static NTSTATUS tcp_ldap_netlogon(void *conn,
TALLOC_CTX *mem_ctx,
struct cldap_netlogon *io)
{
struct cldap_search search;
struct ldap_SearchResEntry *res;
NTSTATUS status;
DATA_BLOB *blob;
ZERO_STRUCT(search);
search.in.attributes = (const char *[]) { "netlogon", NULL };
search.in.filter = cldap_netlogon_create_filter(mem_ctx, io);
if (search.in.filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
status = tcp_ldap_rootdse(conn, mem_ctx, &search);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
res = search.out.response;
if (res == NULL) {
return NT_STATUS_NOT_FOUND;
}
if (res->num_attributes != 1 ||
strcasecmp(res->attributes[0].name, "netlogon") != 0 ||
res->attributes[0].num_values != 1 ||
res->attributes[0].values->length < 2) {
return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
}
blob = res->attributes[0].values;
status = pull_netlogon_samlogon_response(blob, mem_ctx,
&io->out.netlogon);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (io->in.map_response) {
map_netlogon_samlogon_response(&io->out.netlogon);
}
return NT_STATUS_OK;
}
static NTSTATUS udp_ldap_rootdse(void *data, TALLOC_CTX *mem_ctx,
struct cldap_search *io)
{
struct cldap_socket *cldap = talloc_get_type(data,
struct cldap_socket);
return cldap_search(cldap, mem_ctx, io);
}
static bool test_netlogon_extra_attrs(struct torture_context *tctx,
request_rootdse_t request_rootdse,
void *conn)
{
struct cldap_search io;
NTSTATUS status;
const char *attrs[] = {
"netlogon",
"supportedCapabilities",
NULL
};
const char *attrs2[] = { "netlogon", "*", NULL };
struct ldb_message ldbmsg = { NULL, 0, NULL };
ZERO_STRUCT(io);
io.in.dest_address = NULL;
io.in.dest_port = 0;
io.in.timeout = 2;
io.in.retries = 2;
/* Additional attributes may be requested next to netlogon */
torture_comment(tctx, "Requesting netlogon with additional attribute\n");
io.in.filter =
talloc_asprintf(tctx, "(&"
"(NtVer=%s)(AAC=%s)"
/* Query for LDAP_CAP_ACTIVE_DIRECTORY_OID */
"(supportedCapabilities=1.2.840.113556.1.4.800)"
")",
ldap_encode_ndr_uint32(tctx,
NETLOGON_NT_VERSION_5EX),
ldap_encode_ndr_uint32(tctx, 0));
torture_assert(tctx, io.in.filter != NULL, "OOM");
io.in.attributes = attrs;
status = request_rootdse(conn, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
torture_assert(tctx, io.out.response != NULL, "No Entries found.");
CHECK_VAL(io.out.response->num_attributes, 2);
/* netlogon + '*' attr return zero results */
torture_comment(tctx, "Requesting netlogon and '*' attributes\n");
io.in.attributes = attrs2;
status = request_rootdse(conn, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
torture_assert(tctx, io.out.response != NULL, "No Entries found.");
ldbmsg.num_elements = io.out.response->num_attributes;
ldbmsg.elements = io.out.response->attributes;
torture_assert(tctx, ldb_msg_find_element(&ldbmsg, "netlogon") != NULL,
"Attribute netlogon not found in Result Entry\n");
/* Wildcards are not allowed in filters when netlogon is requested. */
torture_comment(tctx, "Requesting netlogon with invalid attr filter\n");
io.in.filter =
talloc_asprintf(tctx,
"(&(NtVer=%s)(AAC=%s)(supportedCapabilities=*))",
ldap_encode_ndr_uint32(tctx,
NETLOGON_NT_VERSION_5EX),
ldap_encode_ndr_uint32(tctx, 0));
torture_assert(tctx, io.in.filter != NULL, "OOM");
io.in.attributes = attrs;
status = request_rootdse(conn, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
torture_assert(tctx, io.out.response == NULL,
"A wildcard filter should return no entries.");
return true;
}
bool torture_netlogon_tcp(struct torture_context *tctx)
{
const char *host = torture_setting_string(tctx, "host", NULL);
bool ret = true;
NTSTATUS status;
struct ldap_connection *conn;
TALLOC_CTX *mem_ctx;
const char *url;
mem_ctx = talloc_init("torture_ldap_netlogon");
url = talloc_asprintf(mem_ctx, "ldap://%s/", host);
status = torture_ldap_connection(tctx, &conn, url);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
ret &= test_ldap_netlogon(tctx, tcp_ldap_netlogon, conn, host);
ret &= test_ldap_netlogon_flags(tctx, tcp_ldap_netlogon, conn, host);
ret &= test_netlogon_extra_attrs(tctx, tcp_ldap_rootdse, conn);
return ret;
}
static NTSTATUS udp_ldap_netlogon(void *data,
TALLOC_CTX *mem_ctx,
struct cldap_netlogon *io)
{
struct cldap_socket *cldap = talloc_get_type(data,
struct cldap_socket);
return cldap_netlogon(cldap, mem_ctx, io);
}
bool torture_netlogon_udp(struct torture_context *tctx)
{
const char *host = torture_setting_string(tctx, "host", NULL);
bool ret = true;
int r;
struct cldap_socket *cldap;
NTSTATUS status;
struct tsocket_address *dest_addr;
r = tsocket_address_inet_from_strings(tctx, "ip",
host,
lpcfg_cldap_port(tctx->lp_ctx),
&dest_addr);
CHECK_VAL(r, 0);
/* cldap_socket_init should now know about the dest. address */
status = cldap_socket_init(tctx, NULL, dest_addr, &cldap);
CHECK_STATUS(status, NT_STATUS_OK);
ret &= test_ldap_netlogon(tctx, udp_ldap_netlogon, cldap, host);
ret &= test_ldap_netlogon_flags(tctx, udp_ldap_netlogon, cldap, host);
ret &= test_netlogon_extra_attrs(tctx, udp_ldap_rootdse, cldap);
return ret;
}
/*
test a schannel connection with the given flags
*/
static bool test_schannel(struct torture_context *tctx,
uint16_t acct_flags, uint32_t dcerpc_flags,
int i)
{
struct test_join *join_ctx;
NTSTATUS status;
const char *binding = torture_setting_string(tctx, "binding", NULL);
struct dcerpc_binding *b;
struct dcerpc_pipe *p = NULL;
struct dcerpc_pipe *p_netlogon = NULL;
struct dcerpc_pipe *p_netlogon2 = NULL;
struct dcerpc_pipe *p_netlogon3 = NULL;
struct dcerpc_pipe *p_samr2 = NULL;
struct dcerpc_pipe *p_lsa = NULL;
struct netlogon_creds_CredentialState *creds;
struct cli_credentials *credentials;
join_ctx = torture_join_domain(tctx,
talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i),
acct_flags, &credentials);
torture_assert(tctx, join_ctx != NULL, "Failed to join domain");
status = dcerpc_parse_binding(tctx, binding, &b);
torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
b->flags &= ~DCERPC_AUTH_OPTIONS;
b->flags |= dcerpc_flags;
status = dcerpc_pipe_connect_b(tctx, &p, b, &ndr_table_samr,
credentials, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status,
"Failed to connect with schannel");
torture_assert(tctx, test_samr_ops(tctx, p->binding_handle),
"Failed to process schannel secured SAMR ops");
/* Also test that when we connect to the netlogon pipe, that
* the credentials we setup on the first pipe are valid for
* the second */
/* Swap the binding details from SAMR to NETLOGON */
status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status, "epm map");
status = dcerpc_secondary_connection(p, &p_netlogon,
b);
torture_assert_ntstatus_ok(tctx, status, "seconday connection");
status = dcerpc_bind_auth(p_netlogon, &ndr_table_netlogon,
credentials, lpcfg_gensec_settings(tctx, tctx->lp_ctx),
DCERPC_AUTH_TYPE_SCHANNEL,
dcerpc_auth_level(p->conn),
NULL);
torture_assert_ntstatus_ok(tctx, status, "bind auth");
status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
torture_assert_ntstatus_ok(tctx, status, "schannel creds");
/* do a couple of logins */
torture_assert(tctx, test_netlogon_ops(p_netlogon, tctx, credentials, creds),
"Failed to process schannel secured NETLOGON ops");
torture_assert(tctx, test_netlogon_ex_ops(p_netlogon, tctx, credentials, creds),
"Failed to process schannel secured NETLOGON EX ops");
/* Swap the binding details from SAMR to LSARPC */
status = dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status, "epm map");
status = dcerpc_secondary_connection(p, &p_lsa,
b);
torture_assert_ntstatus_ok(tctx, status, "seconday connection");
status = dcerpc_bind_auth(p_lsa, &ndr_table_lsarpc,
credentials, lpcfg_gensec_settings(tctx, tctx->lp_ctx),
DCERPC_AUTH_TYPE_SCHANNEL,
dcerpc_auth_level(p->conn),
NULL);
torture_assert_ntstatus_ok(tctx, status, "bind auth");
torture_assert(tctx, test_lsa_ops(tctx, p_lsa),
"Failed to process schannel secured LSA ops");
/* Drop the socket, we want to start from scratch */
talloc_free(p);
p = NULL;
/* Now see what we are still allowed to do */
status = dcerpc_parse_binding(tctx, binding, &b);
torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
b->flags &= ~DCERPC_AUTH_OPTIONS;
b->flags |= dcerpc_flags;
status = dcerpc_pipe_connect_b(tctx, &p_samr2, b, &ndr_table_samr,
credentials, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status,
"Failed to connect with schannel");
/* do a some SAMR operations. We have *not* done a new serverauthenticate */
torture_assert (tctx, test_samr_ops(tctx, p_samr2->binding_handle),
"Failed to process schannel secured SAMR ops (on fresh connection)");
/* Swap the binding details from SAMR to NETLOGON */
status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status, "epm");
status = dcerpc_secondary_connection(p_samr2, &p_netlogon2,
b);
torture_assert_ntstatus_ok(tctx, status, "seconday connection");
/* and now setup an SCHANNEL bind on netlogon */
status = dcerpc_bind_auth(p_netlogon2, &ndr_table_netlogon,
credentials, lpcfg_gensec_settings(tctx, tctx->lp_ctx),
DCERPC_AUTH_TYPE_SCHANNEL,
dcerpc_auth_level(p_samr2->conn),
NULL);
torture_assert_ntstatus_ok(tctx, status, "auth failed");
/* Try the schannel-only SamLogonEx operation */
torture_assert(tctx, test_netlogon_ex_ops(p_netlogon2, tctx, credentials, creds),
"Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
/* And the more traditional style, proving that the
* credentials chaining state is fully present */
torture_assert(tctx, test_netlogon_ops(p_netlogon2, tctx, credentials, creds),
"Failed to process schannel secured NETLOGON ops (on fresh connection)");
/* Drop the socket, we want to start from scratch (again) */
talloc_free(p_samr2);
/* We don't want schannel for this test */
b->flags &= ~DCERPC_AUTH_OPTIONS;
status = dcerpc_pipe_connect_b(tctx, &p_netlogon3, b, &ndr_table_netlogon,
credentials, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");
torture_assert(tctx, !test_netlogon_ex_ops(p_netlogon3, tctx, credentials, creds),
"Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
/* Required because the previous call will mark the current context as having failed */
tctx->last_result = TORTURE_OK;
tctx->last_reason = NULL;
torture_assert(tctx, test_netlogon_ops(p_netlogon3, tctx, credentials, creds),
"Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
torture_leave_domain(tctx, join_ctx);
return true;
}
/*
ping pong
*/
bool torture_ping_pong(struct torture_context *torture)
{
const char *fn;
int num_locks;
TALLOC_CTX *mem_ctx = talloc_new(torture);
static bool do_reads;
static bool do_writes;
int lock_timeout;
int fd;
struct smbcli_state *cli;
int i;
uint8_t incr=0, last_incr=0;
uint8_t *val;
int count, loops;
struct timeval start;
fn = torture_setting_string(torture, "filename", NULL);
if (fn == NULL) {
DEBUG(0,("You must specify the filename using --option=torture:filename=...\n"));
return false;
}
num_locks = torture_setting_int(torture, "num_locks", -1);
if (num_locks == -1) {
DEBUG(0,("You must specify num_locks using --option=torture:num_locks=...\n"));
return false;
}
do_reads = torture_setting_bool(torture, "read", false);
do_writes = torture_setting_bool(torture, "write", false);
lock_timeout = torture_setting_int(torture, "lock_timeout", 100000);
if (!torture_open_connection(&cli, torture, 0)) {
DEBUG(0,("Could not open connection\n"));
return false;
}
fd = smbcli_open(cli->tree, fn, O_RDWR|O_CREAT, DENY_NONE);
if (fd == -1) {
printf("Failed to open %s\n", fn);
exit(1);
}
write_byte(cli, fd, 0, num_locks);
lock_byte(cli, fd, 0, lock_timeout);
start = timeval_current();
val = talloc_zero_array(mem_ctx, uint8_t, num_locks);
i = 0;
count = 0;
loops = 0;
while (1) {
lock_byte(cli, fd, (i+1)%num_locks, lock_timeout);
if (do_reads) {
uint8_t c;
read_byte(cli, fd, &c, i);
incr = c-val[i];
val[i] = c;
}
if (do_writes) {
uint8_t c = val[i] + 1;
write_byte(cli, fd, c, i);
}
unlock_byte(cli, fd, i);
i = (i+1)%num_locks;
count++;
if (loops>num_locks && incr!=last_incr) {
last_incr = incr;
printf("data increment = %u\n", incr);
fflush(stdout);
}
if (timeval_elapsed(&start) > 1.0) {
printf("%8u locks/sec\r",
(unsigned)(2*count/timeval_elapsed(&start)));
fflush(stdout);
start = timeval_current();
count=0;
}
loops++;
}
}
static bool test_schannel_anonymous_setPassword(struct torture_context *tctx,
uint32_t dcerpc_flags,
bool use2)
{
NTSTATUS status, result;
