From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 6 Mar 2025 12:40:30 +0000 (+0100)
Subject: s4:dsdb/tests: let the token_group.py test work against Windows 2025
X-Git-Tag: tevent-0.17.0~586
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86ed8753fa01b715994269b11cb73809e1deb85e;p=thirdparty%2Fsamba.git

s4:dsdb/tests: let the token_group.py test work against Windows 2025

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---

diff --git a/selftest/knownfail.d/samba4.tokengroups b/selftest/knownfail.d/samba4.tokengroups
new file mode 100644
index 00000000000..2aecef243e3
--- /dev/null
+++ b/selftest/knownfail.d/samba4.tokengroups
@@ -0,0 +1 @@
+^samba4.tokengroups.*.test_dn_tokenGroups
diff --git a/source4/dsdb/tests/python/token_group.py b/source4/dsdb/tests/python/token_group.py
index df45ee0f331..d802453e0bc 100755
--- a/source4/dsdb/tests/python/token_group.py
+++ b/source4/dsdb/tests/python/token_group.py
@@ -143,6 +143,7 @@ class StaticTokenTest(samba.tests.TestCase):
         extra_sids.append(security.SID_WORLD)
         extra_sids.append(security.SID_NT_NETWORK)
         extra_sids.append(security.SID_NT_AUTHENTICATED_USERS)
+        extra_sids.append(security.SID_NT_THIS_ORGANIZATION)
         extra_sids.append(security.SID_BUILTIN_PREW2K)
         if creds.get_kerberos_state() == MUST_USE_KERBEROS:
             extra_sids.append(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)
@@ -417,6 +418,7 @@ class DynamicTokenTest(samba.tests.TestCase):
         extra_sids.append(security.SID_WORLD)
         extra_sids.append(security.SID_NT_NETWORK)
         extra_sids.append(security.SID_NT_AUTHENTICATED_USERS)
+        extra_sids.append(security.SID_NT_THIS_ORGANIZATION)
         extra_sids.append(security.SID_BUILTIN_PREW2K)
         if creds.get_kerberos_state() == MUST_USE_KERBEROS:
             extra_sids.append(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)
@@ -644,7 +646,9 @@ class DynamicTokenTest(samba.tests.TestCase):
                                            domain_sid)
         user_handle = samr_conn.OpenUser(samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, user_rid)
         rids = samr_conn.GetGroupsForUser(user_handle)
+        user_info = samr_conn.QueryUserInfo(user_handle, 1)
         samr_dns = set()
+        found_primary_gid = False
         for rid in rids.rids:
             self.assertEqual(rid.attributes, security.SE_GROUP_DEFAULT_FLAGS)
             sid = "%s-%d" % (domain_sid, rid.rid)
@@ -652,8 +656,13 @@ class DynamicTokenTest(samba.tests.TestCase):
                                         attrs=[])
             samr_dns.add(res[0].dn.get_casefold())
 
-        user_info = samr_conn.QueryUserInfo(user_handle, 1)
-        self.assertEqual(rids.rids[0].rid, user_info.primary_gid)
+            # Note Windows 2025 has the primary_group_rid as
+            # the last element in the rids array
+            if rid.rid == user_info.primary_gid:
+                self.assertFalse(found_primary_gid)
+                found_primary_gid = True
+
+        self.assertTrue(found_primary_gid)
 
         tokenGroupsSet = set()
         res = self.ldb.search(self.user_sid_dn, scope=ldb.SCOPE_BASE, attrs=["tokenGroupsGlobalAndUniversal"])