CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors

This favors a test that confirms we got an error over getting exactly
the right error, at least for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

selftest/knownfail.d/uac_objectclass_restrict

@@ -22,10 +22,6 @@
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_mod_lock_UF_WORKSTATION_TRUST_ACCOUNT_computer_replace\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_unrelated_modify_UF_NORMAL_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_unrelated_modify_UF_WORKSTATION_TRUST_ACCOUNT\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_deladd_priv\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_deladd_wp\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_replace_priv\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_replace_wp\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_add_UF_INTERDOMAIN_TRUST_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_add_UF_NORMAL_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_add_UF_NORMAL_ACCOUNT_UF_PASSWD_NOTREQD\(ad_dc_default\)

selftest/knownfail.d/user_account_control

@@ -1 +0,0 @@
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_add_computer_cc_normal_bare.ad_dc_default

source4/dsdb/tests/python/user_account_control.py

@@ -483,7 +483,8 @@ class UserAccountControlTests(samba.tests.TestCase):
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_NORMAL_ACCOUNT),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+        self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                   ldb.ERR_UNWILLING_TO_PERFORM],
                                   f"Unexpectedly able to set userAccountControl to be an Normal "
                                   "account without |UF_PASSWD_NOTREQD Unexpectedly able to "
                                   "set userAccountControl to be a workstation on {m.dn}",
@@ -1203,12 +1204,14 @@ class UserAccountControlTests(samba.tests.TestCase):
             samdb.modify(m)
         elif (account_type == UF_NORMAL_ACCOUNT) and \
                (account_type2 == UF_SERVER_TRUST_ACCOUNT) and not priv:
-                self.assertRaisesLdbError(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                           ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS],
                                           f"Should have been unable to change {account_type_str} to {account_type2_str}",
                                           samdb.modify, m)
         elif (account_type == UF_NORMAL_ACCOUNT) and \
                (account_type2 == UF_SERVER_TRUST_ACCOUNT) and priv:
-                self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+                self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                           ldb.ERR_UNWILLING_TO_PERFORM],
                                           f"Should have been unable to change {account_type_str} to {account_type2_str}",
                                           samdb.modify, m)
         elif (account_type == UF_WORKSTATION_TRUST_ACCOUNT) and \
@@ -1281,7 +1284,8 @@ class UserAccountControlTests(samba.tests.TestCase):
             m["1objectclass"] = ldb.MessageElement(new_objectclass,
                                                    ldb.FLAG_MOD_ADD, "objectclass")
 
-        self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+        self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                   ldb.ERR_UNWILLING_TO_PERFORM],
                                   "Should have been unable Able to change objectclass of a {objectclass}",
                                   self.admin_samdb.modify, m)