const char *binding = torture_setting_string(tctx, "binding", NULL);
struct dcerpc_binding *b;
struct dcerpc_pipe *p = NULL;
struct cli_credentials *credentials;
bool ok = true;
credentials = cli_credentials_init(NULL);
torture_assert(tctx, credentials != NULL, "Bad credentials");
cli_credentials_set_anonymous(credentials);
status = dcerpc_parse_binding(tctx, binding, &b);
torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
torture_assert_ntstatus_ok(tctx, status, "set flags");
status = dcerpc_pipe_connect_b(tctx,
&p,
b,
&ndr_table_netlogon,
credentials,
tctx->ev,
tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");
if (use2) {
struct netr_ServerPasswordSet2 r = {};
struct netr_Authenticator credential = {};
struct netr_Authenticator return_authenticator = {};
struct netr_CryptPassword new_password = {};
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
r.in.secure_channel_type = 0;
r.in.computer_name = TEST_MACHINE_NAME;
r.in.credential = &credential;
r.in.new_password = &new_password;
r.out.return_authenticator = &return_authenticator;
status = dcerpc_netr_ServerPasswordSet2_r(p->binding_handle, tctx, &r);
result = r.out.result;
} else {
struct netr_ServerPasswordSet r = {};
struct netr_Authenticator credential = {};
struct netr_Authenticator return_authenticator = {};
struct samr_Password new_password = {};
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
r.in.secure_channel_type = 0;
r.in.computer_name = TEST_MACHINE_NAME;
r.in.credential = &credential;
r.in.new_password = &new_password;
r.out.return_authenticator = &return_authenticator;
status = dcerpc_netr_ServerPasswordSet_r(p->binding_handle, tctx, &r);
result = r.out.result;
}
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet failed");
if (NT_STATUS_IS_OK(result)) {
torture_fail(tctx, "unexpectedly received NT_STATUS_OK");
}
return ok;
}
/* test a query FS info by asking for share's GUID */
static bool test_fsinfo(struct smbcli_state *cli, struct torture_context *tctx)
{
char *guid = NULL;
NTSTATUS status;
struct smb_composite_fsinfo io1;
struct composite_context **c;
int i;
extern int torture_numops;
struct tevent_context *event_ctx;
int *count = talloc_zero(tctx, int);
bool ret = true;
io1.in.dest_host = torture_setting_string(tctx, "host", NULL);
io1.in.dest_ports = lp_smb_ports(tctx->lp_ctx);
io1.in.socket_options = lp_socket_options(tctx->lp_ctx);
io1.in.called_name = torture_setting_string(tctx, "host", NULL);
io1.in.service = torture_setting_string(tctx, "share", NULL);
io1.in.service_type = "A:";
io1.in.credentials = cmdline_credentials;
io1.in.workgroup = lp_workgroup(tctx->lp_ctx);
io1.in.level = RAW_QFS_OBJECTID_INFORMATION;
io1.in.iconv_convenience = lp_iconv_convenience(tctx->lp_ctx);
io1.in.gensec_settings = lp_gensec_settings(tctx, tctx->lp_ctx);
printf("testing parallel queryfsinfo [Object ID] with %d ops\n", torture_numops);
event_ctx = tctx->ev;
c = talloc_array(tctx, struct composite_context *, torture_numops);
for (i=0; i<torture_numops; i++) {
c[i] = smb_composite_fsinfo_send(cli->tree, &io1, lp_resolve_context(tctx->lp_ctx));
c[i]->async.fn = loadfile_complete;
c[i]->async.private_data = count;
}
printf("waiting for completion\n");
while (*count < torture_numops) {
event_loop_once(event_ctx);
if (torture_setting_bool(tctx, "progress", true)) {
printf("(%s) count=%d\r", __location__, *count);
fflush(stdout);
}
}
printf("count=%d\n", *count);
for (i=0;i<torture_numops;i++) {
status = smb_composite_fsinfo_recv(c[i], tctx);
if (!NT_STATUS_IS_OK(status)) {
printf("(%s) fsinfo[%d] failed - %s\n", __location__, i, nt_errstr(status));
ret = false;
continue;
}
if (io1.out.fsinfo->generic.level != RAW_QFS_OBJECTID_INFORMATION) {
printf("(%s) wrong level in returned info - %d "
"should be %d\n", __location__,
io1.out.fsinfo->generic.level, RAW_QFS_OBJECTID_INFORMATION);
ret = false;
continue;
}
guid=GUID_string(tctx, &io1.out.fsinfo->objectid_information.out.guid);
printf("[%d] GUID: %s\n", i, guid);
}
return ret;
}
bool torture_ldap_basic(struct torture_context *torture)
{
NTSTATUS status;
struct ldap_connection *conn;
TALLOC_CTX *mem_ctx;
bool ret = true;
const char *host = torture_setting_string(torture, "host", NULL);
const char *userdn = torture_setting_string(torture, "ldap_userdn", NULL);
const char *secret = torture_setting_string(torture, "ldap_secret", NULL);
const char *url;
const char *basedn;
const char **partitions;
mem_ctx = talloc_init("torture_ldap_basic");
url = talloc_asprintf(mem_ctx, "ldap://%s/", host);
status = torture_ldap_connection(torture, &conn, url);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
if (!test_search_rootDSE(conn, &basedn, &partitions)) {
ret = false;
}
if (!test_search_rootDSE_empty_substring(conn)) {
ret = false;
}
/* other bind tests here */
if (!test_multibind(conn, userdn, secret)) {
ret = false;
}
if (!test_bind_sasl(torture, conn, popt_get_cmdline_credentials())) {
ret = false;
}
if (!test_search_auth_empty_substring(conn, basedn)) {
ret = false;
}
if (!test_compare_sasl(conn, basedn)) {
ret = false;
}
/* error codes test here */
if (!test_error_codes(torture, conn, basedn)) {
ret = false;
}
/* referrals test here */
if (!test_referrals(torture, mem_ctx, url, basedn, partitions)) {
ret = false;
}
if (!test_abandon_request(torture, conn, basedn)) {
ret = false;
}
/* if there are no more tests we are closing */
torture_ldap_close(conn);
talloc_free(mem_ctx);
return ret;
}
/* Check with a known 'well formed' PAC, from my test server */
static bool torture_pac_saved_check(struct torture_context *tctx)
{
NTSTATUS nt_status;
enum ndr_err_code ndr_err;
DATA_BLOB tmp_blob, validate_blob;
struct PAC_DATA *pac_data, pac_data2;
struct PAC_LOGON_INFO *logon_info;
union netr_Validation validation;
const char *pac_file, *pac_kdc_key, *pac_member_key;
struct auth_serversupplied_info *server_info_out;
krb5_keyblock server_keyblock;
krb5_keyblock krbtgt_keyblock, *krbtgt_keyblock_p;
struct samr_Password *krbtgt_bytes, *krbsrv_bytes;
krb5_error_code ret;
struct smb_krb5_context *smb_krb5_context;
const char *principal_string;
char *broken_principal_string;
krb5_principal client_principal;
const char *authtime_string;
time_t authtime;
TALLOC_CTX *mem_ctx = tctx;
torture_assert(tctx, 0 == smb_krb5_init_context(mem_ctx, NULL,
tctx->lp_ctx,
&smb_krb5_context),
"smb_krb5_init_context");
pac_kdc_key = torture_setting_string(tctx, "pac_kdc_key",
"B286757148AF7FD252C53603A150B7E7");
pac_member_key = torture_setting_string(tctx, "pac_member_key",
"D217FAEAE5E6B5F95CCC94077AB8A5FC");
torture_comment(tctx, "Using pac_kdc_key '%s'\n", pac_kdc_key);
torture_comment(tctx, "Using pac_member_key '%s'\n", pac_member_key);
/* The krbtgt key in use when the above PAC was generated.
* This is an arcfour-hmac-md5 key, extracted with our 'net
* samdump' tool. */
if (*pac_kdc_key == 0) {
krbtgt_bytes = NULL;
} else {
krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, pac_kdc_key);
if (!krbtgt_bytes) {
torture_fail(tctx, "(saved test) Could not interpret krbtgt key");
}
}
krbsrv_bytes = smbpasswd_gethexpwd(mem_ctx, pac_member_key);
if (!krbsrv_bytes) {
torture_fail(tctx, "(saved test) Could not interpret krbsrv key");
}
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ENCTYPE_ARCFOUR_HMAC,
krbsrv_bytes->hash, sizeof(krbsrv_bytes->hash),
&server_keyblock);
torture_assert(tctx, !ret,
talloc_asprintf(tctx,
"(saved test) Server Keyblock encoding failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
if (krbtgt_bytes) {
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ENCTYPE_ARCFOUR_HMAC,
krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash),
&krbtgt_keyblock);
if (ret) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) Server Keyblock encoding failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
}
krbtgt_keyblock_p = &krbtgt_keyblock;
} else {
krbtgt_keyblock_p = NULL;
}
pac_file = torture_setting_string(tctx, "pac_file", NULL);
if (pac_file) {
tmp_blob.data = (uint8_t *)file_load(pac_file, &tmp_blob.length, 0, mem_ctx);
torture_comment(tctx, "(saved test) Loaded pac of size %ld from %s\n", (long)tmp_blob.length, pac_file);
} else {
tmp_blob = data_blob_talloc(mem_ctx, saved_pac, sizeof(saved_pac));
}
dump_data(10,tmp_blob.data,tmp_blob.length);
principal_string = torture_setting_string(tctx, "pac_client_principal",
"[email protected]");
authtime_string = torture_setting_string(tctx, "pac_authtime", "1120440609");
authtime = strtoull(authtime_string, NULL, 0);
ret = krb5_parse_name(smb_krb5_context->krb5_context, principal_string,
&client_principal);
if (ret) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) parsing of client principal [%s] failed: %s",
principal_string,
smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
}
/* Decode and verify the signaure on the PAC */
nt_status = kerberos_decode_pac(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
&pac_data,
tmp_blob,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal, authtime, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, talloc_asprintf(tctx,
"(saved test) PAC decoding failed: %s",
nt_errstr(nt_status)));
}
/* Now check we can read it back (using Heimdal's pac parsing) */
nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
tmp_blob,
smb_krb5_context->krb5_context,
&server_info_out);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, talloc_asprintf(tctx,
"(saved test) Heimdal PAC decoding failed: %s",
nt_errstr(nt_status)));
}
if (!pac_file &&
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
server_info_out->account_sid)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
dom_sid_string(mem_ctx, server_info_out->account_sid)));
}
talloc_free(server_info_out);
/* Parse the PAC again, for the logon info this time (using Samba4's parsing) */
nt_status = kerberos_pac_logon_info(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
&logon_info,
tmp_blob,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal, authtime, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) PAC decoding (for logon info) failed: %s",
nt_errstr(nt_status)));
}
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(mem_ctx,
"",
3, &validation,
&server_info_out);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) PAC decoding (make server info) failed: %s",
nt_errstr(nt_status)));
}
if (!pac_file &&
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
server_info_out->account_sid)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) PAC Decode resulted in *different* domain SID: %s != %s",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
dom_sid_string(mem_ctx, server_info_out->account_sid)));
}
if (krbtgt_bytes == NULL) {
torture_comment(tctx, "skipping PAC encoding tests as non kdc key\n");
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
return true;
}
ret = kerberos_encode_pac(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
pac_data,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
&validate_blob);
if (ret != 0) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, "(saved test) PAC push failed");
}
dump_data(10, validate_blob.data, validate_blob.length);
/* compare both the length and the data bytes after a
* pull/push cycle. This ensures we use the exact same
* pointer, padding etc algorithms as win2k3.
*/
if (tmp_blob.length != validate_blob.length) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) PAC push failed: original buffer length[%u] != created buffer length[%u]",
(unsigned)tmp_blob.length, (unsigned)validate_blob.length));
}
if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
DEBUG(0, ("tmp_data:\n"));
dump_data(0, tmp_blob.data, tmp_blob.length);
DEBUG(0, ("validate_blob:\n"));
dump_data(0, validate_blob.data, validate_blob.length);
torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC push failed: length[%u] matches, but data does not", (unsigned)tmp_blob.length));
}
ret = kerberos_create_pac(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
server_info_out,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal, authtime,
&validate_blob);
if (ret != 0) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, "(saved test) regnerated PAC create failed");
}
dump_data(10,validate_blob.data,validate_blob.length);
/* compare both the length and the data bytes after a
* pull/push cycle. This ensures we use the exact same
* pointer, padding etc algorithms as win2k3.
