Fwd: [PATCHES] support getprinter level 3 again for server handles
Jeremy Allison
jra at samba.org
Wed Sep 14 17:51:12 UTC 2016
On Tue, Sep 13, 2016 at 05:11:08PM +0200, Günther Deschner wrote:
> And here is the patch...
Guenther, with this patch I'm getting:
$ make test TESTS=samba3.rpc.spoolss.printserver
...
Testing OpenPrinter(\\127.0.0.3)
Testing GetPrinterData(Architecture)
Testing OpenPrinter(__INVALID_PRINTER__) with bad name
Testing OpenPrinterEx(__INVALID_PRINTER__) with bad name
Testing OpenPrinter(\\__INVALID_HOST__) with bad name
Testing OpenPrinterEx(\\__INVALID_HOST__) with bad name
Testing OpenPrinter() with bad name
Testing OpenPrinterEx() with bad name
Testing OpenPrinter(\\\) with bad name
Testing OpenPrinterEx(\\\) with bad name
Testing OpenPrinter(\\\__INVALID_PRINTER__) with bad name
Testing OpenPrinterEx(\\\__INVALID_PRINTER__) with bad name
Testing OpenPrinter(\\127.0.0.3\) with bad name
WARNING!: ../source4/torture/rpc/spoolss.c:6348: op.out.result was WERR_OK, expected WERR_INVALID_PRINTER_NAME: unexpected result
UNEXPECTED(failure): samba3.rpc.spoolss.printserver.printserver.openprinter_badnamelist(nt4_dc)
REASON: Exception: Exception: ../source4/torture/rpc/spoolss.c:6404: Expression `test_OpenPrinter_badname(tctx, b, badname)' failed:
Testing GetPrinter level 3
Testing SetPrinter level 3
test_SetPrinter failed: WERR_ACCESS_DENIED
WARNING!: ../source4/torture/rpc/spoolss.c:1299: Expression `((((r.out.result).w) == ((((WERROR) { 0x00000000 })).w)) || (((r.out.result).w) == ((((WERROR) { 0x000003E5 })).w)))' failed: SetPrinter failed
UNEXPECTED(failure): samba3.rpc.spoolss.printserver.printserver.set_printer(nt4_dc)
REASON: Exception: Exception: ../source4/torture/rpc/spoolss.c:8221: Expression `test_SetPrinter(tctx, b, &ctx->server_handle, &info_ctr, &devmode_ctr, &secdesc_ctr, 0)' failed:
Testing ClosePrinter
(the "test_SetPrinter failed: WERR_ACCESS_DENIED" is my
addition to print out what the actual WERR return was).
Can you help me track this down ? I'm guessing it's to do
with the new security descriptor code.
Cheers,
Jeremy.
> -------- Forwarded Message --------
> Subject: [PATCHES] support getprinter level 3 again for server handles
> Date: Tue, 13 Sep 2016 17:04:35 +0200
> From: Günther Deschner <gd at samba.org>
> To: Samba Technical <samba-technical at lists.samba.org>
> CC: Andreas Schneider <asn at redhat.com>
>
> Hi,
>
> sometime during the last spoolss rewrite we lost support for displaying
> the server security descriptor. Leading to warnings when displaying
> server properties with the printer management UI.
>
> This patchset adds it back + tests.
>
> Please review & push.
