2 Unix SMB/CIFS implementation.
4 DsGetNCChanges replication test
6 Copyright (C) Stefan (metze) Metzmacher 2005
7 Copyright (C) Brad Henry 2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/cmdline/popt_common.h"
25 #include "librpc/gen_ndr/ndr_drsuapi_c.h"
26 #include "librpc/gen_ndr/ndr_drsblobs.h"
27 #include "libcli/cldap/cldap.h"
28 #include "torture/torture.h"
29 #include "../libcli/drsuapi/drsuapi.h"
30 #include "auth/gensec/gensec.h"
31 #include "param/param.h"
32 #include "dsdb/samdb/samdb.h"
33 #include "torture/rpc/torture_rpc.h"
34 #include "torture/drs/proto.h"
35 #include "lib/tsocket/tsocket.h"
36 #include "libcli/resolve/resolve.h"
38 struct DsSyncBindInfo
{
39 struct dcerpc_pipe
*drs_pipe
;
40 struct dcerpc_binding_handle
*drs_handle
;
41 struct drsuapi_DsBind req
;
42 struct GUID bind_guid
;
43 struct drsuapi_DsBindInfoCtr our_bind_info_ctr
;
44 struct drsuapi_DsBindInfo28 our_bind_info28
;
45 struct drsuapi_DsBindInfo28 peer_bind_info28
;
46 struct policy_handle bind_handle
;
49 struct DsSyncLDAPInfo
{
50 struct ldb_context
*ldb
;
54 struct dcerpc_binding
*drsuapi_binding
;
57 const char *dest_address
;
58 const char *domain_dn
;
59 const char *config_dn
;
60 const char *schema_dn
;
62 /* what we need to do as 'Administrator' */
64 struct cli_credentials
*credentials
;
65 struct DsSyncBindInfo drsuapi
;
66 struct DsSyncLDAPInfo ldap
;
69 /* what we need to do as the new dc machine account */
71 struct cli_credentials
*credentials
;
72 struct DsSyncBindInfo drsuapi
;
73 struct drsuapi_DsGetDCInfo2 dc_info2
;
74 struct GUID invocation_id
;
75 struct GUID object_guid
;
78 /* info about the old dc */
80 struct drsuapi_DsGetDomainControllerInfo dc_info
;
84 static struct DsSyncTest
*test_create_context(struct torture_context
*tctx
)
87 struct DsSyncTest
*ctx
;
88 struct drsuapi_DsBindInfo28
*our_bind_info28
;
89 struct drsuapi_DsBindInfoCtr
*our_bind_info_ctr
;
90 const char *binding
= torture_setting_string(tctx
, "binding", NULL
);
93 ctx
= talloc_zero(tctx
, struct DsSyncTest
);
94 if (!ctx
) return NULL
;
96 status
= dcerpc_parse_binding(ctx
, binding
, &ctx
->drsuapi_binding
);
97 if (!NT_STATUS_IS_OK(status
)) {
98 printf("Bad binding string %s\n", binding
);
101 ctx
->drsuapi_binding
->flags
|= DCERPC_SIGN
| DCERPC_SEAL
;
103 ctx
->ldap_url
= talloc_asprintf(ctx
, "ldap://%s", ctx
->drsuapi_binding
->host
);
105 make_nbt_name_server(&name
, ctx
->drsuapi_binding
->host
);
107 /* do an initial name resolution to find its IP */
108 status
= resolve_name(lpcfg_resolve_context(tctx
->lp_ctx
), &name
, tctx
,
109 &ctx
->dest_address
, tctx
->ev
);
110 if (!NT_STATUS_IS_OK(status
)) {
111 printf("Failed to resolve %s - %s\n",
112 name
.name
, nt_errstr(status
));
117 ctx
->admin
.credentials
= cmdline_credentials
;
119 our_bind_info28
= &ctx
->admin
.drsuapi
.our_bind_info28
;
120 our_bind_info28
->supported_extensions
= 0xFFFFFFFF;
121 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
;
122 our_bind_info28
->site_guid
= GUID_zero();
123 our_bind_info28
->pid
= 0;
124 our_bind_info28
->repl_epoch
= 1;
126 our_bind_info_ctr
= &ctx
->admin
.drsuapi
.our_bind_info_ctr
;
127 our_bind_info_ctr
->length
= 28;
128 our_bind_info_ctr
->info
.info28
= *our_bind_info28
;
130 GUID_from_string(DRSUAPI_DS_BIND_GUID
, &ctx
->admin
.drsuapi
.bind_guid
);
132 ctx
->admin
.drsuapi
.req
.in
.bind_guid
= &ctx
->admin
.drsuapi
.bind_guid
;
133 ctx
->admin
.drsuapi
.req
.in
.bind_info
= our_bind_info_ctr
;
134 ctx
->admin
.drsuapi
.req
.out
.bind_handle
= &ctx
->admin
.drsuapi
.bind_handle
;
137 ctx
->new_dc
.credentials
= cmdline_credentials
;
139 our_bind_info28
= &ctx
->new_dc
.drsuapi
.our_bind_info28
;
140 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_BASE
;
141 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
;
142 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
;
143 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
;
144 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
