[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Thu Feb 11 18:29:01 UTC 2021


The branch, master has been updated
       via  8fa53985920 gpo: Security gpext rsop list only own policies
       via  55d432248c3 gpo: Test that Security gpext rsop lists only own policies
       via  ff4279575f2 gpo: Ensure empty Security sections are removed
       via  c27c97ab552 gpo: Test that empty Security sections are removed
      from  551532d0079 s3:registry Renaming get_charset() to smbreg_get_charset()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8fa53985920f16b0e79c4386e90bfd1bb25be347
Author: David Mulder <dmulder at suse.com>
Date:   Tue Dec 15 12:48:30 2020 -0700

    gpo: Security gpext rsop list only own policies
    
    The rsop should only list the policies from
    that extension, not from all policies in the
    same file.
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Feb 11 18:28:09 UTC 2021 on sn-devel-184

commit 55d432248c37071b8206133154edcc4dec7134f7
Author: David Mulder <dmulder at suse.com>
Date:   Tue Feb 9 12:58:49 2021 -0700

    gpo: Test that Security gpext rsop lists only own policies
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit ff4279575f271fbbf04892c79e038d9fbaa96da3
Author: David Mulder <dmulder at suse.com>
Date:   Fri Dec 11 10:38:32 2020 -0700

    gpo: Ensure empty Security sections are removed
    
    Failing to remove the empty section causes tests
    to fail, and is also just bad practice.
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit c27c97ab552d18de00ec4eb9cbc4da457daa15a6
Author: David Mulder <dmulder at suse.com>
Date:   Tue Feb 9 11:06:40 2021 -0700

    gpo: Test that empty Security sections are removed
    
    Ensure that empty sections are removed when
    calling samba-tool gpo manage security set.
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/gp_sec_ext.py           |  6 ++++--
 python/samba/netcmd/gpo.py           |  2 ++
 python/samba/tests/gpo.py            |  3 ++-
 python/samba/tests/samba_tool/gpo.py | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 43 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/gp_sec_ext.py b/python/samba/gp_sec_ext.py
index 136ba220de7..a9f5bbe5a6c 100644
--- a/python/samba/gp_sec_ext.py
+++ b/python/samba/gp_sec_ext.py
@@ -102,7 +102,8 @@ class gp_krb_ext(gp_inf_ext):
             inf_conf = self.parse(path)
             if not inf_conf:
                 return output
-            for section in inf_conf.sections():
+            if str(self) in inf_conf.sections():
+                section = str(self)
                 output[section] = {k: v for k, v in inf_conf.items(section) \
                                       if gp_krb_ext.apply_map.get(k)}
         return output
@@ -210,7 +211,8 @@ class gp_access_ext(gp_inf_ext):
             inf_conf = self.parse(path)
             if not inf_conf:
                 return output
-            for section in inf_conf.sections():
+            if str(self) in inf_conf.sections():
+                section = str(self)
                 output[section] = {k: v for k, v in inf_conf.items(section) \
                                       if gp_access_ext.apply_map.get(k)}
         return output
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
index a0629feb4cd..33069200a44 100644
--- a/python/samba/netcmd/gpo.py
+++ b/python/samba/netcmd/gpo.py
@@ -1986,6 +1986,8 @@ PasswordComplexity      Password must meet complexity requirements
             inf_data.set(section, policy, value)
         else:
             inf_data.remove_option(section, policy)
+            if len(inf_data.options(section)) == 0:
+                inf_data.remove_section(section)
 
         out = StringIO()
         inf_data.write(out)
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index f2c857a8f26..ba0e91bde79 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -594,7 +594,8 @@ class GPOTests(tests.TestCase):
         # Create krb stage date
         gpofile = os.path.join(local_path, policies, '%s/MACHINE/MICROSOFT/' \
                   'WINDOWS NT/SECEDIT/GPTTMPL.INF')
-        krb_stage = '[Kerberos Policy]\nMaxTicketAge = 99\n'
+        krb_stage = '[Kerberos Policy]\nMaxTicketAge = 99\n' \
+                    '[System Access]\nMinimumPasswordAge = 998\n'
 
         for g in [g for g in gpos if g.file_sys_path]:
             ret = stage_file(gpofile % g.name, krb_stage)
diff --git a/python/samba/tests/samba_tool/gpo.py b/python/samba/tests/samba_tool/gpo.py
index d678a96352b..588c63a703c 100644
--- a/python/samba/tests/samba_tool/gpo.py
+++ b/python/samba/tests/samba_tool/gpo.py
@@ -692,6 +692,41 @@ class GpoCmdTestCase(SambaToolCmdTest):
         self.assertCmdSuccess(result, out, err,
                               'Failed to unset MaxTicketAge')
 
+    def test_security_nonempty_sections(self):
+        lp = LoadParm()
+        lp.load(os.environ['SERVERCONFFILE'])
+        local_path = lp.get('path', 'sysvol')
+        gpt_inf = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
+                               self.gpo_guid, 'Machine/Microsoft/Windows NT',
+                               'SecEdit/GptTmpl.inf')
+
+        (result, out, err) = self.runsublevelcmd("gpo", ("manage", "security",
+                                                 "set"), self.gpo_guid,
+                                                 'MaxTicketAge', '10',
+                                                 "-H", "ldap://%s" %
+                                                 os.environ["SERVER"],
+                                                 "-U%s%%%s" %
+                                                 (os.environ["USERNAME"],
+                                                 os.environ["PASSWORD"]))
+        self.assertCmdSuccess(result, out, err,
+                              'Failed to set MaxTicketAge')
+
+        (result, out, err) = self.runsublevelcmd("gpo", ("manage", "security",
+                                                 "set"), self.gpo_guid,
+                                                 'MaxTicketAge',
+                                                 "-H", "ldap://%s" %
+                                                 os.environ["SERVER"],
+                                                 "-U%s%%%s" %
+                                                 (os.environ["USERNAME"],
+                                                 os.environ["PASSWORD"]))
+        self.assertCmdSuccess(result, out, err,
+                              'Failed to unset MaxTicketAge')
+
+        inf_data = ConfigParser(interpolation=None)
+        inf_data.read(gpt_inf)
+
+        self.assertFalse(inf_data.has_section('Kerberos Policy'))
+
     def test_sudoers_remove(self):
         lp = LoadParm()
         lp.load(os.environ['SERVERCONFFILE'])


-- 
Samba Shared Repository



More information about the samba-cvs mailing list