/**
* Obtain the client principal for this credentials context.
* @param cred credentials context
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
{
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred);
}
if (cred->principal_obtained == CRED_CALLBACK &&
!cred->callback_running) {
cred->callback_running = True;
cred->principal = cred->principal_cb(cred);
cred->callback_running = False;
cred->principal_obtained = CRED_SPECIFIED;
}
if (cred->principal_obtained < cred->username_obtained) {
if (cred->domain_obtained > cred->realm_obtained) {
return talloc_asprintf(mem_ctx, "%s@%s",
cli_credentials_get_username(cred),
cli_credentials_get_domain(cred));
} else {
return talloc_asprintf(mem_ctx, "%s@%s",
cli_credentials_get_username(cred),
cli_credentials_get_realm(cred));
}
}
return talloc_reference(mem_ctx, cred->principal);
}
/**
* Obtain the client principal for this credentials context.
* @param cred credentials context
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
_PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained)
{
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred,
cred->machine_account_pending_lp_ctx);
}
if (cred->principal_obtained == CRED_CALLBACK &&
!cred->callback_running) {
cred->callback_running = true;
cred->principal = cred->principal_cb(cred);
cred->callback_running = false;
if (cred->principal_obtained == CRED_CALLBACK) {
cred->principal_obtained = CRED_CALLBACK_RESULT;
cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
}
}
if (cred->principal_obtained < cred->username_obtained
|| cred->principal_obtained < MAX(cred->domain_obtained, cred->realm_obtained)) {
if (cred->domain_obtained > cred->realm_obtained) {
*obtained = MIN(cred->domain_obtained, cred->username_obtained);
return talloc_asprintf(mem_ctx, "%s@%s",
cli_credentials_get_username(cred),
cli_credentials_get_domain(cred));
} else {
*obtained = MIN(cred->domain_obtained, cred->username_obtained);
return talloc_asprintf(mem_ctx, "%s@%s",
cli_credentials_get_username(cred),
cli_credentials_get_realm(cred));
}
}
*obtained = cred->principal_obtained;
return talloc_strdup(mem_ctx, cred->principal);
}
static bool test_wbc_getgroups(struct torture_context *tctx)
{
wbcErr ret;
uint32_t num_groups;
gid_t *groups;
ret = wbcGetGroups(cli_credentials_get_username(cmdline_credentials), &num_groups, &groups);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"wbcGetGroups for %s failed", cli_credentials_get_username(cmdline_credentials));
wbcFreeMemory(groups);
return true;
}
NTSTATUS rpccli_create_netlogon_creds_ctx(
struct cli_credentials *creds,
const char *server_computer,
struct messaging_context *msg_ctx,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **creds_ctx)
{
enum netr_SchannelType sec_chan_type;
const char *server_netbios_domain;
const char *server_dns_domain;
const char *client_account;
sec_chan_type = cli_credentials_get_secure_channel_type(creds);
client_account = cli_credentials_get_username(creds);
server_netbios_domain = cli_credentials_get_domain(creds);
server_dns_domain = cli_credentials_get_realm(creds);
return rpccli_create_netlogon_creds(server_computer,
server_netbios_domain,
server_dns_domain,
client_account,
sec_chan_type,
msg_ctx, mem_ctx,
creds_ctx);
}
NTSTATUS rpccli_create_netlogon_creds_with_creds(struct cli_credentials *creds,
const char *server_computer,
struct messaging_context *msg_ctx,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **netlogon_creds)
{
enum netr_SchannelType sec_chan_type;
const char *server_netbios_domain;
const char *client_account;
sec_chan_type = cli_credentials_get_secure_channel_type(creds);
if (sec_chan_type == SEC_CHAN_NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
client_account = cli_credentials_get_username(creds);
server_netbios_domain = cli_credentials_get_domain(creds);
return rpccli_create_netlogon_creds(server_computer,
server_netbios_domain,
client_account,
sec_chan_type,
msg_ctx, mem_ctx,
netlogon_creds);
}
/*
* Test that a ticket obtained for the DNS service will be accepted on the Samba DLZ side
*
*/
static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech)
{
NTSTATUS status;
struct gensec_security *gensec_client_context;
DATA_BLOB client_to_server, server_to_client;
void *dbdata;
const char *argv[] = {
"samba_dlz",
"-H",
lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
NULL
};
tctx_static = tctx;
torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, discard_const_p(char *, argv), &dbdata,
"log", dlz_bind9_log_wrapper,
"writeable_zone", dlz_bind9_writeable_zone_hook, NULL),
ISC_R_SUCCESS,
"Failed to create samba_dlz");
torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
ISC_R_SUCCESS,
