[SCM] Samba Shared Repository - branch v4-0-test updated - release-4-0-0alpha5-423-gd878643

Andrew Bartlett abartlet at samba.org
Wed Aug 27 11:37:09 GMT 2008


The branch, v4-0-test has been updated
       via  d878643071a1477435a267e2944461d367cdfa79 (commit)
       via  9701149ef75f9771f42000e2b6f44963abfee938 (commit)
       via  f0bde093d76fe9d17a0709cf01fa7b70f1985c6b (commit)
       via  32143287c7eb452c6ed9ccd15e8cd4e5a907b437 (commit)
       via  f6e227b72bb56d12cb270d76f7f458136c4ca160 (commit)
       via  2a1adaa759d9201670519b3938109e13c0476a83 (commit)
       via  b706708210a05d6f10474a3cd2bbc550704d4356 (commit)
       via  ea58b650a81b48b0477edbcda1e4e26a3b2a9b9e (commit)
       via  aba5fbe39c4b93ec75c66f93c46b1967091afa61 (commit)
       via  a106a4ccc435d149072fb884caf95e5517cd4204 (commit)
       via  719941e929ddb6fea011fcc0c8c6b91c26e586af (commit)
      from  0c4227e45d6b8e31a0219358042318e9d2a0b36d (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit d878643071a1477435a267e2944461d367cdfa79
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 27 21:36:27 2008 +1000

    Add a test to explore Netlogon PAC validation
    
    However, I have still not figured out this protocol yet, and the docs
    are rather unclear... :-(
    
    Andrew Bartlett

commit 9701149ef75f9771f42000e2b6f44963abfee938
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 27 16:24:05 2008 +1000

    Put the internal gensec_gssapi state into a header.
    
    This will allow a torture suite to inspect some otherwise internal
    details.
    
    Andrew Bartlett

commit f0bde093d76fe9d17a0709cf01fa7b70f1985c6b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 27 16:22:45 2008 +1000

    Fix the build on Win32, and use NEGOTIATE security (to allow kerberos)

commit 32143287c7eb452c6ed9ccd15e8cd4e5a907b437
Merge: f6e227b72bb56d12cb270d76f7f458136c4ca160 0c4227e45d6b8e31a0219358042318e9d2a0b36d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 27 11:01:55 2008 +1000

    Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into pac-verify

commit f6e227b72bb56d12cb270d76f7f458136c4ca160
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 27 10:29:54 2008 +1000

    Add definition for NT_STATUS_DOWNGRADE_DETECTED

commit 2a1adaa759d9201670519b3938109e13c0476a83
Merge: b706708210a05d6f10474a3cd2bbc550704d4356 d7db5fe161429163a19d18c7e3045939897b9b2a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 26 16:28:59 2008 +1000

    Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into pac-verify

commit b706708210a05d6f10474a3cd2bbc550704d4356
Merge: ea58b650a81b48b0477edbcda1e4e26a3b2a9b9e d94c7bbcd6eee6d975eac32a1d172f4164c97137
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 26 16:26:08 2008 +1000

    Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into pac-verify

commit ea58b650a81b48b0477edbcda1e4e26a3b2a9b9e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 12 17:46:01 2008 +1000

    Add GenericInfo level for SamLogon calls from the WSPP IDL.
    
    Andrew Bartlett

commit aba5fbe39c4b93ec75c66f93c46b1967091afa61
Merge: a106a4ccc435d149072fb884caf95e5517cd4204 b345c9cf535af35c83da040ac965d9690dc802fe
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Aug 8 14:11:16 2008 +1000

    Merge branch '4-0-abartlet' into pac-verify

commit a106a4ccc435d149072fb884caf95e5517cd4204
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Aug 8 14:05:16 2008 +1000

    Always set a session key, even for the 'no password' case.
    
    This is for bug 5664 reported by Tom <hto at arcor.de>.
    
    Andrew Bartlett

commit 719941e929ddb6fea011fcc0c8c6b91c26e586af
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Aug 8 14:04:08 2008 +1000

    Clarify comment

-----------------------------------------------------------------------

Summary of changes:
 source/auth/gensec/gensec_gssapi.c           |   44 +-----
 source/auth/gensec/gensec_gssapi.h           |   68 ++++++++
 source/libcli/util/nterr.c                   |    1 +
 source/libcli/util/ntstatus.h                |    1 +
 source/librpc/idl/krb5pac.idl                |   14 ++
 source/librpc/idl/netlogon.idl               |   63 ++++++--
 source/rpc_server/netlogon/dcerpc_netlogon.c |   18 ++-
 source/samba4-skip                           |    1 +
 source/torture/config.mk                     |    2 +-
 source/torture/rpc/netlogon.c                |   15 ++-
 source/torture/rpc/remote_pac.c              |  220 ++++++++++++++++++++++++++
 source/torture/rpc/rpc.c                     |    1 +
 source/torture/rpc/testjoin.c                |    1 +
 testprogs/win32/rpcecho/rpcecho.idl          |    2 +-
 testprogs/win32/rpcecho/server.c             |    2 +-
 15 files changed, 381 insertions(+), 72 deletions(-)
 create mode 100644 source/auth/gensec/gensec_gssapi.h
 create mode 100644 source/torture/rpc/remote_pac.c


Changeset truncated at 500 lines:

diff --git a/source/auth/gensec/gensec_gssapi.c b/source/auth/gensec/gensec_gssapi.c
index 20d0807..2057625 100644
--- a/source/auth/gensec/gensec_gssapi.c
+++ b/source/auth/gensec/gensec_gssapi.c
@@ -38,49 +38,7 @@
 #include "auth/session_proto.h"
 #include <gssapi/gssapi.h>
 #include <gssapi/gssapi_krb5.h>
-
-enum gensec_gssapi_sasl_state 
-{
-	STAGE_GSS_NEG,
-	STAGE_SASL_SSF_NEG,
-	STAGE_SASL_SSF_ACCEPT,
-	STAGE_DONE
-};
-
-#define NEG_SEAL 0x4
-#define NEG_SIGN 0x2
-#define NEG_NONE 0x1
-
-struct gensec_gssapi_state {
-	gss_ctx_id_t gssapi_context;
-	struct gss_channel_bindings_struct *input_chan_bindings;
-	gss_name_t server_name;
-	gss_name_t client_name;
-	OM_uint32 want_flags, got_flags;
-	gss_OID gss_oid;
-
-	DATA_BLOB session_key;
-	DATA_BLOB pac;
-
-	struct smb_krb5_context *smb_krb5_context;
-	struct gssapi_creds_container *client_cred;
-	struct gssapi_creds_container *server_cred;
-	gss_krb5_lucid_context_v1_t *lucid;
-
-	gss_cred_id_t delegated_cred_handle;
-
-	bool sasl; /* We have two different mechs in this file: One
-		    * for SASL wrapped GSSAPI and another for normal
-		    * GSSAPI */
-	enum gensec_gssapi_sasl_state sasl_state;
-	uint8_t sasl_protection; /* What was negotiated at the SASL
-				  * layer, independent of the GSSAPI
-				  * layer... */
-
-	size_t max_wrap_buf_size;
-	int gss_exchange_count;
-	size_t sig_size;
-};
+#include "auth/gensec/gensec_gssapi.h"
 
 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
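Review bot: The new `#include "auth/gensec/gensec_gssapi.h"` only works because it sits after the two gssapi includes above it; the header (next hunk) declares gss_ctx_id_t, gss_name_t, gss_cred_id_t and gss_krb5_lucid_context_v1_t fields without including anything itself, so the include order here is load-bearing and undocumented. A one-line comment such as `/* must follow the gssapi headers: gensec_gssapi.h does not include them itself */` would prevent a later include reshuffle from breaking the build, or the header could be made self-contained as suggested on its own hunk.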
diff --git a/source/auth/gensec/gensec_gssapi.h b/source/auth/gensec/gensec_gssapi.h
new file mode 100644
index 0000000..b55b439
--- /dev/null
+++ b/source/auth/gensec/gensec_gssapi.h
@@ -0,0 +1,68 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Kerberos backend for GENSEC
+   
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2005
+   Copyright (C) Stefan Metzmacher <metze at samba.org> 2004-2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* This structure described here, so the RPC-PAC test can get at the PAC provided */
+
+enum gensec_gssapi_sasl_state 
+{
+	STAGE_GSS_NEG,
+	STAGE_SASL_SSF_NEG,
+	STAGE_SASL_SSF_ACCEPT,
+	STAGE_DONE
+};
+
+#define NEG_SEAL 0x4
+#define NEG_SIGN 0x2
+#define NEG_NONE 0x1
+
+struct gensec_gssapi_state {
+	gss_ctx_id_t gssapi_context;
+	struct gss_channel_bindings_struct *input_chan_bindings;
+	gss_name_t server_name;
+	gss_name_t client_name;
+	OM_uint32 want_flags, got_flags;
+	gss_OID gss_oid;
+
+	DATA_BLOB session_key;
+	DATA_BLOB pac;
+
+	struct smb_krb5_context *smb_krb5_context;
+	struct gssapi_creds_container *client_cred;
+	struct gssapi_creds_container *server_cred;
+	gss_krb5_lucid_context_v1_t *lucid;
+
+	gss_cred_id_t delegated_cred_handle;
+
+	bool sasl; /* We have two different mechs in this file: One
+		    * for SASL wrapped GSSAPI and another for normal
+		    * GSSAPI */
+	enum gensec_gssapi_sasl_state sasl_state;
+	uint8_t sasl_protection; /* What was negotiated at the SASL
+				  * layer, independent of the GSSAPI
+				  * layer... */
+
+	size_t max_wrap_buf_size;
+	int gss_exchange_count;
+	size_t sig_size;
+};
+
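Review bot: The new header has no include guard and includes nothing for the types it uses (gss_ctx_id_t, gss_name_t, OM_uint32, gss_OID, gss_cred_id_t, gss_krb5_lucid_context_v1_t, DATA_BLOB, bool, uint8_t), so it compiles only when the includer has already pulled in <gssapi/gssapi.h> and <gssapi/gssapi_krb5.h>, as gensec_gssapi.c and remote_pac.c happen to do. Wrapping the body in `#ifndef GENSEC_GSSAPI_H` / `#define GENSEC_GSSAPI_H` … `#endif` (proposed name) and adding the gssapi includes plus whatever provides DATA_BLOB would make it self-contained; note that NEG_SEAL/NEG_SIGN/NEG_NONE now also land in every includer's namespace. The comment above the enum reads "This structure described here" and wants "is described here"; it says the point is letting the RPC-PAC test read the PAC, yet the struct exposed also carries session_key and delegated_cred_handle, so a narrow accessor returning just the pac blob would keep that state private to the backend.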
diff --git a/source/libcli/util/nterr.c b/source/libcli/util/nterr.c
index 7629a14..ef4055a 100644
--- a/source/libcli/util/nterr.c
+++ b/source/libcli/util/nterr.c
@@ -546,6 +546,7 @@ static const nt_err_code_struct nt_errs[] =
 	{ "NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED", NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED },
 	{ "NT_STATUS_RPC_UNSUPPORTED_NAME_SYNTAX", NT_STATUS_RPC_UNSUPPORTED_NAME_SYNTAX },
 	{ "NT_STATUS_OBJECTID_NOT_FOUND", NT_STATUS_OBJECTID_NOT_FOUND },
+	{ "NT_STATUS_DOWNGRADE_DETECTED", NT_STATUS_DOWNGRADE_DETECTED },
 	{ "STATUS_MORE_ENTRIES", STATUS_MORE_ENTRIES },
 	{ "STATUS_SOME_UNMAPPED", STATUS_SOME_UNMAPPED },
 	{ "STATUS_NOTIFY_CLEANUP", STATUS_NOTIFY_CLEANUP },
diff --git a/source/libcli/util/ntstatus.h b/source/libcli/util/ntstatus.h
index 026b516..527a95b 100644
--- a/source/libcli/util/ntstatus.h
+++ b/source/libcli/util/ntstatus.h
@@ -593,6 +593,7 @@ typedef uint32_t NTSTATUS;
 #define NT_STATUS_NOT_A_REPARSE_POINT NT_STATUS(0xC0000000 | 0x0275)
 #define NT_STATUS_OBJECTID_NOT_FOUND NT_STATUS(0xC0000000 | 0x02F0)
 #define NT_STATUS_NO_SUCH_JOB NT_STATUS(0xC0000000 | 0xEDE) /* scheduler */
+#define NT_STATUS_DOWNGRADE_DETECTED NT_STATUS(0xC0000000 | 0x0388)
 #define NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED NT_STATUS(0xC0000000 | 0x20004)
 #define NT_STATUS_RPC_UNSUPPORTED_NAME_SYNTAX NT_STATUS(0xC0000000 | 0x20026)
 
diff --git a/source/librpc/idl/krb5pac.idl b/source/librpc/idl/krb5pac.idl
index ca0efae..07f747a 100644
--- a/source/librpc/idl/krb5pac.idl
+++ b/source/librpc/idl/krb5pac.idl
@@ -100,6 +100,14 @@ interface krb5pac
 		PAC_BUFFER_RAW buffers[num_buffers];
 	} PAC_DATA_RAW;
 
+	typedef [public] struct {
+		uint32 MessageType;
+		uint32 ChecksumLength;
+		uint32 SignatureType;
+		uint32 SignatureLength;
+		[size_is(ChecksumLength),length_is(ChecksumLength)] uint8 *data;
+	} PAC_Validate;
+
 	void decode_pac(
 		[in] PAC_DATA pac
 		);
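Review bot: PAC_Validate sizes `data` by ChecksumLength alone while also carrying SignatureLength, which the struct never uses to bound anything. If this is meant to follow the KERB_VERIFY_PAC_REQUEST layout in MS-APDS, the variable part is the checksum immediately followed by the signature, so the declaration would need to be `[size_is(ChecksumLength+SignatureLength)] uint8 *data;`, and a one-line comment naming that layout would help whoever finishes the protocol. Either way the NDR bound is the only check applied to the peer-supplied lengths, so the consumer should compare ChecksumLength and SignatureLength against what SignatureType implies before using the bytes.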
@@ -111,4 +119,10 @@ interface krb5pac
 	void decode_login_info(
 		[in] PAC_LOGON_INFO logon_info
 		);
+
+	void decode_pac_validate(
+		[in] PAC_Validate pac_validate
+		);
+
+
 }
diff --git a/source/librpc/idl/netlogon.idl b/source/librpc/idl/netlogon.idl
index d8f7d2f..006411d 100644
--- a/source/librpc/idl/netlogon.idl
+++ b/source/librpc/idl/netlogon.idl
@@ -123,12 +123,31 @@ interface netlogon
 		netr_ChallengeResponse lm;
 	} netr_NetworkInfo;
 
-	typedef [public,switch_type(uint16)] union {
-		[case(1)] netr_PasswordInfo *password;
-		[case(2)] netr_NetworkInfo  *network;
-		[case(3)] netr_PasswordInfo *password;
-		[case(5)] netr_PasswordInfo *password;
-		[case(6)] netr_NetworkInfo  *network;
+	typedef [flag(NDR_PAHEX)] struct {
+		netr_IdentityInfo identity_info;
+		lsa_String  package_name;
+		uint32 length;
+		[size_is(length)] uint8 *data;
+	} netr_GenericInfo;
+
+	typedef enum {
+		NetlogonInteractiveInformation = 1,
+		NetlogonNetworkInformation = 2,
+		NetlogonServiceInformation = 3,
+		NetlogonGenericInformation = 4,
+		NetlogonInteractiveTransitiveInformation = 5,
+		NetlogonNetworkTransitiveInformation = 6,
+		NetlogonServiceTransitiveInformation = 7
+	} netr_LogonInfoClass;
+
+	typedef [public,switch_type(netr_LogonInfoClass)] union {
+		[case(NetlogonInteractiveInformation)]           netr_PasswordInfo *password;
+		[case(NetlogonNetworkInformation)]               netr_NetworkInfo  *network;
+ 		[case(NetlogonServiceInformation)]               netr_PasswordInfo *password;
+ 		[case(NetlogonGenericInformation)]               netr_GenericInfo  *generic;
+		[case(NetlogonInteractiveTransitiveInformation)] netr_PasswordInfo *password;
+		[case(NetlogonNetworkTransitiveInformation)]     netr_NetworkInfo  *network;
+ 		[case(NetlogonServiceTransitiveInformation)]     netr_PasswordInfo *password;
 	} netr_LogonLevel;
 
 	typedef [public,flag(NDR_PAHEX)] struct {
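Review bot: The added union arms for NetlogonServiceInformation, NetlogonGenericInformation and NetlogonServiceTransitiveInformation are indented with a space followed by tabs, unlike the neighbouring arms which begin directly with tabs; drop the leading space on those three lines so the union indents uniformly. netr_GenericInfo would also benefit from a one-line comment saying what `package_name` selects and what `data` carries, since the commit message only says the level comes from the WSPP IDL.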
@@ -221,12 +240,20 @@ interface netlogon
 		lsa_String unknown4;
 	} netr_PacInfo;
 
+	typedef enum {
+		NetlogonValidationUasInfo = 1,
+		NetlogonValidationSamInfo = 2,
+		NetlogonValidationSamInfo2 = 3,
+		NetlogonValidationGenericInfo2 = 5,
+		NetlogonValidationSamInfo4 = 6
+	} netr_ValidationInfoClass;
+
 	typedef [public,switch_type(uint16)] union {
-		[case(2)] netr_SamInfo2 *sam2;
-		[case(3)] netr_SamInfo3 *sam3;
+		[case(NetlogonValidationSamInfo)] netr_SamInfo2 *sam2;
+		[case(NetlogonValidationSamInfo2)] netr_SamInfo3 *sam3;
 		[case(4)] netr_PacInfo  *pac;
-		[case(5)] netr_PacInfo  *pac;
-		[case(6)] netr_SamInfo6 *sam6;
+		[case(NetlogonValidationGenericInfo2)] netr_PacInfo  *pac;
+		[case(NetlogonValidationSamInfo4)] netr_SamInfo6 *sam6;
 	} netr_Validation;
 
 	typedef [public, flag(NDR_PAHEX)] struct {
@@ -239,15 +266,15 @@ interface netlogon
 	} netr_Authenticator;
 
 	NTSTATUS netr_LogonSamLogon(
-		[in,unique] [string,charset(UTF16)] uint16 *server_name,
-		[in,unique] [string,charset(UTF16)] uint16 *computer_name,
-		[in,unique] netr_Authenticator *credential,
-		[in,out,unique] netr_Authenticator *return_authenticator,
-		[in]  uint16 logon_level,
-		[in]  [switch_is(logon_level)] netr_LogonLevel logon,
-		[in]  uint16 validation_level,
+		[in,unique] [string,charset(UTF16)] uint16         *server_name,
+		[in,unique] [string,charset(UTF16)] uint16         *computer_name,
+		[in,unique] netr_Authenticator                     *credential,
+		[in,out,unique] netr_Authenticator                 *return_authenticator,
+		[in]  netr_LogonInfoClass                           logon_level,
+		[in]  [switch_is(logon_level)] netr_LogonLevel      logon,
+		[in]  uint16                                        validation_level,
 		[out] [switch_is(validation_level)] netr_Validation validation,
-		[out] uint8 authoritative
+		[out] uint8                                         authoritative
 		);
 
 
diff --git a/source/rpc_server/netlogon/dcerpc_netlogon.c b/source/rpc_server/netlogon/dcerpc_netlogon.c
index d9ae92c..763e6a3 100644
--- a/source/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source/rpc_server/netlogon/dcerpc_netlogon.c
@@ -421,9 +421,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 	user_info->remote_host = NULL;
 
 	switch (r->in.logon_level) {
-	case 1:
-	case 3:
-	case 5:
+	case NetlogonInteractiveInformation:
+	case NetlogonServiceInformation:
+	case NetlogonInteractiveTransitiveInformation:
+	case NetlogonServiceTransitiveInformation:
 		if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
 			creds_arcfour_crypt(creds, 
 					    r->in.logon.password->lmpassword.hash, 
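Review bot: The password arm now also accepts NetlogonServiceTransitiveInformation (7), which the old `case 1: case 3: case 5:` did not, so that level previously reached the `default:` INVALID_PARAMETER return later in the switch and is now handled on the password-decrypt path. That is a behaviour change the commit message does not mention; a short comment on the new case, `/* level 7 is handled like the non-transitive service logon */`, or a line in the log would make it deliberate rather than incidental. dcesrv_netr_LogonSamLogon_base starts and ends outside this hunk.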
@@ -460,8 +461,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 		*user_info->password.hash.nt = r->in.logon.password->ntpassword;
 
 		break;
-	case 2:
-	case 6:
+	case NetlogonNetworkInformation:
+	case NetlogonNetworkTransitiveInformation:
 
 		/* TODO: we need to deny anonymous access here */
 		nt_status = auth_context_create(mem_ctx, 
@@ -483,6 +484,13 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 		user_info->password.response.nt = data_blob_talloc(mem_ctx, r->in.logon.network->nt.data, r->in.logon.network->nt.length);
 	
 		break;
+
+		
+	case NetlogonGenericInformation:
+	{
+		/* Until we get enough information for an implemetnation */
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 	default:
 		return NT_STATUS_INVALID_PARAMETER;
 	}
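Review bot: The new `case NetlogonGenericInformation:` arm returns exactly what `default:` returns, so it adds a comment but no behaviour; either let it fall through into default with the comment attached, or keep it as `case NetlogonGenericInformation: /* not implemented until the protocol is understood */ return NT_STATUS_INVALID_PARAMETER;` without the braces. The comment also misspells "implementation", and of the two blank lines added before the case one is whitespace-only. The enclosing function starts and ends outside the hunk.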
diff --git a/source/samba4-skip b/source/samba4-skip
index b1313ad..35b274f 100644
--- a/source/samba4-skip
+++ b/source/samba4-skip
@@ -41,6 +41,7 @@ ntvfs.cifs.raw.context
 ntvfs.cifs.raw.qfileinfo.ipc
 rpc.dssync
 rpc.samsync
+rpc.pac							# Not finished yet
 ldap.uptodatevector					# Segfaults
 rpc.remact							# Not provided by Samba 4
 rpc.oxidresolve						# Not provided by Samba 4
diff --git a/source/torture/config.mk b/source/torture/config.mk
index 5a1746c..96da10b 100644
--- a/source/torture/config.mk
+++ b/source/torture/config.mk
@@ -114,7 +114,7 @@ torture_rpc_OBJ_FILES = $(addprefix $(torturesrcdir)/rpc/, \
 		drsuapi_cracknames.o dssync.o spoolss.o spoolss_notify.o spoolss_win.o \
 		unixinfo.o samr.o samr_accessmask.o wkssvc.o srvsvc.o svcctl.o atsvc.o \
 		eventlog.o epmapper.o winreg.o initshutdown.o oxidresolve.o remact.o mgmt.o \
-		scanner.o autoidl.o countcalls.o testjoin.o schannel.o netlogon.o samlogon.o \
+		scanner.o autoidl.o countcalls.o testjoin.o schannel.o netlogon.o remote_pac.o samlogon.o \
 		samsync.o bind.o dssetup.o alter_context.o bench.o samba3rpc.o rpc.o async_bind.o \
 		handles.o frsapi.o)
 
diff --git a/source/torture/rpc/netlogon.c b/source/torture/rpc/netlogon.c
index 5b92ce1..5ec2c29 100644
--- a/source/torture/rpc/netlogon.c
+++ b/source/torture/rpc/netlogon.c
@@ -25,8 +25,10 @@
 #include "torture/torture.h"
 #include "lib/events/events.h"
 #include "auth/auth.h"
+#include "auth/gensec/gensec.h"
 #include "lib/cmdline/popt_common.h"
 #include "torture/rpc/rpc.h"
+#include "torture/rpc/netlogon.h"
 #include "libcli/auth/libcli_auth.h"
 #include "librpc/gen_ndr/ndr_netlogon_c.h"
 #include "librpc/gen_ndr/ndr_lsa_c.h"
@@ -67,8 +69,8 @@ static bool test_LogonUasLogoff(struct torture_context *tctx,
 }
 
 static bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
-			   struct cli_credentials *credentials,
-			   struct creds_CredentialState **creds_out)
+				  struct cli_credentials *credentials,
+				  struct creds_CredentialState **creds_out)
 {
 	NTSTATUS status;
 	struct netr_ServerReqChallenge r;
@@ -113,6 +115,13 @@ static bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context
 	torture_comment(tctx, "Testing ServerAuthenticate\n");
 
 	status = dcerpc_netr_ServerAuthenticate(p, tctx, &a);
+
+	/* This allows the tests to continue against the more fussy windows 2008 */
+	if (NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED)) {
+		return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, 
+					      credentials, SEC_CHAN_BDC, creds_out);
+	}
+
 	torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
 
 	torture_assert(tctx, creds_client_check(creds, &credentials3), 
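Review bot: The NT_STATUS_DOWNGRADE_DETECTED fallback silently replaces the ServerAuthenticate check with a different negotiation (NETLOGON_NEG_AUTH2_ADS_FLAGS, SEC_CHAN_BDC), so a run that took this path is indistinguishable in the output from one that did not; a `torture_comment(tctx, "ServerAuthenticate returned DOWNGRADE_DETECTED, retrying with AUTH2 ADS flags\n");` before the return would make the log say which variant was exercised. The call also depends on a prototype for test_SetupCredentials2, which is defined later in this file and made non-static in the next hunk; presumably the newly included torture/rpc/netlogon.h supplies it, but that header is not in the diff. test_SetupCredentials starts and ends outside this hunk.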
@@ -122,7 +131,7 @@ static bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context
 	return true;
 }
 
-static bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
+bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
 			    uint32_t negotiate_flags,
 			    struct cli_credentials *machine_credentials,
 			    int sec_chan_type,
diff --git a/source/torture/rpc/remote_pac.c b/source/torture/rpc/remote_pac.c
new file mode 100644
index 0000000..a9e0bbc
--- /dev/null
+++ b/source/torture/rpc/remote_pac.c
@@ -0,0 +1,220 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   test suite for netlogon PAC operations
+
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2008
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "torture/torture.h"
+#include "lib/events/events.h"
+#include "auth/auth.h"
+#include "auth/gensec/gensec.h"
+#include "lib/cmdline/popt_common.h"
+#include "torture/rpc/rpc.h"
+#include "torture/rpc/netlogon.h"
+#include "libcli/auth/libcli_auth.h"
+#include "librpc/gen_ndr/ndr_netlogon_c.h"
+#include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "param/param.h"
+#include "lib/messaging/irpc.h"
+#include "cluster/cluster.h"
+
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "librpc/gen_ndr/krb5pac.h"
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+#include "auth/gensec/gensec_gssapi.h"
+
+#define TEST_MACHINE_NAME "torturepactest"
+
+/* Check to see if we can pass the PAC across to the NETLOGON server for validation */
+
+/* Also happens to be a really good one-step verfication of our Kerberos stack */
+
+static bool test_PACVerify(struct torture_context *tctx, 
+			   struct dcerpc_pipe *p,
+			   struct cli_credentials *credentials)
+{
+	NTSTATUS status;
+
+	struct netr_LogonSamLogon r;
+	
+	struct netr_GenericInfo generic;
+	struct netr_Authenticator auth, auth2;
+	
+
+	struct creds_CredentialState *creds;
+	struct gensec_security *gensec_client_context;
+	struct gensec_security *gensec_server_context;
+	struct gensec_gssapi_state *gensec_gssapi_state;
+
+	struct messaging_context *msg_server_ctx;
+	DATA_BLOB client_to_server, server_to_client, pac_blob, pac_wrapped;
+	gss_buffer_desc pac;
+	struct PAC_Validate pac_wrapped_struct;
+	
+	enum ndr_err_code ndr_err;
+
+	struct auth_session_info *session_info;
+
+	char *tmp_dir;
+	OM_uint32 maj_stat, min_stat;
+
+	TALLOC_CTX *tmp_ctx = talloc_new(tctx);
+	
+	torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
+
+	if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, 
+				    credentials, SEC_CHAN_BDC, 
+				    &creds)) {
+		return false;
+	}
+
+	status = torture_temp_dir(tctx, "PACVerify", &tmp_dir);
+	torture_assert_ntstatus_ok(tctx, status, "torture_temp_dir failed");
+
+	msg_server_ctx = messaging_init(tctx, 
+					tmp_dir,
+					cluster_id(0, 1), 
+				        lp_iconv_convenience(tctx->lp_ctx),
+					tctx->ev);
+	
+	torture_assert(tctx, msg_server_ctx != NULL, "Failed to init messaging context");
+
+	status = gensec_client_start(tctx, &gensec_client_context, tctx->ev, tctx->lp_ctx);
+	torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
+
+	status = gensec_set_target_hostname(gensec_client_context, TEST_MACHINE_NAME);

