search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
drsuapi.idl: fix source_dsa spelling
[samba4-gss.git] / source4 / torture / rpc / samba3rpc.c
blob6592d996b61f86c302b942236eb2026b44ca18b6
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc torture tests, designed to walk Samba3 code paths
5
6 Copyright (C) Volker Lendecke 2006
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libcli/raw/libcliraw.h"
24 #include "libcli/raw/raw_proto.h"
25 #include "torture/util.h"
26 #include "libcli/rap/rap.h"
27 #include "librpc/gen_ndr/ndr_lsa_c.h"
28 #include "librpc/gen_ndr/ndr_samr_c.h"
29 #include "librpc/gen_ndr/ndr_netlogon_c.h"
30 #include "librpc/gen_ndr/ndr_srvsvc_c.h"
31 #include "librpc/gen_ndr/ndr_spoolss_c.h"
32 #include "librpc/gen_ndr/ndr_winreg_c.h"
33 #include "librpc/gen_ndr/ndr_wkssvc_c.h"
34 #include "librpc/gen_ndr/ndr_svcctl_c.h"
35 #include "lib/cmdline/cmdline.h"
36 #include "torture/rpc/torture_rpc.h"
37 #include "libcli/libcli.h"
38 #include "libcli/smb_composite/smb_composite.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "libcli/security/security.h"
41 #include "param/param.h"
42 #include "lib/registry/registry.h"
43 #include "libcli/resolve/resolve.h"
44 #include "torture/ndr/ndr.h"
45 #include "libcli/smb2/smb2.h"
46 #include "libcli/smb2/smb2_calls.h"
47 #include "librpc/rpc/dcerpc.h"
48 #include "librpc/rpc/dcerpc_proto.h"
49 #include "libcli/smb/smbXcli_base.h"
50 #include "source3/rpc_client/init_samr.h"
51
52 /*
53 * open pipe and bind, given an IPC$ context
54 */
55
56 static NTSTATUS pipe_bind_smb(struct torture_context *tctx,
57 TALLOC_CTX *mem_ctx,
58 struct smbcli_tree *tree,
59 const char *pipe_name,
60 const struct ndr_interface_table *iface,
61 struct dcerpc_pipe **p)
62 {
63 struct dcerpc_pipe *result;
64 NTSTATUS status;
65
66 if (!(result = dcerpc_pipe_init(mem_ctx, tctx->ev))) {
67 return NT_STATUS_NO_MEMORY;
68 }
69
70 status = dcerpc_pipe_open_smb(result, tree, pipe_name);
71 if (!NT_STATUS_IS_OK(status)) {
72 torture_comment(tctx, "dcerpc_pipe_open_smb failed: %s\n",
73 nt_errstr(status));
74 talloc_free(result);
75 return status;
76 }
77
78 status = dcerpc_bind_auth_none(result, iface);
79 if (!NT_STATUS_IS_OK(status)) {
80 torture_comment(tctx, "dcerpc_bind_auth_none failed: %s\n", nt_errstr(status));
81 talloc_free(result);
82 return status;
83 }
84
85 *p = result;
86 return NT_STATUS_OK;
87 }
88
89 static NTSTATUS pipe_bind_smb2(struct torture_context *tctx,
90 TALLOC_CTX *mem_ctx,
91 struct smb2_tree *tree,
92 const char *pipe_name,
93 const struct ndr_interface_table *iface,
94 struct dcerpc_pipe **p)
95 {
96 struct dcerpc_pipe *result;
97 NTSTATUS status;
98
99 if (!(result = dcerpc_pipe_init(mem_ctx, tctx->ev))) {
100 return NT_STATUS_NO_MEMORY;
101 }
102
103 status = dcerpc_pipe_open_smb2(result, tree, pipe_name);
104 if (!NT_STATUS_IS_OK(status)) {
105 torture_comment(tctx, "dcerpc_pipe_open_smb2 failed: %s\n",
106 nt_errstr(status));
107 talloc_free(result);
108 return status;
109 }
110
111 status = dcerpc_bind_auth_none(result, iface);
112 if (!NT_STATUS_IS_OK(status)) {
113 torture_comment(tctx, "dcerpc_bind_auth_none failed: %s\n", nt_errstr(status));
114 talloc_free(result);
115 return status;
116 }
117
118 *p = result;
119 return NT_STATUS_OK;
120 }
121
122 static NTSTATUS pipe_bind_smb_auth(struct torture_context *tctx,
123 TALLOC_CTX *mem_ctx,
124 struct smbcli_tree *tree,
125 struct cli_credentials *creds,
126 uint8_t auth_type,
127 uint8_t auth_level,
128 const char *pipe_name,
129 const struct ndr_interface_table *iface,
130 struct dcerpc_pipe **p)
131 {
132 struct dcerpc_pipe *result;
133 NTSTATUS status;
134
135 if (!(result = dcerpc_pipe_init(mem_ctx, tctx->ev))) {
136 return NT_STATUS_NO_MEMORY;
137 }
138
139 status = dcerpc_pipe_open_smb(result, tree, pipe_name);
140 if (!NT_STATUS_IS_OK(status)) {
141 torture_comment(tctx, "dcerpc_pipe_open_smb failed: %s\n",
142 nt_errstr(status));
143 talloc_free(result);
144 return status;
145 }
146
147 status = dcerpc_bind_auth(result, iface, creds,
148 lpcfg_gensec_settings(tctx->lp_ctx, tctx->lp_ctx),
149 auth_type, auth_level, NULL);
150 if (!NT_STATUS_IS_OK(status)) {
151 torture_comment(tctx, "dcerpc_bind_auth failed: %s\n", nt_errstr(status));
152 talloc_free(result);
153 return status;
154 }
155
156 *p = result;
157 return NT_STATUS_OK;
158 }
159
160 /*
161 * This tests a RPC call using an invalid vuid
162 */
163
164 bool torture_bind_authcontext(struct torture_context *torture)
165 {
166 TALLOC_CTX *mem_ctx;
167 NTSTATUS status;
168 bool ret = false;
169 struct lsa_ObjectAttribute objectattr;
170 struct lsa_OpenPolicy2 openpolicy;
171 struct policy_handle handle;
172 struct lsa_Close close_handle;
173 struct smbcli_session *tmp;
174 uint16_t tmp_vuid;
175 struct smbcli_session *session2;
176 struct smbcli_state *cli;
177 struct dcerpc_pipe *lsa_pipe;
178 struct dcerpc_binding_handle *lsa_handle;
179 struct cli_credentials *anon_creds;
180 struct smb_composite_sesssetup setup;
181 struct smbcli_options options;
182 struct smbcli_session_options session_options;
183
184 mem_ctx = talloc_init("torture_bind_authcontext");
185
186 if (mem_ctx == NULL) {
187 torture_comment(torture, "talloc_init failed\n");
188 return false;
189 }
190
191 lpcfg_smbcli_options(torture->lp_ctx, &options);
192 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
193
194 status = smbcli_full_connection(mem_ctx, &cli,
195 torture_setting_string(torture, "host", NULL),
196 lpcfg_smb_ports(torture->lp_ctx),
197 "IPC$", NULL,
198 lpcfg_socket_options(torture->lp_ctx),
199 samba_cmdline_get_creds(),
200 lpcfg_resolve_context(torture->lp_ctx),
201 torture->ev, &options, &session_options,
202 lpcfg_gensec_settings(torture, torture->lp_ctx));
203 if (!NT_STATUS_IS_OK(status)) {
204 torture_comment(torture, "smbcli_full_connection failed: %s\n",
205 nt_errstr(status));
206 goto done;
207 }
208
209 status = pipe_bind_smb(torture, mem_ctx, cli->tree, "\\lsarpc",
210 &ndr_table_lsarpc, &lsa_pipe);
211 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
212 "pipe_bind_smb failed");
213 lsa_handle = lsa_pipe->binding_handle;
214
215 openpolicy.in.system_name =talloc_asprintf(
216 mem_ctx, "\\\\%s", dcerpc_server_name(lsa_pipe));
217 ZERO_STRUCT(objectattr);
218 openpolicy.in.attr = &objectattr;
219 openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
220 openpolicy.out.handle = &handle;
221
222 status = dcerpc_lsa_OpenPolicy2_r(lsa_handle, mem_ctx, &openpolicy);
223
224 if (!NT_STATUS_IS_OK(status)) {
225 torture_comment(torture, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
226 nt_errstr(status));
227 goto done;
228 }
229 if (!NT_STATUS_IS_OK(openpolicy.out.result)) {
230 torture_comment(torture, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
231 nt_errstr(openpolicy.out.result));
232 goto done;
233 }
234
235 close_handle.in.handle = &handle;
236 close_handle.out.handle = &handle;
237
238 status = dcerpc_lsa_Close_r(lsa_handle, mem_ctx, &close_handle);
239 if (!NT_STATUS_IS_OK(status)) {
240 torture_comment(torture, "dcerpc_lsa_Close failed: %s\n",
241 nt_errstr(status));
242 goto done;
243 }
244 if (!NT_STATUS_IS_OK(close_handle.out.result)) {
245 torture_comment(torture, "dcerpc_lsa_Close failed: %s\n",
246 nt_errstr(close_handle.out.result));
247 goto done;
248 }
249
250 session2 = smbcli_session_init(cli->transport, mem_ctx, false, session_options);
251 if (session2 == NULL) {
252 torture_comment(torture, "smbcli_session_init failed\n");
253 goto done;
254 }
255
256 if (!(anon_creds = cli_credentials_init_anon(mem_ctx))) {
257 torture_comment(torture, "create_anon_creds failed\n");
258 goto done;
259 }
260
261 setup.in.sesskey = cli->transport->negotiate.sesskey;
262 setup.in.capabilities = cli->transport->negotiate.capabilities;
263 setup.in.workgroup = "";
264 setup.in.credentials = anon_creds;
265 setup.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
266
267 status = smb_composite_sesssetup(session2, &setup);
268 if (!NT_STATUS_IS_OK(status)) {
269 torture_comment(torture, "anon session setup failed: %s\n",
270 nt_errstr(status));
271 goto done;
272 }
273 session2->vuid = setup.out.vuid;
274
275 tmp = cli->tree->session;
276 tmp_vuid = smb1cli_session_current_id(tmp->smbXcli);
277 smb1cli_session_set_id(tmp->smbXcli, session2->vuid);
278 cli->tree->session = session2;
279
280 status = dcerpc_lsa_OpenPolicy2_r(lsa_handle, mem_ctx, &openpolicy);
281
282 torture_assert(torture, smbXcli_conn_is_connected(cli->transport->conn),
283 "smb still connected");
284 torture_assert(torture, !dcerpc_binding_handle_is_connected(lsa_handle),
285 "dcerpc disconnected");
286
287 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
288 torture_comment(torture, "dcerpc_lsa_OpenPolicy2 with wrong vuid gave %s, "
289 "expected NT_STATUS_CONNECTION_DISCONNECTED\n",
290 nt_errstr(status));
291 status = NT_STATUS_CONNECTION_DISCONNECTED;
292 }
293 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR)) {
294 torture_comment(torture, "dcerpc_lsa_OpenPolicy2 with wrong vuid gave %s, "
295 "expected NT_STATUS_CONNECTION_DISCONNECTED\n",
296 nt_errstr(status));
297 status = NT_STATUS_CONNECTION_DISCONNECTED;
298 }
299
300 torture_assert_ntstatus_equal(torture, status, NT_STATUS_CONNECTION_DISCONNECTED,
301 "lsa connection disconnected");
302
303 smb1cli_session_set_id(tmp->smbXcli, tmp_vuid);
304 cli->tree->session = tmp;
305 talloc_free(lsa_pipe);
306 lsa_pipe = NULL;
307
308 ret = true;
309 done:
310 talloc_free(mem_ctx);
311 return ret;
312 }
313
314 /*
315 * Bind to lsa using a specific auth method
316 */
317
318 static bool bindtest(struct torture_context *tctx,
319 struct smbcli_state *cli,
320 struct cli_credentials *credentials,
321 uint8_t auth_type, uint8_t auth_level)
322 {
323 TALLOC_CTX *mem_ctx;
324 bool ret = false;
325 NTSTATUS status;
326
327 struct dcerpc_pipe *lsa_pipe;
328 struct dcerpc_binding_handle *lsa_handle;
329 struct lsa_ObjectAttribute objectattr;
330 struct lsa_OpenPolicy2 openpolicy;
331 struct lsa_QueryInfoPolicy query;
332 union lsa_PolicyInformation *info = NULL;
333 struct policy_handle handle;
334 struct lsa_Close close_handle;
335
336 if ((mem_ctx = talloc_init("bindtest")) == NULL) {
337 torture_comment(tctx, "talloc_init failed\n");
338 return false;
339 }
340
341 status = pipe_bind_smb_auth(tctx, mem_ctx, cli->tree,
342 credentials, auth_type, auth_level,
343 "\\lsarpc", &ndr_table_lsarpc, &lsa_pipe);
344 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
345 "pipe_bind_smb_auth failed");
346 lsa_handle = lsa_pipe->binding_handle;
347
348 openpolicy.in.system_name =talloc_asprintf(
349 mem_ctx, "\\\\%s", dcerpc_server_name(lsa_pipe));
350 ZERO_STRUCT(objectattr);
351 openpolicy.in.attr = &objectattr;
352 openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
353 openpolicy.out.handle = &handle;
354
355 status = dcerpc_lsa_OpenPolicy2_r(lsa_handle, mem_ctx, &openpolicy);
356
357 if (!NT_STATUS_IS_OK(status)) {
358 torture_comment(tctx, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
359 nt_errstr(status));
360 goto done;
361 }
362 if (!NT_STATUS_IS_OK(openpolicy.out.result)) {
363 torture_comment(tctx, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
364 nt_errstr(openpolicy.out.result));
365 goto done;
366 }
367
368 query.in.handle = &handle;
369 query.in.level = LSA_POLICY_INFO_DOMAIN;
370 query.out.info = &info;
371
372 status = dcerpc_lsa_QueryInfoPolicy_r(lsa_handle, mem_ctx, &query);
373 if (!NT_STATUS_IS_OK(status)) {
374 torture_comment(tctx, "dcerpc_lsa_QueryInfoPolicy failed: %s\n",
375 nt_errstr(status));
376 goto done;
377 }
378 if (!NT_STATUS_IS_OK(query.out.result)) {
379 torture_comment(tctx, "dcerpc_lsa_QueryInfoPolicy failed: %s\n",
380 nt_errstr(query.out.result));
381 goto done;
382 }
383
384 close_handle.in.handle = &handle;
385 close_handle.out.handle = &handle;
386
387 status = dcerpc_lsa_Close_r(lsa_handle, mem_ctx, &close_handle);
388 if (!NT_STATUS_IS_OK(status)) {
389 torture_comment(tctx, "dcerpc_lsa_Close failed: %s\n",
390 nt_errstr(status));
391 goto done;
392 }
393 if (!NT_STATUS_IS_OK(close_handle.out.result)) {
394 torture_comment(tctx, "dcerpc_lsa_Close failed: %s\n",
395 nt_errstr(close_handle.out.result));
396 goto done;
397 }
398
399
400 ret = true;
401 done:
402 talloc_free(mem_ctx);
403 return ret;
404 }
405
406 /*
407 * test authenticated RPC binds with the variants Samba3 does support
408 */
409
410 static bool torture_bind_samba3(struct torture_context *torture)
411 {
412 TALLOC_CTX *mem_ctx;
413 NTSTATUS status;
414 bool ret = false;
415 struct smbcli_state *cli;
416 struct smbcli_options options;
417 struct smbcli_session_options session_options;
418
419 mem_ctx = talloc_init("torture_bind_authcontext");
420
421 if (mem_ctx == NULL) {
422 torture_comment(torture, "talloc_init failed\n");
423 return false;
424 }
425
426 lpcfg_smbcli_options(torture->lp_ctx, &options);
427 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
428
429 status = smbcli_full_connection(mem_ctx, &cli,
430 torture_setting_string(torture, "host", NULL),
431 lpcfg_smb_ports(torture->lp_ctx),
432 "IPC$", NULL,
433 lpcfg_socket_options(torture->lp_ctx),
434 samba_cmdline_get_creds(),
435 lpcfg_resolve_context(torture->lp_ctx),
436 torture->ev, &options, &session_options,
437 lpcfg_gensec_settings(torture, torture->lp_ctx));
438 if (!NT_STATUS_IS_OK(status)) {
439 torture_comment(torture, "smbcli_full_connection failed: %s\n",
440 nt_errstr(status));
441 goto done;
442 }
443
444 ret = true;
445
446 ret &= bindtest(torture, cli, samba_cmdline_get_creds(),
447 DCERPC_AUTH_TYPE_NTLMSSP,
448 DCERPC_AUTH_LEVEL_INTEGRITY);
449 ret &= bindtest(torture, cli, samba_cmdline_get_creds(),
450 DCERPC_AUTH_TYPE_NTLMSSP,
451 DCERPC_AUTH_LEVEL_PRIVACY);
452 ret &= bindtest(torture, cli, samba_cmdline_get_creds(),
453 DCERPC_AUTH_TYPE_SPNEGO,
454 DCERPC_AUTH_LEVEL_INTEGRITY);
455 ret &= bindtest(torture, cli, samba_cmdline_get_creds(),
456 DCERPC_AUTH_TYPE_SPNEGO,
457 DCERPC_AUTH_LEVEL_PRIVACY);
458
459 done:
460 talloc_free(mem_ctx);
461 return ret;
462 }
463
464 /*
465 * Lookup or create a user and return all necessary info
466 */
467
468 static bool get_usr_handle(struct torture_context *tctx,
469 struct smbcli_state *cli,
470 TALLOC_CTX *mem_ctx,
471 struct cli_credentials *admin_creds,
472 uint8_t auth_type,
473 uint8_t auth_level,
474 const char *username,
475 char **domain,
476 struct dcerpc_pipe **result_pipe,
477 struct policy_handle **result_handle,
478 struct dom_sid **sid_p)
479 {
480 struct dcerpc_pipe *samr_pipe;
481 struct dcerpc_binding_handle *samr_handle;
482 NTSTATUS status;
483 struct policy_handle conn_handle;
484 struct policy_handle domain_handle;
485 struct policy_handle *user_handle;
486 struct samr_Connect2 conn;
487 struct samr_EnumDomains enumdom;
488 uint32_t resume_handle = 0;
489 uint32_t num_entries = 0;
490 struct samr_SamArray *sam = NULL;
491 struct samr_LookupDomain l;
492 struct dom_sid2 *sid = NULL;
493 int dom_idx;
494 struct lsa_String domain_name;
495 struct lsa_String user_name;
496 struct samr_OpenDomain o;
497 struct samr_CreateUser2 c;
498 uint32_t user_rid,access_granted;
499
500 if (admin_creds != NULL) {
501 status = pipe_bind_smb_auth(tctx, mem_ctx, cli->tree,
502 admin_creds, auth_type, auth_level,
503 "\\samr", &ndr_table_samr, &samr_pipe);
504 torture_assert_ntstatus_ok(tctx, status, "pipe_bind_smb_auth failed");
505 } else {
506 /* We must have an authenticated SMB connection */
507 status = pipe_bind_smb(tctx, mem_ctx, cli->tree,
508 "\\samr", &ndr_table_samr, &samr_pipe);
509 torture_assert_ntstatus_ok(tctx, status, "pipe_bind_smb_auth failed");
510 }
511 #if 0
512 samr_pipe->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
513 #endif
514 samr_handle = samr_pipe->binding_handle;
515
516 conn.in.system_name = talloc_asprintf(
517 mem_ctx, "\\\\%s", dcerpc_server_name(samr_pipe));
518 conn.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
519 conn.out.connect_handle = &conn_handle;
520
521 torture_assert_ntstatus_ok(tctx,
522 dcerpc_samr_Connect2_r(samr_handle, mem_ctx, &conn),
523 "samr_Connect2 failed");
524 torture_assert_ntstatus_ok(tctx, conn.out.result,
525 "samr_Connect2 failed");
526
527 enumdom.in.connect_handle = &conn_handle;
528 enumdom.in.resume_handle = &resume_handle;
529 enumdom.in.buf_size = (uint32_t)-1;
530 enumdom.out.resume_handle = &resume_handle;
531 enumdom.out.num_entries = &num_entries;
532 enumdom.out.sam = &sam;
533
534 torture_assert_ntstatus_ok(tctx,
535 dcerpc_samr_EnumDomains_r(samr_handle, mem_ctx, &enumdom),
536 "samr_EnumDomains failed");
537 torture_assert_ntstatus_ok(tctx, enumdom.out.result,
538 "samr_EnumDomains failed");
539
540 torture_assert_int_equal(tctx, *enumdom.out.num_entries, 2,
541 "samr_EnumDomains returned unexpected num_entries");
542
543 dom_idx = strequal(sam->entries[0].name.string,
544 "builtin") ? 1:0;
545
546 l.in.connect_handle = &conn_handle;
547 domain_name.string = sam->entries[dom_idx].name.string;
548 *domain = talloc_strdup(mem_ctx, domain_name.string);
549 l.in.domain_name = &domain_name;
550 l.out.sid = &sid;
551
552 torture_assert_ntstatus_ok(tctx,
553 dcerpc_samr_LookupDomain_r(samr_handle, mem_ctx, &l),
554 "samr_LookupDomain failed");
555 torture_assert_ntstatus_ok(tctx, l.out.result,
556 "samr_LookupDomain failed");
557
558 o.in.connect_handle = &conn_handle;
559 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
560 o.in.sid = *l.out.sid;
561 o.out.domain_handle = &domain_handle;
562
563 torture_assert_ntstatus_ok(tctx,
564 dcerpc_samr_OpenDomain_r(samr_handle, mem_ctx, &o),
565 "samr_OpenDomain failed");
566 torture_assert_ntstatus_ok(tctx, o.out.result,
567 "samr_OpenDomain failed");
568
569 c.in.domain_handle = &domain_handle;
570 user_name.string = username;
571 c.in.account_name = &user_name;
572 c.in.acct_flags = ACB_NORMAL;
573 c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
574 user_handle = talloc(mem_ctx, struct policy_handle);
575 c.out.user_handle = user_handle;
576 c.out.access_granted = &access_granted;
577 c.out.rid = &user_rid;
578
579 torture_assert_ntstatus_ok(tctx,
580 dcerpc_samr_CreateUser2_r(samr_handle, mem_ctx, &c),
581 "samr_CreateUser2 failed");
582
583 if (NT_STATUS_EQUAL(c.out.result, NT_STATUS_USER_EXISTS)) {
584 struct samr_LookupNames ln;
585 struct samr_OpenUser ou;
586 struct samr_Ids rids, types;
587
588 ln.in.domain_handle = &domain_handle;
589 ln.in.num_names = 1;
590 ln.in.names = &user_name;
591 ln.out.rids = &rids;
592 ln.out.types = &types;
593
594 torture_assert_ntstatus_ok(tctx,
595 dcerpc_samr_LookupNames_r(samr_handle, mem_ctx, &ln),
596 "samr_LookupNames failed");
597 torture_assert_ntstatus_ok(tctx, ln.out.result,
598 "samr_LookupNames failed");
599
600 ou.in.domain_handle = &domain_handle;
601 ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
602 user_rid = ou.in.rid = ln.out.rids->ids[0];
603 ou.out.user_handle = user_handle;
604
605 torture_assert_ntstatus_ok(tctx,
606 dcerpc_samr_OpenUser_r(samr_handle, mem_ctx, &ou),
607 "samr_OpenUser failed");
608 status = ou.out.result;
609 } else {
610 status = c.out.result;
611 }
612
613 torture_assert_ntstatus_ok(tctx, status,
614 "samr_CreateUser failed");
615
616 *result_pipe = samr_pipe;
617 *result_handle = user_handle;
618 if (sid_p != NULL) {
619 *sid_p = dom_sid_add_rid(mem_ctx, *l.out.sid, user_rid);
620 }
621 return true;
622
623 }
624
625 /*
626 * Create a test user
627 */
