/* do some lsa ops using the schannel connection */ static bool test_lsa_ops(struct torture_context *tctx, struct dcerpc_pipe *p) { struct lsa_GetUserName r; bool ret = true; struct lsa_String *account_name_p = NULL; struct lsa_String *authority_name_p = NULL; struct dcerpc_binding_handle *b = p->binding_handle; printf("\nTesting GetUserName\n"); r.in.system_name = "\\"; r.in.account_name = &account_name_p; r.in.authority_name = &authority_name_p; r.out.account_name = &account_name_p; /* do several ops to test credential chaining and various operations */ torture_assert_ntstatus_ok(tctx, dcerpc_lsa_GetUserName_r(b, tctx, &r), "lsa_GetUserName failed"); authority_name_p = *r.out.authority_name; if (!NT_STATUS_IS_OK(r.out.result)) { printf("GetUserName failed - %s\n", nt_errstr(r.out.result)); return false; } else { if (!r.out.account_name) { return false; } if (strcmp(account_name_p->string, "ANONYMOUS LOGON") != 0) { printf("GetUserName returned wrong user: %s, expected %s\n", account_name_p->string, "ANONYMOUS LOGON"); /* FIXME: gd */ if (!torture_setting_bool(tctx, "samba3", false)) { return false; } } if (!authority_name_p || !authority_name_p->string) { return false; } if (strcmp(authority_name_p->string, "NT AUTHORITY") != 0) { printf("GetUserName returned wrong user: %s, expected %s\n", authority_name_p->string, "NT AUTHORITY"); /* FIXME: gd */ if (!torture_setting_bool(tctx, "samba3", false)) { return false; } } } if (!test_many_LookupSids(p, tctx, NULL)) { printf("LsaLookupSids3 failed!\n"); return false; } return ret; }
/* do some lsa ops using the schannel connection */ static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) { struct lsa_GetUserName r; NTSTATUS status; BOOL ret = True; struct lsa_StringPointer authority_name_p; printf("\nTesting GetUserName\n"); r.in.system_name = "\\"; r.in.account_name = NULL; r.in.authority_name = &authority_name_p; authority_name_p.string = NULL; /* do several ops to test credential chaining and various operations */ status = dcerpc_lsa_GetUserName(p, mem_ctx, &r); if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) { printf("not considering %s to be an error\n", nt_errstr(status)); } else if (!NT_STATUS_IS_OK(status)) { printf("GetUserName failed - %s\n", nt_errstr(status)); return False; } else { if (!r.out.account_name) { return False; } if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) { printf("GetUserName returned wrong user: %s, expected %s\n", r.out.account_name->string, "ANONYMOUS LOGON"); return False; } if (!r.out.authority_name || !r.out.authority_name->string) { return False; } if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) { printf("GetUserName returned wrong user: %s, expected %s\n", r.out.authority_name->string->string, "NT AUTHORITY"); return False; } } if (!test_many_LookupSids(p, mem_ctx, NULL)) { printf("LsaLookupSids3 failed!\n"); return False; } return ret; }
/* test a schannel connection with the given flags */ static bool test_schannel(struct torture_context *tctx, uint16_t acct_flags, uint32_t dcerpc_flags, int i) { struct test_join *join_ctx; NTSTATUS status; const char *binding = torture_setting_string(tctx, "binding", NULL); struct dcerpc_binding *b; struct dcerpc_pipe *p = NULL; struct dcerpc_pipe *p_netlogon = NULL; struct dcerpc_pipe *p_netlogon2 = NULL; struct dcerpc_pipe *p_netlogon3 = NULL; struct dcerpc_pipe *p_samr2 = NULL; struct dcerpc_pipe *p_lsa = NULL; struct netlogon_creds_CredentialState *creds; struct cli_credentials *credentials; enum dcerpc_transport_t transport; join_ctx = torture_join_domain(tctx, talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i), acct_flags, &credentials); torture_assert(tctx, join_ctx != NULL, "Failed to join domain"); status = dcerpc_parse_binding(tctx, binding, &b); torture_assert_ntstatus_ok(tctx, status, "Bad binding string"); status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS); torture_assert_ntstatus_ok(tctx, status, "set flags"); status = dcerpc_pipe_connect_b(tctx, &p, b, &ndr_table_samr, credentials, tctx->ev, tctx->lp_ctx); torture_assert_ntstatus_ok(tctx, status, "Failed to connect to samr with schannel"); torture_assert(tctx, test_samr_ops(tctx, p->binding_handle), "Failed to process schannel secured SAMR ops"); /* Also test that when we connect to the netlogon pipe, that * the credentials we setup on the first pipe are valid for * the second */ /* Swap the binding details from SAMR to NETLOGON */ status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx); torture_assert_ntstatus_ok(tctx, status, "epm map"); status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS); torture_assert_ntstatus_ok(tctx, status, "set flags"); status = dcerpc_secondary_auth_connection(p, b, &ndr_table_netlogon, credentials, tctx->lp_ctx, tctx, &p_netlogon); torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection"); creds = cli_credentials_get_netlogon_creds(credentials); torture_assert(tctx, (creds != NULL), "schannel creds"); /* checks the capabilities */ torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds), "Failed to process schannel secured capability ops (on fresh connection)"); /* do a couple of logins */ torture_assert(tctx, test_netlogon_ops(p_netlogon, tctx, credentials, creds), "Failed to process schannel secured NETLOGON ops"); torture_assert(tctx, test_netlogon_ex_ops(p_netlogon, tctx, credentials, creds), "Failed to process schannel secured NETLOGON EX ops"); /* we *MUST* use ncacn_np for openpolicy etc. */ transport = dcerpc_binding_get_transport(b); status = dcerpc_binding_set_transport(b, NCACN_NP); torture_assert_ntstatus_ok(tctx, status, "set transport"); /* Swap the binding details from SAMR to LSARPC */ status = dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx); torture_assert_ntstatus_ok(tctx, status, "epm map"); torture_assert_ntstatus_ok(tctx, dcerpc_pipe_connect_b(tctx, &p_lsa, b, &ndr_table_lsarpc, credentials, tctx->ev, tctx->lp_ctx), "failed to connect lsarpc with schannel"); torture_assert(tctx, test_lsa_ops(tctx, p_lsa), "Failed to process schannel secured LSA ops"); talloc_free(p_lsa); p_lsa = NULL; /* we *MUST* use ncacn_ip_tcp for lookupsids3/lookupnames4 */ status = dcerpc_binding_set_transport(b, NCACN_IP_TCP); torture_assert_ntstatus_ok(tctx, status, "set transport"); torture_assert_ntstatus_ok(tctx, dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx), "failed to call epm map"); torture_assert_ntstatus_ok(tctx, dcerpc_pipe_connect_b(tctx, &p_lsa, b, &ndr_table_lsarpc, credentials, tctx->ev, tctx->lp_ctx), "failed to connect lsarpc with schannel"); torture_assert(tctx, test_many_LookupSids(p_lsa, tctx, NULL), "LsaLookupSids3 failed!\n"); status = dcerpc_binding_set_transport(b, transport); torture_assert_ntstatus_ok(tctx, status, "set transport"); /* Drop the socket, we want to start from scratch */ talloc_free(p); p = NULL; /* Now see what we are still allowed to do */ status = dcerpc_parse_binding(tctx, binding, &b); torture_assert_ntstatus_ok(tctx, status, "Bad binding string"); status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS); torture_assert_ntstatus_ok(tctx, status, "set flags"); status = dcerpc_pipe_connect_b(tctx, &p_samr2, b, &ndr_table_samr, credentials, tctx->ev, tctx->lp_ctx); torture_assert_ntstatus_ok(tctx, status, "Failed to connect with schannel"); /* do a some SAMR operations. We have *not* done a new serverauthenticate */ torture_assert (tctx, test_samr_ops(tctx, p_samr2->binding_handle), "Failed to process schannel secured SAMR ops (on fresh connection)"); /* Swap the binding details from SAMR to NETLOGON */ status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx); torture_assert_ntstatus_ok(tctx, status, "epm"); status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS); torture_assert_ntstatus_ok(tctx, status, "set flags"); status = dcerpc_secondary_auth_connection(p_samr2, b, &ndr_table_netlogon, credentials, tctx->lp_ctx, tctx, &p_netlogon2); torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection"); /* checks the capabilities */ torture_assert(tctx, test_netlogon_capabilities(p_netlogon2, tctx, credentials, creds), "Failed to process schannel secured capability ops (on fresh connection)"); /* Try the schannel-only SamLogonEx operation */ torture_assert(tctx, test_netlogon_ex_ops(p_netlogon2, tctx, credentials, creds), "Failed to process schannel secured NETLOGON EX ops (on fresh connection)"); /* And the more traditional style, proving that the * credentials chaining state is fully present */ torture_assert(tctx, test_netlogon_ops(p_netlogon2, tctx, credentials, creds), "Failed to process schannel secured NETLOGON ops (on fresh connection)"); /* Drop the socket, we want to start from scratch (again) */ talloc_free(p_samr2); /* We don't want schannel for this test */ status = dcerpc_binding_set_flags(b, 0, DCERPC_AUTH_OPTIONS); torture_assert_ntstatus_ok(tctx, status, "set flags"); status = dcerpc_pipe_connect_b(tctx, &p_netlogon3, b, &ndr_table_netlogon, credentials, tctx->ev, tctx->lp_ctx); torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel"); torture_assert(tctx, !test_netlogon_ex_ops(p_netlogon3, tctx, credentials, creds), "Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)"); /* Required because the previous call will mark the current context as having failed */ tctx->last_result = TORTURE_OK; tctx->last_reason = NULL; torture_assert(tctx, test_netlogon_ops(p_netlogon3, tctx, credentials, creds), "Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth"); torture_leave_domain(tctx, join_ctx); return true; }