[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Mon Oct 25 09:24:01 UTC 2021


The branch, master has been updated
       via  c174e9ebe71 tests/krb5: Check account name and SID in PAC for S4U tests
       via  9ac2d5d991d gp: Apply Firewalld Policy
       via  8f347449190 gp: Test Firewalld Group Policy Apply
       via  7253405c352 gp: Add Firewalld ADMX templates
      from  5094d986b76 lib/krb5_wrap: Fix missing error check in new salt code

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c174e9ebe715aad6910d53c1f427a0512c09d651
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 21 16:46:56 2021 +1300

    tests/krb5: Check account name and SID in PAC for S4U tests
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Mon Oct 25 09:23:35 UTC 2021 on sn-devel-184

commit 9ac2d5d991d16d1957c720fcda3ff6a9ac78dc13
Author: David Mulder <dmulder at suse.com>
Date:   Thu Oct 14 15:36:52 2021 -0600

    gp: Apply Firewalld Policy
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Andreas Schneider <asn at cryptomilk.org>

commit 8f347449190c698ec4d2720bbf6ffced853ef797
Author: David Mulder <dmulder at suse.com>
Date:   Tue Oct 12 12:54:09 2021 -0600

    gp: Test Firewalld Group Policy Apply
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Andreas Schneider <asn at cryptomilk.org>

commit 7253405c35247dff192e86598b18d524e1602818
Author: David Mulder <dmulder at suse.com>
Date:   Wed Oct 6 12:46:26 2021 -0600

    gp: Add Firewalld ADMX templates
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Andreas Schneider <asn at cryptomilk.org>

-----------------------------------------------------------------------

Summary of changes:
 libgpo/admx/en-US/samba.adml             | 105 ++++++++++++++++---
 libgpo/admx/samba.admx                   |  39 +++++--
 python/samba/gp_firewalld_ext.py         | 154 ++++++++++++++++++++++++++++
 python/samba/tests/bin/firewall-cmd      | 110 ++++++++++++++++++++
 python/samba/tests/gpo.py                | 169 +++++++++++++++++++++++++------
 python/samba/tests/krb5/kdc_base_test.py |   4 +
 python/samba/tests/krb5/raw_testcase.py  |  26 +++++
 python/samba/tests/krb5/s4u_tests.py     |  12 +++
 source4/scripting/bin/samba-gpupdate     |   2 +
 9 files changed, 569 insertions(+), 52 deletions(-)
 create mode 100644 python/samba/gp_firewalld_ext.py
 create mode 100755 python/samba/tests/bin/firewall-cmd


Changeset truncated at 500 lines:

diff --git a/libgpo/admx/en-US/samba.adml b/libgpo/admx/en-US/samba.adml
index a954c41a7d0..ad3a37ca142 100755
--- a/libgpo/admx/en-US/samba.adml
+++ b/libgpo/admx/en-US/samba.adml
@@ -3124,12 +3124,84 @@ Example: 192.9.200.1 192.168.2.61</string>
 
        u      Insert the number of current users logged in.
 
-       U      Insert the string "1 user" or "<n> users" where <n> is the number of current users logged in.
-
-       v      Insert the version of the OS, that is, the build-date and such.</string>
-    </stringTable>
-    <presentationTable>
-      <presentation id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061">
+       U      Insert the string "1 user" or "<n> users" where <n> is the number of current users logged in.
+
+       v      Insert the version of the OS, that is, the build-date and such.</string>
+      <string id="CAT_371A8FF5_990F_47DD_B200_D436AC28A4F9">Firewalld</string>
+      <string id="POL_ADABE9E0_FFF9_4FFE_A105_03E646C79978">Zones</string>
+      <string id="POL_ADABE9E0_FFF9_4FFE_A105_03E646C79978_Help">A list of zones to create. Existing zones on the host will be unaffected.
+
+Rule creation for zones is handled in the Rules setting.</string>
+      <string id="POL_B21F349F_4BF6_473E_8452_047D714F156C">Rules</string>
+      <string id="POL_B21F349F_4BF6_473E_8452_047D714F156C_Help">A JSON dictionary, containing zones paired with a list of rules.
+
+For example, to create rules for the Work and Home zones, specify the following JSON:
+
+{
+  "work": [
+    {"rule": {"family": "ipv4"}, "source address": "172.25.1.7", "service name": "ftp", "reject": {}},
+    {"rule": {}, "source address": "172.25.1.8", "service name": "ftp", "reject": {}}
+  ],
+  "home": [
+    {"rule": {}, "protocol value": "icmp", "reject": {}},
+    {"rule": {"family": "ipv4"}, "source address": "192.168.1.2/32", "service name": "telnet", "accept": {"limit value": "1/m"}}
+  ]
+}
+
+An improperly formatted JSON will be ignored.
+
+The rule structure loosely follows the Firewalld Rich Language Documentation.
+
+General rule structure:
+{
+  "rule": {
+    "family": "ipv4 | ipv6",
+    "priority": "priority"
+  },
+  "source [not] address | mac | ipset": "address[/mask] | mac-address | ipset",
+  "destination [not] adress": "address[/mask]",
+  "service name": "service name",
+  "port": {
+    "port": "port value",
+    "protocol": "tcp | udp"
+  }
+  "protocol value": "protocol value",
+  "icmp-block name": "icmptype name",
+  "Masquerade": true|false,
+  "icmp-type": "icmptype name",
+  "forward-port": {
+    "port": "port value",
+    "protocol": "tcp | udp",
+    "to-port": "port value",
+    "to-addr": "address"
+  },
+  "source-port": {
+    "port": "port value",
+    "protocol": "tcp | udp"
+  },
+  "log": {
+    "prefix": "prefix text",
+    "level": "emerg | alert | crit | error | warning | notice | info | debug",
+    "limit value": "rate/duration"
+  },
+  "audit": {
+    "limit value": "rate/duration"
+  },
+  "accept" : {
+    "limit value": "rate/duration"
+  } | "reject": {
+    "type": "reject type",
+    "limit value": "rate/duration"
+  } | "drop": {
+    "limit value": "rate/duration"
+  } | "mark": {
+    "set": "mark[/mask]",
+    "limit value": "rate/duration"
+  }
+}</string>
+    </stringTable>
+    <presentationTable>
+      <presentation id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061">
         <listBox refId="LST_2E9A4684_3C0E_415B_8FD6_D4AF68BC8AC6">Script and arguments</listBox>
       </presentation>
       <presentation id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1">
@@ -4642,9 +4714,18 @@ Example: 192.9.200.1 192.168.2.61</string>
       <presentation id="POL_68E9155C_CB49_428E_AFE0_B89316FFD948">
         <textBox refId="TXT_8075D9EA_6E15_4B2A_833A_B918EE90856F">
           <label>Login Prompt Message</label>
-          <defaultValue>Welcome to \s \r \l</defaultValue>
-        </textBox>
-      </presentation>
-    </presentationTable>
-  </resources>
-</policyDefinitionResources>
+          <defaultValue>Welcome to \s \r \l</defaultValue>
+        </textBox>
+      </presentation>
+      <presentation id="POL_ADABE9E0_FFF9_4FFE_A105_03E646C79978">
+        <listBox refId="LST_5B9AE80A_6529_4313_A9A1_764DF5320930">Firewalld Zones</listBox>
+      </presentation>
+      <presentation id="POL_B21F349F_4BF6_473E_8452_047D714F156C">
+        <textBox refId="TXT_76109A0B_AA79_4F69_ADFC_2B3CA52763D2">
+          <label>Firewalld Rules</label>
+          <defaultValue>{}</defaultValue>
+        </textBox>
+      </presentation>
+    </presentationTable>
+  </resources>
+</policyDefinitionResources>
diff --git a/libgpo/admx/samba.admx b/libgpo/admx/samba.admx
index d09956d5394..877c9f2ba23 100755
--- a/libgpo/admx/samba.admx
+++ b/libgpo/admx/samba.admx
@@ -17,12 +17,15 @@
     <category name="CAT_9DEF582D_447A_47E9_A1F5_363558D03FA9" displayName="$(string.CAT_9DEF582D_447A_47E9_A1F5_363558D03FA9)">
       <parentCategory ref="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" />
     </category>
-    <category displayName="$(string.CAT_10827749_64ED_5052_87F7_E81AD421856A)" name="CAT_10827749_64ED_5052_87F7_E81AD421856A">
-      <parentCategory ref="CAT_3338C1DD_8A00_4273_8547_158D8B8C19E9"/>
-    </category>
-  </categories>
-  <policies>