628
629 static bool create_user(struct torture_context *tctx,
630 TALLOC_CTX *mem_ctx, struct smbcli_state *cli,
631 struct cli_credentials *admin_creds,
632 const char *username, const char *password,
633 char **domain_name,
634 struct dom_sid **user_sid)
635 {
636 TALLOC_CTX *tmp_ctx;
637 NTSTATUS status;
638 struct dcerpc_pipe *samr_pipe;
639 struct dcerpc_binding_handle *samr_handle;
640 struct policy_handle *wks_handle;
641 bool ret = false;
642
643 if (!(tmp_ctx = talloc_new(mem_ctx))) {
644 torture_comment(tctx, "talloc_init failed\n");
645 return false;
646 }
647
648 ret = get_usr_handle(tctx, cli, tmp_ctx, admin_creds,
649 DCERPC_AUTH_TYPE_NTLMSSP,
650 DCERPC_AUTH_LEVEL_INTEGRITY,
651 username, domain_name, &samr_pipe, &wks_handle,
652 user_sid);
653 if (ret == false) {
654 torture_comment(tctx, "get_usr_handle failed\n");
655 goto done;
656 }
657 samr_handle = samr_pipe->binding_handle;
658
659 {
660 struct samr_SetUserInfo2 sui2;
661 struct samr_SetUserInfo sui;
662 struct samr_QueryUserInfo qui;
663 union samr_UserInfo u_info;
664 union samr_UserInfo *info;
665 DATA_BLOB session_key;
666
667 ZERO_STRUCT(u_info);
668 encode_pw_buffer(u_info.info23.password.data, password,
669 STR_UNICODE);
670
671 status = dcerpc_binding_handle_transport_session_key(samr_handle,
672 tctx,
673 &session_key);
674 if (!NT_STATUS_IS_OK(status)) {
675 torture_comment(tctx, "transport_session_key failed\n");
676 goto done;
677 }
678
679 status = init_samr_CryptPassword(password,
680 &session_key,
681 &u_info.info23.password);
682 if (!NT_STATUS_IS_OK(status)) {
683 torture_comment(tctx, "init_samr_CryptPassword failed\n");
684 goto done;
685 }
686
687 u_info.info23.info.password_expired = 0;
688 u_info.info23.info.fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT |
689 SAMR_FIELD_LM_PASSWORD_PRESENT |
690 SAMR_FIELD_EXPIRED_FLAG;
691 sui2.in.user_handle = wks_handle;
692 sui2.in.info = &u_info;
693 sui2.in.level = 23;
694
695 status = dcerpc_samr_SetUserInfo2_r(samr_handle, tmp_ctx, &sui2);
696 if (!NT_STATUS_IS_OK(status)) {
697 torture_comment(tctx, "samr_SetUserInfo(23) failed: %s\n",
698 nt_errstr(status));
699 goto done;
700 }
701 if (!NT_STATUS_IS_OK(sui2.out.result)) {
702 torture_comment(tctx, "samr_SetUserInfo(23) failed: %s\n",
703 nt_errstr(sui2.out.result));
704 goto done;
705 }
706
707 u_info.info16.acct_flags = ACB_NORMAL;
708 sui.in.user_handle = wks_handle;
709 sui.in.info = &u_info;
710 sui.in.level = 16;
711
712 status = dcerpc_samr_SetUserInfo_r(samr_handle, tmp_ctx, &sui);
713 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(sui.out.result)) {
714 torture_comment(tctx, "samr_SetUserInfo(16) failed\n");
715 goto done;
716 }
717
718 qui.in.user_handle = wks_handle;
719 qui.in.level = 21;
720 qui.out.info = &info;
721
722 status = dcerpc_samr_QueryUserInfo_r(samr_handle, tmp_ctx, &qui);
723 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(qui.out.result)) {
724 torture_comment(tctx, "samr_QueryUserInfo(21) failed\n");
725 goto done;
726 }
727
728 info->info21.allow_password_change = 0;
729 info->info21.force_password_change = 0;
730 info->info21.account_name.string = NULL;
731 info->info21.rid = 0;
732 info->info21.acct_expiry = 0;
733 info->info21.fields_present = 0x81827fa; /* copy usrmgr.exe */
734
735 u_info.info21 = info->info21;
736 sui.in.user_handle = wks_handle;
737 sui.in.info = &u_info;
738 sui.in.level = 21;
739
740 status = dcerpc_samr_SetUserInfo_r(samr_handle, tmp_ctx, &sui);
741 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(sui.out.result)) {
742 torture_comment(tctx, "samr_SetUserInfo(21) failed\n");
743 goto done;
744 }
745 }
746
747 *domain_name= talloc_steal(mem_ctx, *domain_name);
748 *user_sid = talloc_steal(mem_ctx, *user_sid);
749 ret = true;
750 done:
751 talloc_free(tmp_ctx);
752 return ret;
753 }
754
755 /*
756 * Delete a test user
757 */
758
759 static bool delete_user(struct torture_context *tctx,
760 struct smbcli_state *cli,
761 struct cli_credentials *admin_creds,
762 const char *username)
763 {
764 TALLOC_CTX *mem_ctx;
765 NTSTATUS status;
766 char *dom_name;
767 struct dcerpc_pipe *samr_pipe;
768 struct dcerpc_binding_handle *samr_handle;
769 struct policy_handle *user_handle;
770 bool ret = false;
771
772 if ((mem_ctx = talloc_init("leave")) == NULL) {
773 torture_comment(tctx, "talloc_init failed\n");
774 return false;
775 }
776
777 ret = get_usr_handle(tctx, cli, mem_ctx, admin_creds,
778 DCERPC_AUTH_TYPE_NTLMSSP,
779 DCERPC_AUTH_LEVEL_INTEGRITY,
780 username, &dom_name, &samr_pipe,
781 &user_handle, NULL);
782 if (ret == false) {
783 torture_comment(tctx, "get_wks_handle failed\n");
784 goto done;
785 }
786 samr_handle = samr_pipe->binding_handle;
787
788 {
789 struct samr_DeleteUser d;
790
791 d.in.user_handle = user_handle;
792 d.out.user_handle = user_handle;
793
794 status = dcerpc_samr_DeleteUser_r(samr_handle, mem_ctx, &d);
795 if (!NT_STATUS_IS_OK(status)) {
796 torture_comment(tctx, "samr_DeleteUser failed %s\n", nt_errstr(status));
797 goto done;
798 }
799 if (!NT_STATUS_IS_OK(d.out.result)) {
800 torture_comment(tctx, "samr_DeleteUser failed %s\n", nt_errstr(d.out.result));
801 goto done;
802 }
803
804 }
805
806 ret = true;
807
808 done:
809 talloc_free(mem_ctx);
810 return ret;
811 }
812
813 /*
814 * Do a Samba3-style join
815 */
816
817 static bool join3(struct torture_context *tctx,
818 struct smbcli_state *cli,
819 bool use_level25,
820 struct cli_credentials *admin_creds,
821 struct cli_credentials *wks_creds)
822 {
823 TALLOC_CTX *mem_ctx;
824 NTSTATUS status;
825 char *dom_name;
826 struct dcerpc_pipe *samr_pipe;
827 struct dcerpc_binding_handle *samr_handle;
828 struct policy_handle *wks_handle;
829 bool ret = false;
830 NTTIME last_password_change;
831
832 if ((mem_ctx = talloc_init("join3")) == NULL) {
833 torture_comment(tctx, "talloc_init failed\n");
834 return false;
835 }
836
837 ret = get_usr_handle(
838 tctx, cli, mem_ctx, admin_creds,
839 DCERPC_AUTH_TYPE_NTLMSSP,
840 DCERPC_AUTH_LEVEL_PRIVACY,
841 talloc_asprintf(mem_ctx, "%s$",
842 cli_credentials_get_workstation(wks_creds)),
843 &dom_name, &samr_pipe, &wks_handle, NULL);
844 if (ret == false) {
845 torture_comment(tctx, "get_wks_handle failed\n");
846 goto done;
847 }
848 samr_handle = samr_pipe->binding_handle;
849 ret = false;
850 {
851 struct samr_QueryUserInfo q;
852 union samr_UserInfo *info;
853
854 q.in.user_handle = wks_handle;
855 q.in.level = 21;
856 q.out.info = &info;
857
858 status = dcerpc_samr_QueryUserInfo_r(samr_handle, mem_ctx, &q);
859 if (!NT_STATUS_IS_OK(status)) {
860 torture_warning(tctx, "QueryUserInfo failed: %s\n",
861 nt_errstr(status));
862 goto done;
863 }
864 if (!NT_STATUS_IS_OK(q.out.result)) {
865 torture_warning(tctx, "QueryUserInfo failed: %s\n",
866 nt_errstr(q.out.result));
867 goto done;
868 }
869
870
871 last_password_change = info->info21.last_password_change;
872 }
873
874 cli_credentials_set_domain(wks_creds, dom_name, CRED_SPECIFIED);
875
876 if (use_level25) {
877 struct samr_SetUserInfo2 sui2;
878 union samr_UserInfo u_info;
879 struct samr_UserInfo21 *i21 = &u_info.info25.info;
880 DATA_BLOB session_key;
881
882 ZERO_STRUCT(u_info);
883
884 i21->full_name.string = talloc_asprintf(
885 mem_ctx, "%s$",
886 cli_credentials_get_workstation(wks_creds));
887 i21->acct_flags = ACB_WSTRUST;
888 i21->fields_present = SAMR_FIELD_FULL_NAME |
889 SAMR_FIELD_ACCT_FLAGS | SAMR_FIELD_NT_PASSWORD_PRESENT;
890 /* this would break the test result expectations
891 i21->fields_present |= SAMR_FIELD_EXPIRED_FLAG;
892 i21->password_expired = 1;
893 */
894
895 status = dcerpc_binding_handle_transport_session_key(samr_handle,
896 tctx,
897 &session_key);
898 if (!NT_STATUS_IS_OK(status)) {
899 torture_comment(tctx, "transport_session_key failed: %s\n",
900 nt_errstr(status));
901 goto done;
902 }
903
904 status = init_samr_CryptPasswordEx(cli_credentials_get_password(wks_creds),
905 &session_key,
906 &u_info.info25.password);
907
908 sui2.in.user_handle = wks_handle;
909 sui2.in.level = 25;
910 sui2.in.info = &u_info;
911
912 status = dcerpc_samr_SetUserInfo2_r(samr_handle, mem_ctx, &sui2);
913 if (!NT_STATUS_IS_OK(status)) {
914 torture_comment(tctx, "samr_SetUserInfo2(25) failed: %s\n",
915 nt_errstr(status));
916 goto done;
917 }
918 if (!NT_STATUS_IS_OK(sui2.out.result)) {
919 torture_comment(tctx, "samr_SetUserInfo2(25) failed: %s\n",
920 nt_errstr(sui2.out.result));
921 goto done;
922 }
923 } else {
924 struct samr_SetUserInfo2 sui2;
925 struct samr_SetUserInfo sui;
926 union samr_UserInfo u_info;
927 DATA_BLOB session_key;
928
929 encode_pw_buffer(u_info.info24.password.data,
930 cli_credentials_get_password(wks_creds),
931 STR_UNICODE);
932 /* just to make this test pass */
933 u_info.info24.password_expired = 1;
934
935 status = dcerpc_binding_handle_transport_session_key(samr_handle,
936 tctx,
937 &session_key);
938 if (!NT_STATUS_IS_OK(status)) {
939 torture_comment(tctx, "transport_session_key failed\n");
940 goto done;
941 }
942
943 status = init_samr_CryptPassword(cli_credentials_get_password(wks_creds),
944 &session_key,
945 &u_info.info24.password);
946
947 sui2.in.user_handle = wks_handle;
948 sui2.in.info = &u_info;
949 sui2.in.level = 24;
950
951 status = dcerpc_samr_SetUserInfo2_r(samr_handle, mem_ctx, &sui2);
952 if (!NT_STATUS_IS_OK(status)) {
953 torture_comment(tctx, "samr_SetUserInfo(24) failed: %s\n",
954 nt_errstr(status));
955 goto done;
956 }
957 if (!NT_STATUS_IS_OK(sui2.out.result)) {
958 torture_comment(tctx, "samr_SetUserInfo(24) failed: %s\n",
959 nt_errstr(sui2.out.result));
960 goto done;
961 }
962
963 u_info.info16.acct_flags = ACB_WSTRUST;
964 sui.in.user_handle = wks_handle;
965 sui.in.info = &u_info;
966 sui.in.level = 16;
967
968 status = dcerpc_samr_SetUserInfo_r(samr_handle, mem_ctx, &sui);
969 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(sui.out.result)) {
970 torture_comment(tctx, "samr_SetUserInfo(16) failed\n");
971 goto done;
972 }
973 }
974
975 {
976 struct samr_QueryUserInfo q;
977 union samr_UserInfo *info;
978
979 q.in.user_handle = wks_handle;
980 q.in.level = 21;
981 q.out.info = &info;
982
983 status = dcerpc_samr_QueryUserInfo_r(samr_handle, mem_ctx, &q);
984 if (!NT_STATUS_IS_OK(status)) {
985 torture_warning(tctx, "QueryUserInfo failed: %s\n",
986 nt_errstr(status));
987 goto done;
988 }
989 if (!NT_STATUS_IS_OK(q.out.result)) {
990 torture_warning(tctx, "QueryUserInfo failed: %s\n",
991 nt_errstr(q.out.result));
992 goto done;
993 }
994
995 if (use_level25) {
996 if (last_password_change
997 == info->info21.last_password_change) {
998 torture_warning(tctx, "last_password_change unchanged "
999 "during join, level25 must change "
1000 "it\n");
1001 goto done;
1002 }
1003 }
1004 else {
1005 if (last_password_change
1006 != info->info21.last_password_change) {
1007 torture_warning(tctx, "last_password_change changed "
1008 "during join, level24 doesn't "
1009 "change it\n");
1010 goto done;
1011 }
1012 }
1013 }
1014
1015 ret = true;
1016
1017 done:
1018 talloc_free(mem_ctx);
1019 return ret;
1020 }
1021
1022 /*
1023 * Do a ReqChallenge/Auth2 and get the wks creds
1024 */
1025
1026 static bool auth2(struct torture_context *tctx,
1027 struct smbcli_state *cli,
1028 struct cli_credentials *wks_cred)
1029 {
1030 TALLOC_CTX *mem_ctx;
1031 struct dcerpc_pipe *net_pipe;
1032 struct dcerpc_binding_handle *net_handle;
1033 bool result = false;
1034 NTSTATUS status;
1035 struct netr_ServerReqChallenge r;
1036 struct netr_Credential netr_cli_creds;
1037 struct netr_Credential netr_srv_creds;
1038 uint32_t negotiate_flags;
1039 struct netr_ServerAuthenticate2 a;
1040 struct netlogon_creds_CredentialState *creds_state;
1041 struct netr_Credential netr_cred;
1042 struct samr_Password mach_pw;
1043
1044 mem_ctx = talloc_new(NULL);
1045 if (mem_ctx == NULL) {
1046 torture_comment(tctx, "talloc_new failed\n");
1047 return false;
1048 }
1049
1050 status = pipe_bind_smb(tctx, mem_ctx, cli->tree, "\\netlogon",
1051 &ndr_table_netlogon, &net_pipe);
1052 torture_assert_ntstatus_ok_goto(tctx, status, result, done,
1053 "pipe_bind_smb failed");
1054 net_handle = net_pipe->binding_handle;
1055
1056 r.in.computer_name = cli_credentials_get_workstation(wks_cred);
1057 r.in.server_name = talloc_asprintf(
1058 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1059 if (r.in.server_name == NULL) {
1060 torture_comment(tctx, "talloc_asprintf failed\n");
1061 goto done;
1062 }
1063 generate_random_buffer(netr_cli_creds.data,
1064 sizeof(netr_cli_creds.data));
1065 r.in.credentials = &netr_cli_creds;
1066 r.out.return_credentials = &netr_srv_creds;
1067
1068 status = dcerpc_netr_ServerReqChallenge_r(net_handle, mem_ctx, &r);
1069 if (!NT_STATUS_IS_OK(status)) {
1070 torture_comment(tctx, "netr_ServerReqChallenge failed: %s\n",
1071 nt_errstr(status));
1072 goto done;
1073 }
1074 if (!NT_STATUS_IS_OK(r.out.result)) {
1075 torture_comment(tctx, "netr_ServerReqChallenge failed: %s\n",
1076 nt_errstr(r.out.result));
1077 goto done;
1078 }
1079
1080 negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
1081 E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
1082
1083 a.in.server_name = talloc_asprintf(
1084 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1085 a.in.account_name = talloc_asprintf(
1086 mem_ctx, "%s$", cli_credentials_get_workstation(wks_cred));
1087 a.in.computer_name = cli_credentials_get_workstation(wks_cred);
1088 a.in.secure_channel_type = SEC_CHAN_WKSTA;
1089 a.in.negotiate_flags = &negotiate_flags;
1090 a.out.negotiate_flags = &negotiate_flags;
1091 a.in.credentials = &netr_cred;
1092 a.out.return_credentials = &netr_cred;
1093
1094 creds_state = netlogon_creds_client_init(mem_ctx,
1095 a.in.account_name,
1096 a.in.computer_name,
1097 a.in.secure_channel_type,
1098 r.in.credentials,
1099 r.out.return_credentials, &mach_pw,
1100 &netr_cred,
1101 negotiate_flags,
1102 negotiate_flags);
1103 torture_assert(tctx, (creds_state != NULL), "memory allocation failed");
1104
1105 status = dcerpc_netr_ServerAuthenticate2_r(net_handle, mem_ctx, &a);
1106 if (!NT_STATUS_IS_OK(status)) {
1107 torture_comment(tctx, "netr_ServerServerAuthenticate2 failed: %s\n",
1108 nt_errstr(status));
1109 goto done;
1110 }
1111 if (!NT_STATUS_IS_OK(a.out.result)) {
1112 torture_comment(tctx, "netr_ServerServerAuthenticate2 failed: %s\n",
1113 nt_errstr(a.out.result));
1114 goto done;
1115 }
1116
1117 if (!netlogon_creds_client_check(creds_state, a.out.return_credentials)) {
1118 torture_comment(tctx, "creds_client_check failed\n");
1119 goto done;
1120 }
1121
1122 cli_credentials_set_netlogon_creds(wks_cred, creds_state);
1123
1124 result = true;
1125
1126 done:
1127 talloc_free(mem_ctx);
1128 return result;
1129 }
1130
1131 /*
1132 * Do a couple of schannel protected Netlogon ops: Interactive and Network
1133 * login, and change the wks password
1134 */
1135
1136 static bool schan(struct torture_context *tctx,
1137 struct smbcli_state *cli,
1138 struct cli_credentials *wks_creds,
1139 struct cli_credentials *user_creds)
1140 {
1141 TALLOC_CTX *mem_ctx;
1142 NTSTATUS status;
1143 bool ret = false;
1144 struct dcerpc_pipe *net_pipe;
1145 struct dcerpc_binding_handle *net_handle;
1146 int i;
1147
1148 mem_ctx = talloc_new(NULL);
1149 if (mem_ctx == NULL) {
1150 torture_comment(tctx, "talloc_new failed\n");
1151 return false;
1152 }
1153
1154 #if 1
1155 status = pipe_bind_smb_auth(tctx, mem_ctx, cli->tree,
1156 wks_creds,
1157 DCERPC_AUTH_TYPE_SCHANNEL,
1158 DCERPC_AUTH_LEVEL_PRIVACY,
1159 "\\netlogon", &ndr_table_netlogon, &net_pipe);
1160 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1161 "pipe_bind_smb_auth failed");
1162 #else
1163 status = pipe_bind_smb(tctx, mem_ctx, cli->tree,
1164 "\\netlogon", &ndr_table_netlogon, &net_pipe);
1165 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1166 "pipe_bind_smb failed");
1167 #endif
1168 #if 0
1169 net_pipe->conn->flags |= DCERPC_DEBUG_PRINT_IN |
1170 DCERPC_DEBUG_PRINT_OUT;
1171 #endif
1172 net_handle = net_pipe->binding_handle;
1173
1174
1175 for (i=2; i<4; i++) {
1176 int flags;
1177 DATA_BLOB chal, nt_resp, lm_resp, names_blob;
1178 struct netlogon_creds_CredentialState *creds_state;
1179 struct netr_Authenticator netr_auth, netr_auth2;
1180 struct netr_NetworkInfo ninfo;
1181 struct netr_PasswordInfo pinfo;
1182 struct netr_LogonSamLogon r;
1183 union netr_LogonLevel logon;
1184 union netr_Validation validation;
1185 uint8_t authoritative;
1186 struct netr_Authenticator return_authenticator;
1187
1188 flags = CLI_CRED_LANMAN_AUTH | CLI_CRED_NTLM_AUTH |
1189 CLI_CRED_NTLMv2_AUTH;
1190
1191 chal = data_blob_talloc(mem_ctx, NULL, 8);
1192 if (chal.data == NULL) {
1193 torture_comment(tctx, "data_blob_talloc failed\n");
1194 goto done;
1195 }
1196
1197 generate_random_buffer(chal.data, chal.length);
1198 names_blob = NTLMv2_generate_names_blob(
1199 mem_ctx,
1200 cli_credentials_get_workstation(wks_creds),
1201 cli_credentials_get_domain(wks_creds));
1202 status = cli_credentials_get_ntlm_response(
1203 user_creds, mem_ctx, &flags, chal, NULL, names_blob,
1204 &lm_resp, &nt_resp, NULL, NULL);
1205 if (!NT_STATUS_IS_OK(status)) {
1206 torture_comment(tctx, "cli_credentials_get_ntlm_response failed:"
1207 " %s\n", nt_errstr(status));
1208 goto done;
1209 }
1210
1211 creds_state = cli_credentials_get_netlogon_creds(wks_creds);
1212 netlogon_creds_client_authenticator(creds_state, &netr_auth);
1213
1214 ninfo.identity_info.account_name.string =
1215 cli_credentials_get_username(user_creds);
1216 ninfo.identity_info.domain_name.string =
1217 cli_credentials_get_domain(user_creds);
1218 ninfo.identity_info.parameter_control = 0;
1219 ninfo.identity_info.logon_id = 0;
1220 ninfo.identity_info.workstation.string =
1221 cli_credentials_get_workstation(user_creds);
1222 memcpy(ninfo.challenge, chal.data, sizeof(ninfo.challenge));
1223 ninfo.nt.length = nt_resp.length;
1224 ninfo.nt.data = nt_resp.data;
1225 ninfo.lm.length = lm_resp.length;
1226 ninfo.lm.data = lm_resp.data;
1227
1228 logon.network = &ninfo;
1229
1230 r.in.server_name = talloc_asprintf(
1231 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1232 ZERO_STRUCT(netr_auth2);
1233 r.in.computer_name =
1234 cli_credentials_get_workstation(wks_creds);
1235 r.in.credential = &netr_auth;
1236 r.in.return_authenticator = &netr_auth2;
1237 r.in.logon_level = NetlogonNetworkInformation;
1238 r.in.validation_level = i;
1239 r.in.logon = &logon;
1240 r.out.validation = &validation;
1241 r.out.authoritative = &authoritative;
1242 r.out.return_authenticator = &return_authenticator;
1243
1244 status = dcerpc_netr_LogonSamLogon_r(net_handle, mem_ctx, &r);
1245 if (!NT_STATUS_IS_OK(status)) {
1246 torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1247 nt_errstr(status));
1248 goto done;
1249 }
1250 if (!NT_STATUS_IS_OK(r.out.result)) {
1251 torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1252 nt_errstr(r.out.result));
1253 goto done;
1254 }
1255
1256 if ((r.out.return_authenticator == NULL) ||
1257 (!netlogon_creds_client_check(creds_state,
1258 &r.out.return_authenticator->cred))) {
1259 torture_comment(tctx, "Credentials check failed!\n");
1260 goto done;
1261 }
1262
1263 netlogon_creds_client_authenticator(creds_state, &netr_auth);
1264
1265 pinfo.identity_info = ninfo.identity_info;
1266 ZERO_STRUCT(pinfo.lmpassword.hash);
1267 E_md4hash(cli_credentials_get_password(user_creds),
1268 pinfo.ntpassword.hash);
1269
1270 logon.password = &pinfo;
1271
1272 /*
