Пример #1
0
/**
 * Obtain the client principal for this credentials context.
 * @param cred credentials context
 * @retval The username set on this context.
 * @note Return value will never be NULL except by programmer error.
 */
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
{
	if (cred->machine_account_pending) {
		cli_credentials_set_machine_account(cred);
	}

	if (cred->principal_obtained == CRED_CALLBACK && 
	    !cred->callback_running) {
	    	cred->callback_running = True;
		cred->principal = cred->principal_cb(cred);
	    	cred->callback_running = False;
		cred->principal_obtained = CRED_SPECIFIED;
	}

	if (cred->principal_obtained < cred->username_obtained) {
		if (cred->domain_obtained > cred->realm_obtained) {
			return talloc_asprintf(mem_ctx, "%s@%s", 
					       cli_credentials_get_username(cred),
					       cli_credentials_get_domain(cred));
		} else {
			return talloc_asprintf(mem_ctx, "%s@%s", 
					       cli_credentials_get_username(cred),
					       cli_credentials_get_realm(cred));
		}
	}
	return talloc_reference(mem_ctx, cred->principal);
}
Пример #2
0
/**
 * Obtain the client principal for this credentials context.
 * @param cred credentials context
 * @retval The username set on this context.
 * @note Return value will never be NULL except by programmer error.
 */
_PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained)
{
	if (cred->machine_account_pending) {
		cli_credentials_set_machine_account(cred,
					cred->machine_account_pending_lp_ctx);
	}

	if (cred->principal_obtained == CRED_CALLBACK && 
	    !cred->callback_running) {
	    	cred->callback_running = true;
		cred->principal = cred->principal_cb(cred);
	    	cred->callback_running = false;
		if (cred->principal_obtained == CRED_CALLBACK) {
			cred->principal_obtained = CRED_CALLBACK_RESULT;
			cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
		}
	}

	if (cred->principal_obtained < cred->username_obtained
	    || cred->principal_obtained < MAX(cred->domain_obtained, cred->realm_obtained)) {
		if (cred->domain_obtained > cred->realm_obtained) {
			*obtained = MIN(cred->domain_obtained, cred->username_obtained);
			return talloc_asprintf(mem_ctx, "%s@%s", 
					       cli_credentials_get_username(cred),
					       cli_credentials_get_domain(cred));
		} else {
			*obtained = MIN(cred->domain_obtained, cred->username_obtained);
			return talloc_asprintf(mem_ctx, "%s@%s", 
					       cli_credentials_get_username(cred),
					       cli_credentials_get_realm(cred));
		}
	}
	*obtained = cred->principal_obtained;
	return talloc_strdup(mem_ctx, cred->principal);
}
Пример #3
0
static bool test_wbc_getgroups(struct torture_context *tctx)
{
    wbcErr ret;
    uint32_t num_groups;
    gid_t *groups;

    ret = wbcGetGroups(cli_credentials_get_username(cmdline_credentials), &num_groups, &groups);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "wbcGetGroups for %s failed", cli_credentials_get_username(cmdline_credentials));
    wbcFreeMemory(groups);
    return true;
}
Пример #4
0
NTSTATUS rpccli_create_netlogon_creds_ctx(
	struct cli_credentials *creds,
	const char *server_computer,
	struct messaging_context *msg_ctx,
	TALLOC_CTX *mem_ctx,
	struct netlogon_creds_cli_context **creds_ctx)
{
	enum netr_SchannelType sec_chan_type;
	const char *server_netbios_domain;
	const char *server_dns_domain;
	const char *client_account;

	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
	client_account = cli_credentials_get_username(creds);
	server_netbios_domain = cli_credentials_get_domain(creds);
	server_dns_domain = cli_credentials_get_realm(creds);

	return rpccli_create_netlogon_creds(server_computer,
					    server_netbios_domain,
					    server_dns_domain,
					    client_account,
					    sec_chan_type,
					    msg_ctx, mem_ctx,
					    creds_ctx);
}
Пример #5
0
NTSTATUS rpccli_create_netlogon_creds_with_creds(struct cli_credentials *creds,
						 const char *server_computer,
						 struct messaging_context *msg_ctx,
						 TALLOC_CTX *mem_ctx,
						 struct netlogon_creds_cli_context **netlogon_creds)
{
	enum netr_SchannelType sec_chan_type;
	const char *server_netbios_domain;
	const char *client_account;

	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
	if (sec_chan_type == SEC_CHAN_NULL) {
		return NT_STATUS_INVALID_PARAMETER_MIX;
	}

	client_account = cli_credentials_get_username(creds);
	server_netbios_domain = cli_credentials_get_domain(creds);

	return rpccli_create_netlogon_creds(server_computer,
					    server_netbios_domain,
					    client_account,
					    sec_chan_type,
					    msg_ctx, mem_ctx,
					    netlogon_creds);
}
Пример #6
0
/*
 * Test that a ticket obtained for the DNS service will be accepted on the Samba DLZ side
 *
 */
static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech)
{
	NTSTATUS status;

	struct gensec_security *gensec_client_context;

	DATA_BLOB client_to_server, server_to_client;

	void *dbdata;
	const char *argv[] = {
		"samba_dlz",
		"-H",
		lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
		NULL
	};
	tctx_static = tctx;
	torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, discard_const_p(char *, argv), &dbdata,
						  "log", dlz_bind9_log_wrapper,
						  "writeable_zone", dlz_bind9_writeable_zone_hook, NULL),
				 ISC_R_SUCCESS,
				 "Failed to create samba_dlz");

	torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
						     ISC_R_SUCCESS,
				 "Failed to configure samba_dlz");

	status = gensec_client_start(tctx, &gensec_client_context,
				     lpcfg_gensec_settings(tctx, tctx->lp_ctx));
	torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");

	status = gensec_set_target_hostname(gensec_client_context, torture_setting_string(tctx, "host", NULL));
	torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");

	status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
	torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");

	status = gensec_start_mech_by_sasl_name(gensec_client_context, mech);
	torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");

	server_to_client = data_blob(NULL, 0);

