Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : test suite for forest trust
4 :
5 : Copyright (C) Andrew Tridgell 2003
6 : Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7 : Copyright (C) Sumit Bose <sbose@redhat.com> 2010
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 : #include "includes.h"
24 : #include "torture/torture.h"
25 : #include "librpc/gen_ndr/ndr_lsa_c.h"
26 : #include "librpc/gen_ndr/ndr_drsblobs.h"
27 : #include "librpc/gen_ndr/ndr_netlogon_c.h"
28 : #include "libcli/security/security.h"
29 : #include "libcli/auth/credentials.h"
30 : #include "libcli/auth/libcli_auth.h"
31 : #include "torture/rpc/torture_rpc.h"
32 : #include "param/param.h"
33 :
34 : #include <gnutls/gnutls.h>
35 : #include <gnutls/crypto.h>
36 :
37 : #undef strcasecmp
38 :
39 : #define TEST_DOM "torturedom"
40 : #define TEST_DOM_DNS "torturedom.samba.example.com"
41 : #define TEST_DOM_SID "S-1-5-21-97398-379795-10000"
42 : #define TEST_MACHINE_NAME "lsatestmach"
43 :
44 :
45 18 : static bool test_get_policy_handle(struct torture_context *tctx,
46 : struct dcerpc_pipe *p,
47 : uint32_t access_mask,
48 : struct policy_handle **handle )
49 : {
50 18 : struct policy_handle *h = NULL;
51 18 : struct lsa_ObjectAttribute attr = {
52 : .len = 0,
53 : };
54 18 : union lsa_revision_info in_rinfo = {
55 : .info1 = {
56 : .revision = 1,
57 : .supported_features = LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER,
58 : },
59 : };
60 18 : union lsa_revision_info out_rinfo = {
61 : .info1.revision = 0,
62 : };
63 18 : uint32_t out_version = 0;
64 18 : struct lsa_OpenPolicy3 r = {
65 : .in = {
66 : .system_name = "\\",
67 : .attr = &attr,
68 : .access_mask = access_mask,
69 : .in_version = 1,
70 : .in_revision_info = &in_rinfo,
71 : },
72 : .out = {
73 : .out_version = &out_version,
74 : .out_revision_info = &out_rinfo,
75 : }
76 : };
77 0 : NTSTATUS status;
78 :
79 18 : *handle = NULL;
80 :
81 18 : h = talloc_zero(tctx, struct policy_handle);
82 18 : torture_assert_not_null(tctx, h, "talloc_zero(tctx, struct policy_handle)");
83 18 : r.out.handle = h;
84 :
85 18 : status = dcerpc_lsa_OpenPolicy3_r(p->binding_handle, tctx, &r);
86 18 : torture_assert_ntstatus_ok(tctx, status, "OpenPolicy3 failed");
87 18 : torture_assert_ntstatus_ok(tctx, r.out.result, "OpenPolicy3 failed");
88 :
89 18 : torture_assert_int_equal(tctx,
90 : out_version,
91 : 1,
92 : "Invalid version");
93 18 : torture_assert_int_equal(tctx,
94 : out_rinfo.info1.revision,
95 : 1,
96 : "Invalid revision");
97 18 : torture_assert_int_equal(tctx,
98 : out_rinfo.info1.supported_features,
99 : LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER,
100 : "Invalid supported feature set");
101 :
102 18 : *handle = h;
103 18 : return true;
104 : }
105 :
106 3 : static bool test_create_trust_and_set_info(struct dcerpc_pipe *p,
107 : struct torture_context *tctx,
108 : const char *trust_name,
109 : const char *trust_name_dns,
110 : struct dom_sid *domsid,
111 : struct lsa_TrustDomainInfoAuthInfoInternal *authinfo)
112 : {
113 0 : struct policy_handle *handle;
114 0 : struct lsa_lsaRSetForestTrustInformation fti;
115 3 : struct lsa_ForestTrustCollisionInfo *collision_info = NULL;
116 0 : struct lsa_Close cr;
117 0 : struct policy_handle closed_handle;
118 0 : struct lsa_CreateTrustedDomainEx2 r;
119 0 : struct lsa_TrustDomainInfoInfoEx trustinfo;
120 0 : struct policy_handle trustdom_handle;
121 0 : struct lsa_QueryTrustedDomainInfo q;
122 3 : union lsa_TrustedDomainInfo *info = NULL;
123 :
124 3 : if (!test_get_policy_handle(tctx, p,
125 : (LSA_POLICY_VIEW_LOCAL_INFORMATION |
126 : LSA_POLICY_TRUST_ADMIN |
127 : LSA_POLICY_CREATE_SECRET), &handle)) {
128 0 : return false;
129 : }
130 :
131 3 : torture_comment(tctx, "\nTesting CreateTrustedDomainEx2\n");
132 :
133 3 : trustinfo.sid = domsid;
134 3 : trustinfo.netbios_name.string = trust_name;
135 3 : trustinfo.domain_name.string = trust_name_dns;
136 :
137 3 : trustinfo.trust_direction = LSA_TRUST_DIRECTION_INBOUND |
138 : LSA_TRUST_DIRECTION_OUTBOUND;
139 :
140 3 : trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL;
141 :
142 : /*
143 : * MS-LSAD: Section 3.1.4.7.10 makes it clear that Win2k3
144 : * functional level and above return
145 : * NT_STATUS_INVALID_DOMAIN_STATE if
146 : * TRUST_ATTRIBUTE_FOREST_TRANSITIVE or
147 : * TRUST_ATTRIBUTE_CROSS_ORGANIZATION is set here.
148 : *
149 : * But we really want to test forest trusts here.
150 : */
151 3 : trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
152 :
153 3 : r.in.policy_handle = handle;
154 3 : r.in.info = &trustinfo;
155 3 : r.in.auth_info_internal = authinfo;
156 : /* LSA_TRUSTED_QUERY_DOMAIN_NAME is needed for for following
157 : * QueryTrustedDomainInfo call, although it seems that Windows does not
158 : * expect this */
159 3 : r.in.access_mask = LSA_TRUSTED_SET_POSIX | LSA_TRUSTED_SET_AUTH | LSA_TRUSTED_QUERY_DOMAIN_NAME;
160 3 : r.out.trustdom_handle = &trustdom_handle;
161 :
162 3 : torture_assert_ntstatus_ok(tctx,
163 : dcerpc_lsa_CreateTrustedDomainEx2_r(p->binding_handle, tctx, &r),
164 : "CreateTrustedDomainEx2 failed");
165 3 : torture_assert_ntstatus_ok(tctx, r.out.result, "CreateTrustedDomainEx2 failed");
166 :
167 3 : q.in.trustdom_handle = &trustdom_handle;
168 3 : q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
169 3 : q.out.info = &info;
170 :
171 3 : torture_assert_ntstatus_ok(tctx,
172 : dcerpc_lsa_QueryTrustedDomainInfo_r(p->binding_handle, tctx, &q),
173 : "QueryTrustedDomainInfo failed");
174 3 : torture_assert_ntstatus_ok(tctx, q.out.result, "QueryTrustedDomainInfo level 1");
175 3 : torture_assert(tctx, q.out.info != NULL, "QueryTrustedDomainInfo level 1 failed to return an info pointer");
176 3 : torture_assert_str_equal(tctx, info->info_ex.netbios_name.string,
177 : trustinfo.netbios_name.string,
178 : "QueryTrustedDomainInfo returned inconsistent short name");
179 3 : torture_assert_int_equal(tctx, info->info_ex.trust_type, trustinfo.trust_type,
180 : "QueryTrustedDomainInfo returned incorrect trust type");
181 3 : torture_assert_int_equal(tctx, info->info_ex.trust_attributes, trustinfo.trust_attributes,
182 : "QueryTrustedDomainInfo of returned incorrect trust attributes");
183 3 : torture_assert_int_equal(tctx, info->info_ex.trust_direction, trustinfo.trust_direction,
184 : "QueryTrustedDomainInfo of returned incorrect trust direction");
185 :
186 3 : fti.in.handle = handle;
187 3 : fti.in.trusted_domain_name = talloc_zero(tctx, struct lsa_StringLarge);
188 3 : fti.in.trusted_domain_name->string = trust_name_dns;
189 3 : fti.in.highest_record_type = 2;
190 3 : fti.in.forest_trust_info = talloc_zero(tctx, struct lsa_ForestTrustInformation);
191 3 : fti.in.forest_trust_info->count = 2;
192 3 : fti.in.forest_trust_info->entries = talloc_array(tctx, struct lsa_ForestTrustRecord *, 2);
193 3 : fti.in.forest_trust_info->entries[0] = talloc_zero(tctx, struct lsa_ForestTrustRecord);
194 3 : fti.in.forest_trust_info->entries[0]->flags = 0;
195 3 : fti.in.forest_trust_info->entries[0]->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
196 3 : fti.in.forest_trust_info->entries[0]->time = 0;
197 3 : fti.in.forest_trust_info->entries[0]->forest_trust_data.top_level_name.string = trust_name_dns;
198 3 : fti.in.forest_trust_info->entries[1] = talloc_zero(tctx, struct lsa_ForestTrustRecord);
199 3 : fti.in.forest_trust_info->entries[1]->flags = 0;
200 3 : fti.in.forest_trust_info->entries[1]->type = LSA_FOREST_TRUST_DOMAIN_INFO;
201 3 : fti.in.forest_trust_info->entries[1]->time = 0;
202 3 : fti.in.forest_trust_info->entries[1]->forest_trust_data.domain_info.domain_sid = domsid;
203 3 : fti.in.forest_trust_info->entries[1]->forest_trust_data.domain_info.dns_domain_name.string = trust_name_dns;
204 3 : fti.in.forest_trust_info->entries[1]->forest_trust_data.domain_info.netbios_domain_name.string = trust_name;
205 3 : fti.in.check_only = 0;
206 3 : fti.out.collision_info = &collision_info;
207 :
208 3 : torture_comment(tctx, "\nTesting SetForestTrustInformation\n");
209 :
210 3 : torture_assert_ntstatus_ok(tctx,
211 : dcerpc_lsa_lsaRSetForestTrustInformation_r(p->binding_handle, tctx, &fti),
212 : "lsaRSetForestTrustInformation failed");
213 3 : torture_assert_ntstatus_ok(tctx, fti.out.result, "lsaRSetForestTrustInformation failed");
214 :
215 3 : cr.in.handle = handle;
216 3 : cr.out.handle = &closed_handle;
217 3 : torture_assert_ntstatus_ok(tctx,
218 : dcerpc_lsa_Close_r(p->binding_handle, tctx, &cr),
219 : "Close failed");
220 3 : torture_assert_ntstatus_ok(tctx, cr.out.result, "Close failed");
221 :
222 3 : return true;
223 : }
224 :
225 : struct get_set_info {
226 : enum lsa_TrustDomInfoEnum info_level;
227 : NTSTATUS get_result;
228 : NTSTATUS set_result;
229 : };
230 :
231 3 : static bool get_and_set_info(struct dcerpc_pipe *p,
232 : struct torture_context *tctx,
233 : const char *name)
234 : {
235 0 : struct policy_handle *handle;
236 0 : NTSTATUS status;
237 0 : struct lsa_QueryTrustedDomainInfoByName qr;
238 0 : struct lsa_SetTrustedDomainInfoByName sr;
239 0 : union lsa_TrustedDomainInfo *info;
240 0 : struct lsa_Close cr;
241 0 : struct policy_handle closed_handle;
242 0 : size_t c;
243 :
244 3 : struct get_set_info il[] = {
245 : {LSA_TRUSTED_DOMAIN_INFO_NAME, NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER},
246 : /* {LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS, NT_STATUS_INVALID_PARAMETER, NT_STATUS_INVALID_INFO_CLASS}, */
247 : {LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET, NT_STATUS_OK, NT_STATUS_OK},
248 : /* {LSA_TRUSTED_DOMAIN_INFO_PASSWORD, NT_STATUS_INVALID_PARAMETER, NT_STATUS_INVALID_INFO_CLASS}, */
249 : /* {LSA_TRUSTED_DOMAIN_INFO_BASIC, NT_STATUS_INVALID_PARAMETER, NT_STATUS_INVALID_INFO_CLASS}, */
250 : {LSA_TRUSTED_DOMAIN_INFO_INFO_EX, NT_STATUS_OK, NT_STATUS_OK},
251 : /* {LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO, NT_STATUS_INVALID_PARAMETER, NT_STATUS_INVALID_INFO_CLASS}, */
252 : {LSA_TRUSTED_DOMAIN_INFO_FULL_INFO, NT_STATUS_OK, NT_STATUS_OK},
253 : /* {LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL, NT_STATUS_INVALID_PARAMETER, NT_STATUS_INVALID_INFO_CLASS}, */
254 : /* {LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL, NT_STATUS_INVALID_PARAMETER, NT_STATUS_INVALID_INFO_CLASS}, */
255 : /* {LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL, NT_STATUS_INVALID_PARAMETER, NT_STATUS_INVALID_INFO_CLASS}, */
256 : {LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL, NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER},
257 : {LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES, NT_STATUS_OK, NT_STATUS_OK},
258 : { .info_level = -1, },
259 : };
260 :
261 3 : torture_comment(tctx, "\nGetting/Setting dom info\n");
262 :
263 3 : if(!test_get_policy_handle(tctx, p, LSA_POLICY_VIEW_LOCAL_INFORMATION,
264 : &handle)) {
265 0 : return false;
266 : }
267 :
268 3 : qr.in.handle = handle;
269 3 : qr.in.trusted_domain = talloc_zero(tctx, struct lsa_String);
270 3 : qr.in.trusted_domain->string = name;
271 3 : qr.out.info = &info;
272 :
273 3 : sr.in.handle = handle;
274 3 : sr.in.trusted_domain = talloc_zero(tctx, struct lsa_String);
275 3 : sr.in.trusted_domain->string = name;
276 3 : sr.in.info = info;
277 :
278 21 : for (c = 0; il[c].info_level != -1; c++) {
279 18 : torture_comment(tctx, "\nGetting/Setting dom info [%d]\n",il[c].info_level);
280 :
281 18 : qr.in.level = il[c].info_level;
282 18 : status = dcerpc_lsa_QueryTrustedDomainInfoByName_r(p->binding_handle,
283 : tctx, &qr);
284 18 : torture_assert_ntstatus_equal(tctx, status, NT_STATUS_OK,
285 : "QueryTrustedDomainInfoByName failed");
286 18 : if (!NT_STATUS_EQUAL(qr.out.result, il[c].get_result)) {
287 0 : torture_comment(tctx, "QueryTrustedDomainInfoByName did not return "
288 : "%s but %s\n",
289 : nt_errstr(il[c].get_result),
290 : nt_errstr(qr.out.result));
291 :
292 : /* We may be testing a server without support for this level */
293 0 : if (qr.in.level == LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES && NT_STATUS_EQUAL(qr.out.result, NT_STATUS_INVALID_PARAMETER)) {
294 0 : return true;
295 : }
296 0 : return false;
297 : }
298 :
299 18 : sr.in.level = il[c].info_level;
300 18 : sr.in.info = info;
301 18 : status = dcerpc_lsa_SetTrustedDomainInfoByName_r(p->binding_handle,
302 : tctx, &sr);
303 18 : torture_assert_ntstatus_equal(tctx, status, NT_STATUS_OK,
304 : "SetTrustedDomainInfoByName failed");
305 18 : if (!NT_STATUS_EQUAL(sr.out.result, il[c].set_result)) {
306 0 : torture_comment(tctx, "SetTrustedDomainInfoByName did not return "
307 : "%s but %s\n",
308 : nt_errstr(il[c].set_result),
309 : nt_errstr(sr.out.result));
310 0 : return false;
311 : }
312 : }
313 :
314 3 : cr.in.handle = handle;
315 3 : cr.out.handle = &closed_handle;
316 3 : torture_assert_ntstatus_ok(tctx,
317 : dcerpc_lsa_Close_r(p->binding_handle, tctx, &cr),
318 : "Close failed");
319 3 : torture_assert_ntstatus_ok(tctx, cr.out.result, "Close failed");
320 :
321 3 : return true;
322 : }
323 :
324 6 : static bool check_name(struct dcerpc_pipe *p, struct torture_context *tctx,
325 : const char *name)
326 : {
327 0 : struct policy_handle *handle;
328 0 : NTSTATUS status;
329 0 : struct lsa_QueryTrustedDomainInfoByName qr;
330 0 : union lsa_TrustedDomainInfo *info;
331 0 : struct lsa_Close cr;
332 0 : struct policy_handle closed_handle;
333 :
334 6 : torture_comment(tctx, "\nGetting LSA_TRUSTED_DOMAIN_INFO_FULL_INFO\n");
335 :
336 6 : if(!test_get_policy_handle(tctx, p, LSA_POLICY_VIEW_LOCAL_INFORMATION,
337 : &handle)) {
338 0 : return false;
339 : }
340 :
341 6 : qr.in.handle = handle;
342 6 : qr.in.trusted_domain = talloc_zero(tctx, struct lsa_String);
343 6 : qr.in.trusted_domain->string = name;
344 6 : qr.in.level = LSA_TRUSTED_DOMAIN_INFO_FULL_INFO;
345 6 : qr.out.info = &info;
346 6 : status = dcerpc_lsa_QueryTrustedDomainInfoByName_r(p->binding_handle,
347 : tctx, &qr);
348 6 : torture_assert_ntstatus_ok(tctx, status,
349 : "QueryInfoPolicy2 failed");
350 6 : torture_assert_ntstatus_equal(tctx, qr.out.result, NT_STATUS_OBJECT_NAME_NOT_FOUND,
351 : "QueryInfoPolicy2 did not return "
352 : "NT_STATUS_OBJECT_NAME_NOT_FOUND");
353 :
354 6 : cr.in.handle = handle;
355 6 : cr.out.handle = &closed_handle;
356 6 : torture_assert_ntstatus_ok(tctx,
357 : dcerpc_lsa_Close_r(p->binding_handle, tctx, &cr),
358 : "Close failed");
359 6 : torture_assert_ntstatus_ok(tctx, cr.out.result, "Close failed");
360 :
361 6 : return true;
362 : }
363 :
364 3 : static bool get_lsa_policy_info_dns(struct dcerpc_pipe *p,
365 : struct torture_context *tctx,
366 : union lsa_PolicyInformation **info)
367 : {
368 0 : struct policy_handle *handle;
369 0 : NTSTATUS status;
370 0 : struct lsa_QueryInfoPolicy2 qr;
371 0 : struct lsa_Close cr;
372 0 : struct policy_handle closed_handle;
373 :
374 3 : torture_comment(tctx, "\nGetting LSA_POLICY_INFO_DNS\n");
375 :
376 3 : if (!test_get_policy_handle(tctx, p, LSA_POLICY_VIEW_LOCAL_INFORMATION,
377 : &handle)) {
378 0 : return false;
379 : }
380 :
381 3 : qr.in.handle = handle;
382 3 : qr.in.level = LSA_POLICY_INFO_DNS;
383 3 : qr.out.info = info;
384 3 : status = dcerpc_lsa_QueryInfoPolicy2_r(p->binding_handle, tctx, &qr);
385 3 : torture_assert_ntstatus_equal(tctx, status, NT_STATUS_OK,
386 : "QueryInfoPolicy2 failed");
387 3 : if (!NT_STATUS_IS_OK(qr.out.result)) {
388 0 : torture_comment(tctx, "QueryInfoPolicy2 failed - %s\n",
389 : nt_errstr(qr.out.result));
390 0 : return false;
391 : }
392 :
393 3 : cr.in.handle = handle;
394 3 : cr.out.handle = &closed_handle;
395 3 : torture_assert_ntstatus_ok(tctx,
396 : dcerpc_lsa_Close_r(p->binding_handle, tctx, &cr),
397 : "Close failed");
398 3 : torture_assert_ntstatus_ok(tctx, cr.out.result, "Close failed");
399 :
400 3 : return true;
401 : }
402 :
403 3 : static bool delete_trusted_domain_by_sid(struct dcerpc_pipe *p,
404 : struct torture_context *tctx,
405 : struct dom_sid *domsid)
406 : {
407 0 : struct policy_handle *handle;
408 0 : struct lsa_Close cr;
409 0 : struct policy_handle closed_handle;
410 0 : struct lsa_DeleteTrustedDomain dr;
411 :
412 3 : torture_comment(tctx, "\nDeleting trusted domain.\n");
413 :
414 : /* Against a windows server it was sufficient to have
415 : * LSA_POLICY_VIEW_LOCAL_INFORMATION although the documentations says
416 : * otherwise. */
417 3 : if (!test_get_policy_handle(tctx, p, LSA_POLICY_TRUST_ADMIN,
418 : &handle)) {
419 0 : return false;
420 : }
421 :
422 3 : dr.in.handle = handle;
423 3 : dr.in.dom_sid = domsid;
424 :
425 3 : torture_assert_ntstatus_ok(tctx,
426 : dcerpc_lsa_DeleteTrustedDomain_r(p->binding_handle, tctx, &dr),
427 : "DeleteTrustedDomain failed");
428 3 : torture_assert_ntstatus_ok(tctx, dr.out.result, "DeleteTrustedDomain failed");
429 :
430 3 : cr.in.handle = handle;
431 3 : cr.out.handle = &closed_handle;
432 3 : torture_assert_ntstatus_ok(tctx,
433 : dcerpc_lsa_Close_r(p->binding_handle, tctx, &cr),
434 : "Close failed");
435 3 : torture_assert_ntstatus_ok(tctx, cr.out.result, "Close failed");
436 :
437 3 : return true;
438 : }
439 :
440 : /*
441 : static const uint8_t my_blob[] = {
442 : 0xa3,0x0b,0x32,0x45,0x8b,0x84,0x3b,0x01,0x68,0xe8,0x2b,0xbb,0x00,0x13,0x69,0x1f,
443 : 0x10,0x35,0x72,0xa9,0x4f,0x77,0xb7,0xeb,0x59,0x08,0x07,0xc3,0xe8,0x17,0x00,0xc5,
444 : 0xf2,0xa9,0x6d,0xb7,0x69,0x45,0x63,0x20,0xcb,0x44,0x44,0x22,0x02,0xe3,0x28,0x84,
445 : 0x9b,0xd5,0x43,0x6f,0x8d,0x36,0x9b,0x9b,0x3b,0x31,0x86,0x84,0x8b,0xf2,0x36,0xd4,
446 : 0xe8,0xc4,0xee,0x90,0x0c,0xcb,0x3e,0x11,0x2f,0x86,0xfe,0x87,0x6d,0xce,0xae,0x0c,
447 : 0x83,0xfb,0x21,0x22,0x6d,0x7f,0x5e,0x08,0x71,0x1a,0x35,0xf4,0x5a,0x76,0x9b,0xf7,
448 : 0x54,0x62,0xa5,0x4c,0xcd,0xf6,0xa5,0xb0,0x0b,0xc7,0x79,0xe1,0x6f,0x85,0x16,0x6f,
449 : 0x82,0xdd,0x15,0x11,0x4c,0x9d,0x26,0x01,0x74,0x7e,0xbb,0xec,0x88,0x1d,0x71,0x9e,
450 : 0x5f,0xb2,0x9c,0xab,0x66,0x20,0x08,0x3d,0xae,0x07,0x2d,0xbb,0xa6,0xfb,0xec,0xcc,
451 : 0x51,0x58,0x48,0x47,0x38,0x3b,0x47,0x66,0xe8,0x17,0xfa,0x54,0x5c,0x95,0x73,0x29,
452 : 0xdf,0x7e,0x4a,0xb4,0x45,0x30,0xf7,0xbf,0xc0,0x56,0x6d,0x80,0xf6,0x11,0x56,0x93,
453 : 0xeb,0x97,0xd5,0x10,0xd6,0xd6,0xf7,0x23,0xc3,0xc0,0x93,0xa7,0x5c,0xa9,0xc0,0x81,
454 : 0x55,0x3d,0xec,0x03,0x31,0x7e,0x9d,0xf9,0xd0,0x9e,0xb5,0xc7,0xef,0xa8,0x54,0xf6,
455 : 0x9c,0xdc,0x0d,0xd4,0xd7,0xee,0x8d,0x5f,0xbd,0x89,0x48,0x3b,0x63,0xff,0xe8,0xca,
456 : 0x10,0x64,0x61,0xdf,0xfd,0x50,0xff,0x51,0xa0,0x2c,0xd7,0x8a,0xf1,0x13,0x02,0x02,
457 : 0x71,0xe9,0xff,0x0d,0x03,0x48,0xf8,0x08,0x8d,0xd5,0xe6,0x31,0x9f,0xf0,0x26,0x07,
458 : 0x91,0x6d,0xd3,0x01,0x91,0x92,0xc7,0x28,0x18,0x58,0xd8,0xf6,0x1b,0x97,0x8d,0xd0,
459 : 0xd2,0xa1,0x7c,0xae,0xc1,0xca,0xfe,0x20,0x91,0x1c,0x4d,0x15,0x89,0x29,0x37,0xd5,
460 : 0xf5,0xca,0x40,0x2b,0x03,0x8f,0x7b,0xc2,0x10,0xb4,0xd3,0xe8,0x14,0xb0,0x9b,0x5d,
461 : 0x85,0x30,0xe5,0x13,0x24,0xf7,0x78,0xec,0xbe,0x0b,0x9a,0x3f,0xb5,0x76,0xd9,0x0d,
462 : 0x49,0x64,0xa4,0xa7,0x33,0x88,0xdd,0xe9,0xe2,0x5f,0x04,0x51,0xdd,0x89,0xe2,0x68,
463 : 0x5b,0x5f,0x64,0x35,0xe3,0x23,0x4a,0x0e,0x09,0x15,0xcc,0x97,0x47,0xf4,0xc2,0x4f,
464 : 0x06,0xc3,0x96,0xa9,0x2f,0xb3,0xde,0x29,0x10,0xc7,0xf5,0x16,0xc5,0x3c,0x84,0xd2,
465 : 0x9b,0x6b,0xaa,0x54,0x59,0x8d,0x94,0xde,0xd1,0x75,0xb6,0x08,0x0d,0x7d,0xf1,0x18,
466 : 0xc8,0xf5,0xdf,0xaa,0xcd,0xec,0xab,0xb6,0xd1,0xcb,0xdb,0xe7,0x75,0x5d,0xbe,0x76,
467 : 0xea,0x1d,0x01,0xc8,0x0b,0x2d,0x32,0xe9,0xa8,0x65,0xbb,0x4a,0xcb,0x72,0xbc,0xda,
468 : 0x04,0x7f,0x82,0xfb,0x04,0xeb,0xd8,0xe1,0xb9,0xb1,0x1e,0xdc,0xb3,0x60,0xf3,0x55,
469 : 0x1e,0xcf,0x90,0x6a,0x15,0x74,0x4d,0xff,0xb4,0xc7,0xc9,0xc2,0x4f,0x67,0x9e,0xeb,
470 : 0x00,0x61,0x02,0xe3,0x9e,0x59,0x88,0x20,0xf1,0x0c,0xbe,0xe0,0x26,0x69,0x63,0x67,
471 : 0x72,0x3c,0x06,0x00,0x9e,0x4f,0xc7,0xa6,0x4d,0x6c,0xbe,0x68,0x8e,0xf4,0x32,0x36,
472 : 0x2e,0x5f,0xa6,0xcf,0xa7,0x19,0x40,0x2b,0xbd,0xa2,0x22,0x73,0xc4,0xb6,0xe3,0x86,
473 : 0x64,0xeb,0xb1,0xc7,0x45,0x7d,0xd6,0xd9,0x36,0xf1,0x04,0xd4,0x61,0xdc,0x41,0xb7,
474 : 0x01,0x00,0x00,0x00,0x0c,0x00,0x00,0x00, 0x30,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
475 : 0x02,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
476 : 0x35,0x00,0x36,0x00,0x37,0x00,0x38,0x00,0x39,0x00,0x30,0x00,0x01,0x00,0x00,0x00,
477 : 0x0c,0x00,0x00,0x00, 0x30,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
478 : 0x14,0x00,0x00,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00,0x36,0x00,
479 : 0x37,0x00,0x38,0x00,0x39,0x00,0x30,0x00,0x30,0x00,0x00,0x00,0x30,0x00,0x00,0x00
480 : };
481 : */
482 3 : static bool get_trust_domain_passwords_auth_blob(TALLOC_CTX *mem_ctx,
483 : const char *password,
484 : DATA_BLOB *auth_blob)
485 : {
486 0 : struct trustDomainPasswords auth_struct;
487 0 : struct AuthenticationInformation *auth_info_array;
488 0 : enum ndr_err_code ndr_err;
489 0 : size_t converted_size;
490 :
491 3 : generate_random_buffer(auth_struct.confounder,
492 : sizeof(auth_struct.confounder));
493 :
494 3 : auth_info_array = talloc_array(mem_ctx,
495 : struct AuthenticationInformation, 1);
496 3 : if (auth_info_array == NULL) {
497 0 : return false;
498 : }
499 :
500 3 : auth_info_array[0].AuthType = TRUST_AUTH_TYPE_CLEAR;
501 3 : if (!convert_string_talloc(mem_ctx, CH_UNIX, CH_UTF16, password,
502 : strlen(password),
503 3 : &auth_info_array[0].AuthInfo.clear.password,
504 : &converted_size)) {
505 0 : return false;
506 : }
507 :
508 3 : auth_info_array[0].AuthInfo.clear.size = converted_size;
509 :
510 3 : auth_struct.outgoing.count = 1;
511 3 : auth_struct.outgoing.current.count = 1;
512 3 : auth_struct.outgoing.current.array = auth_info_array;
513 3 : auth_struct.outgoing.previous.count = 0;
514 3 : auth_struct.outgoing.previous.array = NULL;
515 :
516 3 : auth_struct.incoming.count = 1;
517 3 : auth_struct.incoming.current.count = 1;
518 3 : auth_struct.incoming.current.array = auth_info_array;
519 3 : auth_struct.incoming.previous.count = 0;
520 3 : auth_struct.incoming.previous.array = NULL;
521 :
522 3 : ndr_err = ndr_push_struct_blob(auth_blob, mem_ctx, &auth_struct,
523 : (ndr_push_flags_fn_t)ndr_push_trustDomainPasswords);
524 3 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
525 0 : return false;
526 : }
527 :
528 3 : return true;
529 : }
530 :
531 3 : static bool test_validate_trust(struct torture_context *tctx,
532 : const char *binding,
533 : const char *trusting_dom_name,
534 : const char *trusting_dom_dns_name,
535 : const char *trusted_dom_name,
536 : const char *trusted_dom_dns_name,
537 : const char *trust_password)
538 : {
539 0 : struct netr_ServerGetTrustInfo r;
540 :
541 0 : struct netr_Authenticator a;
542 0 : struct netr_Authenticator return_authenticator;
543 0 : struct samr_Password new_owf_password;
544 0 : struct samr_Password old_owf_password;
545 0 : struct netr_TrustInfo *trust_info;
546 :
547 0 : struct netlogon_creds_CredentialState *creds;
548 :
549 0 : NTSTATUS status;
550 0 : struct cli_credentials *credentials;
551 0 : struct dcerpc_binding *b;
552 3 : struct dcerpc_pipe *p1 = NULL;
553 3 : struct dcerpc_pipe *p = NULL;
554 :
555 0 : struct netr_GetForestTrustInformation fr;
556 0 : struct lsa_ForestTrustInformation *forest_trust_info;
557 3 : struct lsa_ForestTrustRecord *tln = NULL;
558 3 : struct lsa_ForestTrustRecord *di = NULL;
559 0 : int i;
560 0 : struct samr_Password *new_nt_hash;
561 0 : struct samr_Password *old_nt_hash;
562 0 : char *dummy;
563 3 : uint32_t trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
564 :
565 3 : status = dcerpc_parse_binding(tctx, binding, &b);
566 3 : torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
567 :
568 3 : credentials = cli_credentials_init(tctx);
569 3 : torture_assert(tctx, credentials != NULL, "cli_credentials_init()");
570 :
571 3 : dummy = talloc_asprintf(tctx, "%s$", trusted_dom_name);
572 3 : cli_credentials_set_username(credentials, dummy,
573 : CRED_SPECIFIED);
574 3 : cli_credentials_set_domain(credentials, trusting_dom_name,
575 : CRED_SPECIFIED);
576 3 : cli_credentials_set_realm(credentials, trusting_dom_dns_name,
577 : CRED_SPECIFIED);
578 3 : cli_credentials_set_password(credentials, trust_password, CRED_SPECIFIED);
579 3 : cli_credentials_set_old_password(credentials, trust_password, CRED_SPECIFIED);
580 3 : cli_credentials_set_workstation(credentials,
581 : trusted_dom_name, CRED_SPECIFIED);
582 3 : cli_credentials_set_secure_channel_type(credentials, SEC_CHAN_DOMAIN);
583 :
584 3 : status = dcerpc_pipe_connect_b(tctx, &p1, b,
585 : &ndr_table_netlogon, credentials,
586 : tctx->ev, tctx->lp_ctx);
587 :
588 3 : if (NT_STATUS_IS_ERR(status)) {
589 0 : torture_comment(tctx, "Failed to connect to remote server: %s with %s - %s\n",
590 : binding,
591 : cli_credentials_get_unparsed_name(credentials, tctx),
592 : nt_errstr(status));
593 0 : return false;
594 : }
595 :
596 3 : if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
597 : credentials, &creds)) {
598 0 : torture_comment(tctx, "test_SetupCredentials3 failed.\n");
599 0 : return false;
600 : }
601 3 : if (!test_SetupCredentialsPipe(p1, tctx, credentials, creds,
602 : DCERPC_SIGN | DCERPC_SEAL, &p)) {
603 0 : torture_comment(tctx, "test_SetupCredentialsPipe failed.\n");
604 0 : return false;
605 : }
606 :
607 3 : netlogon_creds_client_authenticator(creds, &a);
608 :
609 3 : r.in.server_name = talloc_asprintf(tctx, "\\\\%s",
610 : dcerpc_server_name(p));
611 3 : r.in.account_name = talloc_asprintf(tctx, "%s$", trusted_dom_name);
612 3 : r.in.secure_channel_type = cli_credentials_get_secure_channel_type(credentials);
613 3 : r.in.computer_name = trusted_dom_name;
614 3 : r.in.credential = &a;
615 :
616 3 : r.out.return_authenticator = &return_authenticator;
617 3 : r.out.new_owf_password = &new_owf_password;
618 3 : r.out.old_owf_password = &old_owf_password;
619 3 : r.out.trust_info = &trust_info;
620 :
621 3 : torture_assert_ntstatus_ok(tctx,
622 : dcerpc_netr_ServerGetTrustInfo_r(p->binding_handle, tctx, &r),
623 : "ServerGetTrustInfo failed");
624 3 : torture_assert_ntstatus_ok(tctx, r.out.result,
625 : "ServerGetTrustInfo failed");
626 :
627 3 : torture_assert(tctx, trust_info != NULL, "ServerGetTrustInfo got no trust_info");
628 3 : torture_assert_int_equal(tctx, trust_info->count, 1,
629 : "Unexpected number of results");
630 3 : torture_assert_int_equal(tctx, trust_info->data[0], trust_attributes,
631 : "Unexpected trust_attributes");
632 :
633 3 : new_nt_hash = cli_credentials_get_nt_hash(credentials, tctx);
634 3 : torture_assert(tctx, new_nt_hash != NULL, "cli_credentials_get_nt_hash()");
635 :
636 3 : old_nt_hash = cli_credentials_get_old_nt_hash(credentials, tctx);
637 3 : torture_assert(tctx, old_nt_hash != NULL, "cli_credentials_get_old_nt_hash()");
638 :
639 3 : netlogon_creds_des_decrypt(creds, &new_owf_password);
640 3 : netlogon_creds_des_decrypt(creds, &old_owf_password);
641 :
642 3 : dump_data(1, new_owf_password.hash, 16);
643 3 : dump_data(1, new_nt_hash->hash, 16);
644 3 : dump_data(1, old_owf_password.hash, 16);
645 3 : dump_data(1, old_nt_hash->hash, 16);
646 :
647 3 : torture_assert_mem_equal(tctx, new_owf_password.hash, new_nt_hash->hash, 16,
648 : "received unexpected new owf password\n");
649 :
650 3 : torture_assert_mem_equal(tctx, old_owf_password.hash, old_nt_hash->hash, 16,
651 : "received unexpected old owf password\n");
652 :
653 3 : netlogon_creds_client_authenticator(creds, &a);
654 :
655 3 : fr.in.server_name = talloc_asprintf(tctx, "\\\\%s",
656 : dcerpc_server_name(p));
657 3 : fr.in.computer_name = trusted_dom_name;
658 3 : fr.in.credential = &a;
659 3 : fr.in.flags = 0;
660 3 : fr.out.return_authenticator = &return_authenticator;
661 3 : fr.out.forest_trust_info = &forest_trust_info;
662 :
663 3 : torture_assert_ntstatus_ok(tctx,
664 : dcerpc_netr_GetForestTrustInformation_r(p->binding_handle, tctx, &fr),
665 : "netr_GetForestTrustInformation failed");
666 3 : torture_assert_ntstatus_ok(tctx, r.out.result,
667 : "netr_GetForestTrustInformation failed");
668 :
669 15 : for(i = 0; i < forest_trust_info->count; i++) {
670 12 : struct lsa_ForestTrustRecord *e = forest_trust_info->entries[i];
671 :
672 12 : switch (e->type) {
673 9 : case LSA_FOREST_TRUST_TOP_LEVEL_NAME:
674 9 : if (strcmp(e->forest_trust_data.top_level_name.string, trusting_dom_dns_name) != 0) {
675 6 : break;
676 : }
677 :
678 3 : torture_assert(tctx, tln == NULL, "TOP_LEVEL_NAME found twice");
679 :
680 3 : tln = e;
681 3 : break;
682 :
683 0 : case LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX:
684 0 : break;
685 :
686 3 : case LSA_FOREST_TRUST_DOMAIN_INFO:
687 3 : if (strcmp(e->forest_trust_data.domain_info.dns_domain_name.string, trusting_dom_dns_name) != 0) {
688 0 : break;
689 : }
690 :
691 3 : torture_assert(tctx, di == NULL, "DOMAIN_INFO found twice");
692 :
693 3 : di = e;
694 3 : break;
695 0 : default:
696 0 : torture_assert_int_equal(tctx, e->type, LSA_FOREST_TRUST_TOP_LEVEL_NAME,
697 : "Unexpected LSA_FOREST_TRUST_* type");
698 : }
699 : }
700 :
701 3 : torture_assert(tctx, tln != NULL, "TOP_LEVEL_NAME entry missing");
702 3 : torture_assert(tctx, di != NULL, "DOMAIN_INFO entry missing");
703 :
704 3 : torture_assert_str_equal(tctx, di->forest_trust_data.domain_info.netbios_domain_name.string,
705 : trusting_dom_name,
706 : "netbios_domain_name mismatch");
707 :
708 3 : return true;
709 : }
710 :
711 3 : static bool test_setup_trust(struct torture_context *tctx,
712 : struct dcerpc_pipe *p,
713 : const char *netbios_name,
714 : const char *dns_name,
715 : struct dom_sid *sid,
716 : DATA_BLOB *auth_blob)
717 :
718 : {
719 0 : DATA_BLOB session_key;
720 0 : struct lsa_TrustDomainInfoAuthInfoInternal authinfo;
721 0 : NTSTATUS status;
722 3 : gnutls_cipher_hd_t cipher_hnd = NULL;
723 0 : gnutls_datum_t _session_key;
724 :
725 3 : if (!check_name(p, tctx, netbios_name)) {
726 0 : return false;
727 : }
728 3 : if (!check_name(p, tctx, dns_name)) {
729 0 : return false;
730 : }
731 :
732 3 : status = dcerpc_fetch_session_key(p, &session_key);
733 3 : if (!NT_STATUS_IS_OK(status)) {
734 0 : torture_comment(tctx, "dcerpc_fetch_session_key failed - %s\n",
735 : nt_errstr(status));
736 0 : return false;
737 : }
738 :
739 3 : authinfo.auth_blob.data = talloc_memdup(tctx, auth_blob->data,
740 : auth_blob->length);
741 3 : if (authinfo.auth_blob.data == NULL) {
742 0 : return false;
743 : }
744 3 : authinfo.auth_blob.size = auth_blob->length;
745 :
746 3 : _session_key = (gnutls_datum_t) {
747 3 : .data = session_key.data,
748 3 : .size = session_key.length,
749 : };
750 :
751 3 : gnutls_cipher_init(&cipher_hnd,
752 : GNUTLS_CIPHER_ARCFOUR_128,
753 : &_session_key,
754 : NULL);
755 3 : gnutls_cipher_encrypt(cipher_hnd,
756 3 : authinfo.auth_blob.data,
757 3 : authinfo.auth_blob.size);
758 3 : gnutls_cipher_deinit(cipher_hnd);
759 :
760 3 : if (!test_create_trust_and_set_info(p, tctx, netbios_name,
761 : dns_name, sid, &authinfo)) {
762 0 : return false;
763 : }
764 :
765 3 : return true;
766 : }
767 :
768 3 : static bool testcase_ForestTrusts(struct torture_context *tctx,
769 : struct dcerpc_pipe *p)
770 : {
771 0 : const char *dom2_binding_string;
772 0 : const char * dom2_cred_string;
773 0 : NTSTATUS status;
774 0 : struct dom_sid *domsid;
775 0 : DATA_BLOB auth_blob;
776 0 : struct dcerpc_binding *dom2_binding;
777 0 : struct dcerpc_pipe *dom2_p;
778 0 : struct cli_credentials *dom2_credentials;
779 3 : union lsa_PolicyInformation *dom1_info_dns = NULL;
780 3 : union lsa_PolicyInformation *dom2_info_dns = NULL;
781 3 : const char *binding = torture_setting_string(tctx, "binding", NULL);
782 0 : char *test_password;
783 :
784 3 : torture_comment(tctx, "Testing Forest Trusts\n");
785 :
786 3 : test_password = generate_random_password(tctx, 32, 64);
787 3 : torture_assert(tctx, test_password != NULL, "test password must be generated");
788 :
789 3 : if (!get_trust_domain_passwords_auth_blob(tctx, test_password, &auth_blob)) {
790 0 : torture_comment(tctx,
791 : "get_trust_domain_passwords_auth_blob failed\n");
792 0 : return false;
793 : }
794 :
795 : #if 0
796 : /* Use the following if get_trust_domain_passwords_auth_blob() cannot
797 : * generate a usable blob due to errors in the IDL */
798 : auth_blob.data = talloc_memdup(tctx, my_blob, sizeof(my_blob));
799 : auth_blob.length = sizeof(my_blob);
800 :
801 : test_password = "1234567890"
802 : #endif
803 :
804 3 : domsid = dom_sid_parse_talloc(tctx, TEST_DOM_SID);
805 3 : if (domsid == NULL) {
806 0 : return false;
807 : }
808 :
809 3 : if (!test_setup_trust(tctx, p, TEST_DOM, TEST_DOM_DNS, domsid,
810 : &auth_blob)) {
811 0 : return false;
812 : }
813 :