"Failed to configure samba_dlz");
status = gensec_client_start(tctx, &gensec_client_context,
lpcfg_gensec_settings(tctx, tctx->lp_ctx));
torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
status = gensec_set_target_hostname(gensec_client_context, torture_setting_string(tctx, "host", NULL));
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
status = gensec_start_mech_by_sasl_name(gensec_client_context, mech);
torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
server_to_client = data_blob(NULL, 0);
/* Do one step of the client-server update dance */
status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
}
torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
lpcfg_dnsdomain(tctx->lp_ctx),
"127.0.0.1", "type", "key",
client_to_server.length,
client_to_server.data,
dbdata),
ISC_R_SUCCESS,
"Failed to check key for update rights samba_dlz");
dlz_destroy(dbdata);
return true;
}
static bool test_NetrJoinDomain(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
NTSTATUS status;
struct wkssvc_NetrJoinDomain r;
struct cli_credentials *creds = cmdline_credentials;
const char *user = cli_credentials_get_username(creds);
const char *admin_account = NULL;
struct dcerpc_binding_handle *b = p->binding_handle;
admin_account = talloc_asprintf(tctx, "%s\\%s",
lpcfg_workgroup(tctx->lp_ctx),
user);
r.in.server_name = dcerpc_server_name(p);
r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
r.in.account_ou = NULL;
r.in.Account = admin_account;
r.in.password = NULL;
r.in.join_flags = 0;
torture_comment(tctx, "Testing NetrJoinDomain\n");
status = dcerpc_wkssvc_NetrJoinDomain_r(b, tctx, &r);
torture_assert_ntstatus_ok(tctx, status,
"NetrJoinDomain failed");
torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
"NetrJoinDomain failed");
return true;
}
_PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
{
const char *username;
/* if bind dn is set it's not anonymous */
if (cred->bind_dn) {
return false;
}
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred,
cred->machine_account_pending_lp_ctx);
}
/* if principal is set, it's not anonymous */
if ((cred->principal != NULL) && cred->principal_obtained >= cred->username_obtained) {
return false;
}
username = cli_credentials_get_username(cred);
/* Yes, it is deliberate that we die if we have a NULL pointer
* here - anonymous is "", not NULL, which is 'never specified,
* never guessed', ie programmer bug */
if (!username[0]) {
return true;
}
return false;
}
bool torture_libnetapi_init_context(struct torture_context *tctx,
struct libnetapi_ctx **ctx_p)
{
NET_API_STATUS status;
struct libnetapi_ctx *ctx;
TALLOC_CTX *frame = talloc_stackframe();
if (!lp_load_global(lpcfg_configfile(tctx->lp_ctx))) {
fprintf(stderr, "error loading %s\n", lpcfg_configfile(tctx->lp_ctx));
talloc_free(frame);
return W_ERROR_V(WERR_GENERAL_FAILURE);
}
init_names();
load_interfaces();
status = libnetapi_net_init(&ctx);
if (status != 0) {
talloc_free(frame);
return false;
}
libnetapi_set_username(ctx,
cli_credentials_get_username(cmdline_credentials));
libnetapi_set_password(ctx,
cli_credentials_get_password(cmdline_credentials));
*ctx_p = ctx;
talloc_free(frame);
return true;
}
static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
struct cli_credentials *machine_account,
struct smb_krb5_context *smb_krb5_context,
krb5_principal *salt_princ)
{
krb5_error_code ret;
char *machine_username;
char *salt_body;
char *lower_realm;
const char *salt_principal;
struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
if (!mem_ctx) {
return ENOMEM;
}
salt_principal = cli_credentials_get_salt_principal(machine_account);
if (salt_principal) {
ret = krb5_parse_name(smb_krb5_context->krb5_context, salt_principal, salt_princ);
} else {
machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account));
if (!machine_username) {
talloc_free(mem_ctx);
return ENOMEM;
}
if (machine_username[strlen(machine_username)-1] == '$') {
machine_username[strlen(machine_username)-1] = '\0';
}
lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account));
if (!lower_realm) {
talloc_free(mem_ctx);
return ENOMEM;
}
salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username,
lower_realm);
if (!salt_body) {
talloc_free(mem_ctx);
return ENOMEM;
}
ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ,
cli_credentials_get_realm(machine_account),
"host", salt_body, NULL);
}
if (ret == 0) {
/* This song-and-dance effectivly puts the principal
* into talloc, so we can't loose it. */
mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
mem_ctx->principal = *salt_princ;
talloc_set_destructor(mem_ctx, free_principal);
}
return ret;
}
static bool test_parse_string(struct torture_context *tctx)