	/* Do one step of the client-server update dance */
	status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server);
	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
		torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
	}

	torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
						    lpcfg_dnsdomain(tctx->lp_ctx),
						    "127.0.0.1", "type", "key",
						    client_to_server.length,
						    client_to_server.data,
						    dbdata),
				 ISC_R_SUCCESS,
				 "Failed to check key for update rights samba_dlz");

	dlz_destroy(dbdata);

	return true;
}
Пример #7
0
static bool test_NetrJoinDomain(struct torture_context *tctx,
				struct dcerpc_pipe *p)
{
	NTSTATUS status;
	struct wkssvc_NetrJoinDomain r;
	struct cli_credentials *creds = cmdline_credentials;
	const char *user = cli_credentials_get_username(creds);
	const char *admin_account = NULL;
	struct dcerpc_binding_handle *b = p->binding_handle;

	admin_account = talloc_asprintf(tctx, "%s\\%s",
					lpcfg_workgroup(tctx->lp_ctx),
					user);

	r.in.server_name = dcerpc_server_name(p);
	r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
	r.in.account_ou = NULL;
	r.in.Account = admin_account;
	r.in.password = NULL;
	r.in.join_flags = 0;

	torture_comment(tctx, "Testing NetrJoinDomain\n");

	status = dcerpc_wkssvc_NetrJoinDomain_r(b, tctx, &r);
	torture_assert_ntstatus_ok(tctx, status,
				   "NetrJoinDomain failed");
	torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
				  "NetrJoinDomain failed");
	return true;
}
Пример #8
0
_PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
{
	const char *username;
	
	/* if bind dn is set it's not anonymous */
	if (cred->bind_dn) {
		return false;
	}

	if (cred->machine_account_pending) {
		cli_credentials_set_machine_account(cred,
						    cred->machine_account_pending_lp_ctx);
	}

	/* if principal is set, it's not anonymous */
	if ((cred->principal != NULL) && cred->principal_obtained >= cred->username_obtained) {
		return false;
	}

	username = cli_credentials_get_username(cred);
	
	/* Yes, it is deliberate that we die if we have a NULL pointer
	 * here - anonymous is "", not NULL, which is 'never specified,
	 * never guessed', ie programmer bug */
	if (!username[0]) {
		return true;
	}

	return false;
}
Пример #9
0
bool torture_libnetapi_init_context(struct torture_context *tctx,
				    struct libnetapi_ctx **ctx_p)
{
	NET_API_STATUS status;
	struct libnetapi_ctx *ctx;
	TALLOC_CTX *frame = talloc_stackframe();

	if (!lp_load_global(lpcfg_configfile(tctx->lp_ctx))) {
		fprintf(stderr, "error loading %s\n", lpcfg_configfile(tctx->lp_ctx));
		talloc_free(frame);
		return W_ERROR_V(WERR_GENERAL_FAILURE);
	}

	init_names();
	load_interfaces();

	status = libnetapi_net_init(&ctx);
	if (status != 0) {
		talloc_free(frame);
		return false;
	}

	libnetapi_set_username(ctx,
		cli_credentials_get_username(cmdline_credentials));
	libnetapi_set_password(ctx,
		cli_credentials_get_password(cmdline_credentials));

	*ctx_p = ctx;

	talloc_free(frame);
	return true;
}
Пример #10
0
static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, 
						       struct cli_credentials *machine_account, 
						       struct smb_krb5_context *smb_krb5_context,
						       krb5_principal *salt_princ)
{
	krb5_error_code ret;
	char *machine_username;
	char *salt_body;
	char *lower_realm;
	const char *salt_principal;
	struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
	if (!mem_ctx) {
		return ENOMEM;
	}

	salt_principal = cli_credentials_get_salt_principal(machine_account);
	if (salt_principal) {
		ret = krb5_parse_name(smb_krb5_context->krb5_context, salt_principal, salt_princ); 
	} else {
		machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account));
		
		if (!machine_username) {
			talloc_free(mem_ctx);
			return ENOMEM;
		}
		
		if (machine_username[strlen(machine_username)-1] == '$') {
			machine_username[strlen(machine_username)-1] = '\0';
		}
		lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account));
		if (!lower_realm) {
			talloc_free(mem_ctx);
			return ENOMEM;
		}
		
		salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username, 
					    lower_realm);
		if (!salt_body) {
			talloc_free(mem_ctx);
		return ENOMEM;
		}
		
		ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ, 
					  cli_credentials_get_realm(machine_account), 
					  "host", salt_body, NULL);
	} 

	if (ret == 0) {
		/* This song-and-dance effectivly puts the principal
		 * into talloc, so we can't loose it. */
		mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
		mem_ctx->principal = *salt_princ;
		talloc_set_destructor(mem_ctx, free_principal);
	}
	return ret;
}
Пример #11
0
static bool test_parse_string(struct torture_context *tctx)
{
	struct cli_credentials *creds = cli_credentials_init_anon(tctx);

	/* anonymous */
	cli_credentials_parse_string(creds, "%", CRED_SPECIFIED);

	torture_assert_str_equal(tctx, cli_credentials_get_domain(creds),
				 "", "domain");

	torture_assert_str_equal(tctx, cli_credentials_get_username(creds),
				 "", "username");

	torture_assert(tctx, cli_credentials_get_password(creds) == NULL,
				 "password");

	/* username + password */
	cli_credentials_parse_string(creds, "somebody%secret", 
				     CRED_SPECIFIED);

	torture_assert_str_equal(tctx, cli_credentials_get_domain(creds),
				 "", "domain");

	torture_assert_str_equal(tctx, cli_credentials_get_username(creds),
				 "somebody", "username");

	torture_assert_str_equal(tctx, cli_credentials_get_password(creds),
				 "secret", "password");

