s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function

This create a schannel connection to netlogon, this makes the tests
more realistic.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

5 files changed, 132 insertions, 33 deletions

diff --git a/source4/torture/rpc/forest_trust.c b/source4/torture/rpc/forest_trust.c
index 214b690c7f2..787a05c1d92 100644
--- a/source4/torture/rpc/forest_trust.c
+++ b/source4/torture/rpc/forest_trust.c
@@ -517,7 +517,8 @@ static bool test_validate_trust(struct torture_context *tctx,
 	NTSTATUS status;
 	struct cli_credentials *credentials;
 	struct dcerpc_binding *b;
-	struct dcerpc_pipe *p;
+	struct dcerpc_pipe *p1 = NULL;
+	struct dcerpc_pipe *p = NULL;
 
 	struct netr_GetForestTrustInformation fr;
 	struct lsa_ForestTrustInformation *forest_trust_info;
@@ -548,7 +549,7 @@ static bool test_validate_trust(struct torture_context *tctx,
 					trusted_dom_name, CRED_SPECIFIED);
 	cli_credentials_set_secure_channel_type(credentials, SEC_CHAN_DOMAIN);
 
-	status = dcerpc_pipe_connect_b(tctx, &p, b,
+	status = dcerpc_pipe_connect_b(tctx, &p1, b,
 				       &ndr_table_netlogon, credentials,
 				       tctx->ev, tctx->lp_ctx);
 
@@ -560,11 +561,16 @@ static bool test_validate_trust(struct torture_context *tctx,
 		return false;
 	}
 
-	if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
+	if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
 				    credentials, &creds)) {
 		torture_comment(tctx, "test_SetupCredentials3 failed.\n");
 		return false;
 	}
+	if (!test_SetupCredentialsPipe(p1, tctx, credentials, creds,
+				       DCERPC_SIGN | DCERPC_SEAL, &p)) {
+		torture_comment(tctx, "test_SetupCredentialsPipe failed.\n");
+		return false;
+	}
 
 	netlogon_creds_client_authenticator(creds, &a);
 
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 432d9ef5732..fa884fb17ee 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -4138,7 +4138,8 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
 	struct netr_Authenticator req_auth;
 	struct netr_Authenticator rep_auth;
 	struct netr_ServerPasswordSet2 s;
-	struct dcerpc_pipe *p2;
+	struct dcerpc_pipe *p1 = NULL;
+	struct dcerpc_pipe *p2 = NULL;
 	NTSTATUS status;
 	bool ok;
 	int rc;
@@ -4238,18 +4239,25 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
 	status = dcerpc_parse_binding(tctx, binding, &b2);
 	torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
 
-	status = dcerpc_pipe_connect_b(tctx, &p2, b2,
+	status = dcerpc_pipe_connect_b(tctx, &p1, b2,
 				       &ndr_table_netlogon,
 				       cli_credentials_init_anon(tctx),
 				       tctx->ev, tctx->lp_ctx);
 	torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
 
-	ok = check_pw_with_ServerAuthenticate3(p2, tctx,
+	ok = check_pw_with_ServerAuthenticate3(p1, tctx,
 					       NETLOGON_NEG_AUTH2_ADS_FLAGS,
 					       server_name,
 					       incoming_creds, &creds);
 	torture_assert_int_equal(tctx, ok, expected_result,
 				 "check_pw_with_ServerAuthenticate3");
+	if (expected_result == true) {
+		ok = test_SetupCredentialsPipe(p1, tctx, incoming_creds, creds,
+					       DCERPC_SIGN | DCERPC_SEAL, &p2);
+		torture_assert_int_equal(tctx, ok, true,
+					 "test_SetupCredentialsPipe");
+	}
+	TALLOC_FREE(p1);
 
 	if (trusted->trust_type != LSA_TRUST_TYPE_DOWNLEVEL) {
 #ifdef SAMBA4_USES_HEIMDAL
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 9f8e8f1e4fa..a9e64cf2fe2 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -359,6 +359,35 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
 	return true;
 }
 
+bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
+			       struct torture_context *tctx,
+			       struct cli_credentials *machine_credentials,
+			       struct netlogon_creds_CredentialState *creds,
+			       uint32_t additional_flags,
+			       struct dcerpc_pipe **_p2)
+{
+	NTSTATUS status;
+	struct dcerpc_binding *b2 = NULL;
+	struct dcerpc_pipe *p2 = NULL;
+
+	b2 = dcerpc_binding_dup(tctx, p1->binding);
+	torture_assert(tctx, b2 != NULL, "dcerpc_binding_dup");
+	dcerpc_binding_set_flags(b2,
+				 DCERPC_SCHANNEL | additional_flags,
+				 DCERPC_AUTH_OPTIONS);
+
+	cli_credentials_set_netlogon_creds(machine_credentials, creds);
+	status = dcerpc_pipe_connect_b(tctx, &p2, b2,
+				       &ndr_table_netlogon,
+				       machine_credentials,
+				       tctx->ev, tctx->lp_ctx);
+	cli_credentials_set_netlogon_creds(machine_credentials, NULL);
+	torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b schannel");
+
+	*_p2 = p2;
+	return true;
+}
+
 /*
   try a change password for our machine account
 */
@@ -436,7 +465,7 @@ static bool test_SetPassword(struct torture_context *tctx,
   try a change password for our machine account
 */
 static bool test_SetPassword_flags(struct torture_context *tctx,
-				   struct dcerpc_pipe *p,
+				   struct dcerpc_pipe *p1,
 				   struct cli_credentials *machine_credentials,
 				   uint32_t negotiate_flags)
 {
@@ -445,14 +474,20 @@ static bool test_SetPassword_flags(struct torture_context *tctx,
 	struct netlogon_creds_CredentialState *creds;
 	struct netr_Authenticator credential, return_authenticator;
 	struct samr_Password new_password;
-	struct dcerpc_binding_handle *b = p->binding_handle;
+	struct dcerpc_pipe *p = NULL;
+	struct dcerpc_binding_handle *b = NULL;
 
-	if (!test_SetupCredentials2(p, tctx, negotiate_flags,
+	if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
 				    machine_credentials,
 				    cli_credentials_get_secure_channel_type(machine_credentials),
 				    &creds)) {
 		return false;
 	}
+	if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
+				       DCERPC_SIGN | DCERPC_SEAL, &p)) {
+		return false;
+	}
+	b = p->binding_handle;
 
 	r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
 	r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
@@ -532,7 +567,7 @@ static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
   try a change password for our machine account
 */
 static bool test_SetPassword2_with_flags(struct torture_context *tctx,
-					 struct dcerpc_pipe *p,
+					 struct dcerpc_pipe *p1,
 					 struct cli_credentials *machine_credentials,
 					 uint32_t flags)
 {
@@ -544,11 +579,19 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
 	struct samr_Password nt_hash;
 	struct netr_Authenticator credential, return_authenticator;
 	struct netr_CryptPassword new_password;
-	struct dcerpc_binding_handle *b = p->binding_handle;
+	struct dcerpc_pipe *p = NULL;
+	struct dcerpc_binding_handle *b = NULL;
 
-	if (!test_SetupCredentials2(p, tctx, flags, machine_credentials, cli_credentials_get_secure_channel_type(machine_credentials), &creds)) {
+	if (!test_SetupCredentials2(p1, tctx, flags, machine_credentials,
+				    cli_credentials_get_secure_channel_type(machine_credentials),
+				    &creds)) {
 		return false;
 	}
+	if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
+				       DCERPC_SIGN | DCERPC_SEAL, &p)) {
+		return false;
+	}
+	b = p->binding_handle;
 
 	r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
 	r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
@@ -2507,7 +2550,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx,
 }
 
 static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
-						struct dcerpc_pipe *p,
+						struct dcerpc_pipe *p1,
 						struct cli_credentials *machine_credentials)
 {
 	struct netr_GetForestTrustInformation r;
@@ -2515,12 +2558,18 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
 	struct netr_Authenticator a;
 	struct netr_Authenticator return_authenticator;
 	struct lsa_ForestTrustInformation *forest_trust_info;
-	struct dcerpc_binding_handle *b = p->binding_handle;
+	struct dcerpc_pipe *p = NULL;
+	struct dcerpc_binding_handle *b = NULL;
 