{
struct cli_credentials *creds = cli_credentials_init_anon(tctx);
/* anonymous */
cli_credentials_parse_string(creds, "%", CRED_SPECIFIED);
torture_assert_str_equal(tctx, cli_credentials_get_domain(creds),
"", "domain");
torture_assert_str_equal(tctx, cli_credentials_get_username(creds),
"", "username");
torture_assert(tctx, cli_credentials_get_password(creds) == NULL,
"password");
/* username + password */
cli_credentials_parse_string(creds, "somebody%secret",
CRED_SPECIFIED);
torture_assert_str_equal(tctx, cli_credentials_get_domain(creds),
"", "domain");
torture_assert_str_equal(tctx, cli_credentials_get_username(creds),
"somebody", "username");
torture_assert_str_equal(tctx, cli_credentials_get_password(creds),
"secret", "password");
/* principal */
cli_credentials_parse_string(creds, "prin@styx",
CRED_SPECIFIED);
torture_assert_str_equal(tctx, cli_credentials_get_realm(creds),
"STYX", "realm");
torture_assert_str_equal(tctx,
cli_credentials_get_principal(creds, tctx),
"prin@styx", "principal");
return true;
}
static int net_password_change(struct net_context *ctx, int argc, const char **argv)
{
NTSTATUS status;
struct libnet_context *libnetctx;
union libnet_ChangePassword r;
char *password_prompt = NULL;
const char *new_password;
if (argc > 0 && argv[0]) {
new_password = argv[0];
} else {
password_prompt = talloc_asprintf(ctx, "Enter new password for account [%s\\%s]:",
cli_credentials_get_domain(ctx->credentials),
cli_credentials_get_username(ctx->credentials));
new_password = getpass(password_prompt);
}
libnetctx = libnet_context_init(ctx->event_ctx, ctx->lp_ctx);
if (!libnetctx) {
return -1;
}
libnetctx->cred = ctx->credentials;
/* prepare password change */
r.generic.level = LIBNET_CHANGE_PASSWORD_GENERIC;
r.generic.in.account_name = cli_credentials_get_username(ctx->credentials);
r.generic.in.domain_name = cli_credentials_get_domain(ctx->credentials);
r.generic.in.oldpassword = cli_credentials_get_password(ctx->credentials);
r.generic.in.newpassword = new_password;
/* do password change */
status = libnet_ChangePassword(libnetctx, ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("net_password_change: %s\n",r.generic.out.error_string));
return -1;
}
talloc_free(libnetctx);
return 0;
}
_PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
const char **username,
const char **domain)
{
if (cred->principal_obtained > cred->username_obtained) {
*domain = talloc_strdup(mem_ctx, "");
*username = cli_credentials_get_principal(cred, mem_ctx);
} else {
*domain = cli_credentials_get_domain(cred);
*username = cli_credentials_get_username(cred);
}
}
static bool test_wbc_authenticate_user_int(struct torture_context *tctx,
const char *correct_password)
{
struct wbcAuthUserParams params;
struct wbcAuthUserInfo *info = NULL;
struct wbcAuthErrorInfo *error = NULL;
wbcErr ret;
ret = wbcAuthenticateUser(cli_credentials_get_username(cmdline_credentials), correct_password);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"wbcAuthenticateUser of %s failed",
cli_credentials_get_username(cmdline_credentials));
ZERO_STRUCT(params);
params.account_name = cli_credentials_get_username(cmdline_credentials);
params.level = WBC_AUTH_USER_LEVEL_PLAIN;
params.password.plaintext = correct_password;
ret = wbcAuthenticateUserEx(¶ms, &info, &error);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"wbcAuthenticateUserEx of %s failed", params.account_name);
wbcFreeMemory(info);
info = NULL;
wbcFreeMemory(error);
error = NULL;
params.password.plaintext = "wrong";
ret = wbcAuthenticateUserEx(¶ms, &info, &error);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR,
"wbcAuthenticateUserEx for %s succeeded where it "
"should have failed", params.account_name);
wbcFreeMemory(info);
info = NULL;
wbcFreeMemory(error);
error = NULL;
return true;
}
static bool test_init_anonymous(struct torture_context *tctx)
{
struct cli_credentials *creds = cli_credentials_init_anon(tctx);
torture_assert_str_equal(tctx, cli_credentials_get_domain(creds),
"", "domain");
torture_assert_str_equal(tctx, cli_credentials_get_username(creds),
"", "username");
torture_assert(tctx, cli_credentials_get_password(creds) == NULL,
"password");
return true;
}
static bool test_NetrWkstaUserGetInfo(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
NTSTATUS status;
struct wkssvc_NetrWkstaUserGetInfo r;
union wkssvc_NetrWkstaUserInfo info;
const char *dom = lpcfg_workgroup(tctx->lp_ctx);
struct cli_credentials *creds = cmdline_credentials;
const char *user = cli_credentials_get_username(creds);
int i;
struct dcerpc_binding_handle *b = p->binding_handle;
const struct {
const char *unknown;
uint32_t level;
WERROR result;
