LCOV - code coverage report
Current view: top level - source4/torture/rpc - remote_pac.c (source / functions) Hit Total Coverage
Test: coverage report for abartlet/fix-coverage dd10fb34 Lines: 546 575 95.0 %
Date: 2021-09-23 10:06:22 Functions: 19 20 95.0 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    test suite for netlogon PAC operations
       5             : 
       6             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2012
       7             : 
       8             :    This program is free software; you can redistribute it and/or modify
       9             :    it under the terms of the GNU General Public License as published by
      10             :    the Free Software Foundation; either version 3 of the License, or
      11             :    (at your option) any later version.
      12             : 
      13             :    This program is distributed in the hope that it will be useful,
      14             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      15             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      16             :    GNU General Public License for more details.
      17             : 
      18             :    You should have received a copy of the GNU General Public License
      19             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      20             : */
      21             : 
      22             : #include "includes.h"
      23             : #include "auth/auth.h"
      24             : #include "auth/auth_sam_reply.h"
      25             : #include "auth/gensec/gensec.h"
      26             : #include "system/kerberos.h"
      27             : #include "auth/kerberos/kerberos.h"
      28             : #include "auth/credentials/credentials.h"
      29             : #include "auth/credentials/credentials_krb5.h"
      30             : #include "lib/cmdline/cmdline.h"
      31             : #include "torture/rpc/torture_rpc.h"
      32             : #include "libcli/auth/libcli_auth.h"
      33             : #include "libcli/security/security.h"
      34             : #include "librpc/gen_ndr/ndr_netlogon_c.h"
      35             : #include "librpc/gen_ndr/ndr_krb5pac.h"
      36             : #include "librpc/gen_ndr/ndr_samr_c.h"
      37             : #include "param/param.h"
      38             : #include <ldb.h>
      39             : #include "ldb_wrap.h"
      40             : #include "dsdb/samdb/samdb.h"
      41             : 
      42             : #define TEST_MACHINE_NAME_BDC "torturepacbdc"
      43             : #define TEST_MACHINE_NAME_WKSTA "torturepacwksta"
      44             : #define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc"
      45             : #define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk"
      46             : #define TEST_MACHINE_NAME_S4U2PROXY_WKSTA "tests4u2proxywk"
      47             : 
      48             : struct pac_data {
      49             :         DATA_BLOB pac_blob;
      50             :         struct PAC_SIGNATURE_DATA *pac_srv_sig;
      51             :         struct PAC_SIGNATURE_DATA *pac_kdc_sig;
      52             : };
      53             : 
      54             : /* A helper function which avoids touching the local databases to
      55             :  * generate the session info, as we just want to verify the PAC
      56             :  * details, not the full local token */
      57         100 : static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
      58             :                                                TALLOC_CTX *mem_ctx,
      59             :                                                struct smb_krb5_context *smb_krb5_context,
      60             :                                                DATA_BLOB *pac_blob,
      61             :                                                const char *principal_name,
      62             :                                                const struct tsocket_address *remote_address,
      63             :                                                uint32_t session_info_flags,
      64             :                                                struct auth_session_info **session_info)
      65             : {
      66             :         NTSTATUS nt_status;
      67             :         struct auth_user_info_dc *user_info_dc;
      68             :         TALLOC_CTX *tmp_ctx;
      69             :         struct pac_data *pac_data;
      70             : 
      71         100 :         tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
      72         100 :         NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
      73             : 
      74         100 :         auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data);
      75             : 
      76         100 :         pac_data->pac_blob = data_blob_dup_talloc(pac_data, *pac_blob);
      77         100 :         if (pac_data->pac_blob.length != pac_blob->length) {
      78           0 :                 talloc_free(tmp_ctx);
      79           0 :                 return NT_STATUS_NO_MEMORY;
      80             :         }
      81             : 
      82         100 :         pac_data->pac_srv_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
      83         100 :         if (!pac_data->pac_srv_sig) {
      84           0 :                 talloc_free(tmp_ctx);
      85           0 :                 return NT_STATUS_NO_MEMORY;
      86             :         }
      87         100 :         pac_data->pac_kdc_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
      88         100 :         if (!pac_data->pac_kdc_sig) {
      89           0 :                 talloc_free(tmp_ctx);
      90           0 :                 return NT_STATUS_NO_MEMORY;
      91             :         }
      92             : 
      93         100 :         nt_status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
      94             :                                                       *pac_blob,
      95             :                                                       smb_krb5_context->krb5_context,
      96             :                                                       &user_info_dc,
      97             :                                                       pac_data->pac_srv_sig,
      98             :                                                       pac_data->pac_kdc_sig);
      99         100 :         if (!NT_STATUS_IS_OK(nt_status)) {
     100           0 :                 talloc_free(tmp_ctx);
     101           0 :                 return nt_status;
     102             :         }
     103             : 
     104         100 :         talloc_steal(pac_data, pac_data->pac_srv_sig);
     105         100 :         talloc_steal(pac_data, pac_data->pac_kdc_sig);
     106             : 
     107         100 :         if (user_info_dc->info->authenticated) {
     108         100 :                 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
     109             :         }
     110             : 
     111         100 :         session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
     112         100 :         nt_status = auth_generate_session_info(mem_ctx,
     113             :                                                NULL,
     114             :                                                NULL,
     115             :                                                user_info_dc, session_info_flags,
     116             :                                                session_info);
     117         100 :         if (!NT_STATUS_IS_OK(nt_status)) {
     118           0 :                 talloc_free(tmp_ctx);
     119           0 :                 return nt_status;
     120             :         }
     121             : 
     122         100 :         talloc_free(tmp_ctx);
     123         100 :         return nt_status;
     124             : }
     125             : 
     126             : /* Check to see if we can pass the PAC across to the NETLOGON server for validation */
     127             : 
     128         280 : static const struct PAC_BUFFER *get_pac_buffer(const struct PAC_DATA *pac_data,
     129             :                                                enum PAC_TYPE type)
     130             : {
     131         280 :         const struct PAC_BUFFER *pac_buf = NULL;
     132             :         uint32_t i;
     133             : 
     134         900 :         for (i = 0; i < pac_data->num_buffers; ++i) {
     135         900 :                 pac_buf = &pac_data->buffers[i];
     136             : 
     137         900 :                 if (pac_buf->type == type) {
     138         280 :                         break;
     139             :                 }
     140             :         }
     141             : 
     142         280 :         return pac_buf;
     143             : }
     144             : 
     145             : /* Also happens to be a really good one-step verfication of our Kerberos stack */
     146             : 
     147             : static bool netlogon_validate_pac(struct torture_context *tctx,
     148             :                                   struct dcerpc_pipe *p1,
     149             :                                   struct cli_credentials *server_creds,
     150             :                                   enum netr_SchannelType secure_channel_type,
     151             :                                   const char *test_machine_name,
     152             :                                   uint32_t negotiate_flags,
     153             :                                   struct pac_data *pac_data,
     154             :                                   struct auth_session_info *session_info);
     155             : 
     156          40 : static bool test_PACVerify(struct torture_context *tctx,
     157             :                            struct dcerpc_pipe *p,
     158             :                            struct cli_credentials *credentials,
     159             :                            enum netr_SchannelType secure_channel_type,
     160             :                            const char *test_machine_name,
     161             :                            uint32_t negotiate_flags)
     162             : {
     163             :         NTSTATUS status;
     164             :         bool ok;
     165          40 :         const char *pkinit_ccache = torture_setting_string(tctx, "pkinit_ccache", NULL);
     166          40 :         bool pkinit_in_use = pkinit_ccache != NULL;
     167          40 :         bool expect_pac_upn_dns_info = torture_setting_bool(tctx, "expect_pac_upn_dns_info", true);
     168             :         size_t num_pac_buffers;
     169             :         struct gensec_security *gensec_client_context;
     170             :         struct gensec_security *gensec_server_context;
     171             :         struct cli_credentials *client_creds;
     172             :         struct cli_credentials *server_creds;
     173             : 
