traffic: Machine accounts were generated as critical objects

Due to the userAccountControl flags we were specifying, the machine
accounts were all created as critical objects. When trying to populate
1000s of machine accounts in a DB, this makes replication unnecessarily
slow (because it has to replicate them all twice).

This patch changes it so when we're just creating machine accounts for
the purpose of populating a semi-realistic DB, we jsut use the default
WORKSTATION_TRUST_ACCOUNT flag.

Note that for the accounts used for traffic-replay, we apparently need
the existing flags in order for the DC to accept certain requests.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Tim Beale <timbeale@samba.org>
Autobuild-Date(master): Mon Nov  5 03:43:24 CET 2018 on sn-devel-144

diff --git a/python/samba/emulate/traffic.py b/python/samba/emulate/traffic.py
index ef08c7e42110f46e1fcbdb8faf86c2c9e14cb514..af05163f145d23cf592c99f005ae8923d60e53a8 100644 (file)
--- a/python/samba/emulate/traffic.py
+++ b/python/samba/emulate/traffic.py
@@ -45,7 +45,8 @@ from samba.auth import system_session
 from samba.dsdb import (
     UF_NORMAL_ACCOUNT,
     UF_SERVER_TRUST_ACCOUNT,
-    UF_TRUSTED_FOR_DELEGATION
+    UF_TRUSTED_FOR_DELEGATION,
+    UF_WORKSTATION_TRUST_ACCOUNT
 )
 from samba.dcerpc.misc import SEC_CHAN_BDC
 from samba import gensec
@@ -1662,19 +1663,28 @@ def generate_traffic_accounts(ldb, instance_id, number, password):
         LOGGER.info("Added %d new user accounts" % added)
 
 
-def create_machine_account(ldb, instance_id, netbios_name, machinepass):
+def create_machine_account(ldb, instance_id, netbios_name, machinepass,
+                           traffic_account=True):
     """Create a machine account via ldap."""
 
     ou = ou_name(ldb, instance_id)
     dn = "cn=%s,%s" % (netbios_name, ou)
     utf16pw = ('"%s"' % get_string(machinepass)).encode('utf-16-le')
 
+    if traffic_account:
+        # we set these bits for the machine account otherwise the replayed
+        # traffic throws up NT_STATUS_NO_TRUST_SAM_ACCOUNT errors
+        account_controls = str(UF_TRUSTED_FOR_DELEGATION |
+                               UF_SERVER_TRUST_ACCOUNT)
+
+    else:
+        account_controls = str(UF_WORKSTATION_TRUST_ACCOUNT)
+
     ldb.add({
         "dn": dn,
         "objectclass": "computer",
         "sAMAccountName": "%s$" % netbios_name,
-        "userAccountControl":
-            str(UF_TRUSTED_FOR_DELEGATION | UF_SERVER_TRUST_ACCOUNT),
+        "userAccountControl": account_controls,
         "unicodePwd": utf16pw})
 
 
@@ -1745,7 +1755,8 @@ def generate_machine_accounts(ldb, instance_id, number, password):
         name = "STGM-%d-%d$" % (instance_id, i)
         if name not in existing_objects:
             name = "STGM-%d-%d" % (instance_id, i)
-            create_machine_account(ldb, instance_id, name, password)
+            create_machine_account(ldb, instance_id, name, password,
+                                   traffic_account=False)
             added += 1
             if added % 50 == 0:
                 LOGGER.info("Created %u/%u machine accounts" % (added, number))