[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Mon Nov 9 09:37:34 MST 2009 

The branch, master has been updated
       via  d7ce873... s3-netlogon: enable RPC-NETLOGON-ADMIN test against s3.
       via  e9c6984... s4-smbtorture: re-arrange netlogon LogonControl test.
      from  a0b9e40... s3: Try to avoid dns searches with an empty site

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d7ce873391f215f4f3785abcd13b9d120b87e744
Author: Günther Deschner <gd at samba.org>
Date:   Mon Nov 9 17:34:47 2009 +0100

    s3-netlogon: enable RPC-NETLOGON-ADMIN test against s3.
    
    Guenther

commit e9c6984cb62ce8d7d899202c1275d241a605913c
Author: Günther Deschner <gd at samba.org>
Date:   Mon Nov 9 17:32:31 2009 +0100

    s4-smbtorture: re-arrange netlogon LogonControl test.
    
    The LogonControl tests now are split out to a new RPC-NETLOGON-ADMIN test that
    tests the behaviour of that call when called by user, dc or workstation.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_server/srv_netlog_nt.c    |   27 ++++++++++--
 source3/script/tests/test_posix_s3.sh |    3 +-
 source4/torture/rpc/netlogon.c        |   77 +++++++++++++++++++++++++++------
 source4/torture/rpc/rpc.c             |    1 +
 4 files changed, 90 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index bcf5c00..39912ac 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -177,6 +177,7 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
 	struct netr_NETLOGON_INFO_3 *info3;
 	struct netr_NETLOGON_INFO_4 *info4;
 	const char *fn;
+	uint32_t acct_ctrl;
 
 	switch (p->hdr_req.opnum) {
 	case NDR_NETR_LOGONCONTROL:
@@ -192,12 +193,16 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
 		return WERR_INVALID_PARAM;
 	}
 
+	acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account);
+
 	switch (r->in.function_code) {
 	case NETLOGON_CONTROL_TC_VERIFY:
 	case NETLOGON_CONTROL_CHANGE_PASSWORD:
 	case NETLOGON_CONTROL_REDISCOVER:
-		if (!nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_GROUP_RID_ADMINS) &&
-		    !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok)) {
+		if ((geteuid() != sec_initial_uid()) &&
+		    !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) &&
+		    !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) &&
+		    !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
 			return WERR_ACCESS_DENIED;
 		}
 		break;
@@ -215,9 +220,23 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
 	case NETLOGON_CONTROL_SYNCHRONIZE:
 	case NETLOGON_CONTROL_PDC_REPLICATE:
 	case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
-	case NETLOGON_CONTROL_TRUNCATE_LOG:
 	case NETLOGON_CONTROL_BREAKPOINT:
-		return WERR_ACCESS_DENIED;
+		if (acct_ctrl & ACB_NORMAL) {
+			return WERR_NOT_SUPPORTED;
+		} else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
+			return WERR_ACCESS_DENIED;
+		} else {
+			return WERR_ACCESS_DENIED;
+		}
+	case NETLOGON_CONTROL_TRUNCATE_LOG:
+		if (acct_ctrl & ACB_NORMAL) {
+			break;
+		} else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
+			return WERR_ACCESS_DENIED;
+		} else {
+			return WERR_ACCESS_DENIED;
+		}
+
 	case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
 	case NETLOGON_CONTROL_FORCE_DNS_REG:
 	case NETLOGON_CONTROL_QUERY_DNS_REG:
diff --git a/source3/script/tests/test_posix_s3.sh b/source3/script/tests/test_posix_s3.sh
index 01d392a..11fe247 100755
--- a/source3/script/tests/test_posix_s3.sh
+++ b/source3/script/tests/test_posix_s3.sh
@@ -45,7 +45,8 @@ rpc="$rpc RPC-LSA-GETUSER RPC-LSA-LOOKUPSIDS RPC-LSA-LOOKUPNAMES"
 rpc="$rpc RPC-LSA-PRIVILEGES "
 rpc="$rpc RPC-SAMR RPC-SAMR-USERS RPC-SAMR-USERS-PRIVILEGES RPC-SAMR-PASSWORDS"
 rpc="$rpc RPC-SAMR-PASSWORDS-PWDLASTSET RPC-SAMR-LARGE-DC RPC-SAMR-MACHINE-AUTH"
-rpc="$rpc RPC-NETLOGON-S3 RPC-SCHANNEL RPC-SCHANNEL2 RPC-BENCH-SCHANNEL1 RPC-JOIN"
+rpc="$rpc RPC-NETLOGON-S3 RPC-NETLOGON-ADMIN"
+rpc="$rpc RPC-SCHANNEL RPC-SCHANNEL2 RPC-BENCH-SCHANNEL1 RPC-JOIN"
 
 local="LOCAL-NSS-WRAPPER"
 
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index db949ad..8972834 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -1608,12 +1608,16 @@ static const char *function_code_str(TALLOC_CTX *mem_ctx,
   try a netlogon LogonControl 
 */
 static bool test_LogonControl(struct torture_context *tctx, 
-			      struct dcerpc_pipe *p)
+			      struct dcerpc_pipe *p,
+			      struct cli_credentials *machine_credentials)
+
 {
 	NTSTATUS status;
 	struct netr_LogonControl r;
 	union netr_CONTROL_QUERY_INFORMATION query;
 	int i,f;
+	enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
+
 	uint32_t function_codes[] = {
 		NETLOGON_CONTROL_QUERY,
 		NETLOGON_CONTROL_REPLICATE,
@@ -1633,6 +1637,13 @@ static bool test_LogonControl(struct torture_context *tctx,
 		NETLOGON_CONTROL_BREAKPOINT
 	};
 