     174             :         DATA_BLOB client_to_server, server_to_client;
     175             :         struct PAC_DATA pac_data_struct;
     176             :         enum ndr_err_code ndr_err;
     177             : 
     178             :         struct auth4_context *auth_context;
     179             :         struct auth_session_info *session_info;
     180             :         struct pac_data *pac_data;
     181          40 :         const struct PAC_BUFFER *pac_buf = NULL;
     182             : 
     183          40 :         TALLOC_CTX *tmp_ctx = talloc_new(tctx);
     184          40 :         torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
     185             : 
     186          40 :         torture_comment(tctx,
     187             :                 "Testing PAC Verify (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n",
     188             :                 secure_channel_type, test_machine_name, negotiate_flags);
     189             : 
     190          40 :         if (pkinit_in_use) {
     191           8 :                 struct cli_credentials *tmp_creds = NULL;
     192           8 :                 const char *error_string = NULL;
     193             :                 int rc;
     194             : 
     195           8 :                 torture_comment(tctx,
     196             :                                 "Using pkinit_ccache=%s\n",
     197             :                                 pkinit_ccache);
     198             : 
     199           8 :                 tmp_creds = cli_credentials_init(tctx);
     200           8 :                 torture_assert(tctx, tmp_creds, "Failed to create credentials");
     201             : 
     202           8 :                 rc = cli_credentials_set_ccache(tmp_creds,
     203             :                                                 tctx->lp_ctx,
     204             :                                                 pkinit_ccache,
     205             :                                                 CRED_SPECIFIED,
     206             :                                                 &error_string);
     207           8 :                 torture_assert_int_equal(tctx,
     208             :                                          rc,
     209             :                                          0,
     210             :                                          "cli_credentials_set_ccache failed");
     211           8 :                 cli_credentials_set_kerberos_state(tmp_creds,
     212             :                                                    CRED_USE_KERBEROS_REQUIRED,
     213             :                                                    CRED_SPECIFIED);
     214             : 
     215             :                 /*
     216             :                  * Copy the credentials in order to use a different MEMORY krb5
     217             :                  * ccache for each client/server setup. The MEMORY cache
     218             :                  * identifier is a pointer to the creds container. If we copy
     219             :                  * it the pointer changes and we will get a new clean memory
     220             :                  * cache.
     221             :                  */
     222           8 :                 client_creds =
     223           0 :                         cli_credentials_shallow_copy(tmp_ctx, tmp_creds);
     224           8 :                 torture_assert(tctx,
     225             :                                client_creds,
     226             :                                "Failed to copy of credentials");
     227             :         } else {
     228             :                 /*
     229             :                  * Copy the credentials in order to use a different MEMORY krb5
     230             :                  * ccache for each client/server setup. The MEMORY cache
     231             :                  * identifier is a pointer to the creds container. If we copy
     232             :                  * it the pointer changes and we will get a new clean memory
     233             :                  * cache.
     234             :                  */
     235          16 :                 client_creds =
     236          32 :                         cli_credentials_shallow_copy(tmp_ctx,
     237             :                                                      samba_cmdline_get_creds());
     238          32 :                 torture_assert(tctx,
     239             :                                client_creds,
     240             :                                "Failed to copy of credentials");
     241          32 :                 cli_credentials_invalidate_ccache(client_creds, CRED_SPECIFIED);
     242             :         }
     243             : 
     244             : 
     245          40 :         server_creds = cli_credentials_shallow_copy(tmp_ctx,
     246             :                                                     credentials);
     247          40 :         torture_assert(tctx, server_creds, "Failed to copy of credentials");
     248             : 
     249          40 :         auth_context = talloc_zero(tmp_ctx, struct auth4_context);
     250          40 :         torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
     251             : 
     252          40 :         auth_context->generate_session_info_pac = test_generate_session_info_pac;
     253             : 
     254          40 :         status = gensec_client_start(tctx, &gensec_client_context,
     255             :                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
     256          40 :         torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
     257             : 
     258          40 :         status = gensec_set_target_hostname(gensec_client_context, test_machine_name);
     259             : 
     260          40 :         status = gensec_set_credentials(gensec_client_context, client_creds);
     261          40 :         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
     262             : 
     263          40 :         status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI");
     264          40 :         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
     265             : 
     266          40 :         status = gensec_server_start(tctx,
     267             :                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx),
     268             :                                      auth_context, &gensec_server_context);
     269          40 :         torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
     270             : 
     271          40 :         status = gensec_set_credentials(gensec_server_context, server_creds);
     272          40 :         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
     273             : 
     274          40 :         status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI");
     275          40 :         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed");
     276             : 
     277          40 :         server_to_client = data_blob(NULL, 0);
     278             : 
     279             :         do {
     280             :                 /* Do a client-server update dance */
     281         168 :                 status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server);
     282         120 :                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
     283          40 :                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
     284             :                 }
     285             : 
     286         120 :                 status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client);
     287         120 :                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
     288          40 :                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
     289             :                 }
     290             : 
     291         120 :                 if (NT_STATUS_IS_OK(status)) {
     292          40 :                         break;
     293             :                 }
     294             :         } while (1);
     295             : 
     296             :         /* Extract the PAC using Samba's code */
     297             : 
     298          40 :         status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info);
     299          40 :         torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
     300             : 
     301          40 :         pac_data = talloc_get_type(auth_context->private_data, struct pac_data);
     302             : 
     303          40 :         torture_assert(tctx, pac_data != NULL, "gensec_update failed to fill in pac_data in auth_context");
     304          40 :         torture_assert(tctx, pac_data->pac_srv_sig != NULL, "pac_srv_sig not present");
     305          40 :         torture_assert(tctx, pac_data->pac_kdc_sig != NULL, "pac_kdc_sig not present");
     306             : 
     307          40 :         ndr_err = ndr_pull_struct_blob(&pac_data->pac_blob, tmp_ctx, &pac_data_struct,
     308             :                                        (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
     309          40 :         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed");
     310             : 
     311          40 :         num_pac_buffers = 4;
     312          40 :         if (expect_pac_upn_dns_info) {
     313          40 :                 num_pac_buffers += 1;
     314             :         }
     315          40 :         if (pkinit_in_use) {
     316           8 :                 num_pac_buffers += 1;
     317             :         }
     318             : 
     319          40 :         torture_assert_int_equal(tctx, pac_data_struct.version, 0, "version");
     320          40 :         torture_assert_int_equal(tctx, pac_data_struct.num_buffers, num_pac_buffers, "num_buffers");
     321             : 
     322          40 :         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_LOGON_INFO);
     323          40 :         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_LOGON_INFO");
     324          40 :         torture_assert(tctx,
     325             :                        pac_buf->info != NULL,
     326             :                        "PAC_TYPE_LOGON_INFO info");
     327             : 
     328          40 :         if (pkinit_in_use) {
     329           8 :                 pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_CREDENTIAL_INFO);
     330           8 :                 torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_CREDENTIAL_INFO");
     331           8 :                 torture_assert(tctx,
     332             :                                pac_buf->info != NULL,
     333             :                                "PAC_TYPE_CREDENTIAL_INFO info");
     334             :         }
     335             : 
     336          40 :         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_LOGON_NAME);