	/* principal */
	cli_credentials_parse_string(creds, "prin@styx", 
				     CRED_SPECIFIED);

	torture_assert_str_equal(tctx, cli_credentials_get_realm(creds),
				 "STYX", "realm");

	torture_assert_str_equal(tctx, 
				 cli_credentials_get_principal(creds, tctx),
				 "prin@styx", "principal");

	return true;
}
Пример #12
0
static int net_password_change(struct net_context *ctx, int argc, const char **argv)
{
	NTSTATUS status;
	struct libnet_context *libnetctx;
	union libnet_ChangePassword r;
	char *password_prompt = NULL;
	const char *new_password;

	if (argc > 0 && argv[0]) {
		new_password = argv[0];
	} else {
		password_prompt = talloc_asprintf(ctx, "Enter new password for account [%s\\%s]:", 
							cli_credentials_get_domain(ctx->credentials), 
							cli_credentials_get_username(ctx->credentials));
		new_password = getpass(password_prompt);
	}

	libnetctx = libnet_context_init(ctx->event_ctx, ctx->lp_ctx);
	if (!libnetctx) {
		return -1;	
	}
	libnetctx->cred = ctx->credentials;

	/* prepare password change */
	r.generic.level			= LIBNET_CHANGE_PASSWORD_GENERIC;
	r.generic.in.account_name	= cli_credentials_get_username(ctx->credentials);
	r.generic.in.domain_name	= cli_credentials_get_domain(ctx->credentials);
	r.generic.in.oldpassword	= cli_credentials_get_password(ctx->credentials);
	r.generic.in.newpassword	= new_password;

	/* do password change */
	status = libnet_ChangePassword(libnetctx, ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0,("net_password_change: %s\n",r.generic.out.error_string));
		return -1;
	}

	talloc_free(libnetctx);

	return 0;
}
Пример #13
0
_PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
					      const char **username, 
					      const char **domain) 
{
	if (cred->principal_obtained > cred->username_obtained) {
		*domain = talloc_strdup(mem_ctx, "");
		*username = cli_credentials_get_principal(cred, mem_ctx);
	} else {
		*domain = cli_credentials_get_domain(cred);
		*username = cli_credentials_get_username(cred);
	}
}
Пример #14
0
static bool test_wbc_authenticate_user_int(struct torture_context *tctx,
        const char *correct_password)
{
    struct wbcAuthUserParams params;
    struct wbcAuthUserInfo *info = NULL;
    struct wbcAuthErrorInfo *error = NULL;
    wbcErr ret;

    ret = wbcAuthenticateUser(cli_credentials_get_username(cmdline_credentials), correct_password);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "wbcAuthenticateUser of %s failed",
                             cli_credentials_get_username(cmdline_credentials));

    ZERO_STRUCT(params);
    params.account_name		= cli_credentials_get_username(cmdline_credentials);
    params.level			= WBC_AUTH_USER_LEVEL_PLAIN;
    params.password.plaintext	= correct_password;

    ret = wbcAuthenticateUserEx(&params, &info, &error);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "wbcAuthenticateUserEx of %s failed", params.account_name);
    wbcFreeMemory(info);
    info = NULL;

    wbcFreeMemory(error);
    error = NULL;

    params.password.plaintext       = "wrong";
    ret = wbcAuthenticateUserEx(&params, &info, &error);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR,
                             "wbcAuthenticateUserEx for %s succeeded where it "
                             "should have failed", params.account_name);
    wbcFreeMemory(info);
    info = NULL;

    wbcFreeMemory(error);
    error = NULL;

    return true;
}
Пример #15
0
static bool test_init_anonymous(struct torture_context *tctx)
{
	struct cli_credentials *creds = cli_credentials_init_anon(tctx);

	torture_assert_str_equal(tctx, cli_credentials_get_domain(creds),
				 "", "domain");

	torture_assert_str_equal(tctx, cli_credentials_get_username(creds),
				 "", "username");

	torture_assert(tctx, cli_credentials_get_password(creds) == NULL,
				 "password");

	return true;
}
Пример #16
0
static bool test_NetrWkstaUserGetInfo(struct torture_context *tctx,
				      struct dcerpc_pipe *p)
{
	NTSTATUS status;
	struct wkssvc_NetrWkstaUserGetInfo r;
	union wkssvc_NetrWkstaUserInfo info;
	const char *dom = lpcfg_workgroup(tctx->lp_ctx);
	struct cli_credentials *creds = cmdline_credentials;
	const char *user = cli_credentials_get_username(creds);
	int i;
	struct dcerpc_binding_handle *b = p->binding_handle;

	const struct {
		const char *unknown;
		uint32_t level;
		WERROR result;
	} tests[] = {
		{ NULL, 0, WERR_NO_SUCH_LOGON_SESSION },
		{ NULL, 1, WERR_NO_SUCH_LOGON_SESSION },
		{ NULL, 1101, WERR_OK },
		{ dom, 0, WERR_INVALID_PARAM },
		{ dom, 1, WERR_INVALID_PARAM },
		{ dom, 1101, WERR_INVALID_PARAM },
		{ user, 0, WERR_INVALID_PARAM },
		{ user, 1, WERR_INVALID_PARAM },
		{ user, 1101, WERR_INVALID_PARAM },
	};

	for (i=0; i<ARRAY_SIZE(tests); i++) {
		r.in.unknown = tests[i].unknown;
		r.in.level = tests[i].level;
		r.out.info = &info;

		torture_comment(tctx, "Testing NetrWkstaUserGetInfo level %u\n",
				r.in.level);

		status = dcerpc_wkssvc_NetrWkstaUserGetInfo_r(b, tctx, &r);
		torture_assert_ntstatus_ok(tctx, status,
					   "NetrWkstaUserGetInfo failed");
		torture_assert_werr_equal(tctx, r.out.result,
					  tests[i].result,
					  "NetrWkstaUserGetInfo failed");
	}

	return true;
}
Пример #17
0
bool torture_libsmbclient_init_context(struct torture_context *tctx,
				       SMBCCTX **ctx_p)
{
	SMBCCTX *ctx;

	ctx = smbc_new_context();
	torture_assert(tctx, ctx, "failed to get new context");
	torture_assert(tctx, smbc_init_context(ctx), "failed to init context");

	smbc_setDebug(ctx, DEBUGLEVEL);
	smbc_setOptionDebugToStderr(ctx, 1);

