author | Andrew Tridgell <tridge@samba.org> | 2010-09-02 18:41:45 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-09-04 12:29:10 +1000 |
commit | 389d35708ea910e68468648396f405e52907c749 (patch) | |
tree | 9f93b98b8b33149824fc7d81cb7ebbedb188d241 | |
parent | 48323d88cc4ca3a08d1bd79c748061c775d57eca (diff) | |
torture-lsa: cope with STATUS_SOME_UNMAPPED errors
Now that we support SePrintOperatorPrivilege, an interaction between
the spoolss tests and the privileges tests causes a failure. The
failure happens like this:
- the spoolss.access test creates and then deletes an account with
SePrintOperatorPrivilege privilege
- this leaves the privileges database with an entry for a deleted
account that is still visible via LSA calls. This is correct
behaviour (verified against w2k8r2)
- the lsa.privileges test then enumerates all accounts that have at
least one privilege, and gets the SID for the deleted account
- it then called LookupNames and LookupSids on this deleted account,
and gets an error.
The fix is to not call LookupSids and LookupNames on sids which have
SID_NAME_UNKNOWN as the type
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/torture/rpc/lsa.c | 65 |
1 files changed, 50 insertions, 15 deletions
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 5d4f597fcb..9283fc3e31 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -176,19 +176,28 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b, struct lsa_String *names; uint32_t count = 0; int i; + uint32_t *input_idx; torture_comment(tctx, "\nTesting LookupNames with %d names\n", tnames->count); sids.count = 0; sids.sids = NULL; + + r.in.num_names = 0; + + input_idx = talloc_array(tctx, uint32_t, tnames->count); names = talloc_array(tctx, struct lsa_String, tnames->count); + for (i=0;i<tnames->count;i++) { - init_lsa_String(&names[i], tnames->names[i].name.string); + if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) { + init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string); + input_idx[r.in.num_names] = i; + r.in.num_names++; + } } r.in.handle = handle; - r.in.num_names = tnames->count; r.in.names = names; r.in.sids = &sids; r.in.level = 1;
@@ -201,7 +210,7 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b, "LookupNames failed"); if (NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED) || NT_STATUS_EQUAL(r.out.result, NT_STATUS_NONE_MAPPED)) { - for (i=0;i< tnames->count;i++) { + for (i=0;i< r.in.num_names;i++) { if (i < count && sids.sids[i].sid_type == SID_NAME_UNKNOWN) { torture_comment(tctx, "LookupName of %s was unmapped\n", tnames->names[i].name.string);
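Review bot: The new `input_idx` array in test_LookupNames is used without a NULL check, and nothing says that it maps each request slot back to its index in `tnames`; the same pattern is repeated in the LookupNames2, LookupNames3 and LookupNames4 hunks. A comment above the filter loop such as `/* input_idx[n] is the tnames index of the n-th name sent; SID_NAME_UNKNOWN entries are skipped */` would make the later `tnames->names[input_idx[i]]` lookups readable. Adding `torture_assert(tctx, input_idx != NULL, "talloc_array failed");` after the allocation would turn an allocation failure into a test failure rather than a crash. The function starts and ends outside the hunk.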
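Review bot: The unmapped-name message in the STATUS_SOME_UNMAPPED branch still prints `tnames->names[i].name.string`, but `i` now indexes the filtered request, so once any SID_NAME_UNKNOWN entry has been skipped the log names the wrong account. It should read `tnames->names[input_idx[i]].name.string`, matching the later checks in this function after this commit. The branch continues outside the hunk, so any other `tnames->names[i]` use there would need the same change.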
@@ -219,22 +228,23 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b, return false; } - for (i=0;i< tnames->count;i++) { + for (i=0;i< r.in.num_names;i++) { if (i < count) { - if (sids.sids[i].sid_type != tnames->names[i].sid_type) { + if (sids.sids[i].sid_type != tnames->names[input_idx[i]].sid_type) { torture_comment(tctx, "LookupName of %s got unexpected name type: %s\n", - tnames->names[i].name.string, sid_type_lookup(sids.sids[i].sid_type)); + tnames->names[input_idx[i]].name.string, + sid_type_lookup(sids.sids[i].sid_type)); return false; } if ((sids.sids[i].sid_type == SID_NAME_DOMAIN) && (sids.sids[i].rid != (uint32_t)-1)) { torture_comment(tctx, "LookupName of %s got unexpected rid: %d\n", - tnames->names[i].name.string, sids.sids[i].rid); + tnames->names[input_idx[i]].name.string, sids.sids[i].rid); return false; } } else if (i >=count) { torture_comment(tctx, "LookupName of %s failed to return a result\n", - tnames->names[i].name.string); + tnames->names[input_idx[i]].name.string); return false; } }
@@ -394,14 +404,22 @@ static bool test_LookupNames2(struct dcerpc_binding_handle *b, sids.count = 0; sids.sids = NULL; + uint32_t *input_idx; + + r.in.num_names = 0; + input_idx = talloc_array(tctx, uint32_t, tnames->count); names = talloc_array(tctx, struct lsa_String, tnames->count); + for (i=0;i<tnames->count;i++) { - init_lsa_String(&names[i], tnames->names[i].name.string); + if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) { + init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string); + input_idx[r.in.num_names] = i; + r.in.num_names++; + } } r.in.handle = handle; - r.in.num_names = tnames->count; r.in.names = names; r.in.sids = &sids; r.in.level = 1;
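Review bot: In test_LookupNames2 `uint32_t *input_idx;` is declared after the `sids.count` and `sids.sids` assignments, whereas the test_LookupNames hunk declares it next to `int i;`. Moving it up to the function's other locals (outside this hunk) keeps the file consistent and avoids a declaration-after-statement warning on stricter builds. Within this hunk `input_idx` is filled but never read. If the result checks further down in test_LookupNames2 still index `tnames->names[i]`, they would compare against the wrong entry once a name has been skipped. The LookupNames3 and LookupNames4 hunks leave the same question open.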
@@ -446,19 +464,26 @@ static bool test_LookupNames3(struct dcerpc_binding_handle *b, struct lsa_String *names; uint32_t count = 0; int i; + uint32_t *input_idx; torture_comment(tctx, "\nTesting LookupNames3 with %d names\n", tnames->count); sids.count = 0; sids.sids = NULL; + r.in.num_names = 0; + + input_idx = talloc_array(tctx, uint32_t, tnames->count); names = talloc_array(tctx, struct lsa_String, tnames->count); for (i=0;i<tnames->count;i++) { - init_lsa_String(&names[i], tnames->names[i].name.string); + if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) { + init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string); + input_idx[r.in.num_names] = i; + r.in.num_names++; + } } r.in.handle = handle; - r.in.num_names = tnames->count; r.in.names = names; r.in.sids = &sids; r.in.level = 1;
@@ -501,15 +526,23 @@ static bool test_LookupNames4(struct dcerpc_binding_handle *b, struct lsa_String *names; uint32_t count = 0; int i; + uint32_t *input_idx; torture_comment(tctx, "\nTesting LookupNames4 with %d names\n", tnames->count); sids.count = 0; sids.sids = NULL; + r.in.num_names = 0; + + input_idx = talloc_array(tctx, uint32_t, tnames->count); names = talloc_array(tctx, struct lsa_String, tnames->count); for (i=0;i<tnames->count;i++) { - init_lsa_String(&names[i], tnames->names[i].name.string); + if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) { + init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string); + input_idx[r.in.num_names] = i; + r.in.num_names++; + } } r.in.num_names = tnames->count;
@@ -571,7 +604,8 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b, torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids_r(b, tctx, &r), "LookupSids failed"); - if (!NT_STATUS_IS_OK(r.out.result)) { + if (!NT_STATUS_IS_OK(r.out.result) && + !NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED)) { torture_comment(tctx, "LookupSids failed - %s\n", nt_errstr(r.out.result)); return false;
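Review bot: In test_LookupNames4 the unchanged line `r.in.num_names = tnames->count;` still follows the new filter loop, so it overwrites the filtered count. The request then claims `tnames->count` names while only the leading filtered slots of `names` were initialised. `talloc_array` does not zero its memory, so the remaining `lsa_String` entries are uninitialised when the call is marshalled. The other three functions had this assignment removed by the commit, and deleting it here as well gives the intended behaviour. The function continues outside the hunk.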
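Review bot: Accepting `STATUS_SOME_UNMAPPED` unconditionally in test_LookupSids, and in the test_LookupSids2 hunk that follows, means a regression that leaves a live account unresolved would now pass silently. The commit message expects only the deleted account to be unmapped, but nothing in the hunk records which SIDs came back unresolved. At minimum, log each reply entry of type `SID_NAME_UNKNOWN` with `torture_comment` when this status is returned, so a run shows what was tolerated. A short comment above the condition, such as `/* privilege entries for deleted accounts stay visible via LSA, so partial mapping is expected */`, would explain the relaxation. The code that consumes the reply is outside the hunk.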
@@ -615,7 +649,8 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b, torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids2_r(b, tctx, &r), "LookupSids2 failed"); - if (!NT_STATUS_IS_OK(r.out.result)) { + if (!NT_STATUS_IS_OK(r.out.result) && + !NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED)) { torture_comment(tctx, "LookupSids2 failed - %s\n", nt_errstr(r.out.result)); return false; |