abartlet at samba.org
Thu Jun 4 05:59:58 GMT 2009
I've been reviewing the RPC-SAMR-LARGE-DC test, and I don't think we
should try and hold Samba4 to it's strict behaviours.
The test relies for it's verification on the behaviour of the
SamrQueryInformationDomain call (we call this samr_QueryDomainInfo), and
the 'general information' level.
Looking in the MS-SAMR document, the accuracy of the returned numbers is
defined in 126.96.36.199.1.1 as:
> 5. The Buffer.General.UserCount field SHOULD<49> be the count of
> objects with the objectClass
> user (or derived from user). The accuracy is bounded by the
> requirement that if there is at least
> one user object, the value MUST be greater than 0.
The Windows behaviour note is:
> <49> Section 188.8.131.52.1.1: On non-DC configurations, the exact value is
> returned. On DC
> configurations, Windows estimates this count.
Given this behaviour, we can't make this test pass against a Windows
2008 domain controller. Also, it means that no client would be relying
on this for an exact value return.
Sadly, it seems it is not possible to use these totals (even when
accurate) for groups and aliases. The definition provided in MS-ATDS
for what groups are included in the count (184.108.40.206.1.1:
groupType=GROUP_TYPE_SECURITY_ACCOUNT) does not match the definition for
enumeration (220.127.116.11.3: groupType attribute value MUST be one of
GROUP_TYPE_SECURITY_UNIVERSAL or GROUP_TYPE_SECURITY_ACCOUNT)
I'll patch up the easy cases - mistakes in the test - but I have serious
reservations about having tests in smbtorture that cannot be verified
against windows domains, and can't see how the groups and aliases test
can still remain.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20090604/464b13ce/attachment.bin
More information about the samba-technical