/** * Obtain the client principal for this credentials context. * @param cred credentials context * @retval The username set on this context. * @note Return value will never be NULL except by programmer error. */ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) { if (cred->machine_account_pending) { cli_credentials_set_machine_account(cred); } if (cred->principal_obtained == CRED_CALLBACK && !cred->callback_running) { cred->callback_running = True; cred->principal = cred->principal_cb(cred); cred->callback_running = False; cred->principal_obtained = CRED_SPECIFIED; } if (cred->principal_obtained < cred->username_obtained) { if (cred->domain_obtained > cred->realm_obtained) { return talloc_asprintf(mem_ctx, "%s@%s", cli_credentials_get_username(cred), cli_credentials_get_domain(cred)); } else { return talloc_asprintf(mem_ctx, "%s@%s", cli_credentials_get_username(cred), cli_credentials_get_realm(cred)); } } return talloc_reference(mem_ctx, cred->principal); }
/** * Obtain the client principal for this credentials context. * @param cred credentials context * @retval The username set on this context. * @note Return value will never be NULL except by programmer error. */ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained) { if (cred->machine_account_pending) { cli_credentials_set_machine_account(cred, cred->machine_account_pending_lp_ctx); } if (cred->principal_obtained == CRED_CALLBACK && !cred->callback_running) { cred->callback_running = true; cred->principal = cred->principal_cb(cred); cred->callback_running = false; if (cred->principal_obtained == CRED_CALLBACK) { cred->principal_obtained = CRED_CALLBACK_RESULT; cli_credentials_invalidate_ccache(cred, cred->principal_obtained); } } if (cred->principal_obtained < cred->username_obtained || cred->principal_obtained < MAX(cred->domain_obtained, cred->realm_obtained)) { if (cred->domain_obtained > cred->realm_obtained) { *obtained = MIN(cred->domain_obtained, cred->username_obtained); return talloc_asprintf(mem_ctx, "%s@%s", cli_credentials_get_username(cred), cli_credentials_get_domain(cred)); } else { *obtained = MIN(cred->domain_obtained, cred->username_obtained); return talloc_asprintf(mem_ctx, "%s@%s", cli_credentials_get_username(cred), cli_credentials_get_realm(cred)); } } *obtained = cred->principal_obtained; return talloc_strdup(mem_ctx, cred->principal); }
static bool test_wbc_getgroups(struct torture_context *tctx) { wbcErr ret; uint32_t num_groups; gid_t *groups; ret = wbcGetGroups(cli_credentials_get_username(cmdline_credentials), &num_groups, &groups); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "wbcGetGroups for %s failed", cli_credentials_get_username(cmdline_credentials)); wbcFreeMemory(groups); return true; }
NTSTATUS rpccli_create_netlogon_creds_ctx( struct cli_credentials *creds, const char *server_computer, struct messaging_context *msg_ctx, TALLOC_CTX *mem_ctx, struct netlogon_creds_cli_context **creds_ctx) { enum netr_SchannelType sec_chan_type; const char *server_netbios_domain; const char *server_dns_domain; const char *client_account; sec_chan_type = cli_credentials_get_secure_channel_type(creds); client_account = cli_credentials_get_username(creds); server_netbios_domain = cli_credentials_get_domain(creds); server_dns_domain = cli_credentials_get_realm(creds); return rpccli_create_netlogon_creds(server_computer, server_netbios_domain, server_dns_domain, client_account, sec_chan_type, msg_ctx, mem_ctx, creds_ctx); }
NTSTATUS rpccli_create_netlogon_creds_with_creds(struct cli_credentials *creds, const char *server_computer, struct messaging_context *msg_ctx, TALLOC_CTX *mem_ctx, struct netlogon_creds_cli_context **netlogon_creds) { enum netr_SchannelType sec_chan_type; const char *server_netbios_domain; const char *client_account; sec_chan_type = cli_credentials_get_secure_channel_type(creds); if (sec_chan_type == SEC_CHAN_NULL) { return NT_STATUS_INVALID_PARAMETER_MIX; } client_account = cli_credentials_get_username(creds); server_netbios_domain = cli_credentials_get_domain(creds); return rpccli_create_netlogon_creds(server_computer, server_netbios_domain, client_account, sec_chan_type, msg_ctx, mem_ctx, netlogon_creds); }
