2 Unix SMB/CIFS implementation.
4 DsGetNCChanges replication test
6 Copyright (C) Stefan (metze) Metzmacher 2005
7 Copyright (C) Brad Henry 2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/cmdline/popt_common.h"
25 #include "librpc/gen_ndr/ndr_drsuapi_c.h"
26 #include "librpc/gen_ndr/ndr_drsblobs.h"
27 #include "libcli/cldap/cldap.h"
28 #include "torture/torture.h"
29 #include "../libcli/drsuapi/drsuapi.h"
30 #include "auth/gensec/gensec.h"
31 #include "param/param.h"
32 #include "dsdb/samdb/samdb.h"
33 #include "torture/rpc/torture_rpc.h"
34 #include "torture/drs/proto.h"
35 #include "lib/tsocket/tsocket.h"
36 #include "libcli/resolve/resolve.h"
38 struct DsSyncBindInfo {
39 struct dcerpc_pipe *drs_pipe;
40 struct dcerpc_binding_handle *drs_handle;
41 struct drsuapi_DsBind req;
42 struct GUID bind_guid;
43 struct drsuapi_DsBindInfoCtr our_bind_info_ctr;
44 struct drsuapi_DsBindInfo28 our_bind_info28;
45 struct drsuapi_DsBindInfo28 peer_bind_info28;
46 struct policy_handle bind_handle;
49 struct DsSyncLDAPInfo {
50 struct ldb_context *ldb;
54 struct dcerpc_binding *drsuapi_binding;
57 const char *dest_address;
58 const char *domain_dn;
59 const char *config_dn;
60 const char *schema_dn;
62 /* what we need to do as 'Administrator' */
64 struct cli_credentials *credentials;
65 struct DsSyncBindInfo drsuapi;
66 struct DsSyncLDAPInfo ldap;
69 /* what we need to do as the new dc machine account */
71 struct cli_credentials *credentials;
72 struct DsSyncBindInfo drsuapi;
73 struct drsuapi_DsGetDCInfo2 dc_info2;
74 struct GUID invocation_id;
75 struct GUID object_guid;
78 /* info about the old dc */
80 struct drsuapi_DsGetDomainControllerInfo dc_info;
84 static struct DsSyncTest *test_create_context(struct torture_context *tctx)
87 struct DsSyncTest *ctx;
88 struct drsuapi_DsBindInfo28 *our_bind_info28;
89 struct drsuapi_DsBindInfoCtr *our_bind_info_ctr;
90 const char *binding = torture_setting_string(tctx, "binding", NULL);
93 ctx = talloc_zero(tctx, struct DsSyncTest);
94 if (!ctx) return NULL;
96 status = dcerpc_parse_binding(ctx, binding, &ctx->drsuapi_binding);
97 if (!NT_STATUS_IS_OK(status)) {
98 printf("Bad binding string %s\n", binding);
101 status = dcerpc_binding_set_flags(ctx->drsuapi_binding,
102 DCERPC_SIGN | DCERPC_SEAL, 0);
103 if (!NT_STATUS_IS_OK(status)) {
104 printf("dcerpc_binding_set_flags - %s\n", nt_errstr(status));
108 ctx->ldap_url = talloc_asprintf(ctx, "ldap://%s", ctx->drsuapi_binding->host);
110 make_nbt_name_server(&name, ctx->drsuapi_binding->host);
112 /* do an initial name resolution to find its IP */
113 status = resolve_name_ex(lpcfg_resolve_context(tctx->lp_ctx),
115 &ctx->dest_address, tctx->ev);
116 if (!NT_STATUS_IS_OK(status)) {
117 printf("Failed to resolve %s - %s\n",
118 name.name, nt_errstr(status));
123 ctx->admin.credentials = cmdline_credentials;
125 our_bind_info28 = &ctx->admin.drsuapi.our_bind_info28;
126 our_bind_info28->supported_extensions = 0xFFFFFFFF;
127 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3;
128 our_bind_info28->site_guid = GUID_zero();
129 our_bind_info28->pid = 0;
130 our_bind_info28->repl_epoch = 1;
132 our_bind_info_ctr = &ctx->admin.drsuapi.our_bind_info_ctr;
133 our_bind_info_ctr->length = 28;
134 our_bind_info_ctr->info.info28 = *our_bind_info28;
136 GUID_from_string(DRSUAPI_DS_BIND_GUID, &ctx->admin.drsuapi.bind_guid);
138 ctx->admin.drsuapi.req.in.bind_guid = &ctx->admin.drsuapi.bind_guid;
139 ctx->admin.drsuapi.req.in.bind_info = our_bind_info_ctr;
140 ctx->admin.drsuapi.req.out.bind_handle = &ctx->admin.drsuapi.bind_handle;
143 ctx->new_dc.credentials = cmdline_credentials;
145 our_bind_info28 = &ctx->new_dc.drsuapi.our_bind_info28;
146 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_BASE;
147 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION;
