Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : passdb testing utility
4 :
5 : Copyright (C) Wilco Baan Hofman 2006
6 : Copyright (C) Jelmer Vernooij 2006
7 : Copyright (C) Andrew Bartlett 2012
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 :
24 : #include "includes.h"
25 : #include "lib/cmdline/cmdline.h"
26 : #include "passdb.h"
27 :
28 : #include "../librpc/gen_ndr/drsblobs.h"
29 : #include "../librpc/gen_ndr/ndr_drsblobs.h"
30 : #include "../libcli/security/dom_sid.h"
31 : #include "../libcli/auth/libcli_auth.h"
32 : #include "../auth/common_auth.h"
33 : #include "lib/tsocket/tsocket.h"
34 : #include "include/auth.h"
35 : #include "nsswitch/libwbclient/wbclient.h"
36 : #include "auth/auth_sam_reply.h"
37 :
38 : #define TRUST_DOM "trustdom"
39 : #define TRUST_PWD "trustpwd1232"
40 : #define TRUST_SID "S-1-5-21-1111111111-2222222222-3333333333"
41 :
42 3 : static bool samu_correct(struct samu *s1, struct samu *s2)
43 : {
44 3 : bool ret = True;
45 : uint32_t s1_len, s2_len;
46 : const char *s1_buf, *s2_buf;
47 : const uint8_t *d1_buf, *d2_buf;
48 : const struct dom_sid *s1_sid, *s2_sid;
49 :
50 : /* Check Unix username */
51 3 : s1_buf = pdb_get_username(s1);
52 3 : s2_buf = pdb_get_username(s2);
53 3 : if (s2_buf == NULL && s1_buf != NULL) {
54 0 : DEBUG(0, ("Username is not set\n"));
55 0 : ret = False;
56 3 : } else if (s1_buf == NULL) {
57 : /* Do nothing */
58 3 : } else if (strcmp(s1_buf,s2_buf)) {
59 0 : DEBUG(0, ("Username not written correctly, want %s, got \"%s\"\n",
60 : pdb_get_username(s1),
61 : pdb_get_username(s2)));
62 0 : ret = False;
63 : }
64 :
65 : /* Check NT username */
66 3 : s1_buf = pdb_get_nt_username(s1);
67 3 : s2_buf = pdb_get_nt_username(s2);
68 3 : if (s2_buf == NULL && s1_buf != NULL) {
69 0 : DEBUG(0, ("NT Username is not set\n"));
70 0 : ret = False;
71 3 : } else if (s1_buf == NULL) {
72 : /* Do nothing */
73 3 : } else if (strcmp(s1_buf, s2_buf)) {
74 0 : DEBUG(0, ("NT Username not written correctly, want \"%s\", got \"%s\"\n",
75 : pdb_get_nt_username(s1),
76 : pdb_get_nt_username(s2)));
77 0 : ret = False;
78 : }
79 :
80 : /* Check acct ctrl */
81 3 : if (pdb_get_acct_ctrl(s1) != pdb_get_acct_ctrl(s2)) {
82 0 : DEBUG(0, ("Acct ctrl field not written correctly, want %d (0x%X), got %d (0x%X)\n",
83 : pdb_get_acct_ctrl(s1),
84 : pdb_get_acct_ctrl(s1),
85 : pdb_get_acct_ctrl(s2),
86 : pdb_get_acct_ctrl(s2)));
87 0 : ret = False;
88 : }
89 :
90 : /* Check NT password */
91 3 : d1_buf = pdb_get_nt_passwd(s1);
92 3 : d2_buf = pdb_get_nt_passwd(s2);
93 3 : if (d2_buf == NULL && d1_buf != NULL) {
94 0 : DEBUG(0, ("NT password is not set\n"));
95 0 : ret = False;
96 3 : } else if (d1_buf == NULL) {
97 : /* Do nothing */
98 3 : } else if (memcmp(d1_buf, d2_buf, NT_HASH_LEN)) {
99 0 : DEBUG(0, ("NT password not written correctly\n"));
100 0 : ret = False;
101 : }
102 :
103 : /* Check lanman password */
104 3 : d1_buf = pdb_get_lanman_passwd(s1);
105 3 : d2_buf = pdb_get_lanman_passwd(s2);
106 3 : if (d2_buf == NULL && d1_buf != NULL) {
107 0 : DEBUG(0, ("Lanman password is not set\n"));
108 3 : } else if (d1_buf == NULL) {