*/
if (tmp_blob.length != validate_blob.length) {
ndr_err = ndr_pull_struct_blob(&validate_blob, mem_ctx,
lp_iconv_convenience(tctx->lp_ctx), &pac_data2,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
nt_status = ndr_map_error2ntstatus(ndr_err);
torture_assert_ntstatus_ok(tctx, nt_status, "can't parse the PAC");
NDR_PRINT_DEBUG(PAC_DATA, pac_data);
NDR_PRINT_DEBUG(PAC_DATA, &pac_data2);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, talloc_asprintf(tctx,
"(saved test) PAC regenerate failed: original buffer length[%u] != created buffer length[%u]",
(unsigned)tmp_blob.length, (unsigned)validate_blob.length));
}
if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
ndr_err = ndr_pull_struct_blob(&validate_blob, mem_ctx,
lp_iconv_convenience(tctx->lp_ctx), &pac_data2,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
nt_status = ndr_map_error2ntstatus(ndr_err);
torture_assert_ntstatus_ok(tctx, nt_status, "can't parse the PAC");
NDR_PRINT_DEBUG(PAC_DATA, pac_data);
NDR_PRINT_DEBUG(PAC_DATA, &pac_data2);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
DEBUG(0, ("tmp_data:\n"));
dump_data(0, tmp_blob.data, tmp_blob.length);
DEBUG(0, ("validate_blob:\n"));
dump_data(0, validate_blob.data, validate_blob.length);
torture_fail(tctx, talloc_asprintf(tctx,
"(saved test) PAC regenerate failed: length[%u] matches, but data does not", (unsigned)tmp_blob.length));
}
/* Break the auth time, to ensure we check this vital detail (not setting this caused all the pain in the first place... */
nt_status = kerberos_decode_pac(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
&pac_data,
tmp_blob,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal,
authtime + 1, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken auth time (time + 1)");
}
/* Break the client principal */
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
broken_principal_string = talloc_strdup(mem_ctx, principal_string);
broken_principal_string[0]++;
ret = krb5_parse_name(smb_krb5_context->krb5_context,
broken_principal_string, &client_principal);
if (ret) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx, talloc_asprintf(tctx,
"(saved test) parsing of broken client principal failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
}
nt_status = kerberos_decode_pac(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
&pac_data,
tmp_blob,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal,
authtime, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on modified principal");
}
/* Finally... Bugger up the signature, and check we fail the checksum */
tmp_blob.data[tmp_blob.length - 2]++;
nt_status = kerberos_decode_pac(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
&pac_data,
tmp_blob,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal,
authtime, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken checksum");
}
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
return true;
}
/*
* Test that a ticket obtained for the DNS service will be accepted on the Samba DLZ side
*
*/
static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech)
{
NTSTATUS status;
struct gensec_security *gensec_client_context;
DATA_BLOB client_to_server, server_to_client;
void *dbdata;
const char *argv[] = {
"samba_dlz",
"-H",
lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
NULL
};
tctx_static = tctx;
torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata,
"log", dlz_bind9_log_wrapper,
"writeable_zone", dlz_bind9_writeable_zone_hook, NULL),
ISC_R_SUCCESS,
"Failed to create samba_dlz");
torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
ISC_R_SUCCESS,
"Failed to configure samba_dlz");
status = gensec_client_start(tctx, &gensec_client_context,
lpcfg_gensec_settings(tctx, tctx->lp_ctx));
torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
/*
* dlz_bind9 use the special dns/host.domain account
*/
status = gensec_set_target_hostname(gensec_client_context,
talloc_asprintf(tctx,
"%s.%s",
torture_setting_string(tctx, "host", NULL),
lpcfg_dnsdomain(tctx->lp_ctx)));
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
status = gensec_set_target_service(gensec_client_context, "dns");
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_service failed");
status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
status = gensec_start_mech_by_sasl_name(gensec_client_context, mech);
torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
server_to_client = data_blob(NULL, 0);
/* Do one step of the client-server update dance */
status = gensec_update(gensec_client_context, tctx, server_to_client, &client_to_server);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
}
torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
lpcfg_dnsdomain(tctx->lp_ctx),
"127.0.0.1", "type", "key",
client_to_server.length,
client_to_server.data,
dbdata),
ISC_TRUE,
"Failed to check key for update rights samba_dlz");
dlz_destroy(dbdata);
return true;
}
/*
* Test some zone dumps
*/
static bool test_dlz_bind9_zonedump(struct torture_context *tctx)
{
size_t i;
void *dbdata;
const char *argv[] = {
"samba_dlz",
"-H",
lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
NULL
};
struct test_expected_rr *expected1 = NULL;
tctx_static = tctx;
torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata,
"log", dlz_bind9_log_wrapper,
"writeable_zone", dlz_bind9_writeable_zone_hook,
"putrr", dlz_bind9_putrr_hook,
"putnamedrr", dlz_bind9_putnamedrr_hook,
NULL),
ISC_R_SUCCESS,
"Failed to create samba_dlz");
torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
ISC_R_SUCCESS,
"Failed to configure samba_dlz");
expected1 = talloc_zero(tctx, struct test_expected_rr);
torture_assert(tctx, expected1 != NULL, "talloc failed");
expected1->tctx = tctx;
expected1->num_records = 7;
expected1->records = talloc_zero_array(expected1,
struct test_expected_record,
expected1->num_records);
torture_assert(tctx, expected1->records != NULL, "talloc failed");
expected1->records[0].name = talloc_asprintf(expected1->records,
"%s.", lpcfg_dnsdomain(tctx->lp_ctx));
expected1->records[0].type = "soa";
expected1->records[0].ttl = 3600;
expected1->records[0].data = talloc_asprintf(expected1->records,
"%s.%s. hostmaster.%s. 1 900 600 86400 3600",
torture_setting_string(tctx, "host", NULL),
lpcfg_dnsdomain(tctx->lp_ctx),
lpcfg_dnsdomain(tctx->lp_ctx));
torture_assert(tctx, expected1->records[0].data != NULL, "talloc failed");
expected1->records[1].name = talloc_asprintf(expected1->records,
"%s.", lpcfg_dnsdomain(tctx->lp_ctx));
expected1->records[1].type = "ns";
expected1->records[1].ttl = 900;
expected1->records[1].data = talloc_asprintf(expected1->records, "%s.%s.",
torture_setting_string(tctx, "host", NULL),
lpcfg_dnsdomain(tctx->lp_ctx));
torture_assert(tctx, expected1->records[1].data != NULL, "talloc failed");
expected1->records[2].name = talloc_asprintf(expected1->records,
"%s.", lpcfg_dnsdomain(tctx->lp_ctx));
expected1->records[2].type = "aaaa";
expected1->records[2].ttl = 900;
expected1->records[3].name = talloc_asprintf(expected1->records,
"%s.", lpcfg_dnsdomain(tctx->lp_ctx));
expected1->records[3].type = "a";
expected1->records[3].ttl = 900;
expected1->records[4].name = talloc_asprintf(expected1->records, "%s.%s.",
torture_setting_string(tctx, "host", NULL),
lpcfg_dnsdomain(tctx->lp_ctx));
torture_assert(tctx, expected1->records[4].name != NULL, "unknown host");
expected1->records[4].type = "aaaa";
expected1->records[4].ttl = 900;
expected1->records[5].name = talloc_asprintf(expected1->records, "%s.%s.",
torture_setting_string(tctx, "host", NULL),
lpcfg_dnsdomain(tctx->lp_ctx));
torture_assert(tctx, expected1->records[5].name != NULL, "unknown host");
expected1->records[5].type = "a";
expected1->records[5].ttl = 900;
/*
* We expect multiple srv records
*/
expected1->records[6].name = NULL;
expected1->records[6].type = "srv";
expected1->records[6].ttl = 900;
torture_assert_int_equal(tctx, dlz_allnodes(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, (dns_sdlzallnodes_t *)expected1),
ISC_R_SUCCESS,
"Failed to configure samba_dlz");
for (i = 0; i < expected1->num_records; i++) {
torture_assert(tctx, expected1->records[i].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[i].name,
expected1->records[i].type));
}
torture_assert_int_equal(tctx, expected1->num_rr, 24,
"Got wrong record count");
dlz_destroy(dbdata);
return true;
}
bool torture_net_become_dc(struct torture_context *torture)
{
bool ret = true;
NTSTATUS status;
struct libnet_BecomeDC b;
struct libnet_UnbecomeDC u;
struct libnet_vampire_cb_state *s;
struct ldb_message *msg;
int ldb_ret;
uint32_t i;
char *private_dir;
const char *address;
struct nbt_name name;
const char *netbios_name;
struct cli_credentials *machine_account;
struct test_join *tj;
struct loadparm_context *lp_ctx;
struct ldb_context *ldb;
struct libnet_context *ctx;
struct dsdb_schema *schema;
char *location = NULL;
torture_assert_ntstatus_ok(torture, torture_temp_dir(torture, "libnet_BecomeDC", &location),
"torture_temp_dir should return NT_STATUS_OK" );
netbios_name = lpcfg_parm_string(torture->lp_ctx, NULL, "become dc", "smbtorture dc");
if (!netbios_name || !netbios_name[0]) {
netbios_name = "smbtorturedc";
}
make_nbt_name_server(&name, torture_setting_string(torture, "host", NULL));
/* do an initial name resolution to find its IP */
status = resolve_name_ex(lpcfg_resolve_context(torture->lp_ctx),
0, 0,
&name, torture, &address, torture->ev);
torture_assert_ntstatus_ok(torture, status, talloc_asprintf(torture,
"Failed to resolve %s - %s\n",
name.name, nt_errstr(status)));
/* Join domain as a member server. */
tj = torture_join_domain(torture, netbios_name,
ACB_WSTRUST,
&machine_account);
torture_assert(torture, tj, talloc_asprintf(torture,
"%s failed to join domain as workstation\n",
netbios_name));
s = libnet_vampire_cb_state_init(torture, torture->lp_ctx, torture->ev,
netbios_name,
torture_join_dom_netbios_name(tj),
torture_join_dom_dns_name(tj),
location);
torture_assert(torture, s, "libnet_vampire_cb_state_init");
ctx = libnet_context_init(torture->ev, torture->lp_ctx);
ctx->cred = cmdline_credentials;
ZERO_STRUCT(b);
b.in.domain_dns_name = torture_join_dom_dns_name(tj);
b.in.domain_netbios_name = torture_join_dom_netbios_name(tj);
b.in.domain_sid = torture_join_sid(tj);
b.in.source_dsa_address = address;
b.in.dest_dsa_netbios_name = netbios_name;
b.in.callbacks.private_data = s;
b.in.callbacks.check_options = libnet_vampire_cb_check_options;
b.in.callbacks.prepare_db = libnet_vampire_cb_prepare_db;
b.in.callbacks.schema_chunk = libnet_vampire_cb_schema_chunk;
b.in.callbacks.config_chunk = libnet_vampire_cb_store_chunk;
b.in.callbacks.domain_chunk = libnet_vampire_cb_store_chunk;
status = libnet_BecomeDC(ctx, s, &b);
torture_assert_ntstatus_ok_goto(torture, status, ret, cleanup, talloc_asprintf(torture,
"libnet_BecomeDC() failed - %s %s\n",
nt_errstr(status), b.out.error_string));
ldb = libnet_vampire_cb_ldb(s);
msg = ldb_msg_new(s);
torture_assert_int_equal_goto(torture, (msg?1:0), 1, ret, cleanup,
"ldb_msg_new() failed\n");
msg->dn = ldb_dn_new(msg, ldb, "@ROOTDSE");
torture_assert_int_equal_goto(torture, (msg->dn?1:0), 1, ret, cleanup,
"ldb_msg_new(@ROOTDSE) failed\n");
ldb_ret = ldb_msg_add_string(msg, "isSynchronized", "TRUE");
torture_assert_int_equal_goto(torture, ldb_ret, LDB_SUCCESS, ret, cleanup,
"ldb_msg_add_string(msg, isSynchronized, TRUE) failed\n");
for (i=0; i < msg->num_elements; i++) {
msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
}
torture_comment(torture, "mark ROOTDSE with isSynchronized=TRUE\n");
ldb_ret = ldb_modify(libnet_vampire_cb_ldb(s), msg);
torture_assert_int_equal_goto(torture, ldb_ret, LDB_SUCCESS, ret, cleanup,
"ldb_modify() failed\n");
/* commit the transaction now we know the secrets were written
* out properly
*/
ldb_ret = ldb_transaction_commit(ldb);
torture_assert_int_equal_goto(torture, ldb_ret, LDB_SUCCESS, ret, cleanup,
"ldb_transaction_commit() failed\n");
/* reopen the ldb */
talloc_unlink(s, ldb);
lp_ctx = libnet_vampire_cb_lp_ctx(s);
