WERROR winreg_printer_binding_handle(TALLOC_CTX *mem_ctx,
const struct auth_session_info *session_info,
struct messaging_context *msg_ctx,
struct dcerpc_binding_handle **winreg_binding_handle)
{
struct tsocket_address *local;
NTSTATUS status;
int rc;
rc = tsocket_address_inet_from_strings(mem_ctx,
"ip",
"127.0.0.1",
0,
&local);
if (rc < 0) {
return WERR_NOMEM;
}
status = rpcint_binding_handle(mem_ctx,
&ndr_table_winreg,
local,
session_info,
msg_ctx,
winreg_binding_handle);
talloc_free(local);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("winreg_printer_binding_handle: Could not connect to winreg pipe: %s\n",
nt_errstr(status)));
return ntstatus_to_werror(status);
}
return WERR_OK;
}
static void unbecomeDC_send_cldap(struct libnet_UnbecomeDC_state *s)
{
struct composite_context *c = s->creq;
struct tevent_req *req;
struct tsocket_address *dest_address;
int ret;
s->cldap.io.in.dest_address = NULL;
s->cldap.io.in.dest_port = 0;
s->cldap.io.in.realm = s->domain.dns_name;
s->cldap.io.in.host = s->dest_dsa.netbios_name;
s->cldap.io.in.user = NULL;
s->cldap.io.in.domain_guid = NULL;
s->cldap.io.in.domain_sid = NULL;
s->cldap.io.in.acct_control = -1;
s->cldap.io.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
s->cldap.io.in.map_response = true;
ret = tsocket_address_inet_from_strings(s, "ip",
s->source_dsa.address,
lpcfg_cldap_port(s->libnet->lp_ctx),
&dest_address);
if (ret != 0) {
c->status = map_nt_error_from_unix_common(errno);
if (!composite_is_ok(c)) return;
}
c->status = cldap_socket_init(s, NULL, dest_address, &s->cldap.sock);
if (!composite_is_ok(c)) return;
req = cldap_netlogon_send(s, s->libnet->event_ctx,
s->cldap.sock, &s->cldap.io);
if (composite_nomem(req, c)) return;
tevent_req_set_callback(req, unbecomeDC_recv_cldap, s);
}
_PUBLIC_ struct tsocket_address *socket_address_to_tsocket_address(TALLOC_CTX *mem_ctx,
const struct socket_address *a)
{
struct tsocket_address *r;
int ret;
if (!a) {
return NULL;
}
if (a->sockaddr) {
ret = tsocket_address_bsd_from_sockaddr(mem_ctx,
a->sockaddr,
a->sockaddrlen,
&r);
} else {
ret = tsocket_address_inet_from_strings(mem_ctx,
a->family,
a->addr,
a->port,
&r);
}
if (ret != 0) {
return NULL;
}
return r;
}
/*
start listening on the given address
*/
static NTSTATUS cldapd_add_socket(struct cldapd_server *cldapd, struct loadparm_context *lp_ctx,
const char *address)
{
struct cldap_socket *cldapsock;
struct tsocket_address *socket_address;
NTSTATUS status;
int ret;
ret = tsocket_address_inet_from_strings(cldapd,
"ip",
address,
lpcfg_cldap_port(lp_ctx),
&socket_address);
if (ret != 0) {
status = map_nt_error_from_unix_common(errno);
DEBUG(0,("invalid address %s:%d - %s:%s\n",
address, lpcfg_cldap_port(lp_ctx),
gai_strerror(ret), nt_errstr(status)));
return status;
}
/* listen for unicasts on the CLDAP port (389) */
status = cldap_socket_init(cldapd,
cldapd->task->event_ctx,
socket_address,
NULL,
&cldapsock);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Failed to bind to %s - %s\n",
tsocket_address_string(socket_address, socket_address),
nt_errstr(status)));
talloc_free(socket_address);
return status;
}
talloc_free(socket_address);
cldap_set_incoming_handler(cldapsock, cldapd_request_handler, cldapd);
return NT_STATUS_OK;
}
static NTSTATUS ep_register(TALLOC_CTX *mem_ctx,
const struct ndr_interface_table *iface,
const struct dcerpc_binding_vector *bind_vec,
const struct GUID *object_guid,
const char *annotation,
uint32_t replace,
uint32_t unregister,
struct dcerpc_binding_handle **pbh)
{
struct rpc_pipe_client *cli = NULL;
struct dcerpc_binding_handle *h;
struct pipe_auth_data *auth;
const char *ncalrpc_sock;
const char *rpcsrv_type;
struct epm_entry_t *entries;
uint32_t num_ents, i;
TALLOC_CTX *tmp_ctx;
uint32_t result = EPMAPPER_STATUS_OK;
NTSTATUS status;