148 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI;
149 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2;
150 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS;
151 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1;
152 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION;
153 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE;
154 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2;
155 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION;
156 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2;
157 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD;
158 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND;
159 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO;
160 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION;
161 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01;
162 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP;
163 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY;
164 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3;
165 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2;
166 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6;
167 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS;
168 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8;
169 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5;
170 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6;
171 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3;
172 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7;
173 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT;
174 if (lpcfg_parm_bool(tctx->lp_ctx, NULL, "dssync", "xpress", false)) {
175 our_bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS;
177 our_bind_info28->site_guid = GUID_zero();
178 our_bind_info28->pid = 0;
179 our_bind_info28->repl_epoch = 0;
181 our_bind_info_ctr = &ctx->new_dc.drsuapi.our_bind_info_ctr;
182 our_bind_info_ctr->length = 28;
183 our_bind_info_ctr->info.info28 = *our_bind_info28;
185 GUID_from_string(DRSUAPI_DS_BIND_GUID_W2K3, &ctx->new_dc.drsuapi.bind_guid);
187 ctx->new_dc.drsuapi.req.in.bind_guid = &ctx->new_dc.drsuapi.bind_guid;
188 ctx->new_dc.drsuapi.req.in.bind_info = our_bind_info_ctr;
189 ctx->new_dc.drsuapi.req.out.bind_handle = &ctx->new_dc.drsuapi.bind_handle;
191 ctx->new_dc.invocation_id = ctx->new_dc.drsuapi.bind_guid;
198 static bool _test_DsBind(struct torture_context *tctx,
199 struct DsSyncTest *ctx, struct cli_credentials *credentials, struct DsSyncBindInfo *b)
204 status = dcerpc_pipe_connect_b(ctx,
205 &b->drs_pipe, ctx->drsuapi_binding,
207 credentials, tctx->ev, tctx->lp_ctx);
209 if (!NT_STATUS_IS_OK(status)) {
210 printf("Failed to connect to server as a BDC: %s\n", nt_errstr(status));
213 b->drs_handle = b->drs_pipe->binding_handle;
215 status = dcerpc_drsuapi_DsBind_r(b->drs_handle, ctx, &b->req);
216 if (!NT_STATUS_IS_OK(status)) {
217 const char *errstr = nt_errstr(status);
218 printf("dcerpc_drsuapi_DsBind failed - %s\n", errstr);
220 } else if (!W_ERROR_IS_OK(b->req.out.result)) {
221 printf("DsBind failed - %s\n", win_errstr(b->req.out.result));
225 ZERO_STRUCT(b->peer_bind_info28);
226 if (b->req.out.bind_info) {
227 switch (b->req.out.bind_info->length) {
229 struct drsuapi_DsBindInfo24 *info24;
230 info24 = &b->req.out.bind_info->info.info24;
231 b->peer_bind_info28.supported_extensions= info24->supported_extensions;
232 b->peer_bind_info28.site_guid = info24->site_guid;
233 b->peer_bind_info28.pid = info24->pid;
234 b->peer_bind_info28.repl_epoch = 0;
238 struct drsuapi_DsBindInfo48 *info48;
239 info48 = &b->req.out.bind_info->info.info48;
240 b->peer_bind_info28.supported_extensions= info48->supported_extensions;
241 b->peer_bind_info28.site_guid = info48->site_guid;
242 b->peer_bind_info28.pid = info48->pid;
243 b->peer_bind_info28.repl_epoch = info48->repl_epoch;