	/* yes, libsmbclient API frees the username when freeing the context, so
	 * have to pass malloced data here */
	smbc_setUser(ctx, strdup(cli_credentials_get_username(cmdline_credentials)));

	*ctx_p = ctx;

	return true;
}
Пример #18
0
static bool test_init(struct torture_context *tctx)
{
	struct cli_credentials *creds = cli_credentials_init(tctx);

	cli_credentials_set_domain(creds, "bla", CRED_SPECIFIED);

	torture_assert_str_equal(tctx, "BLA", cli_credentials_get_domain(creds),
				 "domain");

	cli_credentials_set_username(creds, "someuser", CRED_SPECIFIED);

	torture_assert_str_equal(tctx, "someuser", 
				 cli_credentials_get_username(creds), 
				 "username");

	cli_credentials_set_password(creds, "p4ssw0rd", CRED_SPECIFIED);

	torture_assert_str_equal(tctx, "p4ssw0rd", 
				 cli_credentials_get_password(creds),
				 "password");

	return true;
}
Пример #19
0
static PyObject *py_creds_get_username(PyObject *self, PyObject *unused)
{
	return PyString_FromStringOrNULL(cli_credentials_get_username(PyCredentials_AsCliCredentials(self)));
}
Пример #20
0
/* Get the keytab (actually, a container containing the krb5_keytab)
 * attached to this context.  If this hasn't been done or set before,
 * it will be generated from the password.
 */
_PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, 
					struct loadparm_context *lp_ctx,
					struct keytab_container **_ktc)
{
	krb5_error_code ret;
	struct keytab_container *ktc;
	struct smb_krb5_context *smb_krb5_context;
	const char *keytab_name;
	krb5_keytab keytab;
	TALLOC_CTX *mem_ctx;

	if (cred->keytab_obtained >= (MAX(cred->principal_obtained, 
					  cred->username_obtained))) {
		*_ktc = cred->keytab;
		return 0;
	}

	if (cli_credentials_is_anonymous(cred)) {
		return EINVAL;
	}

	ret = cli_credentials_get_krb5_context(cred, lp_ctx,
					       &smb_krb5_context);
	if (ret) {
		return ret;
	}

	mem_ctx = talloc_new(cred);
	if (!mem_ctx) {
		return ENOMEM;
	}

	ret = smb_krb5_create_memory_keytab(mem_ctx,
					smb_krb5_context->krb5_context,
					cli_credentials_get_password(cred),
					cli_credentials_get_username(cred),
					cli_credentials_get_realm(cred),
					cli_credentials_get_kvno(cred),
					&keytab, &keytab_name);
	if (ret) {
		talloc_free(mem_ctx);
		return ret;
	}

	ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context,
					    keytab, keytab_name, &ktc);
	if (ret) {
		talloc_free(mem_ctx);
		return ret;
	}

	cred->keytab_obtained = (MAX(cred->principal_obtained, 
				     cred->username_obtained));

	/* We make this keytab up based on a password.  Therefore
	 * match-by-key is acceptable, we can't match on the wrong
	 * principal */
	ktc->password_based = true;

	talloc_steal(cred, ktc);
	cred->keytab = ktc;
	*_ktc = cred->keytab;
	talloc_free(mem_ctx);
	return ret;
}
Пример #21
0
static bool test_wbc_logon_user(struct torture_context *tctx)
{
    struct wbcLogonUserParams params;
    struct wbcLogonUserInfo *info = NULL;
    struct wbcAuthErrorInfo *error = NULL;
    struct wbcUserPasswordPolicyInfo *policy = NULL;
    struct wbcInterfaceDetails *iface;
    struct wbcDomainSid sid;
    enum wbcSidType sidtype;
    char *sidstr;
    wbcErr ret;

    ZERO_STRUCT(params);

    ret = wbcLogonUser(&params, &info, &error, &policy);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_INVALID_PARAM,
                             "%s", "wbcLogonUser succeeded for NULL where it should "
                             "have failed");

    params.username = cli_credentials_get_username(cmdline_credentials);
    params.password = cli_credentials_get_password(cmdline_credentials);

    ret = wbcAddNamedBlob(&params.num_blobs, &params.blobs,
                          "foo", 0, discard_const_p(uint8_t, "bar"), 4);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "%s", "wbcAddNamedBlob failed");

    ret = wbcLogonUser(&params, &info, &error, &policy);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "wbcLogonUser for %s failed", params.username);
    wbcFreeMemory(info);
    info = NULL;
    wbcFreeMemory(error);
    error = NULL;
    wbcFreeMemory(policy);
    policy = NULL;

    params.password = "******";

    ret = wbcLogonUser(&params, &info, &error, &policy);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR,
                             "wbcLogonUser for %s should have failed with "
                             "WBC_ERR_AUTH_ERROR", params.username);
    wbcFreeMemory(info);
    info = NULL;
    wbcFreeMemory(error);
    error = NULL;
    wbcFreeMemory(policy);
    policy = NULL;

    ret = wbcAddNamedBlob(&params.num_blobs, &params.blobs,
                          "membership_of", 0,
                          discard_const_p(uint8_t, "S-1-2-3-4"),
                          strlen("S-1-2-3-4")+1);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "%s", "wbcAddNamedBlob failed");
    params.password = cli_credentials_get_password(cmdline_credentials);
    ret = wbcLogonUser(&params, &info, &error, &policy);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR,
                             "wbcLogonUser for %s should have failed with "
                             "WBC_ERR_AUTH_ERROR", params.username);
    wbcFreeMemory(info);
    info = NULL;
    wbcFreeMemory(error);
    error = NULL;
    wbcFreeMemory(policy);
    policy = NULL;
    wbcFreeMemory(params.blobs);
    params.blobs = NULL;
    params.num_blobs = 0;

