)) return;

	c->status = dcerpc_parse_binding(s, binding_str, &s->drsuapi.binding);
	talloc_free(binding_str);
	if (!composite_is_ok(c)) return;

	if (DEBUGLEVEL >= 10) {
		c->status = dcerpc_binding_set_flags(s->drsuapi.binding,
						     DCERPC_DEBUG_PRINT_BOTH,
						     0);
		if (!composite_is_ok(c)) return;
	}

	creq = dcerpc_pipe_connect_b_send(s, s->drsuapi.binding, &ndr_table_drsuapi,
					  s->libnet->cred, s->libnet->event_ctx,
					  s->libnet->lp_ctx);
	composite_continue(c, creq, unbecomeDC_drsuapi_connect_recv, s);
}
Beispiel #2
0
/*
  test two schannel connections
 */
bool torture_rpc_schannel2(struct torture_context *torture)
{
	struct test_join *join_ctx;
	NTSTATUS status;
	const char *binding = torture_setting_string(torture, "binding", NULL);
	struct dcerpc_binding *b;
	struct dcerpc_pipe *p1 = NULL, *p2 = NULL;
	struct cli_credentials *credentials1, *credentials2;
	uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SIGN;

	join_ctx = torture_join_domain(torture, talloc_asprintf(torture, "%s2", TEST_MACHINE_NAME),
				       ACB_WSTRUST, &credentials1);
	torture_assert(torture, join_ctx != NULL,
		       "Failed to join domain with acct_flags=ACB_WSTRUST");

	credentials2 = cli_credentials_shallow_copy(torture, credentials1);
	cli_credentials_set_netlogon_creds(credentials1, NULL);
	cli_credentials_set_netlogon_creds(credentials2, NULL);

	status = dcerpc_parse_binding(torture, binding, &b);
	torture_assert_ntstatus_ok(torture, status, "Bad binding string");

	status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
	torture_assert_ntstatus_ok(torture, status, "set flags");

	torture_comment(torture, "Opening first connection\n");
	status = dcerpc_pipe_connect_b(torture, &p1, b, &ndr_table_netlogon,
				       credentials1, torture->ev, torture->lp_ctx);
	torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");

	torture_comment(torture, "Opening second connection\n");
	status = dcerpc_pipe_connect_b(torture, &p2, b, &ndr_table_netlogon,
				       credentials2, torture->ev, torture->lp_ctx);
	torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");

	cli_credentials_set_netlogon_creds(credentials1, NULL);
	cli_credentials_set_netlogon_creds(credentials2, NULL);

	torture_comment(torture, "Testing logon on pipe1\n");
	if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
		return false;

	torture_comment(torture, "Testing logon on pipe2\n");
	if (!test_netlogon_ex_ops(p2, torture, credentials2, NULL))
		return false;

	torture_comment(torture, "Again on pipe1\n");
	if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
		return false;

	torture_comment(torture, "Again on pipe2\n");
	if (!test_netlogon_ex_ops(p2, torture, credentials2, NULL))
		return false;

	torture_leave_domain(torture, join_ctx);
	return true;
}
static void init_domain_recv_queryinfo(struct tevent_req *subreq)
{
	struct init_domain_state *state =
		tevent_req_callback_data(subreq,
		struct init_domain_state);
	struct lsa_DomainInfo *dominfo;
	struct composite_context *ctx;
	uint32_t lflags;

	state->ctx->status = dcerpc_lsa_QueryInfoPolicy_r_recv(subreq, state);
	TALLOC_FREE(subreq);
	if (!composite_is_ok(state->ctx)) return;
	state->ctx->status = state->queryinfo.out.result;
	if (!composite_is_ok(state->ctx)) return;

	if (!dom_sid_equal(state->domain->info->sid, &global_sid_Builtin)) {
		dominfo = &(*state->queryinfo.out.info)->account_domain;
		
		if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
			DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
				  state->domain->info->name,
				  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
				  dominfo->name.string));
			composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
			return;
		}
		
		if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
			DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
				  dom_sid_string(state, state->domain->info->sid),
				  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
				  dom_sid_string(state, dominfo->sid)));
			composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
			return;
		}
	}

	state->domain->samr_binding = init_domain_binding(state, &ndr_table_samr);

