selftest: re-enable nss_winbind via nss_wrapper in the test-envs.

Michael Adam obnox at samba.org
Tue Feb 17 10:32:16 MST 2015 

On 2015-02-17 at 18:27 +0100, Michael Adam wrote:
> On 2015-02-17 at 18:09 +0100, Stefan (metze) Metzmacher wrote:
> > Hi Michael,
> > 
> > > diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
> > > index 1603321..3e2397d 100644
> > > --- a/python/samba/provision/__init__.py
> > > +++ b/python/samba/provision/__init__.py
> > > @@ -1476,8 +1476,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
> > >          return samdb
> > >  
> > >  
> > > -SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
> > > -POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
> > > +SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001200a9;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
> > > +POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001200a9;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
> > >  SYSVOL_SERVICE="sysvol"
> > 
> > Aren't these the hardcoded values windows clients expect to be there?
> 
> Could be. That is why I was asking for experts (like you) to
> comment! :-)
> 
> > I guess changing them, just to let our test pass is wrong.
> 
> Ok. Does that mean the ACE values for the owner are completely
> random? And the previous patch that does not adapt the NT ACL
> but simply adapte the posix checks to the values that let
> the test pass is better/correct?

More concretely, the attached patch..

-------------- next part --------------
From 55c2b49358f2d6805f968937dab84adc4c4bd19b Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Tue, 17 Feb 2015 16:06:49 +0100
Subject: [PATCH] selftest: fix the posixacl test for the fixed plugin_s4_dc
 env.

The changed env let the posix mapping come out slightly differently
with respect to the owner/domain admin who is not explicitly
nailed down in the original NT acl. This adapts the posix
alc perms for the admins to match the result.

Pair-Programmed-With: Guenther Deschner <gd at samba.org>

Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
---
 python/samba/tests/posixacl.py | 8 ++++----
 selftest/knownfail             | 8 --------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index a6b5118..0ec3a38 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -345,14 +345,14 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
 
         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
-        self.assertEquals(posix_acl.acl[1].a_perm, 6)
+        self.assertEquals(posix_acl.acl[1].a_perm, 7)
         self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
 
         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 
         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
-        self.assertEquals(posix_acl.acl[3].a_perm, 6)
+        self.assertEquals(posix_acl.acl[3].a_perm, 7)
 
         self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
         self.assertEquals(posix_acl.acl[4].a_perm, 7)
@@ -682,14 +682,14 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
 
         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
-        self.assertEquals(posix_acl.acl[1].a_perm, 6)
+        self.assertEquals(posix_acl.acl[1].a_perm, 7)
         self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
 
         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 
         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
-        self.assertEquals(posix_acl.acl[3].a_perm, 6)
+        self.assertEquals(posix_acl.acl[3].a_perm, 7)
 
         self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
         self.assertEquals(posix_acl.acl[4].a_perm, 7)
diff --git a/selftest/knownfail b/selftest/knownfail
index b3cc2d6..64fc2cd 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -314,11 +314,3 @@
 # Differences in our KDC compared to windows
 #
 ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally
-#
-# Test does not work, apparently because the calling user and
-# the domain admin use the same uid. This was uncovered by
-# enabling libnss_winbindd in the nsswrapper environment.
-# TODO: fix the test.
-#
-^samba.tests.posixacl.samba.tests.posixacl.PosixAclMappingTests.test_setntacl_sysvol_check_getposixacl\(plugin_s4_dc:local\)$
-^samba.tests.posixacl.samba.tests.posixacl.PosixAclMappingTests.test_setntacl_policies_check_getposixacl\(plugin_s4_dc:local\)$
-- 
2.1.0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150217/e1631f97/attachment.pgp>

More information about the samba-technical mailing list