    ret = wbcInterfaceDetails(&iface);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "%s", "wbcInterfaceDetails failed");

    ret = wbcLookupName(iface->netbios_domain, cli_credentials_get_username(cmdline_credentials), &sid,
                        &sidtype);
    wbcFreeMemory(iface);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "wbcLookupName for %s failed", cli_credentials_get_username(cmdline_credentials));

    ret = wbcSidToString(&sid, &sidstr);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "%s", "wbcSidToString failed");

    ret = wbcAddNamedBlob(&params.num_blobs, &params.blobs,
                          "membership_of", 0,
                          (uint8_t *)sidstr, strlen(sidstr)+1);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "%s", "wbcAddNamedBlob failed");
    wbcFreeMemory(sidstr);
    params.password = cli_credentials_get_password(cmdline_credentials);
    ret = wbcLogonUser(&params, &info, &error, &policy);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "wbcLogonUser for %s failed", params.username);
    wbcFreeMemory(info);
    info = NULL;
    wbcFreeMemory(error);
    error = NULL;
    wbcFreeMemory(policy);
    policy = NULL;
    wbcFreeMemory(params.blobs);
    params.blobs = NULL;
    params.num_blobs = 0;

    return true;
}
Пример #22
0
static bool test_wbc_change_password(struct torture_context *tctx)
{
    wbcErr ret;
    const char *oldpass = cli_credentials_get_password(cmdline_credentials);
    const char *newpass = "******";

    struct samr_CryptPassword new_nt_password;
    struct samr_CryptPassword new_lm_password;
    struct samr_Password old_nt_hash_enc;
    struct samr_Password old_lanman_hash_enc;

    uint8_t old_nt_hash[16];
    uint8_t old_lanman_hash[16];
    uint8_t new_nt_hash[16];
    uint8_t new_lanman_hash[16];

    struct wbcChangePasswordParams params;

    if (oldpass == NULL) {
        torture_skip(tctx,
                     "skipping wbcChangeUserPassword test as old password cannot be retrieved\n");
    }

    ZERO_STRUCT(params);

    E_md4hash(oldpass, old_nt_hash);
    E_md4hash(newpass, new_nt_hash);

    if (lpcfg_client_lanman_auth(tctx->lp_ctx) &&
            E_deshash(newpass, new_lanman_hash) &&
            E_deshash(oldpass, old_lanman_hash)) {

        /* E_deshash returns false for 'long' passwords (> 14
           DOS chars).  This allows us to match Win2k, which
           does not store a LM hash for these passwords (which
           would reduce the effective password length to 14) */

        encode_pw_buffer(new_lm_password.data, newpass, STR_UNICODE);
        arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
        E_old_pw_hash(new_nt_hash, old_lanman_hash,
                      old_lanman_hash_enc.hash);

        params.old_password.response.old_lm_hash_enc_length =
            sizeof(old_lanman_hash_enc.hash);
        params.old_password.response.old_lm_hash_enc_data =
            old_lanman_hash_enc.hash;
        params.new_password.response.lm_length =
            sizeof(new_lm_password.data);
        params.new_password.response.lm_data =
            new_lm_password.data;
    } else {
        ZERO_STRUCT(new_lm_password);
        ZERO_STRUCT(old_lanman_hash_enc);
    }

    encode_pw_buffer(new_nt_password.data, newpass, STR_UNICODE);

    arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
    E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);

    params.old_password.response.old_nt_hash_enc_length =
        sizeof(old_nt_hash_enc.hash);
    params.old_password.response.old_nt_hash_enc_data =
        old_nt_hash_enc.hash;
    params.new_password.response.nt_length = sizeof(new_nt_password.data);
    params.new_password.response.nt_data = new_nt_password.data;

    params.level = WBC_CHANGE_PASSWORD_LEVEL_RESPONSE;
    params.account_name = cli_credentials_get_username(cmdline_credentials);
    params.domain_name = cli_credentials_get_domain(cmdline_credentials);

    ret = wbcChangeUserPasswordEx(&params, NULL, NULL, NULL);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "wbcChangeUserPassword for %s failed", params.account_name);

    if (!test_wbc_authenticate_user_int(tctx, newpass)) {
        return false;
    }

    ret = wbcChangeUserPassword(cli_credentials_get_username(cmdline_credentials), newpass,
                                cli_credentials_get_password(cmdline_credentials));
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "wbcChangeUserPassword for %s failed", params.account_name);

    return test_wbc_authenticate_user_int(tctx, cli_credentials_get_password(cmdline_credentials));
}
Пример #23
0
/*
 * Test some updates
 */
static bool test_dlz_bind9_update01(struct torture_context *tctx)
{
	NTSTATUS status;
	struct gensec_security *gensec_client_context;
	DATA_BLOB client_to_server, server_to_client;
	void *dbdata;
	void *version = NULL;
	const char *argv[] = {
		"samba_dlz",
		"-H",
		lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
		NULL
	};
	struct test_expected_rr *expected1 = NULL;
	char *name = NULL;
	char *data0 = NULL;
	char *data1 = NULL;
	char *data2 = NULL;
	bool ret = false;

	tctx_static = tctx;
	torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata,
						  "log", dlz_bind9_log_wrapper,
						  "writeable_zone", dlz_bind9_writeable_zone_hook,
						  "putrr", dlz_bind9_putrr_hook,
						  "putnamedrr", dlz_bind9_putnamedrr_hook,
						  NULL),
				 ISC_R_SUCCESS,
				 "Failed to create samba_dlz");

	torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
						     ISC_R_SUCCESS,
				 "Failed to configure samba_dlz");

	expected1 = talloc_zero(tctx, struct test_expected_rr);
	torture_assert(tctx, expected1 != NULL, "talloc failed");
	expected1->tctx = tctx;

	expected1->query_name = __func__;

