selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs clone-dc-database

This test, compared with the direct to RPC tests, will succeed, then fail once the
server is changed to emulate Samba 4.5 and and again succeed once the python code
changes to allow skipping the DRSUAPI_DRS_CRITICAL_ONLY step

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7ff743d65dcf27ffe0c6861720e8ce531bfa378d)

2 files changed, 107 insertions, 0 deletions

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 5cc46d703e1..3ee001e147d 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -1460,6 +1460,9 @@ planoldpythontestsuite(env, "ridalloc_exop",
 #
 # That is why this test is run on the isolated environment and not on
 # those connected with ad_dc (vampiredc/promoteddc)
+#
+# The chgdcpass enviroment is likewise isolated and emulates Samba 4.5
+# with regard to GET_ANC
 
 env = 'schema_pair_dc'
 planoldpythontestsuite("%s:local" % env, "samba_tool_drs",
@@ -1467,6 +1470,12 @@ planoldpythontestsuite("%s:local" % env, "samba_tool_drs",
                        name="samba4.drs.samba_tool_drs.python(%s)" % env,
                        environ={'DC1': '$DC_SERVER', 'DC2': '$SERVER'},
                        extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
+for env in ['chgdcpass', 'schema_pair_dc']:
+    planoldpythontestsuite("%s:local" % env, "samba_tool_drs_critical",
+                           extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
+                           name="samba4.drs.samba_tool_drs_critical.python(%s)" % env,
+                           environ={'DC1': '$DC_SERVER', 'DC2': '$SERVER'},
+                           extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
 planoldpythontestsuite(env, "getnc_schema",
                        extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
                        name="samba4.drs.getnc_schema.python(%s)" % env,
diff --git a/source4/torture/drs/python/samba_tool_drs_critical.py b/source4/torture/drs/python/samba_tool_drs_critical.py
new file mode 100644
index 00000000000..47f9e942dc9
--- /dev/null
+++ b/source4/torture/drs/python/samba_tool_drs_critical.py
@@ -0,0 +1,98 @@
+# Blackbox tests for "samba-tool drs" command
+# Copyright (C) Kamen Mazdrashki <kamenim@samba.org> 2011
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""Blackbox tests for samba-tool drs."""
+
+import samba.tests
+import os
+import ldb
+import drs_base
+import random
+
+class SambaToolDrsTests(drs_base.DrsBaseTestCase):
+    """Blackbox test case for samba-tool drs."""
+
+    def setUp(self):
+        super(SambaToolDrsTests, self).setUp()
+
+        self.dc1 = samba.tests.env_get_var_value("DC1")
+        self.dc2 = samba.tests.env_get_var_value("DC2")
+
+        creds = self.get_credentials()
+        self.cmdline_creds = "-U%s/%s%%%s" % (creds.get_domain(),
+                                              creds.get_username(), creds.get_password())
+
+    def tearDown(self):
+        self._enable_inbound_repl(self.dnsname_dc1)
+        self._enable_inbound_repl(self.dnsname_dc2)
+
+        self.rm_files('names.tdb', allow_missing=True)
+        self.rm_dirs('etc', 'msg.lock', 'private', 'state', 'bind-dns',
+                     allow_missing=True)
+
+        super(SambaToolDrsTests, self).tearDown()
+
+    # This test is for the Samba 4.5 emulation servers (but runs
+    # against a normal server as well) that fail to correctly
+    # implement DRSUAPI_DRS_GET_ANC when DRSUAPI_DRS_CRITICAL_ONLY is
+    # set.
+    def test_samba_tool_drs_clone_dc_critical_object_chain(self):
+        """Tests 'samba-tool drs clone-dc-database' command with a Critical/non-critical/critical object chain."""
+
+        samdb = samba.tests.connect_samdb(self.dc1, lp=self.get_loadparm(),
+                                          credentials=self.get_credentials(),
+                                          ldap_only=True)
+        server_rootdse = samdb.search(base="",
+                                      scope=samba.tests.ldb.SCOPE_BASE)[0]
+        nc_name = server_rootdse["defaultNamingContext"][0]
+        server_ldap_service_name = str(server_rootdse["ldapServiceName"][0])
+        server_realm = server_ldap_service_name.split(":")[0]
+
+        not_critical_dn = f"OU=not-critical{random.randint(1, 10000000)},{nc_name}"
+        samdb.create_ou(not_critical_dn)
+        self.addCleanup(samdb.delete,
+                        not_critical_dn)
+        domain_sid = samdb.get_domain_sid()
+        admin_sid = f"{domain_sid}-500"
+        samdb.rename(f"<SID={admin_sid}>",
+                     f"cn=administrator,{not_critical_dn}")
+        self.addCleanup(samdb.rename,
+                        f"<SID={admin_sid}>",
+                        f"cn=administrator,cn=users,{nc_name}")
+
+        try:
+            out = self.check_output("samba-tool drs clone-dc-database %s --server=%s %s --targetdir=%s"
+                                    % (server_realm,
+                                       self.dc1,
+                                       self.cmdline_creds,
+                                       self.tempdir))
+        except samba.tests.BlackboxProcessError as e:
+            self.fail("Error calling samba-tool: %s" % e)
+
+        local_samdb = samba.tests.connect_samdb("ldb://" + os.path.join(self.tempdir, "private", "sam.ldb"),
+                                          ldap_only=False, lp=self.get_loadparm())
+
+        # Check administrator was replicated and is in the right place
+        res = local_samdb.search(base=str(nc_name),
+                                 expression="(&(objectclass=user)(cn=administrator))",
+                                 attrs=[], scope=ldb.SCOPE_SUBTREE)
+        self.assertEquals(len(res), 1)
+
+        admin_obj = res[0]
+
+        self.assertEquals(admin_obj.dn, ldb.Dn(samdb, f"cn=administrator,{not_critical_dn}"))