/* * Test that a ticket obtained for the DNS service will be accepted on the Samba DLZ side * */ static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech) { NTSTATUS status; struct gensec_security *gensec_client_context; DATA_BLOB client_to_server, server_to_client; void *dbdata; const char *argv[] = { "samba_dlz", "-H", lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"), NULL }; tctx_static = tctx; torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, discard_const_p(char *, argv), &dbdata, "log", dlz_bind9_log_wrapper, "writeable_zone", dlz_bind9_writeable_zone_hook, NULL), ISC_R_SUCCESS, "Failed to create samba_dlz"); torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ISC_R_SUCCESS, "Failed to configure samba_dlz"); status = gensec_client_start(tctx, &gensec_client_context, lpcfg_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); status = gensec_set_target_hostname(gensec_client_context, torture_setting_string(tctx, "host", NULL)); torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed"); status = gensec_set_credentials(gensec_client_context, cmdline_credentials); torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed"); status = gensec_start_mech_by_sasl_name(gensec_client_context, mech); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); server_to_client = data_blob(NULL, 0); /* Do one step of the client-server update dance */ status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed"); } torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials), lpcfg_dnsdomain(tctx->lp_ctx), "127.0.0.1", "type", "key", client_to_server.length, client_to_server.data, dbdata), ISC_R_SUCCESS, "Failed to check key for update rights samba_dlz"); dlz_destroy(dbdata); return true; }
static bool test_NetrJoinDomain(struct torture_context *tctx, struct dcerpc_pipe *p) { NTSTATUS status; struct wkssvc_NetrJoinDomain r; struct cli_credentials *creds = cmdline_credentials; const char *user = cli_credentials_get_username(creds); const char *admin_account = NULL; struct dcerpc_binding_handle *b = p->binding_handle; admin_account = talloc_asprintf(tctx, "%s\\%s", lpcfg_workgroup(tctx->lp_ctx), user); r.in.server_name = dcerpc_server_name(p); r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx); r.in.account_ou = NULL; r.in.Account = admin_account; r.in.password = NULL; r.in.join_flags = 0; torture_comment(tctx, "Testing NetrJoinDomain\n"); status = dcerpc_wkssvc_NetrJoinDomain_r(b, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "NetrJoinDomain failed"); torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED, "NetrJoinDomain failed"); return true; }
_PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred) { const char *username; /* if bind dn is set it's not anonymous */ if (cred->bind_dn) { return false; } if (cred->machine_account_pending) { cli_credentials_set_machine_account(cred, cred->machine_account_pending_lp_ctx); } /* if principal is set, it's not anonymous */ if ((cred->principal != NULL) && cred->principal_obtained >= cred->username_obtained) { return false; } username = cli_credentials_get_username(cred); /* Yes, it is deliberate that we die if we have a NULL pointer * here - anonymous is "", not NULL, which is 'never specified, * never guessed', ie programmer bug */ if (!username[0]) { return true; } return false; }
bool torture_libnetapi_init_context(struct torture_context *tctx, struct libnetapi_ctx **ctx_p) { NET_API_STATUS status; struct libnetapi_ctx *ctx; TALLOC_CTX *frame = talloc_stackframe(); if (!lp_load_global(lpcfg_configfile(tctx->lp_ctx))) { fprintf(stderr, "error loading %s\n", lpcfg_configfile(tctx->lp_ctx)); talloc_free(frame); return W_ERROR_V(WERR_GENERAL_FAILURE); } init_names(); load_interfaces(); status = libnetapi_net_init(&ctx); if (status != 0) { talloc_free(frame); return false; } libnetapi_set_username(ctx, cli_credentials_get_username(cmdline_credentials)); libnetapi_set_password(ctx, cli_credentials_get_password(cmdline_credentials)); *ctx_p = ctx; talloc_free(frame); return true; }
static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, struct cli_credentials *machine_account, struct smb_krb5_context *smb_krb5_context, krb5_principal *salt_princ) { krb5_error_code ret; char *machine_username; char *salt_body; char *lower_realm; const char *salt_principal; struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container); if (!mem_ctx) { return ENOMEM; } salt_principal = cli_credentials_get_salt_principal(machine_account); if (salt_principal) { ret = krb5_parse_name(smb_krb5_context->krb5_context, salt_principal, salt_princ); } else { machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account)); if (!machine_username) { talloc_free(mem_ctx); return ENOMEM; } if (machine_username[strlen(machine_username)-1] == '$') { machine_username[strlen(machine_username)-1] = '\0'; } lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account)); if (!lower_realm) { talloc_free(mem_ctx); return ENOMEM; } salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username, lower_realm); if (!salt_body) { talloc_free(mem_ctx); return ENOMEM; } ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ, cli_credentials_get_realm(machine_account), "host", salt_body, NULL); } if (ret == 0) { /* This song-and-dance effectivly puts the principal * into talloc, so we can't loose it. */ mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context); mem_ctx->principal = *salt_princ; talloc_set_destructor(mem_ctx, free_principal); } return ret; }
