selftest: check for PrimaryGroupId in DC returned group array
authorIsaac Boukris <iboukris@gmail.com>
Fri, 31 May 2019 14:22:50 +0000 (17:22 +0300)
committerStefan Metzmacher <metze@samba.org>
Wed, 3 Jul 2019 12:38:13 +0000 (12:38 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
selftest/knownfail.d/pac_primary_group [new file with mode: 0644]
source4/torture/rpc/remote_pac.c

diff --git a/selftest/knownfail.d/pac_primary_group b/selftest/knownfail.d/pac_primary_group
new file mode 100644 (file)
index 0000000..b0efd7d
--- /dev/null
@@ -0,0 +1 @@
+^samba4.rpc.pac.*s4u2self
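Review bot: The knownfail pattern `^samba4.rpc.pac.*s4u2self` masks every failure in the matching s4u2self PAC tests, not only the new PrimaryGroupId assertions, so any other regression in those tests stays hidden until the entry is removed. If knownfail.d files accept `#` comment lines the way the main knownfail file does, a line such as `# BUG 11362: remove once the DC returns PrimaryGroupId in the validation group array` above the pattern would tie the entry to the bug in the commit message and make its removal obvious when the server-side fix lands.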
index 877b2b3fb423dc79f32032e9bdf7e419636df286..7a5cda74b74e627d492c615a39dc8b12ef52ee32 100644 (file)
@@ -614,10 +614,46 @@ static bool test_PACVerify_workstation_des(struct torture_context *tctx,
                              NETLOGON_NEG_AUTH2_ADS_FLAGS);
 }
 
+#ifdef SAMBA4_USES_HEIMDAL
+static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx,
+                                                 uint16_t validation_level,
+                                                 const union netr_Validation *validation)
+{
+       const struct netr_SamBaseInfo *base = NULL;
+       int i;
+       switch (validation_level) {
+       case 2:
+               if (!validation || !validation->sam2) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+               base = &validation->sam2->base;
+               break;
+       case 3:
+               if (!validation || !validation->sam3) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+               base = &validation->sam3->base;
+               break;
+       case 6:
+               if (!validation || !validation->sam6) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+               base = &validation->sam6->base;
+               break;
+       default:
+               return NT_STATUS_INVALID_LEVEL;
+       }
+
+       for (i = 0; i < base->groups.count; i++) {
+               if (base->groups.rids[i].rid == base->primary_gid) {
+                       return NT_STATUS_OK;
+               }
+       }
+       return NT_STATUS_INVALID_PARAMETER;
+}
 
 /* Check various ways to get the PAC, in particular check the group membership and
  * other details between the PAC from a normal kinit, S4U2Self and a SamLogon */
-#ifdef SAMBA4_USES_HEIMDAL
 static bool test_S4U2Self(struct torture_context *tctx,
                          struct dcerpc_pipe *p1,
                          struct cli_credentials *credentials,
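Review bot: In check_primary_group_in_validation the loop index `int i` is compared against `base->groups.count`, which is presumably an unsigned uint32 on the wire type, and the `mem_ctx` parameter is never used in the body. Declaring `uint32_t i;` avoids the signed/unsigned comparison, and the unused parameter can either be dropped (its only caller is added in this same commit) or kept with a short comment saying it is reserved. The NULL checks on `validation`/`sam2`/`sam3`/`sam6` return NT_STATUS_INVALID_PARAMETER, the same code as the missing-group case at the end, so a torture failure cannot tell a malformed reply from the regression being tested; returning `NT_STATUS_NOT_FOUND` from the final `return` would keep the two outcomes distinguishable. A one-line header comment, `/* Return NT_STATUS_OK iff base->primary_gid appears in base->groups.rids[] (validation levels 2, 3 and 6 only) */`, would document the contract. test_S4U2Self's signature and body continue past the end of the hunk.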
@@ -873,6 +909,17 @@ static bool test_S4U2Self(struct torture_context *tctx,
 
        torture_assert_ntstatus_ok(tctx, status, "make_user_info_dc_netlogon_validation failed");
 
+       /* Check that the primary group is present in validation's RID array */
+       status = check_primary_group_in_validation(tmp_ctx, r.in.validation_level, r.out.validation);
+       torture_assert_ntstatus_ok(tctx, status, "check_primary_group_in_validation failed");
+
+       /* Check that the primary group is not duplicated in user_info_dc SID array */
+       for (i = 2; i < netlogon_user_info_dc->num_sids; i++) {
+               torture_assert(tctx, !dom_sid_equal(&netlogon_user_info_dc->sids[1],
+                                                   &netlogon_user_info_dc->sids[i]),
+                              "Duplicate PrimaryGroupId in return SID array");
+       }
+
        torture_assert_str_equal(tctx, netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
                                 kinit_session_info->info->account_name, "Account name differs for kinit-based PAC");
        torture_assert_str_equal(tctx,netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
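Review bot: The duplicate check hard-codes that slot 1 of `netlogon_user_info_dc->sids` is the primary group SID and scans from slot 2, but nothing in the hunk establishes that layout or that slot 1 is really the SID derived from `primary_gid`, and when `num_sids` is below 2 the loop never runs so the assertion passes vacuously. A comment above the loop, `/* sids[0] is the account SID, sids[1] the primary-group SID; every later entry must differ from sids[1] */`, plus `torture_assert(tctx, netlogon_user_info_dc->num_sids >= 2, "user_info_dc lacks a primary group SID");` before it, would make the assumption explicit and fail loudly instead of silently. If the tree already exports named constants for those two indices, prefer them to the literals 1 and 2. The index `i` is presumably declared earlier in test_S4U2Self, which starts before and ends after this hunk.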