     337          40 :         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_LOGON_NAME");
     338          40 :         torture_assert(tctx,
     339             :                        pac_buf->info != NULL,
     340             :                        "PAC_TYPE_LOGON_NAME info");
     341             : 
     342          40 :         if (expect_pac_upn_dns_info) {
     343          40 :                 pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_UPN_DNS_INFO);
     344          40 :                 torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_UPN_DNS_INFO");
     345          40 :                 torture_assert(tctx,
     346             :                                pac_buf->info != NULL,
     347             :                                "PAC_TYPE_UPN_DNS_INFO info");
     348             :         }
     349             : 
     350          40 :         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_SRV_CHECKSUM);
     351          40 :         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_SRV_CHECKSUM");
     352          40 :         torture_assert(tctx,
     353             :                        pac_buf->info != NULL,
     354             :                        "PAC_TYPE_SRV_CHECKSUM info");
     355             : 
     356          40 :         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_KDC_CHECKSUM);
     357          40 :         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_KDC_CHECKSUM");
     358          40 :         torture_assert(tctx,
     359             :                        pac_buf->info != NULL,
     360             :                        "PAC_TYPE_KDC_CHECKSUM info");
     361             : 
     362          40 :         ok = netlogon_validate_pac(tctx, p, server_creds, secure_channel_type, test_machine_name,
     363             :                                    negotiate_flags, pac_data, session_info);
     364             : 
     365          40 :         talloc_free(tmp_ctx);
     366             : 
     367          40 :         return ok;
     368             : }
     369             : 
     370          52 : static bool netlogon_validate_pac(struct torture_context *tctx,
     371             :                                   struct dcerpc_pipe *p1,
     372             :                                   struct cli_credentials *server_creds,
     373             :                                   enum netr_SchannelType secure_channel_type,
     374             :                                   const char *test_machine_name,
     375             :                                   uint32_t negotiate_flags,
     376             :                                   struct pac_data *pac_data,
     377             :                                   struct auth_session_info *session_info)
     378             : {
     379             :         struct PAC_Validate pac_wrapped_struct;
     380          52 :         struct netlogon_creds_CredentialState *creds = NULL;
     381             :         struct netr_Authenticator return_authenticator;
     382             :         struct netr_Authenticator auth, auth2;
     383             :         struct netr_GenericInfo generic;
     384             :         struct netr_LogonSamLogon r;
     385             :         union netr_Validation validation;
     386             :         union netr_LogonLevel logon;
     387             :         uint8_t authoritative;
     388          52 :         struct dcerpc_pipe *p = NULL;
     389          52 :         struct dcerpc_binding_handle *b = NULL;
     390             :         enum ndr_err_code ndr_err;
     391             :         DATA_BLOB payload, pac_wrapped;
     392             : 
     393          52 :         if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
     394             :                                     server_creds, secure_channel_type,
     395             :                                     &creds)) {
     396           0 :                 return false;
     397             :         }
     398          52 :         if (!test_SetupCredentialsPipe(p1, tctx, server_creds, creds,
     399             :                                        DCERPC_SIGN | DCERPC_SEAL, &p)) {
     400           0 :                 return false;
     401             :         }
     402          52 :         b = p->binding_handle;
     403             : 
     404          52 :         pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length;
     405          52 :         pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type;
     406          52 :         pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length;
     407          52 :         pac_wrapped_struct.ChecksumAndSignature = payload
     408          52 :                 = data_blob_talloc(tctx, NULL,
     409             :                                    pac_wrapped_struct.ChecksumLength
     410             :                                    + pac_wrapped_struct.SignatureLength);
     411          88 :         memcpy(&payload.data[0],
     412          52 :                pac_data->pac_srv_sig->signature.data,
     413          52 :                pac_wrapped_struct.ChecksumLength);
     414          88 :         memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
     415          52 :                pac_data->pac_kdc_sig->signature.data,
     416          52 :                pac_wrapped_struct.SignatureLength);
     417             : 
     418          52 :         ndr_err = ndr_push_struct_blob(&pac_wrapped, tctx, &pac_wrapped_struct,
     419             :                                        (ndr_push_flags_fn_t)ndr_push_PAC_Validate);
     420          52 :         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
     421             : 
     422          52 :         torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
     423          52 :         if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
     424          26 :                 netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
     425             :         } else {
     426          26 :                 netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
     427             :         }
     428             : 
     429          52 :         generic.length = pac_wrapped.length;
     430          52 :         generic.data = pac_wrapped.data;
     431             : 
     432             :         /* Validate it over the netlogon pipe */
     433             : 
     434          52 :         generic.identity_info.parameter_control = 0;
     435          52 :         generic.identity_info.logon_id = 0;
     436          52 :         generic.identity_info.domain_name.string = session_info->info->domain_name;
     437          52 :         generic.identity_info.account_name.string = session_info->info->account_name;
     438          52 :         generic.identity_info.workstation.string = test_machine_name;
     439             : 
     440          52 :         generic.package_name.string = "Kerberos";
     441             : 
     442          52 :         logon.generic = &generic;
     443             : 
     444          52 :         ZERO_STRUCT(auth2);
     445          52 :         netlogon_creds_client_authenticator(creds, &auth);
     446          52 :         r.in.credential = &auth;
     447          52 :         r.in.return_authenticator = &auth2;
     448          52 :         r.in.logon = &logon;
     449          52 :         r.in.logon_level = NetlogonGenericInformation;
     450          52 :         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
     451          52 :         r.in.computer_name = cli_credentials_get_workstation(server_creds);
     452          52 :         r.in.validation_level = NetlogonValidationGenericInfo2;
     453          52 :         r.out.validation = &validation;
     454          52 :         r.out.authoritative = &authoritative;
     455          52 :         r.out.return_authenticator = &return_authenticator;
     456             : 
     457          52 :         torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
     458             :                 "LogonSamLogon failed");
     459             : 
     460          52 :         torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
     461             : 
     462             :         /* This will break the signature nicely (even in the crypto wrapping), check we get a logon failure */
     463          52 :         generic.data[generic.length-1]++;
     464             : 
     465          52 :         logon.generic = &generic;
     466             : 
     467          52 :         ZERO_STRUCT(auth2);
     468          52 :         netlogon_creds_client_authenticator(creds, &auth);
     469          52 :         r.in.credential = &auth;
     470          52 :         r.in.return_authenticator = &auth2;
     471          52 :         r.in.logon_level = NetlogonGenericInformation;
     472          52 :         r.in.logon = &logon;
     473          52 :         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
     474          52 :         r.in.computer_name = cli_credentials_get_workstation(server_creds);
     475          52 :         r.in.validation_level = NetlogonValidationGenericInfo2;
     476             : 
     477          52 :         torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
     478             :                 "LogonSamLogon failed");
     479             : 
     480          52 :         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed");
     481             : 
     482          52 :         torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
     483             :                        "Credential chaining failed");
     484             : 
     485             :         /* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */
     486          52 :         generic.length--;
     487             : 
     488          52 :         logon.generic = &generic;
     489             : 
     490          52 :         ZERO_STRUCT(auth2);
     491          52 :         netlogon_creds_client_authenticator(creds, &auth);
     492          52 :         r.in.credential = &auth;
     493          52 :         r.in.return_authenticator = &auth2;
     494          52 :         r.in.logon_level = NetlogonGenericInformation;
     495          52 :         r.in.logon = &logon;
     496          52 :         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
     497          52 :         r.in.computer_name = cli_credentials_get_workstation(server_creds);
     498          52 :         r.in.validation_level = NetlogonValidationGenericInfo2;
     499             : 
     500          52 :         torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
     501             :                 "LogonSamLogon failed");
     502             : 
     503          52 :         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed");
     504             : 