private_dir = talloc_asprintf(s, "%s/%s", location, "private");
lpcfg_set_cmdline(lp_ctx, "private dir", private_dir);
torture_comment(torture, "Reopen the SAM LDB with system credentials and all replicated data: %s\n", private_dir);
ldb = samdb_connect(s, torture->ev, lp_ctx, system_session(lp_ctx), 0);
torture_assert_goto(torture, ldb != NULL, ret, cleanup,
talloc_asprintf(torture,
"Failed to open '%s/sam.ldb'\n", private_dir));
torture_assert_goto(torture, dsdb_uses_global_schema(ldb), ret, cleanup,
"Uses global schema");
schema = dsdb_get_schema(ldb, s);
torture_assert_goto(torture, schema != NULL, ret, cleanup,
"Failed to get loaded dsdb_schema\n");
/* Make sure we get this from the command line */
if (lpcfg_parm_bool(torture->lp_ctx, NULL, "become dc", "do not unjoin", false)) {
talloc_free(s);
return ret;
}
cleanup:
ZERO_STRUCT(u);
u.in.domain_dns_name = torture_join_dom_dns_name(tj);
u.in.domain_netbios_name = torture_join_dom_netbios_name(tj);
u.in.source_dsa_address = address;
u.in.dest_dsa_netbios_name = netbios_name;
status = libnet_UnbecomeDC(ctx, s, &u);
torture_assert_ntstatus_ok(torture, status, talloc_asprintf(torture,
"libnet_UnbecomeDC() failed - %s %s\n",
nt_errstr(status), u.out.error_string));
/* Leave domain. */
torture_leave_domain(torture, tj);
talloc_free(s);
return ret;
}
BOOL torture_domain_close_samr(struct torture_context *torture)
{
BOOL ret = True;
NTSTATUS status;
TALLOC_CTX *mem_ctx=NULL;
struct libnet_context *ctx;
struct lsa_String domain_name;
struct dcerpc_binding *binding;
const char *bindstr;
uint32_t access_mask;
struct policy_handle h;
struct dcerpc_pipe *p;
struct libnet_DomainClose r;
bindstr = torture_setting_string(torture, "binding", NULL);
status = dcerpc_parse_binding(torture, bindstr, &binding);
if (!NT_STATUS_IS_OK(status)) {
d_printf("failed to parse binding string\n");
return False;
}
ctx = libnet_context_init(NULL);
if (ctx == NULL) {
d_printf("failed to create libnet context\n");
ret = False;
goto done;
}
ctx->cred = cmdline_credentials;
mem_ctx = talloc_init("torture_domain_close_samr");
status = dcerpc_pipe_connect(mem_ctx, &p, bindstr, &dcerpc_table_samr,
cmdline_credentials, NULL);
if (!NT_STATUS_IS_OK(status)) {
d_printf("failed to connect to server %s: %s\n", bindstr,
nt_errstr(status));
ret = False;
goto done;
}
domain_name.string = lp_workgroup();
if (!test_opendomain_samr(p, torture, &h, &domain_name, &access_mask)) {
d_printf("failed to open domain on samr service\n");
ret = False;
goto done;
}
ctx->samr.pipe = p;
ctx->samr.name = domain_name.string;
ctx->samr.access_mask = access_mask;
ctx->samr.handle = h;
/* we have to use pipe's event context, otherwise the call will
hang indefinately */
ctx->event_ctx = p->conn->event_ctx;
ZERO_STRUCT(r);
r.in.type = DOMAIN_SAMR;
r.in.domain_name = domain_name.string;
status = libnet_DomainClose(ctx, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
ret = False;
goto done;
}
done:
talloc_free(mem_ctx);
talloc_free(ctx);
return ret;
}
_PUBLIC_ struct test_join *torture_join_domain(struct torture_context *tctx,
const char *machine_name,
uint32_t acct_flags,
struct cli_credentials **machine_credentials)
{
NTSTATUS status;
struct libnet_context *libnet_ctx;
struct libnet_JoinDomain *libnet_r;
struct test_join *tj;
struct samr_SetUserInfo s;
union samr_UserInfo u;
tj = talloc(tctx, struct test_join);
if (!tj) return NULL;
libnet_r = talloc(tj, struct libnet_JoinDomain);
if (!libnet_r) {
talloc_free(tj);
return NULL;
}
libnet_ctx = libnet_context_init(tctx->ev, tctx->lp_ctx);
if (!libnet_ctx) {
talloc_free(tj);
return NULL;
}
tj->libnet_r = libnet_r;
libnet_ctx->cred = cmdline_credentials;
libnet_r->in.binding = torture_setting_string(tctx, "binding", NULL);
if (!libnet_r->in.binding) {
libnet_r->in.binding = talloc_asprintf(libnet_r, "ncacn_np:%s", torture_setting_string(tctx, "host", NULL));
}
libnet_r->in.level = LIBNET_JOINDOMAIN_SPECIFIED;
libnet_r->in.netbios_name = machine_name;
libnet_r->in.account_name = talloc_asprintf(libnet_r, "%s$", machine_name);
if (!libnet_r->in.account_name) {
talloc_free(tj);
return NULL;
}
libnet_r->in.acct_type = acct_flags;
libnet_r->in.recreate_account = true;
status = libnet_JoinDomain(libnet_ctx, libnet_r, libnet_r);
if (!NT_STATUS_IS_OK(status)) {
if (libnet_r->out.error_string) {
DEBUG(0, ("Domain join failed - %s\n", libnet_r->out.error_string));
} else {
DEBUG(0, ("Domain join failed - %s\n", nt_errstr(status)));
}
talloc_free(tj);
return NULL;
}
tj->p = libnet_r->out.samr_pipe;
tj->user_handle = *libnet_r->out.user_handle;
tj->dom_sid = libnet_r->out.domain_sid;
talloc_steal(tj, libnet_r->out.domain_sid);
tj->dom_netbios_name = libnet_r->out.domain_name;
talloc_steal(tj, libnet_r->out.domain_name);
tj->dom_dns_name = libnet_r->out.realm;
talloc_steal(tj, libnet_r->out.realm);
tj->user_guid = libnet_r->out.account_guid;
tj->netbios_name = talloc_strdup(tj, machine_name);
if (!tj->netbios_name) {
talloc_free(tj);
return NULL;
}
ZERO_STRUCT(u);
s.in.user_handle = &tj->user_handle;
s.in.info = &u;
s.in.level = 21;
u.info21.fields_present = SAMR_FIELD_DESCRIPTION | SAMR_FIELD_COMMENT | SAMR_FIELD_FULL_NAME;
u.info21.comment.string = talloc_asprintf(tj,
"Tortured by Samba4: %s",
timestring(tj, time(NULL)));
u.info21.full_name.string = talloc_asprintf(tj,
"Torture account for Samba4: %s",
timestring(tj, time(NULL)));
u.info21.description.string = talloc_asprintf(tj,
"Samba4 torture account created by host %s: %s",
lpcfg_netbios_name(tctx->lp_ctx), timestring(tj, time(NULL)));
status = dcerpc_samr_SetUserInfo_r(tj->p->binding_handle, tj, &s);
if (!NT_STATUS_IS_OK(status)) {
printf("SetUserInfo (non-critical) failed - %s\n", nt_errstr(status));
}
if (!NT_STATUS_IS_OK(s.out.result)) {
printf("SetUserInfo (non-critical) failed - %s\n", nt_errstr(s.out.result));
}
*machine_credentials = cli_credentials_init(tj);
cli_credentials_set_conf(*machine_credentials, tctx->lp_ctx);
cli_credentials_set_workstation(*machine_credentials, machine_name, CRED_SPECIFIED);
cli_credentials_set_domain(*machine_credentials, libnet_r->out.domain_name, CRED_SPECIFIED);
if (libnet_r->out.realm) {
cli_credentials_set_realm(*machine_credentials, libnet_r->out.realm, CRED_SPECIFIED);
}
cli_credentials_set_username(*machine_credentials, libnet_r->in.account_name, CRED_SPECIFIED);
cli_credentials_set_password(*machine_credentials, libnet_r->out.join_password, CRED_SPECIFIED);
cli_credentials_set_kvno(*machine_credentials, libnet_r->out.kvno);
if (acct_flags & ACB_SVRTRUST) {
cli_credentials_set_secure_channel_type(*machine_credentials,
SEC_CHAN_BDC);
} else if (acct_flags & ACB_WSTRUST) {
cli_credentials_set_secure_channel_type(*machine_credentials,
SEC_CHAN_WKSTA);
} else {
DEBUG(0, ("Invalid account type specificed to torture_join_domain\n"));
talloc_free(*machine_credentials);
return NULL;
}
return tj;
}
struct test_join *torture_create_testuser_max_pwlen(struct torture_context *torture,
const char *username,
const char *domain,
uint16_t acct_type,
const char **random_password,
int max_pw_len)
{
NTSTATUS status;
struct samr_Connect c;
struct samr_CreateUser2 r;
struct samr_OpenDomain o;
struct samr_LookupDomain l;
struct dom_sid2 *sid = NULL;
struct samr_GetUserPwInfo pwp;
struct samr_PwInfo info;
struct samr_SetUserInfo s;
union samr_UserInfo u;
struct policy_handle handle;
uint32_t access_granted;
uint32_t rid;
DATA_BLOB session_key;
struct lsa_String name;
int policy_min_pw_len = 0;
struct test_join *join;
char *random_pw;
const char *dc_binding = torture_setting_string(torture, "dc_binding", NULL);
struct dcerpc_binding_handle *b = NULL;
join = talloc(NULL, struct test_join);
if (join == NULL) {
return NULL;
}
ZERO_STRUCTP(join);
printf("Connecting to SAMR\n");
if (dc_binding) {
status = dcerpc_pipe_connect(join,
&join->p,
dc_binding,
&ndr_table_samr,
cmdline_credentials, NULL, torture->lp_ctx);
} else {
status = torture_rpc_connection(torture,
&join->p,
&ndr_table_samr);
}
if (!NT_STATUS_IS_OK(status)) {
return NULL;
}
b = join->p->binding_handle;
c.in.system_name = NULL;
c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
c.out.connect_handle = &handle;
status = dcerpc_samr_Connect_r(b, join, &c);
if (!NT_STATUS_IS_OK(status)) {
const char *errstr = nt_errstr(status);
printf("samr_Connect failed - %s\n", errstr);
return NULL;
}
if (!NT_STATUS_IS_OK(c.out.result)) {
const char *errstr = nt_errstr(c.out.result);
printf("samr_Connect failed - %s\n", errstr);
return NULL;
}
if (domain) {
printf("Opening domain %s\n", domain);
name.string = domain;
l.in.connect_handle = &handle;
l.in.domain_name = &name;
l.out.sid = &sid;
status = dcerpc_samr_LookupDomain_r(b, join, &l);
if (!NT_STATUS_IS_OK(status)) {
printf("LookupDomain failed - %s\n", nt_errstr(status));
goto failed;
}
if (!NT_STATUS_IS_OK(l.out.result)) {
printf("LookupDomain failed - %s\n", nt_errstr(l.out.result));
goto failed;
}
} else {
struct samr_EnumDomains e;
uint32_t resume_handle = 0, num_entries;
struct samr_SamArray *sam;
int i;
e.in.connect_handle = &handle;
e.in.buf_size = (uint32_t)-1;
e.in.resume_handle = &resume_handle;
e.out.sam = &sam;
e.out.num_entries = &num_entries;
e.out.resume_handle = &resume_handle;
status = dcerpc_samr_EnumDomains_r(b, join, &e);
if (!NT_STATUS_IS_OK(status)) {
printf("EnumDomains failed - %s\n", nt_errstr(status));
goto failed;
}
if (!NT_STATUS_IS_OK(e.out.result)) {
printf("EnumDomains failed - %s\n", nt_errstr(e.out.result));
goto failed;
}
if ((num_entries != 2) || (sam && sam->count != 2)) {
printf("unexpected number of domains\n");
goto failed;
}
for (i=0; i < 2; i++) {
if (!strequal(sam->entries[i].name.string, "builtin")) {
domain = sam->entries[i].name.string;
break;
}
}
if (domain) {
printf("Opening domain %s\n", domain);
name.string = domain;
l.in.connect_handle = &handle;
l.in.domain_name = &name;
l.out.sid = &sid;
status = dcerpc_samr_LookupDomain_r(b, join, &l);
if (!NT_STATUS_IS_OK(status)) {
printf("LookupDomain failed - %s\n", nt_errstr(status));
goto failed;
}
if (!NT_STATUS_IS_OK(l.out.result)) {
printf("LookupDomain failed - %s\n", nt_errstr(l.out.result));
goto failed;
}
} else {
printf("cannot proceed without domain name\n");
goto failed;
}
}
talloc_steal(join, *l.out.sid);
join->dom_sid = *l.out.sid;
join->dom_netbios_name = talloc_strdup(join, domain);
if (!join->dom_netbios_name) goto failed;
o.in.connect_handle = &handle;
o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
o.in.sid = *l.out.sid;
o.out.domain_handle = &join->domain_handle;
status = dcerpc_samr_OpenDomain_r(b, join, &o);
if (!NT_STATUS_IS_OK(status)) {
printf("OpenDomain failed - %s\n", nt_errstr(status));
goto failed;
}
if (!NT_STATUS_IS_OK(o.out.result)) {
printf("OpenDomain failed - %s\n", nt_errstr(o.out.result));
goto failed;
}
printf("Creating account %s\n", username);
again:
name.string = username;
r.in.domain_handle = &join->domain_handle;
r.in.account_name = &name;
r.in.acct_flags = acct_type;
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r.out.user_handle = &join->user_handle;
r.out.access_granted = &access_granted;
r.out.rid = &rid;
status = dcerpc_samr_CreateUser2_r(b, join, &r);
if (!NT_STATUS_IS_OK(status)) {
printf("CreateUser2 failed - %s\n", nt_errstr(status));
goto failed;
}
if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_USER_EXISTS)) {
status = DeleteUser_byname(b, join, &join->domain_handle, name.string);
if (NT_STATUS_IS_OK(status)) {
goto again;
}
}
if (!NT_STATUS_IS_OK(r.out.result)) {
printf("CreateUser2 failed - %s\n", nt_errstr(r.out.result));
goto failed;
}
join->user_sid = dom_sid_add_rid(join, join->dom_sid, rid);
pwp.in.user_handle = &join->user_handle;
pwp.out.info = &info;
status = dcerpc_samr_GetUserPwInfo_r(b, join, &pwp);
if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(pwp.out.result)) {
policy_min_pw_len = pwp.out.info->min_password_length;
}
random_pw = generate_random_password(join, MAX(8, policy_min_pw_len), max_pw_len);
printf("Setting account password '%s'\n", random_pw);
ZERO_STRUCT(u);
s.in.user_handle = &join->user_handle;
