2 Unix SMB/CIFS implementation.
4 DsGetNCChanges replication test
6 Copyright (C) Stefan (metze) Metzmacher 2005
7 Copyright (C) Brad Henry 2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/cmdline/popt_common.h"
25 #include "librpc/gen_ndr/ndr_drsuapi_c.h"
26 #include "librpc/gen_ndr/ndr_drsblobs.h"
27 #include "libcli/cldap/cldap.h"
28 #include "torture/torture.h"
29 #include "../libcli/drsuapi/drsuapi.h"
30 #include "auth/gensec/gensec.h"
31 #include "param/param.h"
32 #include "dsdb/samdb/samdb.h"
33 #include "torture/rpc/torture_rpc.h"
34 #include "torture/drs/proto.h"
35 #include "lib/tsocket/tsocket.h"
36 #include "libcli/resolve/resolve.h"
38 struct DsSyncBindInfo
{
39 struct dcerpc_pipe
*drs_pipe
;
40 struct dcerpc_binding_handle
*drs_handle
;
41 struct drsuapi_DsBind req
;
42 struct GUID bind_guid
;
43 struct drsuapi_DsBindInfoCtr our_bind_info_ctr
;
44 struct drsuapi_DsBindInfo28 our_bind_info28
;
45 struct drsuapi_DsBindInfo28 peer_bind_info28
;
46 struct policy_handle bind_handle
;
49 struct DsSyncLDAPInfo
{
50 struct ldb_context
*ldb
;
54 struct dcerpc_binding
*drsuapi_binding
;
57 const char *dest_address
;
58 const char *domain_dn
;
59 const char *config_dn
;
60 const char *schema_dn
;
62 /* what we need to do as 'Administrator' */
64 struct cli_credentials
*credentials
;
65 struct DsSyncBindInfo drsuapi
;
66 struct DsSyncLDAPInfo ldap
;
69 /* what we need to do as the new dc machine account */
71 struct cli_credentials
*credentials
;
72 struct DsSyncBindInfo drsuapi
;
73 struct drsuapi_DsGetDCInfo2 dc_info2
;
74 struct GUID invocation_id
;
75 struct GUID object_guid
;
78 /* info about the old dc */
80 struct drsuapi_DsGetDomainControllerInfo dc_info
;
84 static struct DsSyncTest
*test_create_context(struct torture_context
*tctx
)
87 struct DsSyncTest
*ctx
;
88 struct drsuapi_DsBindInfo28
*our_bind_info28
;
89 struct drsuapi_DsBindInfoCtr
*our_bind_info_ctr
;
90 const char *binding
= torture_setting_string(tctx
, "binding", NULL
);
93 ctx
= talloc_zero(tctx
, struct DsSyncTest
);
94 if (!ctx
) return NULL
;
96 status
= dcerpc_parse_binding(ctx
, binding
, &ctx
->drsuapi_binding
);
97 if (!NT_STATUS_IS_OK(status
)) {
98 printf("Bad binding string %s\n", binding
);
101 ctx
->drsuapi_binding
->flags
|= DCERPC_SIGN
| DCERPC_SEAL
;
103 ctx
->ldap_url
= talloc_asprintf(ctx
, "ldap://%s", ctx
->drsuapi_binding
->host
);
105 make_nbt_name_server(&name
, ctx
->drsuapi_binding
->host
);
107 /* do an initial name resolution to find its IP */
108 status
= resolve_name_ex(lpcfg_resolve_context(tctx
->lp_ctx
),
110 &ctx
->dest_address
, tctx
->ev
);
111 if (!NT_STATUS_IS_OK(status
)) {
112 printf("Failed to resolve %s - %s\n",
113 name
.name
, nt_errstr(status
));
118 ctx
->admin
.credentials
= cmdline_credentials
;
120 our_bind_info28
= &ctx
->admin
.drsuapi
.our_bind_info28
;
121 our_bind_info28
->supported_extensions
= 0xFFFFFFFF;
122 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
;
123 our_bind_info28
->site_guid
= GUID_zero();
124 our_bind_info28
->pid
= 0;
125 our_bind_info28
->repl_epoch
= 1;
127 our_bind_info_ctr
= &ctx
->admin
.drsuapi
.our_bind_info_ctr
;
128 our_bind_info_ctr
->length
= 28;
129 our_bind_info_ctr
->info
.info28
= *our_bind_info28
;
131 GUID_from_string(DRSUAPI_DS_BIND_GUID
, &ctx
->admin
.drsuapi
.bind_guid
);
133 ctx
->admin
.drsuapi
.req
.in
.bind_guid
= &ctx
->admin
.drsuapi
.bind_guid
;
134 ctx
->admin
.drsuapi
.req
.in
.bind_info
= our_bind_info_ctr
;
135 ctx
->admin
.drsuapi
.req
.out
.bind_handle
= &ctx
->admin
.drsuapi
.bind_handle
;
138 ctx
->new_dc
.credentials
= cmdline_credentials
;
140 our_bind_info28
= &ctx
->new_dc
.drsuapi
.our_bind_info28
;
141 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_BASE
;
142 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
;
143 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
;
144 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
;
145 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
