summaryrefslogtreecommitdiffstats
path: root/source4/torture
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2004-11-20 00:29:04 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:06:01 -0500
commit5d35fe6f711985ac337da812bdbde006172bf256 (patch)
tree9f9ae277aa9823e00b898c68b78c7e232b9e3906 /source4/torture
parentd95a256d1b7f579666c852740d32ba0f446a4c66 (diff)
downloadsamba-5d35fe6f711985ac337da812bdbde006172bf256.tar.gz
samba-5d35fe6f711985ac337da812bdbde006172bf256.tar.xz
samba-5d35fe6f711985ac337da812bdbde006172bf256.zip
r3885: Add security descriptor comparison to our RPC-SAMSYNC test. We now
verify that the security descriptor found in the SamSync is the same as what is available over SAMR. Unfortunately, the administrator seems unable to retrieve the SACL on the security descriptor, so I've added a new function to compare with a mask. Andrew Bartlett (This used to be commit 39ae5e1dac31a22086be50fb23261e02be877f3f)
Diffstat (limited to 'source4/torture')
-rw-r--r--source4/torture/rpc/samsync.c46
1 files changed, 46 insertions, 0 deletions
diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
index 7f9cf321dcc..be56e4593eb 100644
--- a/source4/torture/rpc/samsync.c
+++ b/source4/torture/rpc/samsync.c
@@ -164,6 +164,24 @@ static struct policy_handle *samsync_open_domain(TALLOC_CTX *mem_ctx,
return domain_handle;
}
+static struct sec_desc_buf *samsync_query_sec_desc(TALLOC_CTX *mem_ctx,
+ struct samsync_state *samsync_state,
+ struct policy_handle *handle)
+{
+ struct samr_QuerySecurity r;
+ NTSTATUS status;
+
+ r.in.handle = handle;
+ r.in.sec_info = 0x7;
+
+ status = dcerpc_samr_QuerySecurity(samsync_state->p_samr, mem_ctx, &r);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("QuerySecurity failed - %s\n", nt_errstr(status));
+ return NULL;
+ }
+
+ return r.out.sdbuf;
+}
#define TEST_UINT64_EQUAL(i1, i2) do {\
if (i1 != i2) {\
@@ -187,6 +205,7 @@ static struct policy_handle *samsync_open_domain(TALLOC_CTX *mem_ctx,
ret = False;\
} \
} while (0)
+
#define TEST_STRING_EQUAL(s1, s2) do {\
if (!((!s1.string || s1.string[0]=='\0') && (!s2.string || s2.string[0]=='\0')) \
&& strcmp_safe(s1.string, s2.string) != 0) {\
@@ -196,6 +215,25 @@ static struct policy_handle *samsync_open_domain(TALLOC_CTX *mem_ctx,
} \
} while (0)
+/* The ~SEC_DESC_SACL_PRESENT is because we don't, as administrator,
+ * get back the SACL part of the SD when we ask over SAMR */
+
+#define TEST_SEC_DESC_EQUAL(sd1, handle) do {\
+ struct sec_desc_buf *sdbuf = samsync_query_sec_desc(mem_ctx, samsync_state, \
+ handle); \
+ if (!sdbuf || !sdbuf->sd) { \
+ ret = False; \
+ } else {\
+ if (!security_descriptor_mask_equal(sd1.sd, sdbuf->sd, \
+ ~SEC_DESC_SACL_PRESENT)) {\
+ printf("Security Descriptor Mismatch for %s:\n", #sd1);\
+ ndr_print_debug((ndr_print_fn_t)ndr_print_security_descriptor, "SamSync", sd1.sd);\
+ ndr_print_debug((ndr_print_fn_t)ndr_print_security_descriptor, "SamR", sdbuf->sd);\
+ ret = False;\
+ }\
+ }\
+} while (0)
+
static BOOL samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
@@ -279,6 +317,8 @@ static BOOL samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *sam
TEST_TIME_EQUAL(q[13].out.info->info13.domain_create_time,
domain->domain_create_time);
+ TEST_SEC_DESC_EQUAL(domain->sdbuf, samsync_state->domain_handle[database_id]);
+
return ret;
}
@@ -351,6 +391,8 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy
q.in.user_handle = &user_handle;
q.in.level = 21;
+ TEST_SEC_DESC_EQUAL(user->sdbuf, &user_handle);
+
nt_status = dcerpc_samr_QueryUserInfo(samsync_state->p_samr, mem_ctx, &q);
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &user_handle)) {
return False;
@@ -546,6 +588,8 @@ static BOOL samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *sams
q.in.alias_handle = &alias_handle;
q.in.level = 1;
+ TEST_SEC_DESC_EQUAL(alias->sdbuf, &alias_handle);
+
nt_status = dcerpc_samr_QueryAliasInfo(samsync_state->p_samr, mem_ctx, &q);
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &alias_handle)) {
return False;
@@ -593,6 +637,8 @@ static BOOL samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *sams
q.in.group_handle = &group_handle;
q.in.level = 1;
+ TEST_SEC_DESC_EQUAL(group->sdbuf, &group_handle);
+
nt_status = dcerpc_samr_QueryGroupInfo(samsync_state->p_samr, mem_ctx, &q);
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &group_handle)) {
return False;