1273 * We don't use this here:
1274 *
1275 * netlogon_creds_encrypt_samlogon_logon(creds_state,
1276 * NetlogonInteractiveInformation,
1277 * &logon);
1278 *
1279 * in order to detect bugs
1280 */
1281 #undef netlogon_creds_aes_encrypt
1282 netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16);
1283 #define netlogon_creds_aes_encrypt __DO_NOT_USE_netlogon_creds_aes_encrypt
1284
1285 r.in.logon_level = NetlogonInteractiveInformation;
1286 r.in.logon = &logon;
1287 r.out.return_authenticator = &return_authenticator;
1288
1289 status = dcerpc_netr_LogonSamLogon_r(net_handle, mem_ctx, &r);
1290 if (!NT_STATUS_IS_OK(status)) {
1291 torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1292 nt_errstr(status));
1293 goto done;
1294 }
1295 if (!NT_STATUS_IS_OK(r.out.result)) {
1296 torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1297 nt_errstr(r.out.result));
1298 goto done;
1299 }
1300
1301 if ((r.out.return_authenticator == NULL) ||
1302 (!netlogon_creds_client_check(creds_state,
1303 &r.out.return_authenticator->cred))) {
1304 torture_comment(tctx, "Credentials check failed!\n");
1305 goto done;
1306 }
1307 }
1308
1309 {
1310 struct netr_ServerPasswordSet s;
1311 char *password = generate_random_password(wks_creds, 8, 255);
1312 struct netlogon_creds_CredentialState *creds_state;
1313 struct netr_Authenticator credential, return_authenticator;
1314 struct samr_Password new_password;
1315 enum dcerpc_AuthType auth_type;
1316 enum dcerpc_AuthLevel auth_level;
1317
1318 s.in.server_name = talloc_asprintf(
1319 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1320 s.in.computer_name = cli_credentials_get_workstation(wks_creds);
1321 s.in.account_name = talloc_asprintf(
1322 mem_ctx, "%s$", s.in.computer_name);
1323 s.in.secure_channel_type = SEC_CHAN_WKSTA;
1324 s.in.credential = &credential;
1325 s.in.new_password = &new_password;
1326 s.out.return_authenticator = &return_authenticator;
1327
1328 E_md4hash(password, new_password.hash);
1329
1330 creds_state = cli_credentials_get_netlogon_creds(wks_creds);
1331 dcerpc_binding_handle_auth_info(net_handle,
1332 &auth_type,
1333 &auth_level);
1334 status = netlogon_creds_encrypt_samr_Password(creds_state,
1335 &new_password,
1336 auth_type,
1337 auth_level);
1338 torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_Password");
1339 netlogon_creds_client_authenticator(creds_state, &credential);
1340
1341 status = dcerpc_netr_ServerPasswordSet_r(net_handle, mem_ctx, &s);
1342 if (!NT_STATUS_IS_OK(status)) {
1343 torture_comment(tctx, "ServerPasswordSet - %s\n", nt_errstr(status));
1344 goto done;
1345 }
1346 if (!NT_STATUS_IS_OK(s.out.result)) {
1347 torture_comment(tctx, "ServerPasswordSet - %s\n", nt_errstr(s.out.result));
1348 goto done;
1349 }
1350
1351 if (!netlogon_creds_client_check(creds_state,
1352 &s.out.return_authenticator->cred)) {
1353 torture_comment(tctx, "Credential chaining failed\n");
1354 }
1355
1356 cli_credentials_set_password(wks_creds, password,
1357 CRED_SPECIFIED);
1358 }
1359
1360 ret = true;
1361 done:
1362 talloc_free(mem_ctx);
1363 return ret;
1364 }
1365
1366 /*
1367 * Delete the wks account again
1368 */
1369
1370 static bool leave(struct torture_context *tctx,
1371 struct smbcli_state *cli,
1372 struct cli_credentials *admin_creds,
1373 struct cli_credentials *wks_creds)
1374 {
1375 char *wks_name = talloc_asprintf(
1376 NULL, "%s$", cli_credentials_get_workstation(wks_creds));
1377 bool ret;
1378
1379 ret = delete_user(tctx, cli, admin_creds, wks_name);
1380 talloc_free(wks_name);
1381 return ret;
1382 }
1383
1384 /*
1385 * Test the Samba3 DC code a bit. Join, do some schan netlogon ops, leave
1386 */
1387
1388 static bool torture_netlogon_samba3(struct torture_context *torture)
1389 {
1390 NTSTATUS status;
1391 struct smbcli_state *cli;
1392 struct cli_credentials *wks_creds;
1393 const char *wks_name;
1394 int i;
1395 struct smbcli_options options;
1396 struct smbcli_session_options session_options;
1397
1398 wks_name = torture_setting_string(torture, "wksname", NULL);
1399 torture_assert(torture, wks_name != NULL, "wksname not set");
1400
1401 lpcfg_smbcli_options(torture->lp_ctx, &options);
1402 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
1403
1404 status = smbcli_full_connection(torture, &cli,
1405 torture_setting_string(torture, "host", NULL),
1406 lpcfg_smb_ports(torture->lp_ctx),
1407 "IPC$", NULL,
1408 lpcfg_socket_options(torture->lp_ctx),
1409 samba_cmdline_get_creds(),
1410 lpcfg_resolve_context(torture->lp_ctx),
1411 torture->ev, &options, &session_options,
1412 lpcfg_gensec_settings(torture, torture->lp_ctx));
1413 torture_assert_ntstatus_ok(torture, status, "smbcli_full_connection failed\n");
1414
1415 wks_creds = cli_credentials_init(torture);
1416 if (wks_creds == NULL) {
1417 torture_fail(torture, "cli_credentials_init failed\n");
1418 }
1419
1420 cli_credentials_set_conf(wks_creds, torture->lp_ctx);
1421 cli_credentials_set_secure_channel_type(wks_creds, SEC_CHAN_WKSTA);
1422 cli_credentials_set_username(wks_creds, wks_name, CRED_SPECIFIED);
1423 cli_credentials_set_workstation(wks_creds, wks_name, CRED_SPECIFIED);
1424 cli_credentials_set_password(wks_creds,
1425 generate_random_password(wks_creds, 8, 255),
1426 CRED_SPECIFIED);
1427
1428 torture_assert(torture,
1429 join3(torture, cli, false, NULL, wks_creds),
1430 "join failed");
1431
1432 cli_credentials_set_domain(
1433 samba_cmdline_get_creds(),
1434 cli_credentials_get_domain(wks_creds),
1435 CRED_SPECIFIED);
1436
1437 for (i=0; i<2; i++) {
1438
1439 /* Do this more than once, the routine "schan" changes
1440 * the workstation password using the netlogon
1441 * password change routine */
1442
1443 int j;
1444
1445 torture_assert(torture,
1446 auth2(torture, cli, wks_creds),
1447 "auth2 failed");
1448
1449 for (j=0; j<2; j++) {
1450 torture_assert(torture,
1451 schan(torture, cli, wks_creds,
1452 samba_cmdline_get_creds()),
1453 "schan failed");
1454 }
1455 }
1456
1457 torture_assert(torture,
1458 leave(torture, cli, NULL, wks_creds),
1459 "leave failed");
1460
1461 return true;
1462 }
1463
1464 /*
1465 * Do a simple join, testjoin and leave using specified smb and samr
1466 * credentials
1467 */
1468
1469 static bool test_join3(struct torture_context *tctx,
1470 bool use_level25,
1471 struct cli_credentials *smb_creds,
1472 struct cli_credentials *samr_creds,
1473 const char *wks_name)
1474 {
1475 NTSTATUS status;
1476 struct smbcli_state *cli;
1477 struct cli_credentials *wks_creds;
1478 struct smbcli_options options;
1479 struct smbcli_session_options session_options;
1480
1481 lpcfg_smbcli_options(tctx->lp_ctx, &options);
1482 lpcfg_smbcli_session_options(tctx->lp_ctx, &session_options);
1483
1484 status = smbcli_full_connection(tctx, &cli,
1485 torture_setting_string(tctx, "host", NULL),
1486 lpcfg_smb_ports(tctx->lp_ctx),
1487 "IPC$", NULL, lpcfg_socket_options(tctx->lp_ctx),
1488 smb_creds, lpcfg_resolve_context(tctx->lp_ctx),
1489 tctx->ev, &options, &session_options,
1490 lpcfg_gensec_settings(tctx, tctx->lp_ctx));
1491 torture_assert_ntstatus_ok(tctx, status,
1492 "smbcli_full_connection failed");
1493
1494 wks_creds = cli_credentials_init(cli);
1495 torture_assert(tctx, wks_creds, "cli_credentials_init failed");
1496
1497 cli_credentials_set_conf(wks_creds, tctx->lp_ctx);
1498 cli_credentials_set_secure_channel_type(wks_creds, SEC_CHAN_WKSTA);
1499 cli_credentials_set_username(wks_creds, wks_name, CRED_SPECIFIED);
1500 cli_credentials_set_workstation(wks_creds, wks_name, CRED_SPECIFIED);
1501 cli_credentials_set_password(wks_creds,
1502 generate_random_password(wks_creds, 8, 255),
1503 CRED_SPECIFIED);
1504
1505 torture_assert(tctx,
1506 join3(tctx, cli, use_level25, samr_creds, wks_creds),
1507 "join failed");
1508
1509 cli_credentials_set_domain(
1510 samba_cmdline_get_creds(),
1511 cli_credentials_get_domain(wks_creds),
1512 CRED_SPECIFIED);
1513
1514 torture_assert(tctx,
1515 auth2(tctx, cli, wks_creds),
1516 "auth2 failed");
1517
1518 torture_assert(tctx,
1519 leave(tctx, cli, samr_creds, wks_creds),
1520 "leave failed");
1521
1522 talloc_free(cli);
1523
1524 return true;
1525 }
1526
1527 /*
1528 * Test the different session key variants. Do it by joining, this uses the
1529 * session key in the setpassword routine. Test the join by doing the auth2.
1530 */
1531
1532 static bool torture_samba3_sessionkey(struct torture_context *torture)
1533 {
1534 struct cli_credentials *anon_creds;
1535 const char *wks_name;
1536
1537
1538 wks_name = torture_setting_string(torture, "wksname", NULL);
1539 torture_assert(torture, wks_name != NULL, "wksname not set");
1540
1541 if (!(anon_creds = cli_credentials_init_anon(torture))) {
1542 torture_fail(torture, "create_anon_creds failed\n");
1543 }
1544
1545 cli_credentials_set_workstation(anon_creds, wks_name, CRED_SPECIFIED);
1546
1547 torture_assert(torture,
1548 test_join3(torture, false, samba_cmdline_get_creds(),
1549 NULL, wks_name),
1550 "join using anonymous bind on an authenticated smb connection failed");
1551
1552 /*
1553 * The following two are tests for setuserinfolevel 25
1554 */
1555
1556 torture_assert(torture,
1557 test_join3(torture, true, samba_cmdline_get_creds(),
1558 NULL, wks_name),
1559 "join using anonymous bind on an authenticated smb connection failed");
1560
1561 return true;
1562 }
1563
1564 /*
1565 * Sane wrapper around lsa_LookupNames
1566 */
1567
1568 static struct dom_sid *name2sid(struct torture_context *tctx,
1569 TALLOC_CTX *mem_ctx,
1570 struct dcerpc_pipe *p,
1571 const char *name,
1572 const char *domain)
1573 {
1574 struct lsa_ObjectAttribute attr;
1575 struct lsa_QosInfo qos;
1576 struct lsa_OpenPolicy2 r;
1577 struct lsa_Close c;
1578 NTSTATUS status;
1579 struct policy_handle handle;
1580 struct lsa_LookupNames l;
1581 struct lsa_TransSidArray sids;
1582 struct lsa_RefDomainList *domains = NULL;
1583 struct lsa_String lsa_name;
1584 uint32_t count = 0;
1585 struct dom_sid *result;
1586 TALLOC_CTX *tmp_ctx;
1587 struct dcerpc_binding_handle *b = p->binding_handle;
1588
1589 if (!(tmp_ctx = talloc_new(mem_ctx))) {
1590 return NULL;
1591 }
1592
1593 qos.len = 0;
1594 qos.impersonation_level = 2;
1595 qos.context_mode = 1;
1596 qos.effective_only = 0;
1597
1598 attr.len = 0;
1599 attr.root_dir = NULL;
1600 attr.object_name = NULL;
1601 attr.attributes = 0;
1602 attr.sec_desc = NULL;
1603 attr.sec_qos = &qos;
1604
1605 r.in.system_name = "\\";
1606 r.in.attr = &attr;
1607 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1608 r.out.handle = &handle;
1609
1610 status = dcerpc_lsa_OpenPolicy2_r(b, tmp_ctx, &r);
1611 if (!NT_STATUS_IS_OK(status)) {
1612 torture_comment(tctx, "OpenPolicy2 failed - %s\n", nt_errstr(status));
1613 talloc_free(tmp_ctx);
1614 return NULL;
1615 }
1616 if (!NT_STATUS_IS_OK(r.out.result)) {
1617 torture_comment(tctx, "OpenPolicy2 failed - %s\n", nt_errstr(r.out.result));
1618 talloc_free(tmp_ctx);
1619 return NULL;
1620 }
1621
1622 sids.count = 0;
1623 sids.sids = NULL;
1624
1625 lsa_name.string = talloc_asprintf(tmp_ctx, "%s\\%s", domain, name);
1626
1627 l.in.handle = &handle;
1628 l.in.num_names = 1;
1629 l.in.names = &lsa_name;
1630 l.in.sids = &sids;
1631 l.in.level = 1;
1632 l.in.count = &count;
1633 l.out.count = &count;
1634 l.out.sids = &sids;
1635 l.out.domains = &domains;
1636
1637 status = dcerpc_lsa_LookupNames_r(b, tmp_ctx, &l);
1638 if (!NT_STATUS_IS_OK(status)) {
1639 torture_comment(tctx, "LookupNames of %s failed - %s\n", lsa_name.string,
1640 nt_errstr(status));
1641 talloc_free(tmp_ctx);
1642 return NULL;
1643 }
1644 if (!NT_STATUS_IS_OK(l.out.result)) {
1645 torture_comment(tctx, "LookupNames of %s failed - %s\n", lsa_name.string,
1646 nt_errstr(l.out.result));
1647 talloc_free(tmp_ctx);
1648 return NULL;
1649 }
1650
1651 result = dom_sid_add_rid(mem_ctx, domains->domains[0].sid,
1652 l.out.sids->sids[0].rid);
1653
1654 c.in.handle = &handle;
1655 c.out.handle = &handle;
1656
1657 status = dcerpc_lsa_Close_r(b, tmp_ctx, &c);
1658 if (!NT_STATUS_IS_OK(status)) {
1659 torture_comment(tctx, "dcerpc_lsa_Close failed - %s\n", nt_errstr(status));
1660 talloc_free(tmp_ctx);
1661 return NULL;
1662 }
1663 if (!NT_STATUS_IS_OK(c.out.result)) {
1664 torture_comment(tctx, "dcerpc_lsa_Close failed - %s\n", nt_errstr(c.out.result));
1665 talloc_free(tmp_ctx);
1666 return NULL;
1667 }
1668
1669 talloc_free(tmp_ctx);
1670 return result;
1671 }
1672
1673 /*
1674 * Find out the user SID on this connection
1675 */
1676
1677 static struct dom_sid *whoami(struct torture_context *tctx,
1678 TALLOC_CTX *mem_ctx,
1679 struct smbcli_tree *tree)
1680 {
1681 struct dcerpc_pipe *lsa;
1682 struct dcerpc_binding_handle *lsa_handle;
1683 struct lsa_GetUserName r;
1684 NTSTATUS status;
1685 struct lsa_String *authority_name_p = NULL;
1686 struct lsa_String *account_name_p = NULL;
1687 struct dom_sid *result;
1688
1689 status = pipe_bind_smb(tctx, mem_ctx, tree, "\\pipe\\lsarpc",
1690 &ndr_table_lsarpc, &lsa);
1691 if (!NT_STATUS_IS_OK(status)) {
1692 torture_warning(tctx, "Could not bind to LSA: %s\n",
1693 nt_errstr(status));
1694 return NULL;
1695 }
1696 lsa_handle = lsa->binding_handle;
1697
1698 r.in.system_name = "\\";
1699 r.in.account_name = &account_name_p;
1700 r.in.authority_name = &authority_name_p;
1701 r.out.account_name = &account_name_p;
1702
1703 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
1704
1705 authority_name_p = *r.out.authority_name;
1706
1707 if (!NT_STATUS_IS_OK(status)) {
1708 torture_warning(tctx, "GetUserName failed - %s\n",
1709 nt_errstr(status));
1710 talloc_free(lsa);
1711 return NULL;
1712 }
1713 if (!NT_STATUS_IS_OK(r.out.result)) {
1714 torture_warning(tctx, "GetUserName failed - %s\n",
1715 nt_errstr(r.out.result));
1716 talloc_free(lsa);
1717 return NULL;
1718 }
1719
1720 result = name2sid(tctx, mem_ctx, lsa, account_name_p->string,
1721 authority_name_p->string);
1722
1723 talloc_free(lsa);
1724 return result;
1725 }
1726
1727 static int destroy_tree(struct smbcli_tree *tree)
1728 {
1729 smb_tree_disconnect(tree);
1730 return 0;
1731 }
1732
1733 /*
1734 * Do a tcon, given a session
1735 */
1736
1737 static NTSTATUS secondary_tcon(struct torture_context *tctx,
1738 TALLOC_CTX *mem_ctx,
1739 struct smbcli_session *session,
1740 const char *sharename,
1741 struct smbcli_tree **res)
1742 {
1743 struct smbcli_tree *result;
1744 TALLOC_CTX *tmp_ctx;
1745 union smb_tcon tcon;
1746 NTSTATUS status;
1747
1748 if (!(tmp_ctx = talloc_new(mem_ctx))) {
1749 return NT_STATUS_NO_MEMORY;
1750 }
1751
1752 if (!(result = smbcli_tree_init(session, mem_ctx, false))) {
1753 talloc_free(tmp_ctx);
1754 return NT_STATUS_NO_MEMORY;
1755 }
1756
1757 tcon.generic.level = RAW_TCON_TCONX;
1758 tcon.tconx.in.flags = TCONX_FLAG_EXTENDED_RESPONSE;
1759 tcon.tconx.in.flags |= TCONX_FLAG_EXTENDED_SIGNATURES;
1760 tcon.tconx.in.password = data_blob(NULL, 0);
1761 tcon.tconx.in.path = sharename;
1762 tcon.tconx.in.device = "?????";
1763
1764 status = smb_raw_tcon(result, tmp_ctx, &tcon);
1765 if (!NT_STATUS_IS_OK(status)) {
1766 torture_warning(tctx, "smb_raw_tcon failed: %s\n",
1767 nt_errstr(status));
1768 talloc_free(tmp_ctx);
1769 return status;
1770 }
1771
1772 result->tid = tcon.tconx.out.tid;
1773
1774 if (tcon.tconx.out.options & SMB_EXTENDED_SIGNATURES) {
1775 smb1cli_session_protect_session_key(result->session->smbXcli);
1776 }
1777
1778 result = talloc_steal(mem_ctx, result);
1779 talloc_set_destructor(result, destroy_tree);
1780 talloc_free(tmp_ctx);
1781 *res = result;
1782 return NT_STATUS_OK;
1783 }
1784
1785 /*
1786 * Test the getusername behaviour
1787 */
1788
1789 static bool torture_samba3_rpc_getusername(struct torture_context *torture)
1790 {
1791 NTSTATUS status;
1792 struct smbcli_state *cli;
1793 bool ret = true;
1794 struct dom_sid *user_sid;
1795 struct dom_sid *created_sid;
1796 struct cli_credentials *anon_creds;
1797 struct cli_credentials *user_creds;
1798 char *domain_name;
1799 struct smbcli_options options;
1800 struct smbcli_session_options session_options;
1801
1802 lpcfg_smbcli_options(torture->lp_ctx, &options);
1803 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
1804
1805 if (!(anon_creds = cli_credentials_init_anon(torture))) {
1806 torture_fail(torture, "create_anon_creds failed\n");
1807 }
1808
1809 status = smbcli_full_connection(
1810 torture, &cli, torture_setting_string(torture, "host", NULL),
1811 lpcfg_smb_ports(torture->lp_ctx), "IPC$", NULL,
1812 lpcfg_socket_options(torture->lp_ctx), anon_creds,
1813 lpcfg_resolve_context(torture->lp_ctx),
1814 torture->ev, &options, &session_options,
1815 lpcfg_gensec_settings(torture, torture->lp_ctx));
1816 torture_assert_ntstatus_ok(torture, status, "anon smbcli_full_connection failed\n");
1817
1818 if (!(user_sid = whoami(torture, torture, cli->tree))) {
1819 torture_fail(torture, "whoami on anon connection failed\n");
1820 }
1821
1822 torture_assert_sid_equal(torture, user_sid, dom_sid_parse_talloc(torture, "s-1-5-7"),
1823 "Anon lsa_GetUserName returned unexpected SID");
1824
1825 talloc_free(cli);
1826
1827 status = smbcli_full_connection(
1828 torture, &cli, torture_setting_string(torture, "host", NULL),
1829 lpcfg_smb_ports(torture->lp_ctx),
1830 "IPC$", NULL, lpcfg_socket_options(torture->lp_ctx),
1831 samba_cmdline_get_creds(),
1832 lpcfg_resolve_context(torture->lp_ctx), torture->ev, &options,
1833 &session_options, lpcfg_gensec_settings(torture, torture->lp_ctx));
1834 torture_assert_ntstatus_ok(torture, status, "smbcli_full_connection failed\n");
1835
1836 if (!(user_sid = whoami(torture, torture, cli->tree))) {
1837 torture_fail(torture, "whoami on auth'ed connection failed\n");
1838 }
1839
1840 if (!(user_creds = cli_credentials_init(torture))) {
1841 torture_fail(torture, "cli_credentials_init failed\n");
1842 }
1843
1844 cli_credentials_set_conf(user_creds, torture->lp_ctx);
1845 cli_credentials_set_username(user_creds, "torture_username",
1846 CRED_SPECIFIED);
1847 cli_credentials_set_password(user_creds,
1848 generate_random_password(user_creds, 8, 255),
1849 CRED_SPECIFIED);
1850
1851 if (!create_user(torture, torture, cli, NULL,
1852 cli_credentials_get_username(user_creds),
1853 cli_credentials_get_password(user_creds),
1854 &domain_name, &created_sid)) {
1855 torture_fail(torture, "create_user failed\n");
1856 }
1857
1858 cli_credentials_set_domain(user_creds, domain_name,
1859 CRED_SPECIFIED);
1860
1861 {
1862 struct smbcli_session *session2;
1863 struct smb_composite_sesssetup setup;
1864 struct smbcli_tree *tree;
1865
1866 session2 = smbcli_session_init(cli->transport, torture, false, session_options);
1867 if (session2 == NULL) {
1868 torture_fail(torture, "smbcli_session_init failed\n");
1869 }
1870
1871 setup.in.sesskey = cli->transport->negotiate.sesskey;
1872 setup.in.capabilities = cli->transport->negotiate.capabilities;
1873 setup.in.workgroup = "";
1874 setup.in.credentials = user_creds;
1875 setup.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
1876
1877 status = smb_composite_sesssetup(session2, &setup);
1878 torture_assert_ntstatus_ok(torture, status, "session setup with new user failed");
1879
1880 session2->vuid = setup.out.vuid;
1881
1882 if (!NT_STATUS_IS_OK(secondary_tcon(torture, torture, session2,
1883 "IPC$", &tree))) {
1884 torture_fail(torture, "secondary_tcon failed\n");
1885 }
1886
1887 if (!(user_sid = whoami(torture, torture, tree))) {
1888 torture_fail_goto(torture, del, "whoami on user connection failed\n");
1889 ret = false;