;
146 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
;
147 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
;
148 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
;
149 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
;
150 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
;
151 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
;
152 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
;
153 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
;
154 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
;
155 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
;
156 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
;
157 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
;
158 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
;
159 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
;
160 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
;
161 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
;
162 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
;
163 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
;
164 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
;
165 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
;
166 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
;
167 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
;
168 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
;
169 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "xpress", false)) {
170 our_bind_info28
->supported_extensions
|= DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
;
172 our_bind_info28
->site_guid
= GUID_zero();
173 our_bind_info28
->pid
= 0;
174 our_bind_info28
->repl_epoch
= 0;
176 our_bind_info_ctr
= &ctx
->new_dc
.drsuapi
.our_bind_info_ctr
;
177 our_bind_info_ctr
->length
= 28;
178 our_bind_info_ctr
->info
.info28
= *our_bind_info28
;
180 GUID_from_string(DRSUAPI_DS_BIND_GUID_W2K3
, &ctx
->new_dc
.drsuapi
.bind_guid
);
182 ctx
->new_dc
.drsuapi
.req
.in
.bind_guid
= &ctx
->new_dc
.drsuapi
.bind_guid
;
183 ctx
->new_dc
.drsuapi
.req
.in
.bind_info
= our_bind_info_ctr
;
184 ctx
->new_dc
.drsuapi
.req
.out
.bind_handle
= &ctx
->new_dc
.drsuapi
.bind_handle
;
186 ctx
->new_dc
.invocation_id
= ctx
->new_dc
.drsuapi
.bind_guid
;
193 static bool _test_DsBind(struct torture_context
*tctx
,
194 struct DsSyncTest
*ctx
, struct cli_credentials
*credentials
, struct DsSyncBindInfo
*b
)
199 status
= dcerpc_pipe_connect_b(ctx
,
200 &b
->drs_pipe
, ctx
->drsuapi_binding
,
202 credentials
, tctx
->ev
, tctx
->lp_ctx
);
204 if (!NT_STATUS_IS_OK(status
)) {
205 printf("Failed to connect to server as a BDC: %s\n", nt_errstr(status
));
208 b
->drs_handle
= b
->drs_pipe
->binding_handle
;
210 status
= dcerpc_drsuapi_DsBind_r(b
->drs_handle
, ctx
, &b
->req
);
211 if (!NT_STATUS_IS_OK(status
)) {
212 const char *errstr
= nt_errstr(status
);
213 printf("dcerpc_drsuapi_DsBind failed - %s\n", errstr
);
215 } else if (!W_ERROR_IS_OK(b
->req
.out
.result
)) {
216 printf("DsBind failed - %s\n", win_errstr(b
->req
.out
.result
));
220 ZERO_STRUCT(b
->peer_bind_info28
);
221 if (b
->req
.out
.bind_info
) {
222 switch (b
->req
.out
.bind_info
->length
) {
224 struct drsuapi_DsBindInfo24
*info24
;
225 info24
= &b
->req
.out
.bind_info
->info
.info24
;
226 b
->peer_bind_info28
.supported_extensions
= info24
->supported_extensions
;
227 b
->peer_bind_info28
.site_guid
= info24
->site_guid
;
228 b
->peer_bind_info28
.pid
= info24
->pid
;
229 b
->peer_bind_info28
.repl_epoch
= 0;
233 struct drsuapi_DsBindInfo48
*info48
;
234 info48
= &b
->req
.out
.bind_info
->info
.info48
;
235 b
->peer_bind_info28
.supported_extensions
= info48
->supported_extensions
;
236 b
->peer_bind_info28
.site_guid
= info48
->site_guid
;
237 b
->peer_bind_info28
.pid
= info48
->pid
;
238 b
->peer_bind_info28
.repl_epoch
= info48
->repl_epoch
;
242 b
->peer_bind_info28
= b
->req
.out
.bind_info
->info
.info28
;
245 printf("DsBind - warning: unknown BindInfo length: %u\n",
