s4-torture: add a special check for administrators and privileges

lsa privileges calls don't expand groups. darn.

source4/torture/basic/denytest.c

@@ -2715,17 +2715,17 @@ bool torture_maximum_allowed(struct torture_context *tctx,
 
 	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
 
-	status = smblsa_sid_check_privilege(cli, 
-					    owner_sid, 
-					    sec_privilege_name(SEC_PRIV_RESTORE));
+	status = torture_check_privilege(cli, 
+					 owner_sid, 
+					 sec_privilege_name(SEC_PRIV_RESTORE));
 	has_restore_privilege = NT_STATUS_IS_OK(status);
 	torture_comment(tctx, "Checked SEC_PRIV_RESTORE for %s - %s\n", 
 			owner_sid,
 			has_restore_privilege?"Yes":"No");
 
-	status = smblsa_sid_check_privilege(cli, 
-					    owner_sid, 
-					    sec_privilege_name(SEC_PRIV_BACKUP));
+	status = torture_check_privilege(cli, 
+					 owner_sid, 
+					 sec_privilege_name(SEC_PRIV_BACKUP));
 	has_backup_privilege = NT_STATUS_IS_OK(status);
 	torture_comment(tctx, "Checked SEC_PRIV_BACKUP for %s - %s\n", 
 			owner_sid,

source4/torture/raw/acls.c

@@ -778,21 +778,21 @@ static bool test_generic_bits(struct torture_context *tctx,
 
 	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_RESTORE));
 	has_restore_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
 	has_take_ownership_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
 
@@ -943,21 +943,21 @@ static bool test_generic_bits(struct torture_context *tctx,
 
 	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_RESTORE));
 	has_restore_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
 	has_take_ownership_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
 
@@ -1132,21 +1132,21 @@ static bool test_owner_bits(struct torture_context *tctx,
 
 	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_RESTORE));
 	has_restore_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
 	has_take_ownership_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
 

source4/torture/util.h

@@ -93,5 +93,8 @@ NTSTATUS torture_second_tcon(TALLOC_CTX *mem_ctx,
 			     struct smbcli_tree **res);
 
 
+NTSTATUS torture_check_privilege(struct smbcli_state *cli, 
+				 const char *sid_str,
+				 const char *privilege);
 
 #endif /* _TORTURE_UTIL_H_ */

source4/torture/util_smb.c

@@ -33,6 +33,8 @@
 #include "auth/credentials/credentials.h"
 #include "libcli/resolve/resolve.h"
 #include "param/param.h"
+#include "libcli/security/security.h"
+#include "libcli/util/clilsa.h"
 
 
 /**
@@ -927,3 +929,37 @@ NTSTATUS torture_second_tcon(TALLOC_CTX *mem_ctx,
 	talloc_free(tmp_ctx);
 	return NT_STATUS_OK;
 }
+
+/* 
+   a wrapper around smblsa_sid_check_privilege, that tries to take
+   account of the fact that the lsa privileges calls don't expand
+   group memberships, using an explicit check for administrator. There
+   must be a better way ...
+ */
+NTSTATUS torture_check_privilege(struct smbcli_state *cli, 
+				 const char *sid_str,
+				 const char *privilege)
+{
+	struct dom_sid *sid;
+	TALLOC_CTX *tmp_ctx = talloc_new(cli);
+	uint32_t rid;
+	NTSTATUS status;
+
+	sid = dom_sid_parse_talloc(tmp_ctx, sid_str);
+	if (sid == NULL) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_INVALID_SID;
+	}
+
+	status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
+	NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
+
+	if (rid == DOMAIN_RID_ADMINISTRATOR) {
+		/* assume the administrator has them all */
+		return NT_STATUS_OK;
+	}
+
+	talloc_free(tmp_ctx);
+
+	return smblsa_sid_check_privilege(cli, sid_str, privilege);
+}