	/* We want to use the same flags as the LSA pipe did (so, if
	 * it needed schannel, then we need that here too) */
	lflags = dcerpc_binding_get_flags(state->domain->lsa_binding);
	state->ctx->status = dcerpc_binding_set_flags(state->domain->samr_binding,
						      lflags, 0);
	if (!composite_is_ok(state->ctx)) return;

	state->domain->libnet_ctx->samr.pipe = NULL;
	state->domain->libnet_ctx->samr.samr_handle = NULL;

	ctx = wb_connect_samr_send(state, state->domain);
	composite_continue(state->ctx, ctx, init_domain_recv_samr, state);
}
/* Having make a netlogon connection (possibly secured with schannel),
 * make an LSA connection to the same DC, on the same IPC$ share */
static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
{
	struct init_domain_state *state =
		talloc_get_type(ctx->async.private_data,
				struct init_domain_state);
	uint32_t flags;

	state->ctx->status = dcerpc_pipe_connect_b_recv(ctx, state->domain, 
						   &state->domain->netlogon_pipe);
	
	if (!composite_is_ok(state->ctx)) {
		return;
	}
	talloc_reparent(state, state->domain->netlogon_pipe, state->domain->netlogon_binding);

	/* the netlogon connection is ready */
	tevent_queue_start(state->domain->netlogon_queue);

	state->domain->lsa_binding = init_domain_binding(state, &ndr_table_lsarpc);

	/* For debugging, it can be a real pain if all the traffic is encrypted */
	if (lpcfg_winbind_sealed_pipes(state->service->task->lp_ctx)) {
		flags = DCERPC_SIGN | DCERPC_SEAL;
	} else {
		flags = DCERPC_SIGN;
	}
	state->ctx->status = dcerpc_binding_set_flags(state->domain->lsa_binding,
						      flags, 0);
	if (!composite_is_ok(state->ctx)) {
		return;
	}

	state->domain->libnet_ctx->lsa.pipe = NULL;
	state->domain->libnet_ctx->lsa.lsa_handle = NULL;

	/* this will make the secondary connection on the same IPC$ share, 
	   secured with SPNEGO or NTLMSSP */
	ctx = dcerpc_secondary_auth_connection_send(state->domain->netlogon_pipe,
						    state->domain->lsa_binding,
						    &ndr_table_lsarpc,
						    state->domain->libnet_ctx->cred,
						    state->domain->libnet_ctx->lp_ctx
		);
	composite_continue(state->ctx, ctx, init_domain_recv_lsa_pipe, state);
}
Beispiel #5
0
static bool test_secrets(struct torture_context *torture, const void *_data)
{
        struct dcerpc_pipe *p;
	struct policy_handle *handle;
	struct dcerpc_binding *binding;
	const struct secret_settings *settings = 
		(const struct secret_settings *)_data;
	NTSTATUS status;
	struct dcerpc_binding_handle *b;

	lpcfg_set_cmdline(torture->lp_ctx, "ntlmssp client:keyexchange", settings->keyexchange?"True":"False");
	lpcfg_set_cmdline(torture->lp_ctx, "ntlmssp_client:ntlm2", settings->ntlm2?"True":"False");
	lpcfg_set_cmdline(torture->lp_ctx, "ntlmssp_client:lm_key", settings->lm_key?"True":"False");

	torture_assert_ntstatus_ok(torture, torture_rpc_binding(torture, &binding), 
				   "Getting bindoptions");

	status = dcerpc_binding_set_flags(binding, settings->bindoptions, 0);
	torture_assert_ntstatus_ok(torture, status, "dcerpc_binding_set_flags");

	status = dcerpc_pipe_connect_b(torture, &p, binding,
				       &ndr_table_lsarpc,
				       cmdline_credentials,
				       torture->ev,
				       torture->lp_ctx);

	torture_assert_ntstatus_ok(torture, status, "connect");
	b = p->binding_handle;

	if (!test_lsa_OpenPolicy2(b, torture, &handle)) {
		talloc_free(p);
		return false;
	}

	torture_assert(torture, handle, "OpenPolicy2 failed.  This test cannot run against this server");
	
	if (!test_CreateSecret_basic(p, torture, handle)) {
		talloc_free(p);
		return false;
	}

	talloc_free(p);

	return true;
}
Beispiel #6
0
static struct bkrp_BackupKey *createRetreiveBackupKeyGUIDStruct(struct torture_context *tctx,
				struct dcerpc_pipe *p, int version, DATA_BLOB *out)
{
	struct dcerpc_binding *binding;
	struct bkrp_client_side_wrapped data;
	struct GUID *g = talloc(tctx, struct GUID);
	struct bkrp_BackupKey *r = talloc_zero(tctx, struct bkrp_BackupKey);
	enum ndr_err_code ndr_err;
	DATA_BLOB blob;
	NTSTATUS status;

	if (r == NULL) {
		return NULL;
	}

	binding = dcerpc_binding_dup(tctx, p->binding);
	if (binding == NULL) {
		return NULL;
	}

	status = dcerpc_binding_set_flags(binding, DCERPC_SEAL|DCERPC_AUTH_SPNEGO, 0);
	if (!NT_STATUS_IS_OK(status)) {
		return NULL;
	}