} tests[] = {
{ NULL, 0, WERR_NO_SUCH_LOGON_SESSION },
{ NULL, 1, WERR_NO_SUCH_LOGON_SESSION },
{ NULL, 1101, WERR_OK },
{ dom, 0, WERR_INVALID_PARAM },
{ dom, 1, WERR_INVALID_PARAM },
{ dom, 1101, WERR_INVALID_PARAM },
{ user, 0, WERR_INVALID_PARAM },
{ user, 1, WERR_INVALID_PARAM },
{ user, 1101, WERR_INVALID_PARAM },
};
for (i=0; i<ARRAY_SIZE(tests); i++) {
r.in.unknown = tests[i].unknown;
r.in.level = tests[i].level;
r.out.info = &info;
torture_comment(tctx, "Testing NetrWkstaUserGetInfo level %u\n",
r.in.level);
status = dcerpc_wkssvc_NetrWkstaUserGetInfo_r(b, tctx, &r);
torture_assert_ntstatus_ok(tctx, status,
"NetrWkstaUserGetInfo failed");
torture_assert_werr_equal(tctx, r.out.result,
tests[i].result,
"NetrWkstaUserGetInfo failed");
}
return true;
}
bool torture_libsmbclient_init_context(struct torture_context *tctx,
SMBCCTX **ctx_p)
{
SMBCCTX *ctx;
ctx = smbc_new_context();
torture_assert(tctx, ctx, "failed to get new context");
torture_assert(tctx, smbc_init_context(ctx), "failed to init context");
smbc_setDebug(ctx, DEBUGLEVEL);
smbc_setOptionDebugToStderr(ctx, 1);
/* yes, libsmbclient API frees the username when freeing the context, so
* have to pass malloced data here */
smbc_setUser(ctx, strdup(cli_credentials_get_username(cmdline_credentials)));
*ctx_p = ctx;
return true;
}
static bool test_init(struct torture_context *tctx)
{
struct cli_credentials *creds = cli_credentials_init(tctx);
cli_credentials_set_domain(creds, "bla", CRED_SPECIFIED);
torture_assert_str_equal(tctx, "BLA", cli_credentials_get_domain(creds),
"domain");
cli_credentials_set_username(creds, "someuser", CRED_SPECIFIED);
torture_assert_str_equal(tctx, "someuser",
cli_credentials_get_username(creds),
"username");
cli_credentials_set_password(creds, "p4ssw0rd", CRED_SPECIFIED);
torture_assert_str_equal(tctx, "p4ssw0rd",
cli_credentials_get_password(creds),
"password");
return true;
}
static PyObject *py_creds_get_username(PyObject *self, PyObject *unused)
{
return PyString_FromStringOrNULL(cli_credentials_get_username(PyCredentials_AsCliCredentials(self)));
}
/* Get the keytab (actually, a container containing the krb5_keytab)
* attached to this context. If this hasn't been done or set before,
* it will be generated from the password.
*/
_PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct keytab_container **_ktc)
{
krb5_error_code ret;
struct keytab_container *ktc;
struct smb_krb5_context *smb_krb5_context;
const char *keytab_name;
krb5_keytab keytab;
TALLOC_CTX *mem_ctx;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
cred->username_obtained))) {
*_ktc = cred->keytab;
return 0;
}
if (cli_credentials_is_anonymous(cred)) {
return EINVAL;
}
ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&smb_krb5_context);
if (ret) {
return ret;
}
mem_ctx = talloc_new(cred);
if (!mem_ctx) {
return ENOMEM;
}
ret = smb_krb5_create_memory_keytab(mem_ctx,
smb_krb5_context->krb5_context,
cli_credentials_get_password(cred),
cli_credentials_get_username(cred),
cli_credentials_get_realm(cred),
cli_credentials_get_kvno(cred),
&keytab, &keytab_name);
if (ret) {
talloc_free(mem_ctx);
return ret;
}
ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context,
keytab, keytab_name, &ktc);
if (ret) {
talloc_free(mem_ctx);
return ret;
}
cred->keytab_obtained = (MAX(cred->principal_obtained,
cred->username_obtained));
/* We make this keytab up based on a password. Therefore
* match-by-key is acceptable, we can't match on the wrong
* principal */
ktc->password_based = true;
talloc_steal(cred, ktc);
cred->keytab = ktc;
*_ktc = cred->keytab;
talloc_free(mem_ctx);
return ret;
}
static bool test_wbc_logon_user(struct torture_context *tctx)
{
struct wbcLogonUserParams params;
struct wbcLogonUserInfo *info = NULL;
struct wbcAuthErrorInfo *error = NULL;
struct wbcUserPasswordPolicyInfo *policy = NULL;
struct wbcInterfaceDetails *iface;
struct wbcDomainSid sid;
enum wbcSidType sidtype;
char *sidstr;
wbcErr ret;
ZERO_STRUCT(params);
ret = wbcLogonUser(¶ms, &info, &error, &policy);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_INVALID_PARAM,
"%s", "wbcLogonUser succeeded for NULL where it should "
"have failed");
params.username = cli_credentials_get_username(cmdline_credentials);
params.password = cli_credentials_get_password(cmdline_credentials);
ret = wbcAddNamedBlob(¶ms.num_blobs, ¶ms.blobs,
"foo", 0, discard_const_p(uint8_t, "bar"), 4);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"%s", "wbcAddNamedBlob failed");
ret = wbcLogonUser(¶ms, &info, &error, &policy);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"wbcLogonUser for %s failed", params.username);
wbcFreeMemory(info);
info = NULL;
wbcFreeMemory(error);