s.in.info = &u;
s.in.level = 24;
encode_pw_buffer(u.info24.password.data, random_pw, STR_UNICODE);
u.info24.password_expired = 0;
status = dcerpc_fetch_session_key(join->p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
printf("SetUserInfo level %u - no session key - %s\n",
s.in.level, nt_errstr(status));
torture_leave_domain(torture, join);
goto failed;
}
arcfour_crypt_blob(u.info24.password.data, 516, &session_key);
status = dcerpc_samr_SetUserInfo_r(b, join, &s);
if (!NT_STATUS_IS_OK(status)) {
printf("SetUserInfo failed - %s\n", nt_errstr(status));
goto failed;
}
if (!NT_STATUS_IS_OK(s.out.result)) {
printf("SetUserInfo failed - %s\n", nt_errstr(s.out.result));
goto failed;
}
ZERO_STRUCT(u);
s.in.user_handle = &join->user_handle;
s.in.info = &u;
s.in.level = 21;
u.info21.acct_flags = acct_type | ACB_PWNOEXP;
u.info21.fields_present = SAMR_FIELD_ACCT_FLAGS | SAMR_FIELD_DESCRIPTION | SAMR_FIELD_COMMENT | SAMR_FIELD_FULL_NAME;
u.info21.comment.string = talloc_asprintf(join,
"Tortured by Samba4: %s",
timestring(join, time(NULL)));
u.info21.full_name.string = talloc_asprintf(join,
"Torture account for Samba4: %s",
timestring(join, time(NULL)));
u.info21.description.string = talloc_asprintf(join,
"Samba4 torture account created by host %s: %s",
lpcfg_netbios_name(torture->lp_ctx),
timestring(join, time(NULL)));
printf("Resetting ACB flags, force pw change time\n");
status = dcerpc_samr_SetUserInfo_r(b, join, &s);
if (!NT_STATUS_IS_OK(status)) {
printf("SetUserInfo failed - %s\n", nt_errstr(status));
goto failed;
}
if (!NT_STATUS_IS_OK(s.out.result)) {
printf("SetUserInfo failed - %s\n", nt_errstr(s.out.result));
goto failed;
}
if (random_password) {
*random_password = random_pw;
}
return join;
failed:
torture_leave_domain(torture, join);
return NULL;
}
static bool test_session_expire1(struct torture_context *tctx)
{
NTSTATUS status;
bool ret = false;
struct smbcli_options options;
struct smbcli_session_options session_options;
const char *host = torture_setting_string(tctx, "host", NULL);
const char *share = torture_setting_string(tctx, "share", NULL);
struct cli_credentials *credentials = cmdline_credentials;
struct smbcli_state *cli = NULL;
enum credentials_use_kerberos use_kerberos;
char fname[256];
union smb_fileinfo qfinfo;
uint16_t vuid;
uint16_t fnum = 0;
struct smb_composite_sesssetup io_sesssetup;
size_t i;
use_kerberos = cli_credentials_get_kerberos_state(credentials);
if (use_kerberos != CRED_MUST_USE_KERBEROS) {
torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
}
torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
"please use -k yes");
lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
lpcfg_smbcli_options(tctx->lp_ctx, &options);
lpcfg_smbcli_session_options(tctx->lp_ctx, &session_options);
status = smbcli_full_connection(tctx, &cli,
host,
lpcfg_smb_ports(tctx->lp_ctx),
share, NULL,
lpcfg_socket_options(tctx->lp_ctx),
credentials,
lpcfg_resolve_context(tctx->lp_ctx),
tctx->ev, &options, &session_options,
lpcfg_gensec_settings(tctx, tctx->lp_ctx));
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"smbcli_full_connection failed");
vuid = cli->session->vuid;
/* Add some random component to the file name. */
snprintf(fname, 256, "session_expire1_%s.dat",
generate_random_str(tctx, 8));
smbcli_unlink(cli->tree, fname);
fnum = smbcli_nt_create_full(cli->tree, fname, 0,
SEC_RIGHTS_FILE_ALL,
FILE_ATTRIBUTE_NORMAL,
NTCREATEX_SHARE_ACCESS_NONE,
NTCREATEX_DISP_OPEN_IF,
NTCREATEX_OPTIONS_DELETE_ON_CLOSE,
0);
torture_assert_ntstatus_ok_goto(tctx, smbcli_nt_error(cli->tree), ret,
done, "create file");
torture_assert_goto(tctx, fnum > 0, ret, done, "create file");
/* get the access information */
ZERO_STRUCT(qfinfo);
qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
qfinfo.access_information.in.file.fnum = fnum;
for (i=0; i < 2; i++) {
torture_comment(tctx, "query info => OK\n");
ZERO_STRUCT(qfinfo.access_information.out);
status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"raw_fileinfo failed");
torture_comment(tctx, "sleep 5 seconds\n");
smb_msleep(5*1000);
}
/*
* the krb5 library may not handle expired creds
* well, lets start with an empty ccache.
*/
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
/*
* now with CAP_DYNAMIC_REAUTH
*
* This should trigger NT_STATUS_NETWORK_SESSION_EXPIRED
*/
ZERO_STRUCT(io_sesssetup);
io_sesssetup.in.sesskey = cli->transport->negotiate.sesskey;
io_sesssetup.in.capabilities = cli->transport->negotiate.capabilities;
io_sesssetup.in.capabilities |= CAP_DYNAMIC_REAUTH;
io_sesssetup.in.credentials = credentials;
io_sesssetup.in.workgroup = lpcfg_workgroup(tctx->lp_ctx);
io_sesssetup.in.gensec_settings = lpcfg_gensec_settings(tctx,
tctx->lp_ctx);
torture_comment(tctx, "reauth with CAP_DYNAMIC_REAUTH => OK\n");
ZERO_STRUCT(io_sesssetup.out);
status = smb_composite_sesssetup(cli->session, &io_sesssetup);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"reauth failed");
torture_assert_int_equal_goto(tctx, io_sesssetup.out.vuid, vuid,
ret, done, "reauth");
for (i=0; i < 2; i++) {
torture_comment(tctx, "query info => OK\n");
ZERO_STRUCT(qfinfo.access_information.out);
status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"raw_fileinfo failed");
torture_comment(tctx, "sleep 5 seconds\n");
smb_msleep(5*1000);
torture_comment(tctx, "query info => EXPIRED\n");
ZERO_STRUCT(qfinfo.access_information.out);
status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
torture_assert_ntstatus_equal_goto(tctx, status,
NT_STATUS_NETWORK_SESSION_EXPIRED,
ret, done, "raw_fileinfo expired");
/*
* the krb5 library may not handle expired creds
* well, lets start with an empty ccache.
*/
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
torture_comment(tctx, "reauth with CAP_DYNAMIC_REAUTH => OK\n");
ZERO_STRUCT(io_sesssetup.out);
status = smb_composite_sesssetup(cli->session, &io_sesssetup);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"reauth failed");
torture_assert_int_equal_goto(tctx, io_sesssetup.out.vuid, vuid,
ret, done, "reauth");
}
torture_comment(tctx, "query info => OK\n");
ZERO_STRUCT(qfinfo.access_information.out);
status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"raw_fileinfo failed");
/*
* the krb5 library may not handle expired creds
* well, lets start with an empty ccache.
*/
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
/*
* now without CAP_DYNAMIC_REAUTH
*
* This should not trigger NT_STATUS_NETWORK_SESSION_EXPIRED
*/
torture_comment(tctx, "reauth without CAP_DYNAMIC_REAUTH => OK\n");
io_sesssetup.in.capabilities &= ~CAP_DYNAMIC_REAUTH;
ZERO_STRUCT(io_sesssetup.out);
status = smb_composite_sesssetup(cli->session, &io_sesssetup);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"reauth failed");
torture_assert_int_equal_goto(tctx, io_sesssetup.out.vuid, vuid,
ret, done, "reauth");
for (i=0; i < 2; i++) {
torture_comment(tctx, "query info => OK\n");
ZERO_STRUCT(qfinfo.access_information.out);
status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"raw_fileinfo failed");
torture_comment(tctx, "sleep 5 seconds\n");
smb_msleep(5*1000);
}
torture_comment(tctx, "query info => OK\n");
ZERO_STRUCT(qfinfo.access_information.out);
status = smb_raw_fileinfo(cli->tree, tctx, &qfinfo);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"raw_fileinfo failed");
ret = true;
done:
if (fnum > 0) {
smbcli_close(cli->tree, fnum);
}
talloc_free(cli);
lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=0");
return ret;
}
bool torture_samba3_checkfsp(struct torture_context *torture)
{
struct smbcli_state *cli;
const char *fname = "test.txt";
const char *dirname = "testdir";
int fnum;
NTSTATUS status;
bool ret = true;
TALLOC_CTX *mem_ctx;
ssize_t nread;
char buf[16];
struct smbcli_tree *tree2;
if ((mem_ctx = talloc_init("torture_samba3_checkfsp")) == NULL) {
d_printf("talloc_init failed\n");
return false;
}
if (!torture_open_connection_share(
torture, &cli, torture, torture_setting_string(torture, "host", NULL),
torture_setting_string(torture, "share", NULL), torture->ev)) {
d_printf("torture_open_connection_share failed\n");
ret = false;
goto done;
}
smbcli_deltree(cli->tree, dirname);
status = torture_second_tcon(torture, cli->session,
torture_setting_string(torture, "share", NULL),
&tree2);
CHECK_STATUS(status, NT_STATUS_OK);
if (!NT_STATUS_IS_OK(status))
goto done;
/* Try a read on an invalid FID */
nread = smbcli_read(cli->tree, 4711, buf, 0, sizeof(buf));
CHECK_STATUS(smbcli_nt_error(cli->tree), NT_STATUS_INVALID_HANDLE);
/* Try a read on a directory handle */
status = smbcli_mkdir(cli->tree, dirname);
if (!NT_STATUS_IS_OK(status)) {
d_printf("smbcli_mkdir failed: %s\n", nt_errstr(status));
ret = false;
goto done;
}
/* Open the directory */
{
union smb_open io;
io.generic.level = RAW_OPEN_NTCREATEX;
io.ntcreatex.in.flags = NTCREATEX_FLAGS_EXTENDED;
io.ntcreatex.in.root_fid.fnum = 0;
io.ntcreatex.in.security_flags = 0;
io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
io.ntcreatex.in.alloc_size = 0;
io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_NONE;
io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
io.ntcreatex.in.create_options = 0;
io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
io.ntcreatex.in.fname = dirname;
status = smb_raw_open(cli->tree, mem_ctx, &io);
if (!NT_STATUS_IS_OK(status)) {
d_printf("smb_open on the directory failed: %s\n",
nt_errstr(status));
ret = false;
goto done;
}
fnum = io.ntcreatex.out.file.fnum;
}
/* Try a read on the directory */
nread = smbcli_read(cli->tree, fnum, buf, 0, sizeof(buf));
if (nread >= 0) {
d_printf("smbcli_read on a directory succeeded, expected "
"failure\n");
ret = false;
}
CHECK_STATUS(smbcli_nt_error(cli->tree),
NT_STATUS_INVALID_DEVICE_REQUEST);
/* Same test on the second tcon */
nread = smbcli_read(tree2, fnum, buf, 0, sizeof(buf));
if (nread >= 0) {
d_printf("smbcli_read on a directory succeeded, expected "
"failure\n");
ret = false;
}
CHECK_STATUS(smbcli_nt_error(tree2), NT_STATUS_INVALID_HANDLE);
smbcli_close(cli->tree, fnum);
/* Try a normal file read on a second tcon */
fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE);
if (fnum == -1) {
d_printf("Failed to create %s - %s\n", fname,
smbcli_errstr(cli->tree));
ret = false;
goto done;
}
nread = smbcli_read(tree2, fnum, buf, 0, sizeof(buf));
CHECK_STATUS(smbcli_nt_error(tree2), NT_STATUS_INVALID_HANDLE);
smbcli_close(cli->tree, fnum);
done:
smbcli_deltree(cli->tree, dirname);
torture_close_connection(cli);
talloc_free(mem_ctx);
return ret;
}
/*
* Test some updates
*/
static bool test_dlz_bind9_update01(struct torture_context *tctx)
{
NTSTATUS status;
struct gensec_security *gensec_client_context;
DATA_BLOB client_to_server, server_to_client;
void *dbdata;
void *version = NULL;
const char *argv[] = {
"samba_dlz",
"-H",
lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
NULL
};
struct test_expected_rr *expected1 = NULL;
char *name = NULL;
char *data0 = NULL;
char *data1 = NULL;
char *data2 = NULL;
bool ret = false;
tctx_static = tctx;
torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata,
"log", dlz_bind9_log_wrapper,
"writeable_zone", dlz_bind9_writeable_zone_hook,
"putrr", dlz_bind9_putrr_hook,
"putnamedrr", dlz_bind9_putnamedrr_hook,
NULL),
ISC_R_SUCCESS,
"Failed to create samba_dlz");
torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
ISC_R_SUCCESS,
"Failed to configure samba_dlz");
expected1 = talloc_zero(tctx, struct test_expected_rr);
torture_assert(tctx, expected1 != NULL, "talloc failed");
expected1->tctx = tctx;
expected1->query_name = __func__;
name = talloc_asprintf(expected1, "%s.%s",
expected1->query_name,
lpcfg_dnsdomain(tctx->lp_ctx));
torture_assert(tctx, name != NULL, "talloc failed");
expected1->num_records = 2;
expected1->records = talloc_zero_array(expected1,
struct test_expected_record,
expected1->num_records);
torture_assert(tctx, expected1->records != NULL, "talloc failed");
expected1->records[0].name = expected1->query_name;
expected1->records[0].type = "a";
expected1->records[0].ttl = 3600;