static bool test_parse_string(struct torture_context *tctx) { struct cli_credentials *creds = cli_credentials_init_anon(tctx); /* anonymous */ cli_credentials_parse_string(creds, "%", CRED_SPECIFIED); torture_assert_str_equal(tctx, cli_credentials_get_domain(creds), "", "domain"); torture_assert_str_equal(tctx, cli_credentials_get_username(creds), "", "username"); torture_assert(tctx, cli_credentials_get_password(creds) == NULL, "password"); /* username + password */ cli_credentials_parse_string(creds, "somebody%secret", CRED_SPECIFIED); torture_assert_str_equal(tctx, cli_credentials_get_domain(creds), "", "domain"); torture_assert_str_equal(tctx, cli_credentials_get_username(creds), "somebody", "username"); torture_assert_str_equal(tctx, cli_credentials_get_password(creds), "secret", "password"); /* principal */ cli_credentials_parse_string(creds, "prin@styx", CRED_SPECIFIED); torture_assert_str_equal(tctx, cli_credentials_get_realm(creds), "STYX", "realm"); torture_assert_str_equal(tctx, cli_credentials_get_principal(creds, tctx), "prin@styx", "principal"); return true; }
static int net_password_change(struct net_context *ctx, int argc, const char **argv) { NTSTATUS status; struct libnet_context *libnetctx; union libnet_ChangePassword r; char *password_prompt = NULL; const char *new_password; if (argc > 0 && argv[0]) { new_password = argv[0]; } else { password_prompt = talloc_asprintf(ctx, "Enter new password for account [%s\\%s]:", cli_credentials_get_domain(ctx->credentials), cli_credentials_get_username(ctx->credentials)); new_password = getpass(password_prompt); } libnetctx = libnet_context_init(ctx->event_ctx, ctx->lp_ctx); if (!libnetctx) { return -1; } libnetctx->cred = ctx->credentials; /* prepare password change */ r.generic.level = LIBNET_CHANGE_PASSWORD_GENERIC; r.generic.in.account_name = cli_credentials_get_username(ctx->credentials); r.generic.in.domain_name = cli_credentials_get_domain(ctx->credentials); r.generic.in.oldpassword = cli_credentials_get_password(ctx->credentials); r.generic.in.newpassword = new_password; /* do password change */ status = libnet_ChangePassword(libnetctx, ctx, &r); if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("net_password_change: %s\n",r.generic.out.error_string)); return -1; } talloc_free(libnetctx); return 0; }
_PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, const char **username, const char **domain) { if (cred->principal_obtained > cred->username_obtained) { *domain = talloc_strdup(mem_ctx, ""); *username = cli_credentials_get_principal(cred, mem_ctx); } else { *domain = cli_credentials_get_domain(cred); *username = cli_credentials_get_username(cred); } }
static bool test_wbc_authenticate_user_int(struct torture_context *tctx, const char *correct_password) { struct wbcAuthUserParams params; struct wbcAuthUserInfo *info = NULL; struct wbcAuthErrorInfo *error = NULL; wbcErr ret; ret = wbcAuthenticateUser(cli_credentials_get_username(cmdline_credentials), correct_password); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "wbcAuthenticateUser of %s failed", cli_credentials_get_username(cmdline_credentials)); ZERO_STRUCT(params); params.account_name = cli_credentials_get_username(cmdline_credentials); params.level = WBC_AUTH_USER_LEVEL_PLAIN; params.password.plaintext = correct_password; ret = wbcAuthenticateUserEx(¶ms, &info, &error); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "wbcAuthenticateUserEx of %s failed", params.account_name); wbcFreeMemory(info); info = NULL; wbcFreeMemory(error); error = NULL; params.password.plaintext = "wrong"; ret = wbcAuthenticateUserEx(¶ms, &info, &error); torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR, "wbcAuthenticateUserEx for %s succeeded where it " "should have failed", params.account_name); wbcFreeMemory(info); info = NULL; wbcFreeMemory(error); error = NULL; return true; }
static bool test_init_anonymous(struct torture_context *tctx) { struct cli_credentials *creds = cli_credentials_init_anon(tctx); torture_assert_str_equal(tctx, cli_credentials_get_domain(creds), "", "domain"); torture_assert_str_equal(tctx, cli_credentials_get_username(creds), "", "username"); torture_assert(tctx, cli_credentials_get_password(creds) == NULL, "password"); return true; }
static bool test_NetrWkstaUserGetInfo(struct torture_context *tctx, struct dcerpc_pipe *p) { NTSTATUS status; struct wkssvc_NetrWkstaUserGetInfo r; union wkssvc_NetrWkstaUserInfo info; const char *dom = lpcfg_workgroup(tctx->lp_ctx); struct cli_credentials *creds = cmdline_credentials; const char *user = cli_credentials_get_username(creds); int i; struct dcerpc_binding_handle *b = p->binding_handle; const struct { const char *unknown; uint32_t level; WERROR result; } tests[] = { { NULL, 0, WERR_NO_SUCH_LOGON_SESSION }, { NULL, 1, WERR_NO_SUCH_LOGON_SESSION }, { NULL, 1101, WERR_OK }, { dom, 0, WERR_INVALID_PARAM }, { dom, 1, WERR_INVALID_PARAM }, { dom, 1101, WERR_INVALID_PARAM }, { user, 0, WERR_INVALID_PARAM }, { user, 1, WERR_INVALID_PARAM }, { user, 1101, WERR_INVALID_PARAM }, }; for (i=0; i<ARRAY_SIZE(tests); i++) { r.in.unknown = tests[i].unknown; r.in.level = tests[i].level; r.out.info = &info; torture_comment(tctx, "Testing NetrWkstaUserGetInfo level %u\n", r.in.level); status = dcerpc_wkssvc_NetrWkstaUserGetInfo_r(b, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "NetrWkstaUserGetInfo failed"); torture_assert_werr_equal(tctx, r.out.result, tests[i].result, "NetrWkstaUserGetInfo failed"); } return true; }
