[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Oct 27 10:52:03 MDT 2011
The branch, master has been updated
via b972bd5 s4-torture: Add a user creation check.
via 4186ef9 s4-torture: Add a samr privilege check.
via b411b81 s4-torture: Add torture_delete_testuser().
via 80e942a s4-torture: Add domain_handle to test_join struct.
via beb42c3 s3-build: Add .clang_complete.
from 790c6b4 s3:rpc_client: remove references to auth_ntlmssp_state
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b972bd53d736bbf2720585bc8f1ed316a647a5d6
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 26 17:48:01 2011 +0200
s4-torture: Add a user creation check.
This adds a patch which creates a non-privileged user and then tries to
create a new user as the non-privileged user.
Pretty simple test but it found #8509.
Autobuild-User: Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date: Thu Oct 27 18:51:14 CEST 2011 on sn-devel-104
commit 4186ef9560804375fedca7c43faa80e57f868339
Author: Andreas Schneider <asn at samba.org>
Date: Thu Sep 15 08:54:44 2011 +0200
s4-torture: Add a samr privilege check.
This is the first part which checks if a deleted user is propagated
correctly to all daemons and caches with user information are emtpy.
commit b411b81642a6317f11cfb67c04fc1313ff009bea
Author: Andreas Schneider <asn at samba.org>
Date: Fri Sep 23 16:57:25 2011 +0200
s4-torture: Add torture_delete_testuser().
commit 80e942aec955af86b197893b6ca661e3e521066d
Author: Andreas Schneider <asn at samba.org>
Date: Fri Sep 23 16:56:59 2011 +0200
s4-torture: Add domain_handle to test_join struct.
commit beb42c3774d170f2b52627409aa7ae383337a090
Author: Andreas Schneider <asn at samba.org>
Date: Thu Sep 15 17:26:18 2011 +0200
s3-build: Add .clang_complete.
-----------------------------------------------------------------------
Summary of changes:
source3/selftest/tests.py | 1 +
source4/.clang_complete | 10 +
source4/torture/rpc/rpc.c | 1 +
source4/torture/rpc/samr_priv.c | 615 +++++++++++++++++++++++++++++++++++++++
source4/torture/rpc/testjoin.c | 22 ++-
source4/torture/wscript_build | 2 +-
6 files changed, 646 insertions(+), 5 deletions(-)
create mode 100644 source4/.clang_complete
create mode 100644 source4/torture/rpc/samr_priv.c
Changeset truncated at 500 lines:
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index b4c41fd..546ca12 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -191,6 +191,7 @@ rpc = ["rpc.authcontext", "rpc.samba3.bind", "rpc.samba3.srvsvc", "rpc.samba3.sh
"rpc.lsa.privileges", "rpc.lsa.secrets",
"rpc.samr", "rpc.samr.users", "rpc.samr.users.privileges", "rpc.samr.passwords",
"rpc.samr.passwords.pwdlastset", "rpc.samr.large-dc", "rpc.samr.machine.auth",
+ "rpc.samr.priv",
"rpc.netlogon.admin",
"rpc.schannel", "rpc.schannel2", "rpc.bench-schannel1", "rpc.join", "rpc.bind"]
diff --git a/source4/.clang_complete b/source4/.clang_complete
new file mode 100644
index 0000000..bfaf852
--- /dev/null
+++ b/source4/.clang_complete
@@ -0,0 +1,10 @@
+-I../bin/default
+-I../bin/default/include
+-I../bin/default/include/public/
+-I../bin/default/source4
+-I../lib
+-I../lib/popt
+-I../lib/replace
+-I..
+-I./include
+-I.
diff --git a/source4/torture/rpc/rpc.c b/source4/torture/rpc/rpc.c
index 01ce93f..41668e0 100644
--- a/source4/torture/rpc/rpc.c
+++ b/source4/torture/rpc/rpc.c
@@ -503,6 +503,7 @@ NTSTATUS torture_rpc_init(void)
torture_suite_add_suite(suite, torture_rpc_samr_passwords_lockout(suite));
torture_suite_add_suite(suite, torture_rpc_samr_user_privileges(suite));
torture_suite_add_suite(suite, torture_rpc_samr_large_dc(suite));
+ torture_suite_add_suite(suite, torture_rpc_samr_priv(suite));
torture_suite_add_suite(suite, torture_rpc_epmapper(suite));
torture_suite_add_suite(suite, torture_rpc_initshutdown(suite));
torture_suite_add_suite(suite, torture_rpc_oxidresolve(suite));
diff --git a/source4/torture/rpc/samr_priv.c b/source4/torture/rpc/samr_priv.c
new file mode 100644
index 0000000..20d9640
--- /dev/null
+++ b/source4/torture/rpc/samr_priv.c
@@ -0,0 +1,615 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * test suite for samr rpc operations
+ *
+ * Copyright (c) 2011 Andreas Schneider
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "param/param.h"
+#include "torture/torture.h"
+#include "librpc/gen_ndr/ndr_samr_c.h"
+#include "librpc/rpc/dcerpc_proto.h"
+#include "libcli/security/security.h"
+#include "torture/rpc/torture_rpc.h"
+
+#define TEST_ACCOUNT_NAME "guru"
+
+struct torture_user {
+ const char *username;
+ const char *password;
+ const char *domain;
+ uint32_t *builtin_memberships;
+ uint32_t num_builtin_memberships;
+ bool admin_rights;
+};
+
+struct torture_access_context {
+ struct dcerpc_pipe *pipe;
+ struct torture_user user;
+ struct test_join *join;
+};
+
+static void init_lsa_String(struct lsa_String *name, const char *s)
+{
+ name->string = s;
+}
+
+static bool test_samr_queryUserInfo(struct torture_context *tctx,
+ struct dcerpc_binding_handle *b,
+ struct policy_handle *user_handle)
+{
+ struct samr_QueryUserInfo r;
+ union samr_UserInfo *info;
+ NTSTATUS status;
+
+ r.in.level = UserGeneralInformation;
+ r.in.user_handle = user_handle;
+ r.out.info = &info;
+
+ status = dcerpc_samr_QueryUserInfo_r(b,
+ tctx,
+ &r);
+ torture_assert_ntstatus_ok(tctx, status, "queryUserInfo failed");
+ if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_OK)) {
+ torture_comment(tctx, "queryUserInfo failed");
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_LookupName(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
+ struct policy_handle *domain_handle,
+ const char *name,
+ uint32_t *rid)
+{
+ NTSTATUS status;
+ struct samr_LookupNames n;
+ struct lsa_String sname[1];
+ struct samr_Ids rids, types;
+
+ init_lsa_String(&sname[0], name);
+
+ n.in.domain_handle = domain_handle;
+ n.in.num_names = 1;
+ n.in.names = sname;
+ n.out.rids = &rids;
+ n.out.types = &types;
+
+ status = dcerpc_samr_LookupNames_r(b, tctx, &n);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+ if (!NT_STATUS_IS_OK(n.out.result)) {
+ return false;
+ }
+
+ *rid = n.out.rids->ids[0];
+ return true;
+}
+
+static bool test_samr_CreateUser(struct torture_context *tctx,
+ struct dcerpc_binding_handle *b,
+ struct policy_handle *domain_handle,
+ const char *name,
+ struct policy_handle *user_handle)
+{
+ struct lsa_String username;
+ struct samr_CreateUser r;
+ uint32_t rid = 0;
+ NTSTATUS status;
+
+ init_lsa_String(&username, name);
+
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r.in.domain_handle = domain_handle;
+ r.in.account_name = &username;
+ r.out.user_handle = user_handle;
+ r.out.rid = &rid;
+
+ status = dcerpc_samr_CreateUser_r(b, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status, "CreateUser failed");
+ if (!NT_STATUS_IS_OK(r.out.result)) {
+ torture_comment(tctx, "CreateUser failed");
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_samr_OpenUser(struct torture_context *tctx,
+ struct dcerpc_binding_handle *b,
+ struct policy_handle *domain_handle,
+ const char *name,
+ struct policy_handle *user_handle,
+ bool expected)
+{
+ struct samr_OpenUser r;
+ uint32_t rid = 0;
+ NTSTATUS status;
+ bool ok;
+
+ ok = test_LookupName(b, tctx, domain_handle, name, &rid);