expected1->records[0].data = "127.1.2.3";
expected1->records[0].printed = false;
data0 = talloc_asprintf(expected1,
"%s.\t" "%u\t" "%s\t" "%s\t" "%s",
name,
(unsigned)expected1->records[0].ttl,
"in",
expected1->records[0].type,
expected1->records[0].data);
torture_assert(tctx, data0 != NULL, "talloc failed");
expected1->records[1].name = expected1->query_name;
expected1->records[1].type = "a";
expected1->records[1].ttl = 3600;
expected1->records[1].data = "127.3.2.1";
expected1->records[1].printed = false;
data1 = talloc_asprintf(expected1,
"%s.\t" "%u\t" "%s\t" "%s\t" "%s",
name,
(unsigned)expected1->records[1].ttl,
"in",
expected1->records[1].type,
expected1->records[1].data);
torture_assert(tctx, data1 != NULL, "talloc failed");
data2 = talloc_asprintf(expected1,
"%s.\t" "0\t" "in\t" "a\t" "127.3.3.3",
name);
torture_assert(tctx, data2 != NULL, "talloc failed");
/*
* Prepare session info
*/
status = gensec_client_start(tctx, &gensec_client_context,
lpcfg_gensec_settings(tctx, tctx->lp_ctx));
torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
/*
* dlz_bind9 use the special dns/host.domain account
*/
status = gensec_set_target_hostname(gensec_client_context,
talloc_asprintf(tctx,
"%s.%s",
torture_setting_string(tctx, "host", NULL),
lpcfg_dnsdomain(tctx->lp_ctx)));
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
status = gensec_set_target_service(gensec_client_context, "dns");
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_service failed");
status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSS-SPNEGO");
torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
server_to_client = data_blob(NULL, 0);
/* Do one step of the client-server update dance */
status = gensec_update(gensec_client_context, tctx, server_to_client, &client_to_server);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
}
torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
name,
"127.0.0.1",
expected1->records[0].type,
"key",
client_to_server.length,
client_to_server.data,
dbdata),
ISC_TRUE,
"Failed to check key for update rights samba_dlz");
/*
* We test the following:
*
* 1. lookup the records => NOT_FOUND
* 2. delete all records => NOT_FOUND
* 3. delete 1st record => NOT_FOUND
* 4. create 1st record => SUCCESS
* 5. lookup the records => found 1st
* 6. create 2nd record => SUCCESS
* 7. lookup the records => found 1st and 2nd
* 8. delete unknown record => NOT_FOUND
* 9. lookup the records => found 1st and 2nd
* 10. delete 1st record => SUCCESS
* 11. lookup the records => found 2nd
* 12. delete 2nd record => SUCCESS
* 13. lookup the records => NOT_FOUND
* 14. create 1st record => SUCCESS
* 15. lookup the records => found 1st
* 16. create 2nd record => SUCCESS
* 17. lookup the records => found 1st and 2nd
* 18. update 1st record => SUCCESS
* 19. lookup the records => found 1st and 2nd
* 20. delete all unknown type records => NOT_FOUND
* 21. lookup the records => found 1st and 2nd
* 22. delete all records => SUCCESS
* 23. lookup the records => NOT_FOUND
*/
/* Step 1. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_NOTFOUND,
"Found hostname");
torture_assert_int_equal(tctx, expected1->num_rr, 0,
"Got wrong record count");
/* Step 2. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_delrdataset(name,
expected1->records[0].type,
dbdata, version),
ISC_R_NOTFOUND, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n",
name, expected1->records[0].type));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
/* Step 3. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data0, dbdata, version),
ISC_R_NOTFOUND, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
/* Step 4. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 5. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert_int_equal(tctx, expected1->num_rr, 1,
"Got wrong record count");
/* Step 6. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data1, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data1));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 7. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 8. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data2, dbdata, version),
ISC_R_NOTFOUND, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n",
name, data2));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 9. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 10. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 11. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 1,
"Got wrong record count");
/* Step 12. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data1, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n",
name, data1));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 13. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_NOTFOUND,
"Found hostname");
torture_assert_int_equal(tctx, expected1->num_rr, 0,
"Got wrong record count");
/* Step 14. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 15. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert_int_equal(tctx, expected1->num_rr, 1,
"Got wrong record count");
/* Step 16. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data1, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data1));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 17. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 18. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to update name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 19. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 20. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_delrdataset(name, "txt", dbdata, version),
ISC_R_FAILURE, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n",
name, "txt"));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
/* Step 21. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 22. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_delrdataset(name,
expected1->records[0].type,
dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to delete name[%s] type[%s]\n",
name, expected1->records[0].type));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 23. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_NOTFOUND,
"Found hostname");
torture_assert_int_equal(tctx, expected1->num_rr, 0,
"Got wrong record count");
dlz_destroy(dbdata);
return true;
cancel_version:
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
return ret;
}
bool torture_samba3_posixtimedlock(struct torture_context *tctx)
{
struct smbcli_state *cli;
NTSTATUS status;
bool ret = true;
const char *dirname = "posixlock";
const char *fname = "locked";
const char *fpath;
const char *localdir;
const char *localname;
int fnum = -1;
int fd = -1;
struct flock posix_lock;
union smb_lock io;
struct smb_lock_entry lock_entry;
struct smbcli_request *req;
struct lock_result_state lock_result;
struct tevent_timer *te;
if (!torture_open_connection(&cli, tctx, 0)) {
ret = false;
goto done;
}
smbcli_deltree(cli->tree, dirname);
status = smbcli_mkdir(cli->tree, dirname);
if (!NT_STATUS_IS_OK(status)) {
torture_warning(tctx, "smbcli_mkdir failed: %s\n",
nt_errstr(status));
ret = false;
goto done;
}
if (!(fpath = talloc_asprintf(tctx, "%s\\%s", dirname, fname))) {
torture_warning(tctx, "talloc failed\n");
ret = false;
goto done;
}
fnum = smbcli_open(cli->tree, fpath, O_RDWR | O_CREAT, DENY_NONE);
if (fnum == -1) {
torture_warning(tctx, "Could not create file %s: %s\n", fpath,
smbcli_errstr(cli->tree));
ret = false;
goto done;
}
if (!(localdir = torture_setting_string(tctx, "localdir", NULL))) {
torture_warning(tctx, "Need 'localdir' setting\n");
ret = false;
goto done;
}
if (!(localname = talloc_asprintf(tctx, "%s/%s/%s", localdir, dirname,
fname))) {
torture_warning(tctx, "talloc failed\n");
ret = false;
goto done;
}
/*
* Lock a byte range from posix
*/
fd = open(localname, O_RDWR);
if (fd == -1) {
torture_warning(tctx, "open(%s) failed: %s\n",
localname, strerror(errno));
goto done;
}
posix_lock.l_type = F_WRLCK;
posix_lock.l_whence = SEEK_SET;
posix_lock.l_start = 0;
posix_lock.l_len = 1;
if (fcntl(fd, F_SETLK, &posix_lock) == -1) {
torture_warning(tctx, "fcntl failed: %s\n", strerror(errno));
ret = false;
goto done;
}
/*
* Try a cifs brlock without timeout to see if posix locking = yes
*/
io.lockx.in.ulock_cnt = 0;
io.lockx.in.lock_cnt = 1;
lock_entry.count = 1;
lock_entry.offset = 0;
lock_entry.pid = cli->tree->session->pid;
io.lockx.level = RAW_LOCK_LOCKX;
io.lockx.in.mode = LOCKING_ANDX_LARGE_FILES;
io.lockx.in.timeout = 0;
io.lockx.in.locks = &lock_entry;
io.lockx.in.file.fnum = fnum;
status = smb_raw_lock(cli->tree, &io);
ret = true;
CHECK_STATUS(status, NT_STATUS_FILE_LOCK_CONFLICT);
if (!ret) {
goto done;
}
/*
* Now fire off a timed brlock, unlock the posix lock and see if the
* timed lock gets through.
*/
io.lockx.in.timeout = 5000;
req = smb_raw_lock_send(cli->tree, &io);
if (req == NULL) {
torture_warning(tctx, "smb_raw_lock_send failed\n");
ret = false;
goto done;
}
lock_result.done = false;
req->async.fn = receive_lock_result;
req->async.private_data = &lock_result;
te = tevent_add_timer(req->transport->socket->event.ctx,
tctx, timeval_current_ofs(1, 0),
close_locked_file, &fd);
if (te == NULL) {
torture_warning(tctx, "tevent_add_timer failed\n");
ret = false;
goto done;
}
while ((fd != -1) || (!lock_result.done)) {
if (tevent_loop_once(req->transport->socket->event.ctx)
== -1) {
torture_warning(tctx, "tevent_loop_once failed: %s\n",
strerror(errno));
ret = false;
goto done;
}
}
CHECK_STATUS(lock_result.status, NT_STATUS_OK);
done:
if (fnum != -1) {
smbcli_close(cli->tree, fnum);
}
if (fd != -1) {
close(fd);
}
smbcli_deltree(cli->tree, dirname);
return ret;
}
bool torture_ldap_sort(struct torture_context *torture)
{
struct ldb_context *ldb;
bool ret = false;
const char *host = torture_setting_string(torture, "host", NULL);
char *url;
int i;
codepoint_t j;
struct ldb_message_element *elem;
struct ldb_message *msg;
struct ldb_server_sort_control **control;
struct ldb_request *req;
struct ldb_result *ctx;
struct ldb_val *prev = NULL;
const char *prev_txt = NULL;
int prev_len = 0;
struct ldb_val *cur = NULL;
const char *cur_txt = NULL;
int cur_len = 0;
struct ldb_dn *dn;
/* TALLOC_CTX* ctx;*/
url = talloc_asprintf(torture, "ldap://%s/", host);
ldb = ldb_wrap_connect(torture, torture->ev, torture->lp_ctx, url,
NULL,
popt_get_cmdline_credentials(),
0);
torture_assert(torture, ldb, "Failed to make LDB connection to target");
ctx = talloc_zero(ldb, struct ldb_result);
control = talloc_array(ctx, struct ldb_server_sort_control *, 2);
control[0] = talloc(control, struct ldb_server_sort_control);
control[0]->attributeName = talloc_strdup(control, "cn");
control[0]->orderingRule = NULL;
control[0]->reverse = 0;
control[1] = NULL;
dn = ldb_get_default_basedn(ldb);
ldb_dn_add_child_fmt(dn, "cn=users");
ret = ldb_build_search_req(&req, ldb, ctx,
dn,
LDB_SCOPE_SUBTREE,
"(objectClass=*)", NULL,
NULL,
ctx, ldb_search_default_callback, NULL);
torture_assert(torture, ret == LDB_SUCCESS, "Failed to build search request");
ret = ldb_request_add_control(req, LDB_CONTROL_SERVER_SORT_OID, true, control);
torture_assert(torture, ret == LDB_SUCCESS, "Failed to add control to search request");
ret = ldb_request(ldb, req);
torture_assert(torture, ret == LDB_SUCCESS, ldb_errstring(ldb));
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
torture_assert(torture, ret == LDB_SUCCESS, ldb_errstring(ldb));
ret = true;
if (ctx->count > 1) {
for (i=0;i<ctx->count;i++) {
msg = ctx->msgs[i];
elem = ldb_msg_find_element(msg,"cn");
torture_assert_not_null(torture, elem, "msg lacks CN");
cur = elem->values;
torture_comment(torture, "cn: %s\n",cur->data);
if (prev != NULL)
{
/* Do only the ascii case right now ... */
cur_txt = (const char *) cur->data;
cur_len = cur->length;
prev_txt = (const char *) prev->data;
prev_len = prev->length;
/* Remove leading whitespace as the sort function do so ... */
while ( cur_txt[0] == cur_txt[1] ) { cur_txt++; cur_len--;}
while ( prev_txt[0] == prev_txt[1] ) { prev_txt++; prev_len--;}
while( *(cur_txt) && *(prev_txt) && cur_len && prev_len ) {
j = toupper_m(*(prev_txt))-toupper_m(*(cur_txt));