>
> Thanks,
> Guenther
> --
> Günther Deschner GPG-ID: 8EE11688
> Red Hat gdeschner at redhat.com
> Samba Team gd at samba.org
>
> From 5fe7122aba369c0f327b0d815e3dc302ba0ac6b9 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
> Date: Fri, 9 Sep 2016 16:00:38 +0200
> Subject: [PATCH 1/8] s4-torture: test GetPrinter level 3 on server handle
> (security descriptor query)
>
> Guenther
>
> Signed-off-by: Guenther Deschner <gd at samba.org>
> ---
> source4/torture/rpc/spoolss.c | 50 +++++++++++++++++++++++++++++++++++++------
> 1 file changed, 44 insertions(+), 6 deletions(-)
>
> diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
> index 1fcf379..ec48ecb 100644
> --- a/source4/torture/rpc/spoolss.c
> +++ b/source4/torture/rpc/spoolss.c
> @@ -1189,11 +1189,12 @@ static bool test_GetPrinterDriver2(struct torture_context *tctx,
> const char *driver_name,
> const char *environment);
>
> -bool test_GetPrinter_level(struct torture_context *tctx,
> - struct dcerpc_binding_handle *b,
> - struct policy_handle *handle,
> - uint32_t level,
> - union spoolss_PrinterInfo *info)
> +bool test_GetPrinter_level_exp(struct torture_context *tctx,
> + struct dcerpc_binding_handle *b,
> + struct policy_handle *handle,
> + uint32_t level,
> + WERROR expected_werror,
> + union spoolss_PrinterInfo *info)
> {
> struct spoolss_GetPrinter r;
> uint32_t needed;
> @@ -1218,7 +1219,9 @@ bool test_GetPrinter_level(struct torture_context *tctx,
> "GetPrinter failed");
> }
>
> - torture_assert_werr_ok(tctx, r.out.result, "GetPrinter failed");
> + torture_assert_werr_equal(tctx,
> + r.out.result, expected_werror,
> + "GetPrinter failed");
>
> CHECK_NEEDED_SIZE_LEVEL(spoolss_PrinterInfo, r.out.info, r.in.level, needed, 4);
>
> @@ -1229,6 +1232,14 @@ bool test_GetPrinter_level(struct torture_context *tctx,
> return true;
> }
>
> +bool test_GetPrinter_level(struct torture_context *tctx,
> + struct dcerpc_binding_handle *b,
> + struct policy_handle *handle,
> + uint32_t level,
> + union spoolss_PrinterInfo *info)
> +{
> + return test_GetPrinter_level_exp(tctx, b, handle, level, WERR_OK, info);
> +}
>
> static bool test_GetPrinter(struct torture_context *tctx,
> struct dcerpc_binding_handle *b,
> @@ -8087,6 +8098,32 @@ static bool test_get_printer_driver_package_path(struct torture_context *tctx,
> return true;
> }
>
> +static bool test_get_printer_printserverhandle(struct torture_context *tctx,
> + void *private_data)
> +{
> + struct test_spoolss_context *ctx =
> + talloc_get_type_abort(private_data, struct test_spoolss_context);
> +
> + struct dcerpc_pipe *p = ctx->spoolss_pipe;
> + struct dcerpc_binding_handle *b = p->binding_handle;
> + uint32_t levels[] = {0, 1, 2, /* 3,*/ 4, 5, 6, 7, 8};
> + int i;
> +
> + for (i=0;i<ARRAY_SIZE(levels);i++) {
> +
> + torture_assert(tctx,
> + test_GetPrinter_level_exp(tctx, b, &ctx->server_handle, levels[i], WERR_INVALID_LEVEL, NULL),
> + "failed to call GetPrinter");
> + }
> +
> + torture_assert(tctx,
> + test_GetPrinter_level(tctx, b, &ctx->server_handle, 3, NULL),
> + "failed to call GetPrinter");
> +
> + return true;
> +}
> +
> +
> static bool test_PrintServer_Forms_Winreg(struct torture_context *tctx,
> void *private_data)
> {
> @@ -9322,6 +9359,7 @@ struct torture_suite *torture_rpc_spoolss(TALLOC_CTX *mem_ctx)
> torture_tcase_add_simple_test(tcase, "architecture_buffer", test_architecture_buffer);
> torture_tcase_add_simple_test(tcase, "get_core_printer_drivers", test_get_core_printer_drivers);
> torture_tcase_add_simple_test(tcase, "get_printer_driver_package_path", test_get_printer_driver_package_path);
> + torture_tcase_add_simple_test(tcase, "get_printer", test_get_printer_printserverhandle);
>
> torture_suite_add_suite(suite, torture_rpc_spoolss_printer(suite));
>
> --
> 2.7.4
>
>
> From 990bec56aa6be91338d359ae8881c033fb6e2219 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
> Date: Fri, 9 Sep 2016 16:34:57 +0200
> Subject: [PATCH 2/8] s3-spoolss: Fix _spoolss_GetPrinter behaviour for server
> handles.
>
> Without this the security tab of the print server properties will be obviously
> empty and only display a warning.