if (iface == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
if (bind_vec == NULL || bind_vec->count == 0) {
return NT_STATUS_INVALID_PARAMETER;
}
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
"rpc_server", "epmapper",
"none");
if (strcasecmp_m(rpcsrv_type, "embedded") == 0) {
struct tsocket_address *local;
int rc;
rc = tsocket_address_inet_from_strings(tmp_ctx,
"ip",
"127.0.0.1",
0,
&local);
if (rc < 0) {
return NT_STATUS_NO_MEMORY;
}
status = rpcint_binding_handle(tmp_ctx,
&ndr_table_epmapper,
local,
get_session_info_system(),
server_messaging_context(),
&h);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("dcerpc_ep_register: Could not connect to "
"epmapper (%s)", nt_errstr(status)));
goto done;
}
} else if (strcasecmp_m(rpcsrv_type, "daemon") == 0) {
/* Connect to the endpoint mapper locally */
ncalrpc_sock = talloc_asprintf(tmp_ctx,
"%s/%s",
lp_ncalrpc_dir(),
"EPMAPPER");
if (ncalrpc_sock == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
status = rpc_pipe_open_ncalrpc(tmp_ctx,
ncalrpc_sock,
&ndr_table_epmapper.syntax_id,
&cli);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = rpccli_ncalrpc_bind_data(cli, &auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to initialize anonymous bind.\n"));
goto done;
}
status = rpc_pipe_bind(cli, auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to bind ncalrpc socket.\n"));
goto done;
}
h = cli->binding_handle;
} else {
status = NT_STATUS_INVALID_PARAMETER;
goto done;
}
num_ents = bind_vec->count;
entries = talloc_array(tmp_ctx, struct epm_entry_t, num_ents);
for (i = 0; i < num_ents; i++) {
struct dcerpc_binding *map_binding = &bind_vec->bindings[i];
struct epm_twr_t *map_tower;
map_tower = talloc_zero(entries, struct epm_twr_t);
if (map_tower == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
status = dcerpc_binding_build_tower(entries,
map_binding,
&map_tower->tower);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
entries[i].tower = map_tower;
if (annotation == NULL) {
entries[i].annotation = talloc_strdup(entries, "");
} else {
entries[i].annotation = talloc_strndup(entries,
annotation,
EPM_MAX_ANNOTATION_SIZE);
}
if (entries[i].annotation == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
if (object_guid != NULL) {
entries[i].object = *object_guid;
} else {
entries[i].object = map_binding->object.uuid;
}
}
if (unregister) {
status = dcerpc_epm_Delete(h,
tmp_ctx,
num_ents,
entries,
&result);
} else {
status = dcerpc_epm_Insert(h,
tmp_ctx,
num_ents,
entries,
replace,
&result);
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("dcerpc_ep_register: Could not insert tower (%s)\n",
nt_errstr(status)));
goto done;
}
if (result != EPMAPPER_STATUS_OK) {
DEBUG(0, ("dcerpc_ep_register: Could not insert tower (0x%.8x)\n",
result));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
}
if (pbh != NULL) {
*pbh = talloc_move(mem_ctx, &h);
talloc_steal(*pbh, cli);
}
done:
talloc_free(tmp_ctx);
return status;
}
/*
initialise a cldap_sock
*/
NTSTATUS cldap_socket_init(TALLOC_CTX *mem_ctx,
const struct tsocket_address *local_addr,
const struct tsocket_address *remote_addr,
struct cldap_socket **_cldap)
{
struct cldap_socket *c = NULL;
struct tsocket_address *any = NULL;
NTSTATUS status;
int ret;
const char *fam = NULL;
if (local_addr == NULL && remote_addr == NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
if (remote_addr) {
bool is_ipv4;
bool is_ipv6;
is_ipv4 = tsocket_address_is_inet(remote_addr, "ipv4");
is_ipv6 = tsocket_address_is_inet(remote_addr, "ipv6");
if (is_ipv4) {
fam = "ipv4";
} else if (is_ipv6) {
fam = "ipv6";
} else {
return NT_STATUS_INVALID_ADDRESS;
}
}
c = talloc_zero(mem_ctx, struct cldap_socket);
if (!c) {
goto nomem;
}
if (!local_addr) {
/*
* Here we know the address family of the remote address.
