Пример #1
static bool test_create_trust_and_set_info(struct dcerpc_pipe *p,
					   struct torture_context *tctx,
					   const char *trust_name,
					   const char *trust_name_dns,
					   struct dom_sid *domsid,
					   struct lsa_TrustDomainInfoAuthInfoInternal *authinfo)
{
	struct policy_handle *handle;
	NTSTATUS status;
	struct lsa_lsaRSetForestTrustInformation fti;
	struct lsa_ForestTrustCollisionInfo *collision_info = NULL;
	struct lsa_Close cr;
	struct policy_handle closed_handle;
	bool ret = true;
	struct lsa_CreateTrustedDomainEx2 r;
	struct lsa_TrustDomainInfoInfoEx trustinfo;
	struct policy_handle trustdom_handle;
	struct lsa_QueryTrustedDomainInfo q;
	union lsa_TrustedDomainInfo *info = NULL;

	if (!test_get_policy_handle(tctx, p,
				   (LSA_POLICY_VIEW_LOCAL_INFORMATION |
				    LSA_POLICY_TRUST_ADMIN |
				    LSA_POLICY_CREATE_SECRET), &handle)) {
		return false;
	}

	torture_comment(tctx, "\nTesting CreateTrustedDomainEx2\n");

	trustinfo.sid = domsid;
	trustinfo.netbios_name.string = trust_name;
	trustinfo.domain_name.string = trust_name_dns;

	trustinfo.trust_direction = LSA_TRUST_DIRECTION_INBOUND |
				    LSA_TRUST_DIRECTION_OUTBOUND;

	trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL;

	trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;

	r.in.policy_handle = handle;
	r.in.info = &trustinfo;
	r.in.auth_info_internal = authinfo;
	/* LSA_TRUSTED_QUERY_DOMAIN_NAME is needed for for following
	 * QueryTrustedDomainInfo call, although it seems that Windows does not
	 * expect this */
	r.in.access_mask = LSA_TRUSTED_SET_POSIX | LSA_TRUSTED_SET_AUTH | LSA_TRUSTED_QUERY_DOMAIN_NAME;
	r.out.trustdom_handle = &trustdom_handle;

	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_CreateTrustedDomainEx2_r(p->binding_handle, tctx, &r),
				   "CreateTrustedDomainEx2 failed");
	if (!NT_STATUS_IS_OK(r.out.result)) {
		torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(r.out.result));
		ret = false;
	} else {

		q.in.trustdom_handle = &trustdom_handle;
		q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
		q.out.info = &info;

		torture_assert_ntstatus_ok(tctx,
					   dcerpc_lsa_QueryTrustedDomainInfo_r(p->binding_handle, tctx, &q),
					   "QueryTrustedDomainInfo failed");
		if (!NT_STATUS_IS_OK(q.out.result)) {
			torture_comment(tctx,
					"QueryTrustedDomainInfo level 1 failed - %s\n",
					nt_errstr(q.out.result));
			ret = false;
		} else if (!q.out.info) {
			torture_comment(tctx,
					"QueryTrustedDomainInfo level 1 failed to return an info pointer\n");
			ret = false;
		} else {
			if (strcmp(info->info_ex.netbios_name.string, trustinfo.netbios_name.string) != 0) {
				torture_comment(tctx,
						"QueryTrustedDomainInfo returned inconsistent short name: %s != %s\n",
						info->info_ex.netbios_name.string,
						trustinfo.netbios_name.string);
				ret = false;
			}
			if (info->info_ex.trust_type != trustinfo.trust_type) {
				torture_comment(tctx,
						"QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n",
						trust_name,
						info->info_ex.trust_type,
						trustinfo.trust_type);
				ret = false;
			}
			if (info->info_ex.trust_attributes != trustinfo.trust_attributes) {
				torture_comment(tctx,
						"QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n",
						trust_name,
						info->info_ex.trust_attributes,
						trustinfo.trust_attributes);
				ret = false;
			}
			if (info->info_ex.trust_direction != trustinfo.trust_direction) {
				torture_comment(tctx,
						"QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n",
						trust_name,
						info->info_ex.trust_direction,
						trustinfo.trust_direction);
				ret = false;
			}
		}
	}

	if (ret != false) {
		fti.in.handle = handle;
		fti.in.trusted_domain_name = talloc_zero(tctx, struct lsa_StringLarge);
		fti.in.trusted_domain_name->string = trust_name_dns;
		fti.in.highest_record_type = 2;
		fti.in.forest_trust_info = talloc_zero(tctx, struct lsa_ForestTrustInformation);
		fti.in.forest_trust_info->count = 2;
		fti.in.forest_trust_info->entries = talloc_array(tctx, struct lsa_ForestTrustRecord *, 2);
		fti.in.forest_trust_info->entries[0] = talloc_zero(tctx, struct lsa_ForestTrustRecord);
		fti.in.forest_trust_info->entries[0]->flags = 0;
		fti.in.forest_trust_info->entries[0]->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
		fti.in.forest_trust_info->entries[0]->time = 0;
		fti.in.forest_trust_info->entries[0]->forest_trust_data.top_level_name.string = trust_name_dns;
		fti.in.forest_trust_info->entries[1] = talloc_zero(tctx, struct lsa_ForestTrustRecord);
		fti.in.forest_trust_info->entries[1]->flags = 0;
		fti.in.forest_trust_info->entries[1]->type = LSA_FOREST_TRUST_DOMAIN_INFO;
		fti.in.forest_trust_info->entries[1]->time = 0;
		fti.in.forest_trust_info->entries[1]->forest_trust_data.domain_info.domain_sid = domsid;
		fti.in.forest_trust_info->entries[1]->forest_trust_data.domain_info.dns_domain_name.string = trust_name_dns;
		fti.in.forest_trust_info->entries[1]->forest_trust_data.domain_info.netbios_domain_name.string = trust_name;
		fti.in.check_only = 0;
		fti.out.collision_info = &collision_info;

		torture_comment(tctx, "\nTesting SetForestTrustInformation\n");

		torture_assert_ntstatus_ok(tctx,
					   dcerpc_lsa_lsaRSetForestTrustInformation_r(p->binding_handle, tctx, &fti),
					   "lsaRSetForestTrustInformation failed");
		if (!NT_STATUS_IS_OK(fti.out.result)) {
			torture_comment(tctx,
					"lsaRSetForestTrustInformation failed - %s\n",
					nt_errstr(fti.out.result));
			ret = false;
		}
	}
Пример #2
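/*
 * Create a two-way, forest-transitive trust for trust_name / trust_name_dns
 * (SID domsid, authentication blob authinfo), read it back to confirm the
 * server stored the trust parameters we sent, and then publish a minimal
 * set of forest trust records (one top-level name, one domain-info record)
 * for it with lsaRSetForestTrustInformation.
 *
 * Returns true on success. Every torture_assert_* below returns false on
 * the first failure, so on an error path the policy handle (and, once
 * created, the trusted-domain handle) are left open on the server; that
 * mirrors the rest of the torture suite, which does not clean up after a
 * failed assertion.
 *
 * Parameters:
 *   p              connected LSA pipe
 *   tctx           torture context; also the talloc parent for every
 *                  temporary allocated here
 *   trust_name     NetBIOS name of the trusted domain
 *   trust_name_dns DNS name of the trusted domain
 *   domsid         SID of the trusted domain
 *   authinfo       encrypted trust authentication information, passed
 *                  through unchanged to CreateTrustedDomainEx2
 */
static bool test_create_trust_and_set_info(struct dcerpc_pipe *p,
					   struct torture_context *tctx,
					   const char *trust_name,
					   const char *trust_name_dns,
					   struct dom_sid *domsid,
					   struct lsa_TrustDomainInfoAuthInfoInternal *authinfo)
{
	struct policy_handle *handle;
	/*
	 * Every request struct goes onto the wire, so zero them rather than
	 * rely on each field being assigned below; this keeps uninitialised
	 * stack bytes out of the marshalled request if a field is added later.
	 */
	struct lsa_lsaRSetForestTrustInformation fti = {0};
	struct lsa_ForestTrustCollisionInfo *collision_info = NULL;
	struct lsa_Close cr = {0};
	struct policy_handle closed_handle;
	struct lsa_CreateTrustedDomainEx2 r = {0};
	struct lsa_TrustDomainInfoInfoEx trustinfo = {0};
	struct policy_handle trustdom_handle;
	struct lsa_QueryTrustedDomainInfo q = {0};
	union lsa_TrustedDomainInfo *info = NULL;
	struct lsa_ForestTrustRecord *tln_record;
	struct lsa_ForestTrustRecord *domain_record;

	/*
	 * One policy handle carrying every right the calls below are expected
	 * to need, so the whole sequence runs against the same handle.
	 */
	if (!test_get_policy_handle(tctx, p,
				   (LSA_POLICY_VIEW_LOCAL_INFORMATION |
				    LSA_POLICY_TRUST_ADMIN |
				    LSA_POLICY_CREATE_SECRET), &handle)) {
		return false;
	}

	torture_comment(tctx, "\nTesting CreateTrustedDomainEx2\n");

	trustinfo.sid = domsid;
	trustinfo.netbios_name.string = trust_name;
	trustinfo.domain_name.string = trust_name_dns;

	/* Two-way trust: both inbound and outbound directions are set. */
	trustinfo.trust_direction = LSA_TRUST_DIRECTION_INBOUND |
				    LSA_TRUST_DIRECTION_OUTBOUND;

	trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL;

	/*
	 * MS-LSAD: Section 3.1.4.7.10 makes it clear that Win2k3
	 * functional level and above return
	 * NT_STATUS_INVALID_DOMAIN_STATE if
	 * TRUST_ATTRIBUTE_FOREST_TRANSITIVE or
	 * TRUST_ATTRIBUTE_CROSS_ORGANIZATION is set here.
	 *
	 * But we really want to test forest trusts here.
	 */
	trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;

	r.in.policy_handle = handle;
	r.in.info = &trustinfo;
	r.in.auth_info_internal = authinfo;
	/*
	 * LSA_TRUSTED_QUERY_DOMAIN_NAME is needed for the following
	 * QueryTrustedDomainInfo call, although it seems that Windows does
	 * not expect this.
	 */
	r.in.access_mask = LSA_TRUSTED_SET_POSIX | LSA_TRUSTED_SET_AUTH | LSA_TRUSTED_QUERY_DOMAIN_NAME;
	r.out.trustdom_handle = &trustdom_handle;

	/* Two checks per call: the RPC transport status, then the LSA result. */
	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_CreateTrustedDomainEx2_r(p->binding_handle, tctx, &r),
				   "CreateTrustedDomainEx2 failed");
	torture_assert_ntstatus_ok(tctx, r.out.result, "CreateTrustedDomainEx2 failed");

	/*
	 * Read the trust back through the handle we were just given and check
	 * that name, type, attributes and direction survived the round trip.
	 */
	q.in.trustdom_handle = &trustdom_handle;
	q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
	q.out.info = &info;

	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_QueryTrustedDomainInfo_r(p->binding_handle, tctx, &q),
				   "QueryTrustedDomainInfo failed");
	torture_assert_ntstatus_ok(tctx, q.out.result, "QueryTrustedDomainInfo level 1");
	torture_assert(tctx, q.out.info != NULL, "QueryTrustedDomainInfo level 1 failed to return an info pointer");
	torture_assert_str_equal(tctx, info->info_ex.netbios_name.string,
				 trustinfo.netbios_name.string,
				 "QueryTrustedDomainInfo returned inconsistent short name");
	torture_assert_int_equal(tctx, info->info_ex.trust_type, trustinfo.trust_type,
				 "QueryTrustedDomainInfo returned incorrect trust type");
	torture_assert_int_equal(tctx, info->info_ex.trust_attributes, trustinfo.trust_attributes,
				 "QueryTrustedDomainInfo returned incorrect trust attributes");
	torture_assert_int_equal(tctx, info->info_ex.trust_direction, trustinfo.trust_direction,
				 "QueryTrustedDomainInfo returned incorrect trust direction");

	/*
	 * Forest trust information: a top-level-name record claiming the
	 * trusted forest's DNS namespace plus a domain-info record binding the
	 * SID and both names. These records are what the server later uses to
	 * decide which names and SIDs it accepts from this trust, so they are
	 * set with check_only = 0 (really stored, not just validated).
	 */
	fti.in.handle = handle;
	fti.in.trusted_domain_name = talloc_zero(tctx, struct lsa_StringLarge);
	torture_assert(tctx, fti.in.trusted_domain_name != NULL, "talloc failed");
	fti.in.trusted_domain_name->string = trust_name_dns;
	/* Highest record type this client understands (domain-info == 2). */
	fti.in.highest_record_type = LSA_FOREST_TRUST_DOMAIN_INFO;
	fti.in.forest_trust_info = talloc_zero(tctx, struct lsa_ForestTrustInformation);
	torture_assert(tctx, fti.in.forest_trust_info != NULL, "talloc failed");
	fti.in.forest_trust_info->count = 2;
	fti.in.forest_trust_info->entries = talloc_array(tctx, struct lsa_ForestTrustRecord *, 2);
	torture_assert(tctx, fti.in.forest_trust_info->entries != NULL, "talloc failed");

	tln_record = talloc_zero(tctx, struct lsa_ForestTrustRecord);
	torture_assert(tctx, tln_record != NULL, "talloc failed");
	tln_record->flags = 0;
	tln_record->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
	tln_record->time = 0;
	tln_record->forest_trust_data.top_level_name.string = trust_name_dns;
	fti.in.forest_trust_info->entries[0] = tln_record;

	domain_record = talloc_zero(tctx, struct lsa_ForestTrustRecord);
	torture_assert(tctx, domain_record != NULL, "talloc failed");
	domain_record->flags = 0;
	domain_record->type = LSA_FOREST_TRUST_DOMAIN_INFO;
	domain_record->time = 0;
	domain_record->forest_trust_data.domain_info.domain_sid = domsid;
	domain_record->forest_trust_data.domain_info.dns_domain_name.string = trust_name_dns;
	domain_record->forest_trust_data.domain_info.netbios_domain_name.string = trust_name;
	fti.in.forest_trust_info->entries[1] = domain_record;

	fti.in.check_only = 0;
	fti.out.collision_info = &collision_info;

	torture_comment(tctx, "\nTesting SetForestTrustInformation\n");

	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_lsaRSetForestTrustInformation_r(p->binding_handle, tctx, &fti),
				   "lsaRSetForestTrustInformation failed");
	torture_assert_ntstatus_ok(tctx, fti.out.result, "lsaRSetForestTrustInformation failed");

	/*
	 * NT_STATUS_OK alone does not mean our records are in force: MS-LSAD
	 * (3.1.4.7.16) reports a name or SID that collides with an existing
	 * trust through collision_info, and such records are expected to be
	 * stored in a disabled state rather than rejected. A collision here
	 * would silently leave the trust without the TLN / SID filtering this
	 * test believes it configured, so treat it as a failure.
	 */
	if (collision_info != NULL) {
		torture_assert_int_equal(tctx, collision_info->count, 0,
					 "lsaRSetForestTrustInformation reported colliding forest trust records");
	}

	/* Release the trusted-domain handle handed out by CreateTrustedDomainEx2. */
	cr.in.handle = &trustdom_handle;
	cr.out.handle = &closed_handle;
	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_Close_r(p->binding_handle, tctx, &cr),
				   "Close failed");
	torture_assert_ntstatus_ok(tctx, cr.out.result, "Close of trusted domain handle failed");

	/* ... and the policy handle. */
	cr.in.handle = handle;
	cr.out.handle = &closed_handle;
	torture_assert_ntstatus_ok(tctx,
				   dcerpc_lsa_Close_r(p->binding_handle, tctx, &cr),
				   "Close failed");
	torture_assert_ntstatus_ok(tctx, cr.out.result, "Close failed");

	return true;
}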