1890 goto del;
1891 }
1892
1893 talloc_free(tree);
1894 }
1895
1896 torture_comment(torture, "Created %s, found %s\n",
1897 dom_sid_string(torture, created_sid),
1898 dom_sid_string(torture, user_sid));
1899
1900 if (!dom_sid_equal(created_sid, user_sid)) {
1901 ret = false;
1902 }
1903
1904 del:
1905 if (!delete_user(torture, cli,
1906 NULL,
1907 cli_credentials_get_username(user_creds))) {
1908 torture_fail(torture, "delete_user failed\n");
1909 }
1910
1911 return ret;
1912 }
1913
1914 static bool test_NetShareGetInfo(struct torture_context *tctx,
1915 struct dcerpc_pipe *p,
1916 const char *sharename)
1917 {
1918 NTSTATUS status;
1919 struct srvsvc_NetShareGetInfo r;
1920 union srvsvc_NetShareInfo info;
1921 uint32_t levels[] = { 0, 1, 2, 501, 502, 1004, 1005, 1006, 1007, 1501 };
1922 size_t i;
1923 bool ret = true;
1924 struct dcerpc_binding_handle *b = p->binding_handle;
1925
1926 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s",
1927 dcerpc_server_name(p));
1928 r.in.share_name = sharename;
1929 r.out.info = &info;
1930
1931 for (i=0;i<ARRAY_SIZE(levels);i++) {
1932 r.in.level = levels[i];
1933
1934 torture_comment(tctx, "Testing NetShareGetInfo level %u on share '%s'\n",
1935 r.in.level, r.in.share_name);
1936
1937 status = dcerpc_srvsvc_NetShareGetInfo_r(b, tctx, &r);
1938 if (!NT_STATUS_IS_OK(status)) {
1939 torture_warning(tctx, "NetShareGetInfo level %u on share '%s' failed"
1940 " - %s\n", r.in.level, r.in.share_name,
1941 nt_errstr(status));
1942 ret = false;
1943 continue;
1944 }
1945 if (!W_ERROR_IS_OK(r.out.result)) {
1946 torture_warning(tctx, "NetShareGetInfo level %u on share '%s' failed "
1947 "- %s\n", r.in.level, r.in.share_name,
1948 win_errstr(r.out.result));
1949 ret = false;
1950 continue;
1951 }
1952 }
1953
1954 return ret;
1955 }
1956
1957 static bool test_NetShareEnum(struct torture_context *tctx,
1958 struct dcerpc_pipe *p,
1959 const char **one_sharename)
1960 {
1961 NTSTATUS status;
1962 struct srvsvc_NetShareEnum r;
1963 struct srvsvc_NetShareInfoCtr info_ctr;
1964 struct srvsvc_NetShareCtr0 c0;
1965 struct srvsvc_NetShareCtr1 c1;
1966 struct srvsvc_NetShareCtr2 c2;
1967 struct srvsvc_NetShareCtr501 c501;
1968 struct srvsvc_NetShareCtr502 c502;
1969 struct srvsvc_NetShareCtr1004 c1004;
1970 struct srvsvc_NetShareCtr1005 c1005;
1971 struct srvsvc_NetShareCtr1006 c1006;
1972 struct srvsvc_NetShareCtr1007 c1007;
1973 uint32_t totalentries = 0;
1974 uint32_t levels[] = { 0, 1, 2, 501, 502, 1004, 1005, 1006, 1007 };
1975 size_t i;
1976 bool ret = true;
1977 struct dcerpc_binding_handle *b = p->binding_handle;
1978
1979 ZERO_STRUCT(info_ctr);
1980
1981 r.in.server_unc = talloc_asprintf(tctx,"\\\\%s",dcerpc_server_name(p));
1982 r.in.info_ctr = &info_ctr;
1983 r.in.max_buffer = (uint32_t)-1;
1984 r.in.resume_handle = NULL;
1985 r.out.totalentries = &totalentries;
1986 r.out.info_ctr = &info_ctr;
1987
1988 for (i=0;i<ARRAY_SIZE(levels);i++) {
1989 info_ctr.level = levels[i];
1990
1991 switch (info_ctr.level) {
1992 case 0:
1993 ZERO_STRUCT(c0);
1994 info_ctr.ctr.ctr0 = &c0;
1995 break;
1996 case 1:
1997 ZERO_STRUCT(c1);
1998 info_ctr.ctr.ctr1 = &c1;
1999 break;
2000 case 2:
2001 ZERO_STRUCT(c2);
2002 info_ctr.ctr.ctr2 = &c2;
2003 break;
2004 case 501:
2005 ZERO_STRUCT(c501);
2006 info_ctr.ctr.ctr501 = &c501;
2007 break;
2008 case 502:
2009 ZERO_STRUCT(c502);
2010 info_ctr.ctr.ctr502 = &c502;
2011 break;
2012 case 1004:
2013 ZERO_STRUCT(c1004);
2014 info_ctr.ctr.ctr1004 = &c1004;
2015 break;
2016 case 1005:
2017 ZERO_STRUCT(c1005);
2018 info_ctr.ctr.ctr1005 = &c1005;
2019 break;
2020 case 1006:
2021 ZERO_STRUCT(c1006);
2022 info_ctr.ctr.ctr1006 = &c1006;
2023 break;
2024 case 1007:
2025 ZERO_STRUCT(c1007);
2026 info_ctr.ctr.ctr1007 = &c1007;
2027 break;
2028 }
2029
2030 torture_comment(tctx, "Testing NetShareEnum level %u\n", info_ctr.level);
2031
2032 status = dcerpc_srvsvc_NetShareEnum_r(b, tctx, &r);
2033 if (!NT_STATUS_IS_OK(status)) {
2034 torture_warning(tctx, "NetShareEnum level %u failed - %s\n",
2035 info_ctr.level, nt_errstr(status));
2036 ret = false;
2037 continue;
2038 }
2039 if (!W_ERROR_IS_OK(r.out.result)) {
2040 torture_warning(tctx, "NetShareEnum level %u failed - %s\n",
2041 info_ctr.level, win_errstr(r.out.result));
2042 continue;
2043 }
2044 if (info_ctr.level == 0) {
2045 struct srvsvc_NetShareCtr0 *ctr = r.out.info_ctr->ctr.ctr0;
2046 if (ctr->count > 0) {
2047 *one_sharename = ctr->array[0].name;
2048 }
2049 }
2050 }
2051
2052 return ret;
2053 }
2054
2055 static bool torture_samba3_rpc_srvsvc(struct torture_context *torture)
2056 {
2057 struct dcerpc_pipe *p;
2058 const char *sharename = NULL;
2059 bool ret = true;
2060
2061 torture_assert_ntstatus_ok(torture,
2062 torture_rpc_connection(torture, &p, &ndr_table_srvsvc),
2063 "failed to open srvsvc");
2064
2065 ret &= test_NetShareEnum(torture, p, &sharename);
2066 if (sharename == NULL) {
2067 torture_comment(torture, "did not get sharename\n");
2068 } else {
2069 ret &= test_NetShareGetInfo(torture, p, sharename);
2070 }
2071
2072 return ret;
2073 }
2074
2075 /*
2076 * Do a ReqChallenge/Auth2 with a random wks name, make sure it returns
2077 * NT_STATUS_NO_SAM_ACCOUNT
2078 */
2079
2080 static bool torture_samba3_rpc_randomauth2(struct torture_context *torture)
2081 {
2082 TALLOC_CTX *mem_ctx;
2083 struct dcerpc_pipe *net_pipe;
2084 struct dcerpc_binding_handle *net_handle;
2085 char wksname[15];
2086 bool result = false;
2087 NTSTATUS status;
2088 struct netr_ServerReqChallenge r;
2089 struct netr_Credential netr_cli_creds;
2090 struct netr_Credential netr_srv_creds;
2091 uint32_t negotiate_flags;
2092 struct netr_ServerAuthenticate2 a;
2093 struct netlogon_creds_CredentialState *creds_state;
2094 struct netr_Credential netr_cred;
2095 struct samr_Password mach_pw;
2096 struct smbcli_state *cli;
2097
2098 if (!(mem_ctx = talloc_new(torture))) {
2099 torture_comment(torture, "talloc_new failed\n");
2100 return false;
2101 }
2102
2103 generate_random_str_list_buf(wksname,
2104 sizeof(wksname),
2105 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
2106
2107 if (!(torture_open_connection_share(
2108 mem_ctx, &cli,
2109 torture, torture_setting_string(torture, "host", NULL),
2110 "IPC$", torture->ev))) {
2111 torture_comment(torture, "IPC$ connection failed\n");
2112 goto done;
2113 }
2114
2115 status = pipe_bind_smb(torture, mem_ctx, cli->tree, "\\netlogon",
2116 &ndr_table_netlogon, &net_pipe);
2117 torture_assert_ntstatus_ok_goto(torture, status, result, done,
2118 "pipe_bind_smb failed");
2119 net_handle = net_pipe->binding_handle;
2120
2121 r.in.computer_name = wksname;
2122 r.in.server_name = talloc_asprintf(
2123 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
2124 if (r.in.server_name == NULL) {
2125 torture_comment(torture, "talloc_asprintf failed\n");
2126 goto done;
2127 }
2128 generate_random_buffer(netr_cli_creds.data,
2129 sizeof(netr_cli_creds.data));
2130 r.in.credentials = &netr_cli_creds;
2131 r.out.return_credentials = &netr_srv_creds;
2132
2133 status = dcerpc_netr_ServerReqChallenge_r(net_handle, mem_ctx, &r);
2134 if (!NT_STATUS_IS_OK(status)) {
2135 torture_comment(torture, "netr_ServerReqChallenge failed: %s\n",
2136 nt_errstr(status));
2137 goto done;
2138 }
2139 if (!NT_STATUS_IS_OK(r.out.result)) {
2140 torture_comment(torture, "netr_ServerReqChallenge failed: %s\n",
2141 nt_errstr(r.out.result));
2142 goto done;
2143 }
2144
2145 negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
2146 E_md4hash("foobar", mach_pw.hash);
2147
2148 a.in.server_name = talloc_asprintf(
2149 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
2150 a.in.account_name = talloc_asprintf(
2151 mem_ctx, "%s$", wksname);
2152 a.in.computer_name = wksname;
2153 a.in.secure_channel_type = SEC_CHAN_WKSTA;
2154 a.in.negotiate_flags = &negotiate_flags;
2155 a.out.negotiate_flags = &negotiate_flags;
2156 a.in.credentials = &netr_cred;
2157 a.out.return_credentials = &netr_cred;
2158
2159 creds_state = netlogon_creds_client_init(mem_ctx,
2160 a.in.account_name,
2161 a.in.computer_name,
2162 a.in.secure_channel_type,
2163 r.in.credentials,
2164 r.out.return_credentials, &mach_pw,
2165 &netr_cred,
2166 negotiate_flags,
2167 negotiate_flags);
2168 torture_assert(torture, (creds_state != NULL), "memory allocation failed");
2169
2170 status = dcerpc_netr_ServerAuthenticate2_r(net_handle, mem_ctx, &a);
2171 if (!NT_STATUS_IS_OK(status)) {
2172 goto done;
2173 }
2174 if (!NT_STATUS_EQUAL(a.out.result, NT_STATUS_NO_TRUST_SAM_ACCOUNT)) {
2175 torture_comment(torture, "dcerpc_netr_ServerAuthenticate2 returned %s, "
2176 "expected NT_STATUS_NO_TRUST_SAM_ACCOUNT\n",
2177 nt_errstr(a.out.result));
2178 goto done;
2179 }
2180
2181 result = true;
2182 done:
2183 talloc_free(mem_ctx);
2184 return result;
2185 }
2186
2187 static struct security_descriptor *get_sharesec(struct torture_context *tctx,
2188 TALLOC_CTX *mem_ctx,
2189 struct smbcli_session *sess,
2190 const char *sharename)
2191 {
2192 struct smbcli_tree *tree;
2193 TALLOC_CTX *tmp_ctx;
2194 struct dcerpc_pipe *p;
2195 struct dcerpc_binding_handle *b;
2196 NTSTATUS status;
2197 struct srvsvc_NetShareGetInfo r;
2198 union srvsvc_NetShareInfo info;
2199 struct security_descriptor *result;
2200
2201 if (!(tmp_ctx = talloc_new(mem_ctx))) {
2202 torture_comment(tctx, "talloc_new failed\n");
2203 return NULL;
2204 }
2205
2206 if (!NT_STATUS_IS_OK(secondary_tcon(tctx, tmp_ctx, sess, "IPC$", &tree))) {
2207 torture_comment(tctx, "secondary_tcon failed\n");
2208 talloc_free(tmp_ctx);
2209 return NULL;
2210 }
2211
2212 status = pipe_bind_smb(tctx, mem_ctx, tree, "\\pipe\\srvsvc",
2213 &ndr_table_srvsvc, &p);
2214 if (!NT_STATUS_IS_OK(status)) {
2215 torture_warning(tctx, "could not bind to srvsvc pipe: %s\n",
2216 nt_errstr(status));
2217 talloc_free(tmp_ctx);
2218 return NULL;
2219 }
2220 b = p->binding_handle;
2221
2222 #if 0
2223 p->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
2224 #endif
2225
2226 r.in.server_unc = talloc_asprintf(tmp_ctx, "\\\\%s",
2227 dcerpc_server_name(p));
2228 r.in.share_name = sharename;
2229 r.in.level = 502;
2230 r.out.info = &info;
2231
2232 status = dcerpc_srvsvc_NetShareGetInfo_r(b, tmp_ctx, &r);
2233 if (!NT_STATUS_IS_OK(status)) {
2234 torture_comment(tctx, "srvsvc_NetShareGetInfo failed: %s\n",
2235 nt_errstr(status));
2236 talloc_free(tmp_ctx);
2237 return NULL;
2238 }
2239 if (!W_ERROR_IS_OK(r.out.result)) {
2240 torture_comment(tctx, "srvsvc_NetShareGetInfo failed: %s\n",
2241 win_errstr(r.out.result));
2242 talloc_free(tmp_ctx);
2243 return NULL;
2244 }
2245
2246 result = talloc_steal(mem_ctx, info.info502->sd_buf.sd);
2247 talloc_free(tmp_ctx);
2248 return result;
2249 }
2250
2251 static NTSTATUS set_sharesec(struct torture_context *tctx,
2252 TALLOC_CTX *mem_ctx,
2253 struct smbcli_session *sess,
2254 const char *sharename,
2255 struct security_descriptor *sd)
2256 {
2257 struct smbcli_tree *tree;
2258 TALLOC_CTX *tmp_ctx;
2259 struct dcerpc_pipe *p;
2260 struct dcerpc_binding_handle *b;
2261 NTSTATUS status;
2262 struct sec_desc_buf i;
2263 struct srvsvc_NetShareSetInfo r;
2264 union srvsvc_NetShareInfo info;
2265 uint32_t error = 0;
2266
2267 if (!(tmp_ctx = talloc_new(mem_ctx))) {
2268 torture_comment(tctx, "talloc_new failed\n");
2269 return NT_STATUS_NO_MEMORY;
2270 }
2271
2272 if (!NT_STATUS_IS_OK(secondary_tcon(tctx, tmp_ctx, sess, "IPC$", &tree))) {
2273 torture_comment(tctx, "secondary_tcon failed\n");
2274 talloc_free(tmp_ctx);
2275 return NT_STATUS_UNSUCCESSFUL;
2276 }
2277
2278 status = pipe_bind_smb(tctx, mem_ctx, tree, "\\pipe\\srvsvc",
2279 &ndr_table_srvsvc, &p);
2280 if (!NT_STATUS_IS_OK(status)) {
2281 torture_warning(tctx, "could not bind to srvsvc pipe: %s\n",
2282 nt_errstr(status));
2283 talloc_free(tmp_ctx);
2284 return NT_STATUS_UNSUCCESSFUL;
2285 }
2286 b = p->binding_handle;
2287
2288 #if 0
2289 p->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
2290 #endif
2291
2292 r.in.server_unc = talloc_asprintf(tmp_ctx, "\\\\%s",
2293 dcerpc_server_name(p));
2294 r.in.share_name = sharename;
2295 r.in.level = 1501;
2296 i.sd = sd;
2297 info.info1501 = &i;
2298 r.in.info = &info;
2299 r.in.parm_error = &error;
2300
2301 status = dcerpc_srvsvc_NetShareSetInfo_r(b, tmp_ctx, &r);
2302 if (!NT_STATUS_IS_OK(status)) {
2303 torture_comment(tctx, "srvsvc_NetShareSetInfo failed: %s\n",
2304 nt_errstr(status));
2305 }
2306 if (!W_ERROR_IS_OK(r.out.result)) {
2307 torture_comment(tctx, "srvsvc_NetShareSetInfo failed: %s\n",
2308 win_errstr(r.out.result));
2309 status = werror_to_ntstatus(r.out.result);
2310 }
2311 talloc_free(tmp_ctx);
2312 return status;
2313 }
2314
2315 bool try_tcon(struct torture_context *tctx,
2316 TALLOC_CTX *mem_ctx,
2317 struct security_descriptor *orig_sd,
2318 struct smbcli_session *session,
2319 const char *sharename, const struct dom_sid *user_sid,
2320 unsigned int access_mask, NTSTATUS expected_tcon,
2321 NTSTATUS expected_mkdir)
2322 {
2323 TALLOC_CTX *tmp_ctx;
2324 struct smbcli_tree *rmdir_tree, *tree;
2325 struct dom_sid *domain_sid;
2326 uint32_t rid;
2327 struct security_descriptor *sd;
2328 NTSTATUS status;
2329 bool ret = true;
2330
2331 if (!(tmp_ctx = talloc_new(mem_ctx))) {
2332 torture_comment(tctx, "talloc_new failed\n");
2333 return false;
2334 }
2335
2336 status = secondary_tcon(tctx, tmp_ctx, session, sharename, &rmdir_tree);
2337 if (!NT_STATUS_IS_OK(status)) {
2338 torture_comment(tctx, "first tcon to delete dir failed\n");
2339 talloc_free(tmp_ctx);
2340 return false;
2341 }
2342
2343 smbcli_rmdir(rmdir_tree, "sharesec_testdir");
2344
2345 if (!NT_STATUS_IS_OK(dom_sid_split_rid(tmp_ctx, user_sid,
2346 &domain_sid, &rid))) {
2347 torture_comment(tctx, "dom_sid_split_rid failed\n");
2348 talloc_free(tmp_ctx);
2349 return false;
2350 }
2351
2352 sd = security_descriptor_dacl_create(
2353 tmp_ctx, 0, "S-1-5-32-544",
2354 dom_sid_string(mem_ctx, dom_sid_add_rid(mem_ctx, domain_sid,
2355 DOMAIN_RID_USERS)),
2356 dom_sid_string(mem_ctx, user_sid),
2357 SEC_ACE_TYPE_ACCESS_ALLOWED, access_mask, 0, NULL);
2358 if (sd == NULL) {
2359 torture_comment(tctx, "security_descriptor_dacl_create failed\n");
2360 talloc_free(tmp_ctx);
2361 return false;
2362 }
2363
2364 status = set_sharesec(tctx, mem_ctx, session, sharename, sd);
2365 if (!NT_STATUS_IS_OK(status)) {
2366 torture_comment(tctx, "custom set_sharesec failed: %s\n",
2367 nt_errstr(status));
2368 talloc_free(tmp_ctx);
2369 return false;
2370 }
2371
2372 status = secondary_tcon(tctx, tmp_ctx, session, sharename, &tree);
2373 if (!NT_STATUS_EQUAL(status, expected_tcon)) {
2374 torture_comment(tctx, "Expected %s, got %s\n", nt_errstr(expected_tcon),
2375 nt_errstr(status));
2376 ret = false;
2377 goto done;
2378 }
2379
2380 if (!NT_STATUS_IS_OK(status)) {
2381 /* An expected non-access, no point in trying to write */
2382 goto done;
2383 }
2384
2385 status = smbcli_mkdir(tree, "sharesec_testdir");
2386 if (!NT_STATUS_EQUAL(status, expected_mkdir)) {
2387 torture_warning(tctx, "Expected %s, got %s\n",
2388 nt_errstr(expected_mkdir), nt_errstr(status));
2389 ret = false;
2390 }
2391
2392 done:
2393 smbcli_rmdir(rmdir_tree, "sharesec_testdir");
2394
2395 status = set_sharesec(tctx, mem_ctx, session, sharename, orig_sd);
2396 if (!NT_STATUS_IS_OK(status)) {
2397 torture_comment(tctx, "custom set_sharesec failed: %s\n",
2398 nt_errstr(status));
2399 talloc_free(tmp_ctx);
2400 return false;
2401 }
2402
2403 talloc_free(tmp_ctx);
2404 return ret;
2405 }
2406
2407 static bool torture_samba3_rpc_sharesec(struct torture_context *torture)
2408 {
2409 struct smbcli_state *cli = NULL;
2410 struct security_descriptor *sd = NULL;
2411 struct dom_sid *user_sid = NULL;
2412 const char *testuser_passwd = NULL;
2413 struct cli_credentials *test_credentials = NULL;
2414 struct smbcli_options options;
2415 struct smbcli_session_options session_options;
2416 NTSTATUS status;
2417 struct test_join *tj = NULL;
2418 struct dcerpc_pipe *lsa_pipe = NULL;
2419 const char *priv_array[1];
2420
2421 /* Create a new user. The normal user has SeBackup and SeRestore
2422 privs so we can't lock them out with a share security descriptor. */
2423 tj = torture_create_testuser(torture,
2424 "sharesec_user",
2425 torture_setting_string(torture, "workgroup", NULL),
2426 ACB_NORMAL,
2427 &testuser_passwd);
2428 if (!tj) {
2429 torture_fail(torture, "Creating sharesec_user failed\n");
2430 }
2431
2432 /* Give them SeDiskOperatorPrivilege but no other privs. */
2433 status = torture_rpc_connection(torture, &lsa_pipe, &ndr_table_lsarpc);
2434 if (!NT_STATUS_IS_OK(status)) {
2435 torture_delete_testuser(torture, tj, "sharesec_user");
2436 talloc_free(tj);
2437 torture_fail(torture, "Error connecting to LSA pipe");
2438 }
2439
2440 priv_array[0] = "SeDiskOperatorPrivilege";
2441 if (!torture_setup_privs(torture,
2442 lsa_pipe,
2443 1,
2444 priv_array,
2445 torture_join_user_sid(tj))) {
2446 talloc_free(lsa_pipe);
2447 torture_delete_testuser(torture, tj, "sharesec_user");
2448 talloc_free(tj);
2449 torture_fail(torture, "Failed to setup privs\n");
2450 }
2451 talloc_free(lsa_pipe);
2452
2453 test_credentials = cli_credentials_init(torture);
2454 cli_credentials_set_workstation(test_credentials, "localhost", CRED_SPECIFIED);
2455 cli_credentials_set_domain(test_credentials, lpcfg_workgroup(torture->lp_ctx),
2456 CRED_SPECIFIED);
2457 cli_credentials_set_username(test_credentials, "sharesec_user", CRED_SPECIFIED);
2458 cli_credentials_set_password(test_credentials, testuser_passwd, CRED_SPECIFIED);
2459
2460 ZERO_STRUCT(options);
2461 ZERO_STRUCT(session_options);
2462 lpcfg_smbcli_options(torture->lp_ctx, &options);
2463 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
2464
2465 status = smbcli_full_connection(torture,
2466 &cli,
2467 torture_setting_string(torture, "host", NULL),
2468 lpcfg_smb_ports(torture->lp_ctx),
2469 "IPC$",
2470 NULL,
2471 lpcfg_socket_options(torture->lp_ctx),
2472 test_credentials,
2473 lpcfg_resolve_context(torture->lp_ctx),
2474 torture->ev,
2475 &options,
2476 &session_options,
2477 lpcfg_gensec_settings(torture, torture->lp_ctx));
2478 if (!NT_STATUS_IS_OK(status)) {
2479 talloc_free(cli);
2480 torture_delete_testuser(torture, tj, "sharesec_user");
2481 talloc_free(tj);
2482 torture_fail(torture, "Failed to open connection\n");
2483 }
2484
2485 if (!(user_sid = whoami(torture, torture, cli->tree))) {
2486 talloc_free(cli);
2487 torture_delete_testuser(torture, tj, "sharesec_user");
2488 talloc_free(tj);
2489 torture_fail(torture, "whoami failed\n");
2490 }
2491
2492 sd = get_sharesec(torture, torture, cli->session,
2493 torture_setting_string(torture, "share", NULL));
2494
2495 if (!try_tcon(torture, torture, sd, cli->session,
2496 torture_setting_string(torture, "share", NULL),
2497 user_sid, 0, NT_STATUS_ACCESS_DENIED, NT_STATUS_OK)) {
2498 talloc_free(cli);
2499 torture_delete_testuser(torture, tj, "sharesec_user");
2500 talloc_free(tj);
2501 torture_fail(torture, "failed to test tcon with 0 access_mask");
2502 }
2503
2504 if (!try_tcon(torture, torture, sd, cli->session,
2505 torture_setting_string(torture, "share", NULL),
2506 user_sid, SEC_FILE_READ_DATA, NT_STATUS_OK,
2507 NT_STATUS_MEDIA_WRITE_PROTECTED)) {
2508 talloc_free(cli);
2509 torture_delete_testuser(torture, tj, "sharesec_user");
2510 talloc_free(tj);
2511 torture_fail(torture, "failed to test tcon with SEC_FILE_READ_DATA access_mask");
2512 }
2513
2514 /* sharesec_user doesn't have any rights on the underlying file system.