*/
if (fam == NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
ret = tsocket_address_inet_from_strings(c, fam,
NULL, 0,
&any);
if (ret != 0) {
status = map_nt_error_from_unix_common(errno);
goto nterror;
}
local_addr = any;
}
c->searches.idr = idr_init(c);
if (!c->searches.idr) {
goto nomem;
}
ret = tdgram_inet_udp_socket(local_addr, remote_addr,
c, &c->sock);
if (ret != 0) {
status = map_nt_error_from_unix_common(errno);
goto nterror;
}
talloc_free(any);
if (remote_addr) {
c->connected = true;
}
c->send_queue = tevent_queue_create(c, "cldap_send_queue");
if (!c->send_queue) {
goto nomem;
}
talloc_set_destructor(c, cldap_socket_destructor);
*_cldap = c;
return NT_STATUS_OK;
nomem:
status = NT_STATUS_NO_MEMORY;
nterror:
talloc_free(c);
return status;
}
static NTSTATUS tcp_ldap_netlogon(void *conn,
TALLOC_CTX *mem_ctx,
struct cldap_netlogon *io)
{
struct cldap_search search;
struct ldap_SearchResEntry *res;
NTSTATUS status;
DATA_BLOB *blob;
ZERO_STRUCT(search);
search.in.attributes = (const char *[]) { "netlogon", NULL };
search.in.filter = cldap_netlogon_create_filter(mem_ctx, io);
if (search.in.filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
status = tcp_ldap_rootdse(conn, mem_ctx, &search);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
res = search.out.response;
if (res == NULL) {
return NT_STATUS_NOT_FOUND;
}
if (res->num_attributes != 1 ||
strcasecmp(res->attributes[0].name, "netlogon") != 0 ||
res->attributes[0].num_values != 1 ||
res->attributes[0].values->length < 2) {
return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
}
blob = res->attributes[0].values;
status = pull_netlogon_samlogon_response(blob, mem_ctx,
&io->out.netlogon);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (io->in.map_response) {
map_netlogon_samlogon_response(&io->out.netlogon);
}
return NT_STATUS_OK;
}
static NTSTATUS udp_ldap_rootdse(void *data, TALLOC_CTX *mem_ctx,
struct cldap_search *io)
{
struct cldap_socket *cldap = talloc_get_type(data,
struct cldap_socket);
return cldap_search(cldap, mem_ctx, io);
}
static bool test_netlogon_extra_attrs(struct torture_context *tctx,
request_rootdse_t request_rootdse,
void *conn)
{
struct cldap_search io;
NTSTATUS status;
const char *attrs[] = {
"netlogon",
"supportedCapabilities",
NULL
};
const char *attrs2[] = { "netlogon", "*", NULL };
struct ldb_message ldbmsg = { NULL, 0, NULL };
ZERO_STRUCT(io);
io.in.dest_address = NULL;
io.in.dest_port = 0;
io.in.timeout = 2;
io.in.retries = 2;
/* Additional attributes may be requested next to netlogon */
torture_comment(tctx, "Requesting netlogon with additional attribute\n");
io.in.filter =
talloc_asprintf(tctx, "(&"
"(NtVer=%s)(AAC=%s)"
/* Query for LDAP_CAP_ACTIVE_DIRECTORY_OID */
"(supportedCapabilities=1.2.840.113556.1.4.800)"
")",
ldap_encode_ndr_uint32(tctx,
NETLOGON_NT_VERSION_5EX),
ldap_encode_ndr_uint32(tctx, 0));
torture_assert(tctx, io.in.filter != NULL, "OOM");
io.in.attributes = attrs;
status = request_rootdse(conn, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
torture_assert(tctx, io.out.response != NULL, "No Entries found.");
CHECK_VAL(io.out.response->num_attributes, 2);
/* netlogon + '*' attr return zero results */
torture_comment(tctx, "Requesting netlogon and '*' attributes\n");
io.in.attributes = attrs2;
status = request_rootdse(conn, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
torture_assert(tctx, io.out.response != NULL, "No Entries found.");
ldbmsg.num_elements = io.out.response->num_attributes;
ldbmsg.elements = io.out.response->attributes;
