[SCM] Samba Shared Repository - branch master updated - 580c2b3283cfa0f55a5c7e4632a2a101a036b364

Günther Deschner gd at samba.org
Fri Nov 28 13:10:21 GMT 2008


The branch, master has been updated
       via  580c2b3283cfa0f55a5c7e4632a2a101a036b364 (commit)
       via  4b687944f382185fafccc41f3ec4737a72e55448 (commit)
       via  465466e1afa70e0fa1076963ae67a96e9e5b4cbb (commit)
       via  89ad20789cd3e3418cd22dd7b40f72fecf9f4c8d (commit)
      from  bd95b6b4160760b33bedb14b247fa302507962a4 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 580c2b3283cfa0f55a5c7e4632a2a101a036b364
Author: Günther Deschner <gd at samba.org>
Date:   Thu Nov 27 17:25:13 2008 +0100

    selftest: s4 does not have a pwdlastset implementation yet.
    
    Guenther

commit 4b687944f382185fafccc41f3ec4737a72e55448
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 28 12:10:56 2008 +0100

    s4-smbtorture: allow to disable full testing of all possible opcode combinations.
    
    Guenther

commit 465466e1afa70e0fa1076963ae67a96e9e5b4cbb
Author: Günther Deschner <gd at samba.org>
Date:   Thu Nov 27 12:09:39 2008 +0100

    s4-smbtorture: move test to SAMR-PASSWORDS-PWDLASTSET.
    
    Guenther

commit 89ad20789cd3e3418cd22dd7b40f72fecf9f4c8d
Author: Günther Deschner <gd at samba.org>
Date:   Tue Nov 25 02:46:25 2008 +0100

    s4-smbtorture: add test for samr password_expired flag while setting passwords.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source4/selftest/skip      |    1 +
 source4/torture/rpc/rpc.c  |    1 +
 source4/torture/rpc/samr.c |  455 +++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 456 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/selftest/skip b/source4/selftest/skip
index a3dfdbf..f1500ff 100644
--- a/source4/selftest/skip
+++ b/source4/selftest/skip
@@ -23,6 +23,7 @@ base.scan.maxfid
 raw.hold.oplock		# Not a test, but a way to block other clients for a test
 raw.ping.pong		# Needs second server to test
 rpc.samr_accessmask
+samba4.rpc.samr.passwords.pwdlastset # Not provided by Samba 4 yet
 raw.scan.eamax
 samba4.ntvfs.cifs.raw.qfileinfo.ipc
 smb2.notify
diff --git a/source4/torture/rpc/rpc.c b/source4/torture/rpc/rpc.c
index 7fe5827..7f6b06d 100644
--- a/source4/torture/rpc/rpc.c
+++ b/source4/torture/rpc/rpc.c
@@ -395,6 +395,7 @@ NTSTATUS torture_rpc_init(void)
 	torture_suite_add_simple_test(suite, "SAMR", torture_rpc_samr);
 	torture_suite_add_simple_test(suite, "SAMR-USERS", torture_rpc_samr_users);
 	torture_suite_add_simple_test(suite, "SAMR-PASSWORDS", torture_rpc_samr_passwords);
+	torture_suite_add_simple_test(suite, "SAMR-PASSWORDS-PWDLASTSET", torture_rpc_samr_passwords_pwdlastset);
 	torture_suite_add_suite(suite, torture_rpc_netlogon(suite));
 	torture_suite_add_suite(suite, torture_rpc_remote_pac(suite));
 	torture_suite_add_simple_test(suite, "SAMLOGON", torture_rpc_samlogon);
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 02124e6..86a959d 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -29,6 +29,8 @@
 #include "libcli/security/security.h"
 #include "torture/rpc/rpc.h"
 
+#include <unistd.h>
+
 #define TEST_ACCOUNT_NAME "samrtorturetest"
 #define TEST_ALIASNAME "samrtorturetestalias"
 #define TEST_GROUPNAME "samrtorturetestgroup"
@@ -37,6 +39,7 @@
 
 enum torture_samr_choice {
 	TORTURE_SAMR_PASSWORDS,
+	TORTURE_SAMR_PASSWORDS_PWDLASTSET,
 	TORTURE_SAMR_USER_ATTRIBUTES,
 	TORTURE_SAMR_OTHER
 };
@@ -2270,6 +2273,416 @@ static bool test_TestPrivateFunctionsUser(struct dcerpc_pipe *p, struct torture_
 	return true;
 }
 
+static bool test_QueryUserInfo_pwdlastset(struct dcerpc_pipe *p,
+					  struct torture_context *tctx,
+					  struct policy_handle *handle,
+					  bool use_info2,
+					  NTTIME *pwdlastset)
+{
+	NTSTATUS status;
+	uint16_t levels[] = { /* 3, */ 5, 21 };
+	int i;
+	NTTIME pwdlastset3 = 0;
+	NTTIME pwdlastset5 = 0;
+	NTTIME pwdlastset21 = 0;
+
+	torture_comment(tctx, "Testing QueryUserInfo%s level 5 and 21 call ",
+			use_info2 ? "2":"");
+
+	for (i=0; i<ARRAY_SIZE(levels); i++) {
+
+		struct samr_QueryUserInfo r;
+		struct samr_QueryUserInfo2 r2;
+		union samr_UserInfo *info;
+
+		if (use_info2) {
+			r2.in.user_handle = handle;
+			r2.in.level = levels[i];
+			r2.out.info = &info;
+			status = dcerpc_samr_QueryUserInfo2(p, tctx, &r2);
+
+		} else {
+			r.in.user_handle = handle;
+			r.in.level = levels[i];
+			r.out.info = &info;
+			status = dcerpc_samr_QueryUserInfo(p, tctx, &r);
+		}
+
+		if (!NT_STATUS_IS_OK(status) &&
+		    !NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
+			printf("QueryUserInfo%s level %u failed - %s\n",
+			       use_info2 ? "2":"", levels[i], nt_errstr(status));
+			return false;
+		}
+
+		switch (levels[i]) {
+		case 3:
+			pwdlastset3 = info->info3.last_password_change;
+			break;
+		case 5:
+			pwdlastset5 = info->info5.last_password_change;
+			break;
+		case 21:
+			pwdlastset21 = info->info21.last_password_change;
+			break;
+		default:
+			return false;
+		}
+	}
+	/* torture_assert_int_equal(tctx, pwdlastset3, pwdlastset5,
+				    "pwdlastset mixup"); */
+	torture_assert_int_equal(tctx, pwdlastset5, pwdlastset21,
+				 "pwdlastset mixup");
+
+	*pwdlastset = pwdlastset21;
+
+	torture_comment(tctx, "(pwdlastset: %lld)\n", *pwdlastset);
+
+	return true;
+}
+
+static bool test_SetPassword_level(struct dcerpc_pipe *p,
+				   struct torture_context *tctx,
+				   struct policy_handle *handle,
+				   uint16_t level,
+				   uint32_t fields_present,
+				   uint8_t password_expired,
+				   NTSTATUS expected_error,
+				   bool use_setinfo2,
+				   char **password,
+				   bool use_queryinfo2,
+				   NTTIME *pwdlastset)
+{
+	const char *fields = NULL;
+	bool ret = true;
+
+	switch (level) {
+	case 21:
+	case 23:
+	case 25:
+		fields = talloc_asprintf(tctx, "(fields_present: 0x%08x)",
+					 fields_present);
+		break;
+	default:
+		break;
+	}
+
+	torture_comment(tctx, "Testing SetUserInfo%s level %d call "
+		"(password_expired: %d) %s\n",
+		use_setinfo2 ? "2":"", level, password_expired,
+		fields ? fields : "");
+
+	switch (level) {
+		case 21:
+		case 23:
+		case 24:
+		case 25:
+		case 26:
+			if (!test_SetUserPass_level_ex(p, tctx, handle, level,
+						       fields_present,
+						       password,
+						       password_expired,
+						       use_setinfo2,
+						       expected_error)) {
+				ret = false;
+			}
+			break;
+		default:
+			return false;
+	}
+
+	if (!test_QueryUserInfo_pwdlastset(p, tctx, handle,
+					   use_queryinfo2,
+					   pwdlastset)) {
+		ret = false;
+	}
+
+	return ret;
+}
+
+static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
+					struct torture_context *tctx,
+					uint32_t acct_flags,
+					struct policy_handle *handle,
+					char **password)
+{
+	int i, s = 0, q = 0;
+	bool ret = true;
+	int delay = 500000;
+	bool set_levels[] = { false, true };
+	bool query_levels[] = { false, true };
+
+	struct {
+		uint16_t level;
+		uint8_t password_expired_nonzero;
+		uint32_t fields_present;
+		bool query_info2;
+		bool set_info2;
+		NTSTATUS set_error;
+	} pwd_tests[] = {
+
+		/* level 21 */
+		{
+			.level				= 21,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_EXPIRED_FLAG
+		},{
+			.level				= 21,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_LAST_PWD_CHANGE,
+			.set_error			= NT_STATUS_ACCESS_DENIED
+#if 0
+	/* FIXME */
+		},{
+			.level				= 21,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_PASSWORD |
+							  SAMR_FIELD_PASSWORD2 |
+							  SAMR_FIELD_LAST_PWD_CHANGE,
+			.query_info2			= false,
+			.set_error			= NT_STATUS_ACCESS_DENIED
+#endif
+
+		/* level 23 */
+		},{
+			.level				= 23,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_EXPIRED_FLAG
+		},{
+			.level				= 23,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_LAST_PWD_CHANGE,
+			.set_error			= NT_STATUS_ACCESS_DENIED
+		},{
+			.level				= 23,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_LAST_PWD_CHANGE |
+							  SAMR_FIELD_PASSWORD |
+							  SAMR_FIELD_PASSWORD2,
+			.set_error			= NT_STATUS_ACCESS_DENIED
+		},{
+			.level				= 23,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_LAST_PWD_CHANGE |
+							  SAMR_FIELD_PASSWORD |
+							  SAMR_FIELD_PASSWORD2 |
+							  SAMR_FIELD_EXPIRED_FLAG,
+			.set_error			= NT_STATUS_ACCESS_DENIED
+		},{
+			.level				= 23,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_PASSWORD |
+							  SAMR_FIELD_PASSWORD2 |
+							  SAMR_FIELD_EXPIRED_FLAG
+		},{
+			.level				= 23,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_PASSWORD |
+							  SAMR_FIELD_PASSWORD2
+		},{
+
+		/* level 24 */
+
+			.level				= 24,
+			.password_expired_nonzero	= 1
+		},{
+			.level				= 24,
+			.password_expired_nonzero	= 24
+		},{
+
+		/* level 25 */
+
+			.level				= 25,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_LAST_PWD_CHANGE,
+			.set_error			= NT_STATUS_ACCESS_DENIED
+		},{
+			.level				= 25,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_EXPIRED_FLAG,
+		},{
+			.level				= 25,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_PASSWORD |
+							  SAMR_FIELD_PASSWORD2 |
+							  SAMR_FIELD_EXPIRED_FLAG
+		},{
+			.level				= 25,
+			.password_expired_nonzero	= 1,
+			.fields_present			= SAMR_FIELD_PASSWORD |
+							  SAMR_FIELD_PASSWORD2
+		},{
+
+		/* level 26 */
+
+			.level				= 26,
+			.password_expired_nonzero	= 1
+		},{
+			.level				= 26,
+			.password_expired_nonzero	= 24
+		}
+	};
+
+	if (torture_setting_bool(tctx, "samba3", false)) {
+		delay = 1000000;
+		printf("Samba3 has second granularity, setting delay to: %d\n",
+			delay);
+		return ret;
+	}
+
+	/* set to 1 to enable testing for all possible opcode
+	   (SetUserInfo, SetUserInfo2, QueryUserInfo, QueryUserInfo2)
+	   combinations */
+#if 0
+#define TEST_SET_LEVELS 1
+#define TEST_QUERY_LEVELS 1
+#endif
+	for (i=0; i<ARRAY_SIZE(pwd_tests); i++) {
+#ifdef TEST_SET_LEVELS
+	for (s=0; s<ARRAY_SIZE(set_levels); s++) {
+#endif
+#ifdef TEST_QUERY_LEVELS
+	for (q=0; q<ARRAY_SIZE(query_levels); q++) {
+#endif
+		NTTIME pwdlastset_old = 0;
+		NTTIME pwdlastset_new = 0;
+
+		/* set #1 */
+
+		torture_comment(tctx, "------------------------------\n"
+				"Testing pwdLastSet attribute for flags: 0x%08x "
+				"(s: %d (l: %d), q: %d)\n",
+				acct_flags, s, pwd_tests[i].level, q);
+
+		if (!test_SetPassword_level(p, tctx, handle,
+					    pwd_tests[i].level,
+					    pwd_tests[i].fields_present,
+					    pwd_tests[i].password_expired_nonzero, /* will set pwdlast to 0 */
+					    pwd_tests[i].set_error,
+					    set_levels[s],
+					    password,
+					    query_levels[q],
+					    &pwdlastset_old)) {
+			ret = false;
+		}
+
+		if (!NT_STATUS_IS_OK(pwd_tests[i].set_error)) {
+			/* skipping on expected failure */
+			continue;
+		}
+
+		/* pwdlastset must be 0 afterwards, except for a level 23 and 25
+		 * set without the SAMR_FIELD_EXPIRED_FLAG */
+
+		switch (pwd_tests[i].level) {
+		case 23:
+		case 25:
+			if ((pwdlastset_new != 0) &&
+			    !(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG)) {
+				torture_comment(tctx, "not considering a non-0 "
+					"pwdLastSet as a an error as the "
+					"SAMR_FIELD_EXPIRED_FLAG has not "
+					"been set\n");
+				break;
+			}
+		default:
+			if (pwdlastset_new != 0) {
+				torture_warning(tctx, "pwdLastSet test failed: "
+					"expected pwdLastSet 0 but got %lld\n",
+					pwdlastset_old);
+				ret = false;
+			}
+			break;
+		}
+
+		usleep(delay);
+
+		/* set #2 */
+
+		if (!test_SetPassword_level(p, tctx, handle, pwd_tests[i].level,
+					    pwd_tests[i].fields_present,
+					    0,
+					    /* will normally update (increase) the pwdlast */
+					    pwd_tests[i].set_error,
+					    set_levels[s],
+					    password,
+					    query_levels[q],
+					    &pwdlastset_new)) {
+
+			ret = false;
+		}
+
+		/* pwdlastset must not be 0 afterwards and must be larger then
+		 * the old value */
+
+		if (pwdlastset_old >= pwdlastset_new) {
+			torture_warning(tctx, "pwdLastSet test failed: "
+				"expected last pwdlastset (%lld) < new pwdlastset (%lld)\n",
+				pwdlastset_old, pwdlastset_new);
+			ret = false;
+		}
+		if (pwdlastset_new == 0) {
+			torture_warning(tctx, "pwdLastSet test failed: "
+				"expected non-0 pwdlastset, got: %lld\n",
+				pwdlastset_new);
+			ret = false;
+		}
+		pwdlastset_old = pwdlastset_new;
+
+		usleep(delay);
+
+		/* set #3 */
+
+		if (!test_SetPassword_level(p, tctx, handle, pwd_tests[i].level,
+					    pwd_tests[i].fields_present,
+					    pwd_tests[i].password_expired_nonzero,
+					    pwd_tests[i].set_error,
+					    set_levels[s],
+					    password,
+					    query_levels[q],
+					    &pwdlastset_new)) {
+			ret = false;
+		}
+
+		if (pwdlastset_old == pwdlastset_new) {
+			torture_warning(tctx, "pwdLastSet test failed: "
+				"expected last pwdlastset (%lld) != new pwdlastset (%lld)\n",
+				pwdlastset_old, pwdlastset_new);
+			ret = false;
+		}
+
+		/* pwdlastset must be 0 afterwards, except for a level 23 and 25
+		 * set without the SAMR_FIELD_EXPIRED_FLAG */
+
+		switch (pwd_tests[i].level) {
+		case 23:
+		case 25:
+			if ((pwdlastset_new != 0) &&
+			    !(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG)) {
+				break;
+			}
+		default:
+			if (pwdlastset_new != 0) {
+				torture_warning(tctx, "pwdLastSet test failed: "
+					"expected pwdLastSet 0, got %lld\n",
+					pwdlastset_old);
+				ret = false;
+			}
+			break;
+		}
+#ifdef TEST_QUERY_LEVELS
+	}
+#endif
+#ifdef TEST_SET_LEVELS
+	}
+#endif
+	}
+
+#undef TEST_SET_LEVELS
+#undef TEST_QUERY_LEVELS
+
+	return ret;
+}
 
 static bool test_user_ops(struct dcerpc_pipe *p, 
 			  struct torture_context *tctx,
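Review bot: After "set #1" in test_SetPassword_pwdlastset the queried timestamp is stored through `&pwdlastset_old`, but both the level 23/25 branch and the `default` branch test `pwdlastset_new != 0`, which still holds its initial 0, so the "pwdLastSet must be 0 after an expired-flag set" check can never fail. A server that ignores password_expired would pass this step, so the two conditions should read `pwdlastset_old != 0`, the variable the warning already prints. The warning after "set #3" has the opposite slip: it prints `pwdlastset_old` although `pwdlastset_new` was tested. Separately, test_QueryUserInfo_pwdlastset tolerates NT_STATUS_INVALID_INFO_CLASS and then dereferences `info` in the `switch`, although the visible code never initialises it on that path. Initialising it with `union samr_UserInfo *info = NULL;` and skipping the level with `continue` when that status is returned would avoid reading an indeterminate pointer.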
@@ -2363,7 +2776,7 @@ static bool test_user_ops(struct dcerpc_pipe *p,
 				ret = false;
 			}
 		}
-		
+
 		for (i = 0; password_fields[i]; i++) {
 			if (!test_SetUserPass_23(p, tctx, user_handle, password_fields[i], &password)) {
 				ret = false;
@@ -2419,6 +2832,23 @@ static bool test_user_ops(struct dcerpc_pipe *p,
 		}
 
 		break;
+
+	case TORTURE_SAMR_PASSWORDS_PWDLASTSET:
+
+		/* test last password change timestamp behaviour */
+		if (!test_SetPassword_pwdlastset(p, tctx, base_acct_flags,
+						 user_handle, &password)) {
+			ret = false;
+		}
+
+		if (ret == true) {
+			torture_comment(tctx, "pwdLastSet test succeeded\n");
+		} else {
+			torture_warning(tctx, "pwdLastSet test failed\n");
+		}
+
+		break;
+
 	case TORTURE_SAMR_OTHER:
 		/* We just need the account to exist */
 		break;
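Review bot: The success/failure message in the new `TORTURE_SAMR_PASSWORDS_PWDLASTSET` case keys on `ret`, which is the function-wide result of test_user_ops and is declared outside this hunk, so "pwdLastSet test failed" would presumably also be printed when an earlier step had already cleared `ret`. Holding the call's result in a local, `bool ok = test_SetPassword_pwdlastset(p, tctx, base_acct_flags, user_handle, &password);` followed by `if (!ok) ret = false;`, and reporting on `ok` keeps the message tied to this test. `if (ret == true)` would also read better as a plain boolean test.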
@@ -4636,6 +5066,7 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
 	switch (which_ops) {
 	case TORTURE_SAMR_USER_ATTRIBUTES:
 	case TORTURE_SAMR_PASSWORDS:
+	case TORTURE_SAMR_PASSWORDS_PWDLASTSET:


-- 
Samba Shared Repository

