[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Sep 21 20:59:02 UTC 2018


The branch, master has been updated
       via  1885410 selftest: Tweak PSO test-suite name
       via  5d86675 tests: test ldap search requesting non-existent attribute
       via  6c1ff59 acl_read: Rework Samba code to reflect Windows logic
       via  93bbe2d tests: Minor code cleanups to confidential_attr test
       via  198bcfb python tests: fix format() strings for Python 2.6
       via  3b94d31 ldb: Fix dependency of ldb module
      from  b6efa15 heimdal-build: Avoid using python str.format()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 188541076a1a19acb8a3dd572a5bd4f69350cf41
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Sep 20 13:46:32 2018 +1200

    selftest: Tweak PSO test-suite name
    
    There are 2 different PSO tests:
    - make test TESTS=ldap.password_settings
    - make test TESTS=samba_tool.passwordsettings
    
    There's also another test that's completely unrelated to PSOs:
    - make test TESTS=blackbox.password_settings
    
    This patch renames ldap.password_settings --> ldap.passwordsettings.
    This means 'make test TESTS=passwordsettings' will run both PSO tests,
    but not the unrelated blackbox test.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Sep 21 22:58:17 CEST 2018 on sn-devel-144

commit 5d8667514af9db5283eb9cfe07e9881ff4cf46f3
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Fri Sep 14 14:06:30 2018 +1200

    tests: test ldap search requesting non-existent attribute
    
    As an after-thought to commit 563e454e8c55e94a950, we thought it
    might be a good idea to add a test case that requests a non-existent
    attribute in the attribute-filter as well as the search-filter.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6c1ff5909948d7fd3c06e8809980eb505feaa403
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Fri Sep 14 13:27:56 2018 +1200

    acl_read: Rework Samba code to reflect Windows logic
    
    This patch should not alter functionality. It is just updating the Samba
    code to better match the Windows specification docs.
    
    When fixing Samba BUG #13434, the Microsoft behaviour wasn't clearly
    documented, so we made a best guess based on observed behaviour.
    The problem was an exception was made to allow "objectClass=*" searches
    to return objects, even if you didn't have Read Property rights for the
    object's objectClass attribute. However, the logic behind what
    attributes were and weren't covered by this exception wasn't clear.
    
    I made a guess that it was attributes belonging to the Public Info
    property-set that also have the systemOnly flag set.
    
    Microsoft have confirmed the object visibility behaviour. It turns out
    that an optimization is made for the 4 attributes that are always
    present for every object (i.e. objectClass, distinguishedName,
    name, objectGUID). They're updating their Docs to reflect this.
    
    Now that we know the Windows logic, we can update the Samba code.
    This simplifies the code somewhat.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 93bbe2d219d66f395023945cb0c67814178c14a3
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Aug 1 17:30:37 2018 +1200

    tests: Minor code cleanups to confidential_attr test
    
    + fix a couple of flake8 warnings
    + add some extra code comments (particularly around the cases where the
      child class overrides a particular method, to avoid confusion when
      browsing the code).
    + assert_not_in_result() was duplicated (it's only needed for the deny
      ACL tests)
    + skip redundant if in dirsync's assert_search_result() (it always has
      to use the base-DN - we never pass it this as an arg).
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 198bcfbac3985e38a705b101d79713831172a64c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Sep 21 13:22:56 2018 +1200

    python tests: fix format() strings for Python 2.6
    
    Python 2.6 wants "{0}".format(x), not "{}".format(x).
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3b94d31d2478455cd4f370be76da2733216e7041
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Fri Sep 21 14:33:42 2018 +1000

    ldb: Fix dependency of ldb module
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13626
    Signed-off-by: Amitay Isaacs <amitay at gmail.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/wscript                                |   2 +-
 python/samba/tests/blackbox/check_output.py    |   4 +-
 python/samba/tests/blackbox/samba_dnsupdate.py |   6 +-
 python/samba/tests/dns.py                      |  12 +--
 python/samba/tests/domain_backup_offline.py    |   2 +-
 python/samba/tests/kcc/kcc_utils.py            |   6 +-
 python/samba/tests/krb5_credentials.py         |   2 +-
 python/samba/tests/posixacl.py                 |   4 +-
 python/samba/tests/pso.py                      |  22 ++--
 python/samba/tests/samba_tool/computer.py      |  10 +-
 python/samba/tests/samba_tool/demote.py        |   6 +-
 python/samba/tests/samba_tool/dnscmd.py        |  32 +++---
 selftest/knownfail.d/password_settings         |   4 +-
 source4/dsdb/samdb/ldb_modules/acl_read.c      |  73 +++++--------
 source4/dsdb/tests/python/confidential_attr.py | 141 +++++++++++++------------
 source4/dsdb/tests/python/ldap.py              |   8 ++
 source4/dsdb/tests/python/password_settings.py |   2 +-
 source4/selftest/tests.py                      |   2 +-
 18 files changed, 166 insertions(+), 172 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 51023b4..61acbd2 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -446,7 +446,7 @@ def build(bld):
                          init_function='ldb_ldb_init',
                          module_init_name='ldb_init_module',
                          internal_module=False,
-                         deps='ldb ldb_tdb ldb_key_value' + lmdb_deps,
+                         deps='ldb ldb_tdb_int ldb_key_value' + lmdb_deps,
                          subsystem='ldb')
 
         # have a separate subsystem for common/ldb.c, so it can rebuild
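Review bot: the commit message for this one-word `deps` change carries only a bug URL, so the reason for depending on `ldb_tdb_int` instead of `ldb_tdb` is not recorded in the log. A sentence in the message body stating what build or link problem the old dependency caused would let a later reader judge the change without opening Bugzilla.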
diff --git a/python/samba/tests/blackbox/check_output.py b/python/samba/tests/blackbox/check_output.py
index 7b92d82..3483a08 100644
--- a/python/samba/tests/blackbox/check_output.py
+++ b/python/samba/tests/blackbox/check_output.py
@@ -55,7 +55,9 @@ class TimeoutHelper():
 
 def _make_cmdline(data='$', repeat=(5 * 1024 * 1024), retcode=0):
     """Build a command to call gen_output.py to generate large output"""
-    return 'gen_output.py --data {} --repeat {} --retcode {}'.format(data, repeat, retcode)
+    return 'gen_output.py --data {0} --repeat {1} --retcode {2}'.format(data,
+                                                                        repeat,
+                                                                        retcode)
 
 
 class CheckOutputTests(BlackboxTestCase):
diff --git a/python/samba/tests/blackbox/samba_dnsupdate.py b/python/samba/tests/blackbox/samba_dnsupdate.py
index d5f70ea..1e0c164 100644
--- a/python/samba/tests/blackbox/samba_dnsupdate.py
+++ b/python/samba/tests/blackbox/samba_dnsupdate.py
@@ -99,14 +99,14 @@ class SambaDnsUpdateTests(samba.tests.BlackboxTestCase):
 
         m = ldb.Message()
         m.dn = ldb.Dn(self.samdb, 'CN=DEFAULTIPSITELINK,CN=IP,'
-                      'CN=Inter-Site Transports,CN=Sites,{}'.format(
+                      'CN=Inter-Site Transports,CN=Sites,{0}'.format(
                           self.samdb.get_config_basedn()))
-        m['siteList'] = ldb.MessageElement("CN={},CN=Sites,{}".format(
+        m['siteList'] = ldb.MessageElement("CN={0},CN=Sites,{1}".format(
             site_name,
             self.samdb.get_config_basedn()),
             ldb.FLAG_MOD_ADD, "siteList")
 
-        dns_c = "samba_dnsupdate --verbose --use-file={}".format(tmp_uc)
+        dns_c = "samba_dnsupdate --verbose --use-file={0}".format(tmp_uc)
         out = self.check_output(dns_c)
         self.assertFalse(site_name.lower() in out, out)
 
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index 50486f0..1e6734f 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -1002,7 +1002,7 @@ class TestZones(DNSTest):
                 self.fail(str(e))
 
     def ldap_modify_dnsrecs(self, name, func):
-        dn = 'DC={},{}'.format(name, self.zone_dn)
+        dn = 'DC={0},{1}'.format(name, self.zone_dn)
         dns_recs = self.ldap_get_dns_records(name)
         for rec in dns_recs:
             func(rec)
@@ -1033,7 +1033,7 @@ class TestZones(DNSTest):
         # The use of SCOPE_SUBTREE here avoids raising an exception in the
         # 0 results case for a test below.
 
-        expr = "(&(objectClass=dnsNode)(name={}))".format(name)
+        expr = "(&(objectClass=dnsNode)(name={0}))".format(name)
         return self.samdb.search(base=self.zone_dn, scope=ldb.SCOPE_SUBTREE,
                                  expression=expr, attrs=["*"])
 
@@ -1045,7 +1045,7 @@ class TestZones(DNSTest):
     def ldap_get_zone_settings(self):
         records = self.samdb.search(base=self.zone_dn, scope=ldb.SCOPE_BASE,
                                     expression="(&(objectClass=dnsZone)" +
-                                    "(name={}))".format(self.zone),
+                                    "(name={0}))".format(self.zone),
                                     attrs=["dNSProperty"])
         self.assertEqual(len(records), 1)
         props = [ndr_unpack(dnsp.DnsProperty, r)
@@ -1259,7 +1259,7 @@ class TestZones(DNSTest):
         self.dns_tombstone(name5, txt5, self.zone)
 
         self.ldap_get_dns_records(name3)
-        expr = "(dnsRecord:1.3.6.1.4.1.7165.4.5.3:={})"
+        expr = "(dnsRecord:1.3.6.1.4.1.7165.4.5.3:={0})"
         expr = expr.format(int(last_update.dwTimeStamp) - 1)
         try:
             res = self.samdb.search(base=self.zone_dn, scope=ldb.SCOPE_SUBTREE,
@@ -1281,7 +1281,7 @@ class TestZones(DNSTest):
                         Aging=1, zone=self.zone,
                         AllowUpdate=dnsp.DNS_ZONE_UPDATE_UNSECURE)
 
-        expr = "(dnsRecord:1.3.6.1.4.1.7165.4.5.3:={})"
+        expr = "(dnsRecord:1.3.6.1.4.1.7165.4.5.3:={0})"
         expr = expr.format(1)
 
         try:
@@ -1328,7 +1328,7 @@ class TestZones(DNSTest):
 
         # Tombstone time longer than 64 characters
         try:
-            expr = "(dnsRecord:1.3.6.1.4.1.7165.4.5.3:={})"
+            expr = "(dnsRecord:1.3.6.1.4.1.7165.4.5.3:={0})"
             expr = expr.format("1" * 65)
             res = samdb.search(base=self.zone_dn, scope=ldb.SCOPE_SUBTREE,
                                expression=expr, attrs=["*"])
diff --git a/python/samba/tests/domain_backup_offline.py b/python/samba/tests/domain_backup_offline.py
index 6762e88..f5fa156 100644
--- a/python/samba/tests/domain_backup_offline.py
+++ b/python/samba/tests/domain_backup_offline.py
@@ -111,7 +111,7 @@ class DomainBackupOfflineCmp(SambaToolCmdTest, TestCaseInTempDir):
                      fn.endswith(".tar.bz2")]
         if len(tar_files) != 1:
             raise CommandError("expected domain backup to create one tar" +
-                               " file but got {}".format(len(tar_files)))
+                               " file but got {0}".format(len(tar_files)))
 
         backup_file = os.path.join(prov_dir, tar_files[0])
         return prov_dir, backup_file
diff --git a/python/samba/tests/kcc/kcc_utils.py b/python/samba/tests/kcc/kcc_utils.py
index ae0aee3..d8c084e 100644
--- a/python/samba/tests/kcc/kcc_utils.py
+++ b/python/samba/tests/kcc/kcc_utils.py
@@ -69,7 +69,7 @@ class SiteCoverageTests(samba.tests.TestCase):
         self.samdb.transaction_commit()
 
     def _add_server(self, name, site):
-        dn = "CN={},CN=Servers,{}".format(name, site)
+        dn = "CN={0},CN=Servers,{1}".format(name, site)
         self.samdb.add({
             "dn": dn,
             "objectClass": "server",
@@ -78,7 +78,7 @@ class SiteCoverageTests(samba.tests.TestCase):
         return dn
 
     def _add_site(self, name):
-        dn = "CN={},CN=Sites,{}".format(
+        dn = "CN={0},CN=Sites,{1}".format(
             name, self.samdb.get_config_basedn()
         )
         self.samdb.add({
@@ -94,7 +94,7 @@ class SiteCoverageTests(samba.tests.TestCase):
         return dn, name.lower()
 
     def _add_site_link(self, name, links=[], cost=100):
-        dn = "CN={},CN=IP,CN=Inter-Site Transports,CN=Sites,{}".format(
+        dn = "CN={0},CN=IP,CN=Inter-Site Transports,CN=Sites,{1}".format(
             name, self.samdb.get_config_basedn()
         )
         self.samdb.add({
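Review bot: in the context lines of this hunk, `def _add_site_link(self, name, links=[], cost=100)` uses a mutable list as a default argument, so the same list object is shared by every call and any in-place modification leaks from one test into the next. Since the function is being touched anyway, consider `links=None` in the signature and `links = links or []` in the body.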
diff --git a/python/samba/tests/krb5_credentials.py b/python/samba/tests/krb5_credentials.py
index 58f951e..6c30bef 100644
--- a/python/samba/tests/krb5_credentials.py
+++ b/python/samba/tests/krb5_credentials.py
@@ -95,7 +95,7 @@ class PyKrb5CredentialsTests(TestCase):
         delete_force(self.ldb, self.machine_dn)
         # get unicode str for both py2 and py3
         pass_unicode = self.machine_pass.encode('utf-8').decode('utf-8')
-        utf16pw = u'"{}"'.format(pass_unicode).encode('utf-16-le')
+        utf16pw = u'"{0}"'.format(pass_unicode).encode('utf-16-le')
         self.ldb.add({
             "dn": self.machine_dn,
             "objectclass": "computer",
diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 982967f..a758df9 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -823,7 +823,7 @@ class SessionedPosixAclMappingTests(PosixAclMappingTests):
             # fake it with admin session as domsid is not in local db
             return auth.admin_session(self.lp, str(domsid))
 
-        dn = '<SID={}-{}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
+        dn = '<SID={0}-{1}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
         flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
                  auth.AUTH_SESSION_INFO_AUTHENTICATED |
                  auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
@@ -844,7 +844,7 @@ class UnixSessionedPosixAclMappingTests(PosixAclMappingTests):
             # fake it with admin session as domsid is not in local db
             return auth.admin_session(self.lp, str(domsid))
 
-        dn = '<SID={}-{}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
+        dn = '<SID={0}-{1}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
         flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
                  auth.AUTH_SESSION_INFO_AUTHENTICATED |
                  auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
diff --git a/python/samba/tests/pso.py b/python/samba/tests/pso.py
index af1cd7a..4038ee7 100644
--- a/python/samba/tests/pso.py
+++ b/python/samba/tests/pso.py
@@ -228,18 +228,18 @@ class PasswordSettings:
 
         # all the following fields are mandatory for the PSO object
         ldif = """
-dn: {}
+dn: {0}
 objectClass: msDS-PasswordSettings
-msDS-PasswordSettingsPrecedence: {}
-msDS-PasswordReversibleEncryptionEnabled: {}
-msDS-PasswordHistoryLength: {}
-msDS-PasswordComplexityEnabled: {}
-msDS-MinimumPasswordLength: {}
-msDS-MinimumPasswordAge: {}
-msDS-MaximumPasswordAge: {}
-msDS-LockoutThreshold: {}
-msDS-LockoutObservationWindow: {}
-msDS-LockoutDuration: {}
+msDS-PasswordSettingsPrecedence: {1}
+msDS-PasswordReversibleEncryptionEnabled: {2}
+msDS-PasswordHistoryLength: {3}
+msDS-PasswordComplexityEnabled: {4}
+msDS-MinimumPasswordLength: {5}
+msDS-MinimumPasswordAge: {6}
+msDS-MaximumPasswordAge: {7}
+msDS-LockoutThreshold: {8}
+msDS-LockoutObservationWindow: {9}
+msDS-LockoutDuration: {10}
 """.format(self.dn, self.precedence, plaintext_str, self.history_len,
            complexity_str, self.password_len, min_age, max_age,
            self.lockout_attempts, lockout_window, lockout_duration)
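Review bot: the LDIF template now depends on eleven positional indexes, `{0}` to `{10}`, matched purely by order against the `.format(...)` argument list, so inserting or reordering a field silently writes a value into the wrong `msDS-*` attribute (for example the lockout threshold into the minimum password length). Named fields such as `{dn}` and `{precedence}` with keyword arguments are also accepted by Python 2.6 and make each template line self-describing.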
diff --git a/python/samba/tests/samba_tool/computer.py b/python/samba/tests/samba_tool/computer.py
index 8c5f332..94f6230 100644
--- a/python/samba/tests/samba_tool/computer.py
+++ b/python/samba/tests/samba_tool/computer.py
@@ -254,14 +254,14 @@ class ComputerCmdTestCase(SambaToolCmdTest):
         return ou
 
     def _create_computer(self, computer):
-        args = '{} {} --description={}'.format(
+        args = '{0} {1} --description={2}'.format(
             computer['name'], self.creds, computer["description"])
 
         for ip_address in computer.get('ip_address_list', []):
-            args += ' --ip-address={}'.format(ip_address)
+            args += ' --ip-address={0}'.format(ip_address)
 
         for service_principal_name in computer.get('service_principal_name_list', []):
-            args += ' --service-principal-name={}'.format(service_principal_name)
+            args += ' --service-principal-name={0}'.format(service_principal_name)
 
         args = args.split()
 
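Review bot: `_create_computer` formats `computer["description"]` into a single string and then calls `args.split()`, so a description, IP address or SPN value containing whitespace is broken into several separate arguments and the test runs a different command line than intended. Building `args` as a list from the start, with `'--description={0}'.format(...)` appended as one element, avoids the round trip through a string.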
@@ -290,9 +290,9 @@ class ComputerCmdTestCase(SambaToolCmdTest):
     def _find_dns_record(self, name, ip_address):
         name = name.rstrip('$')  # computername
         records = self.samdb.search(
-            base="DC=DomainDnsZones,{}".format(self.samdb.get_default_basedn()),
+            base="DC=DomainDnsZones,{0}".format(self.samdb.get_default_basedn()),
             scope=ldb.SCOPE_SUBTREE,
-            expression="(&(objectClass=dnsNode)(name={}))".format(name),
+            expression="(&(objectClass=dnsNode)(name={0}))".format(name),
             attrs=['dnsRecord', 'dNSTombstoned'])
 
         # unpack data and compare
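Review bot: `name` is interpolated into the search filter `(&(objectClass=dnsNode)(name={0}))` without escaping, so a computer name containing `(`, `)`, `*` or `\` changes the meaning of the filter instead of being matched literally. The test data is fixed today, but wrapping the value in `ldb.binary_encode()` keeps `_find_dns_record` correct if other names are passed in later.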
diff --git a/python/samba/tests/samba_tool/demote.py b/python/samba/tests/samba_tool/demote.py
index 0726d2b..ce57ad1 100644
--- a/python/samba/tests/samba_tool/demote.py
+++ b/python/samba/tests/samba_tool/demote.py
@@ -25,7 +25,7 @@ class DemoteCmdTestCase(SambaToolCmdTest):
 
     def setUp(self):
         super(DemoteCmdTestCase, self).setUp()
-        self.creds_string = "-U{}%{}".format(
+        self.creds_string = "-U{0}%{1}".format(
             os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"])
 
         self.dc_server = os.environ['DC_SERVER']
@@ -58,10 +58,10 @@ class DemoteCmdTestCase(SambaToolCmdTest):
         self.assertCmdSuccess(result, out, err)
 
         # the above A record points to this host
-        dnshostname = '{}.{}'.format(server, zone)
+        dnshostname = '{0}.{1}'.format(server, zone)
 
         # add a SRV record points to above host
-        srv_record = "{} 65530 65530 65530".format(dnshostname)
+        srv_record = "{0} 65530 65530 65530".format(dnshostname)
         self.runsubcmd(
             "dns", "add", self.dc_server, zone, 'testrecord', "SRV",
             srv_record, self.creds_string)
diff --git a/python/samba/tests/samba_tool/dnscmd.py b/python/samba/tests/samba_tool/dnscmd.py
index 64e34dc..3d3d768 100644
--- a/python/samba/tests/samba_tool/dnscmd.py
+++ b/python/samba/tests/samba_tool/dnscmd.py
@@ -670,7 +670,7 @@ class DnsCmdTestCase(SambaToolCmdTest):
                        'testa', "A", self.testip, self.creds_string)
 
         # the above A record points to this host
-        dnshostname = '{}.{}'.format('testa', self.zone.lower())
+        dnshostname = '{0}.{1}'.format('testa', self.zone.lower())
 
         # add a CNAME record points to above host
         self.runsubcmd("dns", "add", os.environ["SERVER"], self.zone,
@@ -685,7 +685,7 @@ class DnsCmdTestCase(SambaToolCmdTest):
                        'testptr', "PTR", dnshostname, self.creds_string)
 
         # add a SRV record points to above host
-        srv_record = "{} 65530 65530 65530".format(dnshostname)
+        srv_record = "{0} 65530 65530 65530".format(dnshostname)
         self.runsubcmd("dns", "add", os.environ["SERVER"], self.zone,
                        'testsrv', "SRV", srv_record, self.creds_string)
 
@@ -697,9 +697,9 @@ class DnsCmdTestCase(SambaToolCmdTest):
         for record_name in ['testa', 'testcname', 'testns', 'testptr', 'testsrv']:
 
             records = self.samdb.search(
-                base="DC=DomainDnsZones,{}".format(self.samdb.get_default_basedn()),
+                base="DC=DomainDnsZones,{0}".format(self.samdb.get_default_basedn()),
                 scope=ldb.SCOPE_SUBTREE,
-                expression="(&(objectClass=dnsNode)(name={}))".format(record_name),
+                expression="(&(objectClass=dnsNode)(name={0}))".format(record_name),
                 attrs=["dNSTombstoned"])
 
             self.assertEqual(len(records), 1)
@@ -716,7 +716,7 @@ class DnsCmdTestCase(SambaToolCmdTest):
                        'notesta', "A", self.testip, self.creds_string)
 
         # the above A record points to this host
-        dnshostname = '{}.{}'.format('testa', self.zone.lower())
+        dnshostname = '{0}.{1}'.format('testa', self.zone.lower())
 
         # add a CNAME record points to above host
         self.runsubcmd("dns", "add", os.environ["SERVER"], self.zone,
@@ -731,7 +731,7 @@ class DnsCmdTestCase(SambaToolCmdTest):
                        'notestptr', "PTR", dnshostname, self.creds_string)
 
         # add a SRV record points to above host
-        srv_record = "{} 65530 65530 65530".format(dnshostname)
+        srv_record = "{0} 65530 65530 65530".format(dnshostname)
         self.runsubcmd("dns", "add", os.environ["SERVER"], self.zone,
                        'notestsrv', "SRV", srv_record, self.creds_string)
 
@@ -747,9 +747,9 @@ class DnsCmdTestCase(SambaToolCmdTest):
         for record_name in ['notestcname', 'notestns', 'notestptr', 'notestsrv']:
 
             records = self.samdb.search(
-                base="DC=DomainDnsZones,{}".format(self.samdb.get_default_basedn()),
+                base="DC=DomainDnsZones,{0}".format(self.samdb.get_default_basedn()),
                 scope=ldb.SCOPE_SUBTREE,
-                expression="(&(objectClass=dnsNode)(name={}))".format(record_name),
+                expression="(&(objectClass=dnsNode)(name={0}))".format(record_name),
                 attrs=["dNSTombstoned"])
 
             self.assertEqual(len(records), 1)
@@ -776,30 +776,30 @@ class DnsCmdTestCase(SambaToolCmdTest):
                            host, "A", self.testip, self.creds_string)
 
             # the above A record points to this host
-            dnshostname = '{}.{}'.format(host, self.zone.lower())
+            dnshostname = '{0}.{1}'.format(host, self.zone.lower())
 
             # add a SRV record points to above host
-            srv_record = "{} 65530 65530 65530".format(dnshostname)
+            srv_record = "{0} 65530 65530 65530".format(dnshostname)
             self.runsubcmd("dns", "add", os.environ["SERVER"], self.zone,
                            srv_name, "SRV", srv_record, self.creds_string)
 
         records = self.samdb.search(
-            base="DC=DomainDnsZones,{}".format(self.samdb.get_default_basedn()),
+            base="DC=DomainDnsZones,{0}".format(self.samdb.get_default_basedn()),
             scope=ldb.SCOPE_SUBTREE,
-            expression="(&(objectClass=dnsNode)(name={}))".format(srv_name),
+            expression="(&(objectClass=dnsNode)(name={0}))".format(srv_name),
             attrs=['dnsRecord'])
         # should have 2 records here
         self.assertEqual(len(records[0]['dnsRecord']), 2)
 
         # cleanup record for dns host1
-        dnshostname1 = 'host1.{}'.format(self.zone.lower())
+        dnshostname1 = 'host1.{0}'.format(self.zone.lower())
         self.runsubcmd("dns", "cleanup", os.environ["SERVER"],
                        dnshostname1, self.creds_string)
 
         records = self.samdb.search(
-            base="DC=DomainDnsZones,{}".format(self.samdb.get_default_basedn()),
+            base="DC=DomainDnsZones,{0}".format(self.samdb.get_default_basedn()),
             scope=ldb.SCOPE_SUBTREE,
-            expression="(&(objectClass=dnsNode)(name={}))".format(srv_name),
+            expression="(&(objectClass=dnsNode)(name={0}))".format(srv_name),
             attrs=['dnsRecord', 'dNSTombstoned'])
 
         # dnsRecord for host1 should be deleted
@@ -810,7 +810,7 @@ class DnsCmdTestCase(SambaToolCmdTest):
         dns_record_obj = ndr_unpack(dnsp.DnssrvRpcRecord, dns_record_bin)
 
         # dnsRecord for host2 is still there and is the only one
-        dnshostname2 = 'host2.{}'.format(self.zone.lower())
+        dnshostname2 = 'host2.{0}'.format(self.zone.lower())
         self.assertEqual(dns_record_obj.data.nameTarget, dnshostname2)
 
         # assert that the record isn't spuriously tombstoned
diff --git a/selftest/knownfail.d/password_settings b/selftest/knownfail.d/password_settings
index 7525b20..c733c23 100644
--- a/selftest/knownfail.d/password_settings
+++ b/selftest/knownfail.d/password_settings
@@ -1,4 +1,4 @@
 # highlights a minor corner-case discrepancy between Windows and Samba
-samba4.ldap.password_settings.python.password_settings.PasswordSettingsTestCase.test_domain_pwd_history_zero\(ad_dc_ntvfs\)
-samba4.ldap.password_settings.python.python3.password_settings.PasswordSettingsTestCase.test_domain_pwd_history_zero\(ad_dc_ntvfs\)
+samba4.ldap.passwordsettings.python.password_settings.PasswordSettingsTestCase.test_domain_pwd_history_zero\(ad_dc_ntvfs\)
+samba4.ldap.passwordsettings.python.python3.password_settings.PasswordSettingsTestCase.test_domain_pwd_history_zero\(ad_dc_ntvfs\)
 
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 280845a..6ab4780 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -38,9 +38,6 @@
 #include "param/param.h"
 #include "dsdb/samdb/ldb_modules/util.h"
 
-/* The attributeSecurityGuid for the Public Information Property-Set */
-#define PUBLIC_INFO_PROPERTY_SET "e48d0154-bcf8-11d1-8702-00c04fb96050"
-
 struct aclread_context {
 	struct ldb_module *module;
 	struct ldb_request *req;
@@ -282,16 +279,13 @@ static int check_attr_access_rights(TALLOC_CTX *mem_ctx, const char *attr_name,
 				    struct aclread_context *ac,
 				    struct security_descriptor *sd,
 				    const struct dsdb_class *objectclass,
-				    struct dom_sid *sid, struct ldb_dn *dn,
-				    bool *is_public_info)
+				    struct dom_sid *sid, struct ldb_dn *dn)
 {
 	int ret;
 	const struct dsdb_attribute *attr = NULL;
 	uint32_t access_mask;
 	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 
-	*is_public_info = false;
-
 	attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, attr_name);
 	if (!attr) {
 		ldb_debug_set(ldb,
@@ -302,35 +296,6 @@ static int check_attr_access_rights(TALLOC_CTX *mem_ctx, const char *attr_name,
 		return LDB_SUCCESS;
 	}
 
-	/*
-	 * If we have no Read Property (RP) rights for a child object, it should
-	 * still appear as a visible object in 'objectClass=*' searches,
-	 * as long as we have List Contents (LC) rights for it.
-	 * This is needed for the acl.py tests (e.g. test_search1()).
-	 * I couldn't find the Windows behaviour documented in the specs, so
-	 * this is a guess, but it seems to only apply to attributes in the
-	 * Public Information Property Set that have the systemOnly flag set to
-	 * TRUE. (This makes sense in a way, as it's not disclosive to find out
-	 * that a child object has a 'objectClass' or 'name' attribute, as every
-	 * object has these attributes).
-	 */
-	if (attr->systemOnly) {
-		struct GUID public_info_guid;
-		NTSTATUS status;
-
-		status = GUID_from_string(PUBLIC_INFO_PROPERTY_SET,
-					  &public_info_guid);
-		if (!NT_STATUS_IS_OK(status)) {
-			ldb_set_errstring(ldb, "Public Info GUID parse error");
-			return LDB_ERR_OPERATIONS_ERROR;
-		}
-
-		if (GUID_compare(&attr->attributeSecurityGUID,
-				 &public_info_guid) == 0) {
-			*is_public_info = true;
-		}
-	}
-
 	access_mask = get_attr_access_mask(attr, ac->sd_flags);
 
 	/* the access-mask should be non-zero. Skip attribute otherwise */
@@ -399,8 +364,14 @@ static int parse_tree_check_attr_access(struct ldb_parse_tree *tree,
 {
 	struct parse_tree_aclread_ctx *ctx = NULL;
 	const char *attr_name = NULL;
-	bool is_public_info = false;
 	int ret;
+	static const char * const attrs_always_present[] = {
+		"objectClass",
+		"distinguishedName",
+		"name",
+		"objectGUID",
+		NULL
+	};
 
 	ctx = (struct parse_tree_aclread_ctx *)private_context;
 
@@ -418,9 +389,24 @@ static int parse_tree_check_attr_access(struct ldb_parse_tree *tree,
 		return LDB_SUCCESS;
 	}
 
+	/*
+	 * If the search filter is checking for an attribute's presence, and the
+	 * attribute is always present, we can skip access rights checks. Every
+	 * object has these attributes, and so there's no security reason to
+	 * hide their presence.
+	 * Note: the acl.py tests (e.g. test_search1()) rely on this exception.
+	 * I.e. even if we lack Read Property (RP) rights for a child object, it
+	 * should still appear as a visible object in 'objectClass=*' searches,
+	 * so long as we have List Contents (LC) rights for the object.


-- 
Samba Shared Repository


