[PATCH] DsReplGetInfo() for DS_REPL_INFO_REPSTO infoType
erick.nogueira.nascimento at gmail.com
Fri Feb 12 10:25:14 MST 2010
Sorry for the late reply.
I was working on the DS_REPL_INFO_METADATA_FOR_OBJ infoType when I
received your message, that is why I didn't reply earlier.
I've fixed the things you said, and some few others.
The fixes are on the last commit of my repo:
> > On the torture test for DsGetReplInfo(), torture/rpc/dsgetinfo.c,
> > the request for the DRSUAPI_DS_REPLICA_INFO_OBJ_METADATA infoType returns
> > WERR_UNKNOWN_LEVEL (the right value, because samba doesn't that infoType
> > yet),
> > but the test stops at this infoType (it says expected WERR_OK), and
> > doesn't run the other ones. How can I make it continue and test the other
> > infoTypes ?
> If you look at the test_getinfo() code, you'll see that it tries to
> cope with this by looking for DCERPC_FAULT_INVALID_TAG and just
> reporting that the server doesn't support that info level if it sees
> that error code. The reason that doesn't work with Samba is that Samba
> does have the info level in our IDL file, so we pass the NDR parsing
> layer, and thus do not produce a RPC fault.
> So I'd suggest that you modify the test_getinfo() code to look for
> WERR_INVALID_LEVEL, and if it gets that return then just print a
> warning and increment a counter of failed levels. Then return false at
> the end of the function if that counter is != 0.
I've commented the call to torture_drsuapi_assert_call() on test_getinfo(),
because some infoTypes require a DN to be specified on the request,
and there is no DN yet
on the request for these infoTypes. So, while the torture test is not
complete, and for the ease
of testing, I've comment that call.
> > I've seen that someone (maybe you, I'm not right) modified
> > dcesrv_drsuapi_DsReplicaGetInfo()
> > on dcesrv_drsuapi.c such that the user level must be at least
> > SECURITY_ADMINISTRATOR, is that right?
> that's right
> > If so, that must be the same required level for other calls, for example
> > dcesrv_drsuapi_DsReplicaSync() and dcesrv_drsuapi_DsExecuteKCC(), right?
> DsReplicaSync() already checked for authorization by calling
> drs_security_level_check() which checks that the caller is a domain
> controller. DsExecuteKCC() makes the same check.
> It is possible that we should change these to allow administrators to
> make these calls. Can you test against Windows and see if
> administrators can make all these calls? If they can, then we should
> add a common function that checks for SECURITY_ADMINISTRATOR and use
> that common function in these various drs functions.
I've called DsGetReplInfo() for all infoTypes against w2k8-r2, using smbtorture
with Administrator credentials, and it accepted all the calls.
Actually, the calls for the METADATA_FOR_OBJ, METADATA_2_FOR_OBJ,
METADATA_FOR_ATTR_VALUE and METADATA_2_FOR_ATTR_VALUE infoTypes return
WERR_INVALID_PARAM, before the access checking is made. So I don't
know exactly if they would accept the SECURITY_ADMINISTRATOR user
level on AccessCheckAttr() and AccessCheckCAR() functions for these
infoTypes (see MS-DRSR 18.104.22.168).
Erick Nogueira do Nascimento
Institute of Computing
Campinas State University
More information about the samba-technical