	ZERO_STRUCT(data);
	status = GUID_from_string(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, g);
	if (!NT_STATUS_IS_OK(status)) {
		return NULL;
	}

	r->in.guidActionAgent = g;
	data.version = version;
	ndr_err = ndr_push_struct_blob(&blob, tctx, &data,
			(ndr_push_flags_fn_t)ndr_push_bkrp_client_side_wrapped);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		return NULL;
	}
	r->in.data_in = blob.data;
	r->in.data_in_len = blob.length;
	r->out.data_out = &out->data;
	r->out.data_out_len = talloc(r, uint32_t);
	return r;
}
Beispiel #7
0
/**
 * open a rpc connection to a specific transport
 */
NTSTATUS torture_rpc_connection_transport(struct torture_context *tctx, 
					  struct dcerpc_pipe **p, 
					  const struct ndr_interface_table *table,
					  enum dcerpc_transport_t transport,
					  uint32_t assoc_group_id,
					  uint32_t extra_flags)
{
	NTSTATUS status;
	struct dcerpc_binding *binding;

	*p = NULL;

	status = torture_rpc_binding(tctx, &binding);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = dcerpc_binding_set_transport(binding, transport);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = dcerpc_binding_set_assoc_group_id(binding, assoc_group_id);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = dcerpc_binding_set_flags(binding, extra_flags, 0);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = dcerpc_pipe_connect_b(tctx, p, binding, table,
				       popt_get_cmdline_credentials(),
				       tctx->ev, tctx->lp_ctx);
	if (!NT_STATUS_IS_OK(status)) {
		*p = NULL;
		return status;
	}

	return NT_STATUS_OK;
}
static bool retry_with_schannel(struct init_domain_state *state, 
				struct dcerpc_binding *binding,
				const struct ndr_interface_table *table,
				void (*continuation)(struct composite_context *))
{
	struct composite_context *ctx;
	uint32_t nflags;
	uint32_t bflags;

	state->ctx->status = NT_STATUS_OK;

	nflags = dcerpc_binding_get_flags(state->domain->netlogon_binding);
	bflags = dcerpc_binding_get_flags(binding);

	if ((nflags & DCERPC_SCHANNEL) && !(bflags & DCERPC_SCHANNEL)) {
		/* Opening a policy handle failed, perhaps it was
		 * because we don't get a 'wrong password' error on
		 * NTLMSSP binds */

		/* Try again with schannel */
		bflags |= DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO;

		state->ctx->status = dcerpc_binding_set_flags(binding, bflags, 0);
		if (!composite_is_ok(state->ctx)) return true;

		/* Try again, likewise on the same IPC$ share, 
		   secured with SCHANNEL */
		ctx = dcerpc_secondary_auth_connection_send(state->domain->netlogon_pipe,
							    binding,
							    table, 
							    state->domain->libnet_ctx->cred,
							    state->domain->libnet_ctx->lp_ctx);
		composite_continue(state->ctx, ctx, continuation, state);		
		return true;
	} else {
		return false;
	}
}
Beispiel #9
0
static bool test_schannel_anonymous_setPassword(struct torture_context *tctx,
						uint32_t dcerpc_flags,
						bool use2)
{
	NTSTATUS status, result;
	const char *binding = torture_setting_string(tctx, "binding", NULL);
	struct dcerpc_binding *b;
	struct dcerpc_pipe *p = NULL;
	struct cli_credentials *credentials;
	bool ok = true;

	credentials = cli_credentials_init(NULL);
	torture_assert(tctx, credentials != NULL, "Bad credentials");
	cli_credentials_set_anonymous(credentials);

	status = dcerpc_parse_binding(tctx, binding, &b);
	torture_assert_ntstatus_ok(tctx, status, "Bad binding string");

	status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
	torture_assert_ntstatus_ok(tctx, status, "set flags");

	status = dcerpc_pipe_connect_b(tctx,
				       &p,
				       b,
				       &ndr_table_netlogon,
				       credentials,
				       tctx->ev,
				       tctx->lp_ctx);
	torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");

	if (use2) {
		struct netr_ServerPasswordSet2 r = {};
		struct netr_Authenticator credential = {};
		struct netr_Authenticator return_authenticator = {};
		struct netr_CryptPassword new_password = {};