bool torture_libsmbclient_init_context(struct torture_context *tctx, SMBCCTX **ctx_p) { SMBCCTX *ctx; ctx = smbc_new_context(); torture_assert(tctx, ctx, "failed to get new context"); torture_assert(tctx, smbc_init_context(ctx), "failed to init context"); smbc_setDebug(ctx, DEBUGLEVEL); smbc_setOptionDebugToStderr(ctx, 1); /* yes, libsmbclient API frees the username when freeing the context, so * have to pass malloced data here */ smbc_setUser(ctx, strdup(cli_credentials_get_username(cmdline_credentials))); *ctx_p = ctx; return true; }
static bool test_init(struct torture_context *tctx) { struct cli_credentials *creds = cli_credentials_init(tctx); cli_credentials_set_domain(creds, "bla", CRED_SPECIFIED); torture_assert_str_equal(tctx, "BLA", cli_credentials_get_domain(creds), "domain"); cli_credentials_set_username(creds, "someuser", CRED_SPECIFIED); torture_assert_str_equal(tctx, "someuser", cli_credentials_get_username(creds), "username"); cli_credentials_set_password(creds, "p4ssw0rd", CRED_SPECIFIED); torture_assert_str_equal(tctx, "p4ssw0rd", cli_credentials_get_password(creds), "password"); return true; }
static PyObject *py_creds_get_username(PyObject *self, PyObject *unused) { return PyString_FromStringOrNULL(cli_credentials_get_username(PyCredentials_AsCliCredentials(self))); }
/* Get the keytab (actually, a container containing the krb5_keytab) * attached to this context. If this hasn't been done or set before, * it will be generated from the password. */ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, struct loadparm_context *lp_ctx, struct keytab_container **_ktc) { krb5_error_code ret; struct keytab_container *ktc; struct smb_krb5_context *smb_krb5_context; const char *keytab_name; krb5_keytab keytab; TALLOC_CTX *mem_ctx; if (cred->keytab_obtained >= (MAX(cred->principal_obtained, cred->username_obtained))) { *_ktc = cred->keytab; return 0; } if (cli_credentials_is_anonymous(cred)) { return EINVAL; } ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); if (ret) { return ret; } mem_ctx = talloc_new(cred); if (!mem_ctx) { return ENOMEM; } ret = smb_krb5_create_memory_keytab(mem_ctx, smb_krb5_context->krb5_context, cli_credentials_get_password(cred), cli_credentials_get_username(cred), cli_credentials_get_realm(cred), cli_credentials_get_kvno(cred), &keytab, &keytab_name); if (ret) { talloc_free(mem_ctx); return ret; } ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context, keytab, keytab_name, &ktc); if (ret) { talloc_free(mem_ctx); return ret; } cred->keytab_obtained = (MAX(cred->principal_obtained, cred->username_obtained)); /* We make this keytab up based on a password. Therefore * match-by-key is acceptable, we can't match on the wrong * principal */ ktc->password_based = true; talloc_steal(cred, ktc); cred->keytab = ktc; *_ktc = cred->keytab; talloc_free(mem_ctx); return ret; }
static bool test_wbc_logon_user(struct torture_context *tctx) { struct wbcLogonUserParams params; struct wbcLogonUserInfo *info = NULL; struct wbcAuthErrorInfo *error = NULL; struct wbcUserPasswordPolicyInfo *policy = NULL; struct wbcInterfaceDetails *iface; struct wbcDomainSid sid; enum wbcSidType sidtype; char *sidstr; wbcErr ret; ZERO_STRUCT(params); ret = wbcLogonUser(¶ms, &info, &error, &policy); torture_assert_wbc_equal(tctx, ret, WBC_ERR_INVALID_PARAM, "%s", "wbcLogonUser succeeded for NULL where it should " "have failed"); params.username = cli_credentials_get_username(cmdline_credentials); params.password = cli_credentials_get_password(cmdline_credentials); ret = wbcAddNamedBlob(¶ms.num_blobs, ¶ms.blobs, "foo", 0, discard_const_p(uint8_t, "bar"), 4); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "%s", "wbcAddNamedBlob failed"); ret = wbcLogonUser(¶ms, &info, &error, &policy); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "wbcLogonUser for %s failed", params.username); wbcFreeMemory(info); info = NULL; wbcFreeMemory(error); error = NULL; wbcFreeMemory(policy); policy = NULL; params.password = "******"; ret = wbcLogonUser(¶ms, &info, &error, &policy); torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR, "wbcLogonUser for %s should have failed with " "WBC_ERR_AUTH_ERROR", params.username); wbcFreeMemory(info); info = NULL; wbcFreeMemory(error); error = NULL; wbcFreeMemory(policy); policy = NULL; ret = wbcAddNamedBlob(¶ms.num_blobs, ¶ms.blobs, "membership_of", 