2515 Go back to the normal user. */
2516
2517 talloc_free(cli);
2518 cli = NULL;
2519 torture_delete_testuser(torture, tj, "sharesec_user");
2520 talloc_free(tj);
2521 tj = NULL;
2522
2523 if (!(torture_open_connection_share(
2524 torture, &cli, torture, torture_setting_string(torture, "host", NULL),
2525 "IPC$", torture->ev))) {
2526 torture_fail(torture, "IPC$ connection failed\n");
2527 }
2528
2529 if (!(user_sid = whoami(torture, torture, cli->tree))) {
2530 torture_fail(torture, "whoami failed\n");
2531 }
2532 torture_assert(torture, try_tcon(
2533 torture, torture, sd, cli->session,
2534 torture_setting_string(torture, "share", NULL),
2535 user_sid, SEC_FILE_ALL, NT_STATUS_OK, NT_STATUS_OK),
2536 "failed to test tcon with SEC_FILE_ALL access_mask");
2537
2538 return true;
2539 }
2540
2541 static bool torture_samba3_rpc_lsa(struct torture_context *torture)
2542 {
2543 struct dcerpc_pipe *p;
2544 struct dcerpc_binding_handle *b;
2545 struct policy_handle lsa_handle;
2546
2547 torture_assert_ntstatus_ok(torture,
2548 torture_rpc_connection(torture, &p, &ndr_table_lsarpc),
2549 "failed to setup lsarpc");
2550
2551 b = p->binding_handle;
2552
2553 {
2554 struct lsa_ObjectAttribute attr;
2555 struct lsa_OpenPolicy2 o;
2556 o.in.system_name = talloc_asprintf(
2557 torture, "\\\\%s", dcerpc_server_name(p));
2558 ZERO_STRUCT(attr);
2559 o.in.attr = &attr;
2560 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2561 o.out.handle = &lsa_handle;
2562
2563 torture_assert_ntstatus_ok(torture,
2564 dcerpc_lsa_OpenPolicy2_r(b, torture, &o),
2565 "dcerpc_lsa_OpenPolicy2 failed");
2566 torture_assert_ntstatus_ok(torture, o.out.result,
2567 "dcerpc_lsa_OpenPolicy2 failed");
2568 }
2569
2570 {
2571 size_t i;
2572 int levels[] = { 2,3,5,6 };
2573
2574 for (i=0; i<ARRAY_SIZE(levels); i++) {
2575 struct lsa_QueryInfoPolicy r;
2576 union lsa_PolicyInformation *info = NULL;
2577 r.in.handle = &lsa_handle;
2578 r.in.level = levels[i];
2579 r.out.info = &info;
2580
2581 torture_assert_ntstatus_ok(torture,
2582 dcerpc_lsa_QueryInfoPolicy_r(b, torture, &r),
2583 talloc_asprintf(torture, "dcerpc_lsa_QueryInfoPolicy level %d failed", levels[i]));
2584 torture_assert_ntstatus_ok(torture, r.out.result,
2585 talloc_asprintf(torture, "dcerpc_lsa_QueryInfoPolicy level %d failed", levels[i]));
2586 }
2587 }
2588
2589 return true;
2590 }
2591
2592 static NTSTATUS get_servername(TALLOC_CTX *mem_ctx, struct smbcli_tree *tree,
2593 char **name)
2594 {
2595 struct rap_WserverGetInfo r;
2596 NTSTATUS status;
2597 char servername[17];
2598 size_t converted_size;
2599
2600 r.in.level = 0;
2601 r.in.bufsize = 0xffff;
2602
2603 status = smbcli_rap_netservergetinfo(tree, mem_ctx, &r);
2604 if (!NT_STATUS_IS_OK(status)) {
2605 return status;
2606 }
2607
2608 memcpy(servername, r.out.info.info0.name, 16);
2609 servername[16] = '\0';
2610
2611 if (!pull_ascii_talloc(mem_ctx, name, servername, &converted_size)) {
2612 return NT_STATUS_NO_MEMORY;
2613 }
2614
2615 return NT_STATUS_OK;
2616 }
2617
2618 static bool rap_get_servername(struct torture_context *tctx,
2619 char **servername)
2620 {
2621 struct smbcli_state *cli;
2622
2623 torture_assert(tctx,
2624 torture_open_connection_share(tctx, &cli, tctx, torture_setting_string(tctx, "host", NULL),
2625 "IPC$", tctx->ev),
2626 "IPC$ connection failed");
2627
2628 torture_assert_ntstatus_ok(tctx,
2629 get_servername(tctx, cli->tree, servername),
2630 "get_servername failed");
2631
2632 talloc_free(cli);
2633
2634 return true;
2635 }
2636
2637 static bool find_printers(struct torture_context *tctx,
2638 struct dcerpc_pipe *p,
2639 const char ***printers,
2640 size_t *num_printers)
2641 {
2642 struct srvsvc_NetShareEnum r;
2643 struct srvsvc_NetShareInfoCtr info_ctr;
2644 struct srvsvc_NetShareCtr1 c1_in;
2645 struct srvsvc_NetShareCtr1 *c1;
2646 uint32_t totalentries = 0;
2647 uint32_t i;
2648 struct dcerpc_binding_handle *b = p->binding_handle;
2649
2650 ZERO_STRUCT(c1_in);
2651 info_ctr.level = 1;
2652 info_ctr.ctr.ctr1 = &c1_in;
2653
2654 r.in.server_unc = talloc_asprintf(
2655 tctx, "\\\\%s", dcerpc_server_name(p));
2656 r.in.info_ctr = &info_ctr;
2657 r.in.max_buffer = (uint32_t)-1;
2658 r.in.resume_handle = NULL;
2659 r.out.totalentries = &totalentries;
2660 r.out.info_ctr = &info_ctr;
2661
2662 torture_assert_ntstatus_ok(tctx,
2663 dcerpc_srvsvc_NetShareEnum_r(b, tctx, &r),
2664 "NetShareEnum level 1 failed");
2665 torture_assert_werr_ok(tctx, r.out.result,
2666 "NetShareEnum level 1 failed");
2667
2668 *printers = NULL;
2669 *num_printers = 0;
2670 c1 = r.out.info_ctr->ctr.ctr1;
2671 for (i=0; i<c1->count; i++) {
2672 if (c1->array[i].type != STYPE_PRINTQ) {
2673 continue;
2674 }
2675 if (!add_string_to_array(tctx, c1->array[i].name,
2676 printers, num_printers)) {
2677 return false;
2678 }
2679 }
2680
2681 return true;
2682 }
2683
2684 static bool enumprinters(struct torture_context *tctx,
2685 struct dcerpc_binding_handle *b,
2686 const char *servername, int level, int *num_printers)
2687 {
2688 struct spoolss_EnumPrinters r;
2689 DATA_BLOB blob;
2690 uint32_t needed;
2691 uint32_t count;
2692 union spoolss_PrinterInfo *info;
2693
2694 r.in.flags = PRINTER_ENUM_LOCAL;
2695 r.in.server = talloc_asprintf(tctx, "\\\\%s", servername);
2696 r.in.level = level;
2697 r.in.buffer = NULL;
2698 r.in.offered = 0;
2699 r.out.needed = &needed;
2700 r.out.count = &count;
2701 r.out.info = &info;
2702
2703 torture_assert_ntstatus_ok(tctx,
2704 dcerpc_spoolss_EnumPrinters_r(b, tctx, &r),
2705 "dcerpc_spoolss_EnumPrinters failed");
2706 torture_assert_werr_equal(tctx, r.out.result, WERR_INSUFFICIENT_BUFFER,
2707 "EnumPrinters unexpected return code should be WERR_INSUFFICIENT_BUFFER");
2708
2709 blob = data_blob_talloc_zero(tctx, needed);
2710 if (blob.data == NULL) {
2711 return false;
2712 }
2713
2714 r.in.buffer = &blob;
2715 r.in.offered = needed;
2716
2717 torture_assert_ntstatus_ok(tctx,
2718 dcerpc_spoolss_EnumPrinters_r(b, tctx, &r),
2719 "dcerpc_spoolss_EnumPrinters failed");
2720 torture_assert_werr_ok(tctx, r.out.result,
2721 "dcerpc_spoolss_EnumPrinters failed");
2722
2723 *num_printers = count;
2724
2725 return true;
2726 }
2727
2728 static bool getprinterinfo(struct torture_context *tctx,
2729 struct dcerpc_binding_handle *b,
2730 struct policy_handle *handle, int level,
2731 union spoolss_PrinterInfo **res)
2732 {
2733 struct spoolss_GetPrinter r;
2734 DATA_BLOB blob;
2735 uint32_t needed;
2736
2737 r.in.handle = handle;
2738 r.in.level = level;
2739 r.in.buffer = NULL;
2740 r.in.offered = 0;
2741 r.out.needed = &needed;
2742
2743 torture_assert_ntstatus_ok(tctx,
2744 dcerpc_spoolss_GetPrinter_r(b, tctx, &r),
2745 "dcerpc_spoolss_GetPrinter failed");
2746 torture_assert_werr_equal(tctx, r.out.result, WERR_INSUFFICIENT_BUFFER,
2747 "GetPrinter unexpected return code should be WERR_INSUFFICIENT_BUFFER");
2748
2749 r.in.handle = handle;
2750 r.in.level = level;
2751 blob = data_blob_talloc_zero(tctx, needed);
2752 if (blob.data == NULL) {
2753 return false;
2754 }
2755 r.in.buffer = &blob;
2756 r.in.offered = needed;
2757
2758 torture_assert_ntstatus_ok(tctx,
2759 dcerpc_spoolss_GetPrinter_r(b, tctx, &r),
2760 "dcerpc_spoolss_GetPrinter failed");
2761 torture_assert_werr_ok(tctx, r.out.result,
2762 "dcerpc_spoolss_GetPrinter failed");
2763
2764 if (res != NULL) {
2765 *res = talloc_steal(tctx, r.out.info);
2766 }
2767
2768 return true;
2769 }
2770
2771 static bool torture_samba3_rpc_spoolss(struct torture_context *torture)
2772 {
2773 struct dcerpc_pipe *p, *p2;
2774 struct dcerpc_binding_handle *b;
2775 struct policy_handle server_handle, printer_handle;
2776 const char **printers;
2777 size_t num_printers;
2778 struct spoolss_UserLevel1 userlevel1;
2779 char *servername;
2780
2781 torture_assert(torture,
2782 rap_get_servername(torture, &servername),
2783 "failed to rap servername");
2784
2785 torture_assert_ntstatus_ok(torture,
2786 torture_rpc_connection(torture, &p2, &ndr_table_srvsvc),
2787 "failed to setup srvsvc");
2788
2789 torture_assert(torture,
2790 find_printers(torture, p2, &printers, &num_printers),
2791 "failed to find printers via srvsvc");
2792
2793 talloc_free(p2);
2794
2795 if (num_printers == 0) {
2796 torture_skip(torture, "Did not find printers\n");
2797 return true;
2798 }
2799
2800 torture_assert_ntstatus_ok(torture,
2801 torture_rpc_connection(torture, &p, &ndr_table_spoolss),
2802 "failed to setup spoolss");
2803
2804 b = p->binding_handle;
2805
2806 ZERO_STRUCT(userlevel1);
2807 userlevel1.client = talloc_asprintf(
2808 torture, "\\\\%s", lpcfg_netbios_name(torture->lp_ctx));
2809 userlevel1.user = cli_credentials_get_username(
2810 samba_cmdline_get_creds());
2811 userlevel1.build = 2600;
2812 userlevel1.major = 3;
2813 userlevel1.minor = 0;
2814 userlevel1.processor = 0;
2815
2816 {
2817 struct spoolss_OpenPrinterEx r;
2818
2819 ZERO_STRUCT(r);
2820 r.in.printername = talloc_asprintf(torture, "\\\\%s",
2821 servername);
2822 r.in.datatype = NULL;
2823 r.in.access_mask = 0;
2824 r.in.userlevel_ctr.level = 1;
2825 r.in.userlevel_ctr.user_info.level1 = &userlevel1;
2826 r.out.handle = &server_handle;
2827
2828 torture_assert_ntstatus_ok(torture,
2829 dcerpc_spoolss_OpenPrinterEx_r(b, torture, &r),
2830 "dcerpc_spoolss_OpenPrinterEx failed");
2831 torture_assert_werr_ok(torture, r.out.result,
2832 "dcerpc_spoolss_OpenPrinterEx failed");
2833 }
2834
2835 {
2836 struct spoolss_ClosePrinter r;
2837
2838 r.in.handle = &server_handle;
2839 r.out.handle = &server_handle;
2840
2841 torture_assert_ntstatus_ok(torture,
2842 dcerpc_spoolss_ClosePrinter_r(b, torture, &r),
2843 "dcerpc_spoolss_ClosePrinter failed");
2844 torture_assert_werr_ok(torture, r.out.result,
2845 "dcerpc_spoolss_ClosePrinter failed");
2846 }
2847
2848 {
2849 struct spoolss_OpenPrinterEx r;
2850
2851 ZERO_STRUCT(r);
2852 r.in.printername = talloc_asprintf(
2853 torture, "\\\\%s\\%s", servername, printers[0]);
2854 r.in.datatype = NULL;
2855 r.in.access_mask = 0;
2856 r.in.userlevel_ctr.level = 1;
2857 r.in.userlevel_ctr.user_info.level1 = &userlevel1;
2858 r.out.handle = &printer_handle;
2859
2860 torture_assert_ntstatus_ok(torture,
2861 dcerpc_spoolss_OpenPrinterEx_r(b, torture, &r),
2862 "dcerpc_spoolss_OpenPrinterEx failed");
2863 torture_assert_werr_ok(torture, r.out.result,
2864 "dcerpc_spoolss_OpenPrinterEx failed");
2865 }
2866
2867 {
2868 int i;
2869
2870 for (i=0; i<8; i++) {
2871 torture_assert(torture,
2872 getprinterinfo(torture, b, &printer_handle, i, NULL),
2873 talloc_asprintf(torture, "getprinterinfo %d failed", i));
2874 }
2875 }
2876
2877 {
2878 struct spoolss_ClosePrinter r;
2879
2880 r.in.handle = &printer_handle;
2881 r.out.handle = &printer_handle;
2882
2883 torture_assert_ntstatus_ok(torture,
2884 dcerpc_spoolss_ClosePrinter_r(b, torture, &r),
2885 "dcerpc_spoolss_ClosePrinter failed");
2886 torture_assert_werr_ok(torture, r.out.result,
2887 "dcerpc_spoolss_ClosePrinter failed");
2888 }
2889
2890 {
2891 int num_enumerated;
2892
2893 torture_assert(torture,
2894 enumprinters(torture, b, servername, 1, &num_enumerated),
2895 "enumprinters failed");
2896
2897 torture_assert_int_equal(torture, num_printers, num_enumerated,
2898 "netshareenum / enumprinters lvl 1 numprinter mismatch");
2899 }
2900
2901 {
2902 int num_enumerated;
2903
2904 torture_assert(torture,
2905 enumprinters(torture, b, servername, 2, &num_enumerated),
2906 "enumprinters failed");
2907
2908 torture_assert_int_equal(torture, num_printers, num_enumerated,
2909 "netshareenum / enumprinters lvl 2 numprinter mismatch");
2910 }
2911
2912 return true;
2913 }
2914
2915 static bool torture_samba3_rpc_wkssvc(struct torture_context *torture)
2916 {
2917 struct dcerpc_pipe *p;
2918 struct dcerpc_binding_handle *b;
2919 char *servername;
2920
2921 torture_assert(torture,
2922 rap_get_servername(torture, &servername),
2923 "failed to rap servername");
2924
2925 torture_assert_ntstatus_ok(torture,
2926 torture_rpc_connection(torture, &p, &ndr_table_wkssvc),
2927 "failed to setup wkssvc");
2928
2929 b = p->binding_handle;
2930
2931 {
2932 struct wkssvc_NetWkstaInfo100 wks100;
2933 union wkssvc_NetWkstaInfo info;
2934 struct wkssvc_NetWkstaGetInfo r;
2935
2936 r.in.server_name = "\\foo";
2937 r.in.level = 100;
2938 info.info100 = &wks100;
2939 r.out.info = &info;
2940
2941 torture_assert_ntstatus_ok(torture,
2942 dcerpc_wkssvc_NetWkstaGetInfo_r(b, torture, &r),
2943 "dcerpc_wkssvc_NetWksGetInfo failed");
2944 torture_assert_werr_ok(torture, r.out.result,
2945 "dcerpc_wkssvc_NetWksGetInfo failed");
2946
2947 torture_assert_str_equal(torture, servername, r.out.info->info100->server_name,
2948 "servername RAP / DCERPC inconsistency");
2949 }
2950
2951 return true;
2952 }
2953
2954 static bool winreg_close(struct torture_context *tctx,
2955 struct dcerpc_binding_handle *b,
2956 struct policy_handle *handle)
2957 {
2958 struct winreg_CloseKey c;
2959
2960 c.in.handle = c.out.handle = handle;
2961
2962 torture_assert_ntstatus_ok(tctx,
2963 dcerpc_winreg_CloseKey_r(b, tctx, &c),
2964 "winreg_CloseKey failed");
2965 torture_assert_werr_ok(tctx, c.out.result,
2966 "winreg_CloseKey failed");
2967
2968 return true;
2969 }
2970
2971 static bool enumvalues(struct torture_context *tctx,
2972 struct dcerpc_binding_handle *b,
2973 struct policy_handle *handle)
2974 {
2975 uint32_t enum_index = 0;
2976
2977 while (1) {
2978 struct winreg_EnumValue r;
2979 struct winreg_ValNameBuf name;
2980 enum winreg_Type type = 0;
2981 uint8_t buf8[1024];
2982 NTSTATUS status;
2983 uint32_t size, length;
2984
2985 ZERO_STRUCT(buf8);
2986 r.in.handle = handle;
2987 r.in.enum_index = enum_index;
2988 name.name = "";
2989 name.size = 1024;
2990 r.in.name = r.out.name = &name;
2991 size = 1024;
2992 length = 5;
2993 r.in.type = &type;
2994 r.in.value = buf8;
2995 r.in.size = &size;
2996 r.in.length = &length;
2997
2998 status = dcerpc_winreg_EnumValue_r(b, tctx, &r);
2999 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
3000 return true;
3001 }
3002 enum_index += 1;
3003 }
3004 }
3005
3006 static bool enumkeys(struct torture_context *tctx,
3007 struct dcerpc_binding_handle *b,
3008 struct policy_handle *handle,
3009 int depth)
3010 {
3011 struct winreg_EnumKey r;
3012 struct winreg_StringBuf kclass, name;
3013 NTSTATUS status;
3014 NTTIME t = 0;
3015
3016 if (depth <= 0) {
3017 return true;
3018 }
3019
3020 kclass.name = "";
3021 kclass.size = 1024;
3022
3023 r.in.handle = handle;
3024 r.in.enum_index = 0;
3025 r.in.name = &name;
3026 r.in.keyclass = &kclass;
3027 r.out.name = &name;
3028 r.in.last_changed_time = &t;
3029
3030 do {
3031 struct winreg_OpenKey o;
3032 struct policy_handle key_handle;
3033 int i;
3034
3035 name.name = NULL;
3036 name.size = 1024;
3037
3038 status = dcerpc_winreg_EnumKey_r(b, tctx, &r);
3039 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
3040 /* We're done enumerating */
3041 return true;
3042 }
3043
3044 for (i=0; i<10-depth; i++) {
3045 torture_comment(tctx, " ");
3046 }
3047 torture_comment(tctx, "%s\n", r.out.name->name);
3048
3049 o.in.parent_handle = handle;
3050 o.in.keyname.name = r.out.name->name;
3051 o.in.options = 0;
3052 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3053 o.out.handle = &key_handle;
3054
3055 status = dcerpc_winreg_OpenKey_r(b, tctx, &o);
3056 if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(o.out.result)) {
3057 enumkeys(tctx, b, &key_handle, depth-1);
3058 enumvalues(tctx, b, &key_handle);
3059 torture_assert(tctx, winreg_close(tctx, b, &key_handle), "");
3060 }
3061
3062 r.in.enum_index += 1;
3063 } while(true);
3064
3065 return true;
3066 }
3067
3068 typedef NTSTATUS (*winreg_open_fn)(struct dcerpc_binding_handle *, TALLOC_CTX *, void *);
3069
