[SCM] Samba Shared Repository - branch v3-5-test updated

Günther Deschner gd at samba.org
Tue Nov 10 05:18:48 MST 2009


The branch, v3-5-test has been updated
       via  bc0dc5a... s3-rpc_client: make sure cli_rpc_pipe_open_schannel() does not always return NT_STATUS_OK.
       via  f0e7188... s3-netlogon: enable RPC-NETLOGON-ADMIN test against s3.
       via  8b94ea1... s4-smbtorture: re-arrange netlogon LogonControl test.
      from  b58c7d9... s3:registry: add an extra check for dsize==0 to regdb_fetch_keys_internal()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit bc0dc5a452f52df76d3f6bbd119acd8476afe9d5
Author: Günther Deschner <gd at samba.org>
Date:   Tue Nov 10 13:10:12 2009 +0100

    s3-rpc_client: make sure cli_rpc_pipe_open_schannel() does not always return NT_STATUS_OK.
    
    Guenther
    (cherry picked from commit d241b9ae4c9b520406aac98e24d078f2d4fd4ae5)

commit f0e718833fa73560e06c844963fe78932a22dfb2
Author: Günther Deschner <gd at samba.org>
Date:   Mon Nov 9 17:34:47 2009 +0100

    s3-netlogon: enable RPC-NETLOGON-ADMIN test against s3.
    
    Guenther
    (cherry picked from commit d7ce873391f215f4f3785abcd13b9d120b87e744)

commit 8b94ea1a55fa96078ce86dedb033b083143939ff
Author: Günther Deschner <gd at samba.org>
Date:   Mon Nov 9 17:32:31 2009 +0100

    s4-smbtorture: re-arrange netlogon LogonControl test.
    
    The LogonControl tests are now split out into a new RPC-NETLOGON-ADMIN test that
    checks the behaviour of that call when it is made by a user, a DC or a workstation.
    
    Guenther
    (cherry picked from commit e9c6984cb62ce8d7d899202c1275d241a605913c)

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_client/cli_pipe.c         |    4 +-
 source3/rpc_server/srv_netlog_nt.c    |   27 ++++++++++--
 source3/script/tests/test_posix_s3.sh |    3 +-
 source4/torture/rpc/netlogon.c        |   77 +++++++++++++++++++++++++++------
 source4/torture/rpc/rpc.c             |    1 +
 5 files changed, 93 insertions(+), 19 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 9ff84f8..28d9d99 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -4123,6 +4123,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 	struct rpc_pipe_client *result = NULL;
 	NTSTATUS status;
 
+	*presult = NULL;
+
 	status = get_schannel_session_key(cli, domain, &neg_flags,
 					  &netlogon_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
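Review bot: The contract this hunk creates — `*presult` is NULL on every path that does not return NT_STATUS_OK, now that the following hunk returns `status` instead of the hard-coded NT_STATUS_OK — is not stated anywhere a caller would read it. Add above the signature, which lies before this hunk, `/* *presult is set to NULL first and assigned only when the result is NT_STATUS_OK, so callers may test it directly. */`. cli_rpc_pipe_open_schannel begins before this hunk and ends in the next one.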
@@ -4143,7 +4145,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 		*presult = result;
 	}
 
-	return NT_STATUS_OK;
+	return status;
 }
 
 /****************************************************************************
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index bcf5c00..39912ac 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -177,6 +177,7 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
 	struct netr_NETLOGON_INFO_3 *info3;
 	struct netr_NETLOGON_INFO_4 *info4;
 	const char *fn;
+	uint32_t acct_ctrl;
 
 	switch (p->hdr_req.opnum) {
 	case NDR_NETR_LOGONCONTROL:
@@ -192,12 +193,16 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
 		return WERR_INVALID_PARAM;
 	}
 
+	acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account);
+
 	switch (r->in.function_code) {
 	case NETLOGON_CONTROL_TC_VERIFY:
 	case NETLOGON_CONTROL_CHANGE_PASSWORD:
 	case NETLOGON_CONTROL_REDISCOVER:
-		if (!nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_GROUP_RID_ADMINS) &&
-		    !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok)) {
+		if ((geteuid() != sec_initial_uid()) &&
+		    !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) &&
+		    !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) &&
+		    !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
 			return WERR_ACCESS_DENIED;
 		}
 		break;
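Review bot: `pdb_get_acct_ctrl(p->server_info->sam_account)` is evaluated for every opnum before any check on the caller; if `sam_account` can be NULL for an anonymous or guest connection (not visible in this hunk) that is a NULL dereference reachable from the network, and a guard such as `if (p->server_info->sam_account == NULL) { return WERR_ACCESS_DENIED; }` ahead of the call would close it. The rewritten condition also widens who may issue TC_VERIFY, CHANGE_PASSWORD and REDISCOVER from domain/builtin administrators to any account with ACB_WSTRUST or ACB_SVRTRUST, plus the `geteuid() != sec_initial_uid()` bypass; that authorization decision deserves a comment above the `if`, e.g. `/* Allowed for administrators and for workstation/server trust accounts; other callers are denied. */`. _netr_LogonControl2Ex begins before this hunk and continues after it.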
@@ -215,9 +220,23 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
 	case NETLOGON_CONTROL_SYNCHRONIZE:
 	case NETLOGON_CONTROL_PDC_REPLICATE:
 	case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
-	case NETLOGON_CONTROL_TRUNCATE_LOG:
 	case NETLOGON_CONTROL_BREAKPOINT:
-		return WERR_ACCESS_DENIED;
+		if (acct_ctrl & ACB_NORMAL) {
+			return WERR_NOT_SUPPORTED;
+		} else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
+			return WERR_ACCESS_DENIED;
+		} else {
+			return WERR_ACCESS_DENIED;
+		}
+	case NETLOGON_CONTROL_TRUNCATE_LOG:
+		if (acct_ctrl & ACB_NORMAL) {
+			break;
+		} else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
+			return WERR_ACCESS_DENIED;
+		} else {
+			return WERR_ACCESS_DENIED;
+		}
+
 	case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
 	case NETLOGON_CONTROL_FORCE_DNS_REG:
 	case NETLOGON_CONTROL_QUERY_DNS_REG:
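Review bot: In both new three-way branches the `else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))` arm and the final `else` return the same WERR_ACCESS_DENIED, so the middle test has no effect and reads as if machine accounts were treated differently. Collapse each to `if (acct_ctrl & ACB_NORMAL) { return WERR_NOT_SUPPORTED; }` followed by `return WERR_ACCESS_DENIED;` (and `break;` in place of the NOT_SUPPORTED return for TRUNCATE_LOG). If the duplicate arm is meant as a placeholder for a future distinct result, a comment saying so would keep the next reader from "fixing" it. _netr_LogonControl2Ex continues outside this hunk.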
diff --git a/source3/script/tests/test_posix_s3.sh b/source3/script/tests/test_posix_s3.sh
index 01d392a..11fe247 100755
--- a/source3/script/tests/test_posix_s3.sh
+++ b/source3/script/tests/test_posix_s3.sh
@@ -45,7 +45,8 @@ rpc="$rpc RPC-LSA-GETUSER RPC-LSA-LOOKUPSIDS RPC-LSA-LOOKUPNAMES"
 rpc="$rpc RPC-LSA-PRIVILEGES "
 rpc="$rpc RPC-SAMR RPC-SAMR-USERS RPC-SAMR-USERS-PRIVILEGES RPC-SAMR-PASSWORDS"
 rpc="$rpc RPC-SAMR-PASSWORDS-PWDLASTSET RPC-SAMR-LARGE-DC RPC-SAMR-MACHINE-AUTH"
-rpc="$rpc RPC-NETLOGON-S3 RPC-SCHANNEL RPC-SCHANNEL2 RPC-BENCH-SCHANNEL1 RPC-JOIN"
+rpc="$rpc RPC-NETLOGON-S3 RPC-NETLOGON-ADMIN"
+rpc="$rpc RPC-SCHANNEL RPC-SCHANNEL2 RPC-BENCH-SCHANNEL1 RPC-JOIN"
 
 local="LOCAL-NSS-WRAPPER"
 
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 7499ff2..c198c2d 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -1614,12 +1614,16 @@ static const char *function_code_str(TALLOC_CTX *mem_ctx,
   try a netlogon LogonControl 
 */
 static bool test_LogonControl(struct torture_context *tctx, 
-			      struct dcerpc_pipe *p)
+			      struct dcerpc_pipe *p,
+			      struct cli_credentials *machine_credentials)
+
 {
 	NTSTATUS status;
 	struct netr_LogonControl r;
 	union netr_CONTROL_QUERY_INFORMATION query;
 	int i,f;
+	enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
+
 	uint32_t function_codes[] = {
 		NETLOGON_CONTROL_QUERY,
 		NETLOGON_CONTROL_REPLICATE,
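Review bot: A stray blank line now sits between the closing parenthesis of the parameter list and the opening brace of test_LogonControl, which matches neither the surrounding definitions nor the usual style in this file; the same blank line was added to test_LogonControl2 and test_LogonControl2Ex in the later hunks of this file. The new `machine_credentials` parameter is documented nowhere; extend the header comment above the signature with `may be NULL, in which case the test runs as a plain user (secure_channel_type stays SEC_CHAN_NULL)`. test_LogonControl continues past this hunk.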
@@ -1639,6 +1643,13 @@ static bool test_LogonControl(struct torture_context *tctx,
 		NETLOGON_CONTROL_BREAKPOINT
 	};
 
+	if (machine_credentials) {
+		secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
+	}
+
+	torture_comment(tctx, "testing LogonControl with secure channel type: %d\n",
+		secure_channel_type);
+
 	r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
 	r.in.function_code = 1;
 	r.out.query = &query;
@@ -1661,12 +1672,18 @@ static bool test_LogonControl(struct torture_context *tctx,
 			case NETLOGON_CONTROL_REPLICATE:
 			case NETLOGON_CONTROL_SYNCHRONIZE:
 			case NETLOGON_CONTROL_PDC_REPLICATE:
-			case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
-			case NETLOGON_CONTROL_TRUNCATE_LOG:
 			case NETLOGON_CONTROL_BREAKPOINT:
-				torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
-					"LogonControl returned unexpected error code");
+			case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
+				if ((secure_channel_type == SEC_CHAN_BDC) ||
+				    (secure_channel_type == SEC_CHAN_WKSTA)) {
+					torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
+						"LogonControl returned unexpected error code");
+				} else {
+					torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
+						"LogonControl returned unexpected error code");
+				}
 				break;
+
 			case NETLOGON_CONTROL_REDISCOVER:
 			case NETLOGON_CONTROL_TC_QUERY:
 			case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
@@ -1679,6 +1696,16 @@ static bool test_LogonControl(struct torture_context *tctx,
 				torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
 					"LogonControl returned unexpected error code");
 				break;
+			case NETLOGON_CONTROL_TRUNCATE_LOG:
+				if ((secure_channel_type == SEC_CHAN_BDC) ||
+				    (secure_channel_type == SEC_CHAN_WKSTA)) {
+					torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
+						"LogonControl returned unexpected error code");
+				} else {
+					torture_assert_werr_ok(tctx, r.out.result,
+						"LogonControl returned unexpected result");
+				}
+				break;
 			default:
 				torture_assert_werr_ok(tctx, r.out.result,
 					"LogonControl returned unexpected result");
@@ -1731,7 +1758,9 @@ static bool test_GetAnyDCName(struct torture_context *tctx,
   try a netlogon LogonControl2
 */
 static bool test_LogonControl2(struct torture_context *tctx, 
-			       struct dcerpc_pipe *p)
+			       struct dcerpc_pipe *p,
+			       struct cli_credentials *machine_credentials)
+
 {
 	NTSTATUS status;
 	struct netr_LogonControl2 r;
@@ -1879,7 +1908,9 @@ static bool test_DatabaseSync2(struct torture_context *tctx,
   try a netlogon LogonControl2Ex
 */
 static bool test_LogonControl2Ex(struct torture_context *tctx, 
-				 struct dcerpc_pipe *p)
+				 struct dcerpc_pipe *p,
+				 struct cli_credentials *machine_credentials)
+
 {
 	NTSTATUS status;
 	struct netr_LogonControl2Ex r;
@@ -2823,11 +2854,8 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
 	torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
 	torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
 	torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
-	torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
 	torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
-	torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
 	torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
-	torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
 	torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
 	torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
 	torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
@@ -2856,10 +2884,33 @@ struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx)
 	torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
 	torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags);
 	torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
-	torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
-	torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
-	torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
 	torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
 
 	return suite;
 }
+
+struct torture_suite *torture_rpc_netlogon_admin(TALLOC_CTX *mem_ctx)
+{
+	struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON-ADMIN");
+	struct torture_rpc_tcase *tcase;
+
+	tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
+						  &ndr_table_netlogon, TEST_MACHINE_NAME);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
+
+	tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon",
+						  &ndr_table_netlogon, TEST_MACHINE_NAME);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
+
+	tcase = torture_suite_add_rpc_iface_tcase(suite, "netlogon",
+						  &ndr_table_netlogon);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
+	torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
+
+	return suite;
+}
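Review bot: torture_rpc_netlogon_admin adds three tcases to the same suite that all carry the name "netlogon" and all register tests named "LogonControl", "LogonControl2" and "LogonControl2Ex"; if the torture framework derives the test id from suite, tcase and test names (not visible here), the BDC, workstation and plain-user runs become indistinguishable in output and cannot be selected individually, so distinct tcase names such as `"netlogon-bdc"`, `"netlogon-wksta"` and `"netlogon-user"` (constructed) would help. The function also lacks the header comment the neighbouring suite constructors have; a one-liner such as `/* LogonControl tests run as BDC, workstation and plain user to cover the per-caller access checks */` states the intent given in the commit message.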
diff --git a/source4/torture/rpc/rpc.c b/source4/torture/rpc/rpc.c
index 6e9d37b..9dd2be1 100644
--- a/source4/torture/rpc/rpc.c
+++ b/source4/torture/rpc/rpc.c
@@ -452,6 +452,7 @@ NTSTATUS torture_rpc_init(void)
 	torture_suite_add_simple_test(suite, "SAMR-PASSWORDS", torture_rpc_samr_passwords);
 	torture_suite_add_suite(suite, torture_rpc_netlogon(suite));
 	torture_suite_add_suite(suite, torture_rpc_netlogon_s3(suite));
+	torture_suite_add_suite(suite, torture_rpc_netlogon_admin(suite));
 	torture_suite_add_suite(suite, torture_rpc_remote_pac(suite));
 	torture_suite_add_simple_test(suite, "SAMLOGON", torture_rpc_samlogon);
 	torture_suite_add_simple_test(suite, "SAMSYNC", torture_rpc_samsync);


-- 
Samba Shared Repository