109 : /* Do nothing */
110 3 : } else if (memcmp(d1_buf, d2_buf, NT_HASH_LEN)) {
111 0 : DEBUG(0, ("Lanman password not written correctly\n"));
112 0 : ret = False;
113 : }
114 :
115 : /* Check password history */
116 3 : d1_buf = pdb_get_pw_history(s1, &s1_len);
117 3 : d2_buf = pdb_get_pw_history(s2, &s2_len);
118 3 : if (d2_buf == NULL && d1_buf != NULL) {
119 0 : DEBUG(0, ("Password history is not set\n"));
120 3 : } else if (d1_buf == NULL) {
121 : /* Do nothing */
122 0 : } else if (s1_len != s2_len) {
123 0 : DEBUG(0, ("Password history not written correctly, lengths differ, want %d, got %d\n",
124 : s1_len, s2_len));
125 0 : ret = False;
126 0 : } else if (strncmp(s1_buf, s2_buf, s1_len)) {
127 0 : DEBUG(0, ("Password history not written correctly\n"));
128 0 : ret = False;
129 : }
130 :
131 : /* Check logon time */
132 3 : if (pdb_get_logon_time(s1) != pdb_get_logon_time(s2)) {
133 0 : DEBUG(0, ("Logon time is not written correctly\n"));
134 0 : ret = False;
135 : }
136 :
137 : /* Check logoff time */
138 3 : if (pdb_get_logoff_time(s1) != pdb_get_logoff_time(s2)) {
139 0 : DEBUG(0, ("Logoff time is not written correctly: %s vs %s \n",
140 : http_timestring(talloc_tos(), pdb_get_logoff_time(s1)),
141 : http_timestring(talloc_tos(), pdb_get_logoff_time(s2))));
142 0 : ret = False;
143 : }
144 :
145 : /* Check kickoff time */
146 3 : if (pdb_get_kickoff_time(s1) != pdb_get_kickoff_time(s2)) {
147 0 : DEBUG(0, ("Kickoff time is not written correctly: %s vs %s \n",
148 : http_timestring(talloc_tos(), pdb_get_kickoff_time(s1)),
149 : http_timestring(talloc_tos(), pdb_get_kickoff_time(s2))));
150 0 : ret = False;
151 : }
152 :
153 : /* Check bad password time */
154 3 : if (pdb_get_bad_password_time(s1) != pdb_get_bad_password_time(s2)) {
155 0 : DEBUG(0, ("Bad password time is not written correctly\n"));
156 0 : ret = False;
157 : }
158 :
159 : /* Check password last set time */
160 3 : if (pdb_get_pass_last_set_time(s1) != pdb_get_pass_last_set_time(s2)) {
161 0 : DEBUG(0, ("Password last set time is not written correctly: %s vs %s \n",
162 : http_timestring(talloc_tos(), pdb_get_pass_last_set_time(s1)),
163 : http_timestring(talloc_tos(), pdb_get_pass_last_set_time(s2))));
164 0 : ret = False;
165 : }
166 :
167 : /* Check password can change time */
168 3 : if (pdb_get_pass_can_change_time(s1) != pdb_get_pass_can_change_time(s2)) {
169 0 : DEBUG(0, ("Password can change time is not written correctly %s vs %s \n",
170 : http_timestring(talloc_tos(), pdb_get_pass_can_change_time(s1)),
171 : http_timestring(talloc_tos(), pdb_get_pass_can_change_time(s2))));
172 0 : ret = False;
173 : }
174 :
175 : /* Check password must change time */
176 3 : if (pdb_get_pass_must_change_time(s1) != pdb_get_pass_must_change_time(s2)) {
177 0 : DEBUG(0, ("Password must change time is not written correctly\n"));
178 0 : ret = False;
179 : }
180 :
181 : /* Check logon divs */
182 3 : if (pdb_get_logon_divs(s1) != pdb_get_logon_divs(s2)) {
183 0 : DEBUG(0, ("Logon divs not written correctly\n"));
184 0 : ret = False;
185 : }
186 :
187 : /* Check logon hours */
