summaryrefslogtreecommitdiff
path: root/source4/torture/drs
diff options
context:
space:
mode:
authorTim Beale <timbeale@catalyst.net.nz>2017-08-16 15:00:31 +1200
committerAndrew Bartlett <abartlet@samba.org>2017-08-29 07:23:28 +0200
commit37ed946c75e4f62b173b943b0db649fdbdbf72ed (patch)
treeedb0d8db598fa4c52b85ea8b63edd8cabffaaff6 /source4/torture/drs
parent2d0766a48b3a62de15aa834b1aedd0f6b8c7f6e1 (diff)
downloadsamba-37ed946c75e4f62b173b943b0db649fdbdbf72ed.tar.gz
selftest: Update getnc_unpriv tests to pass against Samba
In general Windows seems to return BAD_DN rather than ACCESS_DENIED for an unprivileged user. In the the long-term, it's unrealistic to think that Samba and Windows will agree exactly on every error code returned. So for the tests to be maintainable and pass against Windows and Samba, they need to handle differences in expected errors. To get around this problem, I've changed the expected_error to be a set, so that multiple error codes (one for Microsoft, one for Samba) can be specified for each test case. This approach also highlights the cases where Microsoft and Samba currently differ. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'source4/torture/drs')
-rw-r--r--source4/torture/drs/python/getnc_unpriv.py48
1 files changed, 28 insertions, 20 deletions
diff --git a/source4/torture/drs/python/getnc_unpriv.py b/source4/torture/drs/python/getnc_unpriv.py
index 41d96110492..a65dd13d99e 100644
--- a/source4/torture/drs/python/getnc_unpriv.py
+++ b/source4/torture/drs/python/getnc_unpriv.py
@@ -111,8 +111,8 @@ class DrsReplicaSyncUnprivTestCase(drs_base.DrsBaseTestCase):
8, req8)
self.fail("Should have failed with user denied access")
except WERRORError as (enum, estr):
- self.assertEquals(enum, expected_error,
- "Got unexpected error: %s" % estr)
+ self.assertTrue(enum in expected_error,
+ "Got unexpected error: %s" % estr)
def _test_repl_single_obj(self, repl_obj, expected_error,
partial_attribute_set=None):
@@ -165,18 +165,19 @@ class DrsReplicaSyncUnprivTestCase(drs_base.DrsBaseTestCase):
self.sd_utils.dacl_add_ace(self.base_dn, self.acl_mod_get_changes)
self._test_repl_single_obj(repl_obj=self.ou,
- expected_error=werror.WERR_DS_DRA_ACCESS_DENIED)
+ expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED])
self._test_repl_secret(repl_obj=self.ou,
- expected_error=werror.WERR_DS_DRA_ACCESS_DENIED)
+ expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED])
self._test_repl_secret(repl_obj=self.user_dn,
- expected_error=werror.WERR_DS_DRA_ACCESS_DENIED)
+ expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED])
self._test_repl_secret(repl_obj=self.user_dn,
dest_dsa=self.ldb_dc1.get_ntds_GUID(),
- expected_error=werror.WERR_DS_DRA_ACCESS_DENIED)
+ expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED])
- self._test_repl_full(expected_error=werror.WERR_DS_DRA_ACCESS_DENIED)
- self._test_repl_full_on_ou(expected_error=werror.WERR_DS_CANT_FIND_EXPECTED_NC)
+ self._test_repl_full(expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED])
+ self._test_repl_full_on_ou(expected_error=[werror.WERR_DS_CANT_FIND_EXPECTED_NC,
+ werror.WERR_DS_DRA_ACCESS_DENIED])
# Partial Attribute Sets don't require GET_ALL_CHANGES rights, so we
# expect the following to succeed
@@ -215,16 +216,20 @@ class DrsReplicaSyncUnprivTestCase(drs_base.DrsBaseTestCase):
self._test_repl_single_obj(repl_obj=self.ou,
expected_error=None)
+ # Microsoft returns DB_ERROR, Samba returns ACCESS_DENIED
self._test_repl_secret(repl_obj=self.ou,
- expected_error=werror.WERR_DS_DRA_DB_ERROR)
+ expected_error=[werror.WERR_DS_DRA_DB_ERROR,
+ werror.WERR_DS_DRA_ACCESS_DENIED])
self._test_repl_secret(repl_obj=self.user_dn,
- expected_error=werror.WERR_DS_DRA_DB_ERROR)
+ expected_error=[werror.WERR_DS_DRA_DB_ERROR,
+ werror.WERR_DS_DRA_ACCESS_DENIED])
+ # Note that Windows accepts this but Samba rejects it
self._test_repl_secret(repl_obj=self.user_dn,
dest_dsa=self.ldb_dc1.get_ntds_GUID(),
- expected_error=None)
+ expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED])
self._test_repl_full(expected_error=None)
- self._test_repl_full_on_ou(expected_error=werror.WERR_DS_CANT_FIND_EXPECTED_NC)
+ self._test_repl_full_on_ou(expected_error=[werror.WERR_DS_CANT_FIND_EXPECTED_NC])
self._test_repl_single_obj(repl_obj=self.ou,
expected_error=None,
@@ -238,24 +243,27 @@ class DrsReplicaSyncUnprivTestCase(drs_base.DrsBaseTestCase):
We expect all these requests to be rejected.
"""
+ # Microsoft usually returns BAD_DN, Samba returns ACCESS_DENIED
+ usual_error = [werror.WERR_DS_DRA_BAD_DN, werror.WERR_DS_DRA_ACCESS_DENIED]
+
self._test_repl_single_obj(repl_obj=self.ou,
- expected_error=werror.WERR_DS_DRA_BAD_DN)
+ expected_error=usual_error)
self._test_repl_secret(repl_obj=self.ou,
- expected_error=werror.WERR_DS_DRA_BAD_DN)
+ expected_error=usual_error)
self._test_repl_secret(repl_obj=self.user_dn,
- expected_error=werror.WERR_DS_DRA_BAD_DN)
+ expected_error=usual_error)
self._test_repl_secret(repl_obj=self.user_dn,
dest_dsa=self.ldb_dc1.get_ntds_GUID(),
- expected_error=werror.WERR_DS_DRA_BAD_DN)
+ expected_error=usual_error)
- self._test_repl_full(expected_error=werror.WERR_DS_DRA_ACCESS_DENIED)
- self._test_repl_full_on_ou(expected_error=werror.WERR_DS_DRA_BAD_DN)
+ self._test_repl_full(expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED])
+ self._test_repl_full_on_ou(expected_error=usual_error)
self._test_repl_single_obj(repl_obj=self.ou,
- expected_error=werror.WERR_DS_DRA_BAD_DN,
+ expected_error=usual_error,
partial_attribute_set=self.get_partial_attribute_set())
- self._test_repl_full(expected_error=werror.WERR_DS_DRA_ACCESS_DENIED,
+ self._test_repl_full(expected_error=[werror.WERR_DS_DRA_ACCESS_DENIED],
partial_attribute_set=self.get_partial_attribute_set())
View Lorry Controller Status