if ( j > 0 ) {
/* Just check that is not due to trailling white space in prev_txt
* That is to say *cur_txt = 0 and prev_txt = 20 */
/* Remove trailling whitespace */
while ( *prev_txt == ' ' ) { prev_txt++; prev_len--;}
while ( *cur_txt == ' ' ) { cur_txt++; cur_len--;}
/* Now that potential whitespace are removed if we are at the end
* of the cur_txt then it means that in fact strings were identical
*/
torture_assert(torture, *cur_txt && *prev_txt, "Data wrongly sorted");
break;
}
else
{
if ( j == 0 )
{
if ( *(cur_txt) == ' ') {
while ( cur_txt[0] == cur_txt[1] ) { cur_txt++; cur_len--;}
while ( prev_txt[0] == prev_txt[1] ) { prev_txt++; prev_len--;}
}
cur_txt++;
prev_txt++;
prev_len--;
cur_len--;
}
else
{
break;
}
}
}
if ( ret != 1 ) {
break;
}
}
prev = cur;
}
}
return ret;
}
bool torture_libnetapi_user(struct torture_context *tctx)
{
NET_API_STATUS status = 0;
uint8_t *buffer = NULL;
uint32_t levels[] = { 0, 1, 2, 3, 4, 10, 11, 20, 23 };
uint32_t enum_levels[] = { 0, 1, 2, 3, 4, 10, 11, 20, 23 };
uint32_t getgr_levels[] = { 0, 1 };
int i;
struct USER_INFO_0 u0;
struct USER_INFO_1007 u1007;
uint32_t parm_err = 0;
const char *hostname = torture_setting_string(tctx, "host", NULL);
struct libnetapi_ctx *ctx;
torture_assert(tctx, torture_libnetapi_init_context(tctx, &ctx),
"failed to initialize libnetapi");
torture_comment(tctx, "NetUser tests\n");
/* cleanup */
NetUserDel(hostname, TORTURE_TEST_USER);
NetUserDel(hostname, TORTURE_TEST_USER2);
/* add a user */
status = test_netuseradd(tctx, hostname, TORTURE_TEST_USER);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetUserAdd");
goto out;
}
/* enum the new user */
for (i=0; i<ARRAY_SIZE(enum_levels); i++) {
status = test_netuserenum(tctx, hostname, enum_levels[i], TORTURE_TEST_USER);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetUserEnum");
goto out;
}
}
/* basic queries */
for (i=0; i<ARRAY_SIZE(levels); i++) {
torture_comment(tctx, "Testing NetUserGetInfo level %d\n", levels[i]);
status = NetUserGetInfo(hostname, TORTURE_TEST_USER, levels[i], &buffer);
if (status && status != 124) {
NETAPI_STATUS(tctx, ctx, status, "NetUserGetInfo");
goto out;
}
}
/* testing getgroups */
for (i=0; i<ARRAY_SIZE(getgr_levels); i++) {
status = test_netusergetgroups(tctx, hostname, getgr_levels[i], TORTURE_TEST_USER, NULL);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetUserGetGroups");
goto out;
}
}
/* modify description */
torture_comment(tctx, "Testing NetUserSetInfo level %d\n", 1007);
u1007.usri1007_comment = "NetApi modified user";
status = NetUserSetInfo(hostname, TORTURE_TEST_USER, 1007, (uint8_t *)&u1007, &parm_err);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetUserSetInfo");
goto out;
}
/* query info */
for (i=0; i<ARRAY_SIZE(levels); i++) {
status = NetUserGetInfo(hostname, TORTURE_TEST_USER, levels[i], &buffer);
if (status && status != 124) {
NETAPI_STATUS(tctx, ctx, status, "NetUserGetInfo");
goto out;
}
}
torture_comment(tctx, "Testing NetUserSetInfo level 0\n");
u0.usri0_name = TORTURE_TEST_USER2;
status = NetUserSetInfo(hostname, TORTURE_TEST_USER, 0, (uint8_t *)&u0, &parm_err);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetUserSetInfo");
goto out;
}
/* delete */
torture_comment(tctx, "Testing NetUserDel\n");
status = NetUserDel(hostname, TORTURE_TEST_USER2);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetUserDel");
goto out;
}
/* should not exist anymore */
status = NetUserGetInfo(hostname, TORTURE_TEST_USER2, 0, &buffer);
if (status == 0) {
NETAPI_STATUS(tctx, ctx, status, "NetUserGetInfo");
status = -1;
goto out;
}
status = test_netusermodals(tctx, ctx, hostname);
if (status) {
goto out;
}
status = 0;
torture_comment(tctx, "NetUser tests succeeded\n");
out:
/* cleanup */
NetUserDel(hostname, TORTURE_TEST_USER);
NetUserDel(hostname, TORTURE_TEST_USER2);
if (status != 0) {
torture_comment(tctx, "NetUser testsuite failed with: %s\n",
libnetapi_get_error_string(ctx, status));
libnetapi_free(ctx);
return false;
}
libnetapi_free(ctx);
return true;
}
static bool torture_rpc_spoolss_access_setup_common(struct torture_context *tctx, struct torture_access_context *t)
{
void *testuser;
const char *testuser_passwd;
struct cli_credentials *test_credentials;
struct dom_sid *test_sid;
struct dcerpc_pipe *p;
const char *printername;
const char *binding = torture_setting_string(tctx, "binding", NULL);
struct dcerpc_pipe *spoolss_pipe;
testuser = torture_create_testuser_max_pwlen(tctx, t->user.username,
torture_setting_string(tctx, "workgroup", NULL),
ACB_NORMAL,
&testuser_passwd,
32);
if (!testuser) {
torture_fail(tctx, "Failed to create test user");
}
test_credentials = cli_credentials_init(tctx);
cli_credentials_set_workstation(test_credentials, "localhost", CRED_SPECIFIED);
cli_credentials_set_domain(test_credentials, lpcfg_workgroup(tctx->lp_ctx),
CRED_SPECIFIED);
cli_credentials_set_username(test_credentials, t->user.username, CRED_SPECIFIED);
cli_credentials_set_password(test_credentials, testuser_passwd, CRED_SPECIFIED);
test_sid = discard_const_p(struct dom_sid,
torture_join_user_sid(testuser));
if (t->user.num_builtin_memberships) {
struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(testuser);
torture_assert(tctx,
spoolss_access_setup_membership(tctx, samr_pipe,
t->user.num_builtin_memberships,
t->user.builtin_memberships,
test_sid),
"failed to setup membership");
}
if (t->user.num_privs) {
struct dcerpc_pipe *lsa_pipe;
torture_assert_ntstatus_ok(tctx,
torture_rpc_connection(tctx, &lsa_pipe, &ndr_table_lsarpc),
"Error connecting to server");
torture_assert(tctx,
spoolss_access_setup_privs(tctx, lsa_pipe,
t->user.num_privs,
t->user.privs,
test_sid,
&t->user.privs_present),
"failed to setup privs");
talloc_free(lsa_pipe);
}
torture_assert_ntstatus_ok(tctx,
torture_rpc_connection(tctx, &spoolss_pipe, &ndr_table_spoolss),
"Error connecting to server");
torture_assert(tctx,
test_EnumPrinters_findone(tctx, spoolss_pipe, &printername),
"failed to enumerate printers");
if (t->user.sd && printername) {
torture_assert(tctx,
spoolss_access_setup_sd(tctx, spoolss_pipe,
printername,
test_sid,
&t->sd_orig),
"failed to setup sd");
}
talloc_free(spoolss_pipe);
torture_assert_ntstatus_ok(tctx,
dcerpc_pipe_connect(tctx, &p, binding, &ndr_table_spoolss,
test_credentials, tctx->ev, tctx->lp_ctx),
"Error connecting to server");
t->spoolss_pipe = p;
t->printername = printername;
t->user.testuser = testuser;
return true;
}
/*
test a schannel connection with the given flags
*/
static bool test_schannel(struct torture_context *tctx,
uint16_t acct_flags, uint32_t dcerpc_flags,
int i)
{
struct test_join *join_ctx;
NTSTATUS status;
const char *binding = torture_setting_string(tctx, "binding", NULL);
struct dcerpc_binding *b;
struct dcerpc_pipe *p = NULL;
struct dcerpc_pipe *p_netlogon = NULL;
struct dcerpc_pipe *p_netlogon2 = NULL;
struct dcerpc_pipe *p_netlogon3 = NULL;
struct dcerpc_pipe *p_samr2 = NULL;
struct dcerpc_pipe *p_lsa = NULL;
struct netlogon_creds_CredentialState *creds;
struct cli_credentials *credentials;
enum dcerpc_transport_t transport;
join_ctx = torture_join_domain(tctx,
talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i),
acct_flags, &credentials);
torture_assert(tctx, join_ctx != NULL, "Failed to join domain");
status = dcerpc_parse_binding(tctx, binding, &b);
torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
torture_assert_ntstatus_ok(tctx, status, "set flags");
status = dcerpc_pipe_connect_b(tctx, &p, b, &ndr_table_samr,
credentials, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status,
"Failed to connect to samr with schannel");
torture_assert(tctx, test_samr_ops(tctx, p->binding_handle),
"Failed to process schannel secured SAMR ops");
/* Also test that when we connect to the netlogon pipe, that
* the credentials we setup on the first pipe are valid for
* the second */
/* Swap the binding details from SAMR to NETLOGON */
status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status, "epm map");
status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
torture_assert_ntstatus_ok(tctx, status, "set flags");
status = dcerpc_secondary_auth_connection(p, b, &ndr_table_netlogon,
credentials, tctx->lp_ctx,
tctx, &p_netlogon);
torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
creds = cli_credentials_get_netlogon_creds(credentials);
torture_assert(tctx, (creds != NULL), "schannel creds");
/* checks the capabilities */
torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
"Failed to process schannel secured capability ops (on fresh connection)");
/* do a couple of logins */
torture_assert(tctx, test_netlogon_ops(p_netlogon, tctx, credentials, creds),
"Failed to process schannel secured NETLOGON ops");
torture_assert(tctx, test_netlogon_ex_ops(p_netlogon, tctx, credentials, creds),
"Failed to process schannel secured NETLOGON EX ops");
/* we *MUST* use ncacn_np for openpolicy etc. */
transport = dcerpc_binding_get_transport(b);
status = dcerpc_binding_set_transport(b, NCACN_NP);
torture_assert_ntstatus_ok(tctx, status, "set transport");
/* Swap the binding details from SAMR to LSARPC */
status = dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status, "epm map");
torture_assert_ntstatus_ok(tctx,
dcerpc_pipe_connect_b(tctx, &p_lsa, b, &ndr_table_lsarpc,
credentials, tctx->ev, tctx->lp_ctx),
"failed to connect lsarpc with schannel");
torture_assert(tctx, test_lsa_ops(tctx, p_lsa),
"Failed to process schannel secured LSA ops");
talloc_free(p_lsa);
p_lsa = NULL;
/* we *MUST* use ncacn_ip_tcp for lookupsids3/lookupnames4 */
status = dcerpc_binding_set_transport(b, NCACN_IP_TCP);
torture_assert_ntstatus_ok(tctx, status, "set transport");
torture_assert_ntstatus_ok(tctx,
dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx),
"failed to call epm map");
torture_assert_ntstatus_ok(tctx,
dcerpc_pipe_connect_b(tctx, &p_lsa, b, &ndr_table_lsarpc,
credentials, tctx->ev, tctx->lp_ctx),
"failed to connect lsarpc with schannel");
torture_assert(tctx,
test_many_LookupSids(p_lsa, tctx, NULL),
"LsaLookupSids3 failed!\n");
status = dcerpc_binding_set_transport(b, transport);
torture_assert_ntstatus_ok(tctx, status, "set transport");
/* Drop the socket, we want to start from scratch */
talloc_free(p);
p = NULL;
/* Now see what we are still allowed to do */
status = dcerpc_parse_binding(tctx, binding, &b);
torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
torture_assert_ntstatus_ok(tctx, status, "set flags");
status = dcerpc_pipe_connect_b(tctx, &p_samr2, b, &ndr_table_samr,
credentials, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status,
"Failed to connect with schannel");
/* do a some SAMR operations. We have *not* done a new serverauthenticate */
torture_assert (tctx, test_samr_ops(tctx, p_samr2->binding_handle),
"Failed to process schannel secured SAMR ops (on fresh connection)");
/* Swap the binding details from SAMR to NETLOGON */
status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status, "epm");
status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
torture_assert_ntstatus_ok(tctx, status, "set flags");
status = dcerpc_secondary_auth_connection(p_samr2, b, &ndr_table_netlogon,
credentials, tctx->lp_ctx,
tctx, &p_netlogon2);
torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
/* checks the capabilities */
torture_assert(tctx, test_netlogon_capabilities(p_netlogon2, tctx, credentials, creds),
"Failed to process schannel secured capability ops (on fresh connection)");
/* Try the schannel-only SamLogonEx operation */
torture_assert(tctx, test_netlogon_ex_ops(p_netlogon2, tctx, credentials, creds),
"Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
/* And the more traditional style, proving that the
* credentials chaining state is fully present */
torture_assert(tctx, test_netlogon_ops(p_netlogon2, tctx, credentials, creds),
"Failed to process schannel secured NETLOGON ops (on fresh connection)");
/* Drop the socket, we want to start from scratch (again) */
talloc_free(p_samr2);
/* We don't want schannel for this test */