188 3 : if (pdb_get_hours_len(s1) != pdb_get_hours_len(s2)) {
189 0 : DEBUG(0, ("Logon hours length not written correctly\n"));
190 0 : ret = False;
191 3 : } else if (pdb_get_hours_len(s1) != 0) {
192 3 : d1_buf = pdb_get_hours(s1);
193 3 : d2_buf = pdb_get_hours(s2);
194 3 : if (d2_buf == NULL && d1_buf != NULL) {
195 0 : DEBUG(0, ("Logon hours is not set\n"));
196 0 : ret = False;
197 3 : } else if (d1_buf == NULL) {
198 : /* Do nothing */
199 3 : } else if (memcmp(d1_buf, d2_buf, MAX_HOURS_LEN)) {
200 0 : DEBUG(0, ("Logon hours is not written correctly\n"));
201 0 : ret = False;
202 : }
203 : }
204 :
205 : /* Check profile path */
206 3 : s1_buf = pdb_get_profile_path(s1);
207 3 : s2_buf = pdb_get_profile_path(s2);
208 3 : if (s2_buf == NULL && s1_buf != NULL) {
209 0 : DEBUG(0, ("Profile path is not set\n"));
210 0 : ret = False;
211 3 : } else if (s1_buf == NULL) {
212 : /* Do nothing */
213 3 : } else if (strcmp(s1_buf, s2_buf)) {
214 0 : DEBUG(0, ("Profile path is not written correctly\n"));
215 0 : ret = False;
216 : }
217 :
218 : /* Check home dir */
219 3 : s1_buf = pdb_get_homedir(s1);
220 3 : s2_buf = pdb_get_homedir(s2);
221 3 : if (s2_buf == NULL && s1_buf != NULL) {
222 0 : DEBUG(0, ("Home dir is not set\n"));
223 0 : ret = False;
224 3 : } else if (s1_buf == NULL) {
225 : /* Do nothing */
226 3 : } else if (strcmp(s1_buf, s2_buf)) {
227 0 : DEBUG(0, ("Home dir is not written correctly\n"));
228 0 : ret = False;
229 : }
230 :
231 : /* Check logon script */
232 3 : s1_buf = pdb_get_logon_script(s1);
233 3 : s2_buf = pdb_get_logon_script(s2);
234 3 : if (s2_buf == NULL && s1_buf != NULL) {
235 0 : DEBUG(0, ("Logon script not set\n"));
236 0 : ret = False;
237 3 : } else if (s1_buf == NULL) {
238 : /* Do nothing */
239 3 : } else if (strcmp(s1_buf, s2_buf)) {
240 0 : DEBUG(0, ("Logon script is not written correctly\n"));
241 0 : ret = False;
242 : }
243 :
244 : /* Check user and group sids */
245 3 : s1_sid = pdb_get_user_sid(s1);
246 3 : s2_sid = pdb_get_user_sid(s2);
247 3 : if (s2_sid == NULL && s1_sid != NULL) {
248 0 : DEBUG(0, ("USER SID not set\n"));
249 0 : ret = False;
250 3 : } else if (s1_sid == NULL) {
251 : /* Do nothing */
252 3 : } else if (!dom_sid_equal(s1_sid, s2_sid)) {
253 0 : DEBUG(0, ("USER SID is not written correctly\n"));
254 0 : ret = False;
255 : }
256 :
257 3 : return ret;
258 : }
259 :
260 3 : static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
261 : {
262 : struct auth_usersupplied_info *user_info;
263 : struct auth_context *auth_context;
264 : static const uint8_t challenge_8[8] = {1, 2, 3, 4, 5, 6, 7, 8};
265 3 : DATA_BLOB challenge = data_blob_const(challenge_8, sizeof(challenge_8));
266 : struct tsocket_address *remote_address;
267 : struct tsocket_address *local_address;
268 : unsigned char local_nt_response[24];
269 3 : DATA_BLOB nt_resp = data_blob_const(local_nt_response, sizeof(local_nt_response));
270 : unsigned char local_nt_session_key[16];
271 : struct netr_SamInfo3 *info3_sam, *info3_auth;
272 : struct auth_serversupplied_info *server_info;
