s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags
authorStefan Metzmacher <metze@samba.org>
Thu, 20 Jul 2023 11:29:12 +0000 (13:29 +0200)
committerJule Anger <janger@samba.org>
Wed, 13 Nov 2024 10:39:11 +0000 (10:39 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit d174b6595a962230bf71cc5c2f512a2c93a4cc1b)

source4/torture/rpc/netlogon.c
source4/torture/rpc/schannel.c

index c3715619cb7753145d40f47372abbba1d0ea527a..beac67c4c5bf0a9de0d0b66cdf0aceae60e53a3e 100644 (file)
@@ -2039,6 +2039,7 @@ bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
 */
 bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *tctx,
                                struct cli_credentials *credentials,
+                               uint32_t requested_flags,
                                struct netlogon_creds_CredentialState *creds)
 {
        NTSTATUS status;
@@ -2156,8 +2157,8 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
                                                         &r.out.return_authenticator->cred),
                       "Credential chaining failed");
 
-       torture_assert_int_equal(tctx, creds->negotiate_flags,
-                                capabilities.server_capabilities,
+       torture_assert_int_equal(tctx, requested_flags,
+                                capabilities.requested_flags,
                                 "negotiate flags");
 
        return true;
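Review bot: The rewritten assertion passes the locally computed value first and the server's reply second, which looks reversed if `torture_assert_int_equal` takes (got, expected) as its declaration in lib/torture/torture.h suggests. On a mismatch the log would then name the server's echoed flags as the expected value, which is misleading when the test exists to catch a server that does not return what the client requested. The message also still reads "negotiate flags" although the comparison is now on `requested_flags`. Consider `torture_assert_int_equal(tctx, capabilities.requested_flags, requested_flags, "requested flags");`. The body of test_netlogon_capabilities starts outside this hunk, so the query level used for the call cannot be confirmed from here.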
index d6dca3666702f39d3a6cd5ff3c576d0cc48ad7a4..42b6f5d52644a77940bbbf18df113d73d54d8916 100644 (file)
@@ -32,6 +32,7 @@
 #include "libcli/security/security.h"
 #include "system/filesys.h"
 #include "param/param.h"
+#include "param/loadparm.h"
 #include "librpc/rpc/dcerpc_proto.h"
 #include "libcli/composite/composite.h"
 #include "lib/events/events.h"
@@ -591,6 +592,7 @@ static bool test_schannel(struct torture_context *tctx,
        struct netlogon_creds_CredentialState *creds;
        struct cli_credentials *credentials;
        enum dcerpc_transport_t transport;
+       uint32_t requested_flags;
 
        join_ctx = torture_join_domain(tctx,
                                       talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i),
@@ -630,8 +632,26 @@ static bool test_schannel(struct torture_context *tctx,
        creds = cli_credentials_get_netlogon_creds(credentials);
        torture_assert(tctx, (creds != NULL), "schannel creds");
 
+       requested_flags = NETLOGON_NEG_AUTH2_FLAGS;
+       if (dcerpc_flags & DCERPC_SCHANNEL_128) {
+               requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       }
+       if (dcerpc_flags & DCERPC_SCHANNEL_AES) {
+               requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+               requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+       }
+       if (dcerpc_flags & DCERPC_SCHANNEL_AUTO) {
+               requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+               requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+       }
+       if (lpcfg_weak_crypto(tctx->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+               requested_flags &= ~NETLOGON_NEG_ARCFOUR;
+               requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+       }
+
        /* checks the capabilities */
-       torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
+       torture_assert(tctx,
+                      test_netlogon_capabilities(p_netlogon, tctx, credentials, requested_flags, creds),
                       "Failed to process schannel secured capability ops (on fresh connection)");
 
        /* do a couple of logins */
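Review bot: The block that derives `requested_flags` is added twice, here and again in the later hunk before the `p_netlogon2` check, and its `DCERPC_SCHANNEL_AES` and `DCERPC_SCHANNEL_AUTO` branches are identical. Because this value is what the test expects the server to echo back, the two copies can drift apart when negotiation defaults change, and one of the checks would then silently verify the wrong flag set. A small static helper called from both places keeps a single source for the expectation; the type of `dcerpc_flags` is not visible in the hunk and is assumed to be `uint32_t` below. The expectation is also re-derived rather than read from what the client actually sent in the authenticate call, so a short comment saying it must mirror the client's negotiation logic would help. test_schannel's body starts and ends outside the hunk.

```c
/* Flags the client is expected to have requested for this schannel mode;
 * must mirror the client-side negotiation logic. */
static uint32_t schannel_expected_requested_flags(struct torture_context *tctx,
						   uint32_t dcerpc_flags)
{
	uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS;

	if (dcerpc_flags & DCERPC_SCHANNEL_128) {
		flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
	}
	if (dcerpc_flags & (DCERPC_SCHANNEL_AES | DCERPC_SCHANNEL_AUTO)) {
		flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
	}
	if (lpcfg_weak_crypto(tctx->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
		/* weak crypto disallowed: ARCFOUR cleared, AES forced on */
		flags &= ~NETLOGON_NEG_ARCFOUR;
		flags |= NETLOGON_NEG_SUPPORTS_AES;
	}
	return flags;
}

/* … unchanged: test_schannel() up to the "schannel creds" assert … */
	requested_flags = schannel_expected_requested_flags(tctx, dcerpc_flags);
```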
@@ -719,8 +739,26 @@ static bool test_schannel(struct torture_context *tctx,
                                                  tctx, &p_netlogon2);
        torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
 
+       requested_flags = NETLOGON_NEG_AUTH2_FLAGS;
+       if (dcerpc_flags & DCERPC_SCHANNEL_128) {
+               requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       }
+       if (dcerpc_flags & DCERPC_SCHANNEL_AES) {
+               requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+               requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+       }
+       if (dcerpc_flags & DCERPC_SCHANNEL_AUTO) {
+               requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+               requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+       }
+       if (lpcfg_weak_crypto(tctx->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+               requested_flags &= ~NETLOGON_NEG_ARCFOUR;
+               requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+       }
+
        /* checks the capabilities */
-       torture_assert(tctx, test_netlogon_capabilities(p_netlogon2, tctx, credentials, creds),
+       torture_assert(tctx,
+                      test_netlogon_capabilities(p_netlogon2, tctx, credentials, requested_flags, creds),
                       "Failed to process schannel secured capability ops (on fresh connection)");
 
        /* Try the schannel-only SamLogonEx operation */
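Review bot: The failure message on this second capabilities check still reads "(on fresh connection)" although the call runs against the secondary connection `p_netlogon2`, so a failure here cannot be told apart in the log from the first check earlier in test_schannel. Since the call is being rewrapped anyway, the message could become `"Failed to process schannel secured capability ops (on secondary connection)"`. test_schannel's body continues outside the hunk.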