;
145 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
;
146 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
;
147 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
;
148 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
;
149 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
;
150 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
;
151 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
;
152 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
;
153 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
;
154 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
;
155 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
;
156 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
;
157 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
;
158 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
;
159 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
;
160 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
;
161 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
;
162 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
;
163 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
;
164 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
;
165 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
;
166 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
;
167 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
;
168 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "xpress", false)) {
169 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
;
171 our_bind_info28
->site_guid
= GUID_zero();
172 our_bind_info28
->pid
= 0;
173 our_bind_info28
->repl_epoch
= 0;
175 our_bind_info_ctr
= &ctx
->new_dc
.drsuapi
.our_bind_info_ctr
;
176 our_bind_info_ctr
->length
= 28;
177 our_bind_info_ctr
->info
.info28
= *our_bind_info28
;
179 GUID_from_string(DRSUAPI_DS_BIND_GUID_W2K3
, &ctx
->new_dc
.drsuapi
.bind_guid
);
181 ctx
->new_dc
.drsuapi
.req
.in
.bind_guid
= &ctx
->new_dc
.drsuapi
.bind_guid
;
182 ctx
->new_dc
.drsuapi
.req
.in
.bind_info
= our_bind_info_ctr
;
183 ctx
->new_dc
.drsuapi
.req
.out
.bind_handle
= &ctx
->new_dc
.drsuapi
.bind_handle
;
185 ctx
->new_dc
.invocation_id
= ctx
->new_dc
.drsuapi
.bind_guid
;
192 static bool _test_DsBind(struct torture_context
*tctx
,
193 struct DsSyncTest
*ctx
, struct cli_credentials
*credentials
, struct DsSyncBindInfo
*b
)
198 status
= dcerpc_pipe_connect_b(ctx
,
199 &b
->drs_pipe
, ctx
->drsuapi_binding
,
201 credentials
, tctx
->ev
, tctx
->lp_ctx
);
203 if (!NT_STATUS_IS_OK(status
)) {
204 printf("Failed to connect to server as a BDC: %s\n", nt_errstr(status
));
207 b
->drs_handle
= b
->drs_pipe
->binding_handle
;
209 status
= dcerpc_drsuapi_DsBind_r(b
->drs_handle
, ctx
, &b
->req
);
210 if (!NT_STATUS_IS_OK(status
)) {
211 const char *errstr
= nt_errstr(status
);
212 printf("dcerpc_drsuapi_DsBind failed - %s\n", errstr
);
214 } else if (!W_ERROR_IS_OK(b
->req
.out
.result
)) {
215 printf("DsBind failed - %s\n", win_errstr(b
->req
.out
.result
));
219 ZERO_STRUCT(b
->peer_bind_info28
);
220 if (b
->req
.out
.bind_info
) {
221 switch (b
->req
.out
.bind_info
->length
) {
223 struct drsuapi_DsBindInfo24
*info24
;
224 info24
= &b
->req
.out
.bind_info
->info
.info24
;
225 b
->peer_bind_info28
.supported_extensions
= info24
->supported_extensions
;
226 b
->peer_bind_info28
.site_guid
= info24
->site_guid
;
227 b
->peer_bind_info28
.pid
= info24
->pid
;
228 b
->peer_bind_info28
.repl_epoch
= 0;
232 struct drsuapi_DsBindInfo48
*info48
;
233 info48
= &b
->req
.out
.bind_info
->info
.info48
;
234 b
->peer_bind_info28
.supported_extensions
= info48
->supported_extensions
;
235 b
->peer_bind_info28
.site_guid
= info48
->site_guid
;
236 b
->peer_bind_info28
.pid
= info48
->pid
;
237 b
->peer_bind_info28
.repl_epoch
= info48
->repl_epoch
;
241 b
->peer_bind_info28
= b
->req
.out
.bind_info
->info
.info28
;
244 printf("DsBind - warning: unknown BindInfo length: %u\n",
245 b
->req
