public void SamrValidatePassword_Reset_Success()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
ConnectAndOpenDomain(
GetPdcDnsName(),
_samrProtocolAdapter.PrimaryDomainDnsName,
out _serverHandle,
out _domainHandle);
_SAM_VALIDATE_INPUT_ARG inputArg = new _SAM_VALIDATE_INPUT_ARG();
inputArg.ValidatePasswordResetInput = new _SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG();
DateTime lockOutTime = DateTime.Now - TimeSpan.FromDays(5);
DateTime lastSetTime = DateTime.Now - TimeSpan.FromDays(6);
_FILETIME lockout = DtypUtility.ToFileTime(lockOutTime);
_FILETIME lastset = DtypUtility.ToFileTime(lastSetTime);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Create InputArg for SamValidatePasswordReset, LockoutTime:{0}, PasswordLastSet:{1}, PasswordMustChangeAtNextLogon: {2}, PasswordHistoryLength: {3}.",
lockOutTime.ToString(),
lastSetTime.ToString(),
1,
0));
inputArg.ValidatePasswordResetInput.InputPersistedFields.LockoutTime.QuadPart = (((long)lockout.dwHighDateTime) << 32) | lockout.dwLowDateTime;
inputArg.ValidatePasswordResetInput.InputPersistedFields.PasswordLastSet.QuadPart = (((long)lastset.dwHighDateTime) << 32) | lastset.dwLowDateTime;
inputArg.ValidatePasswordResetInput.ClearPassword = DtypUtility.ToRpcUnicodeString("drowssaP02!");
inputArg.ValidatePasswordResetInput.InputPersistedFields.BadPasswordCount = 1;
inputArg.ValidatePasswordResetInput.PasswordMustChangeAtNextLogon = 1;
inputArg.ValidatePasswordResetInput.InputPersistedFields.PasswordHistoryLength = 0;
inputArg.ValidatePasswordResetInput.ClearLockout = 1;
inputArg.ValidatePasswordResetInput.InputPersistedFields.PasswordHistory = new _SAM_VALIDATE_PASSWORD_HASH[] { };
inputArg.ValidatePasswordResetInput.HashedPassword = new _SAM_VALIDATE_PASSWORD_HASH()
{
Hash = new byte[] { 0xDE, 0xAD, 0xBE, 0xEF },
Length = 4
};
BaseTestSite.Log.Add(LogEntryKind.TestStep, string.Format("Invoke SamrValidatePassword."));
_SAM_VALIDATE_OUTPUT_ARG?outputArg;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrValidatePassword(
_domainHandle,
_PASSWORD_POLICY_VALIDATION_TYPE.SamValidatePasswordReset,
inputArg,
out outputArg
);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrValidatePassword returns success.");
PtfAssert.AreEqual(_SAM_VALIDATE_VALIDATION_STATUS.SamValidateSuccess, outputArg.Value.ValidatePasswordResetOutput.ValidationStatus,
"[MS-SAMR]3.1.5.13.7.3 ValidationStatus MUST be set to SamValidateSuccess.");
PtfAssert.AreEqual(0, outputArg.Value.ValidatePasswordResetOutput.ChangedPersistedFields.PasswordLastSet.QuadPart,
"[MS-SAMR]3.1.5.13.7.3 If PasswordMustChangeAtNextLogon is nonzero, PasswordLastSet MUST be set to 0.");
PtfAssert.AreEqual(0, outputArg.Value.ValidatePasswordResetOutput.ChangedPersistedFields.LockoutTime.QuadPart,
"[MS-SAMR]3.1.5.13.7.3 LockoutTime MUST be set to 0.");
PtfAssert.AreEqual(0u, outputArg.Value.ValidatePasswordResetOutput.ChangedPersistedFields.BadPasswordCount,
"[MS-SAMR]3.1.5.13.7.3 If ValidatePasswordResetInput.InputPersistedFields.BadPasswordCount is nonzero, BadPasswordCount MUST be set to 0.");
}
public void SamrEnumerateDomainsInSamServer_SUCCESS_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: SAM_SERVER_ENUMERATE_DOMAINS.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)SERVER_ACCESS_MASK.SAM_SERVER_ENUMERATE_DOMAINS,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
uint?enumerationContext = 0;
uint countReturned;
_SAMPR_ENUMERATION_BUFFER?enumerationBuffer;
Site.Log.Add(LogEntryKind.TestStep, "SamrEnumerateDomainsInSamServer, PreferedMaximumLength: 1024.");
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrEnumerateDomainsInSamServer(
_serverHandle,
ref enumerationContext,
out enumerationBuffer,
1024,
out countReturned);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrEnumerateDomainsInSamServer must return STATUS_SUCCESS.");
PtfAssert.AreNotEqual <uint>(0, countReturned, "The CountReturned is not zero.");
PtfAssert.IsNotNull(enumerationBuffer, "EnumerationBuffer is not null.");
PtfAssert.AreEqual <uint>(countReturned, enumerationBuffer.Value.EntriesRead, "Verify the EntriesRead property.");
bool builtInDomainFound = false;
foreach (var entry in enumerationBuffer.Value.Buffer)
{
string name = DtypUtility.ToString(entry.Name);
