From 404ce08e9088968311c714e756f5d58ce2cef715 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Sat, 15 Jul 2023 17:25:05 +0200
|
|
Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check
|
|
netr_LogonGetCapabilities with different levels
|
|
|
|
The important change is that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
|
|
for unsupported query_levels, we allow it to work with servers
|
|
with or without support for query_level=2.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
.../knownfail.d/netr_LogonGetCapabilities | 3 +
|
|
source4/torture/rpc/netlogon.c | 77 ++++++++++++++++++-
|
|
2 files changed, 79 insertions(+), 1 deletion(-)
|
|
create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
|
|
|
|
diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
|
|
new file mode 100644
|
|
index 00000000000..30aadf3bb9d
|
|
--- /dev/null
|
|
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
|
|
@@ -0,0 +1,3 @@
|
|
+^samba3.rpc.schannel.*\.schannel\(nt4_dc
|
|
+^samba3.rpc.schannel.*\.schannel\(ad_dc
|
|
+^samba4.rpc.schannel.*\.schannel\(ad_dc
|
|
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
|
|
index 1f068eb7826..a3d190f13dd 100644
|
|
--- a/source4/torture/rpc/netlogon.c
|
|
+++ b/source4/torture/rpc/netlogon.c
|
|
@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
|
|
r.out.capabilities = &capabilities;
|
|
r.out.return_authenticator = &return_auth;
|
|
|
|
- torture_comment(tctx, "Testing LogonGetCapabilities\n");
|
|
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
|
|
|
|
+ r.in.query_level = 0;
|
|
+ ZERO_STRUCT(return_auth);
|
|
+
|
|
+ /*
|
|
+ * we need to operate on a temporary copy of creds
|
|
+ * because dcerpc_netr_LogonGetCapabilities with
|
|
+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
|
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
|
+ * without looking a the authenticator.
|
|
+ */
|
|
+ tmp_creds = *creds;
|
|
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
|
+
|
|
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
|
+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
|
|
+ "LogonGetCapabilities query_level=0 failed");
|
|
+
|
|
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
|
|
+
|
|
+ r.in.query_level = 3;
|
|
+ ZERO_STRUCT(return_auth);
|
|
+
|
|
+ /*
|
|
+ * we need to operate on a temporary copy of creds
|
|
+ * because dcerpc_netr_LogonGetCapabilities with
|
|
+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
|
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
|
+ * without looking a the authenticator.
|
|
+ */
|
|
+ tmp_creds = *creds;
|
|
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
|
+
|
|
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
|
+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
|
|
+ "LogonGetCapabilities query_level=0 failed");
|
|
+
|
|
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
|
|
+
|
|
+ r.in.query_level = 1;
|
|
ZERO_STRUCT(return_auth);
|
|
|
|
/*
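Review bot: The assertion after the query_level=3 call reports `"LogonGetCapabilities query_level=0 failed"`, copied from the level-0 block, so a failure at level 3 would be logged against the wrong level; it should read `"LogonGetCapabilities query_level=3 failed"`. Both new comment blocks also say "without looking a the authenticator", where "at" is meant. The level-0 and level-3 blocks differ only in the level, so a small loop over the unsupported levels would keep the message and the level from drifting apart. test_netlogon_capabilities begins and ends outside this hunk.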
|
|
@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
|
|
|
|
*creds = tmp_creds;
|
|
|
|
+ torture_assert(tctx, netlogon_creds_client_check(creds,
|
|
+ &r.out.return_authenticator->cred),
|
|
+ "Credential chaining failed");
|
|
+
|
|
+ torture_assert_int_equal(tctx, creds->negotiate_flags,
|
|
+ capabilities.server_capabilities,
|
|
+ "negotiate flags");
|
|
+
|
|
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
|
|
+
|
|
+ r.in.query_level = 2;
|
|
+ ZERO_STRUCT(return_auth);
|
|
+
|
|
+ /*
|
|
+ * we need to operate on a temporary copy of creds
|
|
+ * because dcerpc_netr_LogonGetCapabilities with
|
|
+ * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
|
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
|
+ * without looking a the authenticator.
|
|
+ */
|
|
+ tmp_creds = *creds;
|
|
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
|
+
|
|
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
|
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
|
|
+ /*
|
|
+ * an server without KB5028166 returns
|
|
+ * DCERPC_NCA_S_FAULT_INVALID_TAG =>
|
|
+ * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
|
+ */
|
|
+ return true;
|
|
+ }
|
|
+ torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
|
|
+
|
|
+ *creds = tmp_creds;
|
|
+
|
|
torture_assert(tctx, netlogon_creds_client_check(creds,
|
|
&r.out.return_authenticator->cred),
|
|
"Credential chaining failed");
|
|
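Review bot: The `return true;` in the `NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE` branch for query_level=2 ends the test as a pass without recording that level 2 was never exercised, so a server that loses query_level=2 support looks the same in the results as one that has it. A line such as `torture_comment(tctx, "server does not support query_level=2, skipping\n");` before the return would make that visible in the log. The early return also skips whatever comes later in test_netlogon_capabilities; the function continues outside this hunk, so whether the remaining checks still need to run for such servers cannot be confirmed from here.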
--
|
|
2.39.3
|
|
|