From: Stefan Metzmacher
Date: Thu, 20 Jul 2023 11:29:12 +0000 (+0200)
Subject: s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags
X-Git-Tag: tdb-1.4.13~822
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d174b6595a962230bf71cc5c2f512a2c93a4cc1b;p=thirdparty%2Fsamba.git

s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher
Reviewed-by: Douglas Bagnall
---

diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 82152ffda27..5ee4f3a7222 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -2041,6 +2041,7 @@ bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
 */
 bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *tctx,
 struct cli_credentials *credentials,
+ uint32_t requested_flags,
 struct netlogon_creds_CredentialState *creds)
 {
 NTSTATUS status;
@@ -2158,8 +2159,8 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 &r.out.return_authenticator->cred),
 "Credential chaining failed");
 
- torture_assert_int_equal(tctx, creds->negotiate_flags,
- capabilities.server_capabilities,
+ torture_assert_int_equal(tctx, requested_flags,
+ capabilities.requested_flags,
 "negotiate flags");
 
 return true;
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index fab1fa4af45..497e15455ab 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -32,6 +32,7 @@
 #include "libcli/security/security.h"
 #include "system/filesys.h"
 #include "param/param.h"
+#include "param/loadparm.h"
 #include "librpc/rpc/dcerpc_proto.h"
 #include "libcli/composite/composite.h"
 #include "lib/events/events.h"
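Review bot: In the second hunk of source4/torture/rpc/netlogon.c the assertion now checks `capabilities.requested_flags` but still reports "negotiate flags", and it passes the locally computed value first and the server's reply second. If `torture_assert_int_equal` takes (got, expected), as I believe it does, a failure would print the server's answer as the expected value, which makes a mismatch in this flag check harder to interpret; I would write `torture_assert_int_equal(tctx, capabilities.requested_flags, requested_flags, "requested flags");`. The new `requested_flags` parameter from the first hunk also deserves a line in the function's header comment saying it is the flag set the client asked for when authenticating, as opposed to `creds->negotiate_flags`. The header comment and the function body both extend outside the hunks shown.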
@@ -595,6 +596,7 @@ static bool test_schannel(struct torture_context *tctx,
 struct netlogon_creds_CredentialState *creds;
 struct cli_credentials *credentials;
 enum dcerpc_transport_t transport;
+ uint32_t requested_flags;
 
 join_ctx = torture_join_domain(tctx,
 talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i),
@@ -634,8 +636,26 @@ static bool test_schannel(struct torture_context *tctx,
 creds = cli_credentials_get_netlogon_creds(credentials);
 torture_assert(tctx, (creds != NULL), "schannel creds");
 
+ requested_flags = NETLOGON_NEG_AUTH2_FLAGS;
+ if (dcerpc_flags & DCERPC_SCHANNEL_128) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ }
+ if (dcerpc_flags & DCERPC_SCHANNEL_AES) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+ if (dcerpc_flags & DCERPC_SCHANNEL_AUTO) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+ if (lpcfg_weak_crypto(tctx->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ requested_flags &= ~NETLOGON_NEG_ARCFOUR;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+
 /* checks the capabilities */
- torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
+ torture_assert(tctx,
+ test_netlogon_capabilities(p_netlogon, tctx, credentials, requested_flags, creds),
 "Failed to process schannel secured capability ops (on fresh connection)");
 
 /* do a couple of logins */
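Review bot: The `requested_flags` derivation added in the `@@ -634,8 +636,26 @@` hunk is repeated line for line in the `@@ -723,8 +743,26 @@` hunk, and nothing says which client code it mirrors, so the two copies and the client's own flag selection can drift apart without the test noticing. This value is what the server's reply is compared against, including the `SAMBA_WEAK_CRYPTO_DISALLOWED` case that clears `NETLOGON_NEG_ARCFOUR`. I would move it into one static helper with a comment pointing at the client-side code it must track, and fold the identical `DCERPC_SCHANNEL_AES` and `DCERPC_SCHANNEL_AUTO` branches into a single test. `dcerpc_flags` is declared outside the hunk, so the sketch assumes it is a `uint32_t`. test_schannel's body starts and ends outside the hunk.

```c
/*
 * Flags the client is expected to request for the given schannel
 * binding flags. Keep in sync with the client-side schannel bind code.
 */
static uint32_t schannel_expected_requested_flags(struct torture_context *tctx,
						   uint32_t dcerpc_flags)
{
	uint32_t requested_flags = NETLOGON_NEG_AUTH2_FLAGS;

	/* … unchanged: DCERPC_SCHANNEL_128 branch … */
	if (dcerpc_flags & (DCERPC_SCHANNEL_AES | DCERPC_SCHANNEL_AUTO)) {
		requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
		requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
	}
	/* … unchanged: lpcfg_weak_crypto() branch … */

	return requested_flags;
}

	/* in test_schannel(), before each test_netlogon_capabilities() call */
	requested_flags = schannel_expected_requested_flags(tctx, dcerpc_flags);
```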
@@ -723,8 +743,26 @@ static bool test_schannel(struct torture_context *tctx,
 tctx, &p_netlogon2);
 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
 
+ requested_flags = NETLOGON_NEG_AUTH2_FLAGS;
+ if (dcerpc_flags & DCERPC_SCHANNEL_128) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ }
+ if (dcerpc_flags & DCERPC_SCHANNEL_AES) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+ if (dcerpc_flags & DCERPC_SCHANNEL_AUTO) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+ if (lpcfg_weak_crypto(tctx->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ requested_flags &= ~NETLOGON_NEG_ARCFOUR;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+
 /* checks the capabilities */
- torture_assert(tctx, test_netlogon_capabilities(p_netlogon2, tctx, credentials, creds),
+ torture_assert(tctx,
+ test_netlogon_capabilities(p_netlogon2, tctx, credentials, requested_flags, creds),
 "Failed to process schannel secured capability ops (on fresh connection)");
 
 /* Try the schannel-only SamLogonEx operation */