0, discard_const_p(uint8_t, "S-1-2-3-4"), strlen("S-1-2-3-4")+1); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "%s", "wbcAddNamedBlob failed"); params.password = cli_credentials_get_password(cmdline_credentials); ret = wbcLogonUser(¶ms, &info, &error, &policy); torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR, "wbcLogonUser for %s should have failed with " "WBC_ERR_AUTH_ERROR", params.username); wbcFreeMemory(info); info = NULL; wbcFreeMemory(error); error = NULL; wbcFreeMemory(policy); policy = NULL; wbcFreeMemory(params.blobs); params.blobs = NULL; params.num_blobs = 0; ret = wbcInterfaceDetails(&iface); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "%s", "wbcInterfaceDetails failed"); ret = wbcLookupName(iface->netbios_domain, cli_credentials_get_username(cmdline_credentials), &sid, &sidtype); wbcFreeMemory(iface); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "wbcLookupName for %s failed", cli_credentials_get_username(cmdline_credentials)); ret = wbcSidToString(&sid, &sidstr); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "%s", "wbcSidToString failed"); ret = wbcAddNamedBlob(¶ms.num_blobs, ¶ms.blobs, "membership_of", 0, (uint8_t *)sidstr, strlen(sidstr)+1); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "%s", "wbcAddNamedBlob failed"); wbcFreeMemory(sidstr); params.password = cli_credentials_get_password(cmdline_credentials); ret = wbcLogonUser(¶ms, &info, &error, &policy); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "wbcLogonUser for %s failed", params.username); wbcFreeMemory(info); info = NULL; wbcFreeMemory(error); error = NULL; wbcFreeMemory(policy); policy = NULL; wbcFreeMemory(params.blobs); params.blobs = NULL; params.num_blobs = 0; return true; }
static bool test_wbc_change_password(struct torture_context *tctx) { wbcErr ret; const char *oldpass = cli_credentials_get_password(cmdline_credentials); const char *newpass = "******"; struct samr_CryptPassword new_nt_password; struct samr_CryptPassword new_lm_password; struct samr_Password old_nt_hash_enc; struct samr_Password old_lanman_hash_enc; uint8_t old_nt_hash[16]; uint8_t old_lanman_hash[16]; uint8_t new_nt_hash[16]; uint8_t new_lanman_hash[16]; struct wbcChangePasswordParams params; if (oldpass == NULL) { torture_skip(tctx, "skipping wbcChangeUserPassword test as old password cannot be retrieved\n"); } ZERO_STRUCT(params); E_md4hash(oldpass, old_nt_hash); E_md4hash(newpass, new_nt_hash); if (lpcfg_client_lanman_auth(tctx->lp_ctx) && E_deshash(newpass, new_lanman_hash) && E_deshash(oldpass, old_lanman_hash)) { /* E_deshash returns false for 'long' passwords (> 14 DOS chars). This allows us to match Win2k, which does not store a LM hash for these passwords (which would reduce the effective password length to 14) */ encode_pw_buffer(new_lm_password.data, newpass, STR_UNICODE); arcfour_crypt(new_lm_password.data, old_nt_hash, 516); E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash); params.old_password.response.old_lm_hash_enc_length = sizeof(old_lanman_hash_enc.hash); params.old_password.response.old_lm_hash_enc_data = old_lanman_hash_enc.hash; params.new_password.response.lm_length = sizeof(new_lm_password.data); params.new_password.response.lm_data = new_lm_password.data; } else { ZERO_STRUCT(new_lm_password); ZERO_STRUCT(old_lanman_hash_enc); } encode_pw_buffer(new_nt_password.data, newpass, STR_UNICODE); arcfour_crypt(new_nt_password.data, old_nt_hash, 516); E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash); params.old_password.response.old_nt_hash_enc_length = sizeof(old_nt_hash_enc.hash); params.old_password.response.old_nt_hash_enc_data = old_nt_hash_enc.hash; params.new_password.response.nt_length = sizeof(new_nt_password.data); params.new_password.response.nt_data = new_nt_password.data; params.level = WBC_CHANGE_PASSWORD_LEVEL_RESPONSE; params.account_name = cli_credentials_get_username(cmdline_credentials); params.domain_name = cli_credentials_get_domain(cmdline_credentials); ret = wbcChangeUserPasswordEx(¶ms, NULL, NULL, NULL); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "wbcChangeUserPassword for %s failed", params.account_name); if (!test_wbc_authenticate_user_int(tctx, newpass)) { return false; } ret = wbcChangeUserPassword(cli_credentials_get_username(cmdline_credentials), newpass, cli_credentials_get_password(cmdline_credentials)); torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS, "wbcChangeUserPassword for %s failed", params.account_name); return test_wbc_authenticate_user_int(tctx, cli_credentials_get_password(cmdline_credentials)); }
