[SCM] Samba Shared Repository - branch master updated
Douglas Bagnall
dbagnall at samba.org
Thu Sep 2 05:57:01 UTC 2021
The branch, master has been updated
via 40b65fcb583 script/autobuild.py: Restore MIT ADDC tests against fl2008*
via 17ae0319db5 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
via 60f1b6cf0ef selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
via 8701ce492fc selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
via fb6c0b9e2a1 pydsdb: Add API to return strings of known UF_ flags
via 8c455268165 selftest: Use addCleanup rather than tearDown in user_account_control.py
via 8b078bbf871 selftest: Modernise user_account_control.py tests use a common self.OU
from 1209c89dcf6 util_sock: fix assignment of sa_socklen
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 40b65fcb5830c6168a3032eb12bb4c8acc940bb3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 09:40:08 2021 +1200
script/autobuild.py: Restore MIT ADDC tests against fl2008*
Commit 7387da74e6f0e33de5f80b9a5e59f268541f52cd incorrectly
ran the fl2000dc and fl2003dc tests twice, rather than the
fl2008dc and fl2008r2dc tests in samba-ad-dc-4b-mitkrb5.
(Now ad-dc-mit-4b)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14815
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Thu Sep 2 05:56:12 UTC 2021 on sn-devel-184
commit 17ae0319db53a7b88e7fb44a9e2fd4bf1d1daa0e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 14:54:39 2021 +1200
selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
This generates a single test per bit which is easier to
debug. Elsewhere we use this pattern where we want to
be able to put some cases in a knownfail, which is otherwise
not possible.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 60f1b6cf0ef0bf6736d8db9c53fