The branch, master has been updated
via cf536e3 torture: Add ServerReqChallengeReuseGlobal2 to rpc.netlogon
via 5434bde torture: Add ServerReqChallengeReuse to rpc.netlogon
via 568d250 torture: Add new test ServerReqChallengeReuseGlobal to
rpc.netlogon
via f55dc9c torture/samba3rpc: Use NETLOGON_NEG_AUTH2_ADS_FLAGS
via 380ec1b torture: Use DCERPC_SCHANNEL_AUTO in rpc.schannel.schannel2
test
via ecb1f56 torture: Add credentials downgrade and challenge reuse test
to rpc.netlogon
from 91d5ea2 librpc/ndr/uuid.c: improve speed and accuracy of GUID
string parsing
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit cf536e36fbb87a691b78bbea999497e3ce1049dc
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed Dec 14 15:59:08 2016 +1300
torture: Add ServerReqChallengeReuseGlobal2 to rpc.netlogon
This test ensures that when the per-pipe challenge is used, the tdb cache
is wiped as well
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Wed Dec 14 15:56:37 CET 2016 on sn-devel-144
commit 5434bde87bb7fc7625642fd020c5835a6de10ce5
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed Dec 14 15:17:24 2016 +1300
torture: Add ServerReqChallengeReuse to rpc.netlogon
This test covers credentials reuse on the same process.
We test with direct re-use, and for the case where the challenge
is reset to zeros.
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 568d250bfb26edbf9ad8370f2e0ce470839301bc
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed Dec 14 15:12:12 2016 +1300
torture: Add new test ServerReqChallengeReuseGlobal to rpc.netlogon
This tests ensures we can not re-use the entries in global challenge table.
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit f55dc9cf72d7d8a2a3754dd8901d50e5611d8f5d
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed Dec 14 15:09:15 2016 +1300
torture/samba3rpc: Use NETLOGON_NEG_AUTH2_ADS_FLAGS
This allows this test to pass after "allow nt4 crypto" is removed from
the default environment.
We now only set it in ad_dc
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 380ec1bb72378b7acfe52da25839633016367337
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed Dec 14 17:45:19 2016 +1300
torture: Use DCERPC_SCHANNEL_AUTO in rpc.schannel.schannel2 test
This allows it to run against modern servers that do not permit NT4 crypto
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit ecb1f569d7a297dda6ff6ce040d3555a89404fd7
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed Dec 14 14:50:20 2016 +1300
torture: Add credentials downgrade and challenge reuse test to rpc.netlogon
This test confirms that the challenge set up is available
after the ServerAuthenticate has failed at the NT_STATUS_DOWNGRADE_DETECTED
check.
This is needed for NetApp ONTAP member servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/knownfail | 2 +
selftest/target/Samba4.pm | 2 +-
source4/torture/rpc/netlogon.c | 344 ++++++++++++++++++++++++++++++++++++++++
source4/torture/rpc/samba3rpc.c | 2 +-
source4/torture/rpc/schannel.c | 2 +-
5 files changed, 349 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/selftest/knownfail b/selftest/knownfail
index 97ec6ef..0e168ab 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -79,6 +79,8 @@
^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomainsEx
^samba4.rpc.netlogon.*.GetPassword
^samba4.rpc.netlogon.*.DatabaseRedo
+^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs\) #
Broken by allowing NT4 crypto on this environment
+^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs:local\)
# Broken by allowing NT4 crypto on this environment
^samba4.rpc.drsuapi.*ncacn_ip_tcp.*validate # should only work with seal
^samba4.rpc.drsuapi.*ncacn_ip_tcp.*bigendian # should only work with seal
^samba4.rpc.samr.passwords.validate.*ncacn_ip_tcp.*with.validate # should only
work with seal
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index da60c44..9e30475 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -860,7 +860,6 @@ sub provision($$$$$$$$$$)
server max protocol = SMB2
host msdfs = $msdfs
lanman auth = yes
- allow nt4 crypto = yes
# fruit:copyfile is a global option
fruit:copyfile = yes
@@ -1399,6 +1398,7 @@ sub provision_ad_dc_ntvfs($$)
my $extra_conf_options = "netbios aliases = localDC1-a
server services = +winbind -winbindd
ldap server require strong auth = allow_sasl_over_tls
+ allow nt4 crypto = yes
";
my $ret = $self->provision($prefix,
"domain controller",
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index bb793a6..1d24f07 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -359,6 +359,92 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct
torture_context *tctx,
return true;
}
+bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ struct cli_credentials
*machine_credentials)
+{
+ struct netr_ServerReqChallenge r;