247 b->peer_bind_info28 = b->req.out.bind_info->info.info28;
250 printf("DsBind - warning: unknown BindInfo length: %u\n",
251 b->req.out.bind_info->length);
258 static bool test_LDAPBind(struct torture_context *tctx, struct DsSyncTest *ctx,
259 struct cli_credentials *credentials, struct DsSyncLDAPInfo *l)
263 struct ldb_context *ldb;
265 const char *modules_option[] = { "modules:paged_searches", NULL };
266 ctx->admin.ldap.ldb = ldb = ldb_init(ctx, tctx->ev);
271 /* Despite us loading the schema from the AD server, we need
272 * the samba handlers to get the extended DN syntax stuff */
273 ret = ldb_register_samba_handlers(ldb);
274 if (ret != LDB_SUCCESS) {
279 ldb_set_modules_dir(ldb, modules_path(ldb, "ldb"));
281 if (ldb_set_opaque(ldb, "credentials", credentials)) {
286 if (ldb_set_opaque(ldb, "loadparm", tctx->lp_ctx)) {
291 ret = ldb_connect(ldb, ctx->ldap_url, 0, modules_option);
292 if (ret != LDB_SUCCESS) {
294 torture_assert_int_equal(tctx, ret, LDB_SUCCESS, "Failed to make LDB connection to target");
297 printf("connected to LDAP: %s\n", ctx->ldap_url);
302 static bool test_GetInfo(struct torture_context *tctx, struct DsSyncTest *ctx)
304 struct ldb_context *ldb = ctx->admin.ldap.ldb;
306 /* We must have LDB connection ready by this time */
307 SMB_ASSERT(ldb != NULL);
309 ctx->domain_dn = ldb_dn_get_linearized(ldb_get_default_basedn(ldb));
310 torture_assert(tctx, ctx->domain_dn != NULL, "Failed to get Domain DN");
312 ctx->config_dn = ldb_dn_get_linearized(ldb_get_config_basedn(ldb));
313 torture_assert(tctx, ctx->config_dn != NULL, "Failed to get Domain DN");
315 ctx->schema_dn = ldb_dn_get_linearized(ldb_get_schema_basedn(ldb));
316 torture_assert(tctx, ctx->schema_dn != NULL, "Failed to get Domain DN");
321 static bool test_analyse_objects(struct torture_context *tctx,
322 struct DsSyncTest *ctx,
323 const char *partition,
324 const struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr,
325 uint32_t object_count,
326 const struct drsuapi_DsReplicaObjectListItemEx *first_object,
327 const DATA_BLOB *gensec_skey)
329 static uint32_t object_id;
330 const char *save_values_dir;
331 const struct drsuapi_DsReplicaObjectListItemEx *cur;
332 struct ldb_context *ldb = ctx->admin.ldap.ldb;
333 struct ldb_dn *deleted_dn;
336 struct dsdb_extended_replicated_objects *objs;
337 struct ldb_extended_dn_control *extended_dn_ctrl;
338 struct dsdb_schema *ldap_schema;
340 /* load dsdb_schema using remote prefixMap */
342 drs_util_dsdb_schema_load_ldb(tctx, ldb, mapping_ctr, false),
343 "drs_util_dsdb_schema_load_ldb() failed");
344 ldap_schema = dsdb_get_schema(ldb, NULL);
346 status = dsdb_replicated_objects_convert(ldb,
357 torture_assert_werr_ok(tctx, status, "dsdb_extended_replicated_objects_convert() failed!");
359 extended_dn_ctrl = talloc(objs, struct ldb_extended_dn_control);
360 extended_dn_ctrl->type = 1;
362 deleted_dn = ldb_dn_new(objs, ldb, partition);
363 ldb_dn_add_child_fmt(deleted_dn, "CN=Deleted Objects");
365 for (i=0; i < object_count; i++) {
366 struct ldb_request *search_req;
367 struct ldb_result *res;
368 struct ldb_message *new_msg, *drs_msg, *ldap_msg;
369 const char **attrs = talloc_array(objs, const char *, objs->objects[i].msg->num_elements+1);
370 for (j=0; j < objs->objects[i].msg->num_elements; j++) {
371 attrs[j] = objs->objects[i].msg->elements[j].name;
374 res = talloc_zero(objs, struct ldb_result);
376 return LDB_ERR_OPERATIONS_ERROR;
378 ret = ldb_build_search_req(&search_req, ldb, objs,
379 objs->objects[i].msg->dn,
385 ldb_search_default_callback,
387 if (ret != LDB_SUCCESS) {
390 talloc_steal(search_req, res);
391 ret = ldb_request_add_control(search_req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
392 if (ret != LDB_SUCCESS) {
396 ret = ldb_request_add_control(search_req, LDB_CONTROL_EXTENDED_DN_OID, true, extended_dn_ctrl);
