import re
import random
-sys.path.append("bin/python")
+sys.path.insert(0, "bin/python")
import samba
samba.ensure_external_module("testtools", "testtools")
samba.ensure_external_module("subunit", "subunit/python")
from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
# For running the test unit
-from samba.ndr import ndr_pack, ndr_unpack
+from samba.ndr import ndr_pack
from samba.dcerpc import security
from samba import gensec, sd_utils
from samba.samdb import SamDB
-from samba.credentials import Credentials
+from samba.credentials import Credentials, DONT_USE_KERBEROS
from samba.auth import system_session
from samba.dsdb import DS_DOMAIN_FUNCTION_2008
from samba.dcerpc.security import (
creds_tmp.set_workstation(creds.get_workstation())
creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
| gensec.FEATURE_SEAL)
+ creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
return ldb_target
self.ldb_admin.newuser("testuser8", "samba123@")
self.ldb_admin.add_remove_group_members("Enterprise Admins",
- "testuser1,testuser5,testuser6,testuser8",
+ ["testuser1", "testuser5", "testuser6", "testuser8"],
add_members_operation=True)
self.ldb_admin.add_remove_group_members("Domain Admins",
- "testuser2,testuser5,testuser6,testuser7",
+ ["testuser2","testuser5","testuser6","testuser7"],
add_members_operation=True)
self.ldb_admin.add_remove_group_members("Schema Admins",
- "testuser3,testuser6,testuser7,testuser8",
+ ["testuser3","testuser6","testuser7","testuser8"],
add_members_operation=True)
self.results = {
self.assertEqual("O:DAG:DA", res)
########################################################################################
- # Inharitance tests for DACL
+ # Inheritance tests for DACL
class DaclDescriptorTests(DescriptorTests):
def deleteAll(self):
delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou_p," + self.base_dn)
delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
def setUp(self):
res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
expression="distinguishedName=%s" % object_dn)
# Make sure top testing OU has been deleted before starting the test
- self.assertEqual(res, [])
+ self.assertEqual(len(res), 0)
self.ldb_admin.create_ou(object_dn)
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
# Make sure there are inheritable ACEs initially
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
- self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
+ self.assertTrue("(D;;WP;;;DA)" in desc_sddl)
+ self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
def test_212(self):
""" Provide ACE with IO flag, should be ignored
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
+ def test_214(self):
+ """ Test behavior of ACEs containing generic rights
+ """
+ ou_dn = "OU=test_inherit_ou_p," + self.base_dn
+ ou_dn1 = "OU=test_inherit_ou1," + ou_dn
+ ou_dn2 = "OU=test_inherit_ou2," + ou_dn
+ ou_dn3 = "OU=test_inherit_ou3," + ou_dn
+ ou_dn4 = "OU=test_inherit_ou4," + ou_dn
+ ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
+ ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
+ # Create inheritable-free OU
+ mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+ mod = "D:(A;CI;GA;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
+ mod = "D:(A;CIIO;GA;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn2, sd=tmp_desc)
+ mod = "D:(A;;GA;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn3, sd=tmp_desc)
+ mod = "D:(A;IO;GA;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn4, sd=tmp_desc)
+
+ self.ldb_admin.create_ou(ou_dn5)
+ self.ldb_admin.create_ou(ou_dn6)
+
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
+ self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
+ self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
+ self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
+ self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
+ self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
+ self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
+
+ def test_215(self):
+ """ Make sure IO flag is removed in child objects
+ """
+ ou_dn = "OU=test_inherit_ou_p," + self.base_dn
+ ou_dn1 = "OU=test_inherit_ou1," + ou_dn
+ ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
+ # Create inheritable-free OU
+ mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+ mod = "D:(A;CIIO;WP;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
+ self.ldb_admin.create_ou(ou_dn5)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
+ self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
+ self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
+
+ def test_216(self):
+ """ Make sure ID ACES provided by user are ignored
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+ # Add some custom ACE
+ mod = "D:(D;ID;WP;;;AU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ # Make sure created group object does not contain the ID ace
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
+ self.assertFalse("(A;;WP;;;AU)" in desc_sddl)
+
+ def test_217(self):
+ """ Make sure ID ACES provided by user are not ignored if P flag is set
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+ # Add some custom ACE
+ mod = "D:P(A;ID;WP;;;AU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ # Make sure created group object does not contain the ID ace
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
+ self.assertTrue("(A;;WP;;;AU)" in desc_sddl)
+
########################################################################################
# User 2, Domain Admins
self.ldb_admin.newuser("testuser_attr2", "samba123@")
self.ldb_admin.add_remove_group_members("Domain Admins",
- "testuser_attr2",
+ ["testuser_attr2"],
add_members_operation=True)
def test_sDRightsEffective(self):