	name = talloc_asprintf(expected1, "%s.%s",
				expected1->query_name,
				lpcfg_dnsdomain(tctx->lp_ctx));
	torture_assert(tctx, name != NULL, "talloc failed");

	expected1->num_records = 2;
	expected1->records = talloc_zero_array(expected1,
					       struct test_expected_record,
					       expected1->num_records);
	torture_assert(tctx, expected1->records != NULL, "talloc failed");

	expected1->records[0].name = expected1->query_name;
	expected1->records[0].type = "a";
	expected1->records[0].ttl = 3600;
	expected1->records[0].data = "127.1.2.3";
	expected1->records[0].printed = false;

	data0 = talloc_asprintf(expected1,
				"%s.\t" "%u\t" "%s\t" "%s\t" "%s",
				name,
				(unsigned)expected1->records[0].ttl,
				"in",
				expected1->records[0].type,
				expected1->records[0].data);
	torture_assert(tctx, data0 != NULL, "talloc failed");

	expected1->records[1].name = expected1->query_name;
	expected1->records[1].type = "a";
	expected1->records[1].ttl = 3600;
	expected1->records[1].data = "127.3.2.1";
	expected1->records[1].printed = false;

	data1 = talloc_asprintf(expected1,
				"%s.\t" "%u\t" "%s\t" "%s\t" "%s",
				name,
				(unsigned)expected1->records[1].ttl,
				"in",
				expected1->records[1].type,
				expected1->records[1].data);
	torture_assert(tctx, data1 != NULL, "talloc failed");

	data2 = talloc_asprintf(expected1,
				"%s.\t" "0\t" "in\t" "a\t" "127.3.3.3",
				name);
	torture_assert(tctx, data2 != NULL, "talloc failed");

	/*
	 * Prepare session info
	 */
	status = gensec_client_start(tctx, &gensec_client_context,
				     lpcfg_gensec_settings(tctx, tctx->lp_ctx));
	torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");

	/*
	 * dlz_bind9 use the special dns/host.domain account
	 */
	status = gensec_set_target_hostname(gensec_client_context,
					    talloc_asprintf(tctx,
				"%s.%s",
				torture_setting_string(tctx, "host", NULL),
				lpcfg_dnsdomain(tctx->lp_ctx)));
	torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");

	status = gensec_set_target_service(gensec_client_context, "dns");
	torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_service failed");

	status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
	torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");

	status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSS-SPNEGO");
	torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");

	server_to_client = data_blob(NULL, 0);

	/* Do one step of the client-server update dance */
	status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server);
	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
		torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
	}

	torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
						    name,
						    "127.0.0.1",
						    expected1->records[0].type,
						    "key",
						    client_to_server.length,
						    client_to_server.data,
						    dbdata),
				 ISC_TRUE,
				 "Failed to check key for update rights samba_dlz");

	/*
	 * We test the following:
	 *
	 *  1. lookup the records => NOT_FOUND
	 *  2. delete all records => NOT_FOUND
	 *  3. delete 1st record => NOT_FOUND
	 *  4. create 1st record => SUCCESS
	 *  5. lookup the records => found 1st
	 *  6. create 2nd record => SUCCESS
	 *  7. lookup the records => found 1st and 2nd
	 *  8. delete unknown record => NOT_FOUND
	 *  9. lookup the records => found 1st and 2nd
	 * 10. delete 1st record => SUCCESS
	 * 11. lookup the records => found 2nd
	 * 12. delete 2nd record => SUCCESS
	 * 13. lookup the records => NOT_FOUND
	 * 14. create 1st record => SUCCESS
	 * 15. lookup the records => found 1st
	 * 16. create 2nd record => SUCCESS
	 * 17. lookup the records => found 1st and 2nd
	 * 18. update 1st record => SUCCESS
	 * 19. lookup the records => found 1st and 2nd
	 * 20. delete all unknown type records => NOT_FOUND
	 * 21. lookup the records => found 1st and 2nd
	 * 22. delete all records => SUCCESS
	 * 23. lookup the records => NOT_FOUND
	 */

	/* Step 1. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_NOTFOUND,
				 "Found hostname");
	torture_assert_int_equal(tctx, expected1->num_rr, 0,
				 "Got wrong record count");

	/* Step 2. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_delrdataset(name,
					expected1->records[0].type,
					dbdata, version),
			ISC_R_NOTFOUND, ret, cancel_version,
			talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n",
			name, expected1->records[0].type));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);

	/* Step 3. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_subrdataset(name, data0, dbdata, version),
			ISC_R_NOTFOUND, ret, cancel_version,
			talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n",
			name, data0));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);

	/* Step 4. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_addrdataset(name, data0, dbdata, version),
			ISC_R_SUCCESS, ret, cancel_version,
			talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
			name, data0));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);

	/* Step 5. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_SUCCESS,
				 "Not found hostname");
	torture_assert(tctx, expected1->records[0].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[0].name,
		       expected1->records[0].type));
	torture_assert_int_equal(tctx, expected1->num_rr, 1,
				 "Got wrong record count");

	/* Step 6. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_addrdataset(name, data1, dbdata, version),
			ISC_R_SUCCESS, ret, cancel_version,
			talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
			name, data1));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);

	/* Step 7. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_SUCCESS,
				 "Not found hostname");
	torture_assert(tctx, expected1->records[0].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[0].name,
		       expected1->records[0].type));
	torture_assert(tctx, expected1->records[1].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[1].name,
		       expected1->records[1].type));
	torture_assert_int_equal(tctx, expected1->num_rr, 2,
				 "Got wrong record count");

	/* Step 8. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_subrdataset(name, data2, dbdata, version),
			ISC_R_NOTFOUND, ret, cancel_version,
			talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n",
			name, data2));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);

	/* Step 9. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_SUCCESS,
				 "Not found hostname");
	torture_assert(tctx, expected1->records[0].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[0].name,
		       expected1->records[0].type));
	torture_assert(tctx, expected1->records[1].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[1].name,
		       expected1->records[1].type));
	torture_assert_int_equal(tctx, expected1->num_rr, 2,
				 "Got wrong record count");