273 3 : struct wbcAuthUserParams params = { .flags = 0 };
274 3 : struct wbcAuthUserInfo *info = NULL;
275 3 : struct wbcAuthErrorInfo *err = NULL;
276 : wbcErr wbc_status;
277 3 : struct netr_SamInfo6 *info6_wbc = NULL;
278 : NTSTATUS status;
279 : bool ok;
280 3 : uint8_t authoritative = 1;
281 : int rc;
282 :
283 3 : rc = SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
284 : local_nt_response);
285 3 : if (rc != 0) {
286 0 : return False;
287 : }
288 :
289 3 : SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
290 :
291 3 : if (tsocket_address_inet_from_strings(NULL, "ip", NULL, 0, &remote_address) != 0) {
292 0 : return False;
293 : }
294 :
295 3 : if (tsocket_address_inet_from_strings(NULL, "ip", NULL, 0, &local_address) != 0) {
296 0 : return False;
297 : }
298 :
299 3 : status = make_user_info(mem_ctx,
300 : &user_info, pdb_get_username(pdb_entry), pdb_get_username(pdb_entry),
301 : pdb_get_domain(pdb_entry), pdb_get_domain(pdb_entry), lp_netbios_name(),
302 : remote_address,local_address, "pdbtest",
303 : NULL, &nt_resp, NULL, NULL, NULL,
304 : AUTH_PASSWORD_RESPONSE);
305 3 : if (!NT_STATUS_IS_OK(status)) {
306 0 : DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
307 0 : return False;
308 : }
309 :
310 3 : status = check_sam_security_info3(&challenge, NULL, user_info, &info3_sam);
311 3 : if (!NT_STATUS_IS_OK(status)) {
312 0 : DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
313 0 : return False;
314 : }
315 :
316 3 : if (memcmp(info3_sam->base.key.key, local_nt_session_key, 16) != 0) {
317 0 : DEBUG(0, ("Returned NT session key is incorrect\n"));
318 0 : return False;
319 : }
320 :
321 3 : status = make_auth3_context_for_ntlm(NULL, &auth_context);
322 :
323 3 : if (!NT_STATUS_IS_OK(status)) {
324 0 : DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
325 0 : return False;
326 : }
327 :
328 3 : ok = auth3_context_set_challenge(
329 3 : auth_context, challenge.data, "fixed");
330 3 : if (!ok) {
331 0 : DBG_ERR("auth3_context_set_challenge failed\n");
332 0 : return false;
333 : }
334 :
335 3 : status = auth_check_ntlm_password(mem_ctx,
336 : auth_context,
337 : user_info,
338 : &server_info,
339 : &authoritative);
340 :
341 3 : if (!NT_STATUS_IS_OK(status)) {
342 0 : DEBUG(0, ("Failed to test authentication with auth module: "
343 : "%s authoritative[%u].\n",
344 : nt_errstr(status), authoritative));
345 0 : return False;
346 : }
347 :
348 3 : info3_auth = talloc_zero(mem_ctx, struct netr_SamInfo3);
349 3 : if (info3_auth == NULL) {
350 0 : return False;
351 : }
352 :
353 3 : status = serverinfo_to_SamInfo3(server_info, info3_auth);
354 3 : if (!NT_STATUS_IS_OK(status)) {
355 0 : DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
356 : nt_errstr(status)));
357 0 : return False;
358 : }
359 :
360 3 : if (memcmp(info3_auth->base.key.key, local_nt_session_key, 16) != 0) {
361 0 : DEBUG(0, ("Returned NT session key is incorrect\n"));
362 0 : return False;
363 : }
364 :
365 3 : if (!dom_sid_equal(info3_sam->base.domain_sid, info3_auth->base.domain_sid)) {
366 : struct dom_sid_buf buf1, buf2;
367 0 : DEBUG(0, ("domain_sid in SAM info3 %s does not match domain_sid in AUTH info3 %s\n",