+ if (!ok && expected) {
+ torture_comment(tctx, " - lookup name for %s failed\n", name);
+ return true;
+ } else if (!ok) {
+ return false;
+ }
+
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r.in.domain_handle = domain_handle;
+ r.in.rid = rid;
+ r.out.user_handle = user_handle;
+
+ status = dcerpc_samr_OpenUser_r(b, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status, "CreateUser failed");
+ if (!NT_STATUS_IS_OK(r.out.result)) {
+ torture_comment(tctx, "CreateUser failed");
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_samr_openDomain(struct torture_context *tctx,
+ struct dcerpc_binding_handle *b,
+ struct policy_handle *connect_handle,
+ const char *domain,
+ struct policy_handle *domain_handle)
+{
+ struct samr_LookupDomain r;
+ struct samr_OpenDomain r2;
+ struct lsa_String n;
+ struct dom_sid *sid;
+ NTSTATUS status;
+
+ r.in.connect_handle = connect_handle;
+ init_lsa_String(&n, domain);
+ r.in.domain_name = &n;
+ r.out.sid = &sid;
+
+ status = dcerpc_samr_LookupDomain_r(b, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status, "LookupDomain failed");
+ if (!NT_STATUS_IS_OK(r.out.result)) {
+ torture_comment(tctx, "LookupDomain failed - %s\n", nt_errstr(r.out.result));
+ return false;
+ }
+
+ r2.in.connect_handle = connect_handle;
+ r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r2.in.sid = sid;
+ r2.out.domain_handle = domain_handle;
+
+ status = dcerpc_samr_OpenDomain_r(b, tctx, &r2);
+ torture_assert_ntstatus_ok(tctx, status, "OpenDomain failed");
+ if (!NT_STATUS_IS_OK(r2.out.result)) {
+ torture_comment(tctx, "OpenDomain failed - %s\n", nt_errstr(r.out.result));
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_samr_Connect(struct torture_context *tctx,
+ struct dcerpc_binding_handle *b,
+ struct policy_handle *connect_handle)
+{
+ struct samr_Connect r;
+ NTSTATUS status;
+
+ r.in.system_name = 0;
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r.out.connect_handle = connect_handle;
+
+ status = dcerpc_samr_Connect_r(b, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status, "SAMR connect failed");
+ if (!NT_STATUS_IS_OK(r.out.result)) {
+ torture_comment(tctx, "Connect failed - %s\n", nt_errstr(r.out.result));
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_samr_create_user(struct torture_context *tctx,
+ struct torture_access_context *t,
+ const char *name)
+{
+ struct dcerpc_binding_handle *b = t->pipe->binding_handle;
+ struct policy_handle connect_handle;
+ struct policy_handle domain_handle;
+ struct policy_handle user_handle;
+ bool ok = false;
+
+ torture_comment(tctx, "Connecting to SAMR\n");
+ ZERO_STRUCT(connect_handle);
+ ok = test_samr_Connect(tctx, b, &connect_handle);
+ torture_assert(tctx, ok, "Unable to connect to domain");
+
+ torture_comment(tctx, "Opening domain %s\n", t->user.domain);
+ ZERO_STRUCT(domain_handle);
+ ok = test_samr_openDomain(tctx,
+ b,
+ &connect_handle,
+ t->user.domain,
+ &domain_handle);
+ torture_assert(tctx, ok, "Unable to open to domain");
+
+ torture_comment(tctx, "Creating account %s\n", name);
+ ZERO_STRUCT(user_handle);
+ ok = test_samr_CreateUser(tctx,
+ b,
+ &domain_handle,
+ name,
+ &user_handle);
+
+ test_samr_handle_Close(b, tctx, &domain_handle);
+ test_samr_handle_Close(b, tctx, &connect_handle);
+
+ return ok;
+}
+
+static bool test_samr_userinfo_getinfo(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ bool expected)
+{
+ const char *name;
+ struct dcerpc_pipe *p2 = NULL;
+ struct dcerpc_binding_handle *b;
+ struct policy_handle connect_handle;
+ struct policy_handle domain_handle;
+ struct policy_handle user_handle;
+ NTSTATUS status;
+ uint32_t i = 0;
+ bool ok;
+
+ status = torture_rpc_connection(tctx, &p2, &ndr_table_samr);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Creating secondary connection failed");
+ b = p2->binding_handle;
+
+ torture_comment(tctx, " - 2nd connect\n");
+ /* connect */
+ ZERO_STRUCT(connect_handle);
+ ok = test_samr_Connect(tctx, b, &connect_handle);
+ torture_assert(tctx, ok, "Unable to connect to domain");
+
+ torture_comment(tctx, " - 2nd open domain\n");
+ /* open domain */
+ ZERO_STRUCT(domain_handle);
+ ok = test_samr_openDomain(tctx,
+ b,
+ &connect_handle,
+ torture_setting_string(tctx, "workgroup",
+ lpcfg_workgroup(tctx->lp_ctx)),
+ &domain_handle);
+ torture_assert(tctx, ok, "Unable to open to domain");
+
+ /* create user */
+ name = talloc_asprintf(tctx,
+ "%s%04d",
+ TEST_ACCOUNT_NAME,
+ i);
+
+ torture_comment(tctx, " - 2nd open user\n");
+ ZERO_STRUCT(user_handle);
+ ok = test_samr_OpenUser(tctx,
+ b,
+ &domain_handle,
+ name,
+ &user_handle,
+ expected);
+ torture_assert(tctx, ok, "Unable to open user");
+
+ if (!expected) {
+ torture_comment(tctx, " - 2nd query user\n");
+ ok = test_samr_queryUserInfo(tctx, b, &user_handle);
+ torture_assert(tctx, ok, "Unable to query user");
+
+ test_samr_handle_Close(b, tctx, &user_handle);
+ }
+
+ test_samr_handle_Close(b, tctx, &domain_handle);
+ test_samr_handle_Close(b, tctx, &connect_handle);
+
+ talloc_free(p2);
+
+ return true;
+}
+
+#define NUM_RUNS 20
+static bool torture_rpc_samr_caching(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
+{
+ struct test_join *join;
+ const char *password = NULL;
+ const char *name;
+ NTSTATUS status;
+ uint32_t i = 0;
+ bool ok;
+
+ torture_comment(tctx, ">>> Testing User Info Caching\n");
+
+ /* create user */
+ name = talloc_asprintf(tctx,
+ "%s%04d",
+ TEST_ACCOUNT_NAME,
+ i);
+
+ torture_comment(tctx, "- Creating user %s\n", name);
+
+ join = torture_create_testuser(tctx,
+ name,
+ torture_setting_string(tctx, "workgroup",
+ lpcfg_workgroup(tctx->lp_ctx)),
+ ACB_NORMAL,
+ &password);
+ if (join == NULL) {
+ return false;
+ }
+
+ torture_comment(tctx, "- Query user information\n");
+ for (i = 0; i < NUM_RUNS; i++) {
+ ok = test_samr_userinfo_getinfo(tctx, p, false);
+ torture_assert(tctx, ok, "test_samr_userinfo_getinfo failed");
+ }
+
+ torture_comment(tctx, "- Delete user\n");
+ status = torture_delete_testuser(tctx,
+ join,
+ name);
+ if (!NT_STATUS_IS_OK(status)) {
+ torture_comment(tctx, "DeleteUser failed - %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ torture_comment(tctx, "- Try to query user information again (should fail)\n");
+ for (i = 0; i < NUM_RUNS; i++) {
+ ok = test_samr_userinfo_getinfo(tctx,
+ p,
+ true);
+ torture_assert(tctx, ok, "test_samr_userinfo_getinfo failed");
+ }
+
+ return true;
+}
+#undef NUM_RUNS
+
+static bool torture_rpc_samr_access_setup_membership(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ uint32_t num_members,
+ uint32_t *members,
+ struct dom_sid *user_sid)
+{
+ struct dcerpc_binding_handle *b = p->binding_handle;
+ struct policy_handle connect_handle, domain_handle;
+ int i;
+
+ torture_comment(tctx,
+ "Setting up BUILTIN membership for %s\n",
+ dom_sid_string(tctx, user_sid));
+
+ for (i=0; i < num_members; i++) {
+ torture_comment(tctx, "adding user to S-1-5-32-%d\n", members[i]);
+ }
+
+ /* connect */
+ {
+ struct samr_Connect2 r;
+ r.in.system_name = "";
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ ZERO_STRUCT(connect_handle);
+ r.out.connect_handle = &connect_handle;
+
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_samr_Connect2_r(b, tctx, &r),
+ "samr_Connect2 failed");
+ torture_assert_ntstatus_ok(tctx, r.out.result,
+ "samr_Connect2 failed");
+ }
+
+ /* open domain */
+ {
+ struct samr_OpenDomain r;
+ r.in.connect_handle = &connect_handle;
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r.in.sid = dom_sid_parse_talloc(tctx, "S-1-5-32");
+ ZERO_STRUCT(domain_handle);
+ r.out.domain_handle = &domain_handle;
+
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_samr_OpenDomain_r(b, tctx, &r),
+ "samr_OpenDomain failed");
+ torture_assert_ntstatus_ok(tctx, r.out.result,
+ "samr_OpenDomain failed");
+ }
+
+ for (i = 0; i < num_members; i++) {
+
+ struct policy_handle alias_handle;
+
+ /* open alias */
+ {
+ struct samr_OpenAlias r;
+ r.in.domain_handle = &domain_handle;
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r.in.rid = members[i];
+ ZERO_STRUCT(alias_handle);
--
Samba Shared Repository
More information about the samba-cvs
mailing list