>
> Guenther
>
> Signed-off-by: Guenther Deschner <gd at samba.org>
> ---
> source3/rpc_server/spoolss/srv_spoolss_nt.c | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> index 90aac33..5195c20 100644
> --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
> +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> @@ -4804,6 +4804,21 @@ WERROR _spoolss_GetPrinter(struct pipes_struct *p,
> goto err_info_free;
> }
>
> + if (Printer->printer_type == SPLHND_SERVER) {
> + if (r->in.level != 3) {
> + result = WERR_UNKNOWN_LEVEL;
> + goto err_info_free;
> + }
> +
> + result = spoolss_create_default_secdesc(p->mem_ctx,
> + &r->out.info->info3.secdesc);
> + if (!W_ERROR_IS_OK(result)) {
> + goto err_info_free;
> + }
> +
> + goto done;
> + }
> +
> if (!get_printer_snum(p, r->in.handle, &snum, NULL)) {
> result = WERR_BADFID;
> goto err_info_free;
> @@ -4880,7 +4895,7 @@ WERROR _spoolss_GetPrinter(struct pipes_struct *p,
> r->in.level, win_errstr(result)));
> goto err_info_free;
> }
> -
> + done:
> *r->out.needed = SPOOLSS_BUFFER_UNION(spoolss_PrinterInfo,
> r->out.info, r->in.level);
> r->out.info = SPOOLSS_BUFFER_OK(r->out.info, NULL);
> --
> 2.7.4
>
>
> From 70c03382762ec4f8fd45dcbd6de72d3a294cdf80 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
> Date: Sat, 10 Sep 2016 00:06:27 +0200
> Subject: [PATCH 3/8] s3-rpc_client: add winreg_get_printserver_secdesc.
>
> Guenther
>
> Signed-off-by: Guenther Deschner <gd at samba.org>
> ---
> source3/rpc_client/cli_winreg_spoolss.c | 52 ++++++++++++++++++++++++---------
> source3/rpc_client/cli_winreg_spoolss.h | 17 +++++++++++
> 2 files changed, 56 insertions(+), 13 deletions(-)
>
> diff --git a/source3/rpc_client/cli_winreg_spoolss.c b/source3/rpc_client/cli_winreg_spoolss.c
> index 8014e41..6eaa208 100644
> --- a/source3/rpc_client/cli_winreg_spoolss.c
> +++ b/source3/rpc_client/cli_winreg_spoolss.c
> @@ -1605,15 +1605,15 @@ done:
> return result;
> }
>
> -WERROR winreg_get_printer_secdesc(TALLOC_CTX *mem_ctx,
> - struct dcerpc_binding_handle *winreg_handle,
> - const char *sharename,
> - struct spoolss_security_descriptor **psecdesc)
> +static WERROR winreg_get_secdesc(TALLOC_CTX *mem_ctx,
> + struct dcerpc_binding_handle *winreg_handle,
> + const char *path,
> + const char *attribute,
> + struct spoolss_security_descriptor **psecdesc)
> {
> struct spoolss_security_descriptor *secdesc;
> uint32_t access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
> struct policy_handle hive_hnd, key_hnd;
> - const char *path;
> TALLOC_CTX *tmp_ctx;
> NTSTATUS status;
> WERROR result;
> @@ -1624,12 +1624,6 @@ WERROR winreg_get_printer_secdesc(TALLOC_CTX *mem_ctx,
> return WERR_NOMEM;
> }
>
> - path = winreg_printer_data_keyname(tmp_ctx, sharename);
> - if (path == NULL) {
> - talloc_free(tmp_ctx);
> - return WERR_NOMEM;
> - }
> -
> ZERO_STRUCT(hive_hnd);
> ZERO_STRUCT(key_hnd);
>
> @@ -1651,7 +1645,7 @@ WERROR winreg_get_printer_secdesc(TALLOC_CTX *mem_ctx,
> status = dcerpc_winreg_query_sd(tmp_ctx,
> winreg_handle,
> &key_hnd,
> - "Security",
> + attribute,
> &secdesc,
> &result);
> if (!NT_STATUS_IS_OK(status)) {
> @@ -1740,7 +1734,7 @@ create_default:
> status = dcerpc_winreg_set_sd(tmp_ctx,
> winreg_handle,
> &key_hnd,
> - "Security",
> + attribute,
> secdesc,
> &result);
> if (!NT_STATUS_IS_OK(status)) {
> @@ -1767,6 +1761,38 @@ done:
> return result;
> }
>
> +WERROR winreg_get_printer_secdesc(TALLOC_CTX *mem_ctx,
> + struct dcerpc_binding_handle *winreg_handle,
> + const char *sharename,
> + struct spoolss_security_descriptor **psecdesc)
> +{
> + WERROR result;
> + char *path;
> +
> + path = winreg_printer_data_keyname(mem_ctx, sharename);
> + if (path == NULL) {
> + return WERR_NOMEM;
> + }
> +
> + result = winreg_get_secdesc(mem_ctx, winreg_handle,
> + path,
> + "Security",
> + psecdesc);
> + talloc_free(path);
> +
> + return result;
> +}
> +
> +WERROR winreg_get_printserver_secdesc(TALLOC_CTX *mem_ctx,
> + struct dcerpc_binding_handle *winreg_handle,
> + struct spoolss_security_descriptor **psecdesc)
> +{
> + return winreg_get_secdesc(mem_ctx, winreg_handle,
> + TOP_LEVEL_CONTROL_KEY,
> + "ServerSecurityDescriptor",
> + psecdesc);
> +}
> +
> WERROR winreg_set_printer_secdesc(TALLOC_CTX *mem_ctx,
> struct dcerpc_binding_handle *winreg_handle,
> const char *sharename,
> diff --git a/source3/rpc_client/cli_winreg_spoolss.h b/source3/rpc_client/cli_winreg_spoolss.h
> index aa4d98f..279e585 100644
> --- a/source3/rpc_client/cli_winreg_spoolss.h
> +++ b/source3/rpc_client/cli_winreg_spoolss.h
> @@ -146,6 +146,23 @@ WERROR winreg_get_printer_secdesc(TALLOC_CTX *mem_ctx,
> struct spoolss_security_descriptor **psecdesc);
>
> /**
> + * @brief Get the security descriptor for a printserver.
