From: Douglas Bagnall
Date: Fri, 27 Oct 2023 00:16:56 +0000 (+1300)
Subject: samba-tool: try to present diagnostics for SDDL errors.
X-Git-Tag: talloc-2.4.2~891
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cc2498f35b4bc39b939069863ab5e8483aa026ec;p=thirdparty%2Fsamba.git
samba-tool: try to present diagnostics for SDDL errors.
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/netcmd/__init__.py b/python/samba/netcmd/__init__.py
index 31541a98347..7ddc1dc0828 100644
--- a/python/samba/netcmd/__init__.py
+++ b/python/samba/netcmd/__init__.py
@@ -29,6 +29,7 @@ from samba.auth import system_session
 from samba.getopt import Option, OptionParser
 from samba.logger import get_samba_logger
 from samba.samdb import SamDB
+from samba.dcerpc.security import SDDLValueError
 from .encoders import JSONEncoder
@@ -115,6 +116,29 @@ class Command(object):
 else:
 print(f"{err}{klass}: {msg} - {evalue}", file=self.errf)
+ def _print_sddl_value_error(self, e):
+ generic_msg, specific_msg, position, sddl = e.args
+ print(f"{colour.c_DARK_RED('ERROR')}: {generic_msg}\n",
+ file=self.errf)
+ print(f' {sddl}', file=self.errf)
+ # If the SDDL contains non-ascii characters, the byte offset
+ # provided by the exception won't agree with the visual offset
+ # because those characters will be encoded as multiple bytes.
+ #
+ # To account for this we'll attempt to measure the string
+ # length of the specified number of bytes. That is not quite
+ # the same as the visual length, because the SDDL could
+ # contain zero-width, full-width, or combining characters, but
+ # it is closer.
+ try:
+ position = len((sddl.encode()[:position]).decode())
+ except ValueError:
+ # use the original position
+ pass
+
+ print(f"{colour.c_DARK_YELLOW('^'):>{position + 2}}", file=self.errf)
+ print(f' {specific_msg}', file=self.errf)
+
 def ldb_connect(self, hostopts, sambaopts, credopts):
 """Helper to connect to Ldb database using command line opts."""
 lp = sambaopts.get_loadparm()
@@ -163,6 +187,10 @@ class Command(object):
 else:
 self._print_error(message, ldb_emsg, 'ldb')
+ elif isinstance(inner_exception, SDDLValueError):
+ self._print_sddl_value_error(inner_exception)
+ force_traceback = False
+
 elif isinstance(inner_exception, AssertionError):
 self._print_error(message, klass='assert')
 force_traceback = True
diff --git a/selftest/knownfail.d/samba-tool-sddl-errors b/selftest/knownfail.d/samba-tool-sddl-errors
new file mode 100644
index 00000000000..a1b9e1a9e29
--- /dev/null
+++ b/selftest/knownfail.d/samba-tool-sddl-errors
@@ -0,0 +1 @@
+samba.tests.samba_tool.domain_auth_policy.samba.tests.samba_tool.domain_auth_policy.AuthPolicyCmdTestCase.test_authentication_policy_create_invalid_sddl
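Review bot: In `_print_sddl_value_error` the caret line applies the field width to the already-coloured string, `{colour.c_DARK_YELLOW('^'):>{position + 2}}`, so the padding is computed from the length of whatever `c_DARK_YELLOW` returns. That helper is not defined in this hunk, but if it wraps the caret in terminal escape sequences when colour is enabled, those characters count toward the width and the marker lands left of the reported offset, or gets no padding at all for small offsets. Building the padding separately keeps the two concerns apart: `print(' ' * (position + 1) + colour.c_DARK_YELLOW('^'), file=self.errf)`. The four-way unpack of `e.args` on the first line is also unguarded, so an `SDDLValueError` raised with a different number of arguments would fail inside the error reporter and hide the original diagnostic; falling back to the generic error path in that case would keep the message visible.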
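Review bot: The new `SDDLValueError` branch in the `-163,6 +187,10` hunk drops `message`, whereas the neighbouring branches call `self._print_error(message, ...)`, so any context the caller attached to the failure is not shown for SDDL errors. The enclosing function starts and ends outside the hunk, so whether `message` carries more than a default string cannot be confirmed from here. If the omission is deliberate, a short comment above `force_traceback = False` would record it, for example `# the SDDL diagnostic is self-contained; message and traceback add nothing`.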