     505          52 :         torture_assert(tctx, netlogon_creds_client_check(creds,
     506             :                                                          &r.out.return_authenticator->cred),
     507             :                        "Credential chaining failed");
     508             : 
     509          52 :         pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length;
     510          52 :         pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type;
     511             : 
     512             :         /* Break the SignatureType */
     513          52 :         pac_wrapped_struct.SignatureType++;
     514             : 
     515          52 :         pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length;
     516          52 :         pac_wrapped_struct.ChecksumAndSignature = payload
     517          52 :                 = data_blob_talloc(tctx, NULL,
     518             :                                    pac_wrapped_struct.ChecksumLength
     519             :                                    + pac_wrapped_struct.SignatureLength);
     520          88 :         memcpy(&payload.data[0],
     521          52 :                pac_data->pac_srv_sig->signature.data,
     522          52 :                pac_wrapped_struct.ChecksumLength);
     523          88 :         memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
     524          52 :                pac_data->pac_kdc_sig->signature.data,
     525          52 :                pac_wrapped_struct.SignatureLength);
     526             : 
     527          52 :         ndr_err = ndr_push_struct_blob(&pac_wrapped, tctx, &pac_wrapped_struct,
     528             :                                        (ndr_push_flags_fn_t)ndr_push_PAC_Validate);
     529          52 :         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
     530             : 
     531          52 :         torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
     532          52 :         if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
     533          26 :                 netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
     534             :         } else {
     535          26 :                 netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
     536             :         }
     537             : 
     538          52 :         generic.length = pac_wrapped.length;
     539          52 :         generic.data = pac_wrapped.data;
     540             : 
     541          52 :         logon.generic = &generic;
     542             : 
     543          52 :         ZERO_STRUCT(auth2);
     544          52 :         netlogon_creds_client_authenticator(creds, &auth);
     545          52 :         r.in.credential = &auth;
     546          52 :         r.in.return_authenticator = &auth2;
     547          52 :         r.in.logon_level = NetlogonGenericInformation;
     548          52 :         r.in.logon = &logon;
     549          52 :         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
     550          52 :         r.in.computer_name = cli_credentials_get_workstation(server_creds);
     551          52 :         r.in.validation_level = NetlogonValidationGenericInfo2;
     552             : 
     553          52 :         torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
     554             :                 "LogonSamLogon failed");
     555             : 
     556          52 :         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed");
     557             : 
     558          52 :         torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
     559             :                        "Credential chaining failed");
     560             : 
     561          52 :         pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length;
     562          52 :         pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type;
     563          52 :         pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length;
     564             : 
     565          52 :         pac_wrapped_struct.ChecksumAndSignature = payload
     566          52 :                 = data_blob_talloc(tctx, NULL,
     567             :                                    pac_wrapped_struct.ChecksumLength
     568             :                                    + pac_wrapped_struct.SignatureLength);
     569          88 :         memcpy(&payload.data[0],
     570          52 :                pac_data->pac_srv_sig->signature.data,
     571          52 :                pac_wrapped_struct.ChecksumLength);
     572          88 :         memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
     573          52 :                pac_data->pac_kdc_sig->signature.data,
     574          52 :                pac_wrapped_struct.SignatureLength);
     575             : 
     576             :         /* Break the signature length */
     577          52 :         pac_wrapped_struct.SignatureLength++;
     578             : 
     579          52 :         ndr_err = ndr_push_struct_blob(&pac_wrapped, tctx, &pac_wrapped_struct,
     580             :                                        (ndr_push_flags_fn_t)ndr_push_PAC_Validate);
     581          52 :         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
     582             : 
     583          52 :         torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
     584          52 :         if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
     585          26 :                 netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
     586             :         } else {
     587          26 :                 netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
     588             :         }
     589             : 
     590          52 :         generic.length = pac_wrapped.length;
     591          52 :         generic.data = pac_wrapped.data;
     592             : 
     593          52 :         logon.generic = &generic;
     594             : 
     595          52 :         ZERO_STRUCT(auth2);
     596          52 :         netlogon_creds_client_authenticator(creds, &auth);
     597          52 :         r.in.credential = &auth;
     598          52 :         r.in.return_authenticator = &auth2;
     599          52 :         r.in.logon_level = NetlogonGenericInformation;
     600          52 :         r.in.logon = &logon;
     601          52 :         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
     602          52 :         r.in.computer_name = cli_credentials_get_workstation(server_creds);
     603          52 :         r.in.validation_level = NetlogonValidationGenericInfo2;
     604             : 
     605          52 :         torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
     606             :                 "LogonSamLogon failed");
     607             : 
     608          52 :         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed");
     609             : 
     610          52 :         torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
     611             :                        "Credential chaining failed");
     612             : 
     613          52 :         return true;
     614             : }
     615             : 
     616          10 : static bool test_PACVerify_bdc_arcfour(struct torture_context *tctx,
     617             :                                        struct dcerpc_pipe *p,
     618             :                                        struct cli_credentials *credentials)
     619             : {
     620          10 :         return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC,
     621             :                               TEST_MACHINE_NAME_BDC,
     622             :                               NETLOGON_NEG_AUTH2_ADS_FLAGS);
     623             : }
     624             : 
     625          10 : static bool test_PACVerify_bdc_aes(struct torture_context *tctx,
     626             :                                    struct dcerpc_pipe *p,
     627             :                                    struct cli_credentials *credentials)
     628             : {
     629          10 :         return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC,
     630             :                               TEST_MACHINE_NAME_BDC,
     631             :                               NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
     632             : }
     633             : 
     634          10 : static bool test_PACVerify_workstation_arcfour(struct torture_context *tctx,
     635             :                                                struct dcerpc_pipe *p,
     636             :                                                struct cli_credentials *credentials)
     637             : {
     638          10 :         return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
     639             :                               TEST_MACHINE_NAME_WKSTA,
     640             :                               NETLOGON_NEG_AUTH2_ADS_FLAGS);
     641             : }
     642             : 
     643          10 : static bool test_PACVerify_workstation_aes(struct torture_context *tctx,
     644             :                                            struct dcerpc_pipe *p,
     645             :                                            struct cli_credentials *credentials)
     646             : {
     647          10 :         return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
     648             :                               TEST_MACHINE_NAME_WKSTA,
     649             :                               NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
     650             : }
     651             : 
     652             : #ifdef SAMBA4_USES_HEIMDAL
     653          24 : static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx,
     654             :                                                   uint16_t validation_level,
     655             :                                                   const union netr_Validation *validation)
     656             : {
     657          24 :         const struct netr_SamBaseInfo *base = NULL;
     658             :         int i;
     659          24 :         switch (validation_level) {
     660           0 :         case 2:
     661           0 :                 if (!validation || !validation->sam2) {
     662           0 :                         return NT_STATUS_INVALID_PARAMETER;
     663             :                 }
     664           0 :                 base = &validation->sam2->base;
     665           0 :                 break;
     666          24 :         case 3:
     667          24 :                 if (!validation || !validation->sam3) {
     668           0 :                         return NT_STATUS_INVALID_PARAMETER;
     669             :                 }
     670          24 :                 base = &validation->sam3->base;
     671          24 :                 break;
     672           0 :         case 6:
     673           0 :                 if (!validation || !validation->sam6) {