		r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
		r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
		r.in.secure_channel_type = 0;
		r.in.computer_name = TEST_MACHINE_NAME;
		r.in.credential = &credential;
		r.in.new_password = &new_password;
		r.out.return_authenticator = &return_authenticator;

		status = dcerpc_netr_ServerPasswordSet2_r(p->binding_handle, tctx, &r);
		result = r.out.result;
	} else {
		struct netr_ServerPasswordSet r = {};
		struct netr_Authenticator credential = {};
		struct netr_Authenticator return_authenticator = {};
		struct samr_Password new_password = {};

		r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
		r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
		r.in.secure_channel_type = 0;
		r.in.computer_name = TEST_MACHINE_NAME;
		r.in.credential = &credential;
		r.in.new_password = &new_password;
		r.out.return_authenticator = &return_authenticator;

		status = dcerpc_netr_ServerPasswordSet_r(p->binding_handle, tctx, &r);
		result = r.out.result;
	}

	torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet failed");

	if (NT_STATUS_IS_OK(result)) {
		torture_fail(tctx, "unexpectedly received NT_STATUS_OK");
	}

	return ok;
}
Beispiel #10
0
/*
  test a schannel connection with the given flags
 */
static bool test_schannel(struct torture_context *tctx,
			  uint16_t acct_flags, uint32_t dcerpc_flags,
			  int i)
{
	struct test_join *join_ctx;
	NTSTATUS status;
	const char *binding = torture_setting_string(tctx, "binding", NULL);
	struct dcerpc_binding *b;
	struct dcerpc_pipe *p = NULL;
	struct dcerpc_pipe *p_netlogon = NULL;
	struct dcerpc_pipe *p_netlogon2 = NULL;
	struct dcerpc_pipe *p_netlogon3 = NULL;
	struct dcerpc_pipe *p_samr2 = NULL;
	struct dcerpc_pipe *p_lsa = NULL;
	struct netlogon_creds_CredentialState *creds;
	struct cli_credentials *credentials;
	enum dcerpc_transport_t transport;

	join_ctx = torture_join_domain(tctx,
				       talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i),
				       acct_flags, &credentials);
	torture_assert(tctx, join_ctx != NULL, "Failed to join domain");

	status = dcerpc_parse_binding(tctx, binding, &b);
	torture_assert_ntstatus_ok(tctx, status, "Bad binding string");

	status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
	torture_assert_ntstatus_ok(tctx, status, "set flags");

	status = dcerpc_pipe_connect_b(tctx, &p, b, &ndr_table_samr,
				       credentials, tctx->ev, tctx->lp_ctx);
	torture_assert_ntstatus_ok(tctx, status,
		"Failed to connect to samr with schannel");

	torture_assert(tctx, test_samr_ops(tctx, p->binding_handle),
		       "Failed to process schannel secured SAMR ops");

	/* Also test that when we connect to the netlogon pipe, that
	 * the credentials we setup on the first pipe are valid for
	 * the second */

	/* Swap the binding details from SAMR to NETLOGON */
	status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx);
	torture_assert_ntstatus_ok(tctx, status, "epm map");

	status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
	torture_assert_ntstatus_ok(tctx, status, "set flags");

	status = dcerpc_secondary_auth_connection(p, b, &ndr_table_netlogon,
						  credentials, tctx->lp_ctx,
						  tctx, &p_netlogon);
	torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");

	creds = cli_credentials_get_netlogon_creds(credentials);
	torture_assert(tctx, (creds != NULL), "schannel creds");

	/* checks the capabilities */
	torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
		       "Failed to process schannel secured capability ops (on fresh connection)");

	/* do a couple of logins */
	torture_assert(tctx, test_netlogon_ops(p_netlogon, tctx, credentials, creds),
		"Failed to process schannel secured NETLOGON ops");

	torture_assert(tctx, test_netlogon_ex_ops(p_netlogon, tctx, credentials, creds),
		"Failed to process schannel secured NETLOGON EX ops");

	/* we *MUST* use ncacn_np for openpolicy etc. */
	transport = dcerpc_binding_get_transport(b);
	status = dcerpc_binding_set_transport(b, NCACN_NP);
	torture_assert_ntstatus_ok(tctx, status, "set transport");

	/* Swap the binding details from SAMR to LSARPC */
	status = dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx);
	torture_assert_ntstatus_ok(tctx, status, "epm map");

	torture_assert_ntstatus_ok(tctx,
		dcerpc_pipe_connect_b(tctx, &p_lsa, b, &ndr_table_lsarpc,
				      credentials, tctx->ev, tctx->lp_ctx),
		"failed to connect lsarpc with schannel");

	torture_assert(tctx, test_lsa_ops(tctx, p_lsa),
		"Failed to process schannel secured LSA ops");

	talloc_free(p_lsa);
	p_lsa = NULL;