error = NULL;
wbcFreeMemory(policy);
policy = NULL;
params.password = "******";
ret = wbcLogonUser(¶ms, &info, &error, &policy);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR,
"wbcLogonUser for %s should have failed with "
"WBC_ERR_AUTH_ERROR", params.username);
wbcFreeMemory(info);
info = NULL;
wbcFreeMemory(error);
error = NULL;
wbcFreeMemory(policy);
policy = NULL;
ret = wbcAddNamedBlob(¶ms.num_blobs, ¶ms.blobs,
"membership_of", 0,
discard_const_p(uint8_t, "S-1-2-3-4"),
strlen("S-1-2-3-4")+1);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"%s", "wbcAddNamedBlob failed");
params.password = cli_credentials_get_password(cmdline_credentials);
ret = wbcLogonUser(¶ms, &info, &error, &policy);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR,
"wbcLogonUser for %s should have failed with "
"WBC_ERR_AUTH_ERROR", params.username);
wbcFreeMemory(info);
info = NULL;
wbcFreeMemory(error);
error = NULL;
wbcFreeMemory(policy);
policy = NULL;
wbcFreeMemory(params.blobs);
params.blobs = NULL;
params.num_blobs = 0;
ret = wbcInterfaceDetails(&iface);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"%s", "wbcInterfaceDetails failed");
ret = wbcLookupName(iface->netbios_domain, cli_credentials_get_username(cmdline_credentials), &sid,
&sidtype);
wbcFreeMemory(iface);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"wbcLookupName for %s failed", cli_credentials_get_username(cmdline_credentials));
ret = wbcSidToString(&sid, &sidstr);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"%s", "wbcSidToString failed");
ret = wbcAddNamedBlob(¶ms.num_blobs, ¶ms.blobs,
"membership_of", 0,
(uint8_t *)sidstr, strlen(sidstr)+1);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"%s", "wbcAddNamedBlob failed");
wbcFreeMemory(sidstr);
params.password = cli_credentials_get_password(cmdline_credentials);
ret = wbcLogonUser(¶ms, &info, &error, &policy);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"wbcLogonUser for %s failed", params.username);
wbcFreeMemory(info);
info = NULL;
wbcFreeMemory(error);
error = NULL;
wbcFreeMemory(policy);
policy = NULL;
wbcFreeMemory(params.blobs);
params.blobs = NULL;
params.num_blobs = 0;
return true;
}
static bool test_wbc_change_password(struct torture_context *tctx)
{
wbcErr ret;
const char *oldpass = cli_credentials_get_password(cmdline_credentials);
const char *newpass = "******";
struct samr_CryptPassword new_nt_password;
struct samr_CryptPassword new_lm_password;
struct samr_Password old_nt_hash_enc;
struct samr_Password old_lanman_hash_enc;
uint8_t old_nt_hash[16];
uint8_t old_lanman_hash[16];
uint8_t new_nt_hash[16];
uint8_t new_lanman_hash[16];
struct wbcChangePasswordParams params;
if (oldpass == NULL) {
torture_skip(tctx,
"skipping wbcChangeUserPassword test as old password cannot be retrieved\n");
}
ZERO_STRUCT(params);
E_md4hash(oldpass, old_nt_hash);
E_md4hash(newpass, new_nt_hash);
if (lpcfg_client_lanman_auth(tctx->lp_ctx) &&
E_deshash(newpass, new_lanman_hash) &&
E_deshash(oldpass, old_lanman_hash)) {
/* E_deshash returns false for 'long' passwords (> 14
DOS chars). This allows us to match Win2k, which
does not store a LM hash for these passwords (which
would reduce the effective password length to 14) */
encode_pw_buffer(new_lm_password.data, newpass, STR_UNICODE);
arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_lanman_hash,
old_lanman_hash_enc.hash);
params.old_password.response.old_lm_hash_enc_length =
sizeof(old_lanman_hash_enc.hash);
params.old_password.response.old_lm_hash_enc_data =
old_lanman_hash_enc.hash;
params.new_password.response.lm_length =
sizeof(new_lm_password.data);
params.new_password.response.lm_data =
new_lm_password.data;
} else {
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_lanman_hash_enc);
}
encode_pw_buffer(new_nt_password.data, newpass, STR_UNICODE);
arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
params.old_password.response.old_nt_hash_enc_length =
sizeof(old_nt_hash_enc.hash);
params.old_password.response.old_nt_hash_enc_data =
old_nt_hash_enc.hash;
params.new_password.response.nt_length = sizeof(new_nt_password.data);
params.new_password.response.nt_data = new_nt_password.data;
params.level = WBC_CHANGE_PASSWORD_LEVEL_RESPONSE;
params.account_name = cli_credentials_get_username(cmdline_credentials);
params.domain_name = cli_credentials_get_domain(cmdline_credentials);
ret = wbcChangeUserPasswordEx(¶ms, NULL, NULL, NULL);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"wbcChangeUserPassword for %s failed", params.account_name);
if (!test_wbc_authenticate_user_int(tctx, newpass)) {
return false;
}
ret = wbcChangeUserPassword(cli_credentials_get_username(cmdline_credentials), newpass,