+ struct netr_ServerAuthenticate3 a;
+ struct netr_Credential credentials1, credentials2, credentials3;
+ struct netlogon_creds_CredentialState *creds;
+ struct samr_Password mach_password;
+ uint32_t rid;
+ const char *machine_name;
+ const char *plain_pass;
+ struct dcerpc_binding_handle *b = p->binding_handle;
+ uint32_t negotiate_flags = 0;
+
+ machine_name = cli_credentials_get_workstation(machine_credentials);
+ plain_pass = cli_credentials_get_password(machine_credentials);
+
+ torture_comment(tctx, "Testing ServerReqChallenge\n");
+
+ r.in.server_name = NULL;
+ r.in.computer_name = machine_name;
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+ generate_random_buffer(credentials1.data, sizeof(credentials1.data));
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b,
tctx, &r),
+ "ServerReqChallenge failed");
+ torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge
failed");
+
+ E_md4hash(plain_pass, mach_password.hash);
+
+ a.in.server_name = NULL;
+ a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
+ a.in.secure_channel_type =
cli_credentials_get_secure_channel_type(machine_credentials);
+ a.in.computer_name = machine_name;
+ a.in.negotiate_flags = &negotiate_flags;
+ a.in.credentials = &credentials3;
+ a.out.return_credentials = &credentials3;
+ a.out.negotiate_flags = &negotiate_flags;
+ a.out.rid = &rid;
+
+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
+ a.in.computer_name,
+ a.in.secure_channel_type,
+ &credentials1, &credentials2,
+ &mach_password, &credentials3,
+ negotiate_flags);
+
+ torture_assert(tctx, creds != NULL, "memory allocation");
+
+ torture_comment(tctx, "Testing ServerAuthenticate3\n");
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b,
tctx, &a),
+ "ServerAuthenticate3 failed");
+ torture_assert_ntstatus_equal(tctx, a.out.result,
NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed");
+
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
+ a.in.computer_name,
+ a.in.secure_channel_type,
+ &credentials1, &credentials2,
+ &mach_password, &credentials3,
+ negotiate_flags);
+
+ torture_assert(tctx, creds != NULL, "memory allocation");
+
+ torture_comment(tctx, "Testing ServerAuthenticate3\n");
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b,
tctx, &a),
+ "ServerAuthenticate3 failed");
+ torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3
should succeed");
+
+ torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
"Credential chaining failed");
+
+ torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
+
+ /* Prove that requesting a challenge again won't break it */
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b,
tctx, &r),
+ "ServerReqChallenge failed");
+ torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge
failed");
+
+ return true;
+}
+
bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
struct torture_context *tctx,
struct cli_credentials *machine_credentials,
@@ -1220,6 +1306,260 @@ static bool test_ServerReqChallengeGlobal(struct
torture_context *tctx,
return true;
}
+/*
+ * Test the re-use of the challenge is not possible on a third
+ * connection, after first useing it second one.
+ */
+
+static bool test_ServerReqChallengeReuseGlobal(struct torture_context *tctx,
+ struct dcerpc_pipe *p1,
+ struct cli_credentials
*machine_credentials)
+{
+ uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
+ struct netr_ServerReqChallenge r;
+ struct netr_ServerAuthenticate3 a;
+ struct netr_Credential credentials1, credentials2, credentials3;
+ struct netlogon_creds_CredentialState *creds;
+ struct samr_Password mach_password;
+ uint32_t rid;
+ const char *machine_name;
+ const char *plain_pass;
+ struct dcerpc_binding_handle *b1 = p1->binding_handle;
+ struct dcerpc_pipe *p2 = NULL;
+ struct dcerpc_binding_handle *b2 = NULL;
+ struct dcerpc_pipe *p3 = NULL;
+ struct dcerpc_binding_handle *b3 = NULL;
+
+ machine_name = cli_credentials_get_workstation(machine_credentials);
+ plain_pass = cli_credentials_get_password(machine_credentials);
+
+ torture_comment(tctx, "Testing ServerReqChallenge on b1\n");
+
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_pipe_connect_b(tctx, &p2, p1->binding,
+ &ndr_table_netlogon,
+ machine_credentials,
+ tctx->ev, tctx->lp_ctx),
+ "dcerpc_pipe_connect_b failed");
+ b2 = p2->binding_handle;
+
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_pipe_connect_b(tctx, &p3, p1->binding,
+ &ndr_table_netlogon,
+ machine_credentials,
+ tctx->ev, tctx->lp_ctx),
+ "dcerpc_pipe_connect_b failed");
+ b3 = p3->binding_handle;
+
+ r.in.server_name = NULL;
+ r.in.computer_name = machine_name;
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+ generate_random_buffer(credentials1.data, sizeof(credentials1.data));
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1,
tctx, &r),
