diff options
author | Tim Beale <timbeale@catalyst.net.nz> | 2017-08-16 15:00:31 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-08-29 07:23:28 +0200 |
commit | 37ed946c75e4f62b173b943b0db649fdbdbf72ed (patch) | |
tree | edb0d8db598fa4c52b85ea8b63edd8cabffaaff6 /source4/torture/drs | |
parent | 2d0766a48b3a62de15aa834b1aedd0f6b8c7f6e1 (diff) | |
download | samba-37ed946c75e4f62b173b943b0db649fdbdbf72ed.tar.gz |
selftest: Update getnc_unpriv tests to pass against Samba
In general Windows seems to return BAD_DN rather than ACCESS_DENIED for
an unprivileged user. In the the long-term, it's unrealistic to think
that Samba and Windows will agree exactly on every error code returned.
So for the tests to be maintainable and pass against Windows and Samba,
they need to handle differences in expected errors. To get around this
problem, I've changed the expected_error to be a set, so that multiple
error codes (one for Microsoft, one for Samba) can be specified for each
test case. This approach also highlights the cases where Microsoft and
Samba currently differ.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'source4/torture/drs')
-rw-r--r-- | source4/torture/drs/python/getnc_unpriv.py | 48 |
1 files changed, 28 insertions, 20 deletions
diff --git a/source4/torture/drs/python/getnc_unpriv.py b/source4/torture/drs/python/getnc_unpriv.py index 41d96110492..a65dd13d99e 100644 --- a/source4/torture/drs/python/getnc_unpriv.py +++ b/source4/torture/drs/python/getnc_unpriv.py @@ -111,8 +111,8 @@ class DrsReplicaSyncUnprivTestCase(drs_base.DrsBaseTestCase): 8, req8) self.fail("Should have failed with user denied access") except WERRORError as (enum, estr): - self.assertEquals(enum, expected_error, - "Got unexpected error: %s" % estr) + self.assertTrue(enum in expected_error, + "Got unexpected error: %s" % estr) def _test_repl_single_obj(self, repl_obj, expected_error, partial_attribute_set=None): @@ -165,18 +165,19 @@ class DrsReplicaSyncUnprivTestCase(drs_base.DrsBaseTestCase): self.sd_utils.dacl_add_ace(self.base_dn, self.acl_mod_get_changes) self._test_repl_single_obj(repl_obj=self.ou, - expected_error=werror.WERR_DS_DRA_ACCESS_DENIED) + expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED]) self._test_repl_secret(repl_obj=self.ou, - expected_error=werror.WERR_DS_DRA_ACCESS_DENIED) + expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED]) self._test_repl_secret(repl_obj=self.user_dn, - expected_error=werror.WERR_DS_DRA_ACCESS_DENIED) + expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED]) self._test_repl_secret(repl_obj=self.user_dn, dest_dsa=self.ldb_dc1.get_ntds_GUID(), - expected_error=werror.WERR_DS_DRA_ACCESS_DENIED) + expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED]) - self._test_repl_full(expected_error=werror.WERR_DS_DRA_ACCESS_DENIED) - self._test_repl_full_on_ou(expected_error=werror.WERR_DS_CANT_FIND_EXPECTED_NC) + self._test_repl_full(expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED]) + self._test_repl_full_on_ou(expected_error=[werror.WERR_DS_CANT_FIND_EXPECTED_NC, + werror.WERR_DS_DRA_ACCESS_DENIED]) # Partial Attribute Sets don't require GET_ALL_CHANGES rights, so we # expect the following to succeed @@ -215,16 +216,20 @@ class DrsReplicaSyncUnprivTestCase(drs_base.DrsBaseTestCase): self._test_repl_single_obj(repl_obj=self.ou, expected_error=None) + # Microsoft returns DB_ERROR, Samba returns ACCESS_DENIED self._test_repl_secret(repl_obj=self.ou, - expected_error=werror.WERR_DS_DRA_DB_ERROR) + expected_error=[werror.WERR_DS_DRA_DB_ERROR, + werror.WERR_DS_DRA_ACCESS_DENIED]) self._test_repl_secret(repl_obj=self.user_dn, - expected_error=werror.WERR_DS_DRA_DB_ERROR) + expected_error=[werror.WERR_DS_DRA_DB_ERROR, + werror.WERR_DS_DRA_ACCESS_DENIED]) + # Note that Windows accepts this but Samba rejects it self._test_repl_secret(repl_obj=self.user_dn, dest_dsa=self.ldb_dc1.get_ntds_GUID(), - expected_error=None) + expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED]) self._test_repl_full(expected_error=None) - self._test_repl_full_on_ou(expected_error=werror.WERR_DS_CANT_FIND_EXPECTED_NC) + self._test_repl_full_on_ou(expected_error=[werror.WERR_DS_CANT_FIND_EXPECTED_NC]) self._test_repl_single_obj(repl_obj=self.ou, expected_error=None, @@ -238,24 +243,27 @@ class DrsReplicaSyncUnprivTestCase(drs_base.DrsBaseTestCase): We expect all these requests to be rejected. """ + # Microsoft usually returns BAD_DN, Samba returns ACCESS_DENIED + usual_error = [werror.WERR_DS_DRA_BAD_DN, werror.WERR_DS_DRA_ACCESS_DENIED] + self._test_repl_single_obj(repl_obj=self.ou, - expected_error=werror.WERR_DS_DRA_BAD_DN) + expected_error=usual_error) self._test_repl_secret(repl_obj=self.ou, - expected_error=werror.WERR_DS_DRA_BAD_DN) + expected_error=usual_error) self._test_repl_secret(repl_obj=self.user_dn, - expected_error=werror.WERR_DS_DRA_BAD_DN) + expected_error=usual_error) self._test_repl_secret(repl_obj=self.user_dn, dest_dsa=self.ldb_dc1.get_ntds_GUID(), - expected_error=werror.WERR_DS_DRA_BAD_DN) + expected_error=usual_error) - self._test_repl_full(expected_error=werror.WERR_DS_DRA_ACCESS_DENIED) - self._test_repl_full_on_ou(expected_error=werror.WERR_DS_DRA_BAD_DN) + self._test_repl_full(expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED]) + self._test_repl_full_on_ou(expected_error=usual_error) self._test_repl_single_obj(repl_obj=self.ou, - expected_error=werror.WERR_DS_DRA_BAD_DN, + expected_error=usual_error, partial_attribute_set=self.get_partial_attribute_set()) - self._test_repl_full(expected_error=werror.WERR_DS_DRA_ACCESS_DENIED, + self._test_repl_full(expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED], partial_attribute_set=self.get_partial_attribute_set()) |