cli_credentials_get_password(cmdline_credentials));
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"wbcChangeUserPassword for %s failed", params.account_name);
return test_wbc_authenticate_user_int(tctx, cli_credentials_get_password(cmdline_credentials));
}
/*
* Test some updates
*/
static bool test_dlz_bind9_update01(struct torture_context *tctx)
{
NTSTATUS status;
struct gensec_security *gensec_client_context;
DATA_BLOB client_to_server, server_to_client;
void *dbdata;
void *version = NULL;
const char *argv[] = {
"samba_dlz",
"-H",
lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
NULL
};
struct test_expected_rr *expected1 = NULL;
char *name = NULL;
char *data0 = NULL;
char *data1 = NULL;
char *data2 = NULL;
bool ret = false;
tctx_static = tctx;
torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata,
"log", dlz_bind9_log_wrapper,
"writeable_zone", dlz_bind9_writeable_zone_hook,
"putrr", dlz_bind9_putrr_hook,
"putnamedrr", dlz_bind9_putnamedrr_hook,
NULL),
ISC_R_SUCCESS,
"Failed to create samba_dlz");
torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
ISC_R_SUCCESS,
"Failed to configure samba_dlz");
expected1 = talloc_zero(tctx, struct test_expected_rr);
torture_assert(tctx, expected1 != NULL, "talloc failed");
expected1->tctx = tctx;
expected1->query_name = __func__;
name = talloc_asprintf(expected1, "%s.%s",
expected1->query_name,
lpcfg_dnsdomain(tctx->lp_ctx));
torture_assert(tctx, name != NULL, "talloc failed");
expected1->num_records = 2;
expected1->records = talloc_zero_array(expected1,
struct test_expected_record,
expected1->num_records);
torture_assert(tctx, expected1->records != NULL, "talloc failed");
expected1->records[0].name = expected1->query_name;
expected1->records[0].type = "a";
expected1->records[0].ttl = 3600;
expected1->records[0].data = "127.1.2.3";
expected1->records[0].printed = false;
data0 = talloc_asprintf(expected1,
"%s.\t" "%u\t" "%s\t" "%s\t" "%s",
name,
(unsigned)expected1->records[0].ttl,
"in",
expected1->records[0].type,
expected1->records[0].data);
torture_assert(tctx, data0 != NULL, "talloc failed");
expected1->records[1].name = expected1->query_name;
expected1->records[1].type = "a";
expected1->records[1].ttl = 3600;
expected1->records[1].data = "127.3.2.1";
expected1->records[1].printed = false;
data1 = talloc_asprintf(expected1,
"%s.\t" "%u\t" "%s\t" "%s\t" "%s",
name,
(unsigned)expected1->records[1].ttl,
"in",
expected1->records[1].type,
expected1->records[1].data);
torture_assert(tctx, data1 != NULL, "talloc failed");
data2 = talloc_asprintf(expected1,
"%s.\t" "0\t" "in\t" "a\t" "127.3.3.3",
name);
torture_assert(tctx, data2 != NULL, "talloc failed");
/*
* Prepare session info
*/
status = gensec_client_start(tctx, &gensec_client_context,
lpcfg_gensec_settings(tctx, tctx->lp_ctx));
torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
/*
* dlz_bind9 use the special dns/host.domain account
*/
status = gensec_set_target_hostname(gensec_client_context,
talloc_asprintf(tctx,
"%s.%s",
torture_setting_string(tctx, "host", NULL),
lpcfg_dnsdomain(tctx->lp_ctx)));
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
status = gensec_set_target_service(gensec_client_context, "dns");
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_service failed");
status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSS-SPNEGO");
torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
server_to_client = data_blob(NULL, 0);
/* Do one step of the client-server update dance */
status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
}
torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
name,
"127.0.0.1",
expected1->records[0].type,
"key",
client_to_server.length,
client_to_server.data,
dbdata),
ISC_TRUE,
"Failed to check key for update rights samba_dlz");
/*
* We test the following:
*
* 1. lookup the records => NOT_FOUND
* 2. delete all records => NOT_FOUND
* 3. delete 1st record => NOT_FOUND
* 4. create 1st record => SUCCESS
* 5. lookup the records => found 1st
* 6. create 2nd record => SUCCESS
* 7. lookup the records => found 1st and 2nd
* 8. delete unknown record => NOT_FOUND
* 9. lookup the records => found 1st and 2nd
* 10. delete 1st record => SUCCESS
* 11. lookup the records => found 2nd
* 12. delete 2nd record => SUCCESS
* 13. lookup the records => NOT_FOUND
* 14. create 1st record => SUCCESS
* 15. lookup the records => found 1st
* 16. create 2nd record => SUCCESS
* 17. lookup the records => found 1st and 2nd
* 18. update 1st record => SUCCESS
* 19. lookup the records => found 1st and 2nd
* 20. delete all unknown type records => NOT_FOUND
* 21. lookup the records => found 1st and 2nd
* 22. delete all records => SUCCESS
