samba.git/python/samba/tests/sid_strings.py, branch talloc-2.4.4 Unnamed repository; edit this file 'description' to name the repository. pytest: sid_strings: Samba DN object refuses sub-auth overflow 2024-05-07T23:25:35+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2024-05-02T23:29:31+00:00 d801ed8b11125527b0b8193c8d0e430b5fb2c3a7 We were mistakenly asserting something that did not happen with Windows, because Samba already won't parse the DN string. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We were mistakenly asserting something that did not happen with
Windows, because Samba already won't parse the DN string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest: sid_strings: adjust to match Windows 2016 2024-05-07T23:25:35+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2024-05-02T23:24:02+00:00 edf9b282ba6e3fc089ab2d8a4db122b300b95fe4 9 hex-digit subauths like '0xABCDef123' will not fit in 32 bits, so should be rejected on parsing. In other situations, such as defaultSecurityDescriptor, overflowing SID subauths on Windows will saturate to 0xffffffff, resulting in a valid but probably meaningless SID. It is possible that in previous testing we saw that here, but it is more likely I got confused. In any case, now I see them being rejected, and that is good. The saturating defaultSecurityDescriptor case is tested in SidStringBehavioursThatWindowsAllows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
9 hex-digit subauths like '0xABCDef123' will not fit in 32 bits, so
should be rejected on parsing.

In other situations, such as defaultSecurityDescriptor, overflowing
SID subauths on Windows will saturate to 0xffffffff, resulting in a
valid but probably meaningless SID. It is possible that in previous
testing we saw that here, but it is more likely I got confused. In any
case, now I see them being rejected, and that is good.

The saturating defaultSecurityDescriptor case is tested in
SidStringBehavioursThatWindowsAllows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest: sid_strings: Windows does allow lowercase s-1-... SIDs 2024-05-07T23:25:35+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2024-05-02T23:19:16+00:00 473502d170190b6bfe8da29708d347b16e0a2f7f And so should we. Right now, these tests won't pass against Windows because they rely on ldb pre-parsing of the SIDs, so they fail before Windows gets to see them. Running them against Windows looks something like this, BTW: SAMBA_SID_STRINGS_SKIP_LOCAL=1 \ SMB_CONF_PATH=st/ad_dc/etc/smb.conf \ PYTHONPATH=bin/default/python \ DC_SERVER=192.168.122.126 \ DC_USERNAME=Administrator DC_PASSWORD='xxx' \ python3 python/samba/tests/sid_strings.py When things are right, the only failing tests should be from the SidStringBehavioursThatSambaPrefers suite. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
And so should we.

Right now, these tests won't pass against Windows because they rely on
ldb pre-parsing of the SIDs, so they fail before Windows gets to see
them. Running them against Windows looks something like this, BTW:

    SAMBA_SID_STRINGS_SKIP_LOCAL=1  \
    SMB_CONF_PATH=st/ad_dc/etc/smb.conf \
    PYTHONPATH=bin/default/python \
    DC_SERVER=192.168.122.126 \
    DC_USERNAME=Administrator DC_PASSWORD='xxx' \
    python3 python/samba/tests/sid_strings.py

When things are right, the only failing tests should be from the
SidStringBehavioursThatSambaPrefers suite.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest: sid_strings: use more reliable well known SID 2024-05-07T23:25:35+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2024-05-02T02:24:18+00:00 fb724c61107b76d32b500802f960aa8e049ccbd8 It seems as if the well-known SID S-1-5-32-579 (DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS) is not always present -- specifically, it was not there on the Windows machine used to develop these tests, but it is there on the one I am now using. S-1-5-32-545 (DOMAIN_ALIAS_RID_USERS) is surely going to exist, so we use that instead. That changes some of the assertions, making some NO_SUCH_OBJECTs into successes. For these tests we are only interested in the parsing of the SIDs, not their meaning, so it's OK to change it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
It seems as if the well-known SID S-1-5-32-579
(DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS) is
not always present -- specifically, it was not there on the
Windows machine used to develop these tests, but it is there on
the one I am now using.

S-1-5-32-545 (DOMAIN_ALIAS_RID_USERS) is surely going to exist,
so we use that instead.

That changes some of the assertions, making some NO_SUCH_OBJECTs
into successes.

For these tests we are only interested in the parsing of the SIDs, not
their meaning, so it's OK to change it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytests: sid_strings: do not fail if epoch ending has zeros 2023-11-15T04:05:34+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-11-15T00:03:27+00:00 426ca4cf4b667aae03f0344cee449e972de90ac7 To avoid collisions in random OID strings, we started using the epoch date modulus 100 million. The trouble is we did not strip out the leading zeros, so the field might be '00000123' when it should be '123', if the date happened not to correspond to an epoch with a zero in the eighth to last place. This has been the case for most of the last 1041 days, but fortunately the bug was only introduced earlier this year. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15520 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Martin Schwenke <mschwenke@ddn.com> 
To avoid collisions in random OID strings, we started using the epoch
date modulus 100 million. The trouble is we did not strip out the
leading zeros, so the field might be '00000123' when it should be
'123', if the date happened not to correspond to an epoch with a zero
in the eighth to last place. This has been the case for most of the
last 1041 days, but fortunately the bug was only introduced earlier
this year.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15520

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
pytest: sid_strings: handle SDDLValueError 2023-11-01T20:10:46+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-10-27T00:20:33+00:00 d47c6654f9603bab40e53a422a2f34187f7b2fb8 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python:tests: Correct search expression 2023-10-13T03:50:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-02T02:07:16+00:00 7efe6b0ab42f7b6af5c82a8f6d412f9da16a963b Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python:tests: Fix comment 2023-10-13T03:50:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-02T02:07:03+00:00 ed97b15fe9795214b6497e91ead943c933d53325 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest:sid_strings: Do bad SIDs fail differently in simple-bind? 2023-04-28T02:15:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-04-13T00:17:28+00:00 fe8ce9e34e35a61acf9114b2c3e52d2a63d2944c No. That's good and expected because a failure here should fall back to the next thing in the simple bind pecking order (canonical names). Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
No.

That's good and expected because a failure here should fall back to the
next thing in the simple bind pecking order (canonical names).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytest:sid_strings: do bad SIDS work in search filters? 2023-04-28T02:15:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-04-13T00:13:26+00:00 a4bbd944ee50e54b2b07c713f624193dd857ec0f Yes. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Yes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>