torture_assert(tctx, ldb_msg_find_element(&ldbmsg, "netlogon") != NULL,
"Attribute netlogon not found in Result Entry\n");
/* Wildcards are not allowed in filters when netlogon is requested. */
torture_comment(tctx, "Requesting netlogon with invalid attr filter\n");
io.in.filter =
talloc_asprintf(tctx,
"(&(NtVer=%s)(AAC=%s)(supportedCapabilities=*))",
ldap_encode_ndr_uint32(tctx,
NETLOGON_NT_VERSION_5EX),
ldap_encode_ndr_uint32(tctx, 0));
torture_assert(tctx, io.in.filter != NULL, "OOM");
io.in.attributes = attrs;
status = request_rootdse(conn, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
torture_assert(tctx, io.out.response == NULL,
"A wildcard filter should return no entries.");
return true;
}
bool torture_netlogon_tcp(struct torture_context *tctx)
{
const char *host = torture_setting_string(tctx, "host", NULL);
bool ret = true;
NTSTATUS status;
struct ldap_connection *conn;
TALLOC_CTX *mem_ctx;
const char *url;
mem_ctx = talloc_init("torture_ldap_netlogon");
url = talloc_asprintf(mem_ctx, "ldap://%s/", host);
status = torture_ldap_connection(tctx, &conn, url);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
ret &= test_ldap_netlogon(tctx, tcp_ldap_netlogon, conn, host);
ret &= test_ldap_netlogon_flags(tctx, tcp_ldap_netlogon, conn, host);
ret &= test_netlogon_extra_attrs(tctx, tcp_ldap_rootdse, conn);
return ret;
}
static NTSTATUS udp_ldap_netlogon(void *data,
TALLOC_CTX *mem_ctx,
struct cldap_netlogon *io)
{
struct cldap_socket *cldap = talloc_get_type(data,
struct cldap_socket);
return cldap_netlogon(cldap, mem_ctx, io);
}
bool torture_netlogon_udp(struct torture_context *tctx)
{
const char *host = torture_setting_string(tctx, "host", NULL);
bool ret = true;
int r;
struct cldap_socket *cldap;
NTSTATUS status;
struct tsocket_address *dest_addr;
r = tsocket_address_inet_from_strings(tctx, "ip",
host,
lpcfg_cldap_port(tctx->lp_ctx),
&dest_addr);
CHECK_VAL(r, 0);
/* cldap_socket_init should now know about the dest. address */
status = cldap_socket_init(tctx, NULL, dest_addr, &cldap);
CHECK_STATUS(status, NT_STATUS_OK);
ret &= test_ldap_netlogon(tctx, udp_ldap_netlogon, cldap, host);
ret &= test_ldap_netlogon_flags(tctx, udp_ldap_netlogon, cldap, host);
ret &= test_netlogon_extra_attrs(tctx, udp_ldap_rootdse, cldap);
return ret;
}
/*
test netlogon operations
*/
static bool test_cldap_netlogon(struct torture_context *tctx, const char *dest)
{
struct cldap_socket *cldap;
NTSTATUS status;
struct cldap_netlogon search, empty_search;
struct netlogon_samlogon_response n1;
struct GUID guid;
int i;
struct smb_iconv_convenience *iconv_convenience = lp_iconv_convenience(tctx->lp_ctx);
struct tsocket_address *dest_addr;
int ret;
ret = tsocket_address_inet_from_strings(tctx, "ip",
dest,
lp_cldap_port(tctx->lp_ctx),
&dest_addr);
status = cldap_socket_init(tctx, NULL, NULL, dest_addr, &cldap);
CHECK_STATUS(status, NT_STATUS_OK);
ZERO_STRUCT(search);
search.in.dest_address = NULL;
search.in.dest_port = 0;
search.in.acct_control = -1;
search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
search.in.map_response = true;
empty_search = search;
printf("Trying without any attributes\n");
search = empty_search;
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
n1 = search.out.netlogon;
search.in.user = "******";
search.in.realm = n1.data.nt5_ex.dns_domain;
search.in.host = "__cldap_torture__";
printf("Scanning for netlogon levels\n");
for (i=0;i<256;i++) {
search.in.version = i;
printf("Trying netlogon level %d\n", i);
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
}
printf("Scanning for netlogon level bits\n");
