| author | Andreas Schneider <asn@samba.org> | 2015-02-16 08:56:28 +0100 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2015-02-23 20:01:01 +0100 |
| commit | 6e5debf33bfb28ec0135a19f9cfb48b39d17fc83 (patch) | |
| tree | 23408d3169864a8d69bdf888565860bce2b86040 /source4 | |
| parent | bb4148450941e4949a2ff1b053719082b0514d71 (diff) | |
| download | samba-6e5debf33bfb28ec0135a19f9cfb48b39d17fc83.tar.gz samba-6e5debf33bfb28ec0135a19f9cfb48b39d17fc83.tar.xz samba-6e5debf33bfb28ec0135a19f9cfb48b39d17fc83.zip | |
torture: Add netr_setPassword(2) schannel test.
Thanks to Florian Weimer <fweimer@redhat.com> for helping to write
this torture test.
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Feb 23 20:01:01 CET 2015 on sn-devel-104
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/torture/rpc/rpc.c | 1 | ||||
| -rw-r--r-- | source4/torture/rpc/schannel.c | 109 |
2 files changed, 110 insertions, 0 deletions
diff --git a/source4/torture/rpc/rpc.c b/source4/torture/rpc/rpc.c
index 7557901efb..b7fd3bc1eb 100644
--- a/source4/torture/rpc/rpc.c
+++ b/source4/torture/rpc/rpc.c
@@ -507,6 +507,7 @@ NTSTATUS torture_rpc_init(void)
 torture_suite_add_simple_test(suite, "schannel", torture_rpc_schannel);
 torture_suite_add_simple_test(suite, "schannel2", torture_rpc_schannel2);
 torture_suite_add_simple_test(suite, "bench-schannel1", torture_rpc_schannel_bench1);
+ torture_suite_add_simple_test(suite, "schannel_anon_setpw", torture_rpc_schannel_anon_setpw);
 torture_suite_add_suite(suite, torture_rpc_srvsvc(suite));
 torture_suite_add_suite(suite, torture_rpc_svcctl(suite));
 torture_suite_add_suite(suite, torture_rpc_samr_accessmask(suite));
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index de93fcad1a..eff1c7ab1d 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -543,6 +543,86 @@ static bool test_schannel(struct torture_context *tctx, return true; } +/* + * Purpose of this test is to demonstrate that a netlogon server carefully deals + * with anonymous attempts to set passwords, in particular when the server + * enforces the use of schannel. This test makes most sense to be run in an + * environment where the netlogon server enforces use of schannel. + */ + +static bool test_schannel_anonymous_setPassword(struct torture_context *tctx, + uint32_t dcerpc_flags, + bool use2) +{ + struct test_join *join_ctx; + NTSTATUS status, result; + const char *binding = torture_setting_string(tctx, "binding", NULL); + struct dcerpc_binding *b; + struct dcerpc_pipe *p = NULL; + struct cli_credentials *credentials; + bool ok = true; + + credentials = cli_credentials_init(NULL); + torture_assert(tctx, credentials != NULL, "Bad credentials"); + cli_credentials_set_anonymous(credentials); + + status = dcerpc_parse_binding(tctx, binding, &b); + torture_assert_ntstatus_ok(tctx, status, "Bad binding string"); + + status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS); + torture_assert_ntstatus_ok(tctx, status, "set flags"); + + status = dcerpc_pipe_connect_b(tctx, + &p, + b, + &ndr_table_netlogon, + credentials, + tctx->ev, + tctx->lp_ctx); + torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel"); + + if (use2) { + struct netr_ServerPasswordSet2 r = {}; + struct netr_Authenticator credential = {}; + struct netr_Authenticator return_authenticator = {}; + struct netr_CryptPassword new_password = {}; + + r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); + r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); + r.in.secure_channel_type = 0; + r.in.computer_name = TEST_MACHINE_NAME; + r.in.credential = &credential; + r.in.new_password = &new_password; + r.out.return_authenticator = &return_authenticator; + + status = dcerpc_netr_ServerPasswordSet2_r(p->binding_handle, 
tctx, &r); + result = r.out.result; + } else { + struct netr_ServerPasswordSet r = {}; + struct netr_Authenticator credential = {}; + struct netr_Authenticator return_authenticator = {}; + struct samr_Password new_password = {}; + + r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); + r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); + r.in.secure_channel_type = 0; + r.in.computer_name = TEST_MACHINE_NAME; + r.in.credential = &credential; + r.in.new_password = &new_password; + r.out.return_authenticator = &return_authenticator; + + status = dcerpc_netr_ServerPasswordSet_r(p->binding_handle, tctx, &r); + result = r.out.result; + } + + torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet failed"); + + if (NT_STATUS_IS_OK(result)) { + torture_fail(tctx, "unexpectedly received NT_STATUS_OK"); + } + + return ok; +} /* @@ -586,6 +666,35 @@ bool torture_rpc_schannel(struct torture_context *torture) return ret; } +bool torture_rpc_schannel_anon_setpw(struct torture_context *torture) +{ + bool ret = true; + bool ok; + uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_AUTO; + + ok = test_schannel_anonymous_setPassword(torture, + dcerpc_flags, + true); + if (!ok) { + torture_comment(torture, + "Failed with dcerpc_flags=0x%x\n", + dcerpc_flags); + ret = false; + } + + ok = test_schannel_anonymous_setPassword(torture, + dcerpc_flags, + false); + if (!ok) { + torture_comment(torture, + "Failed with dcerpc_flags=0x%x\n", + dcerpc_flags); + ret = false; + } + + return ret; +} + /* test two schannel connections */ |
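Review bot: `credentials = cli_credentials_init(NULL);` in test_schannel_anonymous_setPassword allocates the credentials with no talloc parent, so they are never released when the test context is torn down; `credentials = cli_credentials_init(tctx);` ties them to tctx like the other allocations in this function. `struct test_join *join_ctx;` is declared but never used and will trip -Wunused-variable. The final check only rejects NT_STATUS_OK, so any failure status — including a server-side error unrelated to the anonymous rejection — lets the test pass; if the expected rejection status is known (presumably NT_STATUS_ACCESS_DENIED, confirm against the server), `torture_assert_ntstatus_equal(tctx, result, NT_STATUS_ACCESS_DENIED, "anonymous ServerPasswordSet must be rejected");` pins the intended behaviour instead. `bool ok = true;` is never changed on any path, so `return ok;` is simply `return true;`.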
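Review bot: The two torture_comment calls in torture_rpc_schannel_anon_setpw print the identical message `"Failed with dcerpc_flags=0x%x\n"`, so a failure report cannot tell the ServerPasswordSet2 run (use2 = true) from the ServerPasswordSet run (use2 = false), and dcerpc_flags is the same constant in both. Naming the variant in each message, `"ServerPasswordSet2 failed with dcerpc_flags=0x%x\n"` for the first call and `"ServerPasswordSet failed with dcerpc_flags=0x%x\n"` for the second, makes the output actionable. The otherwise duplicated call/check block could also be folded into a single loop over the two use2 values.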