.out
.bind_info
->length
);
252 static bool test_LDAPBind(struct torture_context
*tctx
, struct DsSyncTest
*ctx
,
253 struct cli_credentials
*credentials
, struct DsSyncLDAPInfo
*l
)
257 struct ldb_context
*ldb
;
259 const char *modules_option
[] = { "modules:paged_searches", NULL
};
260 ctx
->admin
.ldap
.ldb
= ldb
= ldb_init(ctx
, tctx
->ev
);
265 /* Despite us loading the schema from the AD server, we need
266 * the samba handlers to get the extended DN syntax stuff */
267 ret
= ldb_register_samba_handlers(ldb
);
268 if (ret
!= LDB_SUCCESS
) {
273 ldb_set_modules_dir(ldb
,
276 lpcfg_modulesdir(tctx
->lp_ctx
)));
278 if (ldb_set_opaque(ldb
, "credentials", credentials
)) {
283 if (ldb_set_opaque(ldb
, "loadparm", tctx
->lp_ctx
)) {
288 ret
= ldb_connect(ldb
, ctx
->ldap_url
, 0, modules_option
);
289 if (ret
!= LDB_SUCCESS
) {
291 torture_assert_int_equal(tctx
, ret
, LDB_SUCCESS
, "Failed to make LDB connection to target");
294 printf("connected to LDAP: %s\n", ctx
->ldap_url
);
299 static bool test_GetInfo(struct torture_context
*tctx
, struct DsSyncTest
*ctx
)
301 struct ldb_context
*ldb
= ctx
->admin
.ldap
.ldb
;
303 /* We must have LDB connection ready by this time */
304 SMB_ASSERT(ldb
!= NULL
);
306 ctx
->domain_dn
= ldb_dn_get_linearized(ldb_get_default_basedn(ldb
));
307 torture_assert(tctx
, ctx
->domain_dn
!= NULL
, "Failed to get Domain DN");
309 ctx
->config_dn
= ldb_dn_get_linearized(ldb_get_config_basedn(ldb
));
310 torture_assert(tctx
, ctx
->config_dn
!= NULL
, "Failed to get Domain DN");
312 ctx
->schema_dn
= ldb_dn_get_linearized(ldb_get_schema_basedn(ldb
));
313 torture_assert(tctx
, ctx
->schema_dn
!= NULL
, "Failed to get Domain DN");
318 static bool test_analyse_objects(struct torture_context
*tctx
,
319 struct DsSyncTest
*ctx
,
320 const char *partition
,
321 const struct drsuapi_DsReplicaOIDMapping_Ctr
*mapping_ctr
,
322 uint32_t object_count
,
323 const struct drsuapi_DsReplicaObjectListItemEx
*first_object
,
324 const DATA_BLOB
*gensec_skey
)
326 static uint32_t object_id
;
327 const char *save_values_dir
;
328 const struct drsuapi_DsReplicaObjectListItemEx
*cur
;
329 struct ldb_context
*ldb
= ctx
->admin
.ldap
.ldb
;
330 struct ldb_dn
*deleted_dn
;
333 struct dsdb_extended_replicated_objects
*objs
;
334 struct ldb_extended_dn_control
*extended_dn_ctrl
;
335 struct dsdb_schema
*ldap_schema
;
337 /* load dsdb_schema using remote prefixMap */
339 drs_util_dsdb_schema_load_ldb(tctx
, ldb
, mapping_ctr
, false),
340 "drs_util_dsdb_schema_load_ldb() failed");
341 ldap_schema
= dsdb_get_schema(ldb
, NULL
);
343 status
= dsdb_replicated_objects_convert(ldb
,
353 torture_assert_werr_ok(tctx
, status
, "dsdb_extended_replicated_objects_convert() failed!");
355 extended_dn_ctrl
= talloc(objs
, struct ldb_extended_dn_control
);
356 extended_dn_ctrl
->type
= 1;
358 deleted_dn
= ldb_dn_new(objs
, ldb
, partition
);
359 ldb_dn_add_child_fmt(deleted_dn
, "CN=Deleted Objects");
361 for (i
=0; i
< object_count
; i
++) {
362 struct ldb_request
*search_req
;
363 struct ldb_result
*res
;
364 struct ldb_message
*new_msg
, *drs_msg
, *ldap_msg
;
365 const char **attrs
= talloc_array(objs
, const char *, objs
->objects
[i
].msg
->num_elements
+1);
366 for (j
=0; j
< objs
->objects
[i
].msg
->num_elements
; j
++) {
367 attrs
[j
] = objs
->objects
[i
].msg
->elements
[j
].name
;
370 res
= talloc_zero(objs
, struct ldb_result
);
372 return LDB_ERR_OPERATIONS_ERROR
;
374 ret
= ldb_build_search_req(&search_req
, ldb
, objs
,
375 objs
->objects
[i
].msg
->dn
,
381 ldb_search_default_callback
,
383 if (ret
!= LDB_SUCCESS
) {
386 talloc_steal(search_req
, res
);
387 ret
= ldb_request_add_control(search_req
, LDB_CONTROL_SHOW_DELETED_OID
, true, NULL
);
388 if (ret
!= LDB_SUCCESS
) {
392 ret
= ldb_request_add_control(search_req
, LDB_CONTROL_EXTENDED_DN_OID
, true, extended_dn_ctrl
);
393 if (ret
!= LDB_SUCCESS
) {
397 ret
= ldb_request(ldb
, search_req
);
398 if (ret
== LDB_SUCCESS