> + *
> + * @param[in] mem_ctx The talloc memory context to use.
> + *
> + * @param[in] b The dcerpc binding handle
> + *
> + * @param[out] psecdesc A pointer to store the security descriptor.
> + *
> + * @return On success WERR_OK, a corresponding DOS error is
> + * something went wrong.
> + */
> +
> +WERROR winreg_get_printserver_secdesc(TALLOC_CTX *mem_ctx,
> + struct dcerpc_binding_handle *winreg_handle,
> + struct spoolss_security_descriptor **psecdesc);
> +
> +/**
> * @brief Set the security descriptor for a printer.
> *
> * @param[in] mem_ctx The talloc memory context to use.
> --
> 2.7.4
>
>
> From 69626216d0abe20d0a80d252c0435e9e9b7c8dc9 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
> Date: Sat, 10 Sep 2016 00:07:23 +0200
> Subject: [PATCH 4/8] s3-rpc_client: add winreg_set_printserver_secdesc.
>
> Guenther
>
> Signed-off-by: Guenther Deschner <gd at samba.org>
> ---
> source3/rpc_client/cli_winreg_spoolss.c | 58 ++++++++++++++++++++++++---------
> source3/rpc_client/cli_winreg_spoolss.h | 17 ++++++++++
> 2 files changed, 59 insertions(+), 16 deletions(-)
>
> diff --git a/source3/rpc_client/cli_winreg_spoolss.c b/source3/rpc_client/cli_winreg_spoolss.c
> index 6eaa208..37a20ad 100644
> --- a/source3/rpc_client/cli_winreg_spoolss.c
> +++ b/source3/rpc_client/cli_winreg_spoolss.c
> @@ -1793,16 +1793,16 @@ WERROR winreg_get_printserver_secdesc(TALLOC_CTX *mem_ctx,
> psecdesc);
> }
>
> -WERROR winreg_set_printer_secdesc(TALLOC_CTX *mem_ctx,
> - struct dcerpc_binding_handle *winreg_handle,
> - const char *sharename,
> - const struct spoolss_security_descriptor *secdesc)
> +static WERROR winreg_set_secdesc(TALLOC_CTX *mem_ctx,
> + struct dcerpc_binding_handle *winreg_handle,
> + const char *path,
> + const char *attribute,
> + const struct spoolss_security_descriptor *secdesc)
> {
> const struct spoolss_security_descriptor *new_secdesc = secdesc;
> struct spoolss_security_descriptor *old_secdesc;
> uint32_t access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
> struct policy_handle hive_hnd, key_hnd;
> - const char *path;
> TALLOC_CTX *tmp_ctx;
> NTSTATUS status;
> WERROR result;
> @@ -1813,12 +1813,6 @@ WERROR winreg_set_printer_secdesc(TALLOC_CTX *mem_ctx,
> return WERR_NOMEM;
> }
>
> - path = winreg_printer_data_keyname(tmp_ctx, sharename);
> - if (path == NULL) {
> - talloc_free(tmp_ctx);
> - return WERR_NOMEM;
> - }
> -
> /*
> * The old owner and group sids of the security descriptor are not
> * present when new ACEs are added or removed by changing printer
> @@ -1830,10 +1824,11 @@ WERROR winreg_set_printer_secdesc(TALLOC_CTX *mem_ctx,
> struct security_acl *dacl, *sacl;
> size_t size;
>
> - result = winreg_get_printer_secdesc(tmp_ctx,
