From c20f77fe0fb9625072a4866a16a9e6a7138a94a4 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Fri, 31 May 2019 17:22:50 +0300
Subject: [PATCH] selftest: check for PrimaryGroupId in DC returned group array

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362

Signed-off-by: Isaac Boukris
Reviewed-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 3700998419738caa1ca8672fbf5dbaccaaa498fa)
---
 selftest/knownfail.d/pac_primary_group | 1 +
 source4/torture/rpc/remote_pac.c | 49 +++++++++++++++++++++++++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 selftest/knownfail.d/pac_primary_group

diff --git a/selftest/knownfail.d/pac_primary_group b/selftest/knownfail.d/pac_primary_group
new file mode 100644
index 00000000000..b0efd7d6385
--- /dev/null
+++ b/selftest/knownfail.d/pac_primary_group
@@ -0,0 +1 @@
+^samba4.rpc.pac.*s4u2self
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 35d4eab6f53..3ada0704612 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -615,10 +615,46 @@ static bool test_PACVerify_workstation_des(struct torture_context *tctx,
 NETLOGON_NEG_AUTH2_ADS_FLAGS);
 }
+#ifdef SAMBA4_USES_HEIMDAL
+static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx,
+ uint16_t validation_level,
+ const union netr_Validation *validation)
+{
+ const struct netr_SamBaseInfo *base = NULL;
+ int i;
+ switch (validation_level) {
+ case 2:
+ if (!validation || !validation->sam2) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ base = &validation->sam2->base;
+ break;
+ case 3:
+ if (!validation || !validation->sam3) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ base = &validation->sam3->base;
+ break;
+ case 6:
+ if (!validation || !validation->sam6) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ base = &validation->sam6->base;
+ break;
+ default:
+ return NT_STATUS_INVALID_LEVEL;
+ }
+
+ for (i = 0; i < base->groups.count; i++) {
+ if (base->groups.rids[i].rid == base->primary_gid) {
+ return NT_STATUS_OK;
+ }
+ }
+ return NT_STATUS_INVALID_PARAMETER;
+}
 /* Check various ways to get the PAC, in particular check the group membership and
  * other details between the PAC from a normal kinit, S4U2Self and a SamLogon */
-#ifdef SAMBA4_USES_HEIMDAL
 static bool test_S4U2Self(struct torture_context *tctx,
 struct dcerpc_pipe *p1,
 struct cli_credentials *credentials,
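Review bot: `check_primary_group_in_validation` reports a reply that omits the primary group with the same `NT_STATUS_INVALID_PARAMETER` it uses for a NULL `validation`/`samN` pointer, so the torture log cannot tell a malformed response from a DC that really left PrimaryGroupId out of the RID array, which is the condition the knownfail entry tracks and the one that matters for group-based authorization decisions downstream. Returning a distinct code for the missing-group case, e.g. `return NT_STATUS_NOT_FOUND;` at the final return, keeps the two failures apart. The loop counter is `int i` but is compared against `base->groups.count`, which as far as I can tell is an unsigned count in the netlogon IDL; `uint32_t i;` avoids the sign-compare warning. `mem_ctx` is accepted but never used by the helper, and the caller passes `tmp_ctx` for nothing; dropping the parameter keeps the contract honest.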
@@ -875,6 +911,17 @@ static bool test_S4U2Self(struct torture_context *tctx,
 torture_assert_ntstatus_ok(tctx, status, "make_user_info_dc_netlogon_validation failed");
+ /* Check that the primary group is present in validation's RID array */
+ status = check_primary_group_in_validation(tmp_ctx, r.in.validation_level, r.out.validation);
+ torture_assert_ntstatus_ok(tctx, status, "check_primary_group_in_validation failed");
+
+ /* Check that the primary group is not duplicated in user_info_dc SID array */
+ for (i = 2; i < netlogon_user_info_dc->num_sids; i++) {
+ torture_assert(tctx, !dom_sid_equal(&netlogon_user_info_dc->sids[1],
+ &netlogon_user_info_dc->sids[i]),
+ "Duplicate PrimaryGroupId in return SID array");
+ }
+
 torture_assert_str_equal(tctx, netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name, kinit_session_info->info->account_name, "Account name differs for kinit-based PAC");
 torture_assert_str_equal(tctx,netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
-- 
2.47.2
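Review bot: The duplicate-SID loop starting at `for (i = 2; ...)` assumes `sids[1]` is the primary-group SID and silently passes when `num_sids < 2`, because its body never runs; nothing in the hunk verifies either the index-1 convention or that at least two SIDs came back. A guard such as `torture_assert(tctx, netlogon_user_info_dc->num_sids >= 2, "user_info_dc lacks user and primary group SIDs");` before the loop turns that silent pass into a visible failure. `i` is declared outside the hunk, so its type relative to `num_sids` cannot be confirmed from here. The enclosing `test_S4U2Self` starts and ends outside the hunk.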