397 if (ret != LDB_SUCCESS) {
401 ret = ldb_request(ldb, search_req);
402 if (ret == LDB_SUCCESS) {
403 ret = ldb_wait(search_req->handle, LDB_WAIT_ALL);
406 torture_assert_int_equal(tctx, ret, LDB_SUCCESS,
407 talloc_asprintf(tctx,
408 "Could not re-fetch object just delivered over DRS: %s",
409 ldb_errstring(ldb)));
410 torture_assert_int_equal(tctx, res->count, 1, "Could not re-fetch object just delivered over DRS");
411 ldap_msg = res->msgs[0];
412 for (j=0; j < ldap_msg->num_elements; j++) {
413 ldap_msg->elements[j].flags = LDB_FLAG_MOD_ADD;
414 /* For unknown reasons, there is no nTSecurityDescriptor on cn=deleted objects over LDAP, but there is over DRS! Skip it on both transports for now here so */
415 if ((ldb_attr_cmp(ldap_msg->elements[j].name, "nTSecurityDescriptor") == 0) &&
416 (ldb_dn_compare(ldap_msg->dn, deleted_dn) == 0)) {
417 ldb_msg_remove_element(ldap_msg, &ldap_msg->elements[j]);
423 ret = ldb_msg_normalize(ldb, search_req,
424 objs->objects[i].msg, &drs_msg);
425 torture_assert(tctx, ret == LDB_SUCCESS,
426 "ldb_msg_normalize() has failed");
428 for (j=0; j < drs_msg->num_elements; j++) {
429 if (drs_msg->elements[j].num_values == 0) {
430 ldb_msg_remove_element(drs_msg, &drs_msg->elements[j]);
434 /* For unknown reasons, there is no nTSecurityDescriptor on cn=deleted objects over LDAP, but there is over DRS! */
435 } else if ((ldb_attr_cmp(drs_msg->elements[j].name, "nTSecurityDescriptor") == 0) &&
436 (ldb_dn_compare(drs_msg->dn, deleted_dn) == 0)) {
437 ldb_msg_remove_element(drs_msg, &drs_msg->elements[j]);
440 } else if (ldb_attr_cmp(drs_msg->elements[j].name, "unicodePwd") == 0 ||
441 ldb_attr_cmp(drs_msg->elements[j].name, "dBCSPwd") == 0 ||
442 ldb_attr_cmp(drs_msg->elements[j].name, "ntPwdHistory") == 0 ||
443 ldb_attr_cmp(drs_msg->elements[j].name, "lmPwdHistory") == 0 ||
444 ldb_attr_cmp(drs_msg->elements[j].name, "supplementalCredentials") == 0 ||
445 ldb_attr_cmp(drs_msg->elements[j].name, "priorValue") == 0 ||
446 ldb_attr_cmp(drs_msg->elements[j].name, "currentValue") == 0 ||
447 ldb_attr_cmp(drs_msg->elements[j].name, "trustAuthOutgoing") == 0 ||
448 ldb_attr_cmp(drs_msg->elements[j].name, "trustAuthIncoming") == 0 ||
449 ldb_attr_cmp(drs_msg->elements[j].name, "initialAuthOutgoing") == 0 ||
450 ldb_attr_cmp(drs_msg->elements[j].name, "initialAuthIncoming") == 0) {
452 /* These are not shown over LDAP, so we need to skip them for the comparison */
453 ldb_msg_remove_element(drs_msg, &drs_msg->elements[j]);
457 drs_msg->elements[j].flags = LDB_FLAG_MOD_ADD;
462 ret = ldb_msg_difference(ldb, search_req,
463 drs_msg, ldap_msg, &new_msg);
464 torture_assert(tctx, ret == LDB_SUCCESS, "ldb_msg_difference() has failed");
465 if (new_msg->num_elements != 0) {
467 bool is_warning = true;
469 struct ldb_message_element *el;
470 const struct dsdb_attribute * a;
471 struct ldb_ldif ldif;
472 ldif.changetype = LDB_CHANGETYPE_MODIFY;
474 s = ldb_ldif_write_string(ldb, new_msg, &ldif);
475 s = talloc_asprintf(tctx, "\n# Difference in between DRS and LDAP objects: \n%s", s);
477 ret = ldb_msg_difference(ldb, search_req,
478 ldap_msg, drs_msg, &ldif.msg);
479 torture_assert(tctx, ret == LDB_SUCCESS, "ldb_msg_difference() has failed");
480 s = talloc_asprintf_append(s,
481 "\n# Difference in between LDAP and DRS objects: \n%s",
482 ldb_ldif_write_string(ldb, new_msg, &ldif));
484 s = talloc_asprintf_append(s,
485 "# Should have no objects in 'difference' message. Diff elements: %d",
486 new_msg->num_elements);
489 * In case differences in messages are:
490 * 1. Attributes with different values, i.e. 'replace'
491 * 2. Those attributes are forward-link attributes
492 * then we just warn about those differences.
493 * It turns out windows doesn't send all of those values
494 * in replicated_object but in linked_attributes.