	/* Step 10. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_subrdataset(name, data0, dbdata, version),
			ISC_R_SUCCESS, ret, cancel_version,
			talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n",
			name, data0));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);

	/* Step 11. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_SUCCESS,
				 "Not found hostname");
	torture_assert(tctx, expected1->records[1].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[1].name,
		       expected1->records[1].type));
	torture_assert_int_equal(tctx, expected1->num_rr, 1,
				 "Got wrong record count");

	/* Step 12. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_subrdataset(name, data1, dbdata, version),
			ISC_R_SUCCESS, ret, cancel_version,
			talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n",
			name, data1));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);

	/* Step 13. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_NOTFOUND,
				 "Found hostname");
	torture_assert_int_equal(tctx, expected1->num_rr, 0,
				 "Got wrong record count");

	/* Step 14. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_addrdataset(name, data0, dbdata, version),
			ISC_R_SUCCESS, ret, cancel_version,
			talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
			name, data0));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);

	/* Step 15. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_SUCCESS,
				 "Not found hostname");
	torture_assert(tctx, expected1->records[0].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[0].name,
		       expected1->records[0].type));
	torture_assert_int_equal(tctx, expected1->num_rr, 1,
				 "Got wrong record count");

	/* Step 16. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_addrdataset(name, data1, dbdata, version),
			ISC_R_SUCCESS, ret, cancel_version,
			talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
			name, data1));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);

	/* Step 17. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_SUCCESS,
				 "Not found hostname");
	torture_assert(tctx, expected1->records[0].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[0].name,
		       expected1->records[0].type));
	torture_assert(tctx, expected1->records[1].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[1].name,
		       expected1->records[1].type));
	torture_assert_int_equal(tctx, expected1->num_rr, 2,
				 "Got wrong record count");

	/* Step 18. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_addrdataset(name, data0, dbdata, version),
			ISC_R_SUCCESS, ret, cancel_version,
			talloc_asprintf(tctx, "Failed to update name[%s] data[%s]\n",
			name, data0));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);

	/* Step 19. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_SUCCESS,
				 "Not found hostname");
	torture_assert(tctx, expected1->records[0].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[0].name,
		       expected1->records[0].type));
	torture_assert(tctx, expected1->records[1].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[1].name,
		       expected1->records[1].type));
	torture_assert_int_equal(tctx, expected1->num_rr, 2,
				 "Got wrong record count");

	/* Step 20. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_delrdataset(name, "txt", dbdata, version),
			ISC_R_FAILURE, ret, cancel_version,
			talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n",
			name, "txt"));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);

	/* Step 21. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_SUCCESS,
				 "Not found hostname");
	torture_assert(tctx, expected1->records[0].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[0].name,
		       expected1->records[0].type));
	torture_assert(tctx, expected1->records[1].printed,
		       talloc_asprintf(tctx,
		       "Failed to have putrr callback run name[%s] for type %s",
		       expected1->records[1].name,
		       expected1->records[1].type));
	torture_assert_int_equal(tctx, expected1->num_rr, 2,
				 "Got wrong record count");

	/* Step 22. */
	torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
						      dbdata, &version),
				 ISC_R_SUCCESS,
				 "Failed to start transaction");
	torture_assert_int_equal_goto(tctx,
			dlz_delrdataset(name,
					expected1->records[0].type,
					dbdata, version),
			ISC_R_SUCCESS, ret, cancel_version,
			talloc_asprintf(tctx, "Failed to delete name[%s] type[%s]\n",
			name, expected1->records[0].type));
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);

	/* Step 23. */
	expected1->num_rr = 0;
	expected1->records[0].printed = false;
	expected1->records[1].printed = false;
	torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
						  expected1->query_name, dbdata,
						  (dns_sdlzlookup_t *)expected1),
				 ISC_R_NOTFOUND,
				 "Found hostname");
	torture_assert_int_equal(tctx, expected1->num_rr, 0,
				 "Got wrong record count");

	dlz_destroy(dbdata);

	return true;

cancel_version:
	dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
	return ret;
}
Пример #24
0
static struct bkrp_BackupKey *createRestoreGUIDStruct(struct torture_context *tctx,
				struct dcerpc_pipe *p, int version, DATA_BLOB *out,
				bool norevert,
				bool broken_version,
				bool broken_user,
				bool broken_magic_secret,
				bool broken_magic_access,
				bool broken_hash_access,
				bool broken_cert_guid)
{
	struct dcerpc_binding_handle *b = p->binding_handle;
	struct bkrp_client_side_wrapped data;
	DATA_BLOB *xs;
	DATA_BLOB *sec;
	DATA_BLOB *enc_sec;
	DATA_BLOB *enc_xs;
	DATA_BLOB *blob2;
	DATA_BLOB enc_sec_reverted;
	DATA_BLOB des3_key;
	DATA_BLOB aes_key;
	DATA_BLOB iv;
	DATA_BLOB out_blob;
	struct GUID *guid, *g;
	int t;
	uint32_t size;
	enum ndr_err_code ndr_err;
	NTSTATUS status;
	const char *user;
	struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, version, &out_blob);
	if (r == NULL) {
		return NULL;
	}

	if (broken_user) {
		/* we take a fake user*/
		user = "******";
	} else {
		user = cli_credentials_get_username(cmdline_credentials);
	}


	torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
					"Get GUID");
	/*
	 * We have to set it outside of the function createRetreiveBackupKeyGUIDStruct
	 * the len of the blob, this is due to the fact that they don't have the
	 * same size (one is 32bits the other 64bits)
	 */
	out_blob.length = *r->out.data_out_len;

	sec = create_unencryptedsecret(tctx, broken_magic_secret, version);
	if (sec == NULL) {
		return NULL;
	}

	xs = create_access_check(tctx, p, tctx, user, broken_hash_access, version);
	if (xs == NULL) {
		return NULL;
	}

	if (broken_magic_access){
		/* The start of the access_check structure contains the 
		 * GUID of the certificate
		 */
		xs->data[0]++;
	}

	enc_sec = encrypt_blob_pk(tctx, tctx, out_blob.data, out_blob.length, sec);
	if (!enc_sec) {
		return NULL;
	}
	enc_sec_reverted.data = talloc_array(tctx, uint8_t, enc_sec->length);
	if (enc_sec_reverted.data == NULL) {
		return NULL;
	}
	enc_sec_reverted.length = enc_sec->length;

