s4: torture: samr: Add test for dcesrc_lsa_valid_AccountRight change.

Against ad_dc we get NT_STATUS_OK, but against nt_dc we get NT_STATUS_NO_SUCH_PRIVILEGE,
so check for both. We can't use TARGET_IS_SAMBA3() here as this is set for talking to smbd
even when run under the ad_dc.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 1d02bd25ef5c98ce2d03acdb5927c3a778760b00..b4dc417c2cafae061d0ca6a57b739270b0f722ff 100755 (executable)
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -458,6 +458,9 @@ for t in tests:
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER/compound_find -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
+    elif t == "rpc.samr.users.privileges":
+        plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:nt4_dc=true')
+        plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
     else:
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')

diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index dcdbb8ad5503fabba9fabd87543482615cede694..92861f4c8aaaba4f17fa4e060619fe25a75db7c9 100644 (file)
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -39,6 +39,7 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
+#include "torture/util.h"
 
 #define TEST_ACCOUNT_NAME "samrtorturetest"
 #define TEST_ACCOUNT_NAME_PWD "samrpwdlastset"
@@ -4777,6 +4778,41 @@ static bool test_DeleteUser_with_privs(struct dcerpc_pipe *p,
                        "Failed to add privileges");
        }
 
+       {
+               struct lsa_RightSet rights;
+               struct lsa_StringLarge names[2];
+               struct lsa_AddAccountRights r;
+
+               torture_comment(tctx, "Testing LSA AddAccountRights 1\n");
+
+               init_lsa_StringLarge(&names[0], "SeInteractiveLogonRight");
+               init_lsa_StringLarge(&names[1], NULL);
+
+               rights.count = 1;
+               rights.names = names;
+
+               r.in.handle = lsa_handle;
+               r.in.sid = user_sid;
+               r.in.rights = &rights;
+
+               torture_assert_ntstatus_ok(tctx, dcerpc_lsa_AddAccountRights_r(lb, tctx, &r),
+                       "lsa_AddAccountRights 1 failed");
+
+               if (torture_setting_bool(tctx, "nt4_dc", false)) {
+                       /*
+                        * The NT4 DC doesn't implement Rights.
+                        */
+                       torture_assert_ntstatus_equal(tctx, r.out.result,
+                               NT_STATUS_NO_SUCH_PRIVILEGE,
+                               "Add rights failed with incorrect error");
+               } else {
+                       torture_assert_ntstatus_ok(tctx, r.out.result,
+                               "Failed to add rights");
+
+               }
+       }
+
+
        {
                struct lsa_EnumAccounts r;
                uint32_t resume_handle = 0;
@@ -4810,6 +4846,14 @@ static bool test_DeleteUser_with_privs(struct dcerpc_pipe *p,
        {
                struct lsa_EnumAccountRights r;
                struct lsa_RightSet user_rights;
+               uint32_t expected_count = 2;
+
+               if (torture_setting_bool(tctx, "nt4_dc", false)) {
+                       /*
+                        * NT4 DC doesn't store rights.
+                        */
+                       expected_count = 1;
+               }
 
                torture_comment(tctx, "Testing LSA EnumAccountRights\n");
 
@@ -4822,7 +4866,7 @@ static bool test_DeleteUser_with_privs(struct dcerpc_pipe *p,
                torture_assert_ntstatus_ok(tctx, r.out.result,
                        "Failed to enum rights for account");
 
-               if (user_rights.count < 1) {
+               if (user_rights.count < expected_count) {
                        torture_result(tctx, TORTURE_FAIL, "failed to find newly added rights");
                        return false;
                }