) {
399 ret
= ldb_wait(search_req
->handle
, LDB_WAIT_ALL
);
402 torture_assert_int_equal(tctx
, ret
, LDB_SUCCESS
,
403 talloc_asprintf(tctx
,
404 "Could not re-fetch object just delivered over DRS: %s",
405 ldb_errstring(ldb
)));
406 torture_assert_int_equal(tctx
, res
->count
, 1, "Could not re-fetch object just delivered over DRS");
407 ldap_msg
= res
->msgs
[0];
408 for (j
=0; j
< ldap_msg
->num_elements
; j
++) {
409 ldap_msg
->elements
[j
].flags
= LDB_FLAG_MOD_ADD
;
410 /* For unknown reasons, there is no nTSecurityDescriptor on cn=deleted objects over LDAP, but there is over DRS! Skip it on both transports for now here so */
411 if ((ldb_attr_cmp(ldap_msg
->elements
[j
].name
, "nTSecurityDescriptor") == 0) &&
412 (ldb_dn_compare(ldap_msg
->dn
, deleted_dn
) == 0)) {
413 ldb_msg_remove_element(ldap_msg
, &ldap_msg
->elements
[j
]);
419 ret
= ldb_msg_normalize(ldb
, search_req
,
420 objs
->objects
[i
].msg
, &drs_msg
);
421 torture_assert(tctx
, ret
== LDB_SUCCESS
,
422 "ldb_msg_normalize() has failed");
424 for (j
=0; j
< drs_msg
->num_elements
; j
++) {
425 if (drs_msg
->elements
[j
].num_values
== 0) {
426 ldb_msg_remove_element(drs_msg
, &drs_msg
->elements
[j
]);
430 /* For unknown reasons, there is no nTSecurityDescriptor on cn=deleted objects over LDAP, but there is over DRS! */
431 } else if ((ldb_attr_cmp(drs_msg
->elements
[j
].name
, "nTSecurityDescriptor") == 0) &&
432 (ldb_dn_compare(drs_msg
->dn
, deleted_dn
) == 0)) {
433 ldb_msg_remove_element(drs_msg
, &drs_msg
->elements
[j
]);
436 } else if (ldb_attr_cmp(drs_msg
->elements
[j
].name
, "unicodePwd") == 0 ||
437 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "dBCSPwd") == 0 ||
438 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "ntPwdHistory") == 0 ||
439 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "lmPwdHistory") == 0 ||
440 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "supplementalCredentials") == 0 ||
441 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "priorValue") == 0 ||
442 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "currentValue") == 0 ||
443 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "trustAuthOutgoing") == 0 ||
444 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "trustAuthIncoming") == 0 ||
445 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "initialAuthOutgoing") == 0 ||
446 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "initialAuthIncoming") == 0) {
448 /* These are not shown over LDAP, so we need to skip them for the comparison */
449 ldb_msg_remove_element(drs_msg
, &drs_msg
->elements
[j
]);
453 drs_msg
->elements
[j
].flags
= LDB_FLAG_MOD_ADD
;
458 ret
= ldb_msg_difference(ldb
, search_req
,
459 drs_msg
, ldap_msg
, &new_msg
);
460 torture_assert(tctx
, ret
== LDB_SUCCESS
, "ldb_msg_difference() has failed");
461 if (new_msg
->num_elements
!= 0) {
463 bool is_warning
= true;
465 struct ldb_message_element
*el
;
466 const struct dsdb_attribute
* a
;
467 struct ldb_ldif ldif
;
468 ldif
.changetype
= LDB_CHANGETYPE_MODIFY
;
470 s
= ldb_ldif_write_string(ldb
, new_msg
, &ldif
);
471 s
= talloc_asprintf(tctx
, "\n# Difference in between DRS and LDAP objects: \n%s", s
);
473 ret
= ldb_msg_difference(ldb
, search_req
,
474 ldap_msg
, drs_msg
, &ldif
.msg
);
475 torture_assert(tctx
, ret
== LDB_SUCCESS
, "ldb_msg_difference() has failed");
476 s
= talloc_asprintf_append(s
,
477 "\n# Difference in between LDAP and DRS objects: \n%s",
478 ldb_ldif_write_string(ldb
, new_msg
, &ldif
));
480 s
= talloc_asprintf_append(s
,
481 "# Should have no objects in 'difference' message. Diff elements: %d",
482 new_msg
->num_elements
);
485 * In case differences in messages are:
486 * 1. Attributes with different values, i.e. 'replace'
487 * 2. Those attributes are forward-link attributes
488 * then we just warn about those differences.
489 * It turns out windows doesn't send all of those values
490 * in replicated_object but in linked_attributes.