-    <policy name="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061" class="Both" displayName="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" explainText="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help)" presentation="$(presentation.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" key="Software\Policies\Samba\Unix Settings">
+    <category displayName="$(string.CAT_10827749_64ED_5052_87F7_E81AD421856A)" name="CAT_10827749_64ED_5052_87F7_E81AD421856A">
+      <parentCategory ref="CAT_3338C1DD_8A00_4273_8547_158D8B8C19E9"/>
+    </category>
+    <category name="CAT_371A8FF5_990F_47DD_B200_D436AC28A4F9" displayName="$(string.CAT_371A8FF5_990F_47DD_B200_D436AC28A4F9)">
+      <parentCategory ref="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" />
+    </category>
+  </categories>
+  <policies>
+    <policy name="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061" class="Both" displayName="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" explainText="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help)" presentation="$(presentation.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" key="Software\Policies\Samba\Unix Settings">
       <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
       <supportedOn ref="windows:SUPPORTED_WindowsVista" />
       <elements>
@@ -2525,8 +2528,22 @@
       <parentCategory ref="CAT_9DEF582D_447A_47E9_A1F5_363558D03FA9" />
       <supportedOn ref="windows:SUPPORTED_WindowsVista" />
       <elements>
-        <text id="TXT_8075D9EA_6E15_4B2A_833A_B918EE90856F" key="Software\Policies\Samba\Unix Settings\Messages" valueName="issue" />
-      </elements>
-    </policy>
-  </policies>
-</policyDefinitions>
+        <text id="TXT_8075D9EA_6E15_4B2A_833A_B918EE90856F" key="Software\Policies\Samba\Unix Settings\Messages" valueName="issue" />
+      </elements>
+    </policy>
+    <policy name="POL_ADABE9E0_FFF9_4FFE_A105_03E646C79978" class="Machine" displayName="$(string.POL_ADABE9E0_FFF9_4FFE_A105_03E646C79978)" explainText="$(string.POL_ADABE9E0_FFF9_4FFE_A105_03E646C79978_Help)" presentation="$(presentation.POL_ADABE9E0_FFF9_4FFE_A105_03E646C79978)" key="Software\Policies\Samba\Unix Settings\Firewalld" valueName="Zones">
+      <parentCategory ref="CAT_371A8FF5_990F_47DD_B200_D436AC28A4F9" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_16" />
+      <elements>
+        <list id="LST_5B9AE80A_6529_4313_A9A1_764DF5320930" key="Software\Policies\Samba\Unix Settings\Firewalld\Zones" />
+      </elements>
+    </policy>
+    <policy name="POL_B21F349F_4BF6_473E_8452_047D714F156C" class="Machine" displayName="$(string.POL_B21F349F_4BF6_473E_8452_047D714F156C)" explainText="$(string.POL_B21F349F_4BF6_473E_8452_047D714F156C_Help)" presentation="$(presentation.POL_B21F349F_4BF6_473E_8452_047D714F156C)" key="Software\Policies\Samba\Unix Settings\Firewalld" valueName="Rules">
+      <parentCategory ref="CAT_371A8FF5_990F_47DD_B200_D436AC28A4F9" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_16" />
+      <elements>
+        <text id="TXT_76109A0B_AA79_4F69_ADFC_2B3CA52763D2" key="Software\Policies\Samba\Unix Settings\Firewalld\Rules" valueName="Rules" />
+      </elements>
+    </policy>
+  </policies>
+</policyDefinitions>
diff --git a/python/samba/gp_firewalld_ext.py b/python/samba/gp_firewalld_ext.py
new file mode 100644
index 00000000000..4067d44b610
--- /dev/null
+++ b/python/samba/gp_firewalld_ext.py
@@ -0,0 +1,154 @@
+# gp_firewalld_ext samba gpo policy
+# Copyright (C) David Mulder <dmulder at suse.com> 2021
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from samba.gpclass import gp_pol_ext
+import os
+from subprocess import Popen, PIPE
+from hashlib import blake2b
+from shutil import which
+import json
+
+def firewall_cmd(*args):
+    cmd = [which('firewall-cmd')]
+    cmd.extend(list(args))
+
+    p = Popen(cmd, stdout=PIPE, stderr=PIPE)
+    stdoutdata, stderrdata = p.communicate()
+    return p.returncode, stdoutdata
+
+def rule_segment_parse(name, rule_segment):
+    if type(rule_segment) == str:
+        return ('%s=%s' % (name, rule_segment)) + ' '
+    else:
+        return '%s %s ' % (name,
+            ' '.join(['%s=%s' % (k, v) for k, v in rule_segment.items()]))
+
+class gp_firewalld_ext(gp_pol_ext):
+    def __str__(self):
+        return 'Security/Firewalld'
+
+    def apply_zone(self, zone):
+        ret = firewall_cmd('--permanent', '--new-zone=%s' % zone)[0]
+        if ret != 0:
+            self.logger.error('Failed to add new zone %s' % zone)
+        else:
+            self.gp_db.store(str(self), 'zone:%s' % zone, zone)
+        # Default to matching the interface(s) for the default zone
+        ret, out = firewall_cmd('--list-interfaces')
+        if ret != 0:
+            self.logger.error('Failed to set interfaces for zone: %s' % zone)
+        for interface in out.strip().split():
+            ret = firewall_cmd('--permanent', '--zone=%s' % zone,
+                               '--add-interface=%s' % interface.decode())
+            if ret != 0:
+                self.logger.error('Failed to set interfaces for zone: %s' % \
+                                  zone)
+
+    def apply_rules(self, rule_dict):
+        for zone, rules in rule_dict.items():
+            for rule in rules:
+                if 'rule' in rule:
+                    rule_parsed = rule_segment_parse('rule', rule['rule'])
+                else:
+                    rule_parsed = 'rule '
+                for segment in ['source', 'destination', 'service', 'port',
+                                'protocol', 'icmp-block', 'masquerade',
+                                'icmp-type', 'forward-port', 'source-port',
+                                'log', 'audit']:
+                    names = [s for s in rule.keys() if s.startswith(segment)]
+                    for name in names:
+                        rule_parsed += rule_segment_parse(name, rule[name])
+                actions = set(['accept', 'reject', 'drop', 'mark'])
+                segments = set(rule.keys())
+                action = actions.intersection(segments)
+                if len(action) == 1:
+                    rule_parsed += rule_segment_parse(list(action)[0],
+                                                      rule[list(action)[0]])
+                else:
+                    self.logger.error('Invalid firewall rule syntax')
+                ret = firewall_cmd('--permanent', '--zone=%s' % zone,
+                                   '--add-rich-rule', rule_parsed.strip())[0]
+                if ret != 0:
+                    self.logger.error('Failed to add firewall rule: %s' % \
+                                      rule_parsed)
+                else:
+                    rhash = blake2b(rule_parsed.encode()).hexdigest()
+                    self.gp_db.store(str(self), 'rule:%s:%s' % (zone, rhash),
+                                     rule_parsed)
+
+    def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
+        for guid, settings in deleted_gpo_list:
+            self.gp_db.set_guid(guid)
+            if str(self) in settings:
+                for attribute, value in settings[str(self)].items():
+                    if attribute.startswith('zone'):
+                        ret = firewall_cmd('--permanent',
+                                           '--delete-zone=%s' % value)[0]
+                        if ret != 0:
+                            self.logger.error('Failed to remove zone: %s' % \
+                                              value)
+                        else:
+                            self.gp_db.delete(str(self), attribute)
+                    elif attribute.startswith('rule'):
+                        _, zone, _ = attribute.split(':')
+                        ret = firewall_cmd('--permanent', '--zone=%s' % zone,
+                                           '--remove-rich-rule', value)[0]
+                        if ret != 0:
+                            self.logger.error('Failed to remove firewall'
+                                              ' rule: %s' % value)
+                        else:
+                            self.gp_db.delete(str(self), attribute)
+            self.gp_db.commit()
+
+        for gpo in changed_gpo_list:
+            if gpo.file_sys_path:
+                section = 'Software\\Policies\\Samba\\Unix Settings\\Firewalld'
+                self.gp_db.set_guid(gpo.name)
+                pol_file = 'MACHINE/Registry.pol'
+                path = os.path.join(gpo.file_sys_path, pol_file)
+                pol_conf = self.parse(path)
+                if not pol_conf:
+                    continue
+                for e in pol_conf.entries:
+                    if e.keyname.startswith(section):
+                        if e.keyname.endswith('Rules'):
+                            self.apply_rules(json.loads(e.data))
+                        elif e.keyname.endswith('Zones'):
+                            if e.valuename == '**delvals.':
+                                continue
+                            self.apply_zone(e.data)
+                self.gp_db.commit()
+
+    def rsop(self, gpo):
+        output = {}
+        pol_file = 'MACHINE/Registry.pol'
+        section = 'Software\\Policies\\Samba\\Unix Settings\\Firewalld'
+        if gpo.file_sys_path:
+            path = os.path.join(gpo.file_sys_path, pol_file)
+            pol_conf = self.parse(path)
+            if not pol_conf:
+                return output
+            for e in pol_conf.entries:
+                if e.keyname.startswith(section):
+                    if e.keyname.endswith('Zone'):
+                        if 'Zones' not in output.keys():
+                            output['Zones'] = []
+                        output['Zones'].append(e.data)
+                    elif e.keyname.endswith('Rules'):
+                        if 'Rules' not in output.keys():
+                            output['Rules'] = []
+                        output['Rules'].append(json.loads(e.data))
+        return output
diff --git a/python/samba/tests/bin/firewall-cmd b/python/samba/tests/bin/firewall-cmd