246 b
->req
.out
.bind_info
->length
);
253 static bool test_LDAPBind(struct torture_context
*tctx
, struct DsSyncTest
*ctx
,
254 struct cli_credentials
*credentials
, struct DsSyncLDAPInfo
*l
)
258 struct ldb_context
*ldb
;
260 const char *modules_option
[] = { "modules:paged_searches", NULL
};
261 ctx
->admin
.ldap
.ldb
= ldb
= ldb_init(ctx
, tctx
->ev
);
266 /* Despite us loading the schema from the AD server, we need
267 * the samba handlers to get the extended DN syntax stuff */
268 ret
= ldb_register_samba_handlers(ldb
);
269 if (ret
!= LDB_SUCCESS
) {
274 ldb_set_modules_dir(ldb
, modules_path(ldb
, "ldb"));
276 if (ldb_set_opaque(ldb
, "credentials", credentials
)) {
281 if (ldb_set_opaque(ldb
, "loadparm", tctx
->lp_ctx
)) {
286 ret
= ldb_connect(ldb
, ctx
->ldap_url
, 0, modules_option
);
287 if (ret
!= LDB_SUCCESS
) {
289 torture_assert_int_equal(tctx
, ret
, LDB_SUCCESS
, "Failed to make LDB connection to target");
292 printf("connected to LDAP: %s\n", ctx
->ldap_url
);
297 static bool test_GetInfo(struct torture_context
*tctx
, struct DsSyncTest
*ctx
)
299 struct ldb_context
*ldb
= ctx
->admin
.ldap
.ldb
;
301 /* We must have LDB connection ready by this time */
302 SMB_ASSERT(ldb
!= NULL
);
304 ctx
->domain_dn
= ldb_dn_get_linearized(ldb_get_default_basedn(ldb
));
305 torture_assert(tctx
, ctx
->domain_dn
!= NULL
, "Failed to get Domain DN");
307 ctx
->config_dn
= ldb_dn_get_linearized(ldb_get_config_basedn(ldb
));
308 torture_assert(tctx
, ctx
->config_dn
!= NULL
, "Failed to get Domain DN");
310 ctx
->schema_dn
= ldb_dn_get_linearized(ldb_get_schema_basedn(ldb
));
311 torture_assert(tctx
, ctx
->schema_dn
!= NULL
, "Failed to get Domain DN");
316 static bool test_analyse_objects(struct torture_context
*tctx
,
317 struct DsSyncTest
*ctx
,
318 const char *partition
,
319 const struct drsuapi_DsReplicaOIDMapping_Ctr
*mapping_ctr
,
320 uint32_t object_count
,
321 const struct drsuapi_DsReplicaObjectListItemEx
*first_object
,
322 const DATA_BLOB
*gensec_skey
)
324 static uint32_t object_id
;
325 const char *save_values_dir
;
326 const struct drsuapi_DsReplicaObjectListItemEx
*cur
;
327 struct ldb_context
*ldb
= ctx
->admin
.ldap
.ldb
;
328 struct ldb_dn
*deleted_dn
;
331 struct dsdb_extended_replicated_objects
*objs
;
332 struct ldb_extended_dn_control
*extended_dn_ctrl
;
333 struct dsdb_schema
*ldap_schema
;
335 /* load dsdb_schema using remote prefixMap */
337 drs_util_dsdb_schema_load_ldb(tctx
, ldb
, mapping_ctr
, false),
338 "drs_util_dsdb_schema_load_ldb() failed");
339 ldap_schema
= dsdb_get_schema(ldb
, NULL
);
341 status
= dsdb_replicated_objects_convert(ldb
,
352 torture_assert_werr_ok(tctx
, status
, "dsdb_extended_replicated_objects_convert() failed!");
354 extended_dn_ctrl
= talloc(objs
, struct ldb_extended_dn_control
);
355 extended_dn_ctrl
->type
= 1;
357 deleted_dn
= ldb_dn_new(objs
, ldb
, partition
);
358 ldb_dn_add_child_fmt(deleted_dn
, "CN=Deleted Objects");
360 for (i
=0; i
< object_count
; i
++) {
361 struct ldb_request
*search_req
;
362 struct ldb_result
*res
;
363 struct ldb_message
*new_msg
, *drs_msg
, *ldap_msg
;
364 const char **attrs
= talloc_array(objs
, const char *, objs
->objects
[i
].msg
->num_elements
+1);
365 for (j
=0; j
< objs
->objects
[i
].msg
->num_elements
; j
++) {
366 attrs
[j
] = objs
->objects
[i
].msg
->elements
[j
].name
;
369 res
= talloc_zero(objs
, struct ldb_result
);
371 return LDB_ERR_OPERATIONS_ERROR
;
373 ret
= ldb_build_search_req(&search_req
, ldb
, objs
,
374 objs
->objects
[i
].msg
->dn
,
380 ldb_search_default_callback
,
382 if (ret
!= LDB_SUCCESS
) {
385 talloc_steal(search_req
, res
);
386 ret
= ldb_request_add_control(search_req
, LDB_CONTROL_SHOW_DELETED_OID
, true, NULL
);
387 if (ret
!= LDB_SUCCESS
) {
391 ret
= ldb_request_add_control(search_req
, LDB_CONTROL_EXTENDED_DN_OID
, true, extended_dn_ctrl
);
392 if (ret
!= LDB_SUCCESS
) {
396 ret
= ldb_request(ldb
, search_req
);
397 if (ret