> - winreg_handle,
> - sharename,
> - &old_secdesc);
> + result = winreg_get_secdesc(tmp_ctx,
> + winreg_handle,
> + path,
> + attribute,
> + &old_secdesc);
> if (!W_ERROR_IS_OK(result)) {
> talloc_free(tmp_ctx);
> return result;
> @@ -1889,7 +1884,7 @@ WERROR winreg_set_printer_secdesc(TALLOC_CTX *mem_ctx,
> status = dcerpc_winreg_set_sd(tmp_ctx,
> winreg_handle,
> &key_hnd,
> - "Security",
> + attribute,
> new_secdesc,
> &result);
> if (!NT_STATUS_IS_OK(status)) {
> @@ -1908,6 +1903,37 @@ done:
> return result;
> }
>
> +WERROR winreg_set_printer_secdesc(TALLOC_CTX *mem_ctx,
> + struct dcerpc_binding_handle *winreg_handle,
> + const char *sharename,
> + const struct spoolss_security_descriptor *secdesc)
> +{
> + char *path;
> + WERROR result;
> +
> + path = winreg_printer_data_keyname(mem_ctx, sharename);
> + if (path == NULL) {
> + return WERR_NOMEM;
> + }
> +
> + result = winreg_set_secdesc(mem_ctx, winreg_handle,
> + path,
> + "Security", secdesc);
> + talloc_free(path);
> +
> + return result;
> +}
> +
> +WERROR winreg_set_printserver_secdesc(TALLOC_CTX *mem_ctx,
> + struct dcerpc_binding_handle *winreg_handle,
> + const struct spoolss_security_descriptor *secdesc)
> +{
> + return winreg_set_secdesc(mem_ctx, winreg_handle,
> + TOP_LEVEL_CONTROL_KEY,
> + "ServerSecurityDescriptor",
> + secdesc);
> +}
> +
> /* Set printer data over the winreg pipe. */
> WERROR winreg_set_printer_dataex(TALLOC_CTX *mem_ctx,
> struct dcerpc_binding_handle *winreg_handle,
> diff --git a/source3/rpc_client/cli_winreg_spoolss.h b/source3/rpc_client/cli_winreg_spoolss.h
> index 279e585..4fcb64e 100644
> --- a/source3/rpc_client/cli_winreg_spoolss.h
> +++ b/source3/rpc_client/cli_winreg_spoolss.h
> @@ -182,6 +182,23 @@ WERROR winreg_set_printer_secdesc(TALLOC_CTX *mem_ctx,
> const struct spoolss_security_descriptor *secdesc);
>
> /**
> + * @brief Set the security descriptor for a printserver.
> + *
> + * @param[in] mem_ctx The talloc memory context to use.
> + *
> + * @param[in] b The dcerpc binding handle
> + *
> + * @param[in] secdesc The security descriptor to save.
> + *
> + * @return On success WERR_OK, a corresponding DOS error is
> + * something went wrong.
> + */
> +WERROR winreg_set_printserver_secdesc(TALLOC_CTX *mem_ctx,
> + struct dcerpc_binding_handle *b,
> + const struct spoolss_security_descriptor *secdesc);
> +
> +
> +/**
> * @internal
> *
> * @brief Set printer data over the winreg pipe.
> --
> 2.7.4
>
>
> From 9ae2d086ae9a7d3d18ec81a127a2944ec0491793 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
> Date: Sat, 10 Sep 2016 11:07:06 +0200
> Subject: [PATCH 5/8] s4-torture: test spoolss_SetPrinter level 3 on server
> handle.