	/* we *MUST* use ncacn_ip_tcp for lookupsids3/lookupnames4 */
	status = dcerpc_binding_set_transport(b, NCACN_IP_TCP);
	torture_assert_ntstatus_ok(tctx, status, "set transport");

	torture_assert_ntstatus_ok(tctx,
		dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx),
		"failed to call epm map");

	torture_assert_ntstatus_ok(tctx,
		dcerpc_pipe_connect_b(tctx, &p_lsa, b, &ndr_table_lsarpc,
				      credentials, tctx->ev, tctx->lp_ctx),
		"failed to connect lsarpc with schannel");

	torture_assert(tctx,
		test_many_LookupSids(p_lsa, tctx, NULL),
		"LsaLookupSids3 failed!\n");

	status = dcerpc_binding_set_transport(b, transport);
	torture_assert_ntstatus_ok(tctx, status, "set transport");


	/* Drop the socket, we want to start from scratch */
	talloc_free(p);
	p = NULL;

	/* Now see what we are still allowed to do */

	status = dcerpc_parse_binding(tctx, binding, &b);
	torture_assert_ntstatus_ok(tctx, status, "Bad binding string");

	status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
	torture_assert_ntstatus_ok(tctx, status, "set flags");

	status = dcerpc_pipe_connect_b(tctx, &p_samr2, b, &ndr_table_samr,
				       credentials, tctx->ev, tctx->lp_ctx);
	torture_assert_ntstatus_ok(tctx, status,
		"Failed to connect with schannel");

	/* do a some SAMR operations.  We have *not* done a new serverauthenticate */
	torture_assert (tctx, test_samr_ops(tctx, p_samr2->binding_handle),
			"Failed to process schannel secured SAMR ops (on fresh connection)");

	/* Swap the binding details from SAMR to NETLOGON */
	status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx);
	torture_assert_ntstatus_ok(tctx, status, "epm");

	status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
	torture_assert_ntstatus_ok(tctx, status, "set flags");

	status = dcerpc_secondary_auth_connection(p_samr2, b, &ndr_table_netlogon,
						  credentials, tctx->lp_ctx,
						  tctx, &p_netlogon2);
	torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");

	/* checks the capabilities */
	torture_assert(tctx, test_netlogon_capabilities(p_netlogon2, tctx, credentials, creds),
		       "Failed to process schannel secured capability ops (on fresh connection)");

	/* Try the schannel-only SamLogonEx operation */
	torture_assert(tctx, test_netlogon_ex_ops(p_netlogon2, tctx, credentials, creds),
		       "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");


	/* And the more traditional style, proving that the
	 * credentials chaining state is fully present */
	torture_assert(tctx, test_netlogon_ops(p_netlogon2, tctx, credentials, creds),
			     "Failed to process schannel secured NETLOGON ops (on fresh connection)");

	/* Drop the socket, we want to start from scratch (again) */
	talloc_free(p_samr2);

	/* We don't want schannel for this test */
	status = dcerpc_binding_set_flags(b, 0, DCERPC_AUTH_OPTIONS);
	torture_assert_ntstatus_ok(tctx, status, "set flags");

	status = dcerpc_pipe_connect_b(tctx, &p_netlogon3, b, &ndr_table_netlogon,
				       credentials, tctx->ev, tctx->lp_ctx);
	torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");

	torture_assert(tctx, !test_netlogon_ex_ops(p_netlogon3, tctx, credentials, creds),
			"Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");

	/* Required because the previous call will mark the current context as having failed */
	tctx->last_result = TORTURE_OK;
	tctx->last_reason = NULL;

	torture_assert(tctx, test_netlogon_ops(p_netlogon3, tctx, credentials, creds),
			"Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");

	torture_leave_domain(tctx, join_ctx);
	return true;
}
struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
					      struct wbsrv_service *service,
					      struct wb_dom_info *dom_info)
{
	struct composite_context *result, *ctx;
	struct init_domain_state *state;

	result = composite_create(mem_ctx, service->task->event_ctx);
	if (result == NULL) goto failed;

	state = talloc_zero(result, struct init_domain_state);
	if (state == NULL) goto failed;
	state->ctx = result;
	result->private_data = state;

	state->service = service;

	state->domain = talloc(state, struct wbsrv_domain);
	if (state->domain == NULL) goto failed;

	state->domain->service = service;

	state->domain->info = talloc_reference(state->domain, dom_info);
	if (state->domain->info == NULL) goto failed;

	state->domain->dc_name = dom_info->dc->name;
	state->domain->dc_address = dom_info->dc->address;

	state->domain->libnet_ctx = libnet_context_init(service->task->event_ctx, 
							service->task->lp_ctx);
	if (state->domain->libnet_ctx == NULL) goto failed;
	talloc_steal(state->domain, state->domain->libnet_ctx);