368 : dom_sid_str_buf(info3_sam->base.domain_sid, &buf1),
369 : dom_sid_str_buf(info3_auth->base.domain_sid,
370 : &buf2)));
371 0 : return False;
372 : }
373 :
374 : /* TODO:
375 : * Compare more details from the two info3 structures,
376 : * then test that an expired/disabled/pwdmustchange account
377 : * returns the correct errors
378 : */
379 :
380 3 : params.parameter_control = user_info->logon_parameters;
381 3 : params.parameter_control |= WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
382 : WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
383 3 : params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
384 :
385 3 : params.account_name = user_info->client.account_name;
386 3 : params.domain_name = user_info->client.domain_name;
387 3 : params.workstation_name = user_info->workstation_name;
388 :
389 3 : memcpy(params.password.response.challenge,
390 3 : challenge.data,
391 : sizeof(params.password.response.challenge));
392 :
393 3 : params.password.response.lm_length =
394 3 : user_info->password.response.lanman.length;
395 3 : params.password.response.nt_length =
396 3 : user_info->password.response.nt.length;
397 :
398 3 : params.password.response.lm_data =
399 3 : user_info->password.response.lanman.data;
400 3 : params.password.response.nt_data =
401 3 : user_info->password.response.nt.data;
402 :
403 3 : wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err);
404 3 : if (wbc_status != WBC_ERR_WINBIND_NOT_AVAILABLE) {
405 3 : if (wbc_status == WBC_ERR_AUTH_ERROR) {
406 0 : if (err) {
407 0 : DEBUG(1, ("error was %s (0x%08x)\nerror message was '%s'\n",
408 : err->nt_string, err->nt_status, err->display_string));
409 0 : status = NT_STATUS(err->nt_status);
410 0 : wbcFreeMemory(err);
411 : } else {
412 0 : status = NT_STATUS_LOGON_FAILURE;
413 : }
414 0 : if (!NT_STATUS_IS_OK(status)) {
415 0 : return false;
416 : }
417 3 : } else if (!WBC_ERROR_IS_OK(wbc_status)) {
418 0 : DEBUG(1, ("wbcAuthenticateUserEx: failed with %u - %s\n",
419 : wbc_status, wbcErrorString(wbc_status)));
420 0 : if (err) {
421 0 : DEBUG(1, ("error was %s (0x%08x)\nerror message was '%s'\n",
422 : err->nt_string, err->nt_status, err->display_string));
423 : }
424 0 : return false;
425 : }
426 3 : info6_wbc = wbcAuthUserInfo_to_netr_SamInfo6(mem_ctx, info);
427 3 : wbcFreeMemory(info);
428 3 : if (!info6_wbc) {
429 0 : DEBUG(1, ("wbcAuthUserInfo_to_netr_SamInfo6 failed\n"));
430 0 : return false;
431 : }
432 :
433 3 : if (memcmp(info6_wbc->base.key.key, local_nt_session_key, 16) != 0) {
434 0 : DEBUG(0, ("Returned NT session key is incorrect\n"));
435 0 : return false;
436 : }
437 :
438 3 : if (!dom_sid_equal(info3_sam->base.domain_sid, info6_wbc->base.domain_sid)) {
439 : struct dom_sid_buf buf1, buf2;
440 0 : DEBUG(0, ("domain_sid in SAM info3 %s does not match domain_sid in AUTH info3 %s\n",
441 : dom_sid_str_buf(info3_sam->base.domain_sid,
442 : &buf1),
443 : dom_sid_str_buf(info6_wbc->base.domain_sid,
444 : &buf2)));
445 0 : return false;
446 : }
447 : }
448 :
449 3 : return True;
450 : }
451 :
