def _getnc_req10(self, dest_dsa, invocation_id, nc_dn_str, exop,
replica_flags=0, max_objects=0, partial_attribute_set=None,
partial_attribute_set_ex=None, mapping_ctr=None,
- more_flags=0):
+ more_flags=0, nc_guid=None):
req10 = drsuapi.DsGetNCChangesRequest10()
req10.destination_dsa_guid = misc.GUID(dest_dsa) if dest_dsa else misc.GUID()
req10.source_dsa_invocation_id = misc.GUID(invocation_id)
req10.naming_context = drsuapi.DsReplicaObjectIdentifier()
req10.naming_context.dn = str(nc_dn_str)
+ if nc_guid is not None:
+ req10.naming_context.guid = nc_guid
req10.highwatermark = drsuapi.DsReplicaHighWaterMark()
req10.highwatermark.tmp_highest_usn = 0
req10.highwatermark.reserved_usn = 0
# Check that the user has been added to msDSRevealedUsers
self._assert_in_revealed_users(user_dn, expected_user_attributes)
+ def test_admin_repl_secrets_DummyDN_GUID(self):
+ """
+ When a secret attribute is set to be replicated to an RODC with the
+ admin credentials, it should always replicate regardless of whether
+ or not it's in the Allowed RODC Password Replication Group.
+ """
+ rand = random.randint(1, 10000000)
+ expected_user_attributes = [drsuapi.DRSUAPI_ATTID_lmPwdHistory,
+ drsuapi.DRSUAPI_ATTID_supplementalCredentials,
+ drsuapi.DRSUAPI_ATTID_ntPwdHistory,
+ drsuapi.DRSUAPI_ATTID_unicodePwd,
+ drsuapi.DRSUAPI_ATTID_dBCSPwd]
+
+ user_name = "test_rodcA_%s" % rand
+ user_dn = "CN=%s,%s" % (user_name, self.ou)
+ self.ldb_dc1.add({
+ "dn": user_dn,
+ "objectclass": "user",
+ "sAMAccountName": user_name
+ })
+
+ res = self.ldb_dc1.search(base=user_dn, scope=ldb.SCOPE_BASE,
+ attrs=["objectGUID"])
+
+ user_guid = misc.GUID(res[0]["objectGUID"][0])
+
+ # Store some secret on this user
+ self.ldb_dc1.setpassword("(sAMAccountName=%s)" % user_name, 'penguin12#', False, user_name)
+
+ req10 = self._getnc_req10(dest_dsa=str(self.rodc_ctx.ntds_guid),
+ invocation_id=self.ldb_dc1.get_invocation_id(),
+ nc_dn_str="DummyDN",
+ nc_guid=user_guid,
+ exop=drsuapi.DRSUAPI_EXOP_REPL_SECRET,
+ partial_attribute_set=drs_get_rodc_partial_attribute_set(self.ldb_dc1, self.tmp_samdb),
+ max_objects=133,
+ replica_flags=0)
+ try:
+ (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, 10, req10)
+ except WERRORError as e1:
+ (enum, estr) = e1.args
+ self.fail(f"DsGetNCChanges failed with {estr}")
+
+ # Check that the user has been added to msDSRevealedUsers
+ self._assert_in_revealed_users(user_dn, expected_user_attributes)
+
def test_rodc_repl_secrets(self):
"""
When a secret attribute is set to be replicated to an RODC with