492 for (idx
= 0; idx
< new_msg
->num_elements
&& is_warning
; idx
++) {
493 el
= &new_msg
->elements
[idx
];
494 a
= dsdb_attribute_by_lDAPDisplayName(ldap_schema
,
496 if (!(el
->flags
& (LDB_FLAG_MOD_ADD
|LDB_FLAG_MOD_REPLACE
))) {
499 } else if (a
->linkID
& 1) {
504 torture_warning(tctx
, "%s", s
);
506 torture_fail(tctx
, s
);
510 /* search_req is used as a tmp talloc context in the above */
511 talloc_free(search_req
);
514 if (!lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "print_pwd_blobs", false)) {
519 save_values_dir
= lpcfg_parm_string(tctx
->lp_ctx
, NULL
, "dssync", "save_pwd_blobs_dir");
521 for (cur
= first_object
; cur
; cur
= cur
->next_object
) {
523 struct dom_sid
*sid
= NULL
;
525 bool dn_printed
= false;
527 if (!cur
->object
.identifier
) continue;
529 dn
= cur
->object
.identifier
->dn
;
530 if (cur
->object
.identifier
->sid
.num_auths
> 0) {
531 sid
= &cur
->object
.identifier
->sid
;
532 rid
= sid
->sub_auths
[sid
->num_auths
- 1];
535 for (i
=0; i
< cur
->object
.attribute_ctr
.num_attributes
; i
++) {
536 const char *name
= NULL
;
537 DATA_BLOB plain_data
;
538 struct drsuapi_DsReplicaAttribute
*attr
;
539 ndr_pull_flags_fn_t pull_fn
= NULL
;
540 ndr_print_fn_t print_fn
= NULL
;
542 attr
= &cur
->object
.attribute_ctr
.attributes
[i
];
544 switch (attr
->attid
) {
545 case DRSUAPI_ATTID_dBCSPwd
:
548 case DRSUAPI_ATTID_unicodePwd
:
551 case DRSUAPI_ATTID_ntPwdHistory
:
552 name
= "ntPwdHistory";
554 case DRSUAPI_ATTID_lmPwdHistory
:
555 name
= "lmPwdHistory";
557 case DRSUAPI_ATTID_supplementalCredentials
:
558 name
= "supplementalCredentials";
559 pull_fn
= (ndr_pull_flags_fn_t
)ndr_pull_supplementalCredentialsBlob
;
560 print_fn
= (ndr_print_fn_t
)ndr_print_supplementalCredentialsBlob
;
561 ptr
= talloc(ctx
, struct supplementalCredentialsBlob
);
563 case DRSUAPI_ATTID_priorValue
:
566 case DRSUAPI_ATTID_currentValue
:
567 name
= "currentValue";
569 case DRSUAPI_ATTID_trustAuthOutgoing
:
570 name
= "trustAuthOutgoing";
571 pull_fn
= (ndr_pull_flags_fn_t
)ndr_pull_trustAuthInOutBlob
;
572 print_fn
= (ndr_print_fn_t
)ndr_print_trustAuthInOutBlob
;
573 ptr
= talloc(ctx
, struct trustAuthInOutBlob
);
575 case DRSUAPI_ATTID_trustAuthIncoming
:
576 name
= "trustAuthIncoming";
577 pull_fn
= (ndr_pull_flags_fn_t
)ndr_pull_trustAuthInOutBlob
;
578 print_fn
= (ndr_print_fn_t
)ndr_print_trustAuthInOutBlob
;
579 ptr
= talloc(ctx
, struct trustAuthInOutBlob
);
581 case DRSUAPI_ATTID_initialAuthOutgoing
:
582 name
= "initialAuthOutgoing";
584 case DRSUAPI_ATTID_initialAuthIncoming
:
585 name
= "initialAuthIncoming";
591 if (attr
->value_ctr
.num_values
!= 1) continue;
593 if (!attr
->value_ctr
.values
[0].blob
) continue;
595 plain_data
= *attr
->value_ctr
.values
[0].blob
;
599 DEBUG(0,("DN[%u] %s\n", object_id
, dn
));
602 DEBUGADD(0,("ATTR: %s plain.length=%lu\n",
603 name
, (long)plain_data
.length
));
604 if (plain_data
.length
) {
605 enum ndr_err_code ndr_err
;
606 dump_data(0, plain_data
.data
, plain_data
.length
);
607 if (save_values_dir
) {
609 fname
= talloc_asprintf(ctx
, "%s/%s%02d",
614 ok
= file_save(fname
, plain_data
.data
, plain_data
.length
);
616 DEBUGADD(0,("Failed to save '%s'\n", fname
));
623 /* Can't use '_all' because of PIDL bugs with relative pointers */
624 ndr_err
= ndr_pull_struct_blob(&plain_data
, ptr
,
626 if (NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
627 ndr_print_debug(print_fn
, name
, ptr
);
629 DEBUG(0, ("Failed to decode %s\n", name
));
640 static bool test_GetNCChanges(struct torture_context
*tctx
,
641 struct DsSyncTest
*ctx
,
642 const char *nc_dn_str
)
647 uint64_t highest_usn
= 0;
648 struct drsuapi_DsGetNCChanges r
;
649 union drsuapi_DsGetNCChangesRequest req
;
650 struct drsuapi_DsReplicaObjectIdentifier nc
;
651 struct drsuapi_DsGetNCChangesCtr1
*ctr1
= NULL
;
652 struct drsuapi_DsGetNCChangesCtr6
*ctr6
= NULL
;
653 uint32_t out_level
