torture-lsa: cope with STATUS_SOME_UNMAPPED errors
authorAndrew Tridgell <tridge@samba.org>
Thu, 2 Sep 2010 08:41:45 +0000 (18:41 +1000)
committerAndrew Tridgell <tridge@samba.org>
Sat, 4 Sep 2010 02:29:10 +0000 (12:29 +1000)
Now that we support SePrintOperatorPrivilege, an interaction between
the spoolss tests and the privileges tests causes a failure. The
failure happens like this:

 - the spoolss.access test creates and then deletes an account with
   SePrintOperatorPrivilege privilege

 - this leaves the privileges database with an entry for a deleted
   account that is still visible via LSA calls. This is correct
   behaviour (verified against w2k8r2)

 - the lsa.privileges test then enumerates all accounts that have at
   least one privilege, and gets the SID for the deleted account

 - it then called LookupNames and LookupSids on this deleted account,
   and gets an error.

The fix is to not call LookupSids and LookupNames on sids which have
SID_NAME_UNKNOWN as the type

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

source4/torture/rpc/lsa.c

index 5d4f597fcb685b21ac151316c3e81ae68ff20e49..9283fc3e31f6454ce05849dd9574cbf3b97974b2 100644 (file)
@@ -176,19 +176,28 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
        struct lsa_String *names;
        uint32_t count = 0;
        int i;
+       uint32_t *input_idx;
 
        torture_comment(tctx, "\nTesting LookupNames with %d names\n", tnames->count);
 
        sids.count = 0;
        sids.sids = NULL;
 
+
+       r.in.num_names = 0;
+
+       input_idx = talloc_array(tctx, uint32_t, tnames->count);
        names = talloc_array(tctx, struct lsa_String, tnames->count);
+
        for (i=0;i<tnames->count;i++) {
-               init_lsa_String(&names[i], tnames->names[i].name.string);
+               if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
+                       init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
+                       input_idx[r.in.num_names] = i;
+                       r.in.num_names++;
+               }
        }
 
        r.in.handle = handle;
-       r.in.num_names = tnames->count;
        r.in.names = names;
        r.in.sids = &sids;
        r.in.level = 1;
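Review bot: Neither `input_idx` nor `names` is checked after `talloc_array()`, and the filter loop writes through both straight away, so an allocation failure becomes a NULL dereference inside the test rather than a reported failure. A single `torture_assert(tctx, input_idx != NULL && names != NULL, "talloc_array failed");` before the loop would cover it; the same applies to the matching hunks in test_LookupNames2, test_LookupNames3 and test_LookupNames4. It is also worth a comment on `input_idx`, e.g. `/* input_idx[k] = index in tnames of the k-th name actually sent */`, since the mapping is what keeps the later result checks aligned. The body of test_LookupNames continues outside this hunk.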
@@ -201,7 +210,7 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
                                   "LookupNames failed");
        if (NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED) ||
            NT_STATUS_EQUAL(r.out.result, NT_STATUS_NONE_MAPPED)) {
-               for (i=0;i< tnames->count;i++) {
+               for (i=0;i< r.in.num_names;i++) {
                        if (i < count && sids.sids[i].sid_type == SID_NAME_UNKNOWN) {
                                torture_comment(tctx, "LookupName of %s was unmapped\n",
                                       tnames->names[i].name.string);
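Review bot: The unmapped-name message still indexes `tnames->names[i]`, but after the filtering `sids.sids[i]` corresponds to `tnames->names[input_idx[i]]`, so once any SID_NAME_UNKNOWN entry has been skipped the log names the wrong account. The argument on the last line of the hunk should become `tnames->names[input_idx[i]].name.string`, as the commit already does for the later checks in this function. The loop body continues outside the hunk.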
@@ -219,22 +228,23 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
                return false;
        }
 
-       for (i=0;i< tnames->count;i++) {
+       for (i=0;i< r.in.num_names;i++) {
                if (i < count) {
-                       if (sids.sids[i].sid_type != tnames->names[i].sid_type) {
+                       if (sids.sids[i].sid_type != tnames->names[input_idx[i]].sid_type) {
                                torture_comment(tctx, "LookupName of %s got unexpected name type: %s\n",
-                                      tnames->names[i].name.string, sid_type_lookup(sids.sids[i].sid_type));
+                                               tnames->names[input_idx[i]].name.string,
+                                               sid_type_lookup(sids.sids[i].sid_type));
                                return false;
                        }
                        if ((sids.sids[i].sid_type == SID_NAME_DOMAIN) &&
                            (sids.sids[i].rid != (uint32_t)-1)) {
                                torture_comment(tctx, "LookupName of %s got unexpected rid: %d\n",
-                                       tnames->names[i].name.string, sids.sids[i].rid);
+                                       tnames->names[input_idx[i]].name.string, sids.sids[i].rid);
                                return false;
                        }
                } else if (i >=count) {
                        torture_comment(tctx, "LookupName of %s failed to return a result\n",
-                              tnames->names[i].name.string);
+                              tnames->names[input_idx[i]].name.string);
                        return false;
                }
        }
@@ -394,14 +404,22 @@ static bool test_LookupNames2(struct dcerpc_binding_handle *b,
 
        sids.count = 0;
        sids.sids = NULL;
+       uint32_t *input_idx;
+
+       r.in.num_names = 0;
 
+       input_idx = talloc_array(tctx, uint32_t, tnames->count);
        names = talloc_array(tctx, struct lsa_String, tnames->count);
+
        for (i=0;i<tnames->count;i++) {
-               init_lsa_String(&names[i], tnames->names[i].name.string);
+               if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
+                       init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
+                       input_idx[r.in.num_names] = i;
+                       r.in.num_names++;
+               }
        }
 
        r.in.handle = handle;
-       r.in.num_names = tnames->count;
        r.in.names = names;
        r.in.sids = &sids;
        r.in.level = 1;
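Review bot: `uint32_t *input_idx;` is declared here after the `sids.count`/`sids.sids` assignments, whereas the other three LookupNames hunks put it with the locals at the top of the function; this is a declaration after a statement and will warn or fail on builds that enforce C90-style declarations. Move it up next to `int i;`. Within this hunk `input_idx` is only written; if the result checks further down test_LookupNames2 (outside the hunk) index `tnames->names[]` by `i`, they need `input_idx[i]` as well.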
@@ -446,19 +464,26 @@ static bool test_LookupNames3(struct dcerpc_binding_handle *b,
        struct lsa_String *names;
        uint32_t count = 0;
        int i;
+       uint32_t *input_idx;
 
        torture_comment(tctx, "\nTesting LookupNames3 with %d names\n", tnames->count);
 
        sids.count = 0;
        sids.sids = NULL;
 
+       r.in.num_names = 0;
+
+       input_idx = talloc_array(tctx, uint32_t, tnames->count);
        names = talloc_array(tctx, struct lsa_String, tnames->count);
        for (i=0;i<tnames->count;i++) {
-               init_lsa_String(&names[i], tnames->names[i].name.string);
+               if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
+                       init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
+                       input_idx[r.in.num_names] = i;
+                       r.in.num_names++;
+               }
        }
 
        r.in.handle = handle;
-       r.in.num_names = tnames->count;
        r.in.names = names;
        r.in.sids = &sids;
        r.in.level = 1;
@@ -501,15 +526,23 @@ static bool test_LookupNames4(struct dcerpc_binding_handle *b,
        struct lsa_String *names;
        uint32_t count = 0;
        int i;
+       uint32_t *input_idx;
 
        torture_comment(tctx, "\nTesting LookupNames4 with %d names\n", tnames->count);
 
        sids.count = 0;
        sids.sids = NULL;
 
+       r.in.num_names = 0;
+
+       input_idx = talloc_array(tctx, uint32_t, tnames->count);
        names = talloc_array(tctx, struct lsa_String, tnames->count);
        for (i=0;i<tnames->count;i++) {
-               init_lsa_String(&names[i], tnames->names[i].name.string);
+               if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
+                       init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
+                       input_idx[r.in.num_names] = i;
+                       r.in.num_names++;
+               }
        }
 
        r.in.num_names = tnames->count;
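Review bot: The context line `r.in.num_names = tnames->count;` at the end of this hunk was left in place, so it overwrites the filtered count the new loop just computed. Unlike the LookupNames, LookupNames2 and LookupNames3 hunks, test_LookupNames4 will then send `tnames->count` names while only the first filtered entries of `names` were initialised; the remaining `struct lsa_String` slots are uninitialised `talloc_array` memory that gets marshalled into the request. Delete that line so the request length matches what was filled in. The rest of the function is outside the hunk.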
@@ -571,7 +604,8 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids_r(b, tctx, &r),
                "LookupSids failed");
-       if (!NT_STATUS_IS_OK(r.out.result)) {
+       if (!NT_STATUS_IS_OK(r.out.result) &&
+           !NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED)) {
                torture_comment(tctx, "LookupSids failed - %s\n",
                                nt_errstr(r.out.result));
                return false;
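Review bot: Accepting `STATUS_SOME_UNMAPPED` unconditionally here (and in the identical test_LookupSids2 hunk) lets any partial lookup failure pass, not just the deleted-account case the commit message describes. The check would stay meaningful if, on `STATUS_SOME_UNMAPPED`, the test verified that every unmapped entry in the reply has type `SID_NAME_UNKNOWN` for a SID that was expected to be unresolvable, and failed otherwise. At minimum add a comment such as `/* deleted accounts that still hold privileges are returned unmapped */` so the relaxed condition is not mistaken for a general tolerance. The reply handling continues outside the hunk.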
@@ -615,7 +649,8 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids2_r(b, tctx, &r),
                "LookupSids2 failed");
-       if (!NT_STATUS_IS_OK(r.out.result)) {
+       if (!NT_STATUS_IS_OK(r.out.result) &&
+           !NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED)) {
                torture_comment(tctx, "LookupSids2 failed - %s\n",
                                nt_errstr(r.out.result));
                return false;