452 1 : static bool test_trusted_domains(TALLOC_CTX *ctx,
453 : struct pdb_methods *pdb,
454 : bool *error)
455 : {
456 : NTSTATUS rv;
457 : /* test trustdom calls */
458 : struct pdb_trusted_domain *td;
459 : struct pdb_trusted_domain *new_td;
460 : struct trustAuthInOutBlob taiob;
461 : struct AuthenticationInformation aia;
462 : enum ndr_err_code ndr_err;
463 : bool ok;
464 :
465 1 : td = talloc_zero(ctx ,struct pdb_trusted_domain);
466 1 : if (!td) {
467 0 : fprintf(stderr, "talloc failed\n");
468 0 : return false;
469 : }
470 :
471 1 : td->domain_name = talloc_strdup(td, TRUST_DOM);
472 1 : td->netbios_name = talloc_strdup(td, TRUST_DOM);
473 1 : if (!td->domain_name || !td->netbios_name) {
474 0 : fprintf(stderr, "talloc failed\n");
475 0 : return false;
476 : }
477 1 : ok = dom_sid_parse("S-1-5-21-123-456-789", &td->security_identifier);
478 1 : if (!ok) {
479 0 : fprintf(stderr, "dom_sid_parse S-1-5-21-123-456-789 failed\n");
480 0 : return false;
481 : }
482 :
483 1 : td->trust_auth_incoming = data_blob_null;
484 :
485 1 : ZERO_STRUCT(taiob);
486 1 : ZERO_STRUCT(aia);
487 1 : taiob.count = 1;
488 1 : taiob.current.count = 1;
489 1 : taiob.current.array = &aia;
490 1 : unix_to_nt_time(&aia.LastUpdateTime, time(NULL));
491 1 : aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
492 1 : aia.AuthInfo.clear.password = (uint8_t *) talloc_strdup(ctx, TRUST_PWD);
493 1 : aia.AuthInfo.clear.size = strlen(TRUST_PWD);
494 :
495 1 : taiob.previous.count = 0;
496 1 : taiob.previous.array = NULL;
497 :
498 1 : ndr_err = ndr_push_struct_blob(&td->trust_auth_outgoing,
499 : td, &taiob,
500 : (ndr_push_flags_fn_t) ndr_push_trustAuthInOutBlob);
501 1 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
502 0 : fprintf(stderr, "ndr_push_struct_blob failed.\n");
503 0 : return false;
504 : }
505 :
506 1 : td->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
507 1 : td->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
508 1 : td->trust_attributes = 0;
509 1 : td->trust_forest_trust_info = data_blob_null;
510 :
511 1 : rv = pdb->set_trusted_domain(pdb, TRUST_DOM, td);
512 1 : if (!NT_STATUS_IS_OK(rv)) {
513 0 : fprintf(stderr, "Error in set_trusted_domain %s\n",
514 : get_friendly_nt_error_msg(rv));
515 0 : *error = true;
516 : }
517 :
518 1 : rv = pdb->get_trusted_domain(pdb, ctx, TRUST_DOM, &new_td);
519 1 : if (!NT_STATUS_IS_OK(rv)) {
520 0 : fprintf(stderr, "Error in get_trusted_domain %s\n",
521 : get_friendly_nt_error_msg(rv));
522 0 : *error = true;
523 : }
524 :
525 1 : if (!strequal(td->domain_name, new_td->domain_name) ||
526 1 : !strequal(td->netbios_name, new_td->netbios_name) ||
527 1 : !dom_sid_equal(&td->security_identifier,
528 1 : &new_td->security_identifier) ||
529 1 : td->trust_direction != new_td->trust_direction ||
530 1 : td->trust_type != new_td->trust_type ||
531 1 : td->trust_attributes != new_td->trust_attributes ||
532 1 : td->trust_auth_incoming.length != new_td->trust_auth_incoming.length ||
533 2 : td->trust_forest_trust_info.length != new_td->trust_forest_trust_info.length ||