= 0;
654 struct GUID null_guid
;
655 struct dom_sid null_sid
;
656 DATA_BLOB gensec_skey
;
668 ZERO_STRUCT(null_guid
);
669 ZERO_STRUCT(null_sid
);
671 highest_usn
= lpcfg_parm_int(tctx
->lp_ctx
, NULL
, "dssync", "highest_usn", 0);
673 array
[0].level
= lpcfg_parm_int(tctx
->lp_ctx
, NULL
, "dssync", "get_nc_changes_level", array
[0].level
);
675 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "print_pwd_blobs", false)) {
676 const struct samr_Password
*nthash
;
677 nthash
= cli_credentials_get_nt_hash(ctx
->new_dc
.credentials
, ctx
);
679 dump_data_pw("CREDENTIALS nthash:", nthash
->hash
, sizeof(nthash
->hash
));
682 status
= gensec_session_key(ctx
->new_dc
.drsuapi
.drs_pipe
->conn
->security_state
.generic_state
,
684 if (!NT_STATUS_IS_OK(status
)) {
685 printf("failed to get gensec session key: %s\n", nt_errstr(status
));
689 for (i
=0; i
< ARRAY_SIZE(array
); i
++) {
690 printf("Testing DsGetNCChanges level %d\n",
693 r
.in
.bind_handle
= &ctx
->new_dc
.drsuapi
.bind_handle
;
694 r
.in
.level
= array
[i
].level
;
696 switch (r
.in
.level
) {
703 r
.in
.req
->req5
.destination_dsa_guid
= ctx
->new_dc
.invocation_id
;
704 r
.in
.req
->req5
.source_dsa_invocation_id
= null_guid
;
705 r
.in
.req
->req5
.naming_context
= &nc
;
706 r
.in
.req
->req5
.highwatermark
.tmp_highest_usn
= highest_usn
;
707 r
.in
.req
->req5
.highwatermark
.reserved_usn
= 0;
708 r
.in
.req
->req5
.highwatermark
.highest_usn
= highest_usn
;
709 r
.in
.req
->req5
.uptodateness_vector
= NULL
;
710 r
.in
.req
->req5
.replica_flags
= 0;
711 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "compression", false)) {
712 r
.in
.req
->req5
.replica_flags
|= DRSUAPI_DRS_USE_COMPRESSION
;
714 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "neighbour_writeable", true)) {
715 r
.in
.req
->req5
.replica_flags
|= DRSUAPI_DRS_WRIT_REP
;
717 r
.in
.req
->req5
.replica_flags
|= DRSUAPI_DRS_INIT_SYNC
718 | DRSUAPI_DRS_PER_SYNC
719 | DRSUAPI_DRS_GET_ANC
720 | DRSUAPI_DRS_NEVER_SYNCED
722 r
.in
.req
->req5
.max_object_count
= 133;
723 r
.in
.req
->req5
.max_ndr_size
= 1336770;
724 r
.in
.req
->req5
.extended_op
= DRSUAPI_EXOP_NONE
;
725 r
.in
.req
->req5
.fsmo_info
= 0;
732 /* nc.dn can be set to any other ad partition */
735 r
.in
.req
->req8
.destination_dsa_guid
= ctx
->new_dc
.invocation_id
;
736 r
.in
.req
->req8
.source_dsa_invocation_id
= null_guid
;
737 r
.in
.req
->req8
.naming_context
= &nc
;
738 r
.in
.req
->req8
.highwatermark
.tmp_highest_usn
= highest_usn
;
739 r
.in
.req
->req8
.highwatermark
.reserved_usn
= 0;
740 r
.in
.req
->req8
.highwatermark
.highest_usn
= highest_usn
;
741 r
.in
.req
->req8
.uptodateness_vector
= NULL
;
742 r
.in
.req
->req8
.replica_flags
= 0;
743 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "compression", false)) {
744 r
.in
.req
->req8
.replica_flags
|= DRSUAPI_DRS_USE_COMPRESSION
;
746 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "neighbour_writeable", true)) {
747 r
.in
.req
->req8
.replica_flags
|= DRSUAPI_DRS_WRIT_REP
;
749 r
.in
.req
->req8
.replica_flags
|= DRSUAPI_DRS_INIT_SYNC
750 | DRSUAPI_DRS_PER_SYNC
751 | DRSUAPI_DRS_GET_ANC
752 | DRSUAPI_DRS_NEVER_SYNCED
754 r
.in
.req
->req8
.max_object_count
= 402;
755 r
.in
.req
->req8
.max_ndr_size
= 402116;
757 r
.in
.req
->req8
.extended_op
= DRSUAPI_EXOP_NONE
;
758 r
.in
.req
->req8
.fsmo_info
= 0;
759 r
.in
.req
->req8
.partial_attribute_set
= NULL
;
760 r
.in
.req
->req8
.partial_attribute_set_ex
= NULL
;
761 r
.in
.req
->req8
.mapping_ctr
.num_mappings
= 0;
762 r
.in
.req
->req8
.mapping_ctr
.mappings
= NULL
;
769 union drsuapi_DsGetNCChangesCtr ctr
;
773 r
.out
.level_out
= &_level
;
776 if (r
.in
.level
== 5) {
777 torture_comment(tctx
,
778 "start[%d] tmp_higest_usn: %llu , highest_usn: %llu\n",
780 (unsigned long long) r
.in
.req
->req5
.highwatermark
.tmp_highest_usn
,
781 (unsigned long long) r
.in
.req
->req5