== LDB_SUCCESS
) {
398 ret
= ldb_wait(search_req
->handle
, LDB_WAIT_ALL
);
401 torture_assert_int_equal(tctx
, ret
, LDB_SUCCESS
,
402 talloc_asprintf(tctx
,
403 "Could not re-fetch object just delivered over DRS: %s",
404 ldb_errstring(ldb
)));
405 torture_assert_int_equal(tctx
, res
->count
, 1, "Could not re-fetch object just delivered over DRS");
406 ldap_msg
= res
->msgs
[0];
407 for (j
=0; j
< ldap_msg
->num_elements
; j
++) {
408 ldap_msg
->elements
[j
].flags
= LDB_FLAG_MOD_ADD
;
409 /* For unknown reasons, there is no nTSecurityDescriptor on cn=deleted objects over LDAP, but there is over DRS! Skip it on both transports for now here so */
410 if ((ldb_attr_cmp(ldap_msg
->elements
[j
].name
, "nTSecurityDescriptor") == 0) &&
411 (ldb_dn_compare(ldap_msg
->dn
, deleted_dn
) == 0)) {
412 ldb_msg_remove_element(ldap_msg
, &ldap_msg
->elements
[j
]);
418 ret
= ldb_msg_normalize(ldb
, search_req
,
419 objs
->objects
[i
].msg
, &drs_msg
);
420 torture_assert(tctx
, ret
== LDB_SUCCESS
,
421 "ldb_msg_normalize() has failed");
423 for (j
=0; j
< drs_msg
->num_elements
; j
++) {
424 if (drs_msg
->elements
[j
].num_values
== 0) {
425 ldb_msg_remove_element(drs_msg
, &drs_msg
->elements
[j
]);
429 /* For unknown reasons, there is no nTSecurityDescriptor on cn=deleted objects over LDAP, but there is over DRS! */
430 } else if ((ldb_attr_cmp(drs_msg
->elements
[j
].name
, "nTSecurityDescriptor") == 0) &&
431 (ldb_dn_compare(drs_msg
->dn
, deleted_dn
) == 0)) {
432 ldb_msg_remove_element(drs_msg
, &drs_msg
->elements
[j
]);
435 } else if (ldb_attr_cmp(drs_msg
->elements
[j
].name
, "unicodePwd") == 0 ||
436 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "dBCSPwd") == 0 ||
437 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "ntPwdHistory") == 0 ||
438 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "lmPwdHistory") == 0 ||
439 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "supplementalCredentials") == 0 ||
440 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "priorValue") == 0 ||
441 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "currentValue") == 0 ||
442 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "trustAuthOutgoing") == 0 ||
443 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "trustAuthIncoming") == 0 ||
444 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "initialAuthOutgoing") == 0 ||
445 ldb_attr_cmp(drs_msg
->elements
[j
].name
, "initialAuthIncoming") == 0) {
447 /* These are not shown over LDAP, so we need to skip them for the comparison */
448 ldb_msg_remove_element(drs_msg
, &drs_msg
->elements
[j
]);
452 drs_msg
->elements
[j
].flags
= LDB_FLAG_MOD_ADD
;
457 ret
= ldb_msg_difference(ldb
, search_req
,
458 drs_msg
, ldap_msg
, &new_msg
);
459 torture_assert(tctx
, ret
== LDB_SUCCESS
, "ldb_msg_difference() has failed");
460 if (new_msg
->num_elements
!= 0) {
462 bool is_warning
= true;
464 struct ldb_message_element
*el
;
465 const struct dsdb_attribute
* a
;
466 struct ldb_ldif ldif
;
467 ldif
.changetype
= LDB_CHANGETYPE_MODIFY
;
469 s
= ldb_ldif_write_string(ldb
, new_msg
, &ldif
);
470 s
= talloc_asprintf(tctx
, "\n# Difference in between DRS and LDAP objects: \n%s", s
);
472 ret
= ldb_msg_difference(ldb
, search_req
,
473 ldap_msg
, drs_msg
, &ldif
.msg
);
474 torture_assert(tctx
, ret
== LDB_SUCCESS
, "ldb_msg_difference() has failed");
475 s
= talloc_asprintf_append(s
,
476 "\n# Difference in between LDAP and DRS objects: \n%s",
477 ldb_ldif_write_string(ldb
, new_msg
, &ldif
));
479 s
= talloc_asprintf_append(s
,
480 "# Should have no objects in 'difference' message. Diff elements: %d",
481 new_msg
->num_elements
);
484 * In case differences in messages are:
485 * 1. Attributes with different values, i.e. 'replace'
486 * 2. Those attributes are forward-link attributes
487 * then we just warn about those differences.
488 * It turns out windows doesn't send all of those values
489 * in replicated_object but in linked_attributes.
