r13908: Improve the RPC-SAMSYNC test to cross-check some attributes I wasn't

sure about.

This finds a new ACB_PW_EXPIRED attribute.

Andrew Bartlett
(This used to be commit 54caf94942)

source4/librpc/idl/samr.idl

@@ -36,7 +36,8 @@
 		ACB_TRUSTED_FOR_DELEGATION	= 0x00002000,  /* 1 = Trusted for Delegation */
 		ACB_NOT_DELEGATED		= 0x00004000,  /* 1 = Not delegated */
 		ACB_USE_DES_KEY_ONLY		= 0x00008000,  /* 1 = Use DES key only */
-		ACB_DONT_REQUIRE_PREAUTH	= 0x00010000   /* 1 = Preauth not required */
+		ACB_DONT_REQUIRE_PREAUTH	= 0x00010000,  /* 1 = Preauth not required */
+		ACB_PW_EXPIRED                  = 0x00020000   /* 1 = Password Expired */
 	} samr_AcctFlags;
 
 	/******************/

source4/torture/rpc/samr.c

@@ -178,8 +178,8 @@ static BOOL test_SetUserInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 
 	uint32_t user_extra_flags = 0;
 	if (base_acct_flags == ACB_NORMAL) {
-		/* Don't know what this is, but it is always here for users - you can't get rid of it */
-		user_extra_flags = 0x20000;
+		/* When created, accounts are expired by default */
+		user_extra_flags = ACB_PW_EXPIRED;
 	}
 
 	s.in.user_handle = handle;
@@ -359,7 +359,7 @@ static BOOL test_SetUserInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 			  (base_acct_flags  | ACB_DISABLED | user_extra_flags), 
 			  0);
 	
-	/* Setting PWNOEXP clears the magic 0x20000 flag */
+	/* Setting PWNOEXP clears the magic ACB_PW_EXPIRED flag */
 	TEST_USERINFO_INT_EXP(16, acct_flags, 5, acct_flags, 
 			  (base_acct_flags  | ACB_DISABLED | ACB_PWNOEXP), 
 			  (base_acct_flags  | ACB_DISABLED | ACB_PWNOEXP), 

source4/torture/rpc/samsync.c

@@ -221,8 +221,8 @@ static struct sec_desc_buf *samsync_query_lsa_sec_desc(TALLOC_CTX *mem_ctx,
 } while (0)
 #define TEST_INT_EQUAL(i1, i2) do {\
 	if (i1 != i2) {\
-	      printf("%s: integer mismatch: " #i1 ":%d != " #i2 ": %d\n", \
-		     __location__, i1, i2);\
+	      printf("%s: integer mismatch: " #i1 ": 0x%08x (%d) != " #i2 ": 0x%08x (%d)\n", \
+		     __location__, i1, i1, i2, i2);			\
 	      ret = False;\
 	} \
 } while (0)
@@ -498,7 +498,22 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy
 	TEST_TIME_EQUAL(q.out.info->info21.acct_expiry,
 		       user->acct_expiry);
 
-	TEST_INT_EQUAL(q.out.info->info21.acct_flags, user->acct_flags);
+	TEST_INT_EQUAL((q.out.info->info21.acct_flags & ~ACB_PW_EXPIRED), user->acct_flags);
+	if (user->acct_flags & ACB_PWNOEXP) {
+		if (q.out.info->info21.acct_flags & ACB_PW_EXPIRED) {
+			printf("ACB flags mismatch: both expired and no expiry!\n");
+			ret = False;
+		}
+		if (q.out.info->info21.force_password_change != (NTTIME)0x7FFFFFFFFFFFFFFFULL) {
+			printf("ACB flags mismatch: no password expiry, but force password change 0x%016llx (%lld) != 0x%016llx (%lld)\n",
+			       (unsigned long long)q.out.info->info21.force_password_change, 
+			       (unsigned long long)q.out.info->info21.force_password_change,
+			       (unsigned long long)0x7FFFFFFFFFFFFFFFULL, (unsigned long long)0x7FFFFFFFFFFFFFFFULL
+				);
+			ret = False;
+		}
+	}
+
 	TEST_INT_EQUAL(q.out.info->info21.nt_password_set, user->nt_password_present);
 	TEST_INT_EQUAL(q.out.info->info21.lm_password_set, user->lm_password_present);
 	TEST_INT_EQUAL(q.out.info->info21.password_expired, user->password_expired);
@@ -586,6 +601,10 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy
 		if (user->acct_flags & ACB_AUTOLOCK) {
 			return True;
 		}
+	} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED)) {
+		if (q.out.info->info21.acct_flags & ACB_PW_EXPIRED) {
+			return True;
+		}
 	} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
 		if (!lm_hash_p && !nt_hash_p) {
 			return True;
@@ -618,6 +637,7 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy
 		TEST_TIME_EQUAL(user->last_logon, info3->base.last_logon);
 		TEST_TIME_EQUAL(user->acct_expiry, info3->base.acct_expiry);
 		TEST_TIME_EQUAL(user->last_password_change, info3->base.last_password_change);
+		TEST_TIME_EQUAL(q.out.info->info21.force_password_change, info3->base.force_password_change);
 
 		/* Does the concept of a logoff time ever really
 		 * exist? (not in any sensible way, according to the
@@ -1176,21 +1196,24 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state,
 						ret = False;
 					}
 					break;
+				case NETR_DELTA_GROUP_MEMBER:
+				case NETR_DELTA_ALIAS_MEMBER:
+					/* These are harder to cross-check, and we expect them */
+					break;
 				case NETR_DELTA_DELETE_GROUP:
 				case NETR_DELTA_RENAME_GROUP:
 				case NETR_DELTA_DELETE_USER:
 				case NETR_DELTA_RENAME_USER:
-				case NETR_DELTA_GROUP_MEMBER:
 				case NETR_DELTA_DELETE_ALIAS:
 				case NETR_DELTA_RENAME_ALIAS:
-				case NETR_DELTA_ALIAS_MEMBER:
 				case NETR_DELTA_DELETE_TRUST:
 				case NETR_DELTA_DELETE_ACCOUNT:
 				case NETR_DELTA_DELETE_SECRET:
 				case NETR_DELTA_DELETE_GROUP2:
 				case NETR_DELTA_DELETE_USER2:
 				case NETR_DELTA_MODIFY_COUNT:
-					printf("Unhandled delta type %d\n", r.out.delta_enum_array->delta_enum[d].delta_type);
+				default:
+					printf("Uxpected delta type %d\n", r.out.delta_enum_array->delta_enum[d].delta_type);
 					ret = False;
 					break;
 				}