From: Stefan Metzmacher Date: Thu, 20 Jul 2023 11:29:12 +0000 (+0200) Subject: s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags X-Git-Tag: ldb-2.9.2~54 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=adcd2436bf0a770d2f0c7a584d0ecec377e6262a;p=thirdparty%2Fsamba.git s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall (cherry picked from commit d174b6595a962230bf71cc5c2f512a2c93a4cc1b)
---
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index c3715619cb7..beac67c4c5b 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -2039,6 +2039,7 @@ bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
 */
 bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *tctx,
 struct cli_credentials *credentials,
+ uint32_t requested_flags,
 struct netlogon_creds_CredentialState *creds)
 {
 NTSTATUS status;
@@ -2156,8 +2157,8 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 &r.out.return_authenticator->cred),
 "Credential chaining failed");
- torture_assert_int_equal(tctx, creds->negotiate_flags,
- capabilities.server_capabilities,
+ torture_assert_int_equal(tctx, requested_flags,
+ capabilities.requested_flags,
 "negotiate flags");
 return true;
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index d6dca366670..42b6f5d5264 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -32,6 +32,7 @@
 #include "libcli/security/security.h"
 #include "system/filesys.h"
 #include "param/param.h"
+#include "param/loadparm.h"
 #include "librpc/rpc/dcerpc_proto.h"
 #include "libcli/composite/composite.h"
 #include "lib/events/events.h"
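Review bot: In the second netlogon.c hunk the rewritten `torture_assert_int_equal` passes the caller-supplied `requested_flags` first and the server's `capabilities.requested_flags` second, and it keeps the old label "negotiate flags". If the macro takes its arguments in (got, expected) order, which cannot be confirmed from this page, a failure would report the client's own value as the one received, which misleads anyone triaging a flag mismatch on the secure channel. Consider `torture_assert_int_equal(tctx, capabilities.requested_flags, requested_flags, "requested flags");`. The member read here is presumably only meaningful for query_level=2, which is set elsewhere in test_netlogon_capabilities, outside this hunk.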
@@ -591,6 +592,7 @@ static bool test_schannel(struct torture_context *tctx,
 struct netlogon_creds_CredentialState *creds;
 struct cli_credentials *credentials;
 enum dcerpc_transport_t transport;
+ uint32_t requested_flags;
 join_ctx = torture_join_domain(tctx,
 talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i),
@@ -630,8 +632,26 @@ static bool test_schannel(struct torture_context *tctx,
 creds = cli_credentials_get_netlogon_creds(credentials);
 torture_assert(tctx, (creds != NULL), "schannel creds");
+ requested_flags = NETLOGON_NEG_AUTH2_FLAGS;
+ if (dcerpc_flags & DCERPC_SCHANNEL_128) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ }
+ if (dcerpc_flags & DCERPC_SCHANNEL_AES) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+ if (dcerpc_flags & DCERPC_SCHANNEL_AUTO) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+ if (lpcfg_weak_crypto(tctx->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ requested_flags &= ~NETLOGON_NEG_ARCFOUR;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+
 /* checks the capabilities */
- torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
+ torture_assert(tctx,
+ test_netlogon_capabilities(p_netlogon, tctx, credentials, requested_flags, creds),
 "Failed to process schannel secured capability ops (on fresh connection)");
 /* do a couple of logins */
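Review bot: The sixteen added lines that derive `requested_flags` from `dcerpc_flags` in the -630 hunk are repeated verbatim in the -719 hunk, so the expected crypto bits are maintained in two places that can drift apart. Since this value is what the test compares against the server's echo of the negotiated flags, a single static helper above test_schannel would keep both call sites in agreement. The `DCERPC_SCHANNEL_AES` and `DCERPC_SCHANNEL_AUTO` branches do the same thing and can share one condition. The helper name below is only a suggestion, and the type of `dcerpc_flags` is assumed, as it is declared outside the hunk.

```c
/* Flags the client is expected to have requested for these binding flags. */
static uint32_t schannel_expected_requested_flags(struct torture_context *tctx,
						  uint32_t dcerpc_flags)
{
	uint32_t requested_flags = NETLOGON_NEG_AUTH2_FLAGS;

	if (dcerpc_flags & DCERPC_SCHANNEL_128) {
		requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
	}
	if (dcerpc_flags & (DCERPC_SCHANNEL_AES | DCERPC_SCHANNEL_AUTO)) {
		requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
				  NETLOGON_NEG_SUPPORTS_AES;
	}
	if (lpcfg_weak_crypto(tctx->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
		/* RC4 is not offered when weak crypto is disallowed */
		requested_flags &= ~NETLOGON_NEG_ARCFOUR;
		requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
	}

	return requested_flags;
}

/* … unchanged: join, bind and credential setup in test_schannel … */
	requested_flags = schannel_expected_requested_flags(tctx, dcerpc_flags);
```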
@@ -719,8 +739,26 @@ static bool test_schannel(struct torture_context *tctx,
 tctx, &p_netlogon2);
 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
+ requested_flags = NETLOGON_NEG_AUTH2_FLAGS;
+ if (dcerpc_flags & DCERPC_SCHANNEL_128) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ }
+ if (dcerpc_flags & DCERPC_SCHANNEL_AES) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+ if (dcerpc_flags & DCERPC_SCHANNEL_AUTO) {
+ requested_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+ if (lpcfg_weak_crypto(tctx->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ requested_flags &= ~NETLOGON_NEG_ARCFOUR;
+ requested_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+
 /* checks the capabilities */
- torture_assert(tctx, test_netlogon_capabilities(p_netlogon2, tctx, credentials, creds),
+ torture_assert(tctx,
+ test_netlogon_capabilities(p_netlogon2, tctx, credentials, requested_flags, creds),
 "Failed to process schannel secured capability ops (on fresh connection)");
 /* Try the schannel-only SamLogonEx operation */
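Review bot: The assert wrapped around the `test_netlogon_capabilities(p_netlogon2, ...)` call still reports "(on fresh connection)", the same text as the first call site earlier in test_schannel, so a failure log cannot tell the secondary connection from the primary one. The string sits on an unchanged context line, but the statement is being rewritten here anyway. A message such as `"Failed to process schannel secured capability ops (on secondary connection)"` would make a flag mismatch on either pipe attributable at a glance.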