.highwatermark
.highest_usn
);
784 if (r
.in
.level
== 8) {
785 torture_comment(tctx
,
786 "start[%d] tmp_higest_usn: %llu , highest_usn: %llu\n",
788 (unsigned long long) r
.in
.req
->req8
.highwatermark
.tmp_highest_usn
,
789 (unsigned long long) r
.in
.req
->req8
.highwatermark
.highest_usn
);
792 status
= dcerpc_drsuapi_DsGetNCChanges_r(ctx
->new_dc
.drsuapi
.drs_handle
, ctx
, &r
);
793 torture_drsuapi_assert_call(tctx
, ctx
->new_dc
.drsuapi
.drs_pipe
, status
,
794 &r
, "dcerpc_drsuapi_DsGetNCChanges");
796 if (ret
== true && *r
.out
.level_out
== 1) {
798 ctr1
= &r
.out
.ctr
->ctr1
;
799 } else if (ret
== true && *r
.out
.level_out
== 2 &&
800 r
.out
.ctr
->ctr2
.mszip1
.ts
) {
802 ctr1
= &r
.out
.ctr
->ctr2
.mszip1
.ts
->ctr1
;
805 if (out_level
== 1) {
806 torture_comment(tctx
,
807 "end[%d] tmp_highest_usn: %llu , highest_usn: %llu\n",
809 (unsigned long long) ctr1
->new_highwatermark
.tmp_highest_usn
,
810 (unsigned long long) ctr1
->new_highwatermark
.highest_usn
);
812 if (!test_analyse_objects(tctx
, ctx
, nc_dn_str
, &ctr1
->mapping_ctr
, ctr1
->object_count
,
813 ctr1
->first_object
, &gensec_skey
)) {
817 if (ctr1
->more_data
) {
818 r
.in
.req
->req5
.highwatermark
= ctr1
->new_highwatermark
;
823 if (ret
== true && *r
.out
.level_out
== 6) {
825 ctr6
= &r
.out
.ctr
->ctr6
;
826 } else if (ret
== true && *r
.out
.level_out
== 7
827 && r
.out
.ctr
->ctr7
.level
== 6
828 && r
.out
.ctr
->ctr7
.type
== DRSUAPI_COMPRESSION_TYPE_MSZIP
829 && r
.out
.ctr
->ctr7
.ctr
.mszip6
.ts
) {
831 ctr6
= &r
.out
.ctr
->ctr7
.ctr
.mszip6
.ts
->ctr6
;
832 } else if (ret
== true && *r
.out
.level_out
== 7
833 && r
.out
.ctr
->ctr7
.level
== 6
834 && r
.out
.ctr
->ctr7
.type
== DRSUAPI_COMPRESSION_TYPE_XPRESS
835 && r
.out
.ctr
->ctr7
.ctr
.xpress6
.ts
) {
837 ctr6
= &r
.out
.ctr
->ctr7
.ctr
.xpress6
.ts
->ctr6
;
840 if (out_level
== 6) {
841 torture_comment(tctx
,
842 "end[%d] tmp_highest_usn: %llu , highest_usn: %llu\n",
844 (unsigned long long) ctr6
->new_highwatermark
.tmp_highest_usn
,
845 (unsigned long long) ctr6
->new_highwatermark
.highest_usn
);
847 if (!test_analyse_objects(tctx
, ctx
, nc_dn_str
, &ctr6
->mapping_ctr
, ctr6
->object_count
,
848 ctr6
->first_object
, &gensec_skey
)) {
852 if (ctr6
->more_data
) {
853 r
.in
.req
->req8
.highwatermark
= ctr6
->new_highwatermark
;
866 * Test DsGetNCChanges() DRSUAPI call against one
867 * or more Naming Contexts.
868 * Specific NC to test with may be supplied
869 * in lp_ctx configuration. If no NC is specified,
870 * it will test DsGetNCChanges() on all NCs on remote DC
872 static bool test_FetchData(struct torture_context
*tctx
, struct DsSyncTest
*ctx
)
876 const char *nc_dn_str
;
877 const char **nc_list
;
879 nc_list
= const_str_list(str_list_make_empty(ctx
));
880 torture_assert(tctx
, nc_list
, "Not enough memory!");
882 /* make a list of partitions to test with */
883 nc_dn_str
= lpcfg_parm_string(tctx
->lp_ctx
, NULL
, "dssync", "partition");
884 if (nc_dn_str
== NULL
) {
885 nc_list
= str_list_add_const(nc_list
, ctx
->domain_dn
);
886 nc_list
= str_list_add_const(nc_list
, ctx
->config_dn
);
887 nc_list
= str_list_add_const(nc_list
, ctx
->schema_dn
);
889 nc_list
= str_list_add_const(nc_list
, nc_dn_str
);
892 count
= str_list_length(nc_list
);
893 for (i
= 0; i
< count
&& ret
; i
++) {
894 torture_comment(tctx
, "\nNaming Context: %s\n", nc_list
[i
]);
895 ret
= test_GetNCChanges(tctx
, ctx
, nc_list
[i
]);
898 talloc_free(nc_list
);
903 static bool test_FetchNT4Data(struct torture_context
*tctx
,
904 struct DsSyncTest
*ctx
)
907 struct drsuapi_DsGetNT4ChangeLog r
;
908 union drsuapi_DsGetNT4ChangeLogRequest req
;
909 union drsuapi_DsGetNT4ChangeLogInfo info
;
910 uint32_t level_out
= 0;
911 struct GUID null_guid
;
912 struct dom_sid null_sid
;
915 ZERO_STRUCT(null_guid
);
916 ZERO_STRUCT(null_sid
);
920 r
.in
.bind_handle
= &ctx
->new_dc
.drsuapi