814 3 : if (!get_lsa_policy_info_dns(p, tctx, &dom1_info_dns)) {
815 0 : return false;
816 : }
817 :
818 3 : if (!get_and_set_info(p, tctx, TEST_DOM)) {
819 0 : return false;
820 : }
821 :
822 3 : if (!test_validate_trust(tctx, binding,
823 3 : dom1_info_dns->dns.name.string,
824 3 : dom1_info_dns->dns.dns_domain.string,
825 : TEST_DOM, TEST_DOM_DNS, test_password)) {
826 0 : return false;
827 : }
828 :
829 3 : if (!delete_trusted_domain_by_sid(p, tctx, domsid)) {
830 0 : return false;
831 : }
832 :
833 3 : dom2_binding_string = torture_setting_string(tctx,
834 : "Forest_Trust_Dom2_Binding",
835 : NULL);
836 3 : if (dom2_binding_string == NULL) {
837 3 : torture_skip(tctx, "torture:Forest_Trust_Dom2_Binding not specified\n");
838 : }
839 :
840 0 : status = dcerpc_parse_binding(tctx, dom2_binding_string, &dom2_binding);
841 0 : torture_assert_ntstatus_ok(tctx, status, "dcerpc_parse_binding()");
842 :
843 0 : dom2_cred_string = torture_setting_string(tctx,
844 : "Forest_Trust_Dom2_Creds",
845 : NULL);
846 0 : torture_assert(tctx, dom2_cred_string != NULL, "torture:Forest_Trust_Dom2_Creds missing");
847 :
848 0 : dom2_credentials = cli_credentials_init(tctx);
849 0 : torture_assert(tctx, dom2_credentials != NULL, "cli_credentials_init()");
850 :
851 0 : cli_credentials_parse_string(dom2_credentials, dom2_cred_string,
852 : CRED_SPECIFIED);
853 0 : cli_credentials_set_workstation(dom2_credentials,
854 : TEST_MACHINE_NAME, CRED_SPECIFIED);
855 :
856 0 : status = dcerpc_pipe_connect_b(tctx, &dom2_p, dom2_binding,
857 : &ndr_table_lsarpc, dom2_credentials,
858 : tctx->ev, tctx->lp_ctx);
859 0 : torture_assert_ntstatus_ok(tctx, status, talloc_asprintf(tctx,
860 : "Failed to connect to remote server: %s\n",
861 : dcerpc_binding_string(tctx, dom2_binding)));
862 :
863 0 : if (!get_lsa_policy_info_dns(dom2_p, tctx, &dom2_info_dns)) {
864 0 : return false;
865 : }
866 :
867 0 : if (strcasecmp(dom1_info_dns->dns.name.string,
868 0 : dom2_info_dns->dns.name.string) == 0 ||
869 0 : strcasecmp(dom1_info_dns->dns.dns_domain.string,
870 0 : dom2_info_dns->dns.dns_domain.string) == 0)
871 : {
872 0 : torture_assert(tctx, false, talloc_asprintf(tctx,
873 : "Trusting (%s;%s) and trusted domain (%s;%s) have the "
874 : "same name",
875 : dom1_info_dns->dns.name.string,
876 : dom1_info_dns->dns.dns_domain.string,
877 : dom2_info_dns->dns.name.string,
878 : dom2_info_dns->dns.dns_domain.string));
879 : }
880 :
881 0 : if (!test_setup_trust(tctx, p, dom2_info_dns->dns.name.string,
882 0 : dom2_info_dns->dns.dns_domain.string,
883 0 : dom2_info_dns->dns.sid, &auth_blob)) {
884 0 : return false;
885 : }
886 0 : if (!test_setup_trust(tctx, dom2_p, dom1_info_dns->dns.name.string,
887 0 : dom1_info_dns->dns.dns_domain.string,
888 0 : dom1_info_dns->dns.sid, &auth_blob)) {
889 0 : return false;
890 : }
891 :
892 0 : if (!test_validate_trust(tctx, binding,
893 0 : dom1_info_dns->dns.name.string,
894 0 : dom1_info_dns->dns.dns_domain.string,
895 0 : dom2_info_dns->dns.name.string,
896 0 : dom2_info_dns->dns.dns_domain.string, test_password)) {
897 0 : return false;
898 : }
899 :
900 0 : if (!test_validate_trust(tctx, dom2_binding_string,
901 0 : dom2_info_dns->dns.name.string,
902 0 : dom2_info_dns->dns.dns_domain.string,
903 0 : dom1_info_dns->dns.name.string,
904 0 : dom1_info_dns->dns.dns_domain.string, test_password)) {
905 0 : return false;
906 : }
907 :
908 0 : if (!delete_trusted_domain_by_sid(p, tctx, dom2_info_dns->dns.sid)) {
909 0 : return false;
910 : }
911 :
912 0 : if (!delete_trusted_domain_by_sid(dom2_p, tctx, dom1_info_dns->dns.sid)) {
913 0 : return false;
914 : }
915 :
916 0 : return true;
917 : }
918 :
919 : /* By default this test creates a trust object in the destination server to a
920 : * dummy domain. If a second server from a different domain is specified on the
921 : * command line a trust is created between those two domains.
922 : *
923 : * Example:
924 : * smbtorture ncacn_np:srv1.dom1.test[print] RPC-LSA-FOREST-TRUST \
925 : * -U 'dom1\testadm1%12345678' \
926 : * --option=torture:Forest_Trust_Dom2_Binding=ncacn_np:srv2.dom2.test[print] \
927 : * --option=torture:Forest_Trust_Dom2_Creds='dom2\testadm2%12345678'
928 : */
929 :
930 2338 : struct torture_suite *torture_rpc_lsa_forest_trust(TALLOC_CTX *mem_ctx)
931 : {
932 125 : struct torture_suite *suite;
933 125 : struct torture_rpc_tcase *tcase;
934 :
935 2338 : suite = torture_suite_create(mem_ctx, "lsa.forest.trust");
936 :
937 2338 : tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa-forest-trust",
938 : &ndr_table_lsarpc);
939 2338 : torture_rpc_tcase_add_test(tcase, "ForestTrust", testcase_ForestTrusts);
940 :
941 2338 : return suite;
942 : }
|