     674           0 :                         return NT_STATUS_INVALID_PARAMETER;
     675             :                 }
     676           0 :                 base = &validation->sam6->base;
     677           0 :                 break;
     678           0 :         default:
     679           0 :                 return NT_STATUS_INVALID_LEVEL;
     680             :         }
     681             : 
     682          24 :         for (i = 0; i < base->groups.count; i++) {
     683          24 :                 if (base->groups.rids[i].rid == base->primary_gid) {
     684          24 :                         return NT_STATUS_OK;
     685             :                 }
     686             :         }
     687           0 :         return NT_STATUS_INVALID_PARAMETER;
     688             : }
     689             : 
     690             : /* Check various ways to get the PAC, in particular check the group membership and
     691             :  * other details between the PAC from a normal kinit, S4U2Self and a SamLogon */
     692          24 : static bool test_S4U2Self(struct torture_context *tctx,
     693             :                           struct dcerpc_pipe *p1,
     694             :                           struct cli_credentials *credentials,
     695             :                           enum netr_SchannelType secure_channel_type,
     696             :                           const char *test_machine_name,
     697             :                           uint32_t negotiate_flags)
     698             : {
     699             :         NTSTATUS status;
     700          24 :         struct dcerpc_pipe *p = NULL;
     701          24 :         struct dcerpc_binding_handle *b = NULL;
     702             : 
     703             :         struct netr_LogonSamLogon r;
     704             : 
     705             :         union netr_LogonLevel logon;
     706             :         union netr_Validation validation;
     707             :         uint8_t authoritative;
     708             : 
     709             :         struct netr_Authenticator auth, auth2;
     710             : 
     711             :         DATA_BLOB client_to_server, server_to_client;
     712             : 
     713             :         struct netlogon_creds_CredentialState *creds;
     714             :         struct gensec_security *gensec_client_context;
     715             :         struct gensec_security *gensec_server_context;
     716             :         struct cli_credentials *client_creds;
     717             :         struct cli_credentials *server_creds;
     718             : 
     719             :         struct auth4_context *auth_context;
     720             :         struct auth_session_info *kinit_session_info;
     721             :         struct auth_session_info *s4u2self_session_info;
     722             :         struct auth_user_info_dc *netlogon_user_info_dc;
     723             : 
     724             :         struct netr_NetworkInfo ninfo;
     725             :         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
     726             :         size_t i;
     727          24 :         int flags = CLI_CRED_NTLMv2_AUTH;
     728             : 
     729             :         struct dom_sid *builtin_domain;
     730             : 
     731          24 :         TALLOC_CTX *tmp_ctx = talloc_new(tctx);
     732             : 
     733          24 :         torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
     734             : 
     735          24 :         torture_comment(tctx,
     736             :                 "Testing S4U2SELF (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n",
     737             :                 secure_channel_type, test_machine_name, negotiate_flags);
     738             : 
     739             :         /*
     740             :          * Copy the credentials in order to use a different MEMORY krb5 ccache
     741             :          * for each client/server setup. The MEMORY cache identifier is a
     742             :          * pointer to the creds container. If we copy it the pointer changes and
     743             :          * we will get a new clean memory cache.
     744             :          */
     745          24 :         client_creds = cli_credentials_shallow_copy(tmp_ctx,
     746             :                                             samba_cmdline_get_creds());
     747          24 :         torture_assert(tctx, client_creds, "Failed to copy of credentials");
     748             :         /* We use cli_credentials_get_ntlm_response(), so relax krb5 requirements. */
     749          24 :         cli_credentials_set_kerberos_state(client_creds,
     750             :                                            CRED_USE_KERBEROS_DESIRED,
     751             :                                            CRED_SPECIFIED);
     752             : 
     753          24 :         server_creds = cli_credentials_shallow_copy(tmp_ctx,
     754             :                                                     credentials);
     755          24 :         torture_assert(tctx, server_creds, "Failed to copy of credentials");
     756             : 
     757          24 :         if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
     758             :                                     server_creds, secure_channel_type,
     759             :                                     &creds)) {
     760           0 :                 return false;
     761             :         }
     762          24 :         if (!test_SetupCredentialsPipe(p1, tctx, server_creds, creds,
     763             :                                        DCERPC_SIGN | DCERPC_SEAL, &p)) {
     764           0 :                 return false;
     765             :         }
     766          24 :         b = p->binding_handle;
     767             : 
     768          24 :         auth_context = talloc_zero(tmp_ctx, struct auth4_context);
     769          24 :         torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
     770             : 
     771          24 :         auth_context->generate_session_info_pac = test_generate_session_info_pac;
     772             : 
     773             :         /* First, do a normal Kerberos connection */
     774             : 
     775          24 :         status = gensec_client_start(tctx, &gensec_client_context,
     776             :                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
     777          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
     778             : 
     779          24 :         status = gensec_set_target_hostname(gensec_client_context, test_machine_name);
     780             : 
     781          24 :         status = gensec_set_credentials(gensec_client_context, client_creds);
     782          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
     783             : 
     784          24 :         status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI");
     785          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
     786             : 
     787          24 :         status = gensec_server_start(tctx,
     788             :                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx),
     789             :                                      auth_context, &gensec_server_context);
     790          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
     791             : 
     792          24 :         status = gensec_set_credentials(gensec_server_context, server_creds);
     793          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
     794             : 
     795          24 :         status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI");
     796          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed");
     797             : 
     798          24 :         server_to_client = data_blob(NULL, 0);
     799             : 
     800             :         do {
     801             :                 /* Do a client-server update dance */
     802         120 :                 status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server);
     803          72 :                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
     804          24 :                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
     805             :                 }
     806             : 
     807          72 :                 status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client);
     808          72 :                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
     809          24 :                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
     810             :                 }
     811             : 
     812          72 :                 if (NT_STATUS_IS_OK(status)) {
     813          24 :                         break;
     814             :                 }
     815             :         } while (1);
     816             : 
     817             :         /* Extract the PAC using Samba's code */
     818             : 
     819          24 :         status = gensec_session_info(gensec_server_context, gensec_server_context, &kinit_session_info);
     820          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
     821             : 
     822             : 
     823             :         /* Now do the dance with S4U2Self */
     824             : 
     825             :         /* Wipe out any existing ccache */
     826          24 :         cli_credentials_invalidate_ccache(client_creds, CRED_SPECIFIED);
     827          24 :         cli_credentials_invalidate_ccache(server_creds, CRED_SPECIFIED);
     828          24 :         cli_credentials_set_impersonate_principal(server_creds,
     829          24 :                         cli_credentials_get_principal(client_creds, tmp_ctx),
     830          24 :                         talloc_asprintf(tmp_ctx, "host/%s", test_machine_name));
     831             : 
     832          24 :         status = gensec_client_start(tctx, &gensec_client_context,
     833             :                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
     834          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
     835             : 
     836          24 :         status = gensec_set_target_hostname(gensec_client_context, test_machine_name);
     837             : 
     838             :         /* We now set the same credentials on both client and server contexts */
     839          24 :         status = gensec_set_credentials(gensec_client_context, server_creds);
     840          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
     841             : 
     842          24 :         status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI");
     843          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
     844             : 
     845          24 :         status = gensec_server_start(tctx,
     846             :                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx),