	/* Create a credentials structure */
	state->domain->libnet_ctx->cred = cli_credentials_init(state->domain);
	if (state->domain->libnet_ctx->cred == NULL) goto failed;

	cli_credentials_set_conf(state->domain->libnet_ctx->cred, service->task->lp_ctx);

	/* Connect the machine account to the credentials */
	state->ctx->status =
		cli_credentials_set_machine_account(state->domain->libnet_ctx->cred, state->domain->libnet_ctx->lp_ctx);
	if (!NT_STATUS_IS_OK(state->ctx->status)) goto failed;

	state->domain->netlogon_binding = init_domain_binding(state, &ndr_table_netlogon);

	state->domain->netlogon_pipe = NULL;

	state->domain->netlogon_queue = tevent_queue_create(state->domain,
							    "netlogon_queue");
	if (state->domain->netlogon_queue == NULL) goto failed;

	/* We start the queue when the connection is usable */
	tevent_queue_stop(state->domain->netlogon_queue);

	if ((!cli_credentials_is_anonymous(state->domain->libnet_ctx->cred)) &&
	    ((lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_MEMBER) ||
	     (lpcfg_server_role(service->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC)) &&
	    (dom_sid_equal(state->domain->info->sid,
			   state->service->primary_sid))) {
		uint32_t flags = DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO;

		/* For debugging, it can be a real pain if all the traffic is encrypted */
		if (lpcfg_winbind_sealed_pipes(service->task->lp_ctx)) {
			flags |= DCERPC_SIGN | DCERPC_SEAL;
		} else {
			flags |= DCERPC_SIGN;
		}
		state->ctx->status = dcerpc_binding_set_flags(state->domain->netlogon_binding,
							      flags, 0);
		if (!NT_STATUS_IS_OK(state->ctx->status)) goto failed;
	}

	/* No encryption on anonymous pipes */

	ctx = dcerpc_pipe_connect_b_send(state, state->domain->netlogon_binding, 
					 &ndr_table_netlogon,
					 state->domain->libnet_ctx->cred,
					 service->task->event_ctx,
					 service->task->lp_ctx);
	
	if (composite_nomem(ctx, state->ctx)) {
		goto failed;
	}
	
	composite_continue(state->ctx, ctx, init_domain_recv_netlogonpipe,
			   state);
	return result;
 failed:
	talloc_free(result);
	return NULL;
}
Beispiel #12
0
static NTSTATUS remote_op_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *iface, uint32_t if_version)
{
        NTSTATUS status;
	const struct ndr_interface_table *table;
	struct dcesrv_remote_private *priv;
	const char *binding = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "binding");
	const char *user, *pass, *domain;
	struct cli_credentials *credentials;
	bool must_free_credentials = true;
	bool machine_account;
	struct dcerpc_binding		*b;
	struct composite_context	*pipe_conn_req;
	uint32_t flags = 0;

	machine_account = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "use_machine_account", false);

	priv = talloc(dce_call->conn, struct dcesrv_remote_private);
	if (!priv) {
		return NT_STATUS_NO_MEMORY;	
	}
	
	priv->c_pipe = NULL;
	dce_call->context->private_data = priv;

	if (!binding) {
		DEBUG(0,("You must specify a DCE/RPC binding string\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}

	user = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "user");
	pass = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "password");
	domain = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dceprc_remote", "domain");

	table = ndr_table_by_syntax(&iface->syntax_id);
	if (!table) {
		dce_call->fault_code = DCERPC_NCA_S_UNKNOWN_IF;
		return NT_STATUS_NET_WRITE_FAULT;
	}