for (i=0;i<31;i++) {
search.in.version = (1<<i);
printf("Trying netlogon level 0x%x\n", i);
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
}
search.in.version = NETLOGON_NT_VERSION_5|NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_IP;
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
printf("Trying with User=NULL\n");
search.in.user = NULL;
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
printf("Trying with User=Administrator\n");
search.in.user = "******";
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
search.in.version = NETLOGON_NT_VERSION_5;
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
printf("Trying with User=NULL\n");
search.in.user = NULL;
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE);
printf("Trying with User=Administrator\n");
search.in.user = "******";
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN);
search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
printf("Trying with a GUID\n");
search.in.realm = NULL;
search.in.domain_guid = GUID_string(tctx, &n1.data.nt5_ex.domain_uuid);
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
CHECK_STRING(GUID_string(tctx, &search.out.netlogon.data.nt5_ex.domain_uuid), search.in.domain_guid);
printf("Trying with a incorrect GUID\n");
guid = GUID_random();
search.in.user = NULL;
search.in.domain_guid = GUID_string(tctx, &guid);
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
printf("Trying with a AAC\n");
search.in.acct_control = ACB_WSTRUST|ACB_SVRTRUST;
search.in.realm = n1.data.nt5_ex.dns_domain;
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
printf("Trying with a zero AAC\n");
search.in.acct_control = 0x0;
search.in.realm = n1.data.nt5_ex.dns_domain;
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
printf("Trying with a zero AAC and user=Administrator\n");
search.in.acct_control = 0x0;
search.in.user = "******";
search.in.realm = n1.data.nt5_ex.dns_domain;
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "Administrator");
printf("Trying with a bad AAC\n");
search.in.user = NULL;
search.in.acct_control = 0xFF00FF00;
search.in.realm = n1.data.nt5_ex.dns_domain;
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
printf("Trying with a user only\n");
search = empty_search;
search.in.user = "******";
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
printf("Trying with just a bad username\n");
search.in.user = "******";
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
printf("Trying with just a bad domain\n");
search = empty_search;
search.in.realm = "___no_such_domain___";
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
printf("Trying with a incorrect domain and correct guid\n");
search.in.domain_guid = GUID_string(tctx, &n1.data.nt5_ex.domain_uuid);
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
printf("Trying with a incorrect domain and incorrect guid\n");
search.in.domain_guid = GUID_string(tctx, &guid);
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
printf("Trying with a incorrect GUID and correct domain\n");
search.in.domain_guid = GUID_string(tctx, &guid);
search.in.realm = n1.data.nt5_ex.dns_domain;
status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
return true;
}
/*
test generic cldap operations
*/
static bool test_cldap_generic(struct torture_context *tctx, const char *dest)
{
struct cldap_socket *cldap;
NTSTATUS status;
struct cldap_search search;
const char *attrs1[] = { "currentTime", "highestCommittedUSN", NULL };
const char *attrs2[] = { "currentTime", "highestCommittedUSN", "netlogon", NULL };
const char *attrs3[] = { "netlogon", NULL };