     847             :                                      auth_context, &gensec_server_context);
     848          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
     849             : 
     850          24 :         status = gensec_set_credentials(gensec_server_context, server_creds);
     851          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
     852             : 
     853          24 :         status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI");
     854          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed");
     855             : 
     856          24 :         server_to_client = data_blob(NULL, 0);
     857             : 
     858             :         do {
     859             :                 /* Do a client-server update dance */
     860         120 :                 status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server);
     861          72 :                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
     862          24 :                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
     863             :                 }
     864             : 
     865          72 :                 status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client);
     866          72 :                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
     867          24 :                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
     868             :                 }
     869             : 
     870          72 :                 if (NT_STATUS_IS_OK(status)) {
     871          24 :                         break;
     872             :                 }
     873             :         } while (1);
     874             : 
     875             :         /* Don't pollute the remaining tests with the changed credentials */
     876          24 :         cli_credentials_invalidate_ccache(server_creds, CRED_SPECIFIED);
     877          24 :         cli_credentials_set_target_service(server_creds, NULL);
     878          24 :         cli_credentials_set_impersonate_principal(server_creds, NULL, NULL);
     879             : 
     880             :         /* Extract the PAC using Samba's code */
     881             : 
     882          24 :         status = gensec_session_info(gensec_server_context, gensec_server_context, &s4u2self_session_info);
     883          24 :         torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
     884             : 
     885          24 :         cli_credentials_get_ntlm_username_domain(client_creds, tctx,
     886             :                                                  &ninfo.identity_info.account_name.string,
     887             :                                                  &ninfo.identity_info.domain_name.string);
     888             : 
     889             :         /* Now try with SamLogon */
     890          24 :         generate_random_buffer(ninfo.challenge,
     891             :                                sizeof(ninfo.challenge));
     892          24 :         chal = data_blob_const(ninfo.challenge,
     893             :                                sizeof(ninfo.challenge));
     894             : 
     895          24 :         names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(server_creds),
     896             :                                                 cli_credentials_get_domain(server_creds));
     897             : 
     898          24 :         status = cli_credentials_get_ntlm_response(client_creds, tctx,
     899             :                                                    &flags,
     900             :                                                    chal,
     901             :                                                    NULL, /* server_timestamp */
     902             :                                                    names_blob,
     903             :                                                    &lm_resp, &nt_resp,
     904             :                                                    NULL, NULL);
     905          24 :         torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
     906             : 
     907          24 :         ninfo.lm.data = lm_resp.data;
     908          24 :         ninfo.lm.length = lm_resp.length;
     909             : 
     910          24 :         ninfo.nt.data = nt_resp.data;
     911          24 :         ninfo.nt.length = nt_resp.length;
     912             : 
     913          24 :         ninfo.identity_info.parameter_control = 0;
     914          24 :         ninfo.identity_info.logon_id = 0;
     915          24 :         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(server_creds);
     916             : 
     917          24 :         logon.network = &ninfo;
     918             : 
     919          24 :         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
     920          24 :         r.in.computer_name = cli_credentials_get_workstation(server_creds);
     921          24 :         r.in.credential = &auth;
     922          24 :         r.in.return_authenticator = &auth2;
     923          24 :         r.in.logon_level = NetlogonNetworkInformation;
     924          24 :         r.in.logon = &logon;
     925          24 :         r.out.validation = &validation;
     926          24 :         r.out.authoritative = &authoritative;
     927             : 
     928          24 :         ZERO_STRUCT(auth2);
     929          24 :         netlogon_creds_client_authenticator(creds, &auth);
     930             : 
     931          24 :         r.in.validation_level = 3;
     932             : 
     933          24 :         status = dcerpc_netr_LogonSamLogon_r(b, tctx, &r);
     934          24 :         torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
     935             : 
     936          24 :         torture_assert(tctx, netlogon_creds_client_check(creds,
     937             :                                                          &r.out.return_authenticator->cred),
     938             :                        "Credential chaining failed");
     939             : 
     940          24 :         torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
     941             : 
     942          24 :         status = make_user_info_dc_netlogon_validation(tmp_ctx,
     943             :                                                       ninfo.identity_info.account_name.string,
     944          24 :                                                       r.in.validation_level,
     945          24 :                                                       r.out.validation,
     946             :                                                           true, /* This user was authenticated */
     947             :                                                       &netlogon_user_info_dc);
     948             : 
     949          24 :         torture_assert_ntstatus_ok(tctx, status, "make_user_info_dc_netlogon_validation failed");
     950             : 
     951             :         /* Check that the primary group is present in validation's RID array */
     952          24 :         status = check_primary_group_in_validation(tmp_ctx, r.in.validation_level, r.out.validation);
     953          24 :         torture_assert_ntstatus_ok(tctx, status, "check_primary_group_in_validation failed");
     954             : 
     955             :         /* Check that the primary group is not duplicated in user_info_dc SID array */
     956         144 :         for (i = 2; i < netlogon_user_info_dc->num_sids; i++) {
     957         120 :                 torture_assert(tctx, !dom_sid_equal(&netlogon_user_info_dc->sids[1],
     958             :                                                     &netlogon_user_info_dc->sids[i]),
     959             :                                "Duplicate PrimaryGroupId in return SID array");
     960             :         }
     961             : 
     962          24 :         torture_assert_str_equal(tctx, netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
     963             :                                  kinit_session_info->info->account_name, "Account name differs for kinit-based PAC");
     964          24 :         torture_assert_str_equal(tctx,netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
     965             :                                  s4u2self_session_info->info->account_name, "Account name differs for S4U2Self");
     966          24 :         torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, kinit_session_info->info->full_name, "Full name differs for kinit-based PAC");
     967          24 :         torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, s4u2self_session_info->info->full_name, "Full name differs for S4U2Self");
     968          24 :         torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids, "Different numbers of domain groups for kinit-based PAC");
     969          24 :         torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s4u2self_session_info->torture->num_dc_sids, "Different numbers of domain groups for S4U2Self");
     970             : 
     971          24 :         builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN);
     972             : 
     973         192 :         for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) {
     974         168 :                 torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &kinit_session_info->torture->dc_sids[i]), "Different domain groups for kinit-based PAC");
     975         168 :                 torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &s4u2self_session_info->torture->dc_sids[i]), "Different domain groups for S4U2Self");
     976         168 :                 torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s4u2self_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups for S4U2Self");
     977         168 :                 torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups kinit-based PAC");
     978         168 :                 torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_user_info_dc->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
     979             :         }
     980             : 
     981          24 :         return true;
     982             : }
     983             : 
     984           6 : static bool test_S4U2Self_bdc_arcfour(struct torture_context *tctx,
     985             :                                       struct dcerpc_pipe *p,
     986             :                                       struct cli_credentials *credentials)
     987             : {
     988           6 :         return test_S4U2Self(tctx, p, credentials, SEC_CHAN_BDC,
     989             :                              TEST_MACHINE_NAME_S4U2SELF_BDC,
     990             :                              NETLOGON_NEG_AUTH2_ADS_FLAGS);
     991             : }
     992             : 
     993           6 : static bool test_S4U2Self_bdc_aes(struct torture_context *tctx,