496 for (idx = 0; idx < new_msg->num_elements && is_warning; idx++) {
497 el = &new_msg->elements[idx];
498 a = dsdb_attribute_by_lDAPDisplayName(ldap_schema,
500 if (!(el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE))) {
503 } else if (a->linkID & 1) {
508 torture_warning(tctx, "%s", s);
510 torture_fail(tctx, s);
514 /* search_req is used as a tmp talloc context in the above */
515 talloc_free(search_req);
518 if (!lpcfg_parm_bool(tctx->lp_ctx, NULL, "dssync", "print_pwd_blobs", false)) {
523 save_values_dir = lpcfg_parm_string(tctx->lp_ctx, NULL, "dssync", "save_pwd_blobs_dir");
525 for (cur = first_object; cur; cur = cur->next_object) {
527 bool dn_printed = false;
529 if (!cur->object.identifier) continue;
531 dn = cur->object.identifier->dn;
533 for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) {
534 const char *name = NULL;
535 DATA_BLOB plain_data;
536 struct drsuapi_DsReplicaAttribute *attr;
537 ndr_pull_flags_fn_t pull_fn = NULL;
538 ndr_print_fn_t print_fn = NULL;
540 attr = &cur->object.attribute_ctr.attributes[i];
542 switch (attr->attid) {
543 case DRSUAPI_ATTID_dBCSPwd:
546 case DRSUAPI_ATTID_unicodePwd:
549 case DRSUAPI_ATTID_ntPwdHistory:
550 name = "ntPwdHistory";
552 case DRSUAPI_ATTID_lmPwdHistory:
553 name = "lmPwdHistory";
555 case DRSUAPI_ATTID_supplementalCredentials:
556 name = "supplementalCredentials";
557 pull_fn = (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob;
558 print_fn = (ndr_print_fn_t)ndr_print_supplementalCredentialsBlob;
559 ptr = talloc(ctx, struct supplementalCredentialsBlob);
561 case DRSUAPI_ATTID_priorValue:
564 case DRSUAPI_ATTID_currentValue:
565 name = "currentValue";
567 case DRSUAPI_ATTID_trustAuthOutgoing:
568 name = "trustAuthOutgoing";
569 pull_fn = (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob;
570 print_fn = (ndr_print_fn_t)ndr_print_trustAuthInOutBlob;
571 ptr = talloc(ctx, struct trustAuthInOutBlob);
573 case DRSUAPI_ATTID_trustAuthIncoming:
574 name = "trustAuthIncoming";
575 pull_fn = (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob;
576 print_fn = (ndr_print_fn_t)ndr_print_trustAuthInOutBlob;
577 ptr = talloc(ctx, struct trustAuthInOutBlob);
579 case DRSUAPI_ATTID_initialAuthOutgoing:
580 name = "initialAuthOutgoing";
582 case DRSUAPI_ATTID_initialAuthIncoming:
583 name = "initialAuthIncoming";
589 if (attr->value_ctr.num_values != 1) continue;
591 if (!attr->value_ctr.values[0].blob) continue;
593 plain_data = *attr->value_ctr.values[0].blob;
597 DEBUG(0,("DN[%u] %s\n", object_id, dn));
600 DEBUGADD(0,("ATTR: %s plain.length=%lu\n",
601 name, (long)plain_data.length));
602 if (plain_data.length) {
603 enum ndr_err_code ndr_err;
604 dump_data(0, plain_data.data, plain_data.length);
605 if (save_values_dir) {
607 fname = talloc_asprintf(ctx, "%s/%s%02d",
612 ok = file_save(fname, plain_data.data, plain_data.length);
614 DEBUGADD(0,("Failed to save '%s'\n", fname));
621 /* Can't use '_all' because of PIDL bugs with relative pointers */
622 ndr_err = ndr_pull_struct_blob(&plain_data, ptr,
624 if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
625 ndr_print_debug(print_fn, name, ptr);
627 DEBUG(0, ("Failed to decode %s\n", name));
638 static bool test_GetNCChanges(struct torture_context *tctx,
639 struct DsSyncTest *ctx,
640 const char *nc_dn_str)
645 uint64_t highest_usn = 0;
646 struct drsuapi_DsGetNCChanges r;
647 union drsuapi_DsGetNCChangesRequest req;
648 struct drsuapi_DsReplicaObjectIdentifier nc;
649 struct drsuapi_DsGetNCChangesCtr1 *ctr1 = NULL;
650 struct drsuapi_DsGetNCChangesCtr6 *ctr6 = NULL;
651 uint32_t out_level = 0;
652 struct GUID null_guid;