* 23. lookup the records => NOT_FOUND
*/
/* Step 1. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_NOTFOUND,
"Found hostname");
torture_assert_int_equal(tctx, expected1->num_rr, 0,
"Got wrong record count");
/* Step 2. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_delrdataset(name,
expected1->records[0].type,
dbdata, version),
ISC_R_NOTFOUND, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n",
name, expected1->records[0].type));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
/* Step 3. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data0, dbdata, version),
ISC_R_NOTFOUND, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
/* Step 4. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 5. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert_int_equal(tctx, expected1->num_rr, 1,
"Got wrong record count");
/* Step 6. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data1, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data1));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 7. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 8. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data2, dbdata, version),
ISC_R_NOTFOUND, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n",
name, data2));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 9. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 10. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 11. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 1,
"Got wrong record count");
/* Step 12. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data1, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n",
name, data1));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 13. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_NOTFOUND,
"Found hostname");
torture_assert_int_equal(tctx, expected1->num_rr, 0,
"Got wrong record count");
/* Step 14. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 15. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert_int_equal(tctx, expected1->num_rr, 1,
"Got wrong record count");
/* Step 16. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data1, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data1));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 17. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 18. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to update name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 19. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 20. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_delrdataset(name, "txt", dbdata, version),
ISC_R_FAILURE, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n",
name, "txt"));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
/* Step 21. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 22. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_delrdataset(name,
expected1->records[0].type,
dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to delete name[%s] type[%s]\n",
name, expected1->records[0].type));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 23. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_NOTFOUND,
"Found hostname");
torture_assert_int_equal(tctx, expected1->num_rr, 0,
"Got wrong record count");
dlz_destroy(dbdata);
return true;
cancel_version:
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
return ret;
}
static struct bkrp_BackupKey *createRestoreGUIDStruct(struct torture_context *tctx,
struct dcerpc_pipe *p, int version, DATA_BLOB *out,
bool norevert,
bool broken_version,
bool broken_user,
bool broken_magic_secret,
bool broken_magic_access,
bool broken_hash_access,
bool broken_cert_guid)
{
struct dcerpc_binding_handle *b = p->binding_handle;
struct bkrp_client_side_wrapped data;
DATA_BLOB *xs;
DATA_BLOB *sec;
DATA_BLOB *enc_sec;
DATA_BLOB *enc_xs;
DATA_BLOB *blob2;
DATA_BLOB enc_sec_reverted;
DATA_BLOB des3_key;
DATA_BLOB aes_key;
DATA_BLOB iv;
DATA_BLOB out_blob;
struct GUID *guid, *g;
int t;
uint32_t size;
enum ndr_err_code ndr_err;
NTSTATUS status;
const char *user;
struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, version, &out_blob);
if (r == NULL) {
return NULL;
}
if (broken_user) {
/* we take a fake user*/
user = "******";
} else {
user = cli_credentials_get_username(cmdline_credentials);
}
torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
"Get GUID");
/*
* We have to set it outside of the function createRetreiveBackupKeyGUIDStruct
* the len of the blob, this is due to the fact that they don't have the
* same size (one is 32bits the other 64bits)
*/
out_blob.length = *r->out.data_out_len;
sec = create_unencryptedsecret(tctx, broken_magic_secret, version);
if (sec == NULL) {