+ "ServerReqChallenge failed on b1");
+ torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge
failed on b1");
+
+ E_md4hash(plain_pass, mach_password.hash);
+
+ a.in.server_name = NULL;
+ a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
+ a.in.secure_channel_type =
cli_credentials_get_secure_channel_type(machine_credentials);
+ a.in.computer_name = machine_name;
+ a.in.negotiate_flags = &flags;
+ a.in.credentials = &credentials3;
+ a.out.return_credentials = &credentials3;
+ a.out.negotiate_flags = &flags;
+ a.out.rid = &rid;
+
+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
+ a.in.computer_name,
+ a.in.secure_channel_type,
+ &credentials1, &credentials2,
+ &mach_password, &credentials3,
+ flags);
+
+ torture_assert(tctx, creds != NULL, "memory allocation");
+
+ torture_comment(tctx, "Testing ServerAuthenticate3 on b2\n");
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b2,
tctx, &a),
+ "ServerAuthenticate3 failed on b2");
+ torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3
failed on b2");
+ torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
"Credential chaining failed");
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b3,
tctx, &a),
+ "ServerAuthenticate3 failed on b3");
+ torture_assert_ntstatus_equal(tctx, a.out.result,
NT_STATUS_ACCESS_DENIED,
+ "ServerAuthenticate3 should have failed
on b3, due to credential reuse");
+ return true;
+}
+
+/*
+ * Test if use of the per-pipe challenge will wipe out the globally cached
challenge
+ */
+static bool test_ServerReqChallengeReuseGlobal2(struct torture_context *tctx,
+ struct dcerpc_pipe *p1,
+ struct cli_credentials
*machine_credentials)
+{
+ uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
+ struct netr_ServerReqChallenge r;
+ struct netr_ServerAuthenticate3 a;
+ struct netr_Credential credentials1, credentials2, credentials3;
+ struct netlogon_creds_CredentialState *creds;
+ struct samr_Password mach_password;
+ uint32_t rid;
+ const char *machine_name;
+ const char *plain_pass;
+ struct dcerpc_binding_handle *b1 = p1->binding_handle;
+ struct dcerpc_pipe *p2 = NULL;
+ struct dcerpc_binding_handle *b2 = NULL;
+
+ machine_name = cli_credentials_get_workstation(machine_credentials);
+ plain_pass = cli_credentials_get_password(machine_credentials);
+
+ torture_comment(tctx, "Testing ServerReqChallenge on b1\n");
+
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_pipe_connect_b(tctx, &p2, p1->binding,
+ &ndr_table_netlogon,
+ machine_credentials,
+ tctx->ev, tctx->lp_ctx),
+ "dcerpc_pipe_connect_b failed");
+ b2 = p2->binding_handle;
+
+ r.in.server_name = NULL;
+ r.in.computer_name = machine_name;
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+ generate_random_buffer(credentials1.data, sizeof(credentials1.data));
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1,
tctx, &r),
+ "ServerReqChallenge failed on b1");
+ torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge
failed on b1");
+
+ E_md4hash(plain_pass, mach_password.hash);
+
+ a.in.server_name = NULL;
+ a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
+ a.in.secure_channel_type =
cli_credentials_get_secure_channel_type(machine_credentials);
+ a.in.computer_name = machine_name;
+ a.in.negotiate_flags = &flags;
+ a.in.credentials = &credentials3;
+ a.out.return_credentials = &credentials3;
+ a.out.negotiate_flags = &flags;
+ a.out.rid = &rid;
+
+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
+ a.in.computer_name,
+ a.in.secure_channel_type,
+ &credentials1, &credentials2,
+ &mach_password, &credentials3,
+ flags);
+
+ torture_assert(tctx, creds != NULL, "memory allocation");
+
+ torture_comment(tctx, "Testing ServerAuthenticate3 on b2\n");
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b1,
tctx, &a),
+ "ServerAuthenticate3 failed on b");
+ torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3
failed on b");
+ torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
"Credential chaining failed");
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b2,
tctx, &a),
+ "ServerAuthenticate3 failed on b2");
+ torture_assert_ntstatus_equal(tctx, a.out.result,
NT_STATUS_ACCESS_DENIED,
+ "ServerAuthenticate3 should have failed
on b2, due to credential reuse");
+ return true;
+}
+
+static bool test_ServerReqChallengeReuse(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ struct cli_credentials
*machine_credentials)
+{
+ uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
+ struct netr_ServerReqChallenge r;
+ struct netr_ServerAuthenticate3 a;
+ struct netr_Credential credentials1, credentials2, credentials3;
+ struct netlogon_creds_CredentialState *creds;
+ struct samr_Password mach_password;
+ uint32_t rid;
+ const char *machine_name;
+ const char *plain_pass;
+ struct dcerpc_binding_handle *b = p->binding_handle;
+
