From 93510eb513598431c260cd0b85a02d0e49cc821b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 11 Feb 2015 13:37:16 +1300
Subject: [PATCH] backupkey: Change expected error codes to match Windows
 2008R2 and Windows 2012R2

This is done in both smbtoture and in our server

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
---
 source4/rpc_server/backupkey/dcesrv_backupkey.c |  4 ++--
 source4/torture/rpc/backupkey.c                 | 11 +++++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 4c9115c50e7..22c86c750f4 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -608,7 +608,7 @@ static WERROR bkrp_client_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
 				&lsa_secret);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("Error while fetching secret %s\n", cert_secret_name));
-		return WERR_FILE_NOT_FOUND;
+		return WERR_INVALID_DATA;
 	} else if (lsa_secret.length == 0) {
 		/* we do not have the real secret attribute, like if we are an RODC */
 		return WERR_INVALID_PARAMETER;
@@ -661,7 +661,7 @@ static WERROR bkrp_client_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
 		hx509_private_key_free(&pk);
 		if (res != 0) {
 			/* We are not able to decrypt the secret, looks like something is wrong */
-			return WERR_INVALID_DATA;
+			return WERR_INVALID_PARAMETER;
 		}
 		blob_us.data = uncrypted_secret.data;
 		blob_us.length = uncrypted_secret.length;
diff --git a/source4/torture/rpc/backupkey.c b/source4/torture/rpc/backupkey.c
index 81876438855..967ea470869 100644
--- a/source4/torture/rpc/backupkey.c
+++ b/source4/torture/rpc/backupkey.c
@@ -775,7 +775,7 @@ static bool test_RestoreGUID_ko(struct torture_context *tctx,
 		out_blob.length = *r->out.data_out_len;
 		ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
 		torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
-		torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Wrong error code");
+		torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAM, "Wrong error code");
 	} else {
 		struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
@@ -980,7 +980,14 @@ static bool test_RestoreGUID_badcertguid(struct torture_context *tctx,
 		out_blob.length = *r->out.data_out_len;
 		ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
 		torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
-		torture_assert_werr_equal(tctx, r->out.result, WERR_FILE_NOT_FOUND, "Bad error code on wrong has in access check");
+
+		/* 
+		 * Windows 2012R2 has, presumably, a programming error
+		 * returning an NTSTATUS code on this interface 
+		 */
+		if (W_ERROR_V(r->out.result) != NT_STATUS_V(NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+			torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
+		}
 	} else {
 		struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- 
2.11.4.GIT