new file mode 100755
index 00000000000..503ae9a772c
--- /dev/null
+++ b/python/samba/tests/bin/firewall-cmd
@@ -0,0 +1,110 @@
+#!/usr/bin/python3
+import optparse
+import os, sys, re
+import pickle
+try:
+    from firewall.core.rich import Rich_Rule
+except ImportError:
+    Rich_Rule = None
+
+sys.path.insert(0, "bin/python")
+
+if __name__ == "__main__":
+    parser = optparse.OptionParser('firewall-cmd [options]')
+    parser.add_option('--list-interfaces', default=False, action="store_true")
+    parser.add_option('--permanent', default=False, action="store_true")
+    parser.add_option('--new-zone')
+    parser.add_option('--get-zones', default=False, action="store_true")
+    parser.add_option('--delete-zone')
+    parser.add_option('--zone')
+    parser.add_option('--add-interface')
+    parser.add_option('--add-rich-rule')
+    parser.add_option('--remove-rich-rule')
+    parser.add_option('--list-rich-rules', default=False, action="store_true")
+
+    (opts, args) = parser.parse_args()
+
+    # Use a dir we can write to in the testenv
+    if 'LOCAL_PATH' in os.environ:
+        data_dir = os.path.realpath(os.environ.get('LOCAL_PATH'))
+    else:
+        data_dir = os.path.dirname(os.path.realpath(__file__))
+    dump_file = os.path.join(data_dir, 'firewall-cmd.dump')
+    if os.path.exists(dump_file):
+        with open(dump_file, 'rb') as r:
+            data = pickle.load(r)
+    else:
+        data = {}
+
+    if opts.list_interfaces:
+        if not opts.zone: # default zone dummy interface
+            print('eth0')
+        else:
+            assert 'zone_interfaces' in data
+            assert opts.zone in data['zone_interfaces'].keys()
+            for interface in data['zone_interfaces'][opts.zone]:
+                sys.stdout.write('%s ' % interface)
+            print()
+    elif opts.new_zone:
+        if 'zones' not in data:
+            data['zones'] = []
+        data['zones'].append(opts.new_zone)
+    elif opts.get_zones:
+        if 'zones' in data:
+            for zone in data['zones']:
+                sys.stdout.write('%s ' % zone)
+            print()
+    elif opts.delete_zone:
+        assert 'zones' in data
+        assert opts.delete_zone in data['zones']
+        data['zones'].remove(opts.delete_zone)
+        if len(data['zones']) == 0:
+            del data['zones']
+        if 'zone_interfaces' in data and opts.zone in data['zone_interfaces'].keys():
+            del data['zone_interfaces'][opts.zone]
+    elif opts.add_interface:
+        assert opts.zone
+        assert 'zones' in data
+        assert opts.zone in data['zones']
+        if 'zone_interfaces' not in data:
+            data['zone_interfaces'] = {}
+        if opts.zone not in data['zone_interfaces'].keys():
+            data['zone_interfaces'][opts.zone] = []
+        data['zone_interfaces'][opts.zone].append(opts.add_interface)
+    elif opts.add_rich_rule:
+        assert opts.zone
+        if 'rules' not in data:
+            data['rules'] = {}
+        if opts.zone not in data['rules']:
+            data['rules'][opts.zone] = []
+        # Test rule parsing if firewalld is installed
+        if Rich_Rule:
+            # Parsing failure will throw an exception
+            data['rules'][opts.zone].append(str(Rich_Rule(rule_str=opts.add_rich_rule)))
+        else:
+            data['rules'][opts.zone].append(opts.add_rich_rule)
+    elif opts.remove_rich_rule:
+        assert opts.zone
+        assert 'rules' in data
+        assert opts.zone in data['rules'].keys()
+        if Rich_Rule:
+            rich_rule = str(Rich_Rule(rule_str=opts.remove_rich_rule))
+            assert rich_rule in data['rules'][opts.zone]
+            data['rules'][opts.zone].remove(rich_rule)
+        else:
+            assert opts.remove_rich_rule in data['rules'][opts.zone]
+            data['rules'][opts.zone].remove(opts.remove_rich_rule)
+    elif opts.list_rich_rules:
+        assert opts.zone
+        assert 'rules' in data
+        assert opts.zone in data['rules'].keys()
+        for rule in data['rules'][opts.zone]:
+            print(rule)
+
+    if opts.permanent:
+        if data == {}:
+            if os.path.exists(dump_file):
+                os.unlink(dump_file)
+        else:
+            with open(dump_file, 'wb') as w:
+                pickle.dump(data, w)
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 05f12312c6e..918a7845690 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -44,6 +44,7 @@ from samba.gp_gnome_settings_ext import gp_gnome_settings_ext
 from samba.gp_cert_auto_enroll_ext import gp_cert_auto_enroll_ext
 from samba.gp_firefox_ext import gp_firefox_ext
 from samba.gp_chromium_ext import gp_chromium_ext
+from samba.gp_firewalld_ext import gp_firewalld_ext
 import logging
 from samba.credentials import Credentials
 from samba.gp_msgs_ext import gp_msgs_ext
@@ -61,6 +62,7 @@ from samba.gpclass import get_dc_hostname
 from samba import Ldb
 from samba.auth import system_session
 import json
+from shutil import which
 