+ machine_name = cli_credentials_get_workstation(machine_credentials);
+ plain_pass = cli_credentials_get_password(machine_credentials);
+
+ torture_comment(tctx, "Testing ServerReqChallenge on b1\n");
+
+ r.in.server_name = NULL;
+ r.in.computer_name = machine_name;
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+ generate_random_buffer(credentials1.data, sizeof(credentials1.data));
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b,
tctx, &r),
+ "ServerReqChallenge");
+ torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge
failed on b1");
+
+ E_md4hash(plain_pass, mach_password.hash);
+
+ a.in.server_name = NULL;
+ a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
+ a.in.secure_channel_type =
cli_credentials_get_secure_channel_type(machine_credentials);
+ a.in.computer_name = machine_name;
+ a.in.negotiate_flags = &flags;
+ a.in.credentials = &credentials3;
+ a.out.return_credentials = &credentials3;
+ a.out.negotiate_flags = &flags;
+ a.out.rid = &rid;
+
+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
+ a.in.computer_name,
+ a.in.secure_channel_type,
+ &credentials1, &credentials2,
+ &mach_password, &credentials3,
+ flags);
+
+ torture_assert(tctx, creds != NULL, "memory allocation");
+
+ torture_comment(tctx, "Testing ServerAuthenticate3\n");
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b,
tctx, &a),
+ "ServerAuthenticate3 failed");
+ torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3
failed");
+ torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
"Credential chaining failed");
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b,
tctx, &a),
+ "ServerAuthenticate3 failed");
+ torture_assert_ntstatus_equal(tctx, a.out.result,
NT_STATUS_ACCESS_DENIED,
+ "ServerAuthenticate3 should have failed
on b3, due to credential reuse");
+
+ ZERO_STRUCT(credentials1.data);
+ ZERO_STRUCT(credentials2.data);
+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
+ a.in.computer_name,
+ a.in.secure_channel_type,
+ &credentials1, &credentials2,
+ &mach_password, &credentials3,
+ flags);
+
+ torture_assert(tctx, creds != NULL, "memory allocation");
+
+ torture_comment(tctx, "Testing ServerAuthenticate3 with zero'ed
challenge\n");
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b,
tctx, &a),
+ "ServerAuthenticate3 failed");
+ torture_assert_ntstatus_equal(tctx, a.out.result,
NT_STATUS_ACCESS_DENIED,
+ "ServerAuthenticate3 should have failed
on b3, due to credential reuse");
+ return true;
+}
+
static bool test_SamLogon_NULL_domain(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct cli_credentials *credentials)
@@ -4205,6 +4545,9 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX
*mem_ctx)
torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
torture_rpc_tcase_add_test_creds(tcase, "invalidAuthenticate2",
test_invalidAuthenticate2);
torture_rpc_tcase_add_test_creds(tcase, "ServerReqChallengeGlobal",
test_ServerReqChallengeGlobal);
+ torture_rpc_tcase_add_test_creds(tcase,
"ServerReqChallengeReuseGlobal", test_ServerReqChallengeReuseGlobal);
+ torture_rpc_tcase_add_test_creds(tcase,
"ServerReqChallengeReuseGlobal2", test_ServerReqChallengeReuseGlobal2);
+ torture_rpc_tcase_add_test_creds(tcase, "ServerReqChallengeReuse",
test_ServerReqChallengeReuse);
torture_rpc_tcase_add_test_creds(tcase, "SetPassword",
test_SetPassword);
torture_rpc_tcase_add_test_creds(tcase, "SetPassword2",
test_SetPassword2);
torture_rpc_tcase_add_test_creds(tcase, "SetPassword2_AES",
test_SetPassword2_AES);
@@ -4236,6 +4579,7 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX
*mem_ctx)
torture_rpc_tcase_add_test_creds(tcase, "GetForestTrustInformation",
test_netr_GetForestTrustInformation);
torture_rpc_tcase_add_test(tcase, "lsa_over_netlogon",
test_lsa_over_netlogon);
+ torture_rpc_tcase_add_test_creds(tcase, "SetupCredentialsDowngrade",
test_SetupCredentialsDowngrade);
return suite;
}
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index 9da6b54..1bcbdf3 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -1070,7 +1070,7 @@ static bool auth2(struct torture_context *tctx,
goto done;
}
- negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
a.in.server_name = talloc_asprintf(
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index da81c52..08c1b09 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -709,7 +709,7 @@ bool torture_rpc_schannel2(struct torture_context *torture)
struct dcerpc_binding *b;
struct dcerpc_pipe *p1 = NULL, *p2 = NULL;
struct cli_credentials *credentials1, *credentials2;
- uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SIGN;
+ uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO |
DCERPC_SIGN;
join_ctx = torture_join_domain(torture, talloc_asprintf(torture, "%s2",
TEST_MACHINE_NAME),
ACB_WSTRUST, &credentials1);
--
Samba Shared Repository