534 1 : data_blob_cmp(&td->trust_auth_outgoing, &new_td->trust_auth_outgoing) != 0) {
535 0 : fprintf(stderr, "Old and new trusdet domain data do not match\n");
536 0 : *error = true;
537 : }
538 :
539 1 : rv = pdb->del_trusted_domain(pdb, TRUST_DOM);
540 1 : if (!NT_STATUS_IS_OK(rv)) {
541 0 : fprintf(stderr, "Error in del_trusted_domain %s\n",
542 : get_friendly_nt_error_msg(rv));
543 0 : *error = true;
544 : }
545 :
546 1 : return true;
547 : }
548 :
549 :
550 3 : int main(int argc, const char **argv)
551 : {
552 : TALLOC_CTX *ctx;
553 3 : struct samu *out = NULL;
554 3 : struct samu *in = NULL;
555 : NTSTATUS rv;
556 : int i;
557 : int opt;
558 : struct timeval tv;
559 3 : bool error = False;
560 : struct passwd *pwd;
561 : uint8_t *buf;
562 : uint32_t expire, min_age, history;
563 : struct pdb_methods *pdb;
564 : poptContext pc;
565 : static const char *backend = NULL;
566 : static const char *unix_user = "nobody";
567 : bool ok;
568 9 : struct poptOption long_options[] = {
569 : {"username", 'u', POPT_ARG_STRING, &unix_user, 0, "Unix user to use for testing", "USERNAME" },
570 : {"backend", 'b', POPT_ARG_STRING, &backend, 0, "Backend to use if not default", "BACKEND[:SETTINGS]" },
571 : POPT_AUTOHELP
572 3 : POPT_COMMON_SAMBA
573 3 : POPT_COMMON_VERSION
574 : POPT_TABLEEND
575 : };
576 :
577 3 : ctx = talloc_stackframe();
578 :
579 3 : smb_init_locale();
580 :
581 3 : ok = samba_cmdline_init(ctx,
582 : SAMBA_CMDLINE_CONFIG_CLIENT,
583 : true /* require_smbconf */);
584 3 : if (!ok) {
585 0 : TALLOC_FREE(ctx);
586 0 : exit(1);
587 : }
588 :
589 3 : pc = samba_popt_get_context(getprogname(), argc, argv, long_options, 0);
590 3 : if (pc == NULL) {
591 0 : TALLOC_FREE(ctx);
592 0 : exit(1);
593 : }
594 :
595 3 : poptSetOtherOptionHelp(pc, "backend[:settings] username");
596 :
597 3 : while ((opt = poptGetNextOpt(pc)) != -1) {
598 0 : switch (opt) {
599 0 : case POPT_ERROR_BADOPT:
600 0 : fprintf(stderr, "\nInvalid option %s: %s\n\n",
601 : poptBadOption(pc, 0), poptStrerror(opt));
602 0 : poptPrintUsage(pc, stderr, 0);
603 0 : exit(1);
604 : }
605 : }
606 :
607 3 : poptFreeContext(pc);
608 :
609 3 : if (backend == NULL) {
610 3 : backend = lp_passdb_backend();
611 : }
612 :
613 3 : rv = make_pdb_method_name(&pdb, backend);
614 3 : if (NT_STATUS_IS_ERR(rv)) {
615 0 : fprintf(stderr, "Error initializing '%s': %s\n", backend, get_friendly_nt_error_msg(rv));
616 0 : exit(1);
617 : }
618 :
619 3 : if (!(out = samu_new(ctx))) {
620 0 : fprintf(stderr, "Can't create samu structure.\n");
621 0 : exit(1);
622 : }
623 :
624 3 : if ((pwd = Get_Pwnam_alloc(ctx, unix_user)) == NULL) {
625 0 : fprintf(stderr, "Error getting user information for %s\n", unix_user);
626 0 : exit(1);
627 : }
628 :
629 3 : samu_set_unix(out, pwd);
630 :
631 3 : pdb_set_profile_path(out, "\\\\torture\\profile", PDB_SET);
632 3 : pdb_set_homedir(out, "\\\\torture\\home", PDB_SET);
633 3 : pdb_set_logon_script(out, "torture_script.cmd", PDB_SET);
634 :
635 3 : pdb_set_acct_ctrl(out, ACB_NORMAL, PDB_SET);
636 :
637 3 : pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &history);
638 3 : if (history * PW_HISTORY_ENTRY_LEN < NT_HASH_LEN) {
