From 4d024e6e64d34491f99d91485ed375d0632df31a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 7 Mar 2006 03:24:29 +0000 Subject: r13908: Improve the RPC-SAMSYNC test to cross-check some attributes I wasn't sure about. This finds a new ACB_PW_EXPIRED attribute. Andrew Bartlett (This used to be commit 54caf949425cb9a3437bd7051930384167b5e07d) --- source4/librpc/idl/samr.idl | 3 ++- source4/torture/rpc/samr.c | 6 +++--- source4/torture/rpc/samsync.c | 35 +++++++++++++++++++++++++++++------ 3 files changed, 34 insertions(+), 10 deletions(-) diff --git a/source4/librpc/idl/samr.idl b/source4/librpc/idl/samr.idl index d511a4f332..5b6fb30ec7 100644 --- a/source4/librpc/idl/samr.idl +++ b/source4/librpc/idl/samr.idl @@ -36,7 +36,8 @@ ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */ ACB_NOT_DELEGATED = 0x00004000, /* 1 = Not delegated */ ACB_USE_DES_KEY_ONLY = 0x00008000, /* 1 = Use DES key only */ - ACB_DONT_REQUIRE_PREAUTH = 0x00010000 /* 1 = Preauth not required */ + ACB_DONT_REQUIRE_PREAUTH = 0x00010000, /* 1 = Preauth not required */ + ACB_PW_EXPIRED = 0x00020000 /* 1 = Password Expired */ } samr_AcctFlags; /******************/ diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index e109bb7f30..3950942b54 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -178,8 +178,8 @@ static BOOL test_SetUserInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, uint32_t user_extra_flags = 0; if (base_acct_flags == ACB_NORMAL) { - /* Don't know what this is, but it is always here for users - you can't get rid of it */ - user_extra_flags = 0x20000; + /* When created, accounts are expired by default */ + user_extra_flags = ACB_PW_EXPIRED; } s.in.user_handle = handle; @@ -359,7 +359,7 @@ static BOOL test_SetUserInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, (base_acct_flags | ACB_DISABLED | user_extra_flags), 0); - /* Setting PWNOEXP clears the magic 0x20000 flag */ + /* Setting PWNOEXP clears the magic ACB_PW_EXPIRED flag */ TEST_USERINFO_INT_EXP(16, acct_flags, 5, acct_flags, (base_acct_flags | ACB_DISABLED | ACB_PWNOEXP), (base_acct_flags | ACB_DISABLED | ACB_PWNOEXP), diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c index 0b4fb14fda..68a5a4a2b6 100644 --- a/source4/torture/rpc/samsync.c +++ b/source4/torture/rpc/samsync.c @@ -221,8 +221,8 @@ static struct sec_desc_buf *samsync_query_lsa_sec_desc(TALLOC_CTX *mem_ctx, } while (0) #define TEST_INT_EQUAL(i1, i2) do {\ if (i1 != i2) {\ - printf("%s: integer mismatch: " #i1 ":%d != " #i2 ": %d\n", \ - __location__, i1, i2);\ + printf("%s: integer mismatch: " #i1 ": 0x%08x (%d) != " #i2 ": 0x%08x (%d)\n", \ + __location__, i1, i1, i2, i2); \ ret = False;\ } \ } while (0) @@ -498,7 +498,22 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy TEST_TIME_EQUAL(q.out.info->info21.acct_expiry, user->acct_expiry); - TEST_INT_EQUAL(q.out.info->info21.acct_flags, user->acct_flags); + TEST_INT_EQUAL((q.out.info->info21.acct_flags & ~ACB_PW_EXPIRED), user->acct_flags); + if (user->acct_flags & ACB_PWNOEXP) { + if (q.out.info->info21.acct_flags & ACB_PW_EXPIRED) { + printf("ACB flags mismatch: both expired and no expiry!\n"); + ret = False; + } + if (q.out.info->info21.force_password_change != (NTTIME)0x7FFFFFFFFFFFFFFFULL) { + printf("ACB flags mismatch: no password expiry, but force password change 0x%016llx (%lld) != 0x%016llx (%lld)\n", + (unsigned long long)q.out.info->info21.force_password_change, + (unsigned long long)q.out.info->info21.force_password_change, + (unsigned long long)0x7FFFFFFFFFFFFFFFULL, (unsigned long long)0x7FFFFFFFFFFFFFFFULL + ); + ret = False; + } + } + TEST_INT_EQUAL(q.out.info->info21.nt_password_set, user->nt_password_present); TEST_INT_EQUAL(q.out.info->info21.lm_password_set, user->lm_password_present); TEST_INT_EQUAL(q.out.info->info21.password_expired, user->password_expired); @@ -586,6 +601,10 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy if (user->acct_flags & ACB_AUTOLOCK) { return True; } + } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED)) { + if (q.out.info->info21.acct_flags & ACB_PW_EXPIRED) { + return True; + } } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { if (!lm_hash_p && !nt_hash_p) { return True; @@ -618,6 +637,7 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy TEST_TIME_EQUAL(user->last_logon, info3->base.last_logon); TEST_TIME_EQUAL(user->acct_expiry, info3->base.acct_expiry); TEST_TIME_EQUAL(user->last_password_change, info3->base.last_password_change); + TEST_TIME_EQUAL(q.out.info->info21.force_password_change, info3->base.force_password_change); /* Does the concept of a logoff time ever really * exist? (not in any sensible way, according to the @@ -1176,21 +1196,24 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state, ret = False; } break; + case NETR_DELTA_GROUP_MEMBER: + case NETR_DELTA_ALIAS_MEMBER: + /* These are harder to cross-check, and we expect them */ + break; case NETR_DELTA_DELETE_GROUP: case NETR_DELTA_RENAME_GROUP: case NETR_DELTA_DELETE_USER: case NETR_DELTA_RENAME_USER: - case NETR_DELTA_GROUP_MEMBER: case NETR_DELTA_DELETE_ALIAS: case NETR_DELTA_RENAME_ALIAS: - case NETR_DELTA_ALIAS_MEMBER: case NETR_DELTA_DELETE_TRUST: case NETR_DELTA_DELETE_ACCOUNT: case NETR_DELTA_DELETE_SECRET: case NETR_DELTA_DELETE_GROUP2: case NETR_DELTA_DELETE_USER2: case NETR_DELTA_MODIFY_COUNT: - printf("Unhandled delta type %d\n", r.out.delta_enum_array->delta_enum[d].delta_type); + default: + printf("Uxpected delta type %d\n", r.out.delta_enum_array->delta_enum[d].delta_type); ret = False; break; } -- cgit