491 for (idx
= 0; idx
< new_msg
->num_elements
&& is_warning
; idx
++) {
492 el
= &new_msg
->elements
[idx
];
493 a
= dsdb_attribute_by_lDAPDisplayName(ldap_schema
,
495 if (!(el
->flags
& (LDB_FLAG_MOD_ADD
|LDB_FLAG_MOD_REPLACE
))) {
498 } else if (a
->linkID
& 1) {
503 torture_warning(tctx
, "%s", s
);
505 torture_fail(tctx
, s
);
509 /* search_req is used as a tmp talloc context in the above */
510 talloc_free(search_req
);
513 if (!lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "print_pwd_blobs", false)) {
518 save_values_dir
= lpcfg_parm_string(tctx
->lp_ctx
, NULL
, "dssync", "save_pwd_blobs_dir");
520 for (cur
= first_object
; cur
; cur
= cur
->next_object
) {
522 struct dom_sid
*sid
= NULL
;
524 bool dn_printed
= false;
526 if (!cur
->object
.identifier
) continue;
528 dn
= cur
->object
.identifier
->dn
;
529 if (cur
->object
.identifier
->sid
.num_auths
> 0) {
530 sid
= &cur
->object
.identifier
->sid
;
531 rid
= sid
->sub_auths
[sid
->num_auths
- 1];
534 for (i
=0; i
< cur
->object
.attribute_ctr
.num_attributes
; i
++) {
535 const char *name
= NULL
;
536 DATA_BLOB plain_data
;
537 struct drsuapi_DsReplicaAttribute
*attr
;
538 ndr_pull_flags_fn_t pull_fn
= NULL
;
539 ndr_print_fn_t print_fn
= NULL
;
541 attr
= &cur
->object
.attribute_ctr
.attributes
[i
];
543 switch (attr
->attid
) {
544 case DRSUAPI_ATTID_dBCSPwd
:
547 case DRSUAPI_ATTID_unicodePwd
:
550 case DRSUAPI_ATTID_ntPwdHistory
:
551 name
= "ntPwdHistory";
553 case DRSUAPI_ATTID_lmPwdHistory
:
554 name
= "lmPwdHistory";
556 case DRSUAPI_ATTID_supplementalCredentials
:
557 name
= "supplementalCredentials";
558 pull_fn
= (ndr_pull_flags_fn_t
)ndr_pull_supplementalCredentialsBlob
;
559 print_fn
= (ndr_print_fn_t
)ndr_print_supplementalCredentialsBlob
;
560 ptr
= talloc(ctx
, struct supplementalCredentialsBlob
);
562 case DRSUAPI_ATTID_priorValue
:
565 case DRSUAPI_ATTID_currentValue
:
566 name
= "currentValue";
568 case DRSUAPI_ATTID_trustAuthOutgoing
:
569 name
= "trustAuthOutgoing";
570 pull_fn
= (ndr_pull_flags_fn_t
)ndr_pull_trustAuthInOutBlob
;
571 print_fn
= (ndr_print_fn_t
)ndr_print_trustAuthInOutBlob
;
572 ptr
= talloc(ctx
, struct trustAuthInOutBlob
);
574 case DRSUAPI_ATTID_trustAuthIncoming
:
575 name
= "trustAuthIncoming";
576 pull_fn
= (ndr_pull_flags_fn_t
)ndr_pull_trustAuthInOutBlob
;
577 print_fn
= (ndr_print_fn_t
)ndr_print_trustAuthInOutBlob
;
578 ptr
= talloc(ctx
, struct trustAuthInOutBlob
);
580 case DRSUAPI_ATTID_initialAuthOutgoing
:
581 name
= "initialAuthOutgoing";
583 case DRSUAPI_ATTID_initialAuthIncoming
:
584 name
= "initialAuthIncoming";
590 if (attr
->value_ctr
.num_values
!= 1) continue;
592 if (!attr
->value_ctr
.values
[0].blob
) continue;
594 plain_data
= *attr
->value_ctr
.values
[0].blob
;
598 DEBUG(0,("DN[%u] %s\n", object_id
, dn
));
601 DEBUGADD(0,("ATTR: %s plain.length=%lu\n",
602 name
, (long)plain_data
.length
));
603 if (plain_data
.length
) {
604 enum ndr_err_code ndr_err
;
605 dump_data(0, plain_data
.data
, plain_data
.length
);
606 if (save_values_dir
) {
608 fname
= talloc_asprintf(ctx
, "%s/%s%02d",
613 ok
= file_save(fname
, plain_data
.data
, plain_data
.length
);
615 DEBUGADD(0,("Failed to save '%s'\n", fname
));
622 /* Can't use '_all' because of PIDL bugs with relative pointers */
623 ndr_err
= ndr_pull_struct_blob(&plain_data
, ptr
,
625 if (NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
626 ndr_print_debug(print_fn
, name
, ptr
);
628 DEBUG(0, ("Failed to decode %s\n", name
));
639 static bool test_GetNCChanges(struct torture_context
*tctx
,
640 struct DsSyncTest
*ctx
,
641 const char *nc_dn_str
)
646 uint64_t highest_usn
= 0;
647 struct drsuapi_DsGetNCChanges r
;
648 union drsuapi_DsGetNCChangesRequest req
;
649 struct drsuapi_DsReplicaObjectIdentifier nc
;
650 struct drsuapi_DsGetNCChangesCtr1
*ctr1
= NULL
;
651 struct drsuapi_DsGetNCChangesCtr6
*ctr6
= NULL
;
652 uint32_t out_level
