static bool test_create_trust_and_set_info(struct dcerpc_pipe *p, struct torture_context *tctx, const char *trust_name, const char *trust_name_dns, struct dom_sid *domsid, struct lsa_TrustDomainInfoAuthInfoInternal *authinfo) { struct policy_handle *handle; NTSTATUS status; struct lsa_lsaRSetForestTrustInformation fti; struct lsa_ForestTrustCollisionInfo *collision_info = NULL; struct lsa_Close cr; struct policy_handle closed_handle; bool ret = true; struct lsa_CreateTrustedDomainEx2 r; struct lsa_TrustDomainInfoInfoEx trustinfo; struct policy_handle trustdom_handle; struct lsa_QueryTrustedDomainInfo q; union lsa_TrustedDomainInfo *info = NULL; if (!test_get_policy_handle(tctx, p, (LSA_POLICY_VIEW_LOCAL_INFORMATION | LSA_POLICY_TRUST_ADMIN | LSA_POLICY_CREATE_SECRET), &handle)) { return false; } torture_comment(tctx, "\nTesting CreateTrustedDomainEx2\n"); trustinfo.sid = domsid; trustinfo.netbios_name.string = trust_name; trustinfo.domain_name.string = trust_name_dns; trustinfo.trust_direction = LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND; trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL; trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE; r.in.policy_handle = handle; r.in.info = &trustinfo; r.in.auth_info_internal = authinfo; /* LSA_TRUSTED_QUERY_DOMAIN_NAME is needed for for following * QueryTrustedDomainInfo call, although it seems that Windows does not * expect this */ r.in.access_mask = LSA_TRUSTED_SET_POSIX | LSA_TRUSTED_SET_AUTH | LSA_TRUSTED_QUERY_DOMAIN_NAME; r.out.trustdom_handle = &trustdom_handle; torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomainEx2_r(p->binding_handle, tctx, &r), "CreateTrustedDomainEx2 failed"); if (!NT_STATUS_IS_OK(r.out.result)) { torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(r.out.result)); ret = false; } else { q.in.trustdom_handle = &trustdom_handle; q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX; q.out.info = &info; torture_assert_ntstatus_ok(tctx, 
dcerpc_lsa_QueryTrustedDomainInfo_r(p->binding_handle, tctx, &q), "QueryTrustedDomainInfo failed"); if (!NT_STATUS_IS_OK(q.out.result)) { torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(q.out.result)); ret = false; } else if (!q.out.info) { torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed to return an info pointer\n"); ret = false; } else { if (strcmp(info->info_ex.netbios_name.string, trustinfo.netbios_name.string) != 0) { torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistent short name: %s != %s\n", info->info_ex.netbios_name.string, trustinfo.netbios_name.string); ret = false; } if (info->info_ex.trust_type != trustinfo.trust_type) { torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n", trust_name, info->info_ex.trust_type, trustinfo.trust_type); ret = false; } if (info->info_ex.trust_attributes != trustinfo.trust_attributes) { torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n", trust_name, info->info_ex.trust_attributes, trustinfo.trust_attributes); ret = false; } if (info->info_ex.trust_direction != trustinfo.trust_direction) { torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n", trust_name, info->info_ex.trust_direction, trustinfo.trust_direction); ret = false; } } } if (ret != false) { fti.in.handle = handle; fti.in.trusted_domain_name = talloc_zero(tctx, struct lsa_StringLarge); fti.in.trusted_domain_name->string = trust_name_dns; fti.in.highest_record_type = 2; fti.in.forest_trust_info = talloc_zero(tctx, struct lsa_ForestTrustInformation); fti.in.forest_trust_info->count = 2; fti.in.forest_trust_info->entries = talloc_array(tctx, struct lsa_ForestTrustRecord *, 2); fti.in.forest_trust_info->entries[0] = talloc_zero(tctx, struct lsa_ForestTrustRecord); fti.in.forest_trust_info->entries[0]->flags = 0; fti.in.forest_trust_info->entries[0]->type = 
LSA_FOREST_TRUST_TOP_LEVEL_NAME; fti.in.forest_trust_info->entries[0]->time = 0; fti.in.forest_trust_info->entries[0]->forest_trust_data.top_level_name.string = trust_name_dns; fti.in.forest_trust_info->entries[1] = talloc_zero(tctx, struct lsa_ForestTrustRecord); fti.in.forest_trust_info->entries[1]->flags = 0; fti.in.forest_trust_info->entries[1]->type = LSA_FOREST_TRUST_DOMAIN_INFO; fti.in.forest_trust_info->entries[1]->time = 0; fti.in.forest_trust_info->entries[1]->forest_trust_data.domain_info.domain_sid = domsid; fti.in.forest_trust_info->entries[1]->forest_trust_data.domain_info.dns_domain_name.string = trust_name_dns; fti.in.forest_trust_info->entries[1]->forest_trust_data.domain_info.netbios_domain_name.string = trust_name; fti.in.check_only = 0; fti.out.collision_info = &collision_info; torture_comment(tctx, "\nTesting SetForestTrustInformation\n"); torture_assert_ntstatus_ok(tctx, dcerpc_lsa_lsaRSetForestTrustInformation_r(p->binding_handle, tctx, &fti), "lsaRSetForestTrustInformation failed"); if (!NT_STATUS_IS_OK(fti.out.result)) { torture_comment(tctx, "lsaRSetForestTrustInformation failed - %s\n", nt_errstr(fti.out.result)); ret = false; } }
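/*
 * Create a two-way, forest-transitive trust towards trust_name /
 * trust_name_dns (SID domsid, trust authentication material authinfo) on
 * the LSA server behind p, read the trusted domain object back to make sure
 * the server stored what was sent, and then publish a minimal forest trust
 * information record set for it.
 *
 * Returns true on success.  Every failure goes through the torture_assert*
 * macros, which print the message and return false immediately; on such an
 * early return the policy handle and the trusted domain handle are left
 * open (NOTE(review): this relies on the test framework tearing the
 * connection down to release them).
 *
 * NOTE: this is not a read-only probe.  CreateTrustedDomainEx2 and
 * lsaRSetForestTrustInformation modify the target DC's trust configuration
 * (and the former takes the trust authentication material in authinfo), so
 * this must only ever be run against a disposable test DC.
 */
static bool test_create_trust_and_set_info(struct dcerpc_pipe *p,
					   struct torture_context *tctx,
					   const char *trust_name,
					   const char *trust_name_dns,
					   struct dom_sid *domsid,
					   struct lsa_TrustDomainInfoAuthInfoInternal *authinfo)
{
	struct policy_handle *handle;
	struct policy_handle trustdom_handle;
	struct policy_handle closed_handle;
	struct lsa_TrustDomainInfoInfoEx trustinfo;
	struct lsa_CreateTrustedDomainEx2 r;
	struct lsa_QueryTrustedDomainInfo q;
	union lsa_TrustedDomainInfo *info = NULL;
	struct lsa_lsaRSetForestTrustInformation fti;
	struct lsa_ForestTrustCollisionInfo *collision_info = NULL;
	struct lsa_ForestTrustInformation *ft_info;
	struct lsa_ForestTrustRecord *tln_record;
	struct lsa_ForestTrustRecord *domain_record;
	struct lsa_Close cr;

	/*
	 * TRUST_ADMIN is what authorises creating the trust and setting the
	 * forest trust information; CREATE_SECRET covers the trust secrets
	 * that are created alongside the trusted domain object.
	 */
	if (!test_get_policy_handle(tctx, p,
				    (LSA_POLICY_VIEW_LOCAL_INFORMATION |
				     LSA_POLICY_TRUST_ADMIN |
				     LSA_POLICY_CREATE_SECRET),
				    &handle)) {
		return false;
	}

	torture_comment(tctx, "\nTesting CreateTrustedDomainEx2\n");

	trustinfo.sid = domsid;
	trustinfo.netbios_name.string = trust_name;
	trustinfo.domain_name.string = trust_name_dns;
	trustinfo.trust_direction = LSA_TRUST_DIRECTION_INBOUND |
				    LSA_TRUST_DIRECTION_OUTBOUND;
	trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL;
	/*
	 * MS-LSAD: Section 3.1.4.7.10 makes it clear that Win2k3
	 * functional level and above return
	 * NT_STATUS_INVALID_DOMAIN_STATE if
	 * TRUST_ATTRIBUTE_FOREST_TRANSITIVE or
	 * TRUST_ATTRIBUTE_CROSS_ORGANIZATION is set here.
	 *
	 * But we really want to test forest trusts here.
	 */
	trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;

	r.in.policy_handle = handle;
	r.in.info = &trustinfo;
	r.in.auth_info_internal = authinfo;
	/*
	 * LSA_TRUSTED_QUERY_DOMAIN_NAME is needed for the following
	 * QueryTrustedDomainInfo call, although it seems that Windows does
	 * not expect this.
	 */
	r.in.access_mask = LSA_TRUSTED_SET_POSIX |
			   LSA_TRUSTED_SET_AUTH |
			   LSA_TRUSTED_QUERY_DOMAIN_NAME;
	r.out.trustdom_handle = &trustdom_handle;

	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_CreateTrustedDomainEx2_r(p->binding_handle, tctx, &r),
				   "CreateTrustedDomainEx2 failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
				   "CreateTrustedDomainEx2 failed");

	/* Read the new object back and compare it with what was requested. */
	q.in.trustdom_handle = &trustdom_handle;
	q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
	q.out.info = &info;
	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_QueryTrustedDomainInfo_r(p->binding_handle, tctx, &q),
				   "QueryTrustedDomainInfo failed");
	torture_assert_ntstatus_ok(tctx, q.out.result,
				   "QueryTrustedDomainInfo level 1");
	torture_assert(tctx, q.out.info != NULL,
		       "QueryTrustedDomainInfo level 1 failed to return an info pointer");
	torture_assert_str_equal(tctx, info->info_ex.netbios_name.string,
				 trustinfo.netbios_name.string,
				 "QueryTrustedDomainInfo returned inconsistent short name");
	torture_assert_int_equal(tctx, info->info_ex.trust_type,
				 trustinfo.trust_type,
				 "QueryTrustedDomainInfo returned incorrect trust type");
	torture_assert_int_equal(tctx, info->info_ex.trust_attributes,
				 trustinfo.trust_attributes,
				 "QueryTrustedDomainInfo of returned incorrect trust attributes");
	torture_assert_int_equal(tctx, info->info_ex.trust_direction,
				 trustinfo.trust_direction,
				 "QueryTrustedDomainInfo of returned incorrect trust direction");

	/*
	 * Forest trust information: one top-level-name record claiming the
	 * DNS name, and one domain-info record tying SID, DNS name and
	 * NetBIOS name together.
	 */
	ft_info = talloc_zero(tctx, struct lsa_ForestTrustInformation);
	torture_assert(tctx, ft_info != NULL, "talloc_zero failed");
	ft_info->count = 2;
	ft_info->entries = talloc_array(tctx, struct lsa_ForestTrustRecord *, 2);
	torture_assert(tctx, ft_info->entries != NULL, "talloc_array failed");

	tln_record = talloc_zero(tctx, struct lsa_ForestTrustRecord);
	torture_assert(tctx, tln_record != NULL, "talloc_zero failed");
	tln_record->flags = 0;
	tln_record->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
	tln_record->time = 0;
	tln_record->forest_trust_data.top_level_name.string = trust_name_dns;
	ft_info->entries[0] = tln_record;

	domain_record = talloc_zero(tctx, struct lsa_ForestTrustRecord);
	torture_assert(tctx, domain_record != NULL, "talloc_zero failed");
	domain_record->flags = 0;
	domain_record->type = LSA_FOREST_TRUST_DOMAIN_INFO;
	domain_record->time = 0;
	domain_record->forest_trust_data.domain_info.domain_sid = domsid;
	domain_record->forest_trust_data.domain_info.dns_domain_name.string = trust_name_dns;
	domain_record->forest_trust_data.domain_info.netbios_domain_name.string = trust_name;
	ft_info->entries[1] = domain_record;

	fti.in.handle = handle;
	fti.in.trusted_domain_name = talloc_zero(tctx, struct lsa_StringLarge);
	torture_assert(tctx, fti.in.trusted_domain_name != NULL,
		       "talloc_zero failed");
	fti.in.trusted_domain_name->string = trust_name_dns;
	/*
	 * The newest record type we send; DOMAIN_INFO (== 2) is the highest
	 * one used above, so name it instead of hard-coding the number.
	 */
	fti.in.highest_record_type = LSA_FOREST_TRUST_DOMAIN_INFO;
	fti.in.forest_trust_info = ft_info;
	/* 0: actually commit the records rather than only validating them. */
	fti.in.check_only = 0;
	fti.out.collision_info = &collision_info;

	torture_comment(tctx, "\nTesting SetForestTrustInformation\n");
	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_lsaRSetForestTrustInformation_r(p->binding_handle, tctx, &fti),
				   "lsaRSetForestTrustInformation failed");
	torture_assert_ntstatus_ok(tctx, fti.out.result,
				   "lsaRSetForestTrustInformation failed");
	/*
	 * A successful result can still come back with collision records,
	 * i.e. entries the server refused to enable because they clash with
	 * an existing trust or the local forest.  The original code ignored
	 * that output entirely; at least make it visible so a partially
	 * applied record set does not go unnoticed in later checks.
	 */
	if (collision_info != NULL && collision_info->count > 0) {
		torture_comment(tctx,
				"lsaRSetForestTrustInformation reported %u colliding record(s) for %s\n",
				collision_info->count, trust_name_dns);
	}

	/*
	 * Release the trusted domain handle opened by CreateTrustedDomainEx2
	 * before the policy handle; previously it was never closed, leaving
	 * an open handle on the server for the lifetime of the connection.
	 */
	cr.in.handle = &trustdom_handle;
	cr.out.handle = &closed_handle;
	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_Close_r(p->binding_handle, tctx, &cr),
				   "Close of trusted domain handle failed");
	torture_assert_ntstatus_ok(tctx, cr.out.result,
				   "Close of trusted domain handle failed");

	cr.in.handle = handle;
	cr.out.handle = &closed_handle;
	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_Close_r(p->binding_handle, tctx, &cr),
				   "Close failed");
	torture_assert_ntstatus_ok(tctx, cr.out.result, "Close failed");

	return true;
}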