	/*
	* We DO NOT revert the array on purpose it's in order to check that
	* when the server is not able to decrypt then it answer the correct error
	*/
	if (norevert) {
		for(t=0; t< enc_sec->length; t++) {
			enc_sec_reverted.data[t] = ((uint8_t*)enc_sec->data)[t];
		}
	} else {
		for(t=0; t< enc_sec->length; t++) {
			enc_sec_reverted.data[t] = ((uint8_t*)enc_sec->data)[enc_sec->length - t -1];
		}
	}

	size = sec->length;
	if (version ==2) {
		const AlgorithmIdentifier *alg = hx509_crypto_des_rsdi_ede3_cbc();
		iv.data = sec->data+(size - 8);
		iv.length = 8;

		des3_key.data = sec->data+(size - 32);
		des3_key.length = 24;

		enc_xs = encrypt_blob(tctx, tctx, &des3_key, &iv, xs, alg);
	}
	if (version == 3) {
		const AlgorithmIdentifier *alg = hx509_crypto_aes256_cbc();
		iv.data = sec->data+(size-16);
		iv.length = 16;

		aes_key.data = sec->data+(size-48);
		aes_key.length = 32;

		enc_xs = encrypt_blob(tctx, tctx, &aes_key, &iv, xs, alg);
	}

	if (!enc_xs) {
		return NULL;
	}

	/* To cope with the fact that heimdal do padding at the end for the moment */
	enc_xs->length = xs->length;

	guid = get_cert_guid(tctx, tctx, out_blob.data, out_blob.length);
	if (guid == NULL) {
		return NULL;
	}

	if (broken_version) {
		data.version = 1;
	} else {
		data.version = version;
	}

	data.guid = *guid;
	data.encrypted_secret = enc_sec_reverted.data;
	data.access_check = enc_xs->data;
	data.encrypted_secret_len = enc_sec->length;
	data.access_check_len = enc_xs->length;

	/* We want the blob to persist after this function so we don't
	 * allocate it in the stack
	 */
	blob2 = talloc(tctx, DATA_BLOB);
	if (blob2 == NULL) {
		return NULL;
	}

	ndr_err = ndr_push_struct_blob(blob2, tctx, &data,
			(ndr_push_flags_fn_t)ndr_push_bkrp_client_side_wrapped);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		return NULL;
	}

	if (broken_cert_guid) {
		blob2->data[12]++;
	}

	ZERO_STRUCT(*r);

	g = talloc(tctx, struct GUID);
	if (g == NULL) {
		return NULL;
	}

	status = GUID_from_string(BACKUPKEY_RESTORE_GUID, g);
	if (!NT_STATUS_IS_OK(status)) {
		return NULL;
	}

	r->in.guidActionAgent = g;
	r->in.data_in = blob2->data;
	r->in.data_in_len = blob2->length;
	r->in.param = 0;
	r->out.data_out = &(out->data);
	r->out.data_out_len = talloc(r, uint32_t);
	return r;
}
Пример #25
0
/* Get the keytab (actually, a container containing the krb5_keytab)
 * attached to this context.  If this hasn't been done or set before,
 * it will be generated from the password.
 */
_PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, 
					struct loadparm_context *lp_ctx,
					struct keytab_container **_ktc)
{
	krb5_error_code ret;
	struct keytab_container *ktc;
	struct smb_krb5_context *smb_krb5_context;
	const char *keytab_name;
	krb5_keytab keytab;
	TALLOC_CTX *mem_ctx;
	const char *username = cli_credentials_get_username(cred);
	const char *realm = cli_credentials_get_realm(cred);
	const char *error_string;
	const char *salt_principal;

	if (cred->keytab_obtained >= (MAX(cred->principal_obtained, 
					  cred->username_obtained))) {
		*_ktc = cred->keytab;
		return 0;
	}

	if (cli_credentials_is_anonymous(cred)) {
		return EINVAL;
	}

	ret = cli_credentials_get_krb5_context(cred, lp_ctx,
					       &smb_krb5_context);
	if (ret) {
		return ret;
	}

	mem_ctx = talloc_new(cred);
	if (!mem_ctx) {
		return ENOMEM;
	}

	/*
	 * FIXME: Currently there is no better way than to create the correct
	 * salt principal by checking if the username ends with a '$'. It would
	 * be better if it is part of the credentials.
	 */
	ret = smb_krb5_create_salt_principal(mem_ctx,
					     username,
					     realm,
					     &salt_principal,
					     &error_string);
	if (ret) {
		talloc_free(mem_ctx);
		return ret;
	}

	ret = smb_krb5_create_memory_keytab(mem_ctx,
					    smb_krb5_context->krb5_context,
					    cli_credentials_get_password(cred),
					    username,
					    realm,
					    salt_principal,
					    cli_credentials_get_kvno(cred),
					    &keytab,
					    &keytab_name);
	if (ret) {
		talloc_free(mem_ctx);
		return ret;
	}

	ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context,
					    keytab, keytab_name, &ktc);
	if (ret) {
		talloc_free(mem_ctx);
		return ret;
	}

	cred->keytab_obtained = (MAX(cred->principal_obtained, 
				     cred->username_obtained));

	/* We make this keytab up based on a password.  Therefore
	 * match-by-key is acceptable, we can't match on the wrong
	 * principal */
	ktc->password_based = true;

	talloc_steal(cred, ktc);
	cred->keytab = ktc;
	*_ktc = cred->keytab;
	talloc_free(mem_ctx);
	return ret;
}