if (string.Compare(name, "BUILTIN", true) == 0)
{
builtInDomainFound = true;
}
PtfAssert.AreEqual <uint>(0, entry.RelativeId, "[MS-SAMR]3.1.5.2.1 Buffer.Buffer.RelativeId is 0.");
}
PtfAssert.IsTrue(builtInDomainFound,
"Client obtains a listing, without duplicates, of the name attribute of the built-in domain object.");
}
public void SamrValidatePassword_Auth_Success()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
ConnectAndOpenDomain(
GetPdcDnsName(),
_samrProtocolAdapter.PrimaryDomainDnsName,
out _serverHandle,
out _domainHandle);
_SAM_VALIDATE_INPUT_ARG inputArg = new _SAM_VALIDATE_INPUT_ARG();
inputArg.ValidateAuthenticationInput = new _SAM_VALIDATE_AUTHENTICATION_INPUT_ARG();
DateTime lockOutTime = DateTime.Now - TimeSpan.FromDays(5);
DateTime lastSetTime = DateTime.Now - TimeSpan.FromDays(6);
_FILETIME lockout = DtypUtility.ToFileTime(lockOutTime);
_FILETIME lastset = DtypUtility.ToFileTime(lastSetTime);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Create InputArg for SamrValidatePassword, LockoutTime:{0}, PasswordLastSet:{1}, PasswordMatched:{2}, BadPasswordCount: {3}, PasswordHistoryLength: {4}.",
lockOutTime.ToString(),
lastSetTime.ToString(),
1,
1,
0));
inputArg.ValidateAuthenticationInput.InputPersistedFields.LockoutTime.QuadPart = (((long)lockout.dwHighDateTime) << 32) | lockout.dwLowDateTime;
inputArg.ValidateAuthenticationInput.InputPersistedFields.PasswordLastSet.QuadPart = (((long)lastset.dwHighDateTime) << 32) | lastset.dwLowDateTime;
inputArg.ValidateAuthenticationInput.PasswordMatched = 1;
inputArg.ValidateAuthenticationInput.InputPersistedFields.BadPasswordCount = 1;
inputArg.ValidateAuthenticationInput.InputPersistedFields.PasswordHistoryLength = 0;
inputArg.ValidateAuthenticationInput.InputPersistedFields.PasswordHistory = new _SAM_VALIDATE_PASSWORD_HASH[] { };
BaseTestSite.Log.Add(LogEntryKind.TestStep, string.Format("Invoke SamrValidatePassword."));
_SAM_VALIDATE_OUTPUT_ARG?outputArg;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrValidatePassword(
_domainHandle,
_PASSWORD_POLICY_VALIDATION_TYPE.SamValidateAuthentication,
inputArg,
out outputArg
);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrGetUserDomainPasswordInformation returns success.");
PtfAssert.AreEqual(0, outputArg.Value.ValidateAuthenticationOutput.ChangedPersistedFields.LockoutTime.QuadPart,
"[MS-SAMR] 3.1.5.13.7.1 LockoutTime MUST be set to 0 (and continue processing).");
PtfAssert.AreEqual(_SAM_VALIDATE_VALIDATION_STATUS.SamValidateSuccess, outputArg.Value.ValidateAuthenticationOutput.ValidationStatus,
"[MS-SAMR] 3.1.5.13.7.1 ValidationStatus MUST be set to SamValidateSuccess.");
PtfAssert.AreEqual(0u, outputArg.Value.ValidateAuthenticationOutput.ChangedPersistedFields.BadPasswordCount,
"[MS-SAMR] 3.1.5.13.7.1 If BadPasswordCount is nonzero, BadPasswordCount MUST be set to 0.");
}
public void SamrQuerySecurityObject_Server_Group_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)COMMON_ACCESS_MASK.READ_CONTROL,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
"SamrQuerySecurityObject, SecurityInformation: GROUP_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
_serverHandle,
SamrQuerySecurityObject_SecurityInformation_Values.GROUP_SECURITY_INFORMATION,
out securityDescriptor);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
PtfAssert.IsNotNull(sd.GroupSid,
"[MS-SAMR] 3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned.");
PtfAssert.IsNull(sd.OwnerSid,
"[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Sacl,
"[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Dacl,
"[MS-SAMR] 3.1.5.12.2 The field(DACL) of the security descriptor is not returned and is set to zero.");
PtfAssert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid),
"[MS-SAMR] 3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
public void SamrConnect2_SUCCESS_NonDC()
{
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect, Server:{0}, DesiredAccess: SAM_SERVER_READ.",
_samrProtocolAdapter.domainMemberFqdn));
HRESULT methodStatus = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrConnect2(
_samrProtocolAdapter.domainMemberFqdn,
out _serverHandle,
(uint)SERVER_ACCESS_MASK.SAM_SERVER_READ);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, methodStatus, "SamrConnect2 returns STATUS_SUCCESS");
