s4:torture/rpc: add rpc.pac tests with DCERPC_SCHANNEL_KRB5/ServerAuthenticateKerberos()

author Stefan Metzmacher <metze@samba.org>

Mon, 11 Nov 2024 18:32:48 +0000 (19:32 +0100)

committer Stefan Metzmacher <metze@samba.org>

Mon, 13 Jan 2025 23:40:30 +0000 (23:40 +0000)
author Stefan Metzmacher <metze@samba.org>
Mon, 11 Nov 2024 18:32:48 +0000 (19:32 +0100)
committer Stefan Metzmacher <metze@samba.org>
Mon, 13 Jan 2025 23:40:30 +0000 (23:40 +0000)
diff --git a/selftest/expectedfail.d/samba4.rpc.pac.krb5 b/selftest/expectedfail.d/samba4.rpc.pac.krb5

new file mode 100644 (file)

index 0000000..f859f17
--- /dev/null
+++ b/selftest/expectedfail.d/samba4.rpc.pac.krb5
@@ -0,0 +1,5 @@
+# fl2000dc and fl2003dc don't have 'server support krb5 netlogon = yes'
+^samba4.rpc.pac.on.ncacn_np.netr-bdc-krb5.verify-sig-krb5\(fl2000dc\)
+^samba4.rpc.pac.on.ncacn_np.netr-mem-krb5.verify-sig-krb5\(fl2000dc\)
+^samba4.rpc.pac.on.ncacn_np.netr-bdc-krb5.verify-sig-krb5\(fl2003dc\)
+^samba4.rpc.pac.on.ncacn_np.netr-mem-krb5.verify-sig-krb5\(fl2003dc\)
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c

index 668962181640a070c1c0981022f7cde72ab85e90..6b69352017f4f6a5e5846795556ae6f99fa38e5f 100644 (file)
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -410,6 +410,28 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
         enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
         NTSTATUS status;
  
+       if (negotiate_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+               const struct dcerpc_binding *b1 =
+                       dcerpc_binding_handle_get_binding(p1->binding_handle);
+               struct dcerpc_binding *b2 = NULL;
+
+               b2 = dcerpc_binding_dup(tctx, b1);
+               torture_assert(tctx, b2 != NULL, "dcerpc_binding_dup");
+               dcerpc_binding_set_flags(b2,
+                                        DCERPC_SCHANNEL | DCERPC_SCHANNEL_KRB5,
+                                        DCERPC_AUTH_OPTIONS);
+
+               cli_credentials_set_netlogon_creds(server_creds, NULL);
+               status = dcerpc_pipe_connect_b(tctx, &p, b2,
+                                              &ndr_table_netlogon,
+                                              server_creds,
+                                              tctx->ev, tctx->lp_ctx);
+               torture_assert_ntstatus_ok(tctx, status,
+                               "dcerpc_pipe_connect_b(DCERPC_SCHANNEL_KRB5)\n");
+               creds = cli_credentials_get_netlogon_creds(server_creds);
+               goto connected;
+       }
+
         if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
                                     server_creds, secure_channel_type,
                                     &creds)) {
@@ -419,6 +441,7 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
                                        DCERPC_SIGN | DCERPC_SEAL, &p)) {
                 return false;
         }
+connected:
         b = p->binding_handle;
  
         pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length;
@@ -502,7 +525,11 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
  
         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed");
  
-       torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
+       status = netlogon_creds_client_verify(creds,
+                                             &r.out.return_authenticator->cred,
+                                             auth_type,
+                                             auth_level);
+       torture_assert_ntstatus_ok(tctx, status,
                        "Credential chaining failed");
  
         /* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */
@@ -525,8 +552,11 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
  
         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed");
  
-       torture_assert(tctx, netlogon_creds_client_check(creds,
-                                                        &r.out.return_authenticator->cred),
+       status = netlogon_creds_client_verify(creds,
+                                             &r.out.return_authenticator->cred,
+                                             auth_type,
+                                             auth_level);
+       torture_assert_ntstatus_ok(tctx, status,
                        "Credential chaining failed");
  
         pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length;
@@ -581,7 +611,11 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
  
         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed");
  
-       torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
+       status = netlogon_creds_client_verify(creds,
+                                             &r.out.return_authenticator->cred,
+                                             auth_type,
+                                             auth_level);
+       torture_assert_ntstatus_ok(tctx, status,
                        "Credential chaining failed");
  
         pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length;
@@ -636,7 +670,11 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
  
         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed");
  
-       torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
+       status = netlogon_creds_client_verify(creds,
+                                             &r.out.return_authenticator->cred,
+                                             auth_type,
+                                             auth_level);
+       torture_assert_ntstatus_ok(tctx, status,
                        "Credential chaining failed");
  
         return true;
@@ -660,6 +698,15 @@ static bool test_PACVerify_bdc_aes(struct torture_context *tctx,
                               NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
  }
  
+static bool test_PACVerify_bdc_krb5(struct torture_context *tctx,
+                                   struct dcerpc_pipe *p,
+                                   struct cli_credentials *credentials)
+{
+       return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC,
+                             TEST_MACHINE_NAME_BDC,
+                             NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH);
+}
+
  static bool test_PACVerify_workstation_arcfour(struct torture_context *tctx,
                                                struct dcerpc_pipe *p,
                                                struct cli_credentials *credentials)
@@ -678,6 +725,15 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx,
                               NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
  }
  
+static bool test_PACVerify_workstation_krb5(struct torture_context *tctx,
+                                           struct dcerpc_pipe *p,
+                                           struct cli_credentials *credentials)
+{
+       return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
+                             TEST_MACHINE_NAME_WKSTA,
+                             NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH);
+}
+
  #ifdef SAMBA4_USES_HEIMDAL
  static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx,
                                                   uint16_t validation_level,
@@ -1400,6 +1456,10 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
                                                               &ndr_table_netlogon, TEST_MACHINE_NAME_BDC);
         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_bdc_aes);
  
+       tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-krb5",
+                                                             &ndr_table_netlogon, TEST_MACHINE_NAME_BDC);
+       torture_rpc_tcase_add_test_creds(tcase, "verify-sig-krb5", test_PACVerify_bdc_krb5);
+
         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-arcfour",
                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-arcfour", test_PACVerify_workstation_arcfour);
@@ -1408,6 +1468,10 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes);
  
+       tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-krb5",
+                                                                     &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
+       torture_rpc_tcase_add_test_creds(tcase, "verify-sig-krb5", test_PACVerify_workstation_krb5);
+
  #ifdef SAMBA4_USES_HEIMDAL
         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
                                                               &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC);
author	Stefan Metzmacher <metze@samba.org>
	Mon, 11 Nov 2024 18:32:48 +0000 (19:32 +0100)
committer	Stefan Metzmacher <metze@samba.org>
	Mon, 13 Jan 2025 23:40:30 +0000 (23:40 +0000)
selftest/expectedfail.d/samba4.rpc.pac.krb5	[new file with mode: 0644]	patch \| blob
source4/torture/rpc/remote_pac.c		patch \| blob \| blame \| history