>
> Guenther
>
> Signed-off-by: Guenther Deschner <gd at samba.org>
> ---
> source4/torture/rpc/spoolss.c | 40 +++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 39 insertions(+), 1 deletion(-)
>
> diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
> index ec48ecb..89cb161 100644
> --- a/source4/torture/rpc/spoolss.c
> +++ b/source4/torture/rpc/spoolss.c
> @@ -284,7 +284,7 @@ static bool test_OpenPrinter_server(struct torture_context *tctx,
> op.in.printername = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
> op.in.datatype = NULL;
> op.in.devmode_ctr.devmode= NULL;
> - op.in.access_mask = 0;
> + op.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
> op.out.handle = server_handle;
>
> torture_comment(tctx, "Testing OpenPrinter(%s)\n", op.in.printername);
> @@ -8123,6 +8123,43 @@ static bool test_get_printer_printserverhandle(struct torture_context *tctx,
> return true;
> }
>
> +static bool test_set_printer_printserverhandle(struct torture_context *tctx,
> + void *private_data)
> +{
> + struct test_spoolss_context *ctx =
> + talloc_get_type_abort(private_data, struct test_spoolss_context);
> +
> + struct dcerpc_pipe *p = ctx->spoolss_pipe;
> + struct dcerpc_binding_handle *b = p->binding_handle;
> + union spoolss_PrinterInfo info;
> + struct spoolss_SetPrinterInfoCtr info_ctr;
> + struct spoolss_SetPrinterInfo3 info3;
> + struct spoolss_DevmodeContainer devmode_ctr;
> + struct sec_desc_buf secdesc_ctr;
> +
> + torture_assert(tctx,
> + test_GetPrinter_level(tctx, b, &ctx->server_handle, 3, &info),
> + "failed to call GetPrinter");
> +
> + secdesc_ctr.sd = info.info3.secdesc;
> + secdesc_ctr.sd->owner_sid = NULL;
> + secdesc_ctr.sd->group_sid = NULL;
> +
> + info3.sec_desc_ptr = NULL;
> +
> + info_ctr.level = 3;
> + info_ctr.info.info3 = &info3;
> +
> + ZERO_STRUCT(devmode_ctr);
> +
> + torture_assert(tctx,
> + test_SetPrinter(tctx, b, &ctx->server_handle, &info_ctr,
> + &devmode_ctr, &secdesc_ctr, 0),
> + "");
> +
> + return true;
> +}
> +
>
> static bool test_PrintServer_Forms_Winreg(struct torture_context *tctx,
> void *private_data)
> @@ -9360,6 +9397,7 @@ struct torture_suite *torture_rpc_spoolss(TALLOC_CTX *mem_ctx)
> torture_tcase_add_simple_test(tcase, "get_core_printer_drivers", test_get_core_printer_drivers);
> torture_tcase_add_simple_test(tcase, "get_printer_driver_package_path", test_get_printer_driver_package_path);
> torture_tcase_add_simple_test(tcase, "get_printer", test_get_printer_printserverhandle);
> + torture_tcase_add_simple_test(tcase, "set_printer", test_set_printer_printserverhandle);
>
> torture_suite_add_suite(suite, torture_rpc_spoolss_printer(suite));
>
> --
> 2.7.4
>
>
> From 2b0f6936d0b1558c99c38beea04e63794ee7585d Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
> Date: Sat, 10 Sep 2016 11:09:44 +0200
> Subject: [PATCH 6/8] s3-spoolss: use server sd stored in the backend in
> _spoolss_GetPrinter level 3
>
> Guenther
>
> Signed-off-by: Guenther Deschner <gd at samba.org>
> ---
> source3/rpc_server/spoolss/srv_spoolss_nt.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> index 5195c20..1cbea09 100644
> --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
> +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> @@ -4805,12 +4805,24 @@ WERROR _spoolss_GetPrinter(struct pipes_struct *p,
> }
>
> if (Printer->printer_type == SPLHND_SERVER) {
> +
> + struct dcerpc_binding_handle *b;
> +
> if (r->in.level != 3) {
> result = WERR_UNKNOWN_LEVEL;
> goto err_info_free;
> }
>
> - result = spoolss_create_default_secdesc(p->mem_ctx,
> + result = winreg_printer_binding_handle(p->mem_ctx,
> + get_session_info_system(),
> + p->msg_ctx,
> + &b);
> + if (!W_ERROR_IS_OK(result)) {
> + goto err_info_free;
> + }
> +
> + result = winreg_get_printserver_secdesc(p->mem_ctx,
> + b,
> &r->out.info->info3.secdesc);
> if (!W_ERROR_IS_OK(result)) {
> goto err_info_free;
> --
> 2.7.4
>
>
> From 2a3608e5b73c1a8b14ee3ebf73b3bb7a4af1f43f Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
> Date: Sat, 10 Sep 2016 11:10:12 +0200
> Subject: [PATCH 7/8] s3-spoolss: allow SetPrinter level 3 for server handles
> as well.