     994             :                                   struct dcerpc_pipe *p,
     995             :                                   struct cli_credentials *credentials)
     996             : {
     997           6 :         return test_S4U2Self(tctx, p, credentials, SEC_CHAN_BDC,
     998             :                              TEST_MACHINE_NAME_S4U2SELF_BDC,
     999             :                              NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
    1000             : }
    1001             : 
    1002           6 : static bool test_S4U2Self_workstation_arcfour(struct torture_context *tctx,
    1003             :                                               struct dcerpc_pipe *p,
    1004             :                                               struct cli_credentials *credentials)
    1005             : {
    1006           6 :         return test_S4U2Self(tctx, p, credentials, SEC_CHAN_WKSTA,
    1007             :                              TEST_MACHINE_NAME_S4U2SELF_WKSTA,
    1008             :                              NETLOGON_NEG_AUTH2_ADS_FLAGS);
    1009             : }
    1010             : 
    1011           6 : static bool test_S4U2Self_workstation_aes(struct torture_context *tctx,
    1012             :                                           struct dcerpc_pipe *p,
    1013             :                                           struct cli_credentials *credentials)
    1014             : {
    1015           6 :         return test_S4U2Self(tctx, p, credentials, SEC_CHAN_WKSTA,
    1016             :                              TEST_MACHINE_NAME_S4U2SELF_WKSTA,
    1017             :                              NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
    1018             : }
    1019             : 
    1020          12 : static bool test_S4U2Proxy(struct torture_context *tctx,
    1021             :                            struct dcerpc_pipe *p,
    1022             :                            struct cli_credentials *credentials,
    1023             :                            enum netr_SchannelType secure_channel_type,
    1024             :                            const char *test_machine_name,
    1025             :                            uint32_t negotiate_flags)
    1026             : {
    1027             :         NTSTATUS status;
    1028          12 :         struct gensec_security *gensec_client_context = NULL;
    1029          12 :         struct gensec_security *gensec_server_context = NULL;
    1030          12 :         struct cli_credentials *server_creds = NULL;
    1031             :         size_t num_pac_buffers;
    1032          12 :         struct auth4_context *auth_context = NULL;
    1033          12 :         struct auth_session_info *session_info = NULL;
    1034          12 :         struct pac_data *pac_data = NULL;
    1035          12 :         const struct PAC_BUFFER *pac_buf = NULL;
    1036          12 :         char *impersonate_princ = NULL, *self_princ = NULL, *target_princ = NULL;
    1037             :         enum ndr_err_code ndr_err;
    1038             :         struct PAC_DATA pac_data_struct;
    1039          12 :         struct PAC_CONSTRAINED_DELEGATION *deleg = NULL;
    1040             : 
    1041             :         DATA_BLOB client_to_server, server_to_client;
    1042             : 
    1043          12 :         auth_context = talloc_zero(tctx, struct auth4_context);
    1044          12 :         torture_assert_not_null(tctx, auth_context, "talloc_new() failed");
    1045             : 
    1046          12 :         auth_context->generate_session_info_pac = test_generate_session_info_pac;
    1047             : 
    1048          12 :         torture_comment(tctx,
    1049             :                 "Testing S4U2Proxy (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n",
    1050             :                 secure_channel_type, test_machine_name, negotiate_flags);
    1051             : 
    1052          12 :         impersonate_princ = cli_credentials_get_principal(samba_cmdline_get_creds(), tctx);
    1053          12 :         torture_assert_not_null(tctx, impersonate_princ, "Failed to get impersonate client name");
    1054             : 
    1055          12 :         server_creds = cli_credentials_shallow_copy(tctx, credentials);
    1056          12 :         torture_assert_not_null(tctx, server_creds, "Failed to copy of credentials");
    1057             : 
    1058          12 :         self_princ = talloc_asprintf(tctx, "host/%s", test_machine_name);
    1059          12 :         cli_credentials_invalidate_ccache(server_creds, CRED_SPECIFIED);
    1060          12 :         cli_credentials_set_impersonate_principal(server_creds, impersonate_princ, self_princ);
    1061             : 
    1062             :         /* Trigger S4U2Proxy by setting a target_service different than self_principal */
    1063          12 :         target_princ = talloc_asprintf(tctx, "%s$", test_machine_name);
    1064          12 :         cli_credentials_set_target_service(server_creds, target_princ);
    1065             : 
    1066          12 :         status = gensec_client_start(tctx, &gensec_client_context,
    1067             :                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
    1068          12 :         torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
    1069             : 
    1070          12 :         status = gensec_set_target_principal(gensec_client_context, target_princ);
    1071          12 :         torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
    1072             : 
    1073             :         /* We now set the same credentials on both client and server contexts */
    1074          12 :         status = gensec_set_credentials(gensec_client_context, server_creds);
    1075          12 :         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
    1076             : 
    1077          12 :         status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI");
    1078          12 :         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
    1079             : 
    1080          12 :         status = gensec_server_start(tctx,
    1081             :                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    1082             :                                      auth_context, &gensec_server_context);
    1083          12 :         torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
    1084             : 
    1085          12 :         status = gensec_set_credentials(gensec_server_context, server_creds);
    1086          12 :         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
    1087             : 
    1088          12 :         status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI");
    1089          12 :         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed");
    1090             : 
    1091          12 :         server_to_client = data_blob(NULL, 0);
    1092             : 
    1093             :         do {
    1094             :                 /* Do a client-server update dance */
    1095          60 :                 status = gensec_update(gensec_client_context, tctx, server_to_client, &client_to_server);
    1096          36 :                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
    1097          12 :                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
    1098             :                 }
    1099             : 
    1100          36 :                 status = gensec_update(gensec_server_context, tctx, client_to_server, &server_to_client);
    1101          36 :                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
    1102          12 :                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
    1103             :                 }
    1104             : 
    1105          36 :                 if (NT_STATUS_IS_OK(status)) {
    1106          12 :                         break;
    1107             :                 }
    1108             :         } while (1);
    1109             : 
    1110             :         /* Extract the PAC using Samba's code */
    1111             : 
    1112          12 :         status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info);
    1113          12 :         torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
    1114             : 
    1115          12 :         pac_data = talloc_get_type(auth_context->private_data, struct pac_data);
    1116             : 
    1117          12 :         torture_assert_not_null(tctx, pac_data, "gensec_update failed to fill in pac_data in auth_context");
    1118          12 :         torture_assert_not_null(tctx, pac_data->pac_srv_sig, "pac_srv_sig not present");
    1119          12 :         torture_assert_not_null(tctx, pac_data->pac_kdc_sig, "pac_kdc_sig not present");
    1120             : 
    1121          12 :         ndr_err = ndr_pull_struct_blob(&pac_data->pac_blob, tctx, &pac_data_struct,
    1122             :                                        (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
    1123          12 :         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed");
    1124             : 
    1125          12 :         num_pac_buffers = 6;
    1126             : 
    1127          12 :         torture_assert_int_equal(tctx, pac_data_struct.version, 0, "version");
    1128          12 :         torture_assert_int_equal(tctx, pac_data_struct.num_buffers, num_pac_buffers, "num_buffers");
    1129             : 
    1130          12 :         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_LOGON_INFO);
    1131          12 :         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_LOGON_INFO");
    1132          12 :         torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_LOGON_INFO info");
    1133             : 
    1134          12 :         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_LOGON_NAME);
    1135          12 :         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_LOGON_NAME");
    1136          12 :         torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_LOGON_NAME info");
    1137             : 
    1138          12 :         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_UPN_DNS_INFO);
    1139          12 :         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_UPN_DNS_INFO");
    1140          12 :         torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_UPN_DNS_INFO info");
    1141             : 
    1142          12 :         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_SRV_CHECKSUM);
    1143          12 :         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_SRV_CHECKSUM");
    1144          12 :         torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_SRV_CHECKSUM info");
    1145             : 
    1146          12 :         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_KDC_CHECKSUM);
