How to add SeBackup privilege for make test user ?

Andrew Bartlett abartlet at samba.org
Fri Oct 26 18:23:41 MDT 2012 

On Fri, 2012-10-26 at 16:05 -0700, Jeremy Allison wrote:
> On Fri, Oct 26, 2012 at 12:44:02PM +1100, Andrew Bartlett wrote:
> > On Thu, 2012-10-25 at 16:48 -0700, Jeremy Allison wrote:
> > > Hi Andrew and Jelmer,
> > > 
> > > I'm adding a regression test for my fix for the crash
> > > in smbd when doing a listing for a user with SeBackup
> > > privilege.
> > > 
> > > However this depends on the test user being used in
> > > the source3/script/tests/test_smbclient_s3.sh test
> > > scripts having SeBackup privilege assigned.
> > > 
> > > We seem to only create the one test user ($USER)
> > > who is logged in, and that user doesn't have
> > > SeBackup privilege. How do I fix that ?
> > > 
> > > When I do:
> > > 
> > > net rpc rights grant $USERNAME SeBackupPrivilege -U$USERNAME%$PASSWORD -I $SERVER_IP
> > > 
> > > before trying the backup list, I get:
> > > 
> > > Could not connect to server 127.0.0.2
> > > The username or password was not correct.
> > > Connection failed: NT_STATUS_LOGON_FAILURE
> > > 
> > > which is plainly incorrect as this is the
> > > same user and password that smbclient uses
> > > (although I'm not sure if this user has the
> > > rights to add SeBackupPrivilege).
> > > 
> > > Any clues here ?
> > 
> > Two thoughts come to mind:
> > 
> > if you run the test in plugin_s4_dc, you will probably have the
> > privileges already, which might unblock you.
> 
> I don't think plugin_s4_dc has the smbclient tests setup,
> so that makes it harder, unless you can show me how to run
> an smbclient test there.

Tests are declared against environments by (in this case)
source3/selftest/tests.py.  See for example how on line 213 we loop over
a list of environments.

>From memory, it might be due to some winbind stuff that we don't support
in the AD DC that is why that test isn't run at the moment. 

> > On why 'net rpc rights': the command you are running is missing
> > $ADDARGS, which contains a pointer to the smb.conf (we need a test
> > smb.conf, not the system default), and missing that might be why it
> > fails. 
> > 
> > Otherwise, playing around with make testenv is often very helpful for
> > this kind of thing.
> > 
> > SELFTEST_TESTENV=s3dc make testenv
> 
> Thanks, that helped a lot.
> 
> > We can also create more test users if you want, but it's a little
> > involved in the s3dc case.  For a privileges test, it might be worth
> > it. 
> 
> Actually, for the Samba3 case it looks like it's easier
> to use tdbtool to directly insert the privilege record
> in account_policy.tdb. That way I can add the changes
> into source3/script/tests/test_smbclient_s3.sh, which has
> all the smbclient infrastructure setup.

What about using 'net sam rights'?  We shouldn't need to resort to
tdbtool. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list