/* * Test some updates */ static bool test_dlz_bind9_update01(struct torture_context *tctx) { NTSTATUS status; struct gensec_security *gensec_client_context; DATA_BLOB client_to_server, server_to_client; void *dbdata; void *version = NULL; const char *argv[] = { "samba_dlz", "-H", lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"), NULL }; struct test_expected_rr *expected1 = NULL; char *name = NULL; char *data0 = NULL; char *data1 = NULL; char *data2 = NULL; bool ret = false; tctx_static = tctx; torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata, "log", dlz_bind9_log_wrapper, "writeable_zone", dlz_bind9_writeable_zone_hook, "putrr", dlz_bind9_putrr_hook, "putnamedrr", dlz_bind9_putnamedrr_hook, NULL), ISC_R_SUCCESS, "Failed to create samba_dlz"); torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ISC_R_SUCCESS, "Failed to configure samba_dlz"); expected1 = talloc_zero(tctx, struct test_expected_rr); torture_assert(tctx, expected1 != NULL, "talloc failed"); expected1->tctx = tctx; expected1->query_name = __func__; name = talloc_asprintf(expected1, "%s.%s", expected1->query_name, lpcfg_dnsdomain(tctx->lp_ctx)); torture_assert(tctx, name != NULL, "talloc failed"); expected1->num_records = 2; expected1->records = talloc_zero_array(expected1, struct test_expected_record, expected1->num_records); torture_assert(tctx, expected1->records != NULL, "talloc failed"); expected1->records[0].name = expected1->query_name; expected1->records[0].type = "a"; expected1->records[0].ttl = 3600; expected1->records[0].data = "127.1.2.3"; expected1->records[0].printed = false; data0 = talloc_asprintf(expected1, "%s.\t" "%u\t" "%s\t" "%s\t" "%s", name, (unsigned)expected1->records[0].ttl, "in", expected1->records[0].type, expected1->records[0].data); torture_assert(tctx, data0 != NULL, "talloc failed"); expected1->records[1].name = expected1->query_name; expected1->records[1].type = "a"; expected1->records[1].ttl = 3600; expected1->records[1].data = "127.3.2.1"; expected1->records[1].printed = false; data1 = talloc_asprintf(expected1, "%s.\t" "%u\t" "%s\t" "%s\t" "%s", name, (unsigned)expected1->records[1].ttl, "in", expected1->records[1].type, expected1->records[1].data); torture_assert(tctx, data1 != NULL, "talloc failed"); data2 = talloc_asprintf(expected1, "%s.\t" "0\t" "in\t" "a\t" "127.3.3.3", name); torture_assert(tctx, data2 != NULL, "talloc failed"); /* * Prepare session info */ status = gensec_client_start(tctx, &gensec_client_context, lpcfg_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); /* * dlz_bind9 use the special dns/host.domain account */ status = gensec_set_target_hostname(gensec_client_context, talloc_asprintf(tctx, "%s.%s", torture_setting_string(tctx, "host", NULL), lpcfg_dnsdomain(tctx->lp_ctx))); torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed"); status = gensec_set_target_service(gensec_client_context, "dns"); torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_service failed"); status = gensec_set_credentials(gensec_client_context, cmdline_credentials); torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed"); status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSS-SPNEGO"); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); server_to_client = data_blob(NULL, 0); /* Do one step of the client-server update dance */ status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed"); } torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials), name, "127.0.0.1", expected1->records[0].type, "key", client_to_server.length, client_to_server.data, dbdata), ISC_TRUE, "Failed to check key for update rights samba_dlz"); /* * We test the following: * * 1. lookup the records => NOT_FOUND * 2. delete all records => NOT_FOUND * 3. delete 1st record => NOT_FOUND * 4. create 1st record => SUCCESS * 5. lookup the records => found 1st * 6. create 2nd record => SUCCESS * 7. lookup the records => found 1st and 2nd * 8. delete unknown record => NOT_FOUND * 9. lookup the records => found 1st and 2nd * 10. delete 1st record => SUCCESS * 11. lookup the records => found 2nd * 12. delete 2nd record => SUCCESS * 13. lookup the records => NOT_FOUND * 14. create 1st record => SUCCESS * 15. lookup the records => found 1st * 16. create 2nd record => SUCCESS * 17. lookup the records => found 1st and 2nd * 18. update 1st record => SUCCESS * 19. lookup the records => found 1st and 2nd * 20. delete all unknown type records => NOT_FOUND * 21. lookup the records => found 1st and 2nd * 22. delete all records => SUCCESS * 23. lookup the records => NOT_FOUND */ /* Step 1. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_NOTFOUND, "Found hostname"); torture_assert_int_equal(tctx, expected1->num_rr, 0, "Got wrong record count"); /* Step 2. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_delrdataset(name, expected1->records[0].type, dbdata, version), ISC_R_NOTFOUND, ret, cancel_version, talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n", name, expected1->records[0].type)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version); /* Step 3. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_subrdataset(name, data0, dbdata, version), ISC_R_NOTFOUND, ret, cancel_version, talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n", name, data0)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version); /* Step 4. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_addrdataset(name, data0, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n", name, data0)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 5. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert_int_equal(tctx, expected1->num_rr, 1, "Got wrong record count"); /* Step 6. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_addrdataset(name, data1, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n", name, data1)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 7. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 2, "Got wrong record count"); /* Step 8. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_subrdataset(name, data2, dbdata, version), ISC_R_NOTFOUND, ret, cancel_version, talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n", name, data2)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 9. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 2, "Got wrong record count"); /* Step 10. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_subrdataset(name, data0, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n", name, data0)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 11. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 1, "Got wrong record count"); /* Step 12. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_subrdataset(name, data1, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n", name, data1)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 13. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_NOTFOUND, "Found hostname"); torture_assert_int_equal(tctx, expected1->num_rr, 0, "Got wrong record count"); /* Step 14. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_addrdataset(name, data0, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n", name, data0)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 15. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert_int_equal(tctx, expected1->num_rr, 1, "Got wrong record count"); /* Step 16. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_addrdataset(name, data1, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n", name, data1)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 17. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 2, "Got wrong record count"); /* Step 18. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_addrdataset(name, data0, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to update name[%s] data[%s]\n", name, data0)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 19. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 2, "Got wrong record count"); /* Step 20. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_delrdataset(name, "txt", dbdata, version), ISC_R_FAILURE, ret, cancel_version, talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n", name, "txt")); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version); /* Step 21. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 2, "Got wrong record count"); /* Step 22. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_delrdataset(name, expected1->records[0].type, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to delete name[%s] type[%s]\n", name, expected1->records[0].type)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 23. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_NOTFOUND, "Found hostname"); torture_assert_int_equal(tctx, expected1->num_rr, 0, "Got wrong record count"); dlz_destroy(dbdata); return true; cancel_version: dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version); return ret; }
static struct bkrp_BackupKey *createRestoreGUIDStruct(struct torture_context *tctx, struct dcerpc_pipe *p, int version, DATA_BLOB *out, bool norevert, bool broken_version, bool broken_user, bool broken_magic_secret, bool broken_magic_access, bool broken_hash_access, bool broken_cert_guid) { struct dcerpc_binding_handle *b = p->binding_handle; struct bkrp_client_side_wrapped data; DATA_BLOB *xs; DATA_BLOB *sec; DATA_BLOB *enc_sec; DATA_BLOB *enc_xs; DATA_BLOB *blob2; DATA_BLOB enc_sec_reverted; DATA_BLOB des3_key; DATA_BLOB aes_key; DATA_BLOB iv; DATA_BLOB out_blob; struct GUID *guid, *g; int t; uint32_t size; enum ndr_err_code ndr_err; NTSTATUS status; const char *user; struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, version, &out_blob); if (r == NULL) { return NULL; } if (broken_user) { /* we take a fake user*/ user = "******"; } else { user = cli_credentials_get_username(cmdline_credentials); } torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Get GUID"); /* * We have to set it outside of the function createRetreiveBackupKeyGUIDStruct * the len of the blob, this is due to the fact that they don't