PtfAssert.AreNotEqual(IntPtr.Zero, _serverHandle, "SamrConnect2 returns a non-NULL handle.");
}
public void SamrConnect4_SUCCESS()
{
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.pdcNetBIOSName,
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.pdcNetBIOSName,
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword,
false,
true);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect4, Server:{0}, DesiredAccess: SAM_SERVER_READ.",
_samrProtocolAdapter.pdcNetBIOSName));
HRESULT methodStatus = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrConnect4(
_samrProtocolAdapter.pdcNetBIOSName,
out _serverHandle,
0x02u,
(uint)SERVER_ACCESS_MASK.SAM_SERVER_READ);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, methodStatus, "SamrConnect4 returns STATUS_SUCCESS");
PtfAssert.AreNotEqual(IntPtr.Zero, _serverHandle, "SamrConnect4 returns a non-NULL handle.");
}
public void SamrQuerySecurityObject_Server_SACL()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.pdcNetBIOSName,
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.pdcNetBIOSName,
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword,
false,
true);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: ACCESS_SYSTEM_SECURITY.", _samrProtocolAdapter.PDCNetbiosName));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.PDCNetbiosName,
(uint)COMMON_ACCESS_MASK.ACCESS_SYSTEM_SECURITY,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
"SamrQuerySecurityObject, SecurityInformation: SACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
_serverHandle,
SamrQuerySecurityObject_SecurityInformation_Values.SACL_SECURITY_INFORMATION,
out securityDescriptor);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
PtfAssert.IsNotNull(sd.Sacl,
"[MS-SAMR] 3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the Sacl be returned.");
PtfAssert.IsNull(sd.OwnerSid,
"[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.GroupSid,
"[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Dacl,
"[MS-SAMR] 3.1.5.12.2 The field(DACL) of the security descriptor is not returned and is set to zero.");
}
public void SamrConnect5_SUCCESS()
{
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind: Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.pdcNetBIOSName,
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.pdcNetBIOSName,
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword,
false,
true);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5: Server:{0}, DesiredAccess: SAM_SERVER_READ.",
_samrProtocolAdapter.pdcNetBIOSName));
SAMPR_REVISION_INFO[] inRevisionInfo = new SAMPR_REVISION_INFO[1];
inRevisionInfo[0] = new SAMPR_REVISION_INFO();
inRevisionInfo[0].V1.Revision = _SAMPR_REVISION_INFO_V1_Revision_Values.V3;
inRevisionInfo[0].V1.SupportedFeatures = SupportedFeatures_Values.V1;
uint outVersion;
SAMPR_REVISION_INFO outRevisionInfo;
HRESULT methodStatus = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrConnect5(
_samrProtocolAdapter.pdcNetBIOSName,
(uint)SERVER_ACCESS_MASK.SAM_SERVER_READ,
0x01u,
inRevisionInfo[0],
out outVersion,
out outRevisionInfo,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, methodStatus, "[MS-SAMR] 3.1.5.1.1 Otherwise, the server MUST return STATUS_SUCCESS.");
PtfAssert.AreEqual(1u, outVersion,
"[MS-SAMR] 3.1.5.1.1 The server MUST set OutVersion to 1 and OutRevisionInfo.Revision to 3.");
PtfAssert.AreEqual(3u, (uint)outRevisionInfo.V1.Revision,
"[MS-SAMR] 3.1.5.1.1 The server MUST set OutVersion to 1 and OutRevisionInfo.Revision to 3.");
PtfAssert.AreEqual(0u, (uint)outRevisionInfo.V1.SupportedFeatures, "[MS-SAMR] 3.1.5.1.1 The remaining fields of OutRevisionInfo MUST be set to zero.");
PtfAssert.AreNotEqual(IntPtr.Zero, _serverHandle, "SamrConnect5 returns a non-NULL handle.");
}
public void SamrSetSecurityObject_Server_Owner_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: WRITE_OWNER.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)Common_ACCESS_MASK.WRITE_OWNER,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
CommonSecurityDescriptor commonsd = new CommonSecurityDescriptor(false, true, "O:BAG:BA");
byte[] buffer = new byte[commonsd.BinaryLength];