= 0;
653 struct GUID null_guid
;
654 struct dom_sid null_sid
;
655 DATA_BLOB gensec_skey
;
667 ZERO_STRUCT(null_guid
);
668 ZERO_STRUCT(null_sid
);
670 highest_usn
= lpcfg_parm_int(tctx
->lp_ctx
, NULL
, "dssync", "highest_usn", 0);
672 array
[0].level
= lpcfg_parm_int(tctx
->lp_ctx
, NULL
, "dssync", "get_nc_changes_level", array
[0].level
);
674 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "print_pwd_blobs", false)) {
675 const struct samr_Password
*nthash
;
676 nthash
= cli_credentials_get_nt_hash(ctx
->new_dc
.credentials
, ctx
);
678 dump_data_pw("CREDENTIALS nthash:", nthash
->hash
, sizeof(nthash
->hash
));
681 status
= gensec_session_key(ctx
->new_dc
.drsuapi
.drs_pipe
->conn
->security_state
.generic_state
,
683 if (!NT_STATUS_IS_OK(status
)) {
684 printf("failed to get gensec session key: %s\n", nt_errstr(status
));
688 for (i
=0; i
< ARRAY_SIZE(array
); i
++) {
689 printf("Testing DsGetNCChanges level %d\n",
692 r
.in
.bind_handle
= &ctx
->new_dc
.drsuapi
.bind_handle
;
693 r
.in
.level
= array
[i
].level
;
695 switch (r
.in
.level
) {
702 r
.in
.req
->req5
.destination_dsa_guid
= ctx
->new_dc
.invocation_id
;
703 r
.in
.req
->req5
.source_dsa_invocation_id
= null_guid
;
704 r
.in
.req
->req5
.naming_context
= &nc
;
705 r
.in
.req
->req5
.highwatermark
.tmp_highest_usn
= highest_usn
;
706 r
.in
.req
->req5
.highwatermark
.reserved_usn
= 0;
707 r
.in
.req
->req5
.highwatermark
.highest_usn
= highest_usn
;
708 r
.in
.req
->req5
.uptodateness_vector
= NULL
;
709 r
.in
.req
->req5
.replica_flags
= 0;
710 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "compression", false)) {
711 r
.in
.req
->req5
.replica_flags
|= DRSUAPI_DRS_USE_COMPRESSION
;
713 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "neighbour_writeable", true)) {
714 r
.in
.req
->req5
.replica_flags
|= DRSUAPI_DRS_WRIT_REP
;
716 r
.in
.req
->req5
.replica_flags
|= DRSUAPI_DRS_INIT_SYNC
717 | DRSUAPI_DRS_PER_SYNC
718 | DRSUAPI_DRS_GET_ANC
719 | DRSUAPI_DRS_NEVER_SYNCED
721 r
.in
.req
->req5
.max_object_count
= 133;
722 r
.in
.req
->req5
.max_ndr_size
= 1336770;
723 r
.in
.req
->req5
.extended_op
= DRSUAPI_EXOP_NONE
;
724 r
.in
.req
->req5
.fsmo_info
= 0;
731 /* nc.dn can be set to any other ad partition */
734 r
.in
.req
->req8
.destination_dsa_guid
= ctx
->new_dc
.invocation_id
;
735 r
.in
.req
->req8
.source_dsa_invocation_id
= null_guid
;
736 r
.in
.req
->req8
.naming_context
= &nc
;
737 r
.in
.req
->req8
.highwatermark
.tmp_highest_usn
= highest_usn
;
738 r
.in
.req
->req8
.highwatermark
.reserved_usn
= 0;
739 r
.in
.req
->req8
.highwatermark
.highest_usn
= highest_usn
;
740 r
.in
.req
->req8
.uptodateness_vector
= NULL
;
741 r
.in
.req
->req8
.replica_flags
= 0;
742 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "compression", false)) {
743 r
.in
.req
->req8
.replica_flags
|= DRSUAPI_DRS_USE_COMPRESSION
;
745 if (lpcfg_parm_bool(tctx
->lp_ctx
, NULL
, "dssync", "neighbour_writeable", true)) {
746 r
.in
.req
->req8
.replica_flags
|= DRSUAPI_DRS_WRIT_REP
;
748 r
.in
.req
->req8
.replica_flags
|= DRSUAPI_DRS_INIT_SYNC
749 | DRSUAPI_DRS_PER_SYNC
750 | DRSUAPI_DRS_GET_ANC
751 | DRSUAPI_DRS_NEVER_SYNCED
753 r
.in
.req
->req8
.max_object_count
= 402;
754 r
.in
.req
->req8
.max_ndr_size
= 402116;
756 r
.in
.req
->req8
.extended_op
= DRSUAPI_EXOP_NONE
;
757 r
.in
.req
->req8
.fsmo_info
= 0;
758 r
.in
.req
->req8
.partial_attribute_set
= NULL
;
759 r
.in
.req
->req8
.partial_attribute_set_ex
= NULL
;
760 r
.in
.req
->req8
.mapping_ctr
.num_mappings
= 0;
761 r
.in
.req
->req8
.mapping_ctr
.mappings
= NULL
;
768 union drsuapi_DsGetNCChangesCtr ctr
;
772 r
.out
.level_out
= &_level
;
775 if (r
.in
.level
== 5) {
776 torture_comment(tctx
,
777 "start[%d] tmp_higest_usn: %llu , highest_usn: %llu\n",
779 (unsigned long long) r
.in
.req
->req5
.highwatermark
.tmp_highest_usn
,
780 (unsigned long long) r
.in
.req
->req5
