samba.git/python/samba/tests/sid_strings.py, branch talloc-2.4.2 Unnamed repository; edit this file 'description' to name the repository. pytests: sid_strings: do not fail if epoch ending has zeros 2023-11-15T04:05:34+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-11-15T00:03:27+00:00 426ca4cf4b667aae03f0344cee449e972de90ac7 To avoid collisions in random OID strings, we started using the epoch date modulus 100 million. The trouble is we did not strip out the leading zeros, so the field might be '00000123' when it should be '123', if the date happened not to correspond to an epoch with a zero in the eighth to last place. This has been the case for most of the last 1041 days, but fortunately the bug was only introduced earlier this year. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15520 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Martin Schwenke <mschwenke@ddn.com> 
To avoid collisions in random OID strings, we started using the epoch
date modulus 100 million. The trouble is we did not strip out the
leading zeros, so the field might be '00000123' when it should be
'123', if the date happened not to correspond to an epoch with a zero
in the eighth to last place. This has been the case for most of the
last 1041 days, but fortunately the bug was only introduced earlier
this year.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15520

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
pytest: sid_strings: handle SDDLValueError 2023-11-01T20:10:46+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-10-27T00:20:33+00:00 d47c6654f9603bab40e53a422a2f34187f7b2fb8 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python:tests: Correct search expression 2023-10-13T03:50:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-02T02:07:16+00:00 7efe6b0ab42f7b6af5c82a8f6d412f9da16a963b Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python:tests: Fix comment 2023-10-13T03:50:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-02T02:07:03+00:00 ed97b15fe9795214b6497e91ead943c933d53325 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest:sid_strings: Do bad SIDs fail differently in simple-bind? 2023-04-28T02:15:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-04-13T00:17:28+00:00 fe8ce9e34e35a61acf9114b2c3e52d2a63d2944c No. That's good and expected because a failure here should fall back to the next thing in the simple bind pecking order (canonical names). Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
No.

That's good and expected because a failure here should fall back to the
next thing in the simple bind pecking order (canonical names).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest:sid_strings: do bad SIDS work in search filters? 2023-04-28T02:15:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-04-13T00:13:26+00:00 a4bbd944ee50e54b2b07c713f624193dd857ec0f Yes. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Yes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest:sid_strings: test SID DNs with ldb parsing 2023-04-28T02:15:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-04-13T00:11:48+00:00 866069172bfdfb0235163e9d2624cae12c3a11a0 By using an ldb.Dn as an intermediary, we get to see which SIDs Samba thinks are OK but Windows thinks are bad. It is things like "S-0-5-32-579". Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
By using an ldb.Dn as an intermediary, we get to see which SIDs
Samba thinks are OK but Windows thinks are bad.
It is things like "S-0-5-32-579".

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest:sid_strings: test SIDs as search base 2023-04-28T02:15:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-04-12T23:21:38+00:00 953ad43f15eb157d0a05edb31b03a20e13c40da4 As a way of testing the interpretation of a SID string in a remote server, we search on the base DN "<SID=x>" where x is a non-existent or malformed SID. On Windows some or all malformed SIDs are detected before the search begins, resulting in a complaint about DN syntax rather than one about missing objects. From this we can get a picture of what Windows considers to be a proper SID in this context. Samba does not make a distinction here, always returning NO_SUCH_OBJECT. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
As a way of testing the interpretation of a SID string in a remote
server, we search on the base DN "<SID=x>" where x is a non-existent
or malformed SID.

On Windows some or all malformed SIDs are detected before the search
begins, resulting in a complaint about DN syntax rather than one about
missing objects.

From this we can get a picture of what Windows considers to be
a proper SID in this context.

Samba does not make a distinction here, always returning NO_SUCH_OBJECT.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest:sid_strings: Windows and Samba divergent tests 2023-04-28T02:15:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-04-12T01:31:40+00:00 f66b0f868836a9fd1a223e1f374fea61f89d4cd5 The Samba side is aspirational -- what we actually do is generally worse. However the Windows behaviour in these cases seems more surprising still, and seems to be neither documented nor used. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The Samba side is aspirational -- what we actually do is generally
worse. However the Windows behaviour in these cases seems more
surprising still, and seems to be neither documented nor used.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest:sid_strings: test the strings with local parsing 2023-04-28T02:15:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-04-12T23:47:19+00:00 2d75daa9c4de54a5e179a254d7944f6bcd407370 The reason the existing tests send the SID over the wire as SDDL for defaultSecurityDescriptor is it is one of the few ways to force the server to reckon with a SID-string as a SID. At least, that's the case with Windows. In Samba we make no effort to decode the SDDL until it comes to the time of creating an object, at which point we don't notice the difference between bad SDDL and missing SDDL. So here we add a set of dynamic tests that push the strings through our SDDL parsing code. This doesn't tell us very much more, but it is very quick and sort of confirms that the other tests are on the right track. To run against Windows without also running the internal Samba tests, add `SAMBA_SID_STRINGS_SKIP_LOCAL=1` to your environment variables. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The reason the existing tests send the SID over the wire as SDDL for
defaultSecurityDescriptor is it is one of the few ways to force the
server to reckon with a SID-string as a SID. At least, that's the case
with Windows. In Samba we make no effort to decode the SDDL until it
comes to the time of creating an object, at which point we don't notice
the difference between bad SDDL and missing SDDL.

So here we add a set of dynamic tests that push the strings through our
SDDL parsing code. This doesn't tell us very much more, but it is very
quick and sort of confirms that the other tests are on the right track.

To run against Windows without also running the internal Samba tests,
add `SAMBA_SID_STRINGS_SKIP_LOCAL=1` to your environment variables.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>