653 struct dom_sid null_sid;
654 DATA_BLOB gensec_skey;
666 ZERO_STRUCT(null_guid);
667 ZERO_STRUCT(null_sid);
669 highest_usn = lpcfg_parm_int(tctx->lp_ctx, NULL, "dssync", "highest_usn", 0);
671 array[0].level = lpcfg_parm_int(tctx->lp_ctx, NULL, "dssync", "get_nc_changes_level", array[0].level);
673 if (lpcfg_parm_bool(tctx->lp_ctx, NULL, "dssync", "print_pwd_blobs", false)) {
674 const struct samr_Password *nthash;
675 nthash = cli_credentials_get_nt_hash(ctx->new_dc.credentials, ctx);
677 dump_data_pw("CREDENTIALS nthash:", nthash->hash, sizeof(nthash->hash));
680 status = gensec_session_key(ctx->new_dc.drsuapi.drs_pipe->conn->security_state.generic_state,
682 if (!NT_STATUS_IS_OK(status)) {
683 printf("failed to get gensec session key: %s\n", nt_errstr(status));
687 for (i=0; i < ARRAY_SIZE(array); i++) {
688 printf("Testing DsGetNCChanges level %d\n",
691 r.in.bind_handle = &ctx->new_dc.drsuapi.bind_handle;
692 r.in.level = array[i].level;
694 switch (r.in.level) {
701 r.in.req->req5.destination_dsa_guid = ctx->new_dc.invocation_id;
702 r.in.req->req5.source_dsa_invocation_id = null_guid;
703 r.in.req->req5.naming_context = &nc;
704 r.in.req->req5.highwatermark.tmp_highest_usn = highest_usn;
705 r.in.req->req5.highwatermark.reserved_usn = 0;
706 r.in.req->req5.highwatermark.highest_usn = highest_usn;
707 r.in.req->req5.uptodateness_vector = NULL;
708 r.in.req->req5.replica_flags = 0;
709 if (lpcfg_parm_bool(tctx->lp_ctx, NULL, "dssync", "compression", false)) {
710 r.in.req->req5.replica_flags |= DRSUAPI_DRS_USE_COMPRESSION;
712 if (lpcfg_parm_bool(tctx->lp_ctx, NULL, "dssync", "neighbour_writeable", true)) {
713 r.in.req->req5.replica_flags |= DRSUAPI_DRS_WRIT_REP;
715 r.in.req->req5.replica_flags |= DRSUAPI_DRS_INIT_SYNC
716 | DRSUAPI_DRS_PER_SYNC
717 | DRSUAPI_DRS_GET_ANC
718 | DRSUAPI_DRS_NEVER_SYNCED
720 r.in.req->req5.max_object_count = 133;
721 r.in.req->req5.max_ndr_size = 1336770;
722 r.in.req->req5.extended_op = DRSUAPI_EXOP_NONE;
723 r.in.req->req5.fsmo_info = 0;
730 /* nc.dn can be set to any other ad partition */
733 r.in.req->req8.destination_dsa_guid = ctx->new_dc.invocation_id;
734 r.in.req->req8.source_dsa_invocation_id = null_guid;
735 r.in.req->req8.naming_context = &nc;
736 r.in.req->req8.highwatermark.tmp_highest_usn = highest_usn;
737 r.in.req->req8.highwatermark.reserved_usn = 0;
738 r.in.req->req8.highwatermark.highest_usn = highest_usn;
739 r.in.req->req8.uptodateness_vector = NULL;
740 r.in.req->req8.replica_flags = 0;
741 if (lpcfg_parm_bool(tctx->lp_ctx, NULL, "dssync", "compression", false)) {
742 r.in.req->req8.replica_flags |= DRSUAPI_DRS_USE_COMPRESSION;
744 if (lpcfg_parm_bool(tctx->lp_ctx, NULL, "dssync", "neighbour_writeable", true)) {
745 r.in.req->req8.replica_flags |= DRSUAPI_DRS_WRIT_REP;
747 r.in.req->req8.replica_flags |= DRSUAPI_DRS_INIT_SYNC
748 | DRSUAPI_DRS_PER_SYNC
749 | DRSUAPI_DRS_GET_ANC
750 | DRSUAPI_DRS_NEVER_SYNCED
752 r.in.req->req8.max_object_count = 402;
753 r.in.req->req8.max_ndr_size = 402116;
755 r.in.req->req8.extended_op = DRSUAPI_EXOP_NONE;
756 r.in.req->req8.fsmo_info = 0;
757 r.in.req->req8.partial_attribute_set = NULL;
758 r.in.req->req8.partial_attribute_set_ex = NULL;
759 r.in.req->req8.mapping_ctr.num_mappings = 0;
760 r.in.req->req8.mapping_ctr.mappings = NULL;
767 union drsuapi_DsGetNCChangesCtr ctr;
771 r.out.level_out = &_level;
774 if (r.in.level == 5) {
775 torture_comment(tctx,
776 "start[%d] tmp_higest_usn: %llu , highest_usn: %llu\n",
778 (unsigned long long) r.in.req->req5.highwatermark.tmp_highest_usn,
779 (unsigned long long) r.in.req->req5.highwatermark.highest_usn);
782 if (r.in.level == 8) {