-	if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+	if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
 				    machine_credentials, &creds)) {
 		return false;
 	}
+	if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
+				       DCERPC_SIGN | DCERPC_SEAL, &p)) {
+		return false;
+	}
+	b = p->binding_handle;
 
 	netlogon_creds_client_authenticator(creds, &a);
 
@@ -3343,7 +3392,7 @@ static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
 }
 
 static bool test_netr_ServerGetTrustInfo_flags(struct torture_context *tctx,
-					       struct dcerpc_pipe *p,
+					       struct dcerpc_pipe *p1,
 					       struct cli_credentials *machine_credentials,
 					       uint32_t negotiate_flags)
 {
@@ -3356,14 +3405,20 @@ static bool test_netr_ServerGetTrustInfo_flags(struct torture_context *tctx,
 	struct netr_TrustInfo *trust_info;
 
 	struct netlogon_creds_CredentialState *creds;
-	struct dcerpc_binding_handle *b = p->binding_handle;
+	struct dcerpc_pipe *p = NULL;
+	struct dcerpc_binding_handle *b = NULL;
 
 	struct samr_Password nt_hash;
 
-	if (!test_SetupCredentials3(p, tctx, negotiate_flags,
+	if (!test_SetupCredentials3(p1, tctx, negotiate_flags,
 				    machine_credentials, &creds)) {
 		return false;
 	}
+	if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
+				       DCERPC_SIGN | DCERPC_SEAL, &p)) {
+		return false;
+	}
+	b = p->binding_handle;
 
 	netlogon_creds_client_authenticator(creds, &a);
 
@@ -3413,7 +3468,7 @@ static bool test_netr_ServerGetTrustInfo_AES(struct torture_context *tctx,
 }
 
 static bool test_GetDomainInfo(struct torture_context *tctx,
-			       struct dcerpc_pipe *p,
+			       struct dcerpc_pipe *p1,
 			       struct cli_credentials *machine_credentials)
 {
 	struct netr_LogonGetDomainInfo r;
@@ -3436,14 +3491,20 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
 	char **spns = NULL;
 	int num_spns = 0;
 	char *temp_str;
-	struct dcerpc_binding_handle *b = p->binding_handle;
+	struct dcerpc_pipe *p = NULL;
+	struct dcerpc_binding_handle *b = NULL;
 
 	torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
 
-	if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+	if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
 				    machine_credentials, &creds)) {
 		return false;
 	}
+	if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
+				       DCERPC_SIGN | DCERPC_SEAL, &p)) {
+		return false;
+	}
+	b = p->binding_handle;
 
 	/* We won't double-check this when we are over 'local' transports */
 	if (dcerpc_server_name(p)) {
@@ -3868,7 +3929,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
 }
 
 static bool test_GetDomainInfo_async(struct torture_context *tctx,
-				     struct dcerpc_pipe *p,
+				     struct dcerpc_pipe *p1,
 				     struct cli_credentials *machine_credentials)
 {
 	NTSTATUS status;
@@ -3882,6 +3943,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
 	int i;
 	union netr_WorkstationInfo query;
 	union netr_DomainInfo info;
+	struct dcerpc_pipe *p = NULL;
 
 	torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
 
@@ -3889,6 +3951,10 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
 				    machine_credentials, &creds)) {
 		return false;
 	}
+	if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
+				       DCERPC_SIGN | DCERPC_SEAL, &p)) {
+		return false;
+	}
 