3070 static bool test_Open3(struct torture_context *tctx,
3071 struct dcerpc_binding_handle *b,
3072 const char *name, winreg_open_fn open_fn)
3073 {
3074 struct policy_handle handle;
3075 struct winreg_OpenHKLM r;
3076
3077 r.in.system_name = 0;
3078 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3079 r.out.handle = &handle;
3080
3081 torture_assert_ntstatus_ok(tctx,
3082 open_fn(b, tctx, &r),
3083 talloc_asprintf(tctx, "%s failed", name));
3084 torture_assert_werr_ok(tctx, r.out.result,
3085 talloc_asprintf(tctx, "%s failed", name));
3086
3087 enumkeys(tctx, b, &handle, 4);
3088
3089 torture_assert(tctx,
3090 winreg_close(tctx, b, &handle),
3091 "dcerpc_CloseKey failed");
3092
3093 return true;
3094 }
3095
3096 static bool torture_samba3_rpc_winreg(struct torture_context *torture)
3097 {
3098 struct dcerpc_pipe *p;
3099 struct dcerpc_binding_handle *b;
3100 bool ret = true;
3101 struct {
3102 const char *name;
3103 winreg_open_fn fn;
3104 } open_fns[] = {
3105 {"OpenHKLM", (winreg_open_fn)dcerpc_winreg_OpenHKLM_r },
3106 {"OpenHKU", (winreg_open_fn)dcerpc_winreg_OpenHKU_r },
3107 {"OpenHKPD", (winreg_open_fn)dcerpc_winreg_OpenHKPD_r },
3108 {"OpenHKPT", (winreg_open_fn)dcerpc_winreg_OpenHKPT_r },
3109 {"OpenHKCR", (winreg_open_fn)dcerpc_winreg_OpenHKCR_r }};
3110 #if 0
3111 int i;
3112 #endif
3113
3114 torture_assert_ntstatus_ok(torture,
3115 torture_rpc_connection(torture, &p, &ndr_table_winreg),
3116 "failed to setup winreg");
3117
3118 b = p->binding_handle;
3119
3120 #if 1
3121 ret = test_Open3(torture, b, open_fns[0].name, open_fns[0].fn);
3122 #else
3123 for (i = 0; i < ARRAY_SIZE(open_fns); i++) {
3124 if (!test_Open3(torture, b, open_fns[i].name, open_fns[i].fn))
3125 ret = false;
3126 }
3127 #endif
3128 return ret;
3129 }
3130
3131 static bool get_shareinfo(struct torture_context *tctx,
3132 struct dcerpc_binding_handle *b,
3133 const char *servername,
3134 const char *share,
3135 struct srvsvc_NetShareInfo502 **info502)
3136 {
3137 struct srvsvc_NetShareGetInfo r;
3138 union srvsvc_NetShareInfo info;
3139
3140 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", servername);
3141 r.in.share_name = share;
3142 r.in.level = 502;
3143 r.out.info = &info;
3144
3145 torture_assert_ntstatus_ok(tctx,
3146 dcerpc_srvsvc_NetShareGetInfo_r(b, tctx, &r),
3147 "srvsvc_NetShareGetInfo failed");
3148 torture_assert_werr_ok(tctx, r.out.result,
3149 "srvsvc_NetShareGetInfo failed");
3150
3151 *info502 = talloc_move(tctx, &info.info502);
3152
3153 return true;
3154 }
3155
3156 /*
3157 * Get us a handle on HKLM\
3158 */
3159
3160 static bool get_hklm_handle(struct torture_context *tctx,
3161 struct dcerpc_binding_handle *b,
3162 struct policy_handle *handle)
3163 {
3164 struct winreg_OpenHKLM r;
3165 struct policy_handle result;
3166
3167 r.in.system_name = 0;
3168 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3169 r.out.handle = &result;
3170
3171 torture_assert_ntstatus_ok(tctx,
3172 dcerpc_winreg_OpenHKLM_r(b, tctx, &r),
3173 "OpenHKLM failed");
3174 torture_assert_werr_ok(tctx, r.out.result,
3175 "OpenHKLM failed");
3176
3177 *handle = result;
3178
3179 return true;
3180 }
3181
3182 static bool torture_samba3_createshare(struct torture_context *tctx,
3183 struct dcerpc_binding_handle *b,
3184 const char *sharename)
3185 {
3186 struct policy_handle hklm;
3187 struct policy_handle new_handle;
3188 struct winreg_CreateKey c;
3189 struct winreg_CloseKey cl;
3190 enum winreg_CreateAction action_taken = REG_ACTION_NONE;
3191
3192 ZERO_STRUCT(c);
3193 ZERO_STRUCT(cl);
3194 ZERO_STRUCT(hklm);
3195 ZERO_STRUCT(new_handle);
3196
3197 c.in.handle = &hklm;
3198 c.in.name.name = talloc_asprintf(
3199 tctx, "software\\samba\\smbconf\\%s", sharename);
3200 torture_assert(tctx, c.in.name.name, "talloc_asprintf failed");
3201
3202 c.in.keyclass.name = "";
3203 c.in.options = 0;
3204 c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3205 c.in.secdesc = NULL;
3206 c.in.action_taken = &action_taken;
3207 c.out.new_handle = &new_handle;
3208 c.out.action_taken = &action_taken;
3209
3210 torture_assert_ntstatus_ok(tctx,
3211 dcerpc_winreg_CreateKey_r(b, tctx, &c),
3212 "OpenKey failed");
3213 torture_assert_werr_ok(tctx, c.out.result,
3214 "OpenKey failed");
3215
3216 cl.in.handle = &new_handle;
3217 cl.out.handle = &new_handle;
3218
3219 torture_assert_ntstatus_ok(tctx,
3220 dcerpc_winreg_CloseKey_r(b, tctx, &cl),
3221 "CloseKey failed");
3222 torture_assert_werr_ok(tctx, cl.out.result,
3223 "CloseKey failed");
3224
3225 return true;
3226 }
3227
3228 static bool torture_samba3_deleteshare(struct torture_context *tctx,
3229 struct dcerpc_binding_handle *b,
3230 const char *sharename)
3231 {
3232 struct policy_handle hklm;
3233 struct winreg_DeleteKey d;
3234
3235 torture_assert(tctx,
3236 get_hklm_handle(tctx, b, &hklm),
3237 "get_hklm_handle failed");
3238
3239 d.in.handle = &hklm;
3240 d.in.key.name = talloc_asprintf(
3241 tctx, "software\\samba\\smbconf\\%s", sharename);
3242 torture_assert(tctx, d.in.key.name, "talloc_asprintf failed");
3243
3244 torture_assert_ntstatus_ok(tctx,
3245 dcerpc_winreg_DeleteKey_r(b, tctx, &d),
3246 "DeleteKey failed");
3247 torture_assert_werr_ok(tctx, d.out.result,
3248 "DeleteKey failed");
3249
3250 return true;
3251 }
3252
3253 static bool torture_samba3_setconfig(struct torture_context *tctx,
3254 struct dcerpc_binding_handle *b,
3255 const char *sharename,
3256 const char *parameter,
3257 const char *value)
3258 {
3259 struct policy_handle hklm, key_handle;
3260 struct winreg_OpenKey o;
3261 struct winreg_SetValue s;
3262 uint32_t type;
3263 DATA_BLOB val;
3264
3265 torture_assert(tctx,
3266 get_hklm_handle(tctx, b, &hklm),
3267 "get_hklm_handle failed");
3268
3269 o.in.parent_handle = &hklm;
3270 o.in.keyname.name = talloc_asprintf(
3271 tctx, "software\\samba\\smbconf\\%s", sharename);
3272 torture_assert(tctx, o.in.keyname.name, "talloc_asprintf failed");
3273
3274 o.in.options = 0;
3275 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3276 o.out.handle = &key_handle;
3277
3278 torture_assert_ntstatus_ok(tctx,
3279 dcerpc_winreg_OpenKey_r(b, tctx, &o),
3280 "OpenKey failed");
3281 torture_assert_werr_ok(tctx, o.out.result,
3282 "OpenKey failed");
3283
3284 torture_assert(tctx,
3285 reg_string_to_val(tctx, "REG_SZ", value, &type, &val),
3286 "reg_string_to_val failed");
3287
3288 s.in.handle = &key_handle;
3289 s.in.name.name = parameter;
3290 s.in.type = type;
3291 s.in.data = val.data;
3292 s.in.size = val.length;
3293
3294 torture_assert_ntstatus_ok(tctx,
3295 dcerpc_winreg_SetValue_r(b, tctx, &s),
3296 "SetValue failed");
3297 torture_assert_werr_ok(tctx, s.out.result,
3298 "SetValue failed");
3299
3300 return true;
3301 }
3302
3303 static bool torture_samba3_regconfig(struct torture_context *torture)
3304 {
3305 struct srvsvc_NetShareInfo502 *i = NULL;
3306 const char *comment = "Dummer Kommentar";
3307 struct dcerpc_pipe *srvsvc_pipe, *winreg_pipe;
3308
3309 torture_assert_ntstatus_ok(torture,
3310 torture_rpc_connection(torture, &srvsvc_pipe, &ndr_table_srvsvc),
3311 "failed to setup srvsvc");
3312
3313 torture_assert_ntstatus_ok(torture,
3314 torture_rpc_connection(torture, &winreg_pipe, &ndr_table_winreg),
3315 "failed to setup winreg");
3316
3317 torture_assert(torture,
3318 torture_samba3_createshare(torture, winreg_pipe->binding_handle, "blubber"),
3319 "torture_samba3_createshare failed");
3320
3321 torture_assert(torture,
3322 torture_samba3_setconfig(torture, winreg_pipe->binding_handle, "blubber", "comment", comment),
3323 "torture_samba3_setconfig failed");
3324
3325 torture_assert(torture,
3326 get_shareinfo(torture, srvsvc_pipe->binding_handle, dcerpc_server_name(srvsvc_pipe), "blubber", &i),
3327 "get_shareinfo failed");
3328
3329 torture_assert_str_equal(torture, comment, i->comment,
3330 "got unexpected comment");
3331
3332 torture_assert(torture,
3333 torture_samba3_deleteshare(torture, winreg_pipe->binding_handle, "blubber"),
3334 "torture_samba3_deleteshare failed");
3335
3336 return true;
3337 }
3338
3339 /*
3340 * Test that even with a result of 0 rids the array is returned as a
3341 * non-NULL pointer. Yes, XP does notice.
3342 */
3343
3344 bool torture_samba3_getaliasmembership_0(struct torture_context *torture)
3345 {
3346 struct dcerpc_pipe *p;
3347 struct dcerpc_binding_handle *b;
3348 struct samr_Connect2 c;
3349 struct samr_OpenDomain o;
3350 struct dom_sid sid;
3351 struct lsa_SidPtr ptr;
3352 struct lsa_SidArray sids;
3353 struct samr_GetAliasMembership g;
3354 struct samr_Ids rids;
3355 struct policy_handle samr, domain;
3356
3357 torture_assert_ntstatus_ok(torture,
3358 torture_rpc_connection(torture, &p, &ndr_table_samr),
3359 "failed to setup samr");
3360
3361 b = p->binding_handle;
3362
3363 c.in.system_name = NULL;
3364 c.in.access_mask = SAMR_ACCESS_LOOKUP_DOMAIN;
3365 c.out.connect_handle = &samr;
3366 torture_assert_ntstatus_ok(torture,
3367 dcerpc_samr_Connect2_r(b, torture, &c),
3368 "");
3369 torture_assert_ntstatus_ok(torture, c.out.result,
3370 "");
3371 dom_sid_parse("S-1-5-32", &sid);
3372 o.in.connect_handle = &samr;
3373 o.in.access_mask = SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS;
3374 o.in.sid = &sid;
3375 o.out.domain_handle = &domain;
3376 torture_assert_ntstatus_ok(torture,
3377 dcerpc_samr_OpenDomain_r(b, torture, &o),
3378 "");
3379 torture_assert_ntstatus_ok(torture, o.out.result,
3380 "");
3381 dom_sid_parse("S-1-2-3-4-5", &sid);
3382 ptr.sid = &sid;
3383 sids.num_sids = 1;
3384 sids.sids = &ptr;
3385 g.in.domain_handle = &domain;
3386 g.in.sids = &sids;
3387 g.out.rids = &rids;
3388 torture_assert_ntstatus_ok(torture,
3389 dcerpc_samr_GetAliasMembership_r(b, torture, &g),
3390 "");
3391 torture_assert_ntstatus_ok(torture, g.out.result,
3392 "");
3393 if (rids.ids == NULL) {
3394 /* This is the piece to test here */
3395 torture_fail(torture,
3396 "torture_samba3_getaliasmembership_0: "
3397 "Server returns NULL rids array\n");
3398 }
3399
3400 return true;
3401 }
3402
3403 /**
3404 * Test smb reauthentication while rpc pipe is in use.
3405 */
3406 static bool torture_rpc_smb_reauth1(struct torture_context *torture)
3407 {
3408 TALLOC_CTX *mem_ctx;
3409 NTSTATUS status;
3410 bool ret = false;
3411 struct smbcli_state *cli;
3412 struct smbcli_options options;
3413 struct smbcli_session_options session_options;
3414
3415 struct dcerpc_pipe *lsa_pipe;
3416 struct dcerpc_binding_handle *lsa_handle;
3417 struct lsa_GetUserName r;
3418 struct lsa_String *authority_name_p = NULL;
3419 char *authority_name_saved = NULL;
3420 struct lsa_String *account_name_p = NULL;
3421 char *account_name_saved = NULL;
3422 struct cli_credentials *anon_creds = NULL;
3423 struct smb_composite_sesssetup io;
3424
3425 mem_ctx = talloc_init("torture_samba3_reauth");
3426 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
3427
3428 lpcfg_smbcli_options(torture->lp_ctx, &options);
3429 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
3430
3431 status = smbcli_full_connection(mem_ctx, &cli,
3432 torture_setting_string(torture, "host", NULL),
3433 lpcfg_smb_ports(torture->lp_ctx),
3434 "IPC$", NULL,
3435 lpcfg_socket_options(torture->lp_ctx),
3436 samba_cmdline_get_creds(),
3437 lpcfg_resolve_context(torture->lp_ctx),
3438 torture->ev, &options, &session_options,
3439 lpcfg_gensec_settings(torture, torture->lp_ctx));
3440 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3441 "smbcli_full_connection failed");
3442
3443 status = pipe_bind_smb(torture, mem_ctx, cli->tree, "\\lsarpc",
3444 &ndr_table_lsarpc, &lsa_pipe);
3445 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3446 "pipe_bind_smb failed");
3447 lsa_handle = lsa_pipe->binding_handle;
3448
3449 /* lsa getusername */
3450
3451 ZERO_STRUCT(r);
3452 r.in.system_name = "\\";
3453 r.in.account_name = &account_name_p;
3454 r.in.authority_name = &authority_name_p;
3455 r.out.account_name = &account_name_p;
3456
3457 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3458
3459 authority_name_p = *r.out.authority_name;
3460
3461 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3462 "GetUserName failed");
3463 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3464 "GetUserName failed");
3465
3466 torture_comment(torture, "lsa_GetUserName gave '%s\\%s'\n",
3467 authority_name_p->string,
3468 account_name_p->string);
3469
3470 account_name_saved = talloc_strdup(mem_ctx, account_name_p->string);
3471 torture_assert_goto(torture, (account_name_saved != NULL), ret, done,
3472 "talloc failed");
3473 authority_name_saved = talloc_strdup(mem_ctx, authority_name_p->string);
3474 torture_assert_goto(torture, (authority_name_saved != NULL), ret, done,
3475 "talloc failed");
3476
3477 /* smb re-authenticate as anonymous */
3478
3479 anon_creds = cli_credentials_init_anon(mem_ctx);
3480
3481 ZERO_STRUCT(io);
3482 io.in.sesskey = cli->transport->negotiate.sesskey;
3483 io.in.capabilities = cli->transport->negotiate.capabilities;
3484 io.in.credentials = anon_creds;
3485 io.in.workgroup = lpcfg_workgroup(torture->lp_ctx);
3486 io.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
3487
3488 status = smb_composite_sesssetup(cli->session, &io);
3489 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3490 "session reauth to anon failed");
3491
3492 /* re-do lsa getusername after reauth */
3493
3494 TALLOC_FREE(authority_name_p);
3495 TALLOC_FREE(account_name_p);
3496 ZERO_STRUCT(r);
3497 r.in.system_name = "\\";
3498 r.in.account_name = &account_name_p;
3499 r.in.authority_name = &authority_name_p;
3500 r.out.account_name = &account_name_p;
3501
3502 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3503
3504 authority_name_p = *r.out.authority_name;
3505
3506 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3507 "GetUserName failed");
3508 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3509 "GetUserName failed");
3510
3511 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3512 ret, done, "authority_name not equal after reauth to anon");
3513 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3514 ret, done, "account_name not equal after reauth to anon");
3515
3516 /* smb re-auth again to the original user */
3517
3518 ZERO_STRUCT(io);
3519 io.in.sesskey = cli->transport->negotiate.sesskey;
3520 io.in.capabilities = cli->transport->negotiate.capabilities;
3521 io.in.credentials = samba_cmdline_get_creds();
3522 io.in.workgroup = lpcfg_workgroup(torture->lp_ctx);
3523 io.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
3524
3525 status = smb_composite_sesssetup(cli->session, &io);
3526 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3527 "session reauth to anon failed");
3528
3529 /* re-do lsa getusername */
3530
3531 TALLOC_FREE(authority_name_p);
3532 TALLOC_FREE(account_name_p);
3533 ZERO_STRUCT(r);
3534 r.in.system_name = "\\";
3535 r.in.account_name = &account_name_p;
3536 r.in.authority_name = &authority_name_p;
3537 r.out.account_name = &account_name_p;
3538
3539 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3540
3541 authority_name_p = *r.out.authority_name;
3542
3543 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3544 "GetUserName failed");
3545 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3546 "GetUserName failed");
3547
3548 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3549 ret, done, "authority_name not equal after reauth to anon");
3550 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3551 ret, done, "account_name not equal after reauth to anon");
3552
3553 ret = true;
3554
3555 done:
3556 talloc_free(mem_ctx);
3557 return ret;
3558 }
3559
3560 /**
3561 * Test smb reauthentication while rpc pipe is in use.
3562 * Open a second lsa bind after reauth to anon.
3563 * Do lsa getusername on that second bind.
