authorAndrew Bartlett <abartlet@samba.org>2022-12-15 16:02:55 +1300
committerStefan Metzmacher <metze@samba.org>2023-01-31 12:50:33 +0000
commit7c43388576f768db564aaf15a47d3f9ce5796fb3 (patch)
tree5452ab42e84c855528ca2fdb26f199e3a40e38e9 /source4/torture/drs/python/repl_rodc.py
parent539221dda33f03a1abf5ee5f3153db0fe1a9bfe6 (diff)
s4-selftest/drs: Confirm GetNCChanges REPL_SECRET works with a DummyDN and real GUID
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4/torture/drs/python/repl_rodc.py')
-rw-r--r--source4/torture/drs/python/repl_rodc.py46
1 files changed, 46 insertions, 0 deletions
diff --git a/source4/torture/drs/python/repl_rodc.py b/source4/torture/drs/python/repl_rodc.py
index bf609250dd1..317d4a0c24a 100644
--- a/source4/torture/drs/python/repl_rodc.py
+++ b/source4/torture/drs/python/repl_rodc.py
@@ -159,6 +159,52 @@ class DrsRodcTestCase(drs_base.DrsBaseTestCase):
# Check that the user has been added to msDSRevealedUsers
self._assert_in_revealed_users(user_dn, expected_user_attributes)
+ def test_admin_repl_secrets_DummyDN_GUID(self):
+ """
+ When a secret attribute is set to be replicated to an RODC with the
+ admin credentials, it should always replicate regardless of whether
+ or not it's in the Allowed RODC Password Replication Group.
+ """
+ rand = random.randint(1, 10000000)
+ expected_user_attributes = [drsuapi.DRSUAPI_ATTID_lmPwdHistory,
+ drsuapi.DRSUAPI_ATTID_supplementalCredentials,
+ drsuapi.DRSUAPI_ATTID_ntPwdHistory,
+ drsuapi.DRSUAPI_ATTID_unicodePwd,
+ drsuapi.DRSUAPI_ATTID_dBCSPwd]
+
+ user_name = "test_rodcA_%s" % rand
+ user_dn = "CN=%s,%s" % (user_name, self.ou)
+ self.ldb_dc1.add({
+ "dn": user_dn,
+ "objectclass": "user",
+ "sAMAccountName": user_name
+ })
+
+ res = self.ldb_dc1.search(base=user_dn, scope=ldb.SCOPE_BASE,
+ attrs=["objectGUID"])
+
+ user_guid = misc.GUID(res[0]["objectGUID"][0])
+
+ # Store some secret on this user
+ self.ldb_dc1.setpassword("(sAMAccountName=%s)" % user_name, 'penguin12#', False, user_name)
+
+ req10 = self._getnc_req10(dest_dsa=str(self.rodc_ctx.ntds_guid),
+ invocation_id=self.ldb_dc1.get_invocation_id(),
+ nc_dn_str="DummyDN",
+ nc_guid=user_guid,
+ exop=drsuapi.DRSUAPI_EXOP_REPL_SECRET,
+ partial_attribute_set=drs_get_rodc_partial_attribute_set(self.ldb_dc1, self.tmp_samdb),
+ max_objects=133,
+ replica_flags=0)
+ try:
+ (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, 10, req10)
+ except WERRORError as e1:
+ (enum, estr) = e1.args
+ self.fail(f"DsGetNCChanges failed with {estr}")
+
+ # Check that the user has been added to msDSRevealedUsers
+ self._assert_in_revealed_users(user_dn, expected_user_attributes)
+
def test_rodc_repl_secrets(self):
"""
When a secret attribute is set to be replicated to an RODC with
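Review bot: The new test never inspects the DsGetNCChanges reply: `level` and `ctr` are assigned and then unused, so the only thing verified is the msDS-RevealedUsers side effect looked up by `user_dn`. Because the request names the object only through `nc_guid`, with the placeholder `nc_dn_str="DummyDN"`, the test should also pin that the reply carries exactly the GUID-identified object, for example `self.assertEqual(ctr.object_count, 1)` and `self.assertEqual(str(ctr.first_object.object.identifier.guid), str(user_guid))` after the `try` block (field names as in the level-6 reply; confirm `level` is 6 first). The docstring appears to restate the admin-credentials case and says nothing about the DummyDN/GUID lookup this test exists for; a sentence such as `The object is identified by objectGUID only; the DN in the request is a placeholder the server must ignore.` would make the intent clear. `_assert_in_revealed_users` and the rest of the class are defined outside the hunk, so what that helper checks cannot be confirmed from here.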