struct tsocket_address *dest_addr;
int ret;
ret = tsocket_address_inet_from_strings(tctx, "ip",
dest,
lpcfg_cldap_port(tctx->lp_ctx),
&dest_addr);
CHECK_VAL(ret, 0);
/* cldap_socket_init should now know about the dest. address */
status = cldap_socket_init(tctx, NULL, dest_addr, &cldap);
CHECK_STATUS(status, NT_STATUS_OK);
ZERO_STRUCT(search);
search.in.dest_address = NULL;
search.in.dest_port = 0;
search.in.timeout = 10;
search.in.retries = 3;
status = cldap_search(cldap, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
printf("fetching whole rootDSE\n");
search.in.filter = "(objectclass=*)";
search.in.attributes = NULL;
status = cldap_search(cldap, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
if (DEBUGLVL(3)) cldap_dump_results(&search);
printf("fetching currentTime and USN\n");
search.in.filter = "(objectclass=*)";
search.in.attributes = attrs1;
status = cldap_search(cldap, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
if (DEBUGLVL(3)) cldap_dump_results(&search);
printf("Testing currentTime, USN and netlogon\n");
search.in.filter = "(objectclass=*)";
search.in.attributes = attrs2;
status = cldap_search(cldap, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
if (DEBUGLVL(3)) cldap_dump_results(&search);
printf("Testing objectClass=* and netlogon\n");
search.in.filter = "(objectclass2=*)";
search.in.attributes = attrs3;
status = cldap_search(cldap, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
if (DEBUGLVL(3)) cldap_dump_results(&search);
printf("Testing a false expression\n");
search.in.filter = "(&(objectclass=*)(highestCommittedUSN=2))";
search.in.attributes = attrs1;
status = cldap_search(cldap, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
if (DEBUGLVL(3)) cldap_dump_results(&search);
return true;
}
/*
test cldap netlogon server type flags
*/
static bool test_cldap_netlogon_flags(struct torture_context *tctx,
const char *dest)
{
struct cldap_socket *cldap;
NTSTATUS status;
struct cldap_netlogon search;
struct netlogon_samlogon_response n1;
uint32_t server_type;
struct tsocket_address *dest_addr;
int ret;
ret = tsocket_address_inet_from_strings(tctx, "ip",
dest,
lpcfg_cldap_port(tctx->lp_ctx),
&dest_addr);
CHECK_VAL(ret, 0);
/* cldap_socket_init should now know about the dest. address */
status = cldap_socket_init(tctx, NULL, dest_addr, &cldap);
CHECK_STATUS(status, NT_STATUS_OK);
printf("Printing out netlogon server type flags: %s\n", dest);
ZERO_STRUCT(search);
search.in.dest_address = NULL;
search.in.dest_port = 0;
search.in.acct_control = -1;
search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
search.in.map_response = true;
status = cldap_netlogon(cldap, tctx, &search);
CHECK_STATUS(status, NT_STATUS_OK);
n1 = search.out.netlogon;
if (n1.ntver == NETLOGON_NT_VERSION_5)
server_type = n1.data.nt5.server_type;
else if (n1.ntver == NETLOGON_NT_VERSION_5EX)
server_type = n1.data.nt5_ex.server_type;
printf("The word is: %i\n", server_type);
if (server_type & NBT_SERVER_PDC)
printf("NBT_SERVER_PDC ");
if (server_type & NBT_SERVER_GC)
printf("NBT_SERVER_GC ");
if (server_type & NBT_SERVER_LDAP)
printf("NBT_SERVER_LDAP ");
if (server_type & NBT_SERVER_DS)
printf("NBT_SERVER_DS ");
if (server_type & NBT_SERVER_KDC)
printf("NBT_SERVER_KDC ");
if (server_type & NBT_SERVER_TIMESERV)
printf("NBT_SERVER_TIMESERV ");
if (server_type & NBT_SERVER_CLOSEST)
printf("NBT_SERVER_CLOSEST ");
if (server_type & NBT_SERVER_WRITABLE)
printf("NBT_SERVER_WRITABLE ");
if (server_type & NBT_SERVER_GOOD_TIMESERV)
printf("NBT_SERVER_GOOD_TIMESERV ");