3564 */
3565 static bool torture_rpc_smb_reauth2(struct torture_context *torture)
3566 {
3567 TALLOC_CTX *mem_ctx;
3568 NTSTATUS status;
3569 bool ret = false;
3570 struct smbcli_state *cli;
3571 struct smbcli_options options;
3572 struct smbcli_session_options session_options;
3573
3574 struct dcerpc_pipe *lsa_pipe;
3575 struct dcerpc_binding_handle *lsa_handle;
3576 struct lsa_GetUserName r;
3577 struct lsa_String *authority_name_p = NULL;
3578 char *authority_name_saved = NULL;
3579 struct lsa_String *account_name_p = NULL;
3580 char *account_name_saved = NULL;
3581 struct cli_credentials *anon_creds = NULL;
3582 struct smb_composite_sesssetup io;
3583
3584 mem_ctx = talloc_init("torture_samba3_reauth");
3585 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
3586
3587 lpcfg_smbcli_options(torture->lp_ctx, &options);
3588 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
3589
3590 status = smbcli_full_connection(mem_ctx, &cli,
3591 torture_setting_string(torture, "host", NULL),
3592 lpcfg_smb_ports(torture->lp_ctx),
3593 "IPC$", NULL,
3594 lpcfg_socket_options(torture->lp_ctx),
3595 samba_cmdline_get_creds(),
3596 lpcfg_resolve_context(torture->lp_ctx),
3597 torture->ev, &options, &session_options,
3598 lpcfg_gensec_settings(torture, torture->lp_ctx));
3599 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3600 "smbcli_full_connection failed");
3601
3602 /* smb re-authenticate as anonymous */
3603
3604 anon_creds = cli_credentials_init_anon(mem_ctx);
3605
3606 ZERO_STRUCT(io);
3607 io.in.sesskey = cli->transport->negotiate.sesskey;
3608 io.in.capabilities = cli->transport->negotiate.capabilities;
3609 io.in.credentials = anon_creds;
3610 io.in.workgroup = lpcfg_workgroup(torture->lp_ctx);
3611 io.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
3612
3613 status = smb_composite_sesssetup(cli->session, &io);
3614 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3615 "session reauth to anon failed");
3616
3617 /* open the lsa pipe */
3618
3619 status = pipe_bind_smb(torture, mem_ctx, cli->tree, "\\lsarpc",
3620 &ndr_table_lsarpc, &lsa_pipe);
3621 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3622 "pipe_bind_smb failed");
3623 lsa_handle = lsa_pipe->binding_handle;
3624
3625 /* lsa getusername */
3626
3627 ZERO_STRUCT(r);
3628 r.in.system_name = "\\";
3629 r.in.account_name = &account_name_p;
3630 r.in.authority_name = &authority_name_p;
3631 r.out.account_name = &account_name_p;
3632
3633 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3634
3635 authority_name_p = *r.out.authority_name;
3636
3637 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3638 "GetUserName failed");
3639 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3640 "GetUserName failed");
3641
3642 torture_comment(torture, "lsa_GetUserName gave '%s\\%s'\n",
3643 authority_name_p->string,
3644 account_name_p->string);
3645
3646 account_name_saved = talloc_strdup(mem_ctx, account_name_p->string);
3647 torture_assert_goto(torture, (account_name_saved != NULL), ret, done,
3648 "talloc failed");
3649 authority_name_saved = talloc_strdup(mem_ctx, authority_name_p->string);
3650 torture_assert_goto(torture, (authority_name_saved != NULL), ret, done,
3651 "talloc failed");
3652
3653 /* smb re-auth again to the original user */
3654
3655 ZERO_STRUCT(io);
3656 io.in.sesskey = cli->transport->negotiate.sesskey;
3657 io.in.capabilities = cli->transport->negotiate.capabilities;
3658 io.in.credentials = samba_cmdline_get_creds();
3659 io.in.workgroup = lpcfg_workgroup(torture->lp_ctx);
3660 io.in.gensec_settings = lpcfg_gensec_settings(torture, torture->lp_ctx);
3661
3662 status = smb_composite_sesssetup(cli->session, &io);
3663 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3664 "session reauth to anon failed");
3665
3666 /* re-do lsa getusername after reauth */
3667
3668 TALLOC_FREE(authority_name_p);
3669 TALLOC_FREE(account_name_p);
3670 ZERO_STRUCT(r);
3671 r.in.system_name = "\\";
3672 r.in.account_name = &account_name_p;
3673 r.in.authority_name = &authority_name_p;
3674 r.out.account_name = &account_name_p;
3675
3676 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3677
3678 authority_name_p = *r.out.authority_name;
3679
3680 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3681 "GetUserName failed");
3682 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3683 "GetUserName failed");
3684
3685 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3686 ret, done, "authority_name not equal after reauth to anon");
3687 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3688 ret, done, "account_name not equal after reauth to anon");
3689
3690 ret = true;
3691
3692 done:
3693 talloc_free(mem_ctx);
3694 return ret;
3695 }
3696
3697 /**
3698 * Test smb2 reauthentication while rpc pipe is in use.
3699 */
3700 static bool torture_rpc_smb2_reauth1(struct torture_context *torture)
3701 {
3702 TALLOC_CTX *mem_ctx;
3703 NTSTATUS status;
3704 bool ret = false;
3705 struct smbcli_options options;
3706
3707 struct dcerpc_pipe *lsa_pipe;
3708 struct dcerpc_binding_handle *lsa_handle;
3709 struct lsa_GetUserName r;
3710 struct lsa_String *authority_name_p = NULL;
3711 char *authority_name_saved = NULL;
3712 struct lsa_String *account_name_p = NULL;
3713 char *account_name_saved = NULL;
3714 struct cli_credentials *anon_creds = NULL;
3715 const char *host = torture_setting_string(torture, "host", NULL);
3716 struct smb2_tree *tree;
3717
3718 mem_ctx = talloc_init("torture_samba3_reauth");
3719 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
3720
3721 lpcfg_smbcli_options(torture->lp_ctx, &options);
3722
3723 status = smb2_connect(mem_ctx,
3724 host,
3725 lpcfg_smb_ports(torture->lp_ctx),
3726 "IPC$",
3727 lpcfg_resolve_context(torture->lp_ctx),
3728 samba_cmdline_get_creds(),
3729 &tree,
3730 torture->ev,
3731 &options,
3732 lpcfg_socket_options(torture->lp_ctx),
3733 lpcfg_gensec_settings(torture, torture->lp_ctx)
3734 );
3735 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3736 "smb2_connect failed");
3737
3738 status = pipe_bind_smb2(torture, mem_ctx, tree, "lsarpc",
3739 &ndr_table_lsarpc, &lsa_pipe);
3740 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3741 "pipe_bind_smb2 failed");
3742 lsa_handle = lsa_pipe->binding_handle;
3743
3744 /* lsa getusername */
3745
3746 ZERO_STRUCT(r);
3747 r.in.system_name = "\\";
3748 r.in.account_name = &account_name_p;
3749 r.in.authority_name = &authority_name_p;
3750 r.out.account_name = &account_name_p;
3751
3752 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3753
3754 authority_name_p = *r.out.authority_name;
3755
3756 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3757 "GetUserName failed");
3758 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3759 "GetUserName failed");
3760
3761 torture_comment(torture, "lsa_GetUserName gave '%s\\%s'\n",
3762 authority_name_p->string,
3763 account_name_p->string);
3764
3765 account_name_saved = talloc_strdup(mem_ctx, account_name_p->string);
3766 torture_assert_goto(torture, (account_name_saved != NULL), ret, done,
3767 "talloc failed");
3768 authority_name_saved = talloc_strdup(mem_ctx, authority_name_p->string);
3769 torture_assert_goto(torture, (authority_name_saved != NULL), ret, done,
3770 "talloc failed");
3771
3772 /* smb re-authenticate as anonymous */
3773
3774 anon_creds = cli_credentials_init_anon(mem_ctx);
3775
3776 status = smb2_session_setup_spnego(tree->session,
3777 anon_creds,
3778 0 /* previous_session_id */);
3779 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3780 "session reauth to anon failed");
3781
3782 /* re-do lsa getusername after reauth */
3783
3784 TALLOC_FREE(authority_name_p);
3785 TALLOC_FREE(account_name_p);
3786 ZERO_STRUCT(r);
3787 r.in.system_name = "\\";
3788 r.in.account_name = &account_name_p;
3789 r.in.authority_name = &authority_name_p;
3790 r.out.account_name = &account_name_p;
3791
3792 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3793
3794 authority_name_p = *r.out.authority_name;
3795
3796 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3797 "GetUserName failed");
3798 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3799 "GetUserName failed");
3800
3801 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3802 ret, done, "authority_name not equal after reauth to anon");
3803 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3804 ret, done, "account_name not equal after reauth to anon");
3805
3806 /* smb re-auth again to the original user */
3807
3808 status = smb2_session_setup_spnego(tree->session,
3809 samba_cmdline_get_creds(),
3810 0 /* previous_session_id */);
3811 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3812 "session reauth to anon failed");
3813
3814 /* re-do lsa getusername */
3815
3816 TALLOC_FREE(authority_name_p);
3817 TALLOC_FREE(account_name_p);
3818 ZERO_STRUCT(r);
3819 r.in.system_name = "\\";
3820 r.in.account_name = &account_name_p;
3821 r.in.authority_name = &authority_name_p;
3822 r.out.account_name = &account_name_p;
3823
3824 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3825
3826 authority_name_p = *r.out.authority_name;
3827
3828 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3829 "GetUserName failed");
3830 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3831 "GetUserName failed");
3832
3833 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3834 ret, done, "authority_name not equal after reauth to anon");
3835 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3836 ret, done, "account_name not equal after reauth to anon");
3837
3838 ret = true;
3839
3840 done:
3841 talloc_free(mem_ctx);
3842 return ret;
3843 }
3844
3845 /**
3846 * Test smb2 reauthentication while rpc pipe is in use.
3847 * Open a second lsa bind after reauth to anon.
3848 * Do lsa getusername on that second bind.
3849 */
3850 static bool torture_rpc_smb2_reauth2(struct torture_context *torture)
3851 {
3852 TALLOC_CTX *mem_ctx;
3853 NTSTATUS status;
3854 bool ret = false;
3855 struct smbcli_options options;
3856
3857 struct dcerpc_pipe *lsa_pipe;
3858 struct dcerpc_binding_handle *lsa_handle;
3859 struct lsa_GetUserName r;
3860 struct lsa_String *authority_name_p = NULL;
3861 char *authority_name_saved = NULL;
3862 struct lsa_String *account_name_p = NULL;
3863 char *account_name_saved = NULL;
3864 struct cli_credentials *anon_creds = NULL;
3865 const char *host = torture_setting_string(torture, "host", NULL);
3866 struct smb2_tree *tree;
3867
3868 mem_ctx = talloc_init("torture_samba3_reauth");
3869 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
3870
3871 lpcfg_smbcli_options(torture->lp_ctx, &options);
3872
3873 status = smb2_connect(mem_ctx,
3874 host,
3875 lpcfg_smb_ports(torture->lp_ctx),
3876 "IPC$",
3877 lpcfg_resolve_context(torture->lp_ctx),
3878 samba_cmdline_get_creds(),
3879 &tree,
3880 torture->ev,
3881 &options,
3882 lpcfg_socket_options(torture->lp_ctx),
3883 lpcfg_gensec_settings(torture, torture->lp_ctx)
3884 );
3885 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3886 "smb2_connect failed");
3887
3888 /* smb re-authenticate as anonymous */
3889
3890 anon_creds = cli_credentials_init_anon(mem_ctx);
3891
3892 status = smb2_session_setup_spnego(tree->session,
3893 anon_creds,
3894 0 /* previous_session_id */);
3895 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3896 "session reauth to anon failed");
3897
3898 /* open the lsa pipe */
3899
3900 status = pipe_bind_smb2(torture, mem_ctx, tree, "lsarpc",
3901 &ndr_table_lsarpc, &lsa_pipe);
3902 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3903 "pipe_bind_smb2 failed");
3904 lsa_handle = lsa_pipe->binding_handle;
3905
3906 /* lsa getusername */
3907
3908 ZERO_STRUCT(r);
3909 r.in.system_name = "\\";
3910 r.in.account_name = &account_name_p;
3911 r.in.authority_name = &authority_name_p;
3912 r.out.account_name = &account_name_p;
3913
3914 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3915
3916 authority_name_p = *r.out.authority_name;
3917
3918 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3919 "GetUserName failed");
3920 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3921 "GetUserName failed");
3922
3923 torture_comment(torture, "lsa_GetUserName gave '%s\\%s'\n",
3924 authority_name_p->string,
3925 account_name_p->string);
3926
3927 account_name_saved = talloc_strdup(mem_ctx, account_name_p->string);
3928 torture_assert_goto(torture, (account_name_saved != NULL), ret, done,
3929 "talloc failed");
3930 authority_name_saved = talloc_strdup(mem_ctx, authority_name_p->string);
3931 torture_assert_goto(torture, (authority_name_saved != NULL), ret, done,
3932 "talloc failed");
3933
3934 /* smb re-auth again to the original user */
3935
3936 status = smb2_session_setup_spnego(tree->session,
3937 samba_cmdline_get_creds(),
3938 0 /* previous_session_id */);
3939 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3940 "session reauth to anon failed");
3941
3942 /* re-do lsa getusername */
3943
3944 TALLOC_FREE(authority_name_p);
3945 TALLOC_FREE(account_name_p);
3946 ZERO_STRUCT(r);
3947 r.in.system_name = "\\";
3948 r.in.account_name = &account_name_p;
3949 r.in.authority_name = &authority_name_p;
3950 r.out.account_name = &account_name_p;
3951
3952 status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
3953
3954 authority_name_p = *r.out.authority_name;
3955
3956 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
3957 "GetUserName failed");
3958 torture_assert_ntstatus_ok_goto(torture, r.out.result, ret, done,
3959 "GetUserName failed");
3960
3961 torture_assert_goto(torture, (strcmp(authority_name_p->string, authority_name_saved) == 0),
3962 ret, done, "authority_name not equal after reauth to anon");
3963 torture_assert_goto(torture, (strcmp(account_name_p->string, account_name_saved) == 0),
3964 ret, done, "account_name not equal after reauth to anon");
3965
3966 ret = true;
3967
3968 done:
3969 talloc_free(mem_ctx);
3970 return ret;
3971 }
3972
3973 static bool torture_rpc_smb1_pipe_name(struct torture_context *torture)
3974 {
3975 TALLOC_CTX *mem_ctx;
3976 NTSTATUS status;
3977 bool ret = false;
3978 struct smbcli_state *cli;
3979 struct smbcli_options options;
3980 struct smbcli_session_options session_options;
3981 union smb_open io;
3982 union smb_close cl;
3983 uint16_t fnum;
3984
3985 mem_ctx = talloc_init("torture_samba3_smb1_pipe_name");
3986 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
3987
3988 lpcfg_smbcli_options(torture->lp_ctx, &options);
3989 lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
3990
3991 status = smbcli_full_connection(mem_ctx, &cli,
3992 torture_setting_string(torture, "host", NULL),
3993 lpcfg_smb_ports(torture->lp_ctx),
3994 "IPC$", NULL,
3995 lpcfg_socket_options(torture->lp_ctx),
3996 samba_cmdline_get_creds(),
3997 lpcfg_resolve_context(torture->lp_ctx),
3998 torture->ev, &options, &session_options,
3999 lpcfg_gensec_settings(torture, torture->lp_ctx));
4000 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4001 "smbcli_full_connection failed");
4002
4003 ZERO_STRUCT(io);
4004 io.generic.level = RAW_OPEN_NTCREATEX;
4005 io.ntcreatex.in.access_mask = DESIRED_ACCESS_PIPE;
4006 io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ|
4007 NTCREATEX_SHARE_ACCESS_WRITE;
4008 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
4009 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_IMPERSONATION;
4010 io.ntcreatex.in.security_flags = 0;
4011
4012 io.ntcreatex.in.fname = "__none__";
4013 status = smb_raw_open(cli->tree, torture, &io);
4014 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4015 ret, done,
4016 "smb_raw_open for '__none__'");
4017
4018 io.ntcreatex.in.fname = "pipe\\srvsvc";
4019 status = smb_raw_open(cli->tree, torture, &io);
4020 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4021 ret, done,
4022 "smb_raw_open for 'pipe\\srvsvc'");
4023
4024 io.ntcreatex.in.fname = "\\pipe\\srvsvc";
4025 status = smb_raw_open(cli->tree, torture, &io);
4026 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4027 ret, done,
4028 "smb_raw_open for '\\pipe\\srvsvc'");
4029
4030 io.ntcreatex.in.fname = "srvsvc";
4031 status = smb_raw_open(cli->tree, torture, &io);
4032 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4033 "smb2_create failed for 'srvsvc'");
4034 fnum = io.ntcreatex.out.file.fnum;
4035 ZERO_STRUCT(cl);
4036 cl.generic.level = RAW_CLOSE_CLOSE;
4037 cl.close.in.file.fnum = fnum;
4038 status = smb_raw_close(cli->tree, &cl);
4039 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4040 "smb_raw_close failed");
4041
4042 io.ntcreatex.in.fname = "\\srvsvc";
4043 status = smb_raw_open(cli->tree, torture, &io);
4044 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4045 "smb2_create failed for '\\srvsvc'");
4046 fnum = io.ntcreatex.out.file.fnum;
4047 ZERO_STRUCT(cl);
4048 cl.generic.level = RAW_CLOSE_CLOSE;
4049 cl.close.in.file.fnum = fnum;
4050 status = smb_raw_close(cli->tree, &cl);
4051 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4052 "smb_raw_close failed");
4053
4054 io.ntcreatex.in.fname = "\\\\\\\\\\srvsvc";
4055 status = smb_raw_open(cli->tree, torture, &io);
4056 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4057 "smb2_create failed for '\\\\\\\\\\srvsvc'");
4058 fnum = io.ntcreatex.out.file.fnum;
4059 ZERO_STRUCT(cl);
4060 cl.generic.level = RAW_CLOSE_CLOSE;
4061 cl.close.in.file.fnum = fnum;
4062 status = smb_raw_close(cli->tree, &cl);
4063 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4064 "smb_raw_close failed");
4065
4066 ZERO_STRUCT(io);
4067 io.generic.level = RAW_OPEN_NTTRANS_CREATE;
4068 io.nttrans.in.access_mask = DESIRED_ACCESS_PIPE;
4069 io.nttrans.in.share_access = NTCREATEX_SHARE_ACCESS_READ|
4070 NTCREATEX_SHARE_ACCESS_WRITE;
4071 io.nttrans.in.open_disposition = NTCREATEX_DISP_OPEN;
4072 io.nttrans.in.impersonation = NTCREATEX_IMPERSONATION_IMPERSONATION;
4073 io.nttrans.in.security_flags = 0;
4074
4075 io.nttrans.in.fname = "__none__";
4076 status = smb_raw_open(cli->tree, torture, &io);
4077 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4078 ret, done,
4079 "smb_raw_open for '__none__'");
4080
4081 io.nttrans.in.fname = "pipe\\srvsvc";
4082 status = smb_raw_open(cli->tree, torture, &io);
4083 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4084 ret, done,
4085 "smb_raw_open for 'pipe\\srvsvc'");
4086
4087 io.nttrans.in.fname = "\\pipe\\srvsvc";
4088 status = smb_raw_open(cli->tree, torture, &io);
4089 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4090 ret, done,
4091 "smb_raw_open for '\\pipe\\srvsvc'");
4092
4093 io.nttrans.in.fname = "srvsvc";
4094 status = smb_raw_open(cli->tree, torture, &io);
4095 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4096 "smb2_create failed for 'srvsvc'");
4097 fnum = io.nttrans.out.file.fnum;
4098 ZERO_STRUCT(cl);
4099 cl.generic.level = RAW_CLOSE_CLOSE;
4100 cl.close.in.file.fnum = fnum;
4101 status = smb_raw_close(cli->tree, &cl);
4102 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4103 "smb_raw_close failed");
4104
4105 io.nttrans.in.fname = "\\srvsvc";
4106 status = smb_raw_open(cli->tree, torture, &io);
4107 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4108 "smb2_create failed for '\\srvsvc'");
4109 fnum = io.nttrans.out.file.fnum;
4110 ZERO_STRUCT(cl);
4111 cl.generic.level = RAW_CLOSE_CLOSE;
4112 cl.close.in.file.fnum = fnum;
4113 status = smb_raw_close(cli->tree, &cl);
4114 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4115 "smb_raw_close failed");
4116
4117 io.nttrans.in.fname = "\\\\\\\\\\srvsvc";
4118 status = smb_raw_open(cli->tree, torture, &io);
4119 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4120 "smb2_create failed for '\\\\\\\\\\srvsvc'");
4121 fnum = io.nttrans.out.file.fnum;
4122 ZERO_STRUCT(cl);
4123 cl.generic.level = RAW_CLOSE_CLOSE;
4124 cl.close.in.file.fnum = fnum;
4125 status = smb_raw_close(cli->tree, &cl);
4126 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4127 "smb_raw_close failed");
4128
4129 ZERO_STRUCT(io);
4130 io.generic.level = RAW_OPEN_OPENX;
4131 io.openx.in.open_mode = OPENX_MODE_ACCESS_RDWR;
4132 io.openx.in.open_func = OPENX_OPEN_FUNC_OPEN;
4133
4134 io.openx.in.fname = "__none__";
4135 status = smb_raw_open(cli->tree, torture, &io);
4136 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_PATH_SYNTAX_BAD,
4137 ret, done,
4138 "smb_raw_open for '__none__'");
4139
4140 io.openx.in.fname = "srvsvc";