 	ZERO_STRUCT(r);
 	r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
diff --git a/source4/torture/rpc/netlogon.h b/source4/torture/rpc/netlogon.h
index f2f2a6f9c95..a4ab8f00ce0 100644
--- a/source4/torture/rpc/netlogon.h
+++ b/source4/torture/rpc/netlogon.h
@@ -28,3 +28,10 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
 			    uint32_t negotiate_flags,
 			    struct cli_credentials *machine_credentials,
 			    struct netlogon_creds_CredentialState **creds_out);
+
+bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
+			       struct torture_context *tctx,
+			       struct cli_credentials *machine_credentials,
+			       struct netlogon_creds_CredentialState *creds,
+			       uint32_t additional_flags,
+			       struct dcerpc_pipe **_p2);
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 196d9f8f575..dd44796f0d1 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -118,7 +118,7 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
 /* Also happens to be a really good one-step verfication of our Kerberos stack */
 
 static bool test_PACVerify(struct torture_context *tctx,
-			   struct dcerpc_pipe *p,
+			   struct dcerpc_pipe *p1,
 			   struct cli_credentials *credentials,
 			   enum netr_SchannelType secure_channel_type,
 			   const char *test_machine_name,
@@ -151,7 +151,8 @@ static bool test_PACVerify(struct torture_context *tctx,
 	struct auth_session_info *session_info;
 	struct pac_data *pac_data;
 
-	struct dcerpc_binding_handle *b = p->binding_handle;
+	struct dcerpc_pipe *p = NULL;
+	struct dcerpc_binding_handle *b = NULL;
 	TALLOC_CTX *tmp_ctx = talloc_new(tctx);
 	torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
 
@@ -175,11 +176,16 @@ static bool test_PACVerify(struct torture_context *tctx,
 						    credentials);
 	torture_assert(tctx, server_creds, "Failed to copy of credentials");
 
-	if (!test_SetupCredentials2(p, tctx, negotiate_flags,
+	if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
 				    server_creds, secure_channel_type,
 				    &creds)) {
 		return false;
 	}
+	if (!test_SetupCredentialsPipe(p1, tctx, server_creds, creds,
+				       DCERPC_SIGN | DCERPC_SEAL, &p)) {
+		return false;
+	}
+	b = p->binding_handle;
 
 	auth_context = talloc_zero(tmp_ctx, struct auth4_context);
 	torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
@@ -525,14 +531,15 @@ static bool test_PACVerify_workstation_des(struct torture_context *tctx,
 
 /* Check various ways to get the PAC, in particular check the group membership and other details between the PAC from a normal kinit, S2U4Self and a SamLogon */
 static bool test_S2U4Self(struct torture_context *tctx,
-			  struct dcerpc_pipe *p,
+			  struct dcerpc_pipe *p1,
 			  struct cli_credentials *credentials,
 			  enum netr_SchannelType secure_channel_type,
 			  const char *test_machine_name,
 			  uint32_t negotiate_flags)
 {
 	NTSTATUS status;
-	struct dcerpc_binding_handle *b = p->binding_handle;
+	struct dcerpc_pipe *p = NULL;
+	struct dcerpc_binding_handle *b = NULL;
 
 	struct netr_LogonSamLogon r;
 
@@ -584,6 +591,17 @@ static bool test_S2U4Self(struct torture_context *tctx,
 						    credentials);
 	torture_assert(tctx, server_creds, "Failed to copy of credentials");
 
+	if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
+				    server_creds, secure_channel_type,
+				    &creds)) {
+		return false;
+	}
+	if (!test_SetupCredentialsPipe(p1, tctx, server_creds, creds,
+				       DCERPC_SIGN | DCERPC_SEAL, &p)) {
+		return false;
+	}
+	b = p->binding_handle;
+
 	auth_context = talloc_zero(tmp_ctx, struct auth4_context);
 	torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
 
@@ -744,12 +762,6 @@ static bool test_S2U4Self(struct torture_context *tctx,
 	r.out.validation = &validation;
 	r.out.authoritative = &authoritative;
 
-	if (!test_SetupCredentials2(p, tctx, negotiate_flags,
-				    server_creds, secure_channel_type,
-				    &creds)) {
-		return false;
-	}
-
 	ZERO_STRUCT(auth2);
 	netlogon_creds_client_authenticator(creds, &auth);