>
> Guenther
>
> Signed-off-by: Guenther Deschner <gd at samba.org>
> ---
> source3/rpc_server/spoolss/srv_spoolss_nt.c | 60 +++++++++++++++++++++++------
> 1 file changed, 49 insertions(+), 11 deletions(-)
>
> diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> index 1cbea09..5b385d0 100644
> --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
> +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> @@ -6083,14 +6083,15 @@ static WERROR update_printer_sec(struct policy_handle *handle,
> {
> struct spoolss_security_descriptor *new_secdesc = NULL;
> struct spoolss_security_descriptor *old_secdesc = NULL;
> - const char *printer;
> + const char *printer = NULL;
> WERROR result;
> int snum;
> struct printer_handle *Printer = find_printer_index_by_hnd(p, handle);
> struct dcerpc_binding_handle *b;
> TALLOC_CTX *tmp_ctx = NULL;
> + bool ok = false;
>
> - if (!Printer || !get_printer_snum(p, handle, &snum, NULL)) {
> + if (!Printer) {
> DEBUG(2,("update_printer_sec: Invalid handle (%s:%u:%u)\n",
> OUR_HANDLE(handle)));
>
> @@ -6103,15 +6104,41 @@ static WERROR update_printer_sec(struct policy_handle *handle,
> result = WERR_INVALID_PARAM;
> goto done;
> }
> - printer = lp_const_servicename(snum);
> +
> + switch (Printer->printer_type) {
> + case SPLHND_SERVER:
> + break;
> + case SPLHND_PRINTER:
> + if (!get_printer_snum(p, handle, &snum, NULL)) {
> + DEBUG(2,("update_printer_sec: Invalid handle (%s:%u:%u)\n",
> + OUR_HANDLE(handle)));
> + result = WERR_BADFID;
> + goto done;
> + }
> + printer = lp_const_servicename(snum);
> + break;
> + default:
> + break;
> + }
>
> /* Check the user has permissions to change the security
> descriptor. By experimentation with two NT machines, the user
> requires Full Access to the printer to change security
> information. */
>
> - if ( Printer->access_granted != PRINTER_ACCESS_ADMINISTER ) {
> - DEBUG(4,("update_printer_sec: updated denied by printer permissions\n"));
> + switch (Printer->printer_type) {
> + case SPLHND_SERVER:
> + ok = Printer->access_granted == SERVER_ACCESS_ADMINISTER;
> + break;
> + case SPLHND_PRINTER:
> + ok = Printer->access_granted == PRINTER_ACCESS_ADMINISTER;
> + break;
> + default:
> + break;
> + }
> +
> + if (!ok) {
> + DEBUG(4,("update_printer_sec: updated denied by printer permissions (access_granted: 0x%08x)\n", Printer->access_granted));
> result = WERR_ACCESS_DENIED;
> goto done;
> }
> @@ -6131,9 +6158,15 @@ static WERROR update_printer_sec(struct policy_handle *handle,
>
> /* NT seems to like setting the security descriptor even though
> nothing may have actually changed. */
> - result = winreg_get_printer_secdesc(tmp_ctx, b,
> - printer,
> - &old_secdesc);
> +
> + if (printer != NULL) {
> + result = winreg_get_printer_secdesc(tmp_ctx, b,
> + printer,
> + &old_secdesc);
> + } else {
> + result = winreg_get_printserver_secdesc(tmp_ctx, b,
> + &old_secdesc);
> + }
> if (!W_ERROR_IS_OK(result)) {
> DEBUG(2,("update_printer_sec: winreg_get_printer_secdesc_internal() failed\n"));
> result = WERR_BADFID;
> @@ -6181,9 +6214,14 @@ static WERROR update_printer_sec(struct policy_handle *handle,
> goto done;
> }
>
> - result = winreg_set_printer_secdesc(tmp_ctx, b,
> - printer,
> - new_secdesc);
> + if (printer != NULL) {
> + result = winreg_set_printer_secdesc(tmp_ctx, b,
> + printer,
> + new_secdesc);
> + } else {
> + result = winreg_set_printserver_secdesc(tmp_ctx, b,
> + new_secdesc);
> + }
>
> done:
> talloc_free(tmp_ctx);
> --
> 2.7.4
>
>
> From fdffc268d605556d4c7106f275a97ed50c7025bf Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
> Date: Tue, 13 Sep 2016 09:28:03 +0200
> Subject: [PATCH 8/8] s4-torture: add new test to compare
> "ServerSecurityDescriptor" and GetPrinter level 3.
