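        /// <summary>
        /// Verifies that an attribute added to the RODC Filtered Attribute Set (FAS) is not
        /// replicated to the RODC. The test sets the FAS bit in <c>searchFlags</c> of
        /// "Employee-Number" on the writable DC, replicates the schema NC to the RODC, writes a
        /// fresh <c>employeeNumber</c> value on a temporary user, and then — bound to the
        /// writable DC as the RODC machine account — fetches the domain NC changes with
        /// IDL_DRSGetNCChanges and asserts that the new value is absent from the reply.
        /// </summary>
        /// <remarks>
        /// Cleanup (deleting the temporary user and clearing <c>searchFlags</c> on
        /// "Employee-Number") runs in a <c>finally</c> block so that a failing assertion or an
        /// exception from the DRS calls does not leave the schema or domain NC modified for the
        /// tests that follow.
        /// </remarks>
        public void DRSR_RODC_FAS_Add_Attribute()
        {
            DrsrTestChecker.Check();

            EnvironmentConfig.Machine rodcEnum = EnvironmentConfig.Machine.RODC;
            EnvironmentConfig.Machine dc1Enum  = EnvironmentConfig.Machine.WritableDC1;
            DsServer dc1  = (DsServer)EnvironmentConfig.MachineStore[dc1Enum];
            DsServer rodc = (DsServer)EnvironmentConfig.MachineStore[rodcEnum];

            // FAS: first try "Employee-Number"
            string nc              = LdapUtility.GetDnFromNcType(dc1, NamingContext.SchemaNC);
            string searchFlagsAttr = "searchFlags";
            string attrDn          = "CN=Employee-Number," + nc;
            string attrName        = "employeeNumber";

            // Wait until the FAS bit is effective on DC01. Note that the write below replaces the
            // whole searchFlags value with kRODC_FAS, so any other flag previously set on the
            // attribute is cleared for the duration of the test (and reset to 0 at the end).
            uint searchFlags = 0;

            for (int timeOut = 0; timeOut < kMaxTimeOut; ++timeOut)
            {
                // Convert.ToUInt32(null) yields 0, so a missing searchFlags value simply
                // falls through to the modify below.
                searchFlags = Convert.ToUInt32(
                    ldapAdapter.GetAttributeValueInString(dc1, attrDn, searchFlagsAttr));

                if ((searchFlags & kRODC_FAS) != 0)
                {
                    // the attribute is already in the FAS
                    BaseTestSite.Log.Add(LogEntryKind.Comment, "FAS already effective.");
                    break;
                }

                ldapAdapter.ModifyAttribute(dc1, attrDn, new DirectoryAttribute(searchFlagsAttr, kRODC_FAS.ToString()));

                System.Threading.Thread.Sleep(kMaxTimeoutInMilliseconds);
            }

            BaseTestSite.Assert.IsTrue((searchFlags & kRODC_FAS) != 0, "FAS is set successfully on {0}", dc1.NetbiosName);

            // Bind to the RODC as a domain admin and trigger a full sync of the schema NC from DC01.
            // NOTE(review): this bind is never released with DrsUnbind(rodcEnum) — confirm whether
            // drsTestClient expects the caller to unbind each machine.
            uint ret = drsTestClient.DrsBind(rodcEnum, EnvironmentConfig.User.ParentDomainAdmin, DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_BASE);
            Assert.IsTrue(ret == 0);

            ret = drsTestClient.DrsReplicaSync(rodcEnum, DrsReplicaSync_Versions.V1, dc1Enum, DRS_OPTIONS.DRS_FULL_SYNC_NOW, false, NamingContext.SchemaNC);
            BaseTestSite.Assert.IsTrue(ret == 0, "Start replica from {0} to {1}.", dc1.NetbiosName, rodc.NetbiosName);

            // wait until the schema change (FAS) is replicated to the RODC
            BaseTestSite.Log.Add(LogEntryKind.Comment, "Waiting for FAS to be replicated, searchFlags: {0}", searchFlags);
            bool isFasReplicated = false;

            for (int timeOut = 0; timeOut < kMaxTimeOut; ++timeOut)
            {
                if (IsObjectReplicated(dc1, rodc, NamingContext.SchemaNC, attrDn))
                {
                    isFasReplicated = true;
                    BaseTestSite.Log.Add(LogEntryKind.Comment, "FAS applied.");
                    break;
                }

                System.Threading.Thread.Sleep(kMaxTimeoutInMilliseconds);
            }

            BaseTestSite.Assert.IsTrue(isFasReplicated, "Replica from {0} succeeded.", dc1.NetbiosName);

            // create the user first if it doesn't exist.
            string userDn = ldapAdapter.TestAddUserObj(dc1);

            Assert.IsNotNull(userDn);

            try
            {
                // Take a "snapshot" of the current RODC replication state. The snapshot is used
                // to impersonate the earlier state of the RODC AFTER the change has been
                // replicated to the actual RODC, so the GetNCChanges request below covers the
                // employeeNumber modification.
                USN_VECTOR?             usnFrom   = null;
                UPTODATE_VECTOR_V1_EXT? utdVector = null;

                SnapshotReplicationState(dc1, rodc, NamingContext.DomainNC, out usnFrom, out utdVector);

                // modify Employee Number with a random value so a stale replica cannot match by accident
                int    newValue      = _rnd.Next();
                string expectedValue = newValue.ToString();

                ResultCode r = ldapAdapter.ModifyAttribute(dc1, userDn, new DirectoryAttribute(attrName, expectedValue));

                Assert.AreEqual<ResultCode>(ResultCode.Success, r);

                ret = drsTestClient.DrsReplicaSync(rodcEnum, DrsReplicaSync_Versions.V1, dc1Enum, DRS_OPTIONS.DRS_ASYNC_OP, false, NamingContext.DomainNC);
                BaseTestSite.Assert.IsTrue(ret == 0, "Start replica from {0} to {1}.", dc1.NetbiosName, rodc.NetbiosName);

                // Wait until the change is replicated by the actual RODC: check the originating
                // USNs on the RODC to make sure the replication has completed.
                bool replicated = false;

                for (int timeOut = 0; timeOut < kMaxTimeOut; ++timeOut)
                {
                    if (IsObjectReplicated(dc1, rodc, NamingContext.DomainNC, userDn))
                    {
                        replicated = true;
                        break;
                    }

                    System.Threading.Thread.Sleep(kMaxTimeoutInMilliseconds);
                }

                BaseTestSite.Assert.IsTrue(replicated, "Replica from {0} succeeded.", dc1.NetbiosName);

                // DRSBind to the writable DC as the RODC machine account, advertising
                // GETCHGREPLY_V6 and strong-encryption support.
                DRS_EXTENSIONS_IN_FLAGS clientCapabilities
                    = DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_BASE
                      | DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_GETCHGREPLY_V6
                      | DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_STRONG_ENCRYPTION;

                ret = drsTestClient.DrsBind(dc1Enum, EnvironmentConfig.User.RODCMachineAccount, clientCapabilities);
                Assert.IsTrue(ret == 0);

                uint?                outVersion;
                DRS_MSG_GETCHGREPLY? outMessage = null;

                try
                {
                    // secrets are NOT requested here; only the FAS behaviour is under test
                    ret = drsTestClient.DrsGetNCChangesV2(
                        dc1Enum,
                        dc1,
                        rodc,
                        userDn,
                        usnFrom.Value,
                        utdVector.Value,
                        false,
                        out outVersion,
                        out outMessage);
                }
                finally
                {
                    // DRSUnbind even when the GetNCChanges call throws
                    uint unbindRet = drsTestClient.DrsUnbind(dc1Enum);
                    Assert.IsTrue(unbindRet == 0);
                }

                BaseTestSite.Assert.IsTrue(outMessage.HasValue, "DrsGetNCChanges returned a reply (status {0}).", ret);

                // check in outMessage that the FAS attribute (employeeNumber) was not replicated.
                DRS_MSG_GETCHGREPLY_V6 replyV6 = outMessage.Value.V6;

                REPLENTINFLIST[] objectList = replyV6.pObjects;

                if (objectList != null)
                {
                    foreach (REPLENTINFLIST entInf in objectList)
                    {
                        for (int i = 0; i < entInf.Entinf.AttrBlock.attrCount; ++i)
                        {
                            ATTR   attr        = entInf.Entinf.AttrBlock.pAttr[i];
                            string displayName = GetLdapDisplayName(dc1, attr.attrTyp, replyV6.PrefixTableSrc);

                            if (displayName != attrName)
                            {
                                continue;
                            }

                            // An attribute entry can be present with no values; guard before
                            // indexing pAVal[0].
                            if (attr.AttrVal.pAVal == null || attr.AttrVal.pAVal.Length == 0)
                            {
                                BaseTestSite.Log.Add(LogEntryKind.Comment, "{0} appears in the reply without values.", attrName);
                                continue;
                            }

                            // examine the new value
                            string value = System.Text.Encoding.Unicode.GetString(attr.AttrVal.pAVal[0].pVal);

                            BaseTestSite.Assert.AreNotEqual<string>(
                                expectedValue,
                                value,
                                "{0} is in FAS, should not be replicated", attrName);
                        }
                    }
                }
            }
            finally
            {
                try
                {
                    // remove the temp user
                    ldapAdapter.DeleteObject(dc1, userDn);
                }
                finally
                {
                    // FAS: Remove "Employee-Number" from the FAS, even if the user cleanup failed
                    ResultCode resetResult = ldapAdapter.ModifyAttribute(dc1, attrDn, new DirectoryAttribute(searchFlagsAttr, "0"));
                    BaseTestSite.Log.Add(LogEntryKind.Comment, "Reset {0} on {1}: {2}", searchFlagsAttr, attrDn, resetResult);
                }
            }
        }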
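        /// <summary>
        /// Verifies that the secret attributes of a user in the RODC revealed list are returned
        /// to the RODC. A temporary user is created, added to the "Allowed RODC Password
        /// Replication Group" and given a password; once both the user and the group have
        /// replicated to the RODC, the test binds to the writable DC as the RODC machine
        /// account, calls IDL_DRSGetNCChanges with secrets requested, and asserts that at least
        /// one secret attribute in the reply carries a value.
        /// </summary>
        /// <remarks>
        /// The temporary user is deleted in a <c>finally</c> block so a failed assertion or DRS
        /// call does not leave an extra member in the password-replication group.
        /// </remarks>
        public void DRSR_RODC_Credential_Caching_Revealed()
        {
            DrsrTestChecker.Check();

            EnvironmentConfig.Machine rodcEnum = EnvironmentConfig.Machine.RODC;
            EnvironmentConfig.Machine dc1Enum  = EnvironmentConfig.Machine.WritableDC1;
            DsServer dc1  = (DsServer)EnvironmentConfig.MachineStore[dc1Enum];
            DsServer rodc = (DsServer)EnvironmentConfig.MachineStore[rodcEnum];

            // take a snapshot of the current replication state of the RODC
            USN_VECTOR?             usnFrom   = null;
            UPTODATE_VECTOR_V1_EXT? utdVector = null;

            SnapshotReplicationState(dc1, rodc, NamingContext.DomainNC, out usnFrom, out utdVector);

            // we need a user and put it into the Revealed List.
            // create the user first if it doesn't exist.
            string nc     = LdapUtility.GetDnFromNcType(dc1, NamingContext.DomainNC);
            string userDn = ldapAdapter.TestAddUserObj(dc1);

            Assert.IsNotNull(userDn);

            try
            {
                // add this user to the "Allowed RODC Password Replication Group"
                string allowedDn = "CN=Allowed RODC Password Replication Group, CN=Users," + nc;

                ResultCode r = ldapAdapter.AddObjectToGroup(dc1, userDn, allowedDn);

                Assert.IsTrue(r == ResultCode.Success);

                // Set password of the user (fixture value for the temporary account, which is
                // deleted at the end of the test)
                LdapUtility.ChangeUserPassword(dc1, userDn, "1*admin");

                // Wait until both the user and the group are replicated by the actual RODC.
                // Each object gets its own timeout window and its own assertion.
                string[] objectsToReplicate = new string[] { userDn, allowedDn };

                foreach (string dn in objectsToReplicate)
                {
                    bool replicated = false;

                    for (int timeOut = 0; timeOut < kMaxTimeOut; ++timeOut)
                    {
                        if (IsObjectReplicated(dc1, rodc, NamingContext.DomainNC, dn))
                        {
                            replicated = true;
                            break;
                        }

                        System.Threading.Thread.Sleep(kMaxTimeoutInMilliseconds);
                    }

                    BaseTestSite.Assert.IsTrue(replicated, "{0} should be replicated to the RODC", dn);
                }

                // DRSBind to the writable DC as the RODC machine account, advertising
                // GETCHGREPLY_V6 and strong-encryption support.
                DRS_EXTENSIONS_IN_FLAGS clientCapabilities
                    = DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_BASE
                      | DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_GETCHGREPLY_V6
                      | DRS_EXTENSIONS_IN_FLAGS.DRS_EXT_STRONG_ENCRYPTION;

                uint ret = drsTestClient.DrsBind(dc1Enum, EnvironmentConfig.User.RODCMachineAccount, clientCapabilities);

                Assert.IsTrue(ret == 0);

                uint?                outVersion;
                DRS_MSG_GETCHGREPLY? outMessage = null;

                try
                {
                    ret = drsTestClient.DrsGetNCChangesV2(
                        dc1Enum,
                        dc1,
                        rodc,
                        userDn,
                        usnFrom.Value,
                        utdVector.Value,
                        true,  // request secrets
                        out outVersion,
                        out outMessage);
                }
                finally
                {
                    // DRSUnbind even when the GetNCChanges call throws
                    uint unbindRet = drsTestClient.DrsUnbind(dc1Enum);
                    Assert.IsTrue(unbindRet == 0);
                }

                BaseTestSite.Assert.IsTrue(outMessage.HasValue, "DrsGetNCChanges returned a reply (status {0}).", ret);

                // check in outMessage that at least one secret attribute is replicated with a value.
                DRS_MSG_GETCHGREPLY_V6 replyV6 = outMessage.Value.V6;

                REPLENTINFLIST[] objectList = replyV6.pObjects;

                bool   secretFound          = false;
                string firstSecretAttribute = null;

                if (objectList != null)
                {
                    foreach (REPLENTINFLIST entInf in objectList)
                    {
                        for (int i = 0; i < entInf.Entinf.AttrBlock.attrCount; ++i)
                        {
                            ATTR   attr = entInf.Entinf.AttrBlock.pAttr[i];
                            string secretName;

                            if (!IsSecretAttribute(dc1, attr.attrTyp, replyV6.PrefixTableSrc, out secretName))
                            {
                                continue;
                            }

                            // remember the first secret attribute seen so the failure message names it
                            if (firstSecretAttribute == null)
                            {
                                firstSecretAttribute = secretName;
                            }

                            // a secret counts as revealed only when it actually carries a value
                            if (attr.AttrVal.pAVal != null && attr.AttrVal.pAVal.Length > 0)
                            {
                                secretFound = true;
                            }
                        }
                    }
                }

                BaseTestSite.Assert.IsTrue(
                    secretFound,
                    "Secret attribute {0} should appear in the response when user is in the revealed list",
                    firstSecretAttribute);
            }
            finally
            {
                // remove the temp user (and with it its group membership)
                ldapAdapter.DeleteObject(dc1, userDn);
            }
        }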