pytest:sid_strings: test SIDs as search base

As a way of testing the interpretation of a SID string in a remote server, we search on the base DN "<SID=x>" where x is a non-existent or malformed SID. On Windows some or all malformed SIDs are detected before the search begins, resulting in a complaint about DN syntax rather than one about missing objects. From this we can get a picture of what Windows considers to be a proper SID in this context. Samba does not make a distinction here, always returning NO_SUCH_OBJECT. Signed-off-by: Douglas Bagnall <[email protected]> Reviewed-by: Andrew Bartlett <[email protected]>
tgl1986 · Apr 28, 2023 · 953ad43 · 953ad43
1 parent f66b0f8
commit 953ad43
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 0 deletions.
diff --git a/python/samba/tests/sid_strings.py b/python/samba/tests/sid_strings.py
@@ -399,6 +399,75 @@ class SidStringBehavioursThatSambaPrefers(SidStringBase):
     }
 
 
+@DynamicTestCase
+class SidStringsAsDnInSearchBase(SidStringBase):
+    """How does a bad <SID=x> dn work as a search base, if at all?
+
+    This suggests that Windows does the SID parsing
+    (INVALID_DN_SYNTAX) before starting the search (NO_SUCH_OBJECT).
+
+    Currently Samba does not.
+    """
+    skip_local = True
+    cases = {' S-1-1-1-1-1-1-1': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-0-5-32-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-000000000001-5-20-243': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-000000001-5-32-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-01-05-020-0243': ldb.ERR_NO_SUCH_OBJECT,
+             'S-01-5-32-11579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-0x1-0-0-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-0x1-0x5-020-0243': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-0x1-5-20-243': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-0x1-5-40-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-0x1-500000000-20-243': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-1-0': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-0-0-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-0x05-32-11579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-0x5-0x20-0x243': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-0x50000000-32-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-0x500000000-0x500000000-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-0x500000000-32-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-0xABcDef123-0xABCDef123-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-1-1-1-1-1-1': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-21474836480-32-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-22': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-22-1': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-22-1-0': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-281474976710655-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-281474976710656-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-1-3-0': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-3-99': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-5-0-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-5-040-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-5-0x20-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-5-11111111111111111111111111111111111-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-1-5-18446744073709551615-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-1-5-18446744073709551616-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-1-5-3 2-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-5-32 -11111579': None,
+             'S-1-5-32- 579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-1-5-32--579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-1-5-32-11579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-5-4294967295-579': ldb.ERR_NO_SUCH_OBJECT,
+             'S-1-5-9999999999-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-1-99999999999999999999999999999999999999-32-11111111111': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-10-5-32-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'S-2-5-32-579': ldb.ERR_INVALID_DN_SYNTAX,
+             's-1-5-32-579': ldb.ERR_INVALID_DN_SYNTAX,
+             'AA': ldb.ERR_INVALID_DN_SYNTAX,
+        }
+
+    def _test_sid_string_with_args(self, code, expected):
+        try:
+            self.ldb.search(base=f"<SID={code}>",
+                            scope=ldb.SCOPE_BASE,
+                            attrs=[])
+        except ldb.LdbError as e:
+            self.assertEqual(e.args[0], expected)
+        else:
+            self.assertIsNone(expected)
+
+
 if __name__ == '__main__':
     global_asn1_print = False
     global_hexdump = False

diff --git a/selftest/knownfail.d/sid-strings b/selftest/knownfail.d/sid-strings
@@ -49,6 +49,13 @@
 ^samba.tests.sid_strings.+.SidStringTests.test_sid_string_internal_Aa.ad_dc
 ^samba.tests.sid_strings.+.SidStringTests.test_sid_string_internal_aA.ad_dc
 ^samba.tests.sid_strings.+.SidStringTests.test_sid_string_internal_aa.ad_dc
+^samba.tests.sid_strings.+.SidStringsAsDnInSearchBase.test_sid_string_S-0-5-32-579.ad_dc
+^samba.tests.sid_strings.+.SidStringsAsDnInSearchBase.test_sid_string_S-000000000001-5-20-243.ad_dc
+^samba.tests.sid_strings.+.SidStringsAsDnInSearchBase.test_sid_string_S-000000001-5-32-579.ad_dc
+^samba.tests.sid_strings.+.SidStringsAsDnInSearchBase.test_sid_string_S-1-3-0.ad_dc
+^samba.tests.sid_strings.+.SidStringsAsDnInSearchBase.test_sid_string_S-1-5-3.2-579.ad_dc
+^samba.tests.sid_strings.+.SidStringsAsDnInSearchBase.test_sid_string_S-10-5-32-579.ad_dc
+^samba.tests.sid_strings.+.SidStringsAsDnInSearchBase.test_sid_string_S-2-5-32-579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_.S-1-1-1-1-1-1-1.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-0.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-0x05-32-579.ad_dc