+	if (machine_credentials) {
+		secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
+	}
+
+	torture_comment(tctx, "testing LogonControl with secure channel type: %d\n",
+		secure_channel_type);
+
 	r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
 	r.in.function_code = 1;
 	r.out.query = &query;
@@ -1655,12 +1666,18 @@ static bool test_LogonControl(struct torture_context *tctx,
 			case NETLOGON_CONTROL_REPLICATE:
 			case NETLOGON_CONTROL_SYNCHRONIZE:
 			case NETLOGON_CONTROL_PDC_REPLICATE:
-			case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
-			case NETLOGON_CONTROL_TRUNCATE_LOG:
 			case NETLOGON_CONTROL_BREAKPOINT:
-				torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
-					"LogonControl returned unexpected error code");
+			case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
+				if ((secure_channel_type == SEC_CHAN_BDC) ||
+				    (secure_channel_type == SEC_CHAN_WKSTA)) {
+					torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
+						"LogonControl returned unexpected error code");
+				} else {
+					torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
+						"LogonControl returned unexpected error code");
+				}
 				break;
+
 			case NETLOGON_CONTROL_REDISCOVER:
 			case NETLOGON_CONTROL_TC_QUERY:
 			case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
@@ -1673,6 +1690,16 @@ static bool test_LogonControl(struct torture_context *tctx,
 				torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
 					"LogonControl returned unexpected error code");
 				break;
+			case NETLOGON_CONTROL_TRUNCATE_LOG:
+				if ((secure_channel_type == SEC_CHAN_BDC) ||
+				    (secure_channel_type == SEC_CHAN_WKSTA)) {
+					torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
+						"LogonControl returned unexpected error code");
+				} else {
+					torture_assert_werr_ok(tctx, r.out.result,
+						"LogonControl returned unexpected result");
+				}
+				break;
 			default:
 				torture_assert_werr_ok(tctx, r.out.result,
 					"LogonControl returned unexpected result");
@@ -1725,7 +1752,9 @@ static bool test_GetAnyDCName(struct torture_context *tctx,
   try a netlogon LogonControl2
 */
 static bool test_LogonControl2(struct torture_context *tctx, 
-			       struct dcerpc_pipe *p)
+			       struct dcerpc_pipe *p,
+			       struct cli_credentials *machine_credentials)
+
 {
 	NTSTATUS status;
 	struct netr_LogonControl2 r;
@@ -1873,7 +1902,9 @@ static bool test_DatabaseSync2(struct torture_context *tctx,
   try a netlogon LogonControl2Ex
 */
 static bool test_LogonControl2Ex(struct torture_context *tctx, 
-				 struct dcerpc_pipe *p)
+				 struct dcerpc_pipe *p,
+				 struct cli_credentials *machine_credentials)
+
 {
 	NTSTATUS status;
 	struct netr_LogonControl2Ex r;
@@ -2817,11 +2848,8 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
 	torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
 	torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
 	torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
-	torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
 	torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
-	torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
 	torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
-	torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
 	torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
 	torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
 	torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
@@ -2850,10 +2878,33 @@ struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx)
 	torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
 	torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags);
 	torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
-	torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
-	torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
-	torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
 	torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
 
 	return suite;
 }
+
+struct torture_suite *torture_rpc_netlogon_admin(TALLOC_CTX *mem_ctx)
+{
+	struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON-ADMIN");
+	struct torture_rpc_tcase *tcase;
+
+	tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
+						  &ndr_table_netlogon, TEST_MACHINE_NAME);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
+
+	tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon",
+						  &ndr_table_netlogon, TEST_MACHINE_NAME);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
+
+	tcase = torture_suite_add_rpc_iface_tcase(suite, "netlogon",
+						  &ndr_table_netlogon);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
+
+	return suite;
+}
diff --git a/source4/torture/rpc/rpc.c b/source4/torture/rpc/rpc.c
index c896850..71043f0 100644
--- a/source4/torture/rpc/rpc.c
+++ b/source4/torture/rpc/rpc.c
@@ -450,6 +450,7 @@ NTSTATUS torture_rpc_init(void)
 	torture_suite_add_simple_test(suite, "SAMR-PASSWORDS", torture_rpc_samr_passwords);
 	torture_suite_add_suite(suite, torture_rpc_netlogon(suite));
 	torture_suite_add_suite(suite, torture_rpc_netlogon_s3(suite));
+	torture_suite_add_suite(suite, torture_rpc_netlogon_admin(suite));
 	torture_suite_add_suite(suite, torture_rpc_remote_pac(suite));
 	torture_suite_add_simple_test(suite, "SAMLOGON", torture_rpc_samlogon);
 	torture_suite_add_simple_test(suite, "SAMSYNC", torture_rpc_samsync);


-- 
Samba Shared Repository

More information about the samba-cvs mailing list