783 torture_comment(tctx,
784 "start[%d] tmp_higest_usn: %llu , highest_usn: %llu\n",
786 (unsigned long long) r.in.req->req8.highwatermark.tmp_highest_usn,
787 (unsigned long long) r.in.req->req8.highwatermark.highest_usn);
790 status = dcerpc_drsuapi_DsGetNCChanges_r(ctx->new_dc.drsuapi.drs_handle, ctx, &r);
791 torture_drsuapi_assert_call(tctx, ctx->new_dc.drsuapi.drs_pipe, status,
792 &r, "dcerpc_drsuapi_DsGetNCChanges");
794 if (ret == true && *r.out.level_out == 1) {
796 ctr1 = &r.out.ctr->ctr1;
797 } else if (ret == true && *r.out.level_out == 2 &&
798 r.out.ctr->ctr2.mszip1.ts) {
800 ctr1 = &r.out.ctr->ctr2.mszip1.ts->ctr1;
803 if (out_level == 1) {
804 torture_comment(tctx,
805 "end[%d] tmp_highest_usn: %llu , highest_usn: %llu\n",
807 (unsigned long long) ctr1->new_highwatermark.tmp_highest_usn,
808 (unsigned long long) ctr1->new_highwatermark.highest_usn);
810 if (!test_analyse_objects(tctx, ctx, nc_dn_str, &ctr1->mapping_ctr, ctr1->object_count,
811 ctr1->first_object, &gensec_skey)) {
815 if (ctr1->more_data) {
816 r.in.req->req5.highwatermark = ctr1->new_highwatermark;
821 if (ret == true && *r.out.level_out == 6) {
823 ctr6 = &r.out.ctr->ctr6;
824 } else if (ret == true && *r.out.level_out == 7
825 && r.out.ctr->ctr7.level == 6
826 && r.out.ctr->ctr7.type == DRSUAPI_COMPRESSION_TYPE_MSZIP
827 && r.out.ctr->ctr7.ctr.mszip6.ts) {
829 ctr6 = &r.out.ctr->ctr7.ctr.mszip6.ts->ctr6;
830 } else if (ret == true && *r.out.level_out == 7
831 && r.out.ctr->ctr7.level == 6
832 && r.out.ctr->ctr7.type == DRSUAPI_COMPRESSION_TYPE_XPRESS
833 && r.out.ctr->ctr7.ctr.xpress6.ts) {
835 ctr6 = &r.out.ctr->ctr7.ctr.xpress6.ts->ctr6;
838 if (out_level == 6) {
839 torture_comment(tctx,
840 "end[%d] tmp_highest_usn: %llu , highest_usn: %llu\n",
842 (unsigned long long) ctr6->new_highwatermark.tmp_highest_usn,
843 (unsigned long long) ctr6->new_highwatermark.highest_usn);
845 if (!test_analyse_objects(tctx, ctx, nc_dn_str, &ctr6->mapping_ctr, ctr6->object_count,
846 ctr6->first_object, &gensec_skey)) {
850 if (ctr6->more_data) {
851 r.in.req->req8.highwatermark = ctr6->new_highwatermark;
864 * Test DsGetNCChanges() DRSUAPI call against one
865 * or more Naming Contexts.
866 * Specific NC to test with may be supplied
867 * in lp_ctx configuration. If no NC is specified,
868 * it will test DsGetNCChanges() on all NCs on remote DC
870 static bool test_FetchData(struct torture_context *tctx, struct DsSyncTest *ctx)
874 const char *nc_dn_str;
875 const char **nc_list;
877 nc_list = const_str_list(str_list_make_empty(ctx));
878 torture_assert(tctx, nc_list, "Not enough memory!");
880 /* make a list of partitions to test with */
881 nc_dn_str = lpcfg_parm_string(tctx->lp_ctx, NULL, "dssync", "partition");
882 if (nc_dn_str == NULL) {
883 nc_list = str_list_add_const(nc_list, ctx->domain_dn);
884 nc_list = str_list_add_const(nc_list, ctx->config_dn);
885 nc_list = str_list_add_const(nc_list, ctx->schema_dn);
887 nc_list = str_list_add_const(nc_list, nc_dn_str);
890 count = str_list_length(nc_list);
891 for (i = 0; i < count && ret; i++) {
892 torture_comment(tctx, "\nNaming Context: %s\n", nc_list[i]);
893 ret = test_GetNCChanges(tctx, ctx, nc_list[i]);
896 talloc_free(nc_list);
901 static bool test_FetchNT4Data(struct torture_context *tctx,
902 struct DsSyncTest *ctx)
905 struct drsuapi_DsGetNT4ChangeLog r;
906 union drsuapi_DsGetNT4ChangeLogRequest req;
907 union drsuapi_DsGetNT4ChangeLogInfo info;
908 uint32_t level_out = 0;
909 struct GUID null_guid;
910 struct dom_sid null_sid;
913 ZERO_STRUCT(null_guid);
914 ZERO_STRUCT(null_sid);
918 r.in.bind_handle = &ctx->new_dc.drsuapi.bind_handle;