>
> Guenther
>
> Signed-off-by: Guenther Deschner <gd at samba.org>
> ---
> source4/torture/rpc/spoolss.c | 75 ++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 74 insertions(+), 1 deletion(-)
>
> diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
> index 89cb161..ad7df37 100644
> --- a/source4/torture/rpc/spoolss.c
> +++ b/source4/torture/rpc/spoolss.c
> @@ -4952,13 +4952,43 @@ do {\
> }
>
> #undef test_dm
> -#undef test_sd
>
> torture_comment(tctx, "Printer Info and winreg consistency test succeeded\n\n");
>
> return true;
> }
>
> +static bool test_GetPrintserverInfo_winreg(struct torture_context *tctx,
> + struct dcerpc_binding_handle *b,
> + struct policy_handle *handle,
> + struct dcerpc_binding_handle *winreg_handle,
> + struct policy_handle *hive_handle)
> +{
> + union spoolss_PrinterInfo info;
> + struct policy_handle key_handle;
> +
> + torture_comment(tctx, "Testing Printserver Info and winreg consistency\n");
> +
> + torture_assert(tctx,
> + test_GetPrinter_level(tctx, b, handle, 3, &info),
> + "failed to get printer info level 2");
> +
> + torture_assert(tctx,
> + test_winreg_OpenKey(tctx, winreg_handle, hive_handle, TOP_LEVEL_CONTROL_KEY, &key_handle), "");
> +
> + test_sd("ServerSecurityDescriptor", info.info3.secdesc);
> +
> + torture_assert(tctx,
> + test_winreg_CloseKey(tctx, winreg_handle, &key_handle), "");
> +
> +#undef test_sd
> +
> + torture_comment(tctx, "Printserver Info and winreg consistency test succeeded\n\n");
> +
> + return true;
> +}
> +
> +
> static bool test_PrintProcessors(struct torture_context *tctx,
> struct dcerpc_binding_handle *b,
> const char *environment,
> @@ -5770,6 +5800,33 @@ static bool test_PrinterInfo_winreg(struct torture_context *tctx,
> return ret;
> }
>
> +static bool test_PrintserverInfo_winreg(struct torture_context *tctx,
> + struct dcerpc_pipe *p,
> + struct policy_handle *handle)
> +{
> + struct dcerpc_binding_handle *b = p->binding_handle;
> + struct dcerpc_pipe *p2;
> + bool ret = true;
> + struct policy_handle hive_handle;
> + struct dcerpc_binding_handle *b2;
> +
> + torture_assert_ntstatus_ok(tctx,
> + torture_rpc_connection(tctx, &p2, &ndr_table_winreg),
> + "could not open winreg pipe");
> + b2 = p2->binding_handle;
> +
> + torture_assert(tctx, test_winreg_OpenHKLM(tctx, b2, &hive_handle), "");
> +
> + ret = test_GetPrintserverInfo_winreg(tctx, b, handle, b2, &hive_handle);
> +
> + test_winreg_CloseKey(tctx, b2, &hive_handle);
> +
> + talloc_free(p2);
> +
> + return ret;
> +}
> +
> +
> static bool test_DriverInfo_winreg(struct torture_context *tctx,
> struct dcerpc_pipe *p,
> struct policy_handle *handle,
> @@ -8726,6 +8783,21 @@ static bool test_printer_info_winreg(struct torture_context *tctx,
> return true;
> }
>
> +static bool test_printserver_info_winreg(struct torture_context *tctx,
> + void *private_data)
> +{
> + struct test_spoolss_context *t =
> + (struct test_spoolss_context *)talloc_get_type_abort(private_data, struct test_spoolss_context);
> + struct dcerpc_pipe *p = t->spoolss_pipe;
> +
> + torture_assert(tctx,
> + test_PrintserverInfo_winreg(tctx, p, &t->server_handle),
> + "failed to test printserver info winreg");
> +
> + return true;
> +}
> +
> +
> static bool test_printer_change_id(struct torture_context *tctx,
> void *private_data)
> {
> @@ -9398,6 +9470,7 @@ struct torture_suite *torture_rpc_spoolss(TALLOC_CTX *mem_ctx)
> torture_tcase_add_simple_test(tcase, "get_printer_driver_package_path", test_get_printer_driver_package_path);
> torture_tcase_add_simple_test(tcase, "get_printer", test_get_printer_printserverhandle);
> torture_tcase_add_simple_test(tcase, "set_printer", test_set_printer_printserverhandle);
> + torture_tcase_add_simple_test(tcase, "printserver_info_winreg", test_printserver_info_winreg);
>
> torture_suite_add_suite(suite, torture_rpc_spoolss_printer(suite));
>
> --
> 2.7.4
>
More information about the samba-technical
mailing list