if (server_type & NBT_SERVER_NDNC)
printf("NBT_SERVER_NDNC ");
if (server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6)
printf("NBT_SERVER_SELECT_SECRET_DOMAIN_6");
if (server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6)
printf("NBT_SERVER_FULL_SECRET_DOMAIN_6");
if (server_type & DS_DNS_CONTROLLER)
printf("DS_DNS_CONTROLLER ");
if (server_type & DS_DNS_DOMAIN)
printf("DS_DNS_DOMAIN ");
if (server_type & DS_DNS_FOREST_ROOT)
printf("DS_DNS_FOREST_ROOT ");
printf("\n");
return true;
}
/*
initialise a cldap_sock
*/
NTSTATUS cldap_socket_init(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
const struct tsocket_address *local_addr,
const struct tsocket_address *remote_addr,
struct cldap_socket **_cldap)
{
struct cldap_socket *c = NULL;
struct tsocket_address *any = NULL;
NTSTATUS status;
int ret;
c = talloc_zero(mem_ctx, struct cldap_socket);
if (!c) {
goto nomem;
}
if (!ev) {
ev = tevent_context_init(c);
if (!ev) {
goto nomem;
}
c->event.allow_poll = true;
}
c->event.ctx = ev;
if (!local_addr) {
ret = tsocket_address_inet_from_strings(c, "ipv4",
NULL, 0,
&any);
if (ret != 0) {
status = map_nt_error_from_unix(errno);
goto nterror;
}
local_addr = any;
}
c->searches.idr = idr_init(c);
if (!c->searches.idr) {
goto nomem;
}
ret = tdgram_inet_udp_socket(local_addr, remote_addr,
c, &c->sock);
if (ret != 0) {
status = map_nt_error_from_unix(errno);
goto nterror;
}
talloc_free(any);
if (remote_addr) {
c->connected = true;
}
c->send_queue = tevent_queue_create(c, "cldap_send_queue");
if (!c->send_queue) {
goto nomem;
}
talloc_set_destructor(c, cldap_socket_destructor);
*_cldap = c;
return NT_STATUS_OK;
nomem:
status = NT_STATUS_NO_MEMORY;
nterror:
talloc_free(c);
return status;
}
bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
const char *server,
const char *realm,
uint32_t nt_version,
struct netlogon_samlogon_response **_reply)
{
struct cldap_socket *cldap;
struct cldap_netlogon io;
struct netlogon_samlogon_response *reply;
NTSTATUS status;
struct in_addr addr;
char addrstr[INET_ADDRSTRLEN];
const char *dest_str;
int ret;
struct tsocket_address *dest_addr;
addr = interpret_addr2(server);
dest_str = inet_ntop(AF_INET, &addr,
addrstr, sizeof(addrstr));
if (!dest_str) {
DEBUG(2,("Failed to resolve[%s] into an address for cldap\n",
server));
return false;
}
ret = tsocket_address_inet_from_strings(mem_ctx, "ipv4",
dest_str, LDAP_PORT,
&dest_addr);
if (ret != 0) {
status = map_nt_error_from_unix(errno);
DEBUG(2,("Failed to create cldap tsocket_address for %s - %s\n",
dest_str, nt_errstr(status)));
return false;
}
/*
* as we use a connected udp socket
*/
status = cldap_socket_init(mem_ctx, NULL, NULL, dest_addr, &cldap);
TALLOC_FREE(dest_addr);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2,("Failed to create cldap socket to %s: %s\n",
dest_str, nt_errstr(status)));
return false;
}
reply = talloc(cldap, struct netlogon_samlogon_response);
if (!reply) {
goto failed;
}
/*
* as we use a connected socket, so we don't need to specify the
* destination
*/
io.in.dest_address = NULL;
io.in.dest_port = 0;
io.in.realm = realm;
io.in.host = NULL;
io.in.user = NULL;
io.in.domain_guid = NULL;
io.in.domain_sid = NULL;
io.in.acct_control = 0;
io.in.version = nt_version;
io.in.map_response = false;
status = cldap_netlogon(cldap, NULL, reply, &io);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2,("cldap_netlogon() failed: %s\n", nt_errstr(status)));
goto failed;
}
*reply = io.out.netlogon;
*_reply = talloc_move(mem_ctx, &reply);
TALLOC_FREE(cldap);
return true;
failed:
TALLOC_FREE(cldap);
return false;
}