have the * same size (one is 32bits the other 64bits) */ out_blob.length = *r->out.data_out_len; sec = create_unencryptedsecret(tctx, broken_magic_secret, version); if (sec == NULL) { return NULL; } xs = create_access_check(tctx, p, tctx, user, broken_hash_access, version); if (xs == NULL) { return NULL; } if (broken_magic_access){ /* The start of the access_check structure contains the * GUID of the certificate */ xs->data[0]++; } enc_sec = encrypt_blob_pk(tctx, tctx, out_blob.data, out_blob.length, sec); if (!enc_sec) { return NULL; } enc_sec_reverted.data = talloc_array(tctx, uint8_t, enc_sec->length); if (enc_sec_reverted.data == NULL) { return NULL; } enc_sec_reverted.length = enc_sec->length; /* * We DO NOT revert the array on purpose it's in order to check that * when the server is not able to decrypt then it answer the correct error */ if (norevert) { for(t=0; t< enc_sec->length; t++) { enc_sec_reverted.data[t] = ((uint8_t*)enc_sec->data)[t]; } } else { for(t=0; t< enc_sec->length; t++) { enc_sec_reverted.data[t] = ((uint8_t*)enc_sec->data)[enc_sec->length - t -1]; } } size = sec->length; if (version ==2) { const AlgorithmIdentifier *alg = hx509_crypto_des_rsdi_ede3_cbc(); iv.data = sec->data+(size - 8); iv.length = 8; des3_key.data = sec->data+(size - 32); des3_key.length = 24; enc_xs = encrypt_blob(tctx, tctx, &des3_key, &iv, xs, alg); } if (version == 3) { const AlgorithmIdentifier *alg = hx509_crypto_aes256_cbc(); iv.data = sec->data+(size-16); iv.length = 16; aes_key.data = sec->data+(size-48); aes_key.length = 32; enc_xs = encrypt_blob(tctx, tctx, &aes_key, &iv, xs, alg); } if (!enc_xs) { return NULL; } /* To cope with the fact that heimdal do padding at the end for the moment */ enc_xs->length = xs->length; guid = get_cert_guid(tctx, tctx, out_blob.data, out_blob.length); if (guid == NULL) { return NULL; } if (broken_version) { data.version = 1; } else { data.version = version; } data.guid = *guid; data.encrypted_secret = enc_sec_reverted.data; data.access_check = enc_xs->data; data.encrypted_secret_len = enc_sec->length; data.access_check_len = enc_xs->length; /* We want the blob to persist after this function so we don't * allocate it in the stack */ blob2 = talloc(tctx, DATA_BLOB); if (blob2 == NULL) { return NULL; } ndr_err = ndr_push_struct_blob(blob2, tctx, &data, (ndr_push_flags_fn_t)ndr_push_bkrp_client_side_wrapped); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return NULL; } if (broken_cert_guid) { blob2->data[12]++; } ZERO_STRUCT(*r); g = talloc(tctx, struct GUID); if (g == NULL) { return NULL; } status = GUID_from_string(BACKUPKEY_RESTORE_GUID, g); if (!NT_STATUS_IS_OK(status)) { return NULL; } r->in.guidActionAgent = g; r->in.data_in = blob2->data; r->in.data_in_len = blob2->length; r->in.param = 0; r->out.data_out = &(out->data); r->out.data_out_len = talloc(r, uint32_t); return r; }
/* Get the keytab (actually, a container containing the krb5_keytab) * attached to this context. If this hasn't been done or set before, * it will be generated from the password. */ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, struct loadparm_context *lp_ctx, struct keytab_container **_ktc) { krb5_error_code ret; struct keytab_container *ktc; struct smb_krb5_context *smb_krb5_context; const char *keytab_name; krb5_keytab keytab; TALLOC_CTX *mem_ctx; const char *username = cli_credentials_get_username(cred); const char *realm = cli_credentials_get_realm(cred); const char *error_string; const char *salt_principal; if (cred->keytab_obtained >= (MAX(cred->principal_obtained, cred->username_obtained))) { *_ktc = cred->keytab; return 0; } if (cli_credentials_is_anonymous(cred)) { return EINVAL; } ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); if (ret) { return ret; } mem_ctx = talloc_new(cred); if (!mem_ctx) { return ENOMEM; } /* * FIXME: Currently there is no better way than to create the correct * salt principal by checking if the username ends with a '$'. It would * be better if it is part of the credentials. */ ret = smb_krb5_create_salt_principal(mem_ctx, username, realm, &salt_principal, &error_string); if (ret) { talloc_free(mem_ctx); return ret; } ret = smb_krb5_create_memory_keytab(mem_ctx, smb_krb5_context->krb5_context, cli_credentials_get_password(cred), username, realm, salt_principal, cli_credentials_get_kvno(cred), &keytab, &keytab_name); if (ret) { talloc_free(mem_ctx); return ret; } ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context, keytab, keytab_name, &ktc); if (ret) { talloc_free(mem_ctx); return ret; } cred->keytab_obtained = (MAX(cred->principal_obtained, cred->username_obtained)); /* We make this keytab up based on a password. Therefore * match-by-key is acceptable, we can't match on the wrong * principal */ ktc->password_based = true; talloc_steal(cred, ktc); cred->keytab = ktc; *_ktc = cred->keytab; talloc_free(mem_ctx); return ret; }