About failed test sDRightsEffective in your branch

Nadezhda Ivanova nivanova at samba.org
Mon Apr 19 17:34:11 MDT 2010


Hi Andrew,
The reason this test fails is that, in order to create sDRightsEffective,
we check if the user has SEC_PRIV_SECURITY privilege. We assign that
privilege by making the user a member of Domain Admins - this group has this
privilege. We make the user a member like this:

            self.enable_account(user_dn)
            ldif = """
dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn
            self.ldb_admin.modify_ldif(ldif)

However, it seems that in your branch the privilege mask of the token is not
created correctly: it is all 0, and so security_token_has_privilege returns
false, causing the access check to fail. (access_check.c, line 205)

Here is what the security token of the user looks like at the same place, in
master:
Security context:     : struct security_token
        user_sid                 : *
            user_sid                 : S-1-5-21-743035996-1693332465-764320900-1009
        group_sid                : *
            group_sid                : S-1-5-21-743035996-1693332465-764320900-513
        num_sids                 : 0x00000009 (9)
        sids: ARRAY(9)
            sids                     : *
                sids                     : S-1-5-21-743035996-1693332465-764320900-1009
            sids                     : *
                sids                     : S-1-5-21-743035996-1693332465-764320900-513
            sids                     : *
                sids                     : S-1-1-0
            sids                     : *
                sids                     : S-1-5-2
            sids                     : *
                sids                     : S-1-5-11
            sids                     : *
                sids                     : S-1-5-32-545
            sids                     : *
                sids                     : S-1-5-21-743035996-1693332465-764320900-512
            sids                     : *
                sids                     : S-1-5-32-544
            sids                     : *
                sids                     : S-1-5-21-743035996-1693332465-764320900-572
        privilege_mask           : 0x0000000000ffffff (16777215)


And here it is in your branch:

Security context:     : struct security_token
        user_sid                 : *
            user_sid                 : S-1-5-21-743035996-1693332465-764320900-1011
        group_sid                : *
            group_sid                : S-1-5-21-743035996-1693332465-764320900-513
        num_sids                 : 0x00000008 (8)
        sids: ARRAY(8)
            sids                     : *
                sids                     : S-1-5-21-743035996-1693332465-764320900-1011
            sids                     : *
                sids                     : S-1-5-21-743035996-1693332465-764320900-513
            sids                     : *
                sids                     : S-1-1-0
            sids                     : *
                sids                     : S-1-5-2
            sids                     : *
                sids                     : S-1-5-11
            sids                     : *
                sids                     : S-1-5-21-743035996-1693332465-764320900-512
            sids                     : *
                sids                     : S-1-5-21-743035996-1693332465-764320900-572
            sids                     : *
                sids                     : S-1-5-32-545
        privilege_mask           : 0x0000000000000000 (0)

The user SID is different because the test creates and deletes the user
every time. Other than that, the S-1-5-32-544 (Administrators) is missing,
which may be the cause of the privilege mask being all 0.


I hope this helps.

Regards,
Nadya
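
Added example, not part of the original message and not Samba code: a small parser that compares two security_token dumps in the layout quoted above, ignoring the per-run user SID and tolerating SIDs wrapped onto their own line. The helper names (make_dump, parse_token, compare) and the placeholder domain SID are assumptions made for illustration.

```python
import re

SID_RE = re.compile(r"S-1(?:-\d+)+")
MASK_RE = re.compile(r"privilege_mask\s*:\s*0x([0-9a-fA-F]+)")

def make_dump(sids, mask):
    """Build a constructed dump; domain SIDs are wrapped as a mailer would."""
    rows = "".join(
        "            sids                     : *\n"
        "                sids                     :%s%s\n"
        % ("\n" if s.startswith("S-1-5-21-") else " ", s) for s in sids)
    return ("Security context:     : struct security_token\n"
            "        sids: ARRAY(%d)\n%s"
            "        privilege_mask           : 0x%016x (%d)\n"
            % (len(sids), rows, mask, mask))

def parse_token(dump):
    """Return (set of group SIDs, privilege mask) from a token dump."""
    in_array, sids, mask = False, [], None
    for line in dump.splitlines():
        m = MASK_RE.search(line)
        if m:
            mask = int(m.group(1), 16)
        elif "sids: ARRAY" in line:
            in_array = True
        elif in_array:
            # Scanning every line also picks up SIDs wrapped onto their own line.
            sids += SID_RE.findall(line)
    if mask is None:
        raise ValueError("no privilege_mask field in dump")
    # sids[0] is the user SID, which changes on every test run; skip it.
    return set(sids[1:]), mask

def compare(good_dump, bad_dump):
    """Group SIDs and privilege bits present only in the good token."""
    good_sids, good_mask = parse_token(good_dump)
    bad_sids, bad_mask = parse_token(bad_dump)
    return sorted(good_sids - bad_sids), good_mask & ~bad_mask

# Constructed sample tokens; D is a placeholder domain SID, not a real one.
D = "S-1-5-21-1-2-3"
GOOD = make_dump([D + "-1009", D + "-513", "S-1-1-0", D + "-512",
                  "S-1-5-32-544"], 0xffffff)
BAD = make_dump([D + "-1011", D + "-513", "S-1-1-0", D + "-512"], 0)

if __name__ == "__main__":
    missing, lost = compare(GOOD, BAD)
    print("missing SIDs:", missing, "lost privilege bits: 0x%x" % lost)
```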
