author | Isaac Boukris <iboukris@gmail.com> | 2019-05-31 17:22:50 +0300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2019-07-03 12:38:13 +0000 |
commit | 3700998419738caa1ca8672fbf5dbaccaaa498fa (patch) | |
tree | b5d8bdb336bf5061e3c9ca4ac70b2aac22052ee4 | |
parent | 60afe949c3e664f81c9b0db9c54f701aa2874a5e (diff) | |
download | samba-3700998419738caa1ca8672fbf5dbaccaaa498fa.tar.gz |
selftest: check for PrimaryGroupId in DC returned group array
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | selftest/knownfail.d/pac_primary_group | 1 | ||||
-rw-r--r-- | source4/torture/rpc/remote_pac.c | 49 |
2 files changed, 49 insertions, 1 deletions
diff --git a/selftest/knownfail.d/pac_primary_group b/selftest/knownfail.d/pac_primary_group
new file mode 100644
index 00000000000..b0efd7d6385
--- /dev/null
+++ b/selftest/knownfail.d/pac_primary_group
@@ -0,0 +1 @@
+^samba4.rpc.pac.*s4u2self
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 877b2b3fb42..7a5cda74b74 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -614,10 +614,46 @@ static bool test_PACVerify_workstation_des(struct torture_context *tctx,
 NETLOGON_NEG_AUTH2_ADS_FLAGS);
 }
+#ifdef SAMBA4_USES_HEIMDAL
+static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx,
+ uint16_t validation_level,
+ const union netr_Validation *validation)
+{
+ const struct netr_SamBaseInfo *base = NULL;
+ int i;
+ switch (validation_level) {
+ case 2:
+ if (!validation || !validation->sam2) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ base = &validation->sam2->base;
+ break;
+ case 3:
+ if (!validation || !validation->sam3) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ base = &validation->sam3->base;
+ break;
+ case 6:
+ if (!validation || !validation->sam6) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ base = &validation->sam6->base;
+ break;
+ default:
+ return NT_STATUS_INVALID_LEVEL;
+ }
+
+ for (i = 0; i < base->groups.count; i++) {
+ if (base->groups.rids[i].rid == base->primary_gid) {
+ return NT_STATUS_OK;
+ }
+ }
+ return NT_STATUS_INVALID_PARAMETER;
+}
 /* Check various ways to get the PAC, in particular check the group membership and
 * other details between the PAC from a normal kinit, S4U2Self and a SamLogon */
-#ifdef SAMBA4_USES_HEIMDAL
 static bool test_S4U2Self(struct torture_context *tctx,
 struct dcerpc_pipe *p1,
 struct cli_credentials *credentials,
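Review bot: `check_primary_group_in_validation` returns `NT_STATUS_INVALID_PARAMETER` both when the validation pointer is NULL and when `primary_gid` is missing from `groups.rids`, so a failing run cannot tell a malformed SamLogon reply from the group-array regression the test is meant to catch. A distinct status for the not-found case, or at least a comment above the final return such as `/* primary_gid not present in groups.rids */`, would make the result readable. The loop index is declared `int i` and compared against `base->groups.count`, which is presumably an unsigned count; `uint32_t i;` would avoid the mixed-sign comparison. The `mem_ctx` parameter is never used in the body and could be dropped, and the helper has no header comment stating which validation levels it accepts and what each return value means.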
@@ -873,6 +909,17 @@ static bool test_S4U2Self(struct torture_context *tctx,
 torture_assert_ntstatus_ok(tctx, status, "make_user_info_dc_netlogon_validation failed");
+ /* Check that the primary group is present in validation's RID array */
+ status = check_primary_group_in_validation(tmp_ctx, r.in.validation_level, r.out.validation);
+ torture_assert_ntstatus_ok(tctx, status, "check_primary_group_in_validation failed");
+
+ /* Check that the primary group is not duplicated in user_info_dc SID array */
+ for (i = 2; i < netlogon_user_info_dc->num_sids; i++) {
+ torture_assert(tctx, !dom_sid_equal(&netlogon_user_info_dc->sids[1],
+ &netlogon_user_info_dc->sids[i]),
+ "Duplicate PrimaryGroupId in return SID array");
+ }
+
 torture_assert_str_equal(tctx, netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name, kinit_session_info->info->account_name, "Account name differs for kinit-based PAC");
 torture_assert_str_equal(tctx,netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name, |
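Review bot: The duplicate check hard-codes `sids[1]` as the primary group and starts scanning at index 2, so it silently depends on the order in which user_info_dc lays out its SID array. The existing comment could state that layout, e.g. `/* sids[0] = user, sids[1] = primary group, sids[2..] = other groups */`, or the indices could use the tree's named constants if they are in scope in this file (`PRIMARY_GROUP_SID_INDEX`, to be confirmed). Since these SIDs end up in the authorization token, an index that drifts from the real layout would leave the test passing while checking the wrong entry. `i` is declared outside this hunk, so its type against `num_sids` could not be checked here.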