.bind_handle
;
923 r
.out
.level_out
= &level_out
;
925 req
.req1
.flags
= lpcfg_parm_int(tctx
->lp_ctx
, NULL
,
926 "dssync", "nt4changelog_flags",
927 DRSUAPI_NT4_CHANGELOG_GET_CHANGELOG
|
928 DRSUAPI_NT4_CHANGELOG_GET_SERIAL_NUMBERS
);
929 req
.req1
.preferred_maximum_length
= lpcfg_parm_int(tctx
->lp_ctx
, NULL
,
930 "dssync", "nt4changelog_preferred_len",
934 req
.req1
.restart_length
= cookie
.length
;
935 req
.req1
.restart_data
= cookie
.data
;
939 status
= dcerpc_drsuapi_DsGetNT4ChangeLog_r(ctx
->new_dc
.drsuapi
.drs_handle
, ctx
, &r
);
940 if (NT_STATUS_EQUAL(status
, NT_STATUS_NOT_IMPLEMENTED
)) {
942 "DsGetNT4ChangeLog not supported: NT_STATUS_NOT_IMPLEMENTED");
943 } else if (!NT_STATUS_IS_OK(status
)) {
944 const char *errstr
= nt_errstr(status
);
945 if (NT_STATUS_EQUAL(status
, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
)) {
947 "DsGetNT4ChangeLog not supported: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE");
950 talloc_asprintf(tctx
, "dcerpc_drsuapi_DsGetNT4ChangeLog failed - %s\n",
952 } else if (W_ERROR_EQUAL(r
.out
.result
, WERR_INVALID_DOMAIN_ROLE
)) {
954 "DsGetNT4ChangeLog not supported: WERR_INVALID_DOMAIN_ROLE");
955 } else if (!W_ERROR_IS_OK(r
.out
.result
)) {
957 talloc_asprintf(tctx
, "DsGetNT4ChangeLog failed - %s\n",
958 win_errstr(r
.out
.result
)));
959 } else if (*r
.out
.level_out
!= 1) {
961 talloc_asprintf(tctx
, "DsGetNT4ChangeLog unknown level - %u\n",
963 } else if (NT_STATUS_IS_OK(r
.out
.info
->info1
.status
)) {
964 } else if (NT_STATUS_EQUAL(r
.out
.info
->info1
.status
, STATUS_MORE_ENTRIES
)) {
965 cookie
.length
= r
.out
.info
->info1
.restart_length
;
966 cookie
.data
= r
.out
.info
->info1
.restart_data
;
970 talloc_asprintf(tctx
, "DsGetNT4ChangeLog failed - %s\n",
971 nt_errstr(r
.out
.info
->info1
.status
)));
981 * DSSYNC test case setup
983 static bool torture_dssync_tcase_setup(struct torture_context
*tctx
, void **data
)
986 struct DsSyncTest
*ctx
;
988 *data
= ctx
= test_create_context(tctx
);
989 torture_assert(tctx
, ctx
, "test_create_context() failed");
991 bret
= _test_DsBind(tctx
, ctx
, ctx
->admin
.credentials
, &ctx
->admin
.drsuapi
);
992 torture_assert(tctx
, bret
, "_test_DsBind() failed");
994 bret
= test_LDAPBind(tctx
, ctx
, ctx
->admin
.credentials
, &ctx
->admin
.ldap
);
995 torture_assert(tctx
, bret
, "test_LDAPBind() failed");
997 bret
= test_GetInfo(tctx
, ctx
);
998 torture_assert(tctx
, bret
, "test_GetInfo() failed");
1000 bret
= _test_DsBind(tctx
, ctx
, ctx
->new_dc
.credentials
, &ctx
->new_dc
.drsuapi
);
1001 torture_assert(tctx
, bret
, "_test_DsBind() failed");
1007 * DSSYNC test case cleanup
1009 static bool torture_dssync_tcase_teardown(struct torture_context
*tctx
, void *data
)
1011 struct DsSyncTest
*ctx
;
1012 struct drsuapi_DsUnbind r
;
1013 struct policy_handle bind_handle
;
1015 ctx
= talloc_get_type(data
, struct DsSyncTest
);
1018 r
.out
.bind_handle
= &bind_handle
;
1020 /* Unbing admin handle */
1021 r
.in
.bind_handle
= &ctx
->admin
.drsuapi
.bind_handle
;
1022 dcerpc_drsuapi_DsUnbind_r(ctx
->admin
.drsuapi
.drs_handle
, ctx
, &r
);
1024 /* Unbing new_dc handle */
1025 r
.in
.bind_handle
= &ctx
->new_dc
.drsuapi
.bind_handle
;
1026 dcerpc_drsuapi_DsUnbind_r(ctx
->new_dc
.drsuapi
.drs_handle
, ctx
, &r
);
1034 * DSSYNC test case implementation
1036 void torture_drs_rpc_dssync_tcase(struct torture_suite
*suite
)
1038 typedef bool (*run_func
) (struct torture_context
*test
, void *tcase_data
);
1040 struct torture_test
*test
;
1041 struct torture_tcase
*tcase
= torture_suite_add_tcase(suite
, "dssync");
1043 torture_tcase_set_fixture(tcase
,
1044 torture_dssync_tcase_setup
,
1045 torture_dssync_tcase_teardown
);
1047 test
= torture_tcase_add_simple_test(tcase
, "DC_FetchData", (run_func
)test_FetchData
);
1048 test
= torture_tcase_add_simple_test(tcase
, "FetchNT4Data", (run_func
)test_FetchNT4Data
);