return NULL;
}
xs = create_access_check(tctx, p, tctx, user, broken_hash_access, version);
if (xs == NULL) {
return NULL;
}
if (broken_magic_access){
/* The start of the access_check structure contains the
* GUID of the certificate
*/
xs->data[0]++;
}
enc_sec = encrypt_blob_pk(tctx, tctx, out_blob.data, out_blob.length, sec);
if (!enc_sec) {
return NULL;
}
enc_sec_reverted.data = talloc_array(tctx, uint8_t, enc_sec->length);
if (enc_sec_reverted.data == NULL) {
return NULL;
}
enc_sec_reverted.length = enc_sec->length;
/*
* We DO NOT revert the array on purpose it's in order to check that
* when the server is not able to decrypt then it answer the correct error
*/
if (norevert) {
for(t=0; t< enc_sec->length; t++) {
enc_sec_reverted.data[t] = ((uint8_t*)enc_sec->data)[t];
}
} else {
for(t=0; t< enc_sec->length; t++) {
enc_sec_reverted.data[t] = ((uint8_t*)enc_sec->data)[enc_sec->length - t -1];
}
}
size = sec->length;
if (version ==2) {
const AlgorithmIdentifier *alg = hx509_crypto_des_rsdi_ede3_cbc();
iv.data = sec->data+(size - 8);
iv.length = 8;
des3_key.data = sec->data+(size - 32);
des3_key.length = 24;
enc_xs = encrypt_blob(tctx, tctx, &des3_key, &iv, xs, alg);
}
if (version == 3) {
const AlgorithmIdentifier *alg = hx509_crypto_aes256_cbc();
iv.data = sec->data+(size-16);
iv.length = 16;
aes_key.data = sec->data+(size-48);
aes_key.length = 32;
enc_xs = encrypt_blob(tctx, tctx, &aes_key, &iv, xs, alg);
}
if (!enc_xs) {
return NULL;
}
/* To cope with the fact that heimdal do padding at the end for the moment */
enc_xs->length = xs->length;
guid = get_cert_guid(tctx, tctx, out_blob.data, out_blob.length);
if (guid == NULL) {
return NULL;
}
if (broken_version) {
data.version = 1;
} else {
data.version = version;
}
data.guid = *guid;
data.encrypted_secret = enc_sec_reverted.data;
data.access_check = enc_xs->data;
data.encrypted_secret_len = enc_sec->length;
data.access_check_len = enc_xs->length;
/* We want the blob to persist after this function so we don't
* allocate it in the stack
*/
blob2 = talloc(tctx, DATA_BLOB);
if (blob2 == NULL) {
return NULL;
}
ndr_err = ndr_push_struct_blob(blob2, tctx, &data,
(ndr_push_flags_fn_t)ndr_push_bkrp_client_side_wrapped);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return NULL;
}
if (broken_cert_guid) {
blob2->data[12]++;
}
ZERO_STRUCT(*r);
g = talloc(tctx, struct GUID);
if (g == NULL) {
return NULL;
}
status = GUID_from_string(BACKUPKEY_RESTORE_GUID, g);
if (!NT_STATUS_IS_OK(status)) {
return NULL;
}
r->in.guidActionAgent = g;
r->in.data_in = blob2->data;
r->in.data_in_len = blob2->length;
r->in.param = 0;
r->out.data_out = &(out->data);
r->out.data_out_len = talloc(r, uint32_t);
return r;
}
/* Get the keytab (actually, a container containing the krb5_keytab)
* attached to this context. If this hasn't been done or set before,
* it will be generated from the password.
*/
_PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct keytab_container **_ktc)
{
krb5_error_code ret;
struct keytab_container *ktc;
struct smb_krb5_context *smb_krb5_context;
const char *keytab_name;
krb5_keytab keytab;
TALLOC_CTX *mem_ctx;
const char *username = cli_credentials_get_username(cred);
const char *realm = cli_credentials_get_realm(cred);
const char *error_string;
const char *salt_principal;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
cred->username_obtained))) {
*_ktc = cred->keytab;
return 0;
}
if (cli_credentials_is_anonymous(cred)) {
return EINVAL;
}
ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&smb_krb5_context);
if (ret) {
return ret;
}
mem_ctx = talloc_new(cred);
if (!mem_ctx) {
return ENOMEM;
}
/*
* FIXME: Currently there is no better way than to create the correct
* salt principal by checking if the username ends with a '$'. It would
* be better if it is part of the credentials.
*/
ret = smb_krb5_create_salt_principal(mem_ctx,
username,
realm,
&salt_principal,
&error_string);
if (ret) {
talloc_free(mem_ctx);
return ret;
}
ret = smb_krb5_create_memory_keytab(mem_ctx,
smb_krb5_context->krb5_context,
cli_credentials_get_password(cred),
username,
realm,
salt_principal,
cli_credentials_get_kvno(cred),
&keytab,
&keytab_name);
if (ret) {
talloc_free(mem_ctx);
return ret;
}
ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context,
keytab, keytab_name, &ktc);
if (ret) {
talloc_free(mem_ctx);
return ret;
}
cred->keytab_obtained = (MAX(cred->principal_obtained,
cred->username_obtained));
/* We make this keytab up based on a password. Therefore
* match-by-key is acceptable, we can't match on the wrong
* principal */
ktc->password_based = true;
talloc_steal(cred, ktc);
cred->keytab = ktc;
*_ktc = cred->keytab;
talloc_free(mem_ctx);
return ret;
}