.highwatermark
.highest_usn
);
783 if (r
.in
.level
== 8) {
784 torture_comment(tctx
,
785 "start[%d] tmp_higest_usn: %llu , highest_usn: %llu\n",
787 (unsigned long long) r
.in
.req
->req8
.highwatermark
.tmp_highest_usn
,
788 (unsigned long long) r
.in
.req
->req8
.highwatermark
.highest_usn
);
791 status
= dcerpc_drsuapi_DsGetNCChanges_r(ctx
->new_dc
.drsuapi
.drs_handle
, ctx
, &r
);
792 torture_drsuapi_assert_call(tctx
, ctx
->new_dc
.drsuapi
.drs_pipe
, status
,
793 &r
, "dcerpc_drsuapi_DsGetNCChanges");
795 if (ret
== true && *r
.out
.level_out
== 1) {
797 ctr1
= &r
.out
.ctr
->ctr1
;
798 } else if (ret
== true && *r
.out
.level_out
== 2 &&
799 r
.out
.ctr
->ctr2
.mszip1
.ts
) {
801 ctr1
= &r
.out
.ctr
->ctr2
.mszip1
.ts
->ctr1
;
804 if (out_level
== 1) {
805 torture_comment(tctx
,
806 "end[%d] tmp_highest_usn: %llu , highest_usn: %llu\n",
808 (unsigned long long) ctr1
->new_highwatermark
.tmp_highest_usn
,
809 (unsigned long long) ctr1
->new_highwatermark
.highest_usn
);
811 if (!test_analyse_objects(tctx
, ctx
, nc_dn_str
, &ctr1
->mapping_ctr
, ctr1
->object_count
,
812 ctr1
->first_object
, &gensec_skey
)) {
816 if (ctr1
->more_data
) {
817 r
.in
.req
->req5
.highwatermark
= ctr1
->new_highwatermark
;
822 if (ret
== true && *r
.out
.level_out
== 6) {
824 ctr6
= &r
.out
.ctr
->ctr6
;
825 } else if (ret
== true && *r
.out
.level_out
== 7
826 && r
.out
.ctr
->ctr7
.level
== 6
827 && r
.out
.ctr
->ctr7
.type
== DRSUAPI_COMPRESSION_TYPE_MSZIP
828 && r
.out
.ctr
->ctr7
.ctr
.mszip6
.ts
) {
830 ctr6
= &r
.out
.ctr
->ctr7
.ctr
.mszip6
.ts
->ctr6
;
831 } else if (ret
== true && *r
.out
.level_out
== 7
832 && r
.out
.ctr
->ctr7
.level
== 6
833 && r
.out
.ctr
->ctr7
.type
== DRSUAPI_COMPRESSION_TYPE_XPRESS
834 && r
.out
.ctr
->ctr7
.ctr
.xpress6
.ts
) {
836 ctr6
= &r
.out
.ctr
->ctr7
.ctr
.xpress6
.ts
->ctr6
;
839 if (out_level
== 6) {
840 torture_comment(tctx
,
841 "end[%d] tmp_highest_usn: %llu , highest_usn: %llu\n",
843 (unsigned long long) ctr6
->new_highwatermark
.tmp_highest_usn
,
844 (unsigned long long) ctr6
->new_highwatermark
.highest_usn
);
846 if (!test_analyse_objects(tctx
, ctx
, nc_dn_str
, &ctr6
->mapping_ctr
, ctr6
->object_count
,
847 ctr6
->first_object
, &gensec_skey
)) {
851 if (ctr6
->more_data
) {
852 r
.in
.req
->req8
.highwatermark
= ctr6
->new_highwatermark
;
865 * Test DsGetNCChanges() DRSUAPI call against one
866 * or more Naming Contexts.
867 * Specific NC to test with may be supplied
868 * in lp_ctx configuration. If no NC is specified,
869 * it will test DsGetNCChanges() on all NCs on remote DC
871 static bool test_FetchData(struct torture_context
*tctx
, struct DsSyncTest
*ctx
)
875 const char *nc_dn_str
;
876 const char **nc_list
;
878 nc_list
= const_str_list(str_list_make_empty(ctx
));
879 torture_assert(tctx
, nc_list
, "Not enough memory!");
881 /* make a list of partitions to test with */
882 nc_dn_str
= lpcfg_parm_string(tctx
->lp_ctx
, NULL
, "dssync", "partition");
883 if (nc_dn_str
== NULL
) {
884 nc_list
= str_list_add_const(nc_list
, ctx
->domain_dn
);
885 nc_list
= str_list_add_const(nc_list
, ctx
->config_dn
);
886 nc_list
= str_list_add_const(nc_list
, ctx
->schema_dn
);
888 nc_list
= str_list_add_const(nc_list
, nc_dn_str
);
891 count
= str_list_length(nc_list
);
892 for (i
= 0; i
< count
&& ret
; i
++) {
893 torture_comment(tctx
, "\nNaming Context: %s\n", nc_list
[i
]);
894 ret
= test_GetNCChanges(tctx
, ctx
, nc_list
[i
]);
897 talloc_free(nc_list
);
902 static bool test_FetchNT4Data(struct torture_context
*tctx
,
903 struct DsSyncTest
*ctx
)
906 struct drsuapi_DsGetNT4ChangeLog r
;
907 union drsuapi_DsGetNT4ChangeLogRequest req
;
908 union drsuapi_DsGetNT4ChangeLogInfo info
;
909 uint32_t level_out
= 0;
910 struct GUID null_guid
;
911 struct dom_sid null_sid
;
914 ZERO_STRUCT(null_guid
);
915 ZERO_STRUCT(null_sid
);
919 r
.in
.bind_handle
= &ctx
->new_dc
.drsuapi
