type=str, dest="allowed_to_authenticate_to",
action="callback", callback=self.set_option,
metavar="SDDL")
- self.add_option("--computer-allowed-to-authenticate-to-by-group",
- help="The computer account (server, workstation) service requires the connecting user to be in GROUP",
- type=str, dest="allowed_to_authenticate_to_by_group",
- action="callback", callback=self.set_option,
- metavar="GROUP")
- self.add_option("--computer-allowed-to-authenticate-to-by-silo",
- help="The computer account (server, workstation) service requires the connecting user to be in SILO",
- type=str, dest="allowed_to_authenticate_to_by_silo",
- action="callback", callback=self.set_option,
- metavar="SILO")
class cmd_domain_auth_policy_list(Command):
[serviceopts.allowed_to_authenticate_to,
serviceopts.allowed_to_authenticate_to_by_group,
serviceopts.allowed_to_authenticate_to_by_silo])
- check_similar_args("--computer-allowed-to-authenticate-to",
- [computeropts.allowed_to_authenticate_to,
- computeropts.allowed_to_authenticate_to_by_group,
- computeropts.allowed_to_authenticate_to_by_silo])
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
- # Generate SDDL for authenticating computer accounts to a group
- if computeropts.allowed_to_authenticate_to_by_group:
- group = Group.get(
- ldb, cn=computeropts.allowed_to_authenticate_to_by_group)
- computeropts.allowed_to_authenticate_to = group.get_authentication_sddl()
-
- # Generate SDDL for authenticating computer accounts to a silo
- if computeropts.allowed_to_authenticate_to_by_silo:
- silo = AuthenticationSilo.get(
- ldb, cn=computeropts.allowed_to_authenticate_to_by_silo)
- computeropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
-
try:
policy = AuthenticationPolicy.get(ldb, cn=name)
except ModelError as e:
[serviceopts.allowed_to_authenticate_to,
serviceopts.allowed_to_authenticate_to_by_group,
serviceopts.allowed_to_authenticate_to_by_silo])
- check_similar_args("--computer-allowed-to-authenticate-to",
- [computeropts.allowed_to_authenticate_to,
- computeropts.allowed_to_authenticate_to_by_group,
- computeropts.allowed_to_authenticate_to_by_silo])
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
- # Generate SDDL for authenticating computer accounts to a group
- if computeropts.allowed_to_authenticate_to_by_group:
- group = Group.get(
- ldb, cn=computeropts.allowed_to_authenticate_to_by_group)
- computeropts.allowed_to_authenticate_to = group.get_authentication_sddl()
-
- # Generate SDDL for authenticating computer accounts to a silo
- if computeropts.allowed_to_authenticate_to_by_silo:
- silo = AuthenticationSilo.get(
- ldb, cn=computeropts.allowed_to_authenticate_to_by_silo)
- computeropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
-
try:
policy = AuthenticationPolicy.get(ldb, cn=name)
except ModelError as e:
self.assertIn("--computer-tgt-lifetime-mins must be between 45 and 2147483647",
err)
- def test_create__computer_allowed_to_authenticate_to_by_group(self):
- """Tests the --computer-allowed-to-authenticate-to-by-group shortcut."""
- name = self.unique_name()
- expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
- self.device_group.object_sid)
-
- # Create a user with authenticate to by group attribute.
- self.addCleanup(self.delete_authentication_policy, name=name, force=True)
- result, out, err = self.runcmd(
- "domain", "auth", "policy", "create", "--name", name,
- "--computer-allowed-to-authenticate-to-by-group",
- self.device_group.name)
- self.assertIsNone(result, msg=err)
-
- # Check user allowed to authenticate to field was modified.
- policy = self.get_authentication_policy(name)
- self.assertEqual(str(policy["cn"]), name)
- desc = policy["msDS-ComputerAllowedToAuthenticateTo"][0]
- sddl = ndr_unpack(security.descriptor, desc).as_sddl()
- self.assertEqual(sddl, expected)
-
- def test_create__computer_allowed_to_authenticate_to_by_silo(self):
- """Tests the --computer-allowed-to-authenticate-to-by-silo shortcut."""
- name = self.unique_name()
- expected = ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
- 'AuthenticationSilo == "QA"))')
-
- # Create a user with authenticate to by silo attribute.
- self.addCleanup(self.delete_authentication_policy, name=name, force=True)
- result, out, err = self.runcmd(
- "domain", "auth", "policy", "create", "--name", name,
- "--computer-allowed-to-authenticate-to-by-silo", "QA")
- self.assertIsNone(result, msg=err)
-
- # Check user allowed to authenticate to field was modified.
- policy = self.get_authentication_policy(name)
- self.assertEqual(str(policy["cn"]), name)
- desc = policy["msDS-ComputerAllowedToAuthenticateTo"][0]
- sddl = ndr_unpack(security.descriptor, desc).as_sddl()
- self.assertEqual(sddl, expected)
-
def test_create__valid_sddl(self):
"""Test creating a new authentication policy with valid SDDL in a field."""
name = self.unique_name()
self.assertEqual(result, -1)
self.assertIn("--service-allowed-to-authenticate-to argument repeated 2 times.", err)
- def test_create__computer_allowed_to_authenticate_to_repeated(self):
+ def test_computer_allowed_to_authenticate_to__set_repeated(self):
"""Test repeating similar arguments doesn't make sense to use together.
- --computer-allowed-to-authenticate-to
- --computer-allowed-to-authenticate-to-by-silo
+ computer-allowed-to-authenticate-to set --by-group
+ computer-allowed-to-authenticate-to set --by-silo
"""
- sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))'
name = self.unique_name()
- result, out, err = self.runcmd("domain", "auth", "policy", "create",
- "--name", name,
- "--computer-allowed-to-authenticate-to",
- sddl,
- "--computer-allowed-to-authenticate-to-by-silo",
+ self.runcmd("domain", "auth", "policy", "create", "--name", name)
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+
+ result, out, err = self.runcmd("domain", "auth", "policy",
+ "computer-allowed-to-authenticate-to",
+ "set", "--name", name,
+ "--by-group",
+ self.device_group.name,
+ "--by-silo",
"QA")
self.assertEqual(result, -1)
- self.assertIn("--computer-allowed-to-authenticate-to argument repeated 2 times.", err)
+ self.assertIn("Cannot have both --by-group and --by-silo options.", err)
def test_create__fails(self):
"""Test creating an authentication policy, but it fails."""
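Review bot: The rewritten test_computer_allowed_to_authenticate_to__set_repeated only checks the exit code and the error text; it never verifies that the rejected `set` call left the policy untouched, and the result of the preceding `create` call is discarded, so the test would still pass if the conflict were detected after a partial write or if the policy had never been created and the option check simply ran before the lookup. Capture and assert the create result the way the other tests in this file do, `result, out, err = self.runcmd("domain", "auth", "policy", "create", "--name", name)` followed by `self.assertIsNone(result, msg=err)`, and after the failure assertion re-read the policy and check that the attribute is absent, e.g. `self.assertNotIn("msDS-ComputerAllowedToAuthenticateTo", self.get_authentication_policy(name))` (assuming the helper returns an ldb message, as the `policy["cn"]` lookups elsewhere in this file suggest). The "Cannot have both --by-group and --by-silo options." message is emitted by the new set subcommand, which is not part of this diff, so whether it fails before touching the directory cannot be confirmed from here.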
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
- def test_modify__computer_allowed_to_authenticate_to_by_group(self):
- """Tests the --computer-allowed-to-authenticate-to-by-group shortcut."""
+ def test_computer_allowed_to_authenticate_to__set_by_group(self):
+ """Tests the computer-allowed-to-authenticate-to set --by-group shortcut."""
name = self.unique_name()
expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
self.device_group.object_sid)
self.runcmd("domain", "auth", "policy", "create", "--name", name)
# Modify user allowed to authenticate to field
- result, out, err = self.runcmd("domain", "auth", "policy", "modify",
- "--name", name,
- "--computer-allowed-to-authenticate-to-by-group",
+ result, out, err = self.runcmd("domain", "auth", "policy",
+ "computer-allowed-to-authenticate-to",
+ "set", "--name", name, "--by-group",
self.device_group.name)
self.assertIsNone(result, msg=err)
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
- def test_modify__computer_allowed_to_authenticate_to_by_silo(self):
- """Tests the --computer-allowed-to-authenticate-to-by-silo shortcut."""
+ def test_computer_allowed_to_authenticate_to__set_by_silo(self):
+ """Tests the computer-allowed-to-authenticate-to set --by-silo shortcut."""
name = self.unique_name()
expected = ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
'AuthenticationSilo == "QA"))')
self.runcmd("domain", "auth", "policy", "create", "--name", name)
# Modify user allowed to authenticate to field
- result, out, err = self.runcmd("domain", "auth", "policy", "modify",
- "--name", name,
- "--computer-allowed-to-authenticate-to-by-silo",
+ result, out, err = self.runcmd("domain", "auth", "policy",
+ "computer-allowed-to-authenticate-to",
+ "set", "--name", name, "--by-silo",
"QA")
self.assertIsNone(result, msg=err)