commonsd.GetBinaryForm(buffer, 0);
_SAMPR_SR_SECURITY_DESCRIPTOR sd = new _SAMPR_SR_SECURITY_DESCRIPTOR()
{
SecurityDescriptor = buffer,
Length = (uint)buffer.Length
};
Site.Log.Add(LogEntryKind.TestStep,
"SamrSetSecurityObject, SecurityInformation: OWNER_SECURITY_INFORMATION.");
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrSetSecurityObject(
_serverHandle,
SecurityInformation_Values.OWNER_SECURITY_INFORMATION,
sd
);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrSetSecurityObject must return STATUS_SUCCESS.");
}
public void SamrLookupDomainInSamServer_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: SAM_SERVER_LOOKUP_DOMAIN.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)SERVER_ACCESS_MASK.SAM_SERVER_LOOKUP_DOMAIN,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrLookupDomainInSamServer, Name: {0}.", _samrProtocolAdapter.domainMemberNetBIOSName));
_RPC_SID?domainID;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrLookupDomainInSamServer(
_serverHandle,
DtypUtility.ToRpcUnicodeString("Builtin"),
out domainID);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrLookupDomainInSamServer must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(domainID, "DomainId is not null.");
string domainSid = DtypUtility.ToSddlString(domainID.Value);
PtfAssert.AreEqual(
"S-1-5-32",
domainSid,
"The objectSid of the builtin domain must be returend.");
}
public void SamrGetDomainPasswordInformation_SUCCESS()
{
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep, "Initialize: Create Samr Bind to the server.");
_samrProtocolAdapter.SamrBind(
GetPdcDnsName(),
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword,
false,
true);
_USER_DOMAIN_PASSWORD_INFORMATION passwordInformation;
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Invoke SamrGetUserDomainPasswordInformation."));
HRESULT hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrGetDomainPasswordInformation(
SAMRProtocolAdapter.RpcAdapter.Handle,
DtypUtility.ToRpcUnicodeString(""),
out passwordInformation);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrGetUserDomainPasswordInformation returns success.");
var attributes = Microsoft.Protocols.TestSuites.ActiveDirectory.Common.Utilities.GetAttributesFromEntry(
_samrProtocolAdapter.primaryDomainDN,
new string[] { "minPwdLength", "pwdProperties" },
GetPdcDnsName(),
_samrProtocolAdapter.ADDSPortNum);
PtfAssert.AreEqual(
(int)attributes["minPwdLength"],
passwordInformation.MinPasswordLength,
"[MS-SAMR] 3.1.5.13.3 The output parameter PasswordInformation.MinPasswordLength MUST be set to the minPwdLength attribute value on the account domain object.");
PtfAssert.AreEqual(
(uint)(int)attributes["pwdProperties"],
passwordInformation.PasswordProperties,
"[MS-SAMR] 3.1.5.13.3 The output parameter PasswordInformation.PasswordProperties MUST be set to the pwdProperties attribute value on the account domain object.");
}
public void SamrChangePasswordUser_SUCCESS()
{
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
string oldPassword = "******";
string newPassword = "******";
CreateTempUser createTempUser = new CreateTempUser(
_samrProtocolAdapter,
testUserName,
oldPassword,
AdtsUserAccountControl.ADS_UF_NORMAL_ACCOUNT);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Create test user, username:{0} password:{1}.", testUserName, oldPassword));
Common.UpdatesStorage.GetInstance().PushUpdate(createTempUser);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Set user must change password to user:{0}.", testUserName));
Common.Utilities.UserMustChangePassword(
_samrProtocolAdapter.pdcFqdn,
_samrProtocolAdapter.ADDSPortNum,
_samrProtocolAdapter.primaryDomainUserContainerDN,
testUserName);
ConnectAndOpenUser(
GetPdcDnsName(),
_samrProtocolAdapter.primaryDomainFqdn,
testUserName,
out _userHandle);
SamrCryptography samrCryptography = new SamrCryptography(oldPassword, newPassword);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("SamrChangePasswordUser, OldPassword:{0}, NewPassword:{1}.", oldPassword, newPassword));
HRESULT hresult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrChangePasswordUser(
_userHandle,
1,
samrCryptography.GetOldLmEncryptedWithNewLm(),
samrCryptography.GetNewLmEncryptedWithOldLm(),
1,