4141 status = smb_raw_open(cli->tree, torture, &io);
4142 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_PATH_SYNTAX_BAD,
4143 ret, done,
4144 "smb_raw_open for 'srvsvc'");
4145
4146 io.openx.in.fname = "\\srvsvc";
4147 status = smb_raw_open(cli->tree, torture, &io);
4148 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_PATH_SYNTAX_BAD,
4149 ret, done,
4150 "smb_raw_open for '\\srvsvc'");
4151
4152 io.openx.in.fname = "\\pipesrvsvc";
4153 status = smb_raw_open(cli->tree, torture, &io);
4154 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_PATH_SYNTAX_BAD,
4155 ret, done,
4156 "smb_raw_open for '\\pipesrvsvc'");
4157
4158 io.openx.in.fname = "pipe\\__none__";
4159 status = smb_raw_open(cli->tree, torture, &io);
4160 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4161 ret, done,
4162 "smb_raw_open for 'pipe\\__none__'");
4163
4164 io.openx.in.fname = "\\pipe\\__none__";
4165 status = smb_raw_open(cli->tree, torture, &io);
4166 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4167 ret, done,
4168 "smb_raw_open for '\\pipe\\__none__'");
4169
4170 io.openx.in.fname = "pipe\\srvsvc";
4171 status = smb_raw_open(cli->tree, torture, &io);
4172 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4173 "smb2_create failed for 'pipe\\srvsvc'");
4174 fnum = io.openx.out.file.fnum;
4175 ZERO_STRUCT(cl);
4176 cl.generic.level = RAW_CLOSE_CLOSE;
4177 cl.close.in.file.fnum = fnum;
4178 status = smb_raw_close(cli->tree, &cl);
4179 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4180 "smb_raw_close failed");
4181
4182 io.openx.in.fname = "\\pipe\\srvsvc";
4183 status = smb_raw_open(cli->tree, torture, &io);
4184 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4185 "smb2_create failed for '\\pipe\\srvsvc'");
4186 fnum = io.openx.out.file.fnum;
4187 ZERO_STRUCT(cl);
4188 cl.generic.level = RAW_CLOSE_CLOSE;
4189 cl.close.in.file.fnum = fnum;
4190 status = smb_raw_close(cli->tree, &cl);
4191 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4192 "smb_raw_close failed");
4193
4194 io.openx.in.fname = "\\\\\\\\\\pipe\\srvsvc";
4195 status = smb_raw_open(cli->tree, torture, &io);
4196 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4197 "smb2_create failed for '\\\\\\\\\\pipe\\srvsvc'");
4198 fnum = io.openx.out.file.fnum;
4199 ZERO_STRUCT(cl);
4200 cl.generic.level = RAW_CLOSE_CLOSE;
4201 cl.close.in.file.fnum = fnum;
4202 status = smb_raw_close(cli->tree, &cl);
4203 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4204 "smb_raw_close failed");
4205
4206 io.openx.in.fname = "\\\\\\\\\\pipe\\\\\\\\\\srvsvc";
4207 status = smb_raw_open(cli->tree, torture, &io);
4208 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4209 "smb2_create failed for '\\\\\\\\\\pipe\\\\\\\\\\srvsvc'");
4210 fnum = io.openx.out.file.fnum;
4211 ZERO_STRUCT(cl);
4212 cl.generic.level = RAW_CLOSE_CLOSE;
4213 cl.close.in.file.fnum = fnum;
4214 status = smb_raw_close(cli->tree, &cl);
4215 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4216 "smb_raw_close failed");
4217 ret = true;
4218
4219 done:
4220 talloc_free(mem_ctx);
4221 return ret;
4222 }
4223
4224 static bool torture_rpc_smb2_pipe_name(struct torture_context *torture)
4225 {
4226 TALLOC_CTX *mem_ctx;
4227 NTSTATUS status;
4228 bool ret = false;
4229 struct smbcli_options options;
4230 const char *host = torture_setting_string(torture, "host", NULL);
4231 struct smb2_tree *tree;
4232 struct smb2_handle h;
4233 struct smb2_create io;
4234
4235 mem_ctx = talloc_init("torture_samba3_smb2_pipe_name");
4236 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4237
4238 lpcfg_smbcli_options(torture->lp_ctx, &options);
4239
4240 status = smb2_connect(mem_ctx,
4241 host,
4242 lpcfg_smb_ports(torture->lp_ctx),
4243 "IPC$",
4244 lpcfg_resolve_context(torture->lp_ctx),
4245 samba_cmdline_get_creds(),
4246 &tree,
4247 torture->ev,
4248 &options,
4249 lpcfg_socket_options(torture->lp_ctx),
4250 lpcfg_gensec_settings(torture, torture->lp_ctx)
4251 );
4252 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4253 "smb2_connect failed");
4254
4255 ZERO_STRUCT(io);
4256 io.in.oplock_level = 0;
4257 io.in.desired_access = DESIRED_ACCESS_PIPE;
4258 io.in.impersonation_level = SMB2_IMPERSONATION_IMPERSONATION;
4259 io.in.file_attributes = 0;
4260 io.in.create_disposition = NTCREATEX_DISP_OPEN;
4261 io.in.share_access =
4262 NTCREATEX_SHARE_ACCESS_READ|
4263 NTCREATEX_SHARE_ACCESS_WRITE;
4264 io.in.create_options = 0;
4265
4266 io.in.fname = "__none__";
4267 status = smb2_create(tree, tree, &io);
4268 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4269 ret, done,
4270 "smb2_create for '__none__'");
4271
4272 io.in.fname = "\\srvsvc";
4273 status = smb2_create(tree, tree, &io);
4274 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4275 ret, done,
4276 "smb2_create for '\\srvsvc'");
4277
4278 io.in.fname = "\\pipe\\srvsvc";
4279 status = smb2_create(tree, tree, &io);
4280 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4281 ret, done,
4282 "smb2_create for '\\pipe\\srvsvc'");
4283
4284 io.in.fname = "pipe\\srvsvc";
4285 status = smb2_create(tree, tree, &io);
4286 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
4287 ret, done,
4288 "smb2_create for 'pipe\\srvsvc'");
4289
4290 io.in.fname = "srvsvc";
4291 status = smb2_create(tree, tree, &io);
4292 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4293 "smb2_create failed for 'srvsvc'");
4294
4295 h = io.out.file.handle;
4296
4297 status = smb2_util_close(tree, h);
4298 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4299 "smb2_util_close failed");
4300
4301 ret = true;
4302 done:
4303 talloc_free(mem_ctx);
4304 return ret;
4305 }
4306
4307 /**
4308 * Test behaviour of a waiting read call on a pipe when
4309 * the pipe handle is closed:
4310 * - open a pipe via smb2
4311 * - trigger a read which hangs since there is nothing to read
4312 * - close the pipe file handle
4313 * - wait for the read to return and check the status
4314 * (STATUS_PIPE_BROKEN)
4315 */
4316 static bool torture_rpc_smb2_pipe_read_close(struct torture_context *torture)
4317 {
4318 TALLOC_CTX *mem_ctx;
4319 NTSTATUS status;
4320 bool ret = false;
4321 struct smbcli_options options;
4322 const char *host = torture_setting_string(torture, "host", NULL);
4323 struct smb2_tree *tree;
4324 struct smb2_handle h;
4325 struct smb2_request *smb2req;
4326 struct smb2_create io;
4327 struct smb2_read rd;
4328
4329 mem_ctx = talloc_init("torture_samba3_pipe_read_close");
4330 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4331
4332 lpcfg_smbcli_options(torture->lp_ctx, &options);
4333
4334 status = smb2_connect(mem_ctx,
4335 host,
4336 lpcfg_smb_ports(torture->lp_ctx),
4337 "IPC$",
4338 lpcfg_resolve_context(torture->lp_ctx),
4339 samba_cmdline_get_creds(),
4340 &tree,
4341 torture->ev,
4342 &options,
4343 lpcfg_socket_options(torture->lp_ctx),
4344 lpcfg_gensec_settings(torture, torture->lp_ctx)
4345 );
4346 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4347 "smb2_connect failed");
4348
4349 ZERO_STRUCT(io);
4350 io.in.oplock_level = 0;
4351 io.in.desired_access = DESIRED_ACCESS_PIPE;
4352 io.in.impersonation_level = SMB2_IMPERSONATION_IMPERSONATION;
4353 io.in.file_attributes = 0;
4354 io.in.create_disposition = NTCREATEX_DISP_OPEN;
4355 io.in.share_access =
4356 NTCREATEX_SHARE_ACCESS_READ|
4357 NTCREATEX_SHARE_ACCESS_WRITE;
4358 io.in.create_options = 0;
4359 io.in.fname = "lsarpc";
4360
4361 status = smb2_create(tree, tree, &io);
4362 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4363 "smb2_create failed for 'lsarpc'");
4364
4365 h = io.out.file.handle;
4366
4367 ZERO_STRUCT(rd);
4368 rd.in.file.handle = h;
4369 rd.in.length = 1024;
4370 rd.in.offset = 0;
4371 rd.in.min_count = 0;
4372
4373 smb2req = smb2_read_send(tree, &rd);
4374 torture_assert_goto(torture, (smb2req != NULL), ret, done,
4375 "smb2_read_send failed");
4376
4377 status = smb2_util_close(tree, h);
4378 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4379 "smb2_util_close failed");
4380
4381 status = smb2_read_recv(smb2req, mem_ctx, &rd);
4382 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_PIPE_BROKEN, ret, done,
4383 "smb2_read_recv: unexpected return code");
4384
4385 ret = true;
4386 done:
4387 talloc_free(mem_ctx);
4388 return ret;
4389 }
4390
4391 /**
4392 * Test behaviour of a waiting read call on a pipe when
4393 * the tree is disconnected.
4394 * - open a pipe via smb2
4395 * - trigger a read which hangs since there is nothing to read
4396 * - do a tree disconnect
4397 * - wait for the read to return and check the status
4398 * (STATUS_PIPE_BROKEN)
4399 */
4400 static bool torture_rpc_smb2_pipe_read_tdis(struct torture_context *torture)
4401 {
4402 TALLOC_CTX *mem_ctx;
4403 NTSTATUS status;
4404 bool ret = false;
4405 struct smbcli_options options;
4406 const char *host = torture_setting_string(torture, "host", NULL);
4407 struct smb2_tree *tree;
4408 struct smb2_handle h;
4409 struct smb2_request *smb2req;
4410 struct smb2_create io;
4411 struct smb2_read rd;
4412
4413 mem_ctx = talloc_init("torture_samba3_pipe_read_tdis");
4414 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4415
4416 lpcfg_smbcli_options(torture->lp_ctx, &options);
4417
4418 status = smb2_connect(mem_ctx,
4419 host,
4420 lpcfg_smb_ports(torture->lp_ctx),
4421 "IPC$",
4422 lpcfg_resolve_context(torture->lp_ctx),
4423 samba_cmdline_get_creds(),
4424 &tree,
4425 torture->ev,
4426 &options,
4427 lpcfg_socket_options(torture->lp_ctx),
4428 lpcfg_gensec_settings(torture, torture->lp_ctx)
4429 );
4430 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4431 "smb2_connect failed");
4432
4433 ZERO_STRUCT(io);
4434 io.in.oplock_level = 0;
4435 io.in.desired_access = DESIRED_ACCESS_PIPE;
4436 io.in.impersonation_level = SMB2_IMPERSONATION_IMPERSONATION;
4437 io.in.file_attributes = 0;
4438 io.in.create_disposition = NTCREATEX_DISP_OPEN;
4439 io.in.share_access =
4440 NTCREATEX_SHARE_ACCESS_READ|
4441 NTCREATEX_SHARE_ACCESS_WRITE;
4442 io.in.create_options = 0;
4443 io.in.fname = "lsarpc";
4444
4445 status = smb2_create(tree, tree, &io);
4446 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4447 "smb2_create failed for 'lsarpc'");
4448
4449 h = io.out.file.handle;
4450
4451 ZERO_STRUCT(rd);
4452 rd.in.file.handle = h;
4453 rd.in.length = 1024;
4454 rd.in.offset = 0;
4455 rd.in.min_count = 0;
4456
4457 smb2req = smb2_read_send(tree, &rd);
4458 torture_assert_goto(torture, (smb2req != NULL), ret, done,
4459 "smb2_read_send failed");
4460
4461 status = smb2_tdis(tree);
4462 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4463 "smb2_tdis failed");
4464
4465 status = smb2_read_recv(smb2req, mem_ctx, &rd);
4466 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_PIPE_BROKEN, ret, done,
4467 "smb2_read_recv: unexpected return code");
4468
4469 ret = true;
4470 done:
4471 talloc_free(mem_ctx);
4472 return ret;
4473 }
4474
4475 /**
4476 * Test behaviour of a waiting read call on a pipe when
4477 * the user logs off
4478 * - open a pipe via smb2
4479 * - trigger a read which hangs since there is nothing to read
4480 * - do a logoff
4481 * - wait for the read to return and check the status
4482 * (STATUS_PIPE_BROKEN)
4483 */
4484 static bool torture_rpc_smb2_pipe_read_logoff(struct torture_context *torture)
4485 {
4486 TALLOC_CTX *mem_ctx;
4487 NTSTATUS status;
4488 bool ret = false;
4489 struct smbcli_options options;
4490 const char *host = torture_setting_string(torture, "host", NULL);
4491 struct smb2_tree *tree;
4492 struct smb2_handle h;
4493 struct smb2_request *smb2req;
4494 struct smb2_create io;
4495 struct smb2_read rd;
4496
4497 mem_ctx = talloc_init("torture_samba3_pipe_read_tdis");
4498 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4499
4500 lpcfg_smbcli_options(torture->lp_ctx, &options);
4501
4502 status = smb2_connect(mem_ctx,
4503 host,
4504 lpcfg_smb_ports(torture->lp_ctx),
4505 "IPC$",
4506 lpcfg_resolve_context(torture->lp_ctx),
4507 samba_cmdline_get_creds(),
4508 &tree,
4509 torture->ev,
4510 &options,
4511 lpcfg_socket_options(torture->lp_ctx),
4512 lpcfg_gensec_settings(torture, torture->lp_ctx)
4513 );
4514 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4515 "smb2_connect failed");
4516
4517 ZERO_STRUCT(io);
4518 io.in.oplock_level = 0;
4519 io.in.desired_access = DESIRED_ACCESS_PIPE;
4520 io.in.impersonation_level = SMB2_IMPERSONATION_IMPERSONATION;
4521 io.in.file_attributes = 0;
4522 io.in.create_disposition = NTCREATEX_DISP_OPEN;
4523 io.in.share_access =
4524 NTCREATEX_SHARE_ACCESS_READ|
4525 NTCREATEX_SHARE_ACCESS_WRITE;
4526 io.in.create_options = 0;
4527 io.in.fname = "lsarpc";
4528
4529 status = smb2_create(tree, tree, &io);
4530 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4531 "smb2_create failed for 'lsarpc'");
4532
4533 h = io.out.file.handle;
4534
4535 ZERO_STRUCT(rd);
4536 rd.in.file.handle = h;
4537 rd.in.length = 1024;
4538 rd.in.offset = 0;
4539 rd.in.min_count = 0;
4540
4541 smb2req = smb2_read_send(tree, &rd);
4542 torture_assert_goto(torture, (smb2req != NULL), ret, done,
4543 "smb2_read_send failed");
4544
4545 status = smb2_logoff(tree->session);
4546 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4547 "smb2_logoff failed");
4548
4549 status = smb2_read_recv(smb2req, mem_ctx, &rd);
4550 torture_assert_ntstatus_equal_goto(torture, status, NT_STATUS_PIPE_BROKEN, ret, done,
4551 "smb2_read_recv: unexpected return code");
4552
4553 ret = true;
4554 done:
4555 talloc_free(mem_ctx);
4556 return ret;
4557 }
4558
4559 static bool torture_rpc_lsa_over_netlogon(struct torture_context *torture)
4560 {
4561 TALLOC_CTX *mem_ctx;
4562 NTSTATUS status;
4563 bool ret = false;
4564 struct smbcli_options options;
4565 struct smb2_tree *tree;
4566 struct dcerpc_pipe *netlogon_pipe;
4567 struct dcerpc_binding_handle *lsa_handle;
4568 struct lsa_ObjectAttribute attr;
4569 struct lsa_QosInfo qos;
4570 struct lsa_OpenPolicy2 o;
4571 struct policy_handle handle;
4572
4573 torture_comment(torture, "Testing if we can access LSA server over "
4574 "\\\\pipe\\netlogon rather than \\\\pipe\\lsarpc\n");
4575
4576 mem_ctx = talloc_init("torture_samba3_rpc_lsa_over_netlogon");
4577 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4578
4579 lpcfg_smbcli_options(torture->lp_ctx, &options);
4580
4581 status = smb2_connect(mem_ctx,
4582 torture_setting_string(torture, "host", NULL),
4583 lpcfg_smb_ports(torture->lp_ctx),
4584 "IPC$",
4585 lpcfg_resolve_context(torture->lp_ctx),
4586 samba_cmdline_get_creds(),
4587 &tree,
4588 torture->ev,
4589 &options,
4590 lpcfg_socket_options(torture->lp_ctx),
4591 lpcfg_gensec_settings(torture, torture->lp_ctx)
4592 );
4593 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4594 "smb2_connect failed");
4595
4596 status = pipe_bind_smb2(torture, mem_ctx, tree, "netlogon",
4597 &ndr_table_lsarpc, &netlogon_pipe);
4598 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4599 "pipe_bind_smb2 failed");
4600 lsa_handle = netlogon_pipe->binding_handle;
4601
4602 qos.len = 0;
4603 qos.impersonation_level = 2;
4604 qos.context_mode = 1;
4605 qos.effective_only = 0;
4606
4607 attr.len = 0;
4608 attr.root_dir = NULL;
4609 attr.object_name = NULL;
4610 attr.attributes = 0;
4611 attr.sec_desc = NULL;
4612 attr.sec_qos = &qos;
4613
4614 o.in.system_name = "\\";
4615 o.in.attr = &attr;
4616 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
4617 o.out.handle = &handle;
4618
4619 torture_assert_ntstatus_ok(torture,
4620 dcerpc_lsa_OpenPolicy2_r(lsa_handle, torture, &o),
4621 "OpenPolicy2 failed");
4622 torture_assert_ntstatus_ok(torture,
4623 o.out.result,
4624 "OpenPolicy2 failed");
4625
4626 ret = true;
4627 done:
4628 talloc_free(mem_ctx);
4629 return ret;
4630 }
4631
4632 static bool torture_rpc_pipes_supported_interfaces(
4633 struct torture_context *torture)
4634 {
4635 TALLOC_CTX *mem_ctx;
4636 NTSTATUS status;
4637 bool ret = false;
4638 struct smbcli_options options;
4639 struct smb2_tree *tree;
4640 struct dcerpc_pipe *pipe1;
4641 struct dcerpc_pipe *pipe2;
4642 struct dcerpc_pipe *pipe3;
4643
4644 torture_comment(torture, "Testing only appropriate interfaces are "
4645 "available in smb pipes\n");
4646
4647 mem_ctx = talloc_init("torture_samba3_rpc_pipes_supported_interfaces");
4648 torture_assert(torture, (mem_ctx != NULL), "talloc_init failed");
4649
4650 lpcfg_smbcli_options(torture->lp_ctx, &options);
4651
4652 status = smb2_connect(mem_ctx,
4653 torture_setting_string(torture, "host", NULL),
4654 lpcfg_smb_ports(torture->lp_ctx),
4655 "IPC$",
4656 lpcfg_resolve_context(torture->lp_ctx),
4657 samba_cmdline_get_creds(),
4658 &tree,
4659 torture->ev,
4660 &options,
4661 lpcfg_socket_options(torture->lp_ctx),
4662 lpcfg_gensec_settings(torture, torture->lp_ctx)
4663 );
4664 torture_assert_ntstatus_ok_goto(torture, status, ret, done,
4665 "smb2_connect failed");
4666
4667 /* Test embedded services pipes. The svcctl interface is
4668 * not available if we open the winreg pipe. */
4669 status = pipe_bind_smb2(torture, mem_ctx, tree, "winreg",
4670 &ndr_table_svcctl, &pipe1);
4671 torture_assert_ntstatus_equal(torture,
4672 status,
4673 NT_STATUS_RPC_UNSUPPORTED_NAME_SYNTAX,
4674 "svcctl interface not supported in winreg pipe");
4675
4676 /* Test it is not possible to bind to S4 server provided services */
4677 status = pipe_bind_smb2(torture, mem_ctx, tree, "srvsvc",
4678 &ndr_table_samr, &pipe2);
4679 torture_assert_ntstatus_equal(torture,
4680 status,
4681 NT_STATUS_RPC_UNSUPPORTED_NAME_SYNTAX,
4682 "samr interface not supported in srvsvc pipe");
4683
4684 /* Test pipes in forked daemons like lsassd. The lsarpc interface is
4685 * not available if we open the SAMR pipe. */
4686 status = pipe_bind_smb2(torture, mem_ctx, tree, "samr",
4687 &ndr_table_lsarpc, &pipe3);
4688 torture_assert_ntstatus_equal(torture,
4689 status,
4690 NT_STATUS_RPC_UNSUPPORTED_NAME_SYNTAX,
4691 "lsarpc interface not supported in samr pipe");
4692
4693 ret = true;
4694 done:
4695 talloc_free(mem_ctx);
4696 return ret;
4697 }
4698
4699 struct torture_suite *torture_rpc_samba3(TALLOC_CTX *mem_ctx)
4700 {
4701 struct torture_suite *suite = torture_suite_create(mem_ctx, "samba3");
4702
4703 torture_suite_add_simple_test(suite, "bind", torture_bind_samba3);
4704 torture_suite_add_simple_test(suite, "netlogon", torture_netlogon_samba3);
4705 torture_suite_add_simple_test(suite, "sessionkey", torture_samba3_sessionkey);
4706 torture_suite_add_simple_test(suite, "srvsvc", torture_samba3_rpc_srvsvc);
4707 torture_suite_add_simple_test(suite, "sharesec", torture_samba3_rpc_sharesec);
4708 torture_suite_add_simple_test(suite, "getusername", torture_samba3_rpc_getusername);
4709 torture_suite_add_simple_test(suite, "randomauth2", torture_samba3_rpc_randomauth2);
4710 torture_suite_add_simple_test(suite, "lsa", torture_samba3_rpc_lsa);
4711 torture_suite_add_simple_test(suite, "spoolss", torture_samba3_rpc_spoolss);
4712 torture_suite_add_simple_test(suite, "wkssvc", torture_samba3_rpc_wkssvc);
4713 torture_suite_add_simple_test(suite, "winreg", torture_samba3_rpc_winreg);
4714 torture_suite_add_simple_test(suite, "getaliasmembership-0", torture_samba3_getaliasmembership_0);
4715 torture_suite_add_simple_test(suite, "regconfig", torture_samba3_regconfig);
4716 torture_suite_add_simple_test(suite, "smb-reauth1", torture_rpc_smb_reauth1);
4717 torture_suite_add_simple_test(suite, "smb-reauth2", torture_rpc_smb_reauth2);
4718 torture_suite_add_simple_test(suite, "smb2-reauth1", torture_rpc_smb2_reauth1);
4719 torture_suite_add_simple_test(suite, "smb2-reauth2", torture_rpc_smb2_reauth2);
4720 torture_suite_add_simple_test(suite, "smb1-pipe-name", torture_rpc_smb1_pipe_name);
4721 torture_suite_add_simple_test(suite, "smb2-pipe-name", torture_rpc_smb2_pipe_name);
4722 torture_suite_add_simple_test(suite, "smb2-pipe-read-close", torture_rpc_smb2_pipe_read_close);
4723 torture_suite_add_simple_test(suite, "smb2-pipe-read-tdis", torture_rpc_smb2_pipe_read_tdis);
4724 torture_suite_add_simple_test(suite, "smb2-pipe-read-logoff", torture_rpc_smb2_pipe_read_logoff);
4725 torture_suite_add_simple_test(suite,
4726 "lsa_over_netlogon",
4727 torture_rpc_lsa_over_netlogon);
4728 torture_suite_add_simple_test(suite,
4729 "pipes_supported_interfaces",
4730 torture_rpc_pipes_supported_interfaces);
4731
4732 suite->description = talloc_strdup(suite, "samba3 DCERPC interface tests");
4733
4734 return suite;
4735 }
GSS-enabled samba4