    1147          12 :         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_KDC_CHECKSUM");
    1148          12 :         torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_KDC_CHECKSUM info");
    1149             : 
    1150          12 :         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_CONSTRAINED_DELEGATION);
    1151          12 :         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_CONSTRAINED_DELEGATION");
    1152          12 :         torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_CONSTRAINED_DELEGATION info");
    1153             : 
    1154          12 :         deleg = pac_buf->info->constrained_delegation.info;
    1155          12 :         torture_assert_str_equal(tctx, deleg->proxy_target.string, target_princ, "wrong proxy_target");
    1156          12 :         torture_assert_int_equal(tctx, deleg->num_transited_services, 1, "wrong transited_services number");
    1157          12 :         torture_assert_str_equal(tctx, deleg->transited_services[0].string,
    1158             :                                  talloc_asprintf(tctx, "%s@%s", self_princ, cli_credentials_get_realm(credentials)),
    1159             :                                  "wrong transited_services[0]");
    1160             : 
    1161          12 :         return netlogon_validate_pac(tctx, p, server_creds, secure_channel_type, test_machine_name,
    1162             :                                      negotiate_flags, pac_data, session_info);
    1163             : }
    1164             : 
    1165          12 : static bool setup_constrained_delegation(struct torture_context *tctx,
    1166             :                                          struct dcerpc_pipe *p,
    1167             :                                          struct test_join *join_ctx,
    1168             :                                          const char *machine_name)
    1169             : {
    1170             :         struct samr_SetUserInfo r;
    1171             :         union samr_UserInfo user_info;
    1172          12 :         struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx);
    1173          12 :         const char *server_dn_str = NULL;
    1174          12 :         struct ldb_context *sam_ctx = NULL;
    1175          12 :         struct ldb_dn *server_dn = NULL;
    1176          12 :         struct ldb_message *msg = NULL;
    1177          12 :         char *url = NULL;
    1178             :         int ret;
    1179             : 
    1180          12 :         url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
    1181          12 :         sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url, NULL, samba_cmdline_get_creds(), 0);
    1182          12 :         torture_assert_not_null(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
    1183             : 
    1184          12 :         server_dn_str = samdb_search_string(sam_ctx, tctx, ldb_get_default_basedn(sam_ctx), "distinguishedName",
    1185             :                                             "samaccountname=%s$", machine_name);
    1186          12 :         torture_assert_not_null(tctx, server_dn_str, "samdb_search_string()");
    1187             : 
    1188          12 :         server_dn = ldb_dn_new(tctx, sam_ctx, server_dn_str);
    1189          12 :         torture_assert_not_null(tctx, server_dn, "ldb_dn_new()");
    1190             : 
    1191          12 :         msg = ldb_msg_new(tctx);
    1192          12 :         torture_assert_not_null(tctx, msg, "ldb_msg_new()");
    1193             : 
    1194          12 :         msg->dn = server_dn;
    1195          12 :         ret = ldb_msg_add_string(msg, "msDS-AllowedToDelegateTo", talloc_asprintf(tctx, "%s$", machine_name));
    1196          12 :         torture_assert_int_equal(tctx, ret, 0, "ldb_msg_add_string())");
    1197             : 
    1198          12 :         ret = ldb_modify(sam_ctx, msg);
    1199          12 :         torture_assert_int_equal(tctx, ret, 0, "ldb_modify()");
    1200             : 
    1201             :         /* Allow forwardable flag in S4U2Self */
    1202          12 :         user_info.info16.acct_flags = ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | ACB_WSTRUST;
    1203          12 :         r.in.user_handle = torture_join_samr_user_policy(join_ctx);
    1204          12 :         r.in.level = 16;
    1205          12 :         r.in.info = &user_info;
    1206             : 
    1207          12 :         torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r),
    1208             :                 "failed to set ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION info account flags");
    1209          12 :         torture_assert_ntstatus_ok(tctx, r.out.result,
    1210             :                 "failed to set ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION into account flags");
    1211             : 
    1212          12 :         return true;
    1213             : }
    1214             : 
    1215           6 : static bool test_S4U2Proxy_workstation_arcfour(struct torture_context *tctx,
    1216             :                                                struct dcerpc_pipe *p,
    1217             :                                                struct cli_credentials *credentials,
    1218             :                                                struct test_join *join_ctx)
    1219             : {
    1220           6 :         torture_assert(tctx, setup_constrained_delegation(tctx, p, join_ctx,
    1221             :                                                           TEST_MACHINE_NAME_S4U2PROXY_WKSTA),
    1222             :                                                           "setup_constrained_delegation() failed");
    1223           6 :         return test_S4U2Proxy(tctx, p, credentials, SEC_CHAN_WKSTA,
    1224             :                               TEST_MACHINE_NAME_S4U2PROXY_WKSTA,
    1225             :                               NETLOGON_NEG_AUTH2_ADS_FLAGS);
    1226             : }
    1227             : 
    1228           6 : static bool test_S4U2Proxy_workstation_aes(struct torture_context *tctx,
    1229             :                                            struct dcerpc_pipe *p,
    1230             :                                            struct cli_credentials *credentials,
    1231             :                                            struct test_join *join_ctx)
    1232             : {
    1233           6 :         torture_assert(tctx, setup_constrained_delegation(tctx, p, join_ctx,
    1234             :                                                           TEST_MACHINE_NAME_S4U2PROXY_WKSTA),
    1235             :                                                           "setup_constrained_delegation() failed");
    1236           6 :         return test_S4U2Proxy(tctx, p, credentials, SEC_CHAN_WKSTA,
    1237             :                               TEST_MACHINE_NAME_S4U2PROXY_WKSTA,
    1238             :                               NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
    1239             : }
    1240             : #endif
    1241             : 
    1242        2355 : struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
    1243             : {
    1244        2355 :         struct torture_suite *suite = torture_suite_create(mem_ctx, "pac");
    1245             :         struct torture_rpc_tcase *tcase;
    1246             : 
    1247        2355 :         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
    1248             :                                                               &ndr_table_netlogon, TEST_MACHINE_NAME_BDC);
    1249        2355 :         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-arcfour", test_PACVerify_bdc_arcfour);
    1250             : 
    1251        2355 :         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-aes",
    1252             :                                                               &ndr_table_netlogon, TEST_MACHINE_NAME_BDC);
    1253        2355 :         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_bdc_aes);
    1254             : 
    1255        2355 :         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-arcfour",
    1256             :                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
    1257        2355 :         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-arcfour", test_PACVerify_workstation_arcfour);
    1258             : 
    1259        2355 :         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-aes",
    1260             :                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
    1261        2355 :         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes);
    1262             : 
    1263             : #ifdef SAMBA4_USES_HEIMDAL
    1264        1897 :         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
    1265             :                                                               &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC);
    1266        1897 :         torture_rpc_tcase_add_test_creds(tcase, "s4u2self-arcfour", test_S4U2Self_bdc_arcfour);
    1267             : 
    1268        1897 :         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bcd-aes",
    1269             :                                                               &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC);
    1270        1897 :         torture_rpc_tcase_add_test_creds(tcase, "s4u2self-aes", test_S4U2Self_bdc_aes);
    1271             : 
    1272        1897 :         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-arcfour",
    1273             :                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_WKSTA);
    1274        1897 :         torture_rpc_tcase_add_test_creds(tcase, "s4u2self-arcfour", test_S4U2Self_workstation_arcfour);
    1275             : 
    1276        1897 :         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-aes",
    1277             :                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_WKSTA);
    1278        1897 :         torture_rpc_tcase_add_test_creds(tcase, "s4u2self-aes", test_S4U2Self_workstation_aes);
    1279             : 
    1280        1897 :         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-arcfour",
    1281             :                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2PROXY_WKSTA);
    1282        1897 :         torture_rpc_tcase_add_test_join(tcase, "s4u2proxy-arcfour", test_S4U2Proxy_workstation_arcfour);
    1283             : 
    1284        1897 :         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-aes",
    1285             :                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2PROXY_WKSTA);
    1286        1897 :         torture_rpc_tcase_add_test_join(tcase, "s4u2proxy-aes", test_S4U2Proxy_workstation_aes);
    1287             : #endif
    1288        2355 :         return suite;
    1289             : }

Generated by: LCOV version 1.13