From fe8ce9e34e35a61acf9114b2c3e52d2a63d2944c Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Thu, 13 Apr 2023 12:17:28 +1200
Subject: [PATCH] pytest:sid_strings: Do bad SIDs fail differently in simple-bind? No. That's good and expected because a failure here should fall back to the next thing in the simple bind pecking order (canonical names).
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/sid_strings.py | 36 +++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/python/samba/tests/sid_strings.py b/python/samba/tests/sid_strings.py
index e4e11efd12b..5ff1edc0642 100644
--- a/python/samba/tests/sid_strings.py
+++ b/python/samba/tests/sid_strings.py
@@ -565,6 +565,42 @@ class SidStringsAsDnInSearchFilter(SidStringBase):
 self.fail(f"expected no failure, got {e}")
+@DynamicTestCase
+class SidStringsForSimpleBind(SidStringBase):
+ """Check whether dodgy SID strings work differently for simple-bind.
+
+ One of the many fallbacks for ldap simple bind is SID strings. We
+ just want to ensure that SIDs that might fail strangely in SID
+ parsing don't leak that strangeness (they don't).
+ """
+ skip_local = True
+ # here we are testing only the SID-like SIDs ("S-1-...", not "AA")
+ cases = {}
+ cases.update(SidStringsThatStartWithS.cases)
+ cases.update(SidStringBehavioursThatSambaPrefers.cases)
+
+ @classmethod
+ def setUpClass(cls):
+ super().setUpClass()
+ server = os.environ['DC_SERVER']
+ cls.lp = param.LoadParm()
+ cls.host = f'ldap://{server}'
+
+ def _test_sid_string_with_args(self, code, _dummy):
+ bind_creds = Credentials()
+ bind_creds.set_username(code)
+ bind_creds.set_password("please")
+
+ try:
+ SamDB(url=self.host,
+ lp=self.lp,
+ credentials=bind_creds)
+ self.fail(f"{code} seems to have connected properly")
+ except ldb.LdbError as e:
+ num, msg = e.args
+ self.assertIn("NT_STATUS_INVALID_PARAMETER", msg)
+
+
 if __name__ == '__main__':
 global_asn1_print = False
 global_hexdump = False
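Review bot: In `_test_sid_string_with_args` the `except` branch unpacks `num, msg = e.args` but never checks `num`, so the test pins only the `NT_STATUS_INVALID_PARAMETER` substring of the message. It would still pass if some SID strings were rejected with a different result code, which is exactly the kind of difference the class docstring says should not leak. Consider asserting `num` as well, against the code a failed simple bind returns in this environment (presumably `ldb.ERR_INVALID_CREDENTIALS`, to be confirmed), or write `_, msg = e.args` so the omission is visibly deliberate. A short comment on the method, such as `# the expected-value half of each case is unused: every string must be rejected the same way`, would also explain why `_dummy` is ignored.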