639 3 : buf = (uint8_t *)TALLOC(ctx, NT_HASH_LEN);
640 : } else {
641 0 : buf = (uint8_t *)TALLOC(ctx, history * PW_HISTORY_ENTRY_LEN);
642 : }
643 :
644 : /* Generate some random hashes */
645 3 : GetTimeOfDay(&tv);
646 3 : srand(tv.tv_usec);
647 51 : for (i = 0; i < NT_HASH_LEN; i++) {
648 48 : buf[i] = (uint8_t) rand();
649 : }
650 3 : pdb_set_nt_passwd(out, buf, PDB_SET);
651 51 : for (i = 0; i < LM_HASH_LEN; i++) {
652 48 : buf[i] = (uint8_t) rand();
653 : }
654 3 : pdb_set_lanman_passwd(out, buf, PDB_SET);
655 3 : for (i = 0; i < history * PW_HISTORY_ENTRY_LEN; i++) {
656 0 : buf[i] = (uint8_t) rand();
657 : }
658 3 : pdb_set_pw_history(out, buf, history, PDB_SET);
659 :
660 3 : pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &expire);
661 3 : pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &min_age);
662 3 : pdb_set_pass_last_set_time(out, time(NULL), PDB_SET);
663 :
664 3 : if (min_age == (uint32_t)-1) {
665 0 : pdb_set_pass_can_change_time(out, 0, PDB_SET);
666 : } else {
667 3 : pdb_set_pass_can_change_time(out, time(NULL)+min_age, PDB_SET);
668 : }
669 :
670 3 : pdb_set_logon_time(out, time(NULL)-3600, PDB_SET);
671 :
672 3 : pdb_set_logoff_time(out, time(NULL), PDB_SET);
673 :
674 3 : pdb_set_kickoff_time(out, time(NULL)+3600, PDB_SET);
675 :
676 : /* Create account */
677 3 : if (!NT_STATUS_IS_OK(rv = pdb->add_sam_account(pdb, out))) {
678 0 : fprintf(stderr, "Error in add_sam_account: %s\n",
679 : get_friendly_nt_error_msg(rv));
680 0 : exit(1);
681 : }
682 :
683 3 : if (!(in = samu_new(ctx))) {
684 0 : fprintf(stderr, "Can't create samu structure.\n");
685 0 : exit(1);
686 : }
687 :
688 : /* Get account information through getsampwnam() */
689 3 : rv = pdb->getsampwnam(pdb, in, out->username);
690 3 : if (NT_STATUS_IS_ERR(rv)) {
691 0 : fprintf(stderr, "Error getting sampw of added user %s: %s\n",
692 : out->username, nt_errstr(rv));
693 0 : if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) {
694 0 : fprintf(stderr, "Error in delete_sam_account %s\n",
695 : get_friendly_nt_error_msg(rv));
696 : }
697 0 : TALLOC_FREE(ctx);
698 0 : exit(1);
699 : }
700 :
701 : /* Verify integrity */
702 3 : if (samu_correct(out, in)) {
703 3 : printf("User info written correctly\n");
704 : } else {
705 0 : printf("User info NOT written correctly\n");
706 0 : error = True;
707 : }
708 :
709 3 : if (test_auth(ctx, out)) {
710 3 : printf("Authentication module test passed\n");
711 : } else {
712 0 : printf("Authentication module test failed!\n");
713 0 : error = True;
714 : }
715 :
716 :
717 : /* Delete account */
718 3 : if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) {
719 0 : fprintf(stderr, "Error in delete_sam_account %s\n",
720 : get_friendly_nt_error_msg(rv));
721 : }
722 :
723 3 : if (pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX) {
724 1 : if (!test_trusted_domains(ctx, pdb, &error)) {
725 0 : fprintf(stderr, "failed testing trusted domains.\n");
726 0 : exit(1);
727 : }
728 : }
729 :
730 3 : TALLOC_FREE(ctx);
731 :
732 3 : if (error) {
733 0 : return 1;
734 : }
735 3 : return 0;
736 : }
|
