-rw-r--r--source4/librpc/idl/samr.idl3
-rw-r--r--source4/torture/rpc/samr.c6
-rw-r--r--source4/torture/rpc/samsync.c35
3 files changed, 34 insertions, 10 deletions
diff --git a/source4/librpc/idl/samr.idl b/source4/librpc/idl/samr.idl
index d511a4f332..5b6fb30ec7 100644
--- a/source4/librpc/idl/samr.idl
+++ b/source4/librpc/idl/samr.idl
@@ -36,7 +36,8 @@
ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */
ACB_NOT_DELEGATED = 0x00004000, /* 1 = Not delegated */
ACB_USE_DES_KEY_ONLY = 0x00008000, /* 1 = Use DES key only */
- ACB_DONT_REQUIRE_PREAUTH = 0x00010000 /* 1 = Preauth not required */
+ ACB_DONT_REQUIRE_PREAUTH = 0x00010000, /* 1 = Preauth not required */
+ ACB_PW_EXPIRED = 0x00020000 /* 1 = Password Expired */
} samr_AcctFlags;
/******************/
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index e109bb7f30..3950942b54 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -178,8 +178,8 @@ static BOOL test_SetUserInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
uint32_t user_extra_flags = 0;
if (base_acct_flags == ACB_NORMAL) {
- /* Don't know what this is, but it is always here for users - you can't get rid of it */
- user_extra_flags = 0x20000;
+ /* When created, accounts are expired by default */
+ user_extra_flags = ACB_PW_EXPIRED;
}
s.in.user_handle = handle;
@@ -359,7 +359,7 @@ static BOOL test_SetUserInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
(base_acct_flags | ACB_DISABLED | user_extra_flags),
0);
- /* Setting PWNOEXP clears the magic 0x20000 flag */
+ /* Setting PWNOEXP clears the magic ACB_PW_EXPIRED flag */
TEST_USERINFO_INT_EXP(16, acct_flags, 5, acct_flags,
(base_acct_flags | ACB_DISABLED | ACB_PWNOEXP),
(base_acct_flags | ACB_DISABLED | ACB_PWNOEXP),
diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
index 0b4fb14fda..68a5a4a2b6 100644
--- a/source4/torture/rpc/samsync.c
+++ b/source4/torture/rpc/samsync.c
@@ -221,8 +221,8 @@ static struct sec_desc_buf *samsync_query_lsa_sec_desc(TALLOC_CTX *mem_ctx,
} while (0)
#define TEST_INT_EQUAL(i1, i2) do {\
if (i1 != i2) {\
- printf("%s: integer mismatch: " #i1 ":%d != " #i2 ": %d\n", \
- __location__, i1, i2);\
+ printf("%s: integer mismatch: " #i1 ": 0x%08x (%d) != " #i2 ": 0x%08x (%d)\n", \
+ __location__, i1, i1, i2, i2); \
ret = False;\
} \
} while (0)
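Review bot: The rewritten `TEST_INT_EQUAL` still compares its arguments unparenthesized (`if (i1 != i2)`) and now expands each of them three times, so an argument such as `a & b` would parse as `a & (b != i2)` and an argument with side effects would run more than once. The call added later in this commit only works because the caller wrapped the masked flags in its own parentheses. The `0x%08x` and `%d` conversions also receive whatever type the caller passes, which is a mismatch for anything that is not int-sized. Suggest `if ((i1) != (i2)) {` and passing `(unsigned int)(i1), (int)(i1), (unsigned int)(i2), (int)(i2)` to printf.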
@@ -498,7 +498,22 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy
TEST_TIME_EQUAL(q.out.info->info21.acct_expiry,
user->acct_expiry);
- TEST_INT_EQUAL(q.out.info->info21.acct_flags, user->acct_flags);
+ TEST_INT_EQUAL((q.out.info->info21.acct_flags & ~ACB_PW_EXPIRED), user->acct_flags);
+ if (user->acct_flags & ACB_PWNOEXP) {
+ if (q.out.info->info21.acct_flags & ACB_PW_EXPIRED) {
+ printf("ACB flags mismatch: both expired and no expiry!\n");
+ ret = False;
+ }
+ if (q.out.info->info21.force_password_change != (NTTIME)0x7FFFFFFFFFFFFFFFULL) {
+ printf("ACB flags mismatch: no password expiry, but force password change 0x%016llx (%lld) != 0x%016llx (%lld)\n",
+ (unsigned long long)q.out.info->info21.force_password_change,
+ (unsigned long long)q.out.info->info21.force_password_change,
+ (unsigned long long)0x7FFFFFFFFFFFFFFFULL, (unsigned long long)0x7FFFFFFFFFFFFFFFULL
+ );
+ ret = False;
+ }
+ }
+
TEST_INT_EQUAL(q.out.info->info21.nt_password_set, user->nt_password_present);
TEST_INT_EQUAL(q.out.info->info21.lm_password_set, user->lm_password_present);
TEST_INT_EQUAL(q.out.info->info21.password_expired, user->password_expired);
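Review bot: In the new `force_password_change` message the two `%lld` conversions are given `(unsigned long long)` arguments, so the signedness does not match the conversion; cast those two arguments to `(long long)` or print them with `%llu`. The literal `0x7FFFFFFFFFFFFFFFULL` appears three times in the block and would be easier to audit as one named constant, with a comment saying it is the value the test expects for accounts whose password does not expire. With `& ~ACB_PW_EXPIRED` in the comparison, the expired bit is only examined when `ACB_PWNOEXP` is set; nothing visible in this hunk validates it for other accounts, so a comment stating that this is intentional would help. `samsync_handle_user` starts and ends outside the hunk.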
@@ -586,6 +601,10 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy
if (user->acct_flags & ACB_AUTOLOCK) {
return True;
}
+ } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED)) {
+ if (q.out.info->info21.acct_flags & ACB_PW_EXPIRED) {
+ return True;
+ }
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
if (!lm_hash_p && !nt_hash_p) {
return True;
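Review bot: The new `NT_STATUS_PASSWORD_EXPIRED` branch returns `True` without a comment, and it relies on the SAMR view (`q.out.info->info21.acct_flags`) rather than the samsync delta, which is not obvious when reading the chain. A short comment would help, e.g. `/* logon refused: acceptable only if SAMR reports the password as expired */`. As in the `ACB_AUTOLOCK` branch above it, the early return presumably skips whatever cross-checks follow the chain for this user, so it is worth stating that this is intended. The if/else chain starts and ends outside the hunk.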
@@ -618,6 +637,7 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy
TEST_TIME_EQUAL(user->last_logon, info3->base.last_logon);
TEST_TIME_EQUAL(user->acct_expiry, info3->base.acct_expiry);
TEST_TIME_EQUAL(user->last_password_change, info3->base.last_password_change);
+ TEST_TIME_EQUAL(q.out.info->info21.force_password_change, info3->base.force_password_change);
/* Does the concept of a logoff time ever really
* exist? (not in any sensible way, according to the
@@ -1176,21 +1196,24 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state,
ret = False;
}
break;
+ case NETR_DELTA_GROUP_MEMBER:
+ case NETR_DELTA_ALIAS_MEMBER:
+ /* These are harder to cross-check, and we expect them */
+ break;
case NETR_DELTA_DELETE_GROUP:
case NETR_DELTA_RENAME_GROUP:
case NETR_DELTA_DELETE_USER:
case NETR_DELTA_RENAME_USER:
- case NETR_DELTA_GROUP_MEMBER:
case NETR_DELTA_DELETE_ALIAS:
case NETR_DELTA_RENAME_ALIAS:
- case NETR_DELTA_ALIAS_MEMBER:
case NETR_DELTA_DELETE_TRUST:
case NETR_DELTA_DELETE_ACCOUNT:
case NETR_DELTA_DELETE_SECRET:
case NETR_DELTA_DELETE_GROUP2:
case NETR_DELTA_DELETE_USER2:
case NETR_DELTA_MODIFY_COUNT:
- printf("Unhandled delta type %d\n", r.out.delta_enum_array->delta_enum[d].delta_type);
+ default:
+ printf("Uxpected delta type %d\n", r.out.delta_enum_array->delta_enum[d].delta_type);
ret = False;
break;
}
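Review bot: The new message string is misspelled, `"Uxpected delta type %d\n"`; it should read `"Unexpected delta type %d\n"`, since this is the text someone will search for when the test fails. Separately, `NETR_DELTA_GROUP_MEMBER` and `NETR_DELTA_ALIAS_MEMBER` now pass silently with only "harder to cross-check" as the reason. Going by their names these are the membership deltas, so a `/* TODO: cross-check membership against SAMR */` comment would record that the gap is known rather than intended. The switch starts outside the hunk.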