 realm = os.environ.get('REALM')
 policies = realm + '/POLICIES'
@@ -6832,6 +6834,43 @@ b"""
 }
 """
 
+firewalld_reg_pol = \
+b"""
+<?xml version="1.0" encoding="utf-8"?>
+<PolFile num_entries="6" signature="PReg" version="1">
+    <Entry type="4" type_name="REG_DWORD">
+        <Key>Software\Policies\Samba\Unix Settings\Firewalld</Key>
+        <ValueName>Zones</ValueName>
+        <Value>1</Value>
+    </Entry>
+    <Entry type="4" type_name="REG_DWORD">
+        <Key>Software\Policies\Samba\Unix Settings\Firewalld</Key>
+        <ValueName>Rules</ValueName>
+        <Value>1</Value>
+    </Entry>
+    <Entry type="1" type_name="REG_SZ">
+        <Key>Software\Policies\Samba\Unix Settings\Firewalld\Rules</Key>
+        <ValueName>Rules</ValueName>
+        <Value>{"work": [{"rule": {"family": "ipv4"}, "source address": "172.25.1.7", "service name": "ftp", "reject": {}}]}</Value>
+    </Entry>
+    <Entry type="1" type_name="REG_SZ">
+        <Key>Software\Policies\Samba\Unix Settings\Firewalld\Zones</Key>
+        <ValueName>**delvals.</ValueName>
+        <Value> </Value>
+    </Entry>
+    <Entry type="1" type_name="REG_SZ">
+        <Key>Software\Policies\Samba\Unix Settings\Firewalld\Zones</Key>


-- 
Samba Shared Repository



More information about the samba-cvs mailing list