r3885: Add security descriptor comparison to our RPC-SAMSYNC test. We now

verify that the security descriptor found in the SamSync is the same
as what is available over SAMR.

Unfortunately, the administrator seems unable to retrieve the SACL on
the security descriptor, so I've added a new function to compare with
a mask.

Andrew Bartlett
(This used to be commit 39ae5e1dac31a22086be50fb23261e02be877f3f)

1 files changed, 21 insertions, 0 deletions

diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c
index 5ed5ef5c76..a4056e5e71 100644
--- a/source4/libcli/security/security_descriptor.c
+++ b/source4/libcli/security/security_descriptor.c
@@ -224,3 +224,24 @@ BOOL security_descriptor_equal(const struct security_descriptor *sd1,
 
 	return True;	
 }
+
+/*
+  compare two security descriptors, but allow certain (missing) parts
+  to be masked out of the comparison
+*/
+BOOL security_descriptor_mask_equal(const struct security_descriptor *sd1, 
+				    const struct security_descriptor *sd2, 
+				    uint32 mask)
+{
+	if (sd1 == sd2) return True;
+	if (!sd1 || !sd2) return False;
+	if (sd1->revision != sd2->revision) return False;
+	if ((sd1->type & mask) != (sd2->type & mask)) return False;
+
+	if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False;
+	if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False;
+	if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl))      return False;
+	if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl))      return False;
+
+	return True;	
+}