From: Nagaraj Shyam on 14 Jul 2010 17:20

Test results inline as the mailserver pulled out the attachment. Please read the first post about the thread to get context.

===========================================samba test results=================================================================
test: ACLS
TESTING SETFILEINFO EA_SET
add a new ACE to the DACL
torture/raw/acls.c:111: security descriptors don't match!
got:
expected:
remove it again
testing nttrans create with sec_desc
creating normal file
querying ACL
adding a new ACE
creating a file with an initial ACL
torture/raw/acls.c:224: security descriptors don't match!
got:
expected:
TESTING SEC_DESC WITH A NULL DACL
creating a file with a empty sd
get the original sd
set NULL DACL
(torture/raw/acls.c:325) Incorrect status NT_STATUS_NO_MEMORY - should be NT_STATUS_OK
TESTING SID_CREATOR_OWNER
get the original sd
set a sec desc allowing no write by CREATOR_OWNER
try open for write
(torture/raw/acls.c:562) Incorrect status NT_STATUS_OK - should be NT_STATUS_ACCESS_DENIED
TESTING FILE GENERIC BITS
get the original sd
smblsa_sid_check_privilege - NT_STATUS_OBJECT_NAME_NOT_FOUND
SEC_PRIV_RESTORE - No
smblsa_sid_check_privilege - NT_STATUS_OBJECT_NAME_NOT_FOUND
SEC_PRIV_TAKE_OWNERSHIP - No
testing generic bits 0x00000000
torture/raw/acls.c:840: security descriptors don't match!
got:
expected:
(torture/raw/acls.c:852) Incorrect access_flags 0x00170089 - should be 0x00070080
TESTING FILE OWNER BITS
get the original sd
smblsa_sid_check_privilege - NT_STATUS_OBJECT_NAME_NOT_FOUND
SEC_PRIV_RESTORE - No
smblsa_sid_check_privilege - NT_STATUS_OBJECT_NAME_NOT_FOUND
SEC_PRIV_TAKE_OWNERSHIP - No
open succeeded with access mask 0x00000001 of expected 0x00000082 - should fail
(torture/raw/acls.c:1189) Incorrect status NT_STATUS_OK - should be NT_STATUS_ACCESS_DENIED
TESTING ACL INHERITANCE
get the original sd
owner_sid is S-1-5-21-385505261-2069261775-1913586636-500
Expected default sd: at 0 - got:
Expected default sd for dir at 0: got:
Bad sd in child file at 1
(0) Bad sd in child dir at 1 (parent 0x1)
Expected default sd: at 2 - got:
(CI) Bad sd in child dir at 2 (parent 0x2)
Bad sd in child file at 3
(CI) Bad sd in child dir at 3 (parent 0x3)
Expected default sd: at 4 - got:
Expected default sd for dir at 4: got:
Bad sd in child file at 5
Expected default sd for dir at 5: got:
Expected default sd: at 6 - got:
(CI & NP) Bad sd in child dir at 6 (parent 0x6)
Bad sd in child file at 7
(CI & NP) Bad sd in child dir at 7 (parent 0x7)
Expected default sd: at 8 - got:
Expected default sd for dir at 8: got:
Bad sd in child file at 9
(0) Bad sd in child dir at 9 (parent 0x9)
Expected default sd: at 10 - got:
(CI) Bad sd in child dir at 10 (parent 0xa)
Bad sd in child file at 11
(CI) Bad sd in child dir at 11 (parent 0xb)
Expected default sd: at 12 - got:
Expected default sd for dir at 12: got:
Bad sd in child file at 13
Expected default sd for dir at 13: got:
Expected default sd: at 14 - got:
(CI & NP) Bad sd in child dir at 14 (parent 0xe)
Bad sd in child file at 15
(CI & NP) Bad sd in child dir at 15 (parent 0xf)
testing access checks on inherited create with \testsd\inheritance\testfile
torture/raw/acls.c:1558: security descriptors don't match!
got:
expected:
failed: w2k3 ACL bug (allowed open when ACL should deny)
trying without execute
(torture/raw/acls.c:1583) Incorrect status NT_STATUS_OK - should be NT_STATUS_ACCESS_DENIED
TESTING DYNAMIC ACL INHERITANCE
get the original sd
owner_sid is S-1-5-21-385505261-2069261775-1913586636-500
create a file with an inherited acl
try and access file with base rights - should be OK
try and access file with extra rights - should be denied
(torture/raw/acls.c:1723) Incorrect status NT_STATUS_OK - should be NT_STATUS_ACCESS_DENIED
put back original sd
TESTING ACCESS MASKS FOR SD GET/SET
(torture/raw/acls.c:1865) Incorrect status NT_STATUS_INVALID_OWNER - should be NT_STATUS_OK
error: ACLS [ Unknown error/failure ]

======================================================w23k test results====================================================
test: ACLS
TESTING SETFILEINFO EA_SET
add a new ACE to the DACL
remove it again
testing nttrans create with sec_desc
creating normal file
querying ACL
adding a new ACE
creating a file with an initial ACL
TESTING SEC_DESC WITH A NULL DACL
creating a file with a empty sd
get the original sd
set NULL DACL
get the sd
try open for read control
try open for write
try open for read
try open for generic write
try open for generic read
set DACL with 0 aces
get the sd
try open for read control
try open for write => access_denied
try open for read => access_denied
try open for generic write => access_denied
try open for generic read => access_denied
set empty sd
get the sd
TESTING SID_CREATOR_OWNER
get the original sd
set a sec desc allowing no write by CREATOR_OWNER
try open for write
try open for read
try open for generic write
try open for generic read
set a sec desc allowing no write by owner
check that sd has been mapped correctly
try open for write
try open for read
try open for generic write
try open for generic read
set a sec desc allowing generic read by owner
check that generic read has been mapped correctly
try open for write
try open for read
try open for generic write
try open for generic read
put back original sd
TESTING FILE GENERIC BITS
get the original sd
SEC_PRIV_RESTORE - Yes
SEC_PRIV_TAKE_OWNERSHIP - Yes
testing generic bits 0x00000000
testing generic bits 0x00000000 (anonymous)
testing generic bits 0x80000000
testing generic bits 0x80000000 (anonymous)
testing generic bits 0x40000000
testing generic bits 0x40000000 (anonymous)
testing generic bits 0x20000000
testing generic bits 0x20000000 (anonymous)
testing generic bits 0x10000000
testing generic bits 0x10000000 (anonymous)
testing generic bits 0x00000001
testing generic bits 0x00000001 (anonymous)
testing generic bits 0x00000080
testing generic bits 0x00000080 (anonymous)
put back original sd
TESTING DIR GENERIC BITS
get the original sd
SEC_PRIV_RESTORE - Yes
SEC_PRIV_TAKE_OWNERSHIP - Yes
testing generic bits 0x00000000
testing generic bits 0x00000000 (anonymous)
testing generic bits 0x80000000
testing generic bits 0x80000000 (anonymous)
testing generic bits 0x40000000
testing generic bits 0x40000000 (anonymous)
testing generic bits 0x20000000
testing generic bits 0x20000000 (anonymous)
testing generic bits 0x10000000
testing generic bits 0x10000000 (anonymous)
put back original sd
TESTING FILE OWNER BITS
get the original sd
SEC_PRIV_RESTORE - Yes
SEC_PRIV_TAKE_OWNERSHIP - Yes
put back original sd
TESTING ACL INHERITANCE
get the original sd
owner_sid is S-1-5-32-544
testing access checks on inherited create with \testsd\inheritance\testfile
failed: w2k3 ACL bug (allowed open when ACL should deny)
trying without execute
and with full permissions again
put back original sd
TESTING DYNAMIC ACL INHERITANCE
get the original sd
owner_sid is S-1-5-32-544
create a file with an inherited acl
try and access file with base rights - should be OK
try and access file with extra rights - should be denied
update parent sd
try and access file with base rights - should be OK
try and access now - should be OK if dynamic inheritance works
Server does not have dynamic inheritance
put back original sd
TESTING ACCESS MASKS FOR SD GET/SET
error: ACLS [ Unknown error/failure ]

From: Nagaraj Shyam
Sent: Wednesday, July 14, 2010 11:26 AM
To: 'samba(a)lists.samba.org'
Subject: RAW_ACLS smbtorture test

Hi All,

I wanted to check the state of the ACL evaluation engine in samba. I have configured my linux sles 10, samba version 3.5.1-3.3-2332 with "ea support = yes", "store dos attributes=yes", "vfs objects = acl_xattr" and get lots of error + some failure messages. I attached the results of running the test against both samba as well as native windows 2003 cifs server. Finally the test itself seems to error out.

Are there known issues in the samba acl evaluation engine? Is it being worked on?

Thank you for any information/suggestions.

Regards.
-Shyam
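
As an added example (not part of the original post and not smbtorture code), the Python below decodes the access_flags mismatch reported at torture/raw/acls.c:852 in the Samba run into named NT access-mask bits, so the rights the handle carried beyond what the test expected are readable at a glance. The bit names are the standard Windows file access rights; the function names `decode` and `excess_rights` are hypothetical.

```python
import re

# Standard NT access-mask bits for file objects (Windows SDK names).
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Matches the smbtorture message format seen in the log above.
PATTERN = re.compile(
    r"Incorrect access_flags (0x[0-9a-fA-F]{8}) - should be (0x[0-9a-fA-F]{8})"
)

def decode(mask):
    """Return the names of the known bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def excess_rights(log):
    """For each access_flags mismatch, list rights present but not expected
    ('extra') and rights expected but absent ('missing')."""
    findings = []
    for m in PATTERN.finditer(log):
        got, want = int(m.group(1), 16), int(m.group(2), 16)
        findings.append({
            "got": decode(got),
            "expected": decode(want),
            "extra": decode(got & ~want),
            "missing": decode(want & ~got),
        })
    return findings

# Line copied from the Samba test run quoted in the post.
SAMPLE_LOG = (
    "(torture/raw/acls.c:852) Incorrect access_flags 0x00170089"
    " - should be 0x00070080\n"
)

if __name__ == "__main__":
    for f in excess_rights(SAMPLE_LOG):
        print("extra:", f["extra"], "missing:", f["missing"])
```
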