samrCryptography.GetOldNtEncryptedWithNewNt(),
samrCryptography.GetNewNtEncryptedWithOldNt(),
0,
samrCryptography.GetNewNtEncryptedWithNewLm(),
0,
samrCryptography.GetNewLmEncryptedWithNewNt());
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hresult, "SamrChangePasswordUser returns success.");
}
public void SamrUnicodeChangePasswordUser2_SUCCESS()
{
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
string oldPassword = "******";
string newPassword = "******";
CreateTempUser createTempUser = new CreateTempUser(
_samrProtocolAdapter,
testUserName,
oldPassword,
AdtsUserAccountControl.ADS_UF_NORMAL_ACCOUNT);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Create test user, username:{0} password:{1}.", testUserName, oldPassword));
Common.UpdatesStorage.GetInstance().PushUpdate(createTempUser);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Set user must change password to user:{0}.", testUserName));
Common.Utilities.UserMustChangePassword(
_samrProtocolAdapter.pdcFqdn,
_samrProtocolAdapter.ADDSPortNum,
_samrProtocolAdapter.primaryDomainUserContainerDN,
testUserName);
Site.Log.Add(LogEntryKind.TestStep, "Initialize: Create Samr Bind to the server.");
_samrProtocolAdapter.SamrBind(
GetPdcDnsName(),
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword,
false,
true);
SamrCryptography samrCryptography = new SamrCryptography(oldPassword, newPassword);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("SamrUnicodeChangePasswordUser2, OldPassword:{0}, NewPassword:{1}.", oldPassword, newPassword));
HRESULT hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrUnicodeChangePasswordUser2(
SAMRProtocolAdapter.RpcAdapter.Handle,
DtypUtility.ToRpcUnicodeString(_samrProtocolAdapter.pdcNetBIOSName),
DtypUtility.ToRpcUnicodeString(testUserName),
samrCryptography.GetNewPasswordEncryptedWithOldNt(),
samrCryptography.GetOldNtEncryptedWithNewNt(),
0x01,
samrCryptography.GetNewPasswordEncryptedWithOldLm(PasswordType.Unicode),
samrCryptography.GetOldLmOwfPasswordEncryptedWithNewNt());
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrOemChangePasSamrUnicodeChangePasswordUser2swordUser2 returns success.");
}
public void SamrQuerySecurityObject_Server_DACL_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)COMMON_ACCESS_MASK.READ_CONTROL,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
"SamrQuerySecurityObject, SecurityInformation: DACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
_serverHandle,
SamrQuerySecurityObject_SecurityInformation_Values.DACL_SECURITY_INFORMATION,
out securityDescriptor);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
PtfAssert.IsNotNull(sd.Dacl,
"[MS-SAMR] 3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
PtfAssert.IsNull(sd.OwnerSid,
"[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.GroupSid,
"[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Sacl,
"[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");
Site.Log.Add(LogEntryKind.TestStep,
"Verifies that the DACL returned from the server contains the following ACEs: WorldSid(SAM_SERVER_EXECUTE | SAM_SERVER_READ), AdministratorSid(SAM_SERVER_ALL_ACCESS");
bool worldSidFound = false;
uint worldSidMask = 0;
bool adminSidFound = false;
uint adminSidMask = 0;
foreach (var o in sd.Dacl.Value.Aces)
{
if (!(o is Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE))
{
continue;
}
Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE ace = (Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE)o;
switch (DtypUtility.ToSddlString(ace.Sid))
{
case AdministratorSid:
adminSidFound = true;
adminSidMask = ace.Mask;
break;
case WorldSid:
worldSidFound = true;
worldSidMask = ace.Mask;
break;
}
}
PtfAssert.IsTrue(worldSidFound,
"[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. WorldSid");
PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_EXECUTE | SERVER_ACCESS_MASK.SAM_SERVER_READ, (SERVER_ACCESS_MASK)worldSidMask,
"The access mask of WorldSid is SAM_SERVER_EXECUTE|SAM_SERVER_READ.");
PtfAssert.IsTrue(adminSidFound,
"[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. AdministratorSid");
PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_ALL_ACCESS, (SERVER_ACCESS_MASK)adminSidMask,
"The access mask of AdministratorSid is SAM_SERVER_ALL_ACCESS.");
}