.bind_handle
;
922 r
.out
.level_out
= &level_out
;
924 req
.req1
.flags
= lpcfg_parm_int(tctx
->lp_ctx
, NULL
,
925 "dssync", "nt4changelog_flags",
926 DRSUAPI_NT4_CHANGELOG_GET_CHANGELOG
|
927 DRSUAPI_NT4_CHANGELOG_GET_SERIAL_NUMBERS
);
928 req
.req1
.preferred_maximum_length
= lpcfg_parm_int(tctx
->lp_ctx
, NULL
,
929 "dssync", "nt4changelog_preferred_len",
933 req
.req1
.restart_length
= cookie
.length
;
934 req
.req1
.restart_data
= cookie
.data
;
938 status
= dcerpc_drsuapi_DsGetNT4ChangeLog_r(ctx
->new_dc
.drsuapi
.drs_handle
, ctx
, &r
);
939 if (NT_STATUS_EQUAL(status
, NT_STATUS_NOT_IMPLEMENTED
)) {
941 "DsGetNT4ChangeLog not supported: NT_STATUS_NOT_IMPLEMENTED");
942 } else if (!NT_STATUS_IS_OK(status
)) {
943 const char *errstr
= nt_errstr(status
);
944 if (NT_STATUS_EQUAL(status
, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
)) {
946 "DsGetNT4ChangeLog not supported: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE");
949 talloc_asprintf(tctx
, "dcerpc_drsuapi_DsGetNT4ChangeLog failed - %s\n",
951 } else if (W_ERROR_EQUAL(r
.out
.result
, WERR_INVALID_DOMAIN_ROLE
)) {
953 "DsGetNT4ChangeLog not supported: WERR_INVALID_DOMAIN_ROLE");
954 } else if (!W_ERROR_IS_OK(r
.out
.result
)) {
956 talloc_asprintf(tctx
, "DsGetNT4ChangeLog failed - %s\n",
957 win_errstr(r
.out
.result
)));
958 } else if (*r
.out
.level_out
!= 1) {
960 talloc_asprintf(tctx
, "DsGetNT4ChangeLog unknown level - %u\n",
962 } else if (NT_STATUS_IS_OK(r
.out
.info
->info1
.status
)) {
963 } else if (NT_STATUS_EQUAL(r
.out
.info
->info1
.status
, STATUS_MORE_ENTRIES
)) {
964 cookie
.length
= r
.out
.info
->info1
.restart_length
;
965 cookie
.data
= r
.out
.info
->info1
.restart_data
;
969 talloc_asprintf(tctx
, "DsGetNT4ChangeLog failed - %s\n",
970 nt_errstr(r
.out
.info
->info1
.status
)));
980 * DSSYNC test case setup
982 static bool torture_dssync_tcase_setup(struct torture_context
*tctx
, void **data
)
985 struct DsSyncTest
*ctx
;
987 *data
= ctx
= test_create_context(tctx
);
988 torture_assert(tctx
, ctx
, "test_create_context() failed");
990 bret
= _test_DsBind(tctx
, ctx
, ctx
->admin
.credentials
, &ctx
->admin
.drsuapi
);
991 torture_assert(tctx
, bret
, "_test_DsBind() failed");
993 bret
= test_LDAPBind(tctx
, ctx
, ctx
->admin
.credentials
, &ctx
->admin
.ldap
);
994 torture_assert(tctx
, bret
, "test_LDAPBind() failed");
996 bret
= test_GetInfo(tctx
, ctx
);
997 torture_assert(tctx
, bret
, "test_GetInfo() failed");
999 bret
= _test_DsBind(tctx
, ctx
, ctx
->new_dc
.credentials
, &ctx
->new_dc
.drsuapi
);
1000 torture_assert(tctx
, bret
, "_test_DsBind() failed");
1006 * DSSYNC test case cleanup
1008 static bool torture_dssync_tcase_teardown(struct torture_context
*tctx
, void *data
)
1010 struct DsSyncTest
*ctx
;
1011 struct drsuapi_DsUnbind r
;
1012 struct policy_handle bind_handle
;
1014 ctx
= talloc_get_type(data
, struct DsSyncTest
);
1017 r
.out
.bind_handle
= &bind_handle
;
1019 /* Unbing admin handle */
1020 r
.in
.bind_handle
= &ctx
->admin
.drsuapi
.bind_handle
;
1021 dcerpc_drsuapi_DsUnbind_r(ctx
->admin
.drsuapi
.drs_handle
, ctx
, &r
);
1023 /* Unbing new_dc handle */
1024 r
.in
.bind_handle
= &ctx
->new_dc
.drsuapi
.bind_handle
;
1025 dcerpc_drsuapi_DsUnbind_r(ctx
->new_dc
.drsuapi
.drs_handle
, ctx
, &r
);
1033 * DSSYNC test case implementation
1035 void torture_drs_rpc_dssync_tcase(struct torture_suite
*suite
)
1037 typedef bool (*run_func
) (struct torture_context
*test
, void *tcase_data
);
1039 struct torture_test
*test
;
1040 struct torture_tcase
*tcase
= torture_suite_add_tcase(suite
, "dssync");
1042 torture_tcase_set_fixture(tcase
,
1043 torture_dssync_tcase_setup
,
1044 torture_dssync_tcase_teardown
);
1046 test
= torture_tcase_add_simple_test(tcase
, "DC_FetchData", (run_func
)test_FetchData
);
1047 test
= torture_tcase_add_simple_test(tcase
, "FetchNT4Data", (run_func
)test_FetchNT4Data
);
