[PATCH 3/3] dbcheck: Add check and test for various invalid userParameters values

abartlet at samba.org abartlet at samba.org
Wed Jun 18 23:13:16 MDT 2014


From: Andrew Bartlett <abartlet at samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8077
Change-Id: I6f2f4169856ce78c62e3a7e74b48520cca9cb9ae
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/dbchecker.py                |  90 ++++++++++++++++++
 testprogs/blackbox/dbcheck-oldrelease.sh | 154 +++++++++++++++++++++++++++++++
 2 files changed, 244 insertions(+)

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index c658610..5c8d785 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -20,6 +20,7 @@
 import ldb
 import samba
 import time
+from base64 import b64decode
 from samba import dsdb
 from samba import common
 from samba.dcerpc import misc
@@ -64,6 +65,9 @@ class dbcheck(object):
         self.fix_replmetadata_zero_invocationid = False
         self.fix_deleted_deleted_objects = False
         self.fix_dn = False
+        self.fix_base64_userparameters = False
+        self.fix_utf8_userparameters = False
+        self.fix_doubled_userparameters = False
         self.reset_well_known_acls = reset_well_known_acls
         self.reset_all_well_known_acls = False
         self.in_transaction = in_transaction
@@ -522,6 +526,58 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                           "Failed to correct missing instanceType on %s by setting instanceType=%d" % (obj.dn, calculated_instancetype)):
             self.report("Corrected instancetype on %s by setting instanceType=%d" % (obj.dn, calculated_instancetype))
 
+    def err_short_userParameters(self, obj, attrname, value):
+        # This is a truncated userParameters due to a pre 4.1 replication bug
+        self.report("ERROR: incorrect userParameters value on object %s.  If you have another working DC that does not give this warning, please run 'samba-tool drs replicate --full-sync --local <destinationDC> <sourceDC> %s'" % (obj.dn, self.samdb.get_nc_root(obj.dn)))
+
+    def err_base64_userParameters(self, obj, attrname, value):
+        '''handle a wrong userParameters'''
+        self.report("ERROR: wrongly formatted userParameters %s on %s, should not be base64-encoded" % (value, obj.dn))
+        if not self.confirm_all('Convert userParameters from base64 encoding on %s?' % (obj.dn), 'fix_base64_userparameters'):
+            self.report('Not changing userParameters from base64 encoding on %s' % (obj.dn))
+            return
+
+        m = ldb.Message()
+        m.dn = obj.dn
+        m['value'] = ldb.MessageElement(b64decode(obj[attrname][0]), ldb.FLAG_MOD_REPLACE, 'userParameters')
+        if self.do_modify(m, [],
+                          "Failed to correct base64-encoded userParameters on %s by converting from base64" % (obj.dn)):
+            self.report("Corrected base64-encoded userParameters on %s by converting from base64" % (obj.dn))
+
+    def err_utf8_userParameters(self, obj, attrname, value):
+        '''handle a wrong userParameters'''
+        self.report("ERROR: wrongly formatted userParameters on %s, should not be psudo-UTF8 encoded" % (obj.dn))
+        if not self.confirm_all('Convert userParameters from UTF8 encoding on %s?' % (obj.dn), 'fix_utf8_userparameters'):
+            self.report('Not changing userParameters from UTF8 encoding on %s' % (obj.dn))
+            return
+
+        m = ldb.Message()
+        m.dn = obj.dn
+        m['value'] = ldb.MessageElement(obj[attrname][0].decode('utf8').encode('utf-16-le'),
+                                        ldb.FLAG_MOD_REPLACE, 'userParameters')
+        if self.do_modify(m, [],
+                          "Failed to correct psudo-UTF8 encoded userParameters on %s by converting from UTF8" % (obj.dn)):
+            self.report("Corrected psudo-UTF8 encoded userParameters on %s by converting from UTF8" % (obj.dn))
+
+    def err_doubled_userParameters(self, obj, attrname, value):
+        '''handle a wrong userParameters'''
+        self.report("ERROR: wrongly formatted userParameters on %s, should not be double UTF16 encoded" % (obj.dn))
+        if not self.confirm_all('Convert userParameters from doubled UTF-16 encoding on %s?' % (obj.dn), 'fix_doubled_userparameters'):
+            self.report('Not changing userParameters from doubled UTF-16 encoding on %s' % (obj.dn))
+            return
+
+        m = ldb.Message()
+        m.dn = obj.dn
+        m['value'] = ldb.MessageElement(obj[attrname][0].decode('utf-16-le').decode('utf-16-le').encode('utf-16-le'),
+                                        ldb.FLAG_MOD_REPLACE, 'userParameters')
+        if self.do_modify(m, [],
+                          "Failed to correct doubled-UTF16 encoded userParameters on %s by converting" % (obj.dn)):
+            self.report("Corrected doubled-UTF16 encoded userParameters on %s by converting" % (obj.dn))
+
+    def err_odd_userParameters(self, obj, attrname):
+        # This is a truncated userParameters due to a pre 4.1 replication bug
+        self.report("ERROR: incorrect userParameters value on object %s (odd length).  If you have another working DC that does not give this warning, please run 'samba-tool drs replicate --full-sync --local <destinationDC> <sourceDC> %s'" % (obj.dn, self.samdb.get_nc_root(obj.dn)))
+
     def find_revealed_link(self, dn, attrname, guid):
         '''return a revealed link in an object'''
         res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=[attrname],
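Review bot: `err_odd_userParameters` is declared as `(self, obj, attrname)`, but the caller added in the later hunk of this file passes a third argument (`obj[attrname]`), so the odd-length branch would raise a TypeError instead of reporting. The signature should be `def err_odd_userParameters(self, obj, attrname, value):`, matching the other four handlers. Separately, the three fixers convert stored directory data with `b64decode(...)`, `.decode('utf8')` and a chained `.decode('utf-16-le')` without catching anything, and each is selected on a short prefix match only. A value whose remainder is not valid in that encoding would presumably abort the whole `--fix` run with a traceback, so catching the conversion error and reporting the object as not automatically fixable would keep the check going. The report and prompt strings also spell "psudo-UTF8" where "pseudo-UTF8" is meant.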
@@ -1164,6 +1220,40 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                     error_count += 1
                 continue
 
+            if str(attrname).lower() == 'userparameters':
+                if len(obj[attrname][0]) == 1 and obj[attrname][0][0] == '\x20':
+                    error_count += 1
+                    self.err_short_userParameters(obj, attrname, obj[attrname])
+                    continue
+
+                elif obj[attrname][0][:16] == '\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00':
+                    # This is the correct, normal prefix
+                    continue
+
+                elif obj[attrname][0][:20] == 'IAAgACAAIAAgACAAIAAg':
+                    # this is the typical prefix from a windows migration
+                    error_count += 1
+                    self.err_base64_userParameters(obj, attrname, obj[attrname])
+                    continue
+                
+                elif obj[attrname][0][1] != '\x00' and obj[attrname][0][3] != '\x00' and obj[attrname][0][5] != '\x00' and obj[attrname][0][7] != '\x00' and obj[attrname][0][9] != '\x00':
+                    # This is a prefix that is not in UTF-16 format for the space or munged dialback prefix
+                    error_count += 1
+                    self.err_utf8_userParameters(obj, attrname, obj[attrname])
+                    continue
+
+                elif len(obj[attrname][0]) % 2 != 0:
+                    # This is a value that isn't even in length
+                    error_count += 1
+                    self.err_odd_userParameters(obj, attrname, obj[attrname])
+                    continue
+
+                elif obj[attrname][0][1] == '\x00' and obj[attrname][0][2] == '\x00' and obj[attrname][0][3] == '\x00' and obj[attrname][0][4] != '\x00' and obj[attrname][0][5] == '\x00':
+                    # This is a prefix that would happen if a SAMR-written value was replicated from a Samba 4.1 server to a working server
+                    error_count += 1
+                    self.err_doubled_userParameters(obj, attrname, obj[attrname])
+                    continue
+
             # check for empty attributes
             for val in obj[attrname]:
                 if val == '':
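Review bot: The branches from `obj[attrname][0][1] != '\x00'` onward index fixed offsets up to 9 without checking the value's length. A stored userParameters shorter than ten bytes, other than the single-space case handled first, would raise IndexError and stop dbcheck on that object instead of being reported. Binding `val = obj[attrname][0]` once and adding a guard ahead of the indexed tests would cover this, for example `elif len(val) < 10:` routed to `err_short_userParameters`, if that message is the intended one for such values. A comment on the UTF-8 heuristic explaining why it must run before the odd-length test would also help, since the ordering decides which fix is offered. The enclosing loop starts and ends outside this hunk.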
diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
index fbc9e9b..d59c8a8 100755
--- a/testprogs/blackbox/dbcheck-oldrelease.sh
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
@@ -15,6 +15,11 @@ shift 2
 
 release_dir=`dirname $0`/../../source4/selftest/provisions/$RELEASE
 
+ldbmodify="ldbmodify"
+if [ -x "$BINDIR/ldbmodify" ]; then
+    ldbmodify="$BINDIR/ldbmodify"
+fi
+
 undump() {
        if test -x $BINDIR/tdbrestore;
        then
@@ -24,6 +29,109 @@ undump() {
        fi
 }
 
+add_userparameters0() {
+       if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+	   $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
+dn: cn=localdc,cn=domain controllers,dc=release-4-1-0rc3,dc=samba,dc=corp
+changetype: modify
+replace: userParameters
+userParameters:: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
+ AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACAAB
+ AEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZw
+ BGAGwAYQBnAHMAMQAwMGUwMDAxMBYACAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawAwMDAw
+ MDAwMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKAAIAAEAQwB0AHgATQBhAH
+ gAQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBh
+ AHgARABpAHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQw
+ B0AHgATQBhAHgASQBkAGwAZQBUAGkAbQBlADAwMDAwMDAwIgAIAAEAQwB0AHgASwBlAHkA
+ YgBvAGEAcgBkAEwAYQB5AG8AdQB0ADAwMDAwMDAwKgACAAEAQwB0AHgATQBpAG4ARQBuAG
+ MAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDAgAAIAAQBDAHQAeABXAG8AcgBrAEQAaQBy
+ AGUAYwB0AG8AcgB5ADAwIAACAAEAQwB0AHgATgBXAEwAbwBnAG8AbgBTAGUAcgB2AGUAcg
+ AwMBgAJAABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByADVjNWM3MzYxNzQ3NTcyNmU2NTVj
+ NzAyZTYyNjk2NDZmNmUwMCIABgABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByAEQAcgBpAH
+ YAZQA1MDNhMDAgADoAAQBDAHQAeABXAEYAUAByAG8AZgBpAGwAZQBQAGEAdABoADVjNWM3
+ MzYxNzQ3NTcyNmU2NTVjNzA3MjZmNjY2OTZjNjU3NDczNjU1YzcwMmU2MjY5NjQ2ZjZlMD
+ AiAAIAAQBDAHQAeABJAG4AaQB0AGkAYQBsAFAAcgBvAGcAcgBhAG0AMDAiAAIAAQBDAHQA
+ eABDAGEAbABsAGIAYQBjAGsATgB1AG0AYgBlAHIAMDA=
+-
+EOF
+       fi
+}
+add_userparameters1() {
+       if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+	   $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
+dn: cn=administrator,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp
+changetype: modify
+replace: userParameters
+userParameters: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
+ AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACAAB
+ AEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZw
+ BGAGwAYQBnAHMAMQAwMGUwMDAxMBYACAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawAwMDAw
+ MDAwMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKAAIAAEAQwB0AHgATQBhAH
+ gAQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBh
+ AHgARABpAHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQw
+ B0AHgATQBhAHgASQBkAGwAZQBUAGkAbQBlADAwMDAwMDAwIgAIAAEAQwB0AHgASwBlAHkA
+ YgBvAGEAcgBkAEwAYQB5AG8AdQB0ADAwMDAwMDAwKgACAAEAQwB0AHgATQBpAG4ARQBuAG
+ MAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDAgAAIAAQBDAHQAeABXAG8AcgBrAEQAaQBy
+ AGUAYwB0AG8AcgB5ADAwIAACAAEAQwB0AHgATgBXAEwAbwBnAG8AbgBTAGUAcgB2AGUAcg
+ AwMBgAJAABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByADVjNWM3MzYxNzQ3NTcyNmU2NTVj
+ NzAyZTYyNjk2NDZmNmUwMCIABgABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByAEQAcgBpAH
+ YAZQA1MDNhMDAgADoAAQBDAHQAeABXAEYAUAByAG8AZgBpAGwAZQBQAGEAdABoADVjNWM3
+ MzYxNzQ3NTcyNmU2NTVjNzA3MjZmNjY2OTZjNjU3NDczNjU1YzcwMmU2MjY5NjQ2ZjZlMD
+ AiAAIAAQBDAHQAeABJAG4AaQB0AGkAYQBsAFAAcgBvAGcAcgBhAG0AMDAiAAIAAQBDAHQA
+ eABDAGEAbABsAGIAYQBjAGsATgB1AG0AYgBlAHIAMDA=
+-
+EOF
+       fi
+}
+add_userparameters2() {
+       if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+	   $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
+dn: cn=krbtgt,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp
+changetype: modify
+replace: userParameters
+userParameters:: Q3R4Q2ZnUHJlc2VudCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI
+ CAgUAsaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiIAIBQ3R4V0ZQcm9maWxlUGF0aOOAsBgCAU
+ N0eFdGSG9tZURpcuOAsCICAUN0eFdGSG9tZURpckRyaXZl44CwEggBQ3R4U2hhZG9344Sw44Cw44C
+ w44CwLggBQ3R4TWF4RGlzY29ubmVjdGlvblRpbWXjgaXjjLnjkLDjgLAoCAFDdHhNYXhDb25uZWN0
+ aW9uVGltZeOAtOOct+aIseOAsBwIAUN0eE1heElkbGVUaW1l44Gj45yy46Sw44CwIAIBQ3R4V29ya
+ 0RpcmVjdG9yeeOAsBgIAUN0eENmZ0ZsYWdzMeOAsOOBpuOYsuOAuCICAUN0eEluaXRpYWxQcm9ncm
+ Ft44Cw
+-
+EOF
+       fi
+}
+
+add_userparameters3() {
+       if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+	   $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
+dn: cn=guest,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp
+changetype: modify
+replace: userParameters
+userParameters:: QwAAAHQAAAB4AAAAQwAAAGYAAABnAAAAUAAAAHIAAABlAAAAcwAAAGUAAABuA
+ AAAdAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAA
+ AgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACA
+ AAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAUAAAAAsAAAAaAAAACAAAAAEAAABDAAAAdAAA
+ AHgAAABDAAAAZgAAAGcAAABQAAAAcgAAAGUAAABzAAAAZQAAAG4AAAB0AAAANQA1ADEAZQAwAGIAY
+ gAwACAAAAACAAAAAQAAAEMAAAB0AAAAeAAAAFcAAABGAAAAUAAAAHIAAABvAAAAZgAAAGkAAABsAA
+ AAZQAAAFAAAABhAAAAdAAAAGgAAAAwADAAGAAAAAIAAAABAAAAQwAAAHQAAAB4AAAAVwAAAEYAAAB
+ IAAAAbwAAAG0AAABlAAAARAAAAGkAAAByAAAAMAAwACIAAAACAAAAAQAAAEMAAAB0AAAAeAAAAFcA
+ AABGAAAASAAAAG8AAABtAAAAZQAAAEQAAABpAAAAcgAAAEQAAAByAAAAaQAAAHYAAABlAAAAMAAwA
+ BIAAAAIAAAAAQAAAEMAAAB0AAAAeAAAAFMAAABoAAAAYQAAAGQAAABvAAAAdwAAADAAMQAwADAAMA
+ AwADAAMAAuAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABEAAAAaQAAAHMAAABjAAA
+ AbwAAAG4AAABuAAAAZQAAAGMAAAB0AAAAaQAAAG8AAABuAAAAVAAAAGkAAABtAAAAZQAAAGUAMAA5
+ ADMAMAA0ADAAMAAoAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABDAAAAbwAAAG4AA
+ ABuAAAAZQAAAGMAAAB0AAAAaQAAAG8AAABuAAAAVAAAAGkAAABtAAAAZQAAADQAMAA3ADcAMQBiAD
+ AAMAAcAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABJAAAAZAAAAGwAAABlAAAAVAA
+ AAGkAAABtAAAAZQAAAGMAMAAyADcAMAA5ADAAMAAgAAAAAgAAAAEAAABDAAAAdAAAAHgAAABXAAAA
+ bwAAAHIAAABrAAAARAAAAGkAAAByAAAAZQAAAGMAAAB0AAAAbwAAAHIAAAB5AAAAMAAwABgAAAAIA
+ AAAAQAAAEMAAAB0AAAAeAAAAEMAAABmAAAAZwAAAEYAAABsAAAAYQAAAGcAAABzAAAAMQAAADAAMA
+ BmADAAMgA2ADgAMAAiAAAAAgAAAAEAAABDAAAAdAAAAHgAAABJAAAAbgAAAGkAAAB0AAAAaQAAAGE
+ AAABsAAAAUAAAAHIAAABvAAAAZwAAAHIAAABhAAAAbQAAADAAMAA=
+-
+EOF
+       fi
+}
+
 reindex() {
        $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
 }
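Review bot: The four fixture functions carry no comment saying which case each one plants, and the difference that matters is easy to miss. `add_userparameters1` writes `userParameters:` with a single colon so the base64 text is stored literally, while the other three use `userParameters::` so the payload is decoded on load. A one-line comment above each would make the intent reviewable, e.g. `# control: what appears to be a well-formed UTF-16 value`, `# base64 text stored verbatim`, `# UTF-8 encoded value`, `# doubled UTF-16 value`. Each function also returns success without doing anything when `$RELEASE` is not `release-4-1-0rc3`, which is worth stating in the same comment.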
@@ -54,6 +162,21 @@ dbcheck_acl_reset_clean() {
     fi
 }
 
+# This should 'fail', because it returns the number of modified records
+dbcheck2() {
+    if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+       $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+    else
+	exit 1
+    fi
+}
+# But having fixed it all up, this should pass
+dbcheck_clean2() {
+    if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+       $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+    fi
+}
+
 referenceprovision() {
     if [ x$RELEASE == x"release-4-0-0" ]; then
         $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1
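Review bot: `dbcheck2` calls `exit 1` in its else branch, which ends whichever shell is running the function rather than just failing the function. `return 1` would hand `testit_expect_failure` the same non-zero status without that side effect; whether `testit` runs the function in a subshell is not visible here. Since an expected-failure test is presumably satisfied by any non-zero status, a dbcheck traceback would also count as the expected result. The follow-up `dbcheck_clean2` is then the only step that shows the fixes were applied, and a comment above `dbcheck2` saying so would help.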
@@ -79,6 +202,12 @@ if [ -d $release_dir ]; then
     testit "dbcheck_clean" dbcheck_clean
     testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset
     testit "dbcheck_acl_reset_clean" dbcheck_acl_reset_clean
+    testit "add_userparameters0" add_userparameters1
+    testit "add_userparameters1" add_userparameters1
+    testit "add_userparameters2" add_userparameters2
+    testit "add_userparameters3" add_userparameters3
+    testit_expect_failure "dbcheck2" dbcheck2
+    testit "dbcheck_clean2" dbcheck_clean2
     testit "referenceprovision" referenceprovision
     testit "ldapcmp" ldapcmp
     testit "ldapcmp_sd" ldapcmp_sd
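Review bot: The first added line registers the test name `add_userparameters0` but runs `add_userparameters1`, so the `add_userparameters0` fixture never executes and the administrator fixture is applied twice. It should read `testit "add_userparameters0" add_userparameters0`. As written, the localdc object never receives its userParameters value, so that case is not exercised by `dbcheck2`.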
@@ -108,6 +237,31 @@ EOF
     subunit_skip_test "dbcheck_clean_acl_reset" <<EOF
 no test provision
 EOF
+    subunit_start_test add_userparameters0
+    subunit_skip_test add_userparameters0<<EOF
+no test provision
+EOF
+
+    subunit_start_test add_userparameters1
+    subunit_skip_test add_userparameters1<<EOF
+no test provision
+EOF
+
+    subunit_start_test add_userparameters2
+    subunit_skip_test add_userparameters2<<EOF
+no test provision
+EOF
+
+    subunit_start_test add_userparameters3
+    subunit_skip_test add_userparameters3<<EOF
+no test provision
+EOF
+
+    subunit_start_test "dbcheck2"
+    subunit_skip_test "dbcheck2" <<EOF
+no test provision
+EOF
+
     subunit_start_test "referenceprovision"
     subunit_skip_test "referenceprovision" <<EOF
 no test provision
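Review bot: The skip branch gains entries for `add_userparameters0` to `add_userparameters3` and `dbcheck2` but none for `dbcheck_clean2`, which the earlier hunk adds to the run list, so the two branches report different sets of tests. Adding `subunit_start_test "dbcheck_clean2"` and a matching `subunit_skip_test "dbcheck_clean2"` heredoc with `no test provision` after the `dbcheck2` entry would keep them aligned. The new `add_userparameters*` names are also unquoted and written as `name<<EOF`, unlike the quoted `"dbcheck2" <<EOF` form beside them.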
-- 
2.0.0


