-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 8 | ||||
-rwxr-xr-x | source4/script/tests/test_rpc.sh | 6 | ||||
-rw-r--r-- | source4/torture/rpc/samr.c | 74 |
3 files changed, 66 insertions, 22 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index b1fcaf4f02..81bfa32398 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -642,12 +642,10 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct ldb_module *module
 "(&(objectSid=%s)(objectclass=domain))",
 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
 if (ret >= 1) {
+ /* We don't really like the idea of foreign sids that are not foreign, but it happens */
 const char *name = samdb_result_string(dom_msgs[0], "name", NULL);
- ldb_set_errstring(module->ldb, talloc_asprintf(mem_ctx,
- "Attempt to add foreign SID record with SID %s rejected, because this domian (%s) is already in the database",
- dom_sid_string(mem_ctx, sid), name));
- /* We don't really like the idea of foreign sids that are not foreign */
- return LDB_ERR_CONSTRAINT_VIOLATION;
+ ldb_debug(module->ldb, LDB_DEBUG_TRACE, "NOTE (strange but valid): Adding foreign SID record with SID %s, but this domian (%s) is already in the database",
+ dom_sid_string(mem_ctx, sid), name);
 } else if (ret == -1) {
 ldb_set_errstring(module->ldb, talloc_asprintf(mem_ctx,
 "samldb_fill_foreignSecurityPrincipal_object: error searching for a domain with this sid: %s\n",
diff --git a/source4/script/tests/test_rpc.sh b/source4/script/tests/test_rpc.sh
index d6b3056876..252acca68f 100755
--- a/source4/script/tests/test_rpc.sh
+++ b/source4/script/tests/test_rpc.sh
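Review bot: The check that previously rejected a foreignSecurityPrincipal whose SID belongs to a domain already present in the database is now only reported at LDB_DEBUG_TRACE, so such an object, which duplicates a local-domain SID under a second DN, will be created silently in normal operation. If accepting it is intended, the message should go out at a level operators actually see, and the new string still carries the `domian` typo from the removed text: `ldb_debug(module->ldb, LDB_DEBUG_WARNING, "NOTE (strange but valid): Adding foreign SID record with SID %s, but this domain (%s) is already in the database",`. A short comment on why the duplicate is tolerated (which caller produces it) would also help the next reader, since the kept comment only says "it happens". samldb_fill_foreignSecurityPrincipal_object begins and ends outside the hunk.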
@@ -5,9 +5,9 @@
 ncacn_np_tests="RPC-SPOOLSS RPC-SRVSVC RPC-SCHANNEL RPC-JOIN RPC-LSA RPC-ECHO RPC-DSSETUP RPC-ALTERCONTEXT RPC-MULTIBIND NET-API-RPCCONN-BIND NET-API-LISTSHARES NET-API-CREATEUSER NET-API-DELETEUSER"
 ncalrpc_tests="RPC-SCHANNEL RPC-JOIN RPC-LSA RPC-ECHO RPC-DSSETUP RPC-ALTERCONTEXT RPC-MULTIBIND NET-API-LISTSHARES NET-API-CREATEUSER NET-API-DELETEUSER"
 ncacn_ip_tcp_tests="RPC-SCHANNEL RPC-JOIN RPC-LSA RPC-ECHO RPC-DSSETUP RPC-ALTERCONTEXT RPC-MULTIBIND NET-API-LISTSHARES NET-API-CREATEUSER NET-API-DELETEUSER"
-slow_ncacn_np_tests="RPC-SAMLOGON RPC-SAMR-USERS RPC-SAMR-PASSWORDS"
-slow_ncalrpc_tests="RPC-SAMLOGON RPC-SAMR-USERS RPC-SAMR-PASSWORDS"
-slow_ncacn_ip_tcp_tests="RPC-SAMLOGON RPC-SAMR-USERS RPC-SAMR-PASSWORDS"
+slow_ncacn_np_tests="RPC-SAMLOGON RPC-SAMR RPC-SAMR-USERS RPC-SAMR-PASSWORDS"
+slow_ncalrpc_tests="RPC-SAMLOGON RPC-SAMR RPC-SAMR-USERS RPC-SAMR-PASSWORDS"
+slow_ncacn_ip_tcp_tests="RPC-SAMLOGON RPC-SAMR RPC-SAMR-USERS RPC-SAMR-PASSWORDS"
 if [ $# -lt 4 ]; then
 cat <<EOF
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 306f3cbbbf..79924b1ac7 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -875,7 +875,7 @@ static NTSTATUS test_OpenUser_byname(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 r.out.user_handle = user_handle;
 status = dcerpc_samr_OpenUser(p, mem_ctx, &r);
 if (!NT_STATUS_IS_OK(status)) {
- printf("OpenUser_byname(%s) failed - %s\n", name, nt_errstr(status));
+ printf("OpenUser_byname(%s -> %d) failed - %s\n", name, rid, nt_errstr(status));
 }
 return status;
@@ -1540,7 +1540,7 @@ static BOOL test_user_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 }
 break;
 case TORTURE_SAMR_OTHER:
- /* Can't happen */
+ /* We just need the account to exist */
 break;
 }
 talloc_free(user_ctx);
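Review bot: The new format string in test_OpenUser_byname prints `rid` with `%d`; if rid is an unsigned 32-bit value, as the `&rid` out-parameter handed to test_LookupName elsewhere in this diff suggests, the specifier should be `%u` (or PRIu32) so the type matches and -Wformat stays quiet: `printf("OpenUser_byname(%s -> %u) failed - %s\n", name, rid, nt_errstr(status));`. The function's signature and the rest of its body lie outside the hunk, so the declared type of rid could not be confirmed here.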
@@ -1582,6 +1582,26 @@ static BOOL test_alias_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 }
+static BOOL test_DeleteUser(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
+ struct policy_handle *user_handle)
+{
+ struct samr_DeleteUser d;
+ NTSTATUS status;
+ BOOL ret = True;
+ printf("Testing DeleteUser\n");
+
+ d.in.user_handle = user_handle;
+ d.out.user_handle = user_handle;
+
+ status = dcerpc_samr_DeleteUser(p, mem_ctx, &d);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("DeleteUser failed - %s\n", nt_errstr(status));
+ ret = False;
+ }
+
+ return ret;
+}
+
 BOOL test_DeleteUser_byname(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 struct policy_handle *handle, const char *name)
 {
@@ -1795,6 +1815,7 @@ static BOOL test_ChangePassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 static BOOL test_CreateUser(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 struct policy_handle *domain_handle,
+ struct policy_handle *user_handle_out,
 enum torture_samr_choice which_ops)
 {
@@ -1865,15 +1886,19 @@ static BOOL test_CreateUser(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 ret = False;
 }
- printf("Testing DeleteUser (createuser2 test)\n");
-
- d.in.user_handle = &user_handle;
- d.out.user_handle = &user_handle;
-
- status = dcerpc_samr_DeleteUser(p, user_ctx, &d);
- if (!NT_STATUS_IS_OK(status)) {
- printf("DeleteUser failed - %s\n", nt_errstr(status));
+ if (user_handle_out) {
+ *user_handle_out = user_handle;
+ } else {
+ printf("Testing DeleteUser (createuser test)\n");
+
+ d.in.user_handle = &user_handle;
+ d.out.user_handle = &user_handle;
+
+ status = dcerpc_samr_DeleteUser(p, user_ctx, &d);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("DeleteUser failed - %s\n", nt_errstr(status));
 ret = False;
+ }
 }
 }
@@ -2805,7 +2830,7 @@ static BOOL test_QueryDomainInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 }
 }
- return True;
+ return ret;
 }
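Review bot: The DeleteUser sequence introduced in the new test_DeleteUser helper is repeated almost verbatim by the else branch added to test_CreateUser in the -1865 hunk (d.in/d.out assignment, dcerpc_samr_DeleteUser, the failure printf); that branch could call the helper instead, `} else if (!test_DeleteUser(p, user_ctx, &user_handle)) {` / `ret = False;` / `}`, which would keep one copy of the diagnostics and presumably let the local `d` and `status` in test_CreateUser go away if nothing else there uses them. The helper also deserves a one-line header comment saying what it guarantees about *user_handle afterwards, since d.out.user_handle is written back into the caller's handle and the caller in test_OpenDomain does nothing further with it.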
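Review bot: The new `user_handle_out` parameter changes test_CreateUser's ownership contract (the -1865 hunk keeps the account and returns its handle when the pointer is non-NULL, deletes it otherwise), but nothing at the definition says so, and a caller passing a handle is not told it now owns the account and must delete it. Add above the definition: `/* If user_handle_out is non-NULL the created account is kept and its handle stored there; the caller owns it and must delete it. Otherwise the account is deleted before returning. */`. It is also worth noting in that comment that the assignment in the -1865 hunk is the only place the output handle is written, so callers must zero it beforehand, as test_OpenDomain does with ZERO_STRUCT in the -3209 hunk.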
@@ -3050,6 +3075,7 @@ static BOOL test_AddGroupMember(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 status = test_LookupName(p, mem_ctx, domain_handle, TEST_ACCOUNT_NAME, &rid);
 if (!NT_STATUS_IS_OK(status)) {
+ printf("test_AddGroupMember looking up name " TEST_ACCOUNT_NAME " failed - %s\n", nt_errstr(status));
 return False;
 }
@@ -3150,9 +3176,20 @@ static BOOL test_CreateDomainGroup(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 return True;
 }
- if (NT_STATUS_EQUAL(status, NT_STATUS_GROUP_EXISTS) ||
- NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_GROUP_EXISTS)) {
 if (!test_DeleteGroup_byname(p, mem_ctx, domain_handle, r.in.name->string)) {
+
+ printf("CreateDomainGroup failed: Could not delete domain group %s - %s\n", r.in.name->string,
+ nt_errstr(status));
+ return False;
+ }
+ status = dcerpc_samr_CreateDomainGroup(p, mem_ctx, &r);
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
+ if (!test_DeleteUser_byname(p, mem_ctx, domain_handle, r.in.name->string)) {
+
+ printf("CreateDomainGroup failed: Could not delete user %s - %s\n", r.in.name->string,
+ nt_errstr(status));
 return False;
 }
 status = dcerpc_samr_CreateDomainGroup(p, mem_ctx, &r);
@@ -3163,6 +3200,7 @@ static BOOL test_CreateDomainGroup(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 }
 if (!test_AddGroupMember(p, mem_ctx, domain_handle, group_handle)) {
+ printf("CreateDomainGroup failed - %s\n", nt_errstr(status));
 ret = False;
 }
@@ -3209,10 +3247,12 @@ static BOOL test_OpenDomain(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 struct samr_OpenDomain r;
 struct policy_handle domain_handle;
 struct policy_handle alias_handle;
+ struct policy_handle user_handle;
 struct policy_handle group_handle;
 BOOL ret = True;
 ZERO_STRUCT(alias_handle);
+ ZERO_STRUCT(user_handle);
 ZERO_STRUCT(group_handle);
 ZERO_STRUCT(domain_handle);
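Review bot: The `nt_errstr(status)` appended to the two new "Could not delete ..." messages in the -3150 hunk reports the status of the earlier CreateDomainGroup call (GROUP_EXISTS or USER_EXISTS), not why the delete failed, and the same pattern in the -3163 hunk is worse: `printf("CreateDomainGroup failed - %s\n", nt_errstr(status))` runs only after CreateDomainGroup has presumably been checked OK between the hunks, so it will print a success status next to the word "failed". Since test_DeleteGroup_byname, test_DeleteUser_byname and test_AddGroupMember return BOOL and print their own diagnostics, these wrappers should name the failing step rather than echo a stale status, e.g. `printf("CreateDomainGroup failed: test_AddGroupMember failed\n");` for the -3163 hunk and the corresponding step names for the two delete paths. test_CreateDomainGroup starts and ends outside these hunks.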
@@ -3236,10 +3276,11 @@ static BOOL test_OpenDomain(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 switch (which_ops) {
 case TORTURE_SAMR_USER_ATTRIBUTES:
 case TORTURE_SAMR_PASSWORDS:
- ret &= test_CreateUser(p, mem_ctx, &domain_handle, which_ops);
+ ret &= test_CreateUser(p, mem_ctx, &domain_handle, NULL, which_ops);
 ret &= test_CreateUser2(p, mem_ctx, &domain_handle, which_ops);
 break;
 case TORTURE_SAMR_OTHER:
+ ret &= test_CreateUser(p, mem_ctx, &domain_handle, &user_handle, which_ops);
 ret &= test_QuerySecurity(p, mem_ctx, &domain_handle);
 ret &= test_RemoveMemberFromForeignDomain(p, mem_ctx, &domain_handle);
 ret &= test_CreateAlias(p, mem_ctx, &domain_handle, &alias_handle, sid);
@@ -3268,6 +3309,11 @@ static BOOL test_OpenDomain(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 break;
 }
+ if (!policy_handle_empty(&user_handle) &&
+ !test_DeleteUser(p, mem_ctx, &user_handle)) {
+ ret = False;
+ }
+
 if (!policy_handle_empty(&alias_handle) &&
 !test_DeleteAlias(p, mem_ctx, &alias_handle)) {
 ret = False;
 |
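Review bot: The new test_CreateUser call at the top of the TORTURE_SAMR_OTHER case carries no comment on why the account is created first and kept (via &user_handle) rather than deleted as in the cases above; the "We just need the account to exist" comment in the -1540 hunk and the TEST_ACCOUNT_NAME lookup in test_AddGroupMember (-3050 hunk) suggest the later group-membership tests depend on it, which makes the ordering load-bearing. Record that at the call site, e.g. `/* keep this account: the group tests below look it up by TEST_ACCOUNT_NAME; it is deleted after the switch */`, so a future reorder of the case does not silently break them. The cleanup in the -3268 hunk relies on user_handle staying zeroed when test_CreateUser fails before writing it back, which is worth a word in the same comment. test_OpenDomain continues past the end of the hunk.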