status = dcerpc_binding_set_flags(b, 0, DCERPC_AUTH_OPTIONS);
torture_assert_ntstatus_ok(tctx, status, "set flags");
status = dcerpc_pipe_connect_b(tctx, &p_netlogon3, b, &ndr_table_netlogon,
credentials, tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");
torture_assert(tctx, !test_netlogon_ex_ops(p_netlogon3, tctx, credentials, creds),
"Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
/* Required because the previous call will mark the current context as having failed */
tctx->last_result = TORTURE_OK;
tctx->last_reason = NULL;
torture_assert(tctx, test_netlogon_ops(p_netlogon3, tctx, credentials, creds),
"Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
torture_leave_domain(tctx, join_ctx);
return true;
}
bool torture_libnetapi_group(struct torture_context *tctx)
{
NET_API_STATUS status = 0;
const char *username, *groupname, *groupname2;
uint8_t *buffer = NULL;
struct GROUP_INFO_0 g0;
uint32_t parm_err = 0;
uint32_t levels[] = { 0, 1, 2, 3};
uint32_t enum_levels[] = { 0, 1, 2, 3};
uint32_t getmem_levels[] = { 0, 1};
int i;
const char *hostname = torture_setting_string(tctx, "host", NULL);
struct libnetapi_ctx *ctx;
torture_assert(tctx, torture_libnetapi_init_context(tctx, &ctx),
"failed to initialize libnetapi");
torture_comment(tctx, "NetGroup tests\n");
username = "******";
groupname = "torture_test_group";
groupname2 = "torture_test_group2";
/* cleanup */
NetGroupDel(hostname, groupname);
NetGroupDel(hostname, groupname2);
NetUserDel(hostname, username);
/* add a group */
g0.grpi0_name = groupname;
torture_comment(tctx, "Testing NetGroupAdd\n");
status = NetGroupAdd(hostname, 0, (uint8_t *)&g0, &parm_err);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupAdd");
goto out;
}
/* 2nd add must fail */
status = NetGroupAdd(hostname, 0, (uint8_t *)&g0, &parm_err);
if (status == 0) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupAdd");
status = -1;
goto out;
}
/* test enum */
for (i=0; i<ARRAY_SIZE(enum_levels); i++) {
status = test_netgroupenum(tctx, hostname, enum_levels[i], groupname);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupEnum");
goto out;
}
}
/* basic queries */
for (i=0; i<ARRAY_SIZE(levels); i++) {
torture_comment(tctx, "Testing NetGroupGetInfo level %d\n", levels[i]);
status = NetGroupGetInfo(hostname, groupname, levels[i], &buffer);
if (status && status != 124) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupGetInfo");
goto out;
}
}
/* group rename */
g0.grpi0_name = groupname2;
torture_comment(tctx, "Testing NetGroupSetInfo level 0\n");
status = NetGroupSetInfo(hostname, groupname, 0, (uint8_t *)&g0, &parm_err);
switch ((uint32_t)status) {
case 0:
break;
case 50: /* not supported */
case 124: /* not implemented */
groupname2 = groupname;
goto skip_rename;
default:
NETAPI_STATUS(tctx, ctx, status, "NetGroupSetInfo");
goto out;
}
/* should not exist anymore */
status = NetGroupDel(hostname, groupname);
if (status == 0) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupDel");
goto out;
}
skip_rename:
/* query info */
for (i=0; i<ARRAY_SIZE(levels); i++) {
status = NetGroupGetInfo(hostname, groupname2, levels[i], &buffer);
if (status && status != 124) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupGetInfo");
goto out;
}
}
/* add user to group */
status = test_netuseradd(tctx, hostname, username);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetUserAdd");
goto out;
}
/* should not be member */
for (i=0; i<ARRAY_SIZE(getmem_levels); i++) {
status = test_netgroupgetusers(tctx, hostname, getmem_levels[i], groupname2, NULL);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupGetUsers");
goto out;
}
}
torture_comment(tctx, "Testing NetGroupAddUser\n");
status = NetGroupAddUser(hostname, groupname2, username);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupAddUser");
goto out;
}
/* should be member */
for (i=0; i<ARRAY_SIZE(getmem_levels); i++) {
status = test_netgroupgetusers(tctx, hostname, getmem_levels[i], groupname2, username);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupGetUsers");
goto out;
}
}
torture_comment(tctx, "Testing NetGroupDelUser\n");
status = NetGroupDelUser(hostname, groupname2, username);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupDelUser");
goto out;
}
/* should not be member */
status = test_netgroupgetusers(tctx, hostname, 0, groupname2, NULL);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupGetUsers");
goto out;
}
/* set it again via exlicit member set */
status = test_netgroupsetusers(tctx, hostname, groupname2, 0, 1, &username);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupSetUsers");
goto out;
}
/* should be member */
status = test_netgroupgetusers(tctx, hostname, 0, groupname2, username);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupGetUsers");
goto out;
}
#if 0
/* wipe out member list */
status = test_netgroupsetusers(hostname, groupname2, 0, 0, NULL);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupSetUsers");
goto out;
}
/* should not be member */
status = test_netgroupgetusers(hostname, 0, groupname2, NULL);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupGetUsers");
goto out;
}
#endif
status = NetUserDel(hostname, username);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetUserDel");
goto out;
}
/* delete */
torture_comment(tctx, "Testing NetGroupDel\n");
status = NetGroupDel(hostname, groupname2);
if (status) {
NETAPI_STATUS(tctx, ctx, status, "NetGroupDel");
goto out;
};
/* should not exist anymore */
status = NetGroupGetInfo(hostname, groupname2, 0, &buffer);
if (status == 0) {
NETAPI_STATUS_MSG(tctx, ctx, status, "NetGroupGetInfo", "expected failure and error code");
status = -1;
goto out;
};
status = 0;
torture_comment(tctx, "NetGroup tests succeeded\n");
out:
if (status != 0) {
torture_comment(tctx, "NetGroup testsuite failed with: %s\n",
libnetapi_get_error_string(ctx, status));
libnetapi_free(ctx);
return false;
}
libnetapi_free(ctx);
return true;
}
bool torture_samba3_hide(struct torture_context *torture)
{
struct smbcli_state *cli;
const char *fname = "test.txt";
int fnum;
NTSTATUS status;
struct smbcli_tree *hideunread;
struct smbcli_tree *hideunwrite;
if (!torture_open_connection_share(
torture, &cli, torture, torture_setting_string(torture, "host", NULL),
torture_setting_string(torture, "share", NULL), torture->ev)) {
torture_fail(torture, "torture_open_connection_share failed\n");
}
status = torture_second_tcon(torture, cli->session, "hideunread",
&hideunread);
torture_assert_ntstatus_ok(torture, status, "second_tcon(hideunread) failed\n");
status = torture_second_tcon(torture, cli->session, "hideunwrite",
&hideunwrite);
torture_assert_ntstatus_ok(torture, status, "second_tcon(hideunwrite) failed\n");
status = smbcli_unlink(cli->tree, fname);
if (NT_STATUS_EQUAL(status, NT_STATUS_CANNOT_DELETE)) {
smbcli_setatr(cli->tree, fname, 0, -1);
smbcli_unlink(cli->tree, fname);
}
fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE);
if (fnum == -1) {
torture_fail(torture,
talloc_asprintf(torture, "Failed to create %s - %s\n", fname, smbcli_errstr(cli->tree)));
}
smbcli_close(cli->tree, fnum);
if (!smbcli_file_exists(cli->tree, fname)) {
torture_fail(torture, talloc_asprintf(torture, "%s does not exist\n", fname));
}
/* R/W file should be visible everywhere */
status = smbcli_chmod(cli->tree, fname, UNIX_R_USR|UNIX_W_USR);
torture_assert_ntstatus_ok(torture, status, "smbcli_chmod failed\n");
if (!is_writeable(torture, cli->tree, fname)) {
torture_fail(torture, "File not writable\n");
}
if (!is_readable(cli->tree, fname)) {
torture_fail(torture, "File not readable\n");
}
if (!is_visible(cli->tree, fname)) {
torture_fail(torture, "r/w file not visible via normal share\n");
}
if (!is_visible(hideunread, fname)) {
torture_fail(torture, "r/w file not visible via hide unreadable\n");
}
if (!is_visible(hideunwrite, fname)) {
torture_fail(torture, "r/w file not visible via hide unwriteable\n");
}
/* R/O file should not be visible via hide unwriteable files */
status = smbcli_chmod(cli->tree, fname, UNIX_R_USR);
torture_assert_ntstatus_ok(torture, status, "smbcli_chmod failed\n");
if (is_writeable(torture, cli->tree, fname)) {
torture_fail(torture, "r/o is writable\n");
}
if (!is_readable(cli->tree, fname)) {
torture_fail(torture, "r/o not readable\n");
}
if (!is_visible(cli->tree, fname)) {
torture_fail(torture, "r/o file not visible via normal share\n");
}
if (!is_visible(hideunread, fname)) {
torture_fail(torture, "r/o file not visible via hide unreadable\n");
}
if (is_visible(hideunwrite, fname)) {
torture_fail(torture, "r/o file visible via hide unwriteable\n");
}
/* inaccessible file should be only visible on normal share */
status = smbcli_chmod(cli->tree, fname, 0);
torture_assert_ntstatus_ok(torture, status, "smbcli_chmod failed\n");
if (is_writeable(torture, cli->tree, fname)) {
torture_fail(torture, "inaccessible file is writable\n");
}
if (is_readable(cli->tree, fname)) {
torture_fail(torture, "inaccessible file is readable\n");
}
if (!is_visible(cli->tree, fname)) {
torture_fail(torture, "inaccessible file not visible via normal share\n");
}
if (is_visible(hideunread, fname)) {
torture_fail(torture, "inaccessible file visible via hide unreadable\n");
}
if (is_visible(hideunwrite, fname)) {
torture_fail(torture, "inaccessible file visible via hide unwriteable\n");
}
smbcli_chmod(cli->tree, fname, UNIX_R_USR|UNIX_W_USR);
smbcli_unlink(cli->tree, fname);
return true;
}
/*
test a simple savefile/loadfile combination
*/
static bool test_fetchfile(struct smbcli_state *cli, struct torture_context *tctx)
{
const char *fname = BASEDIR "\\test.txt";
NTSTATUS status;
struct smb_composite_savefile io1;
struct smb_composite_fetchfile io2;
struct composite_context **c;
uint8_t *data;
int i;
size_t len = random() % 10000;
extern int torture_numops;
struct tevent_context *event_ctx;
int *count = talloc_zero(tctx, int);
bool ret = true;
data = talloc_array(tctx, uint8_t, len);
generate_random_buffer(data, len);
io1.in.fname = fname;
io1.in.data = data;
io1.in.size = len;
printf("testing savefile\n");
status = smb_composite_savefile(cli->tree, &io1);
if (!NT_STATUS_IS_OK(status)) {
printf("(%s) savefile failed: %s\n",__location__, nt_errstr(status));
return false;
}
io2.in.dest_host = torture_setting_string(tctx, "host", NULL);
io2.in.ports = lp_smb_ports(tctx->lp_ctx);
io2.in.called_name = torture_setting_string(tctx, "host", NULL);
io2.in.service = torture_setting_string(tctx, "share", NULL);
io2.in.service_type = "A:";
io2.in.credentials = cmdline_credentials;
io2.in.workgroup = lp_workgroup(tctx->lp_ctx);
io2.in.filename = fname;
io2.in.resolve_ctx = lp_resolve_context(tctx->lp_ctx);
io2.in.iconv_convenience = lp_iconv_convenience(tctx->lp_ctx);
io2.in.gensec_settings = lp_gensec_settings(tctx, tctx->lp_ctx);
lp_smbcli_options(tctx->lp_ctx, &io2.in.options);
lp_smbcli_session_options(tctx->lp_ctx, &io2.in.session_options);
printf("testing parallel fetchfile with %d ops\n", torture_numops);
event_ctx = cli->transport->socket->event.ctx;
c = talloc_array(tctx, struct composite_context *, torture_numops);
for (i=0; i<torture_numops; i++) {
c[i] = smb_composite_fetchfile_send(&io2, event_ctx);
c[i]->async.fn = loadfile_complete;
c[i]->async.private_data = count;
}
printf("waiting for completion\n");
while (*count != torture_numops) {
event_loop_once(event_ctx);
if (torture_setting_bool(tctx, "progress", true)) {
printf("(%s) count=%d\r", __location__, *count);
fflush(stdout);
}
}
printf("count=%d\n", *count);
for (i=0;i<torture_numops;i++) {
status = smb_composite_fetchfile_recv(c[i], tctx);
if (!NT_STATUS_IS_OK(status)) {
printf("(%s) loadfile[%d] failed - %s\n", __location__, i,
nt_errstr(status));
ret = false;
continue;
}
if (io2.out.size != len) {
printf("(%s) wrong length in returned data - %d "
"should be %d\n", __location__,
io2.out.size, (int)len);
ret = false;
continue;
}
if (memcmp(io2.out.data, data, len) != 0) {
printf("(%s) wrong data in loadfile!\n", __location__);
ret = false;
continue;
}
}
return ret;
}