	if (user && pass) {
		DEBUG(5, ("dcerpc_remote: RPC Proxy: Using specified account\n"));
		credentials = cli_credentials_init(priv);
		if (!credentials) {
			return NT_STATUS_NO_MEMORY;
		}
		cli_credentials_set_conf(credentials, dce_call->conn->dce_ctx->lp_ctx);
		cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
		if (domain) {
			cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
		}
		cli_credentials_set_password(credentials, pass, CRED_SPECIFIED);
	} else if (machine_account) {
		DEBUG(5, ("dcerpc_remote: RPC Proxy: Using machine account\n"));
		credentials = cli_credentials_init(priv);
		cli_credentials_set_conf(credentials, dce_call->conn->dce_ctx->lp_ctx);
		if (domain) {
			cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
		}
		status = cli_credentials_set_machine_account(credentials, dce_call->conn->dce_ctx->lp_ctx);
		if (!NT_STATUS_IS_OK(status)) {
			return status;
		}
	} else if (dce_call->conn->auth_state.session_info->credentials) {
		DEBUG(5, ("dcerpc_remote: RPC Proxy: Using delegated credentials\n"));
		credentials = dce_call->conn->auth_state.session_info->credentials;
		must_free_credentials = false;
	} else {
		DEBUG(1,("dcerpc_remote: RPC Proxy: You must supply binding, user and password or have delegated credentials\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}

	/* parse binding string to the structure */
	status = dcerpc_parse_binding(dce_call->context, binding, &b);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("Failed to parse dcerpc binding '%s'\n", binding));
		return status;
	}

	/* If we already have a remote association group ID, then use that */
	if (dce_call->conn->assoc_group->proxied_id != 0) {
		status = dcerpc_binding_set_assoc_group_id(b,
			dce_call->conn->assoc_group->proxied_id);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(0, ("dcerpc_binding_set_assoc_group_id() - %s'\n",
				  nt_errstr(status)));
			return status;
		}
	}

	status = dcerpc_binding_set_abstract_syntax(b, &iface->syntax_id);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("dcerpc_binding_set_abstract_syntax() - %s'\n",
			  nt_errstr(status)));
		return status;
	}

	if (dce_call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) {
		status = dcerpc_binding_set_flags(b, DCERPC_CONCURRENT_MULTIPLEX, 0);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(0, ("dcerpc_binding_set_flags(CONC_MPX) - %s'\n",
				  nt_errstr(status)));
			return status;
		}
	}

	DEBUG(3, ("Using binding %s\n", dcerpc_binding_string(dce_call->context, b)));

	pipe_conn_req = dcerpc_pipe_connect_b_send(dce_call->context, b, table,
						   credentials, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx);
	status = dcerpc_pipe_connect_b_recv(pipe_conn_req, dce_call->context, &(priv->c_pipe));
	
	if (must_free_credentials) {
		talloc_free(credentials);
	}

	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	flags = dcerpc_binding_get_flags(priv->c_pipe->binding);
	if (!(flags & DCERPC_CONCURRENT_MULTIPLEX)) {
		dce_call->state_flags &= ~DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
	}

	if (dce_call->conn->assoc_group->proxied_id == 0) {
		dce_call->conn->assoc_group->proxied_id =
			dcerpc_binding_get_assoc_group_id(priv->c_pipe->binding);
	}

	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	return NT_STATUS_OK;	
}
Beispiel #13
0
_PUBLIC_ struct test_join *torture_join_domain(struct torture_context *tctx,
					       const char *machine_name, 
				      uint32_t acct_flags,
				      struct cli_credentials **machine_credentials)
{
	NTSTATUS status;
	struct libnet_context *libnet_ctx;
	struct libnet_JoinDomain *libnet_r;
	struct test_join *tj;
	struct samr_SetUserInfo s;
	union samr_UserInfo u;
	const char *binding_str = NULL;
	struct dcerpc_binding *binding = NULL;
	enum dcerpc_transport_t transport;

	tj = talloc_zero(tctx, struct test_join);
	if (!tj) return NULL;

	binding_str = torture_setting_string(tctx, "binding", NULL);
	if (binding_str == NULL) {
		const char *host = torture_setting_string(tctx, "host", NULL);
		binding_str = talloc_asprintf(tj, "ncacn_np:%s", host);
	}
	status = dcerpc_parse_binding(tj, binding_str, &binding);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("dcerpc_parse_binding(%s) failed - %s\n",
			  binding_str, nt_errstr(status)));
		talloc_free(tj);
		return NULL;
	}
	transport = dcerpc_binding_get_transport(binding);
	switch (transport) {
	case NCALRPC:
	case NCACN_UNIX_STREAM:
		break;
	default:
		dcerpc_binding_set_transport(binding, NCACN_NP);
		dcerpc_binding_set_flags(binding, 0, DCERPC_AUTH_OPTIONS);
		break;
	}

	libnet_r = talloc_zero(tj, struct libnet_JoinDomain);
	if (!libnet_r) {
		talloc_free(tj);
		return NULL;
	}
	