921 r.out.level_out = &level_out;
923 req.req1.flags = lpcfg_parm_int(tctx->lp_ctx, NULL,
924 "dssync", "nt4changelog_flags",
925 DRSUAPI_NT4_CHANGELOG_GET_CHANGELOG |
926 DRSUAPI_NT4_CHANGELOG_GET_SERIAL_NUMBERS);
927 req.req1.preferred_maximum_length = lpcfg_parm_int(tctx->lp_ctx, NULL,
928 "dssync", "nt4changelog_preferred_len",
932 req.req1.restart_length = cookie.length;
933 req.req1.restart_data = cookie.data;
937 status = dcerpc_drsuapi_DsGetNT4ChangeLog_r(ctx->new_dc.drsuapi.drs_handle, ctx, &r);
938 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
940 "DsGetNT4ChangeLog not supported: NT_STATUS_NOT_IMPLEMENTED");
941 } else if (!NT_STATUS_IS_OK(status)) {
942 const char *errstr = nt_errstr(status);
943 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
945 "DsGetNT4ChangeLog not supported: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE");
948 talloc_asprintf(tctx, "dcerpc_drsuapi_DsGetNT4ChangeLog failed - %s\n",
950 } else if (W_ERROR_EQUAL(r.out.result, WERR_INVALID_DOMAIN_ROLE)) {
952 "DsGetNT4ChangeLog not supported: WERR_INVALID_DOMAIN_ROLE");
953 } else if (!W_ERROR_IS_OK(r.out.result)) {
955 talloc_asprintf(tctx, "DsGetNT4ChangeLog failed - %s\n",
956 win_errstr(r.out.result)));
957 } else if (*r.out.level_out != 1) {
959 talloc_asprintf(tctx, "DsGetNT4ChangeLog unknown level - %u\n",
961 } else if (NT_STATUS_IS_OK(r.out.info->info1.status)) {
962 } else if (NT_STATUS_EQUAL(r.out.info->info1.status, STATUS_MORE_ENTRIES)) {
963 cookie.length = r.out.info->info1.restart_length;
964 cookie.data = r.out.info->info1.restart_data;
968 talloc_asprintf(tctx, "DsGetNT4ChangeLog failed - %s\n",
969 nt_errstr(r.out.info->info1.status)));
979 * DSSYNC test case setup
981 static bool torture_dssync_tcase_setup(struct torture_context *tctx, void **data)
984 struct DsSyncTest *ctx;
986 *data = ctx = test_create_context(tctx);
987 torture_assert(tctx, ctx, "test_create_context() failed");
989 bret = _test_DsBind(tctx, ctx, ctx->admin.credentials, &ctx->admin.drsuapi);
990 torture_assert(tctx, bret, "_test_DsBind() failed");
992 bret = test_LDAPBind(tctx, ctx, ctx->admin.credentials, &ctx->admin.ldap);
993 torture_assert(tctx, bret, "test_LDAPBind() failed");
995 bret = test_GetInfo(tctx, ctx);
996 torture_assert(tctx, bret, "test_GetInfo() failed");
998 bret = _test_DsBind(tctx, ctx, ctx->new_dc.credentials, &ctx->new_dc.drsuapi);
999 torture_assert(tctx, bret, "_test_DsBind() failed");
1005 * DSSYNC test case cleanup
1007 static bool torture_dssync_tcase_teardown(struct torture_context *tctx, void *data)
1009 struct DsSyncTest *ctx;
1010 struct drsuapi_DsUnbind r;
1011 struct policy_handle bind_handle;
1013 ctx = talloc_get_type(data, struct DsSyncTest);
1016 r.out.bind_handle = &bind_handle;
1018 /* Unbing admin handle */
1019 r.in.bind_handle = &ctx->admin.drsuapi.bind_handle;
1020 dcerpc_drsuapi_DsUnbind_r(ctx->admin.drsuapi.drs_handle, ctx, &r);
1022 /* Unbing new_dc handle */
1023 r.in.bind_handle = &ctx->new_dc.drsuapi.bind_handle;
1024 dcerpc_drsuapi_DsUnbind_r(ctx->new_dc.drsuapi.drs_handle, ctx, &r);
1032 * DSSYNC test case implementation
1034 void torture_drs_rpc_dssync_tcase(struct torture_suite *suite)
1036 typedef bool (*run_func) (struct torture_context *test, void *tcase_data);
1037 struct torture_tcase *tcase = torture_suite_add_tcase(suite, "dssync");
1039 torture_tcase_set_fixture(tcase,
1040 torture_dssync_tcase_setup,
1041 torture_dssync_tcase_teardown);
1043 torture_tcase_add_simple_test(tcase, "DC_FetchData", (run_func)test_FetchData);
1044 torture_tcase_add_simple_test(tcase, "FetchNT4Data", (run_func)test_FetchNT4Data);