	libnet_ctx = libnet_context_init(tctx->ev, tctx->lp_ctx);
	if (!libnet_ctx) {
		talloc_free(tj);
		return NULL;
	}
	
	tj->libnet_r = libnet_r;
		
	libnet_ctx->cred = cmdline_credentials;
	libnet_r->in.binding = dcerpc_binding_string(libnet_r, binding);
	if (libnet_r->in.binding == NULL) {
		talloc_free(tj);
		return NULL;
	}
	libnet_r->in.level = LIBNET_JOINDOMAIN_SPECIFIED;
	libnet_r->in.netbios_name = machine_name;
	libnet_r->in.account_name = talloc_asprintf(libnet_r, "%s$", machine_name);
	if (!libnet_r->in.account_name) {
		talloc_free(tj);
		return NULL;
	}
	
	libnet_r->in.acct_type = acct_flags;
	libnet_r->in.recreate_account = true;

	status = libnet_JoinDomain(libnet_ctx, libnet_r, libnet_r);
	if (!NT_STATUS_IS_OK(status)) {
		if (libnet_r->out.error_string) {
			DEBUG(0, ("Domain join failed - %s\n", libnet_r->out.error_string));
		} else {
			DEBUG(0, ("Domain join failed - %s\n", nt_errstr(status)));
		}
		talloc_free(tj);
                return NULL;
	}
	tj->p = libnet_r->out.samr_pipe;
	tj->user_handle = *libnet_r->out.user_handle;
	tj->dom_sid = libnet_r->out.domain_sid;
	talloc_steal(tj, libnet_r->out.domain_sid);
	tj->dom_netbios_name	= libnet_r->out.domain_name;
	talloc_steal(tj, libnet_r->out.domain_name);
	tj->dom_dns_name	= libnet_r->out.realm;
	talloc_steal(tj, libnet_r->out.realm);
	tj->user_guid = libnet_r->out.account_guid;
	tj->netbios_name = talloc_strdup(tj, machine_name);
	if (!tj->netbios_name) {
		talloc_free(tj);
		return NULL;
	}

	ZERO_STRUCT(u);
	s.in.user_handle = &tj->user_handle;
	s.in.info = &u;
	s.in.level = 21;

	u.info21.fields_present = SAMR_FIELD_DESCRIPTION | SAMR_FIELD_COMMENT | SAMR_FIELD_FULL_NAME;
	u.info21.comment.string = talloc_asprintf(tj, 
						  "Tortured by Samba4: %s", 
						  timestring(tj, time(NULL)));
	u.info21.full_name.string = talloc_asprintf(tj, 
						    "Torture account for Samba4: %s", 
						    timestring(tj, time(NULL)));
	
	u.info21.description.string = talloc_asprintf(tj, 
						      "Samba4 torture account created by host %s: %s", 
						      lpcfg_netbios_name(tctx->lp_ctx), timestring(tj, time(NULL)));

	status = dcerpc_samr_SetUserInfo_r(tj->p->binding_handle, tj, &s);
	if (!NT_STATUS_IS_OK(status)) {
		printf("SetUserInfo (non-critical) failed - %s\n", nt_errstr(status));
	}
	if (!NT_STATUS_IS_OK(s.out.result)) {
		printf("SetUserInfo (non-critical) failed - %s\n", nt_errstr(s.out.result));
	}

	*machine_credentials = cli_credentials_init(tj);
	cli_credentials_set_conf(*machine_credentials, tctx->lp_ctx);
	cli_credentials_set_workstation(*machine_credentials, machine_name, CRED_SPECIFIED);
	cli_credentials_set_domain(*machine_credentials, libnet_r->out.domain_name, CRED_SPECIFIED);
	if (libnet_r->out.realm) {
		cli_credentials_set_realm(*machine_credentials, libnet_r->out.realm, CRED_SPECIFIED);
	}
	cli_credentials_set_username(*machine_credentials, libnet_r->in.account_name, CRED_SPECIFIED);
	cli_credentials_set_password(*machine_credentials, libnet_r->out.join_password, CRED_SPECIFIED);
	cli_credentials_set_kvno(*machine_credentials, libnet_r->out.kvno);
	if (acct_flags & ACB_SVRTRUST) {
		cli_credentials_set_secure_channel_type(*machine_credentials,
							SEC_CHAN_BDC);
	} else if (acct_flags & ACB_WSTRUST) {
		cli_credentials_set_secure_channel_type(*machine_credentials,
							SEC_CHAN_WKSTA);
	} else {
		DEBUG(0, ("Invalid account type specificed to torture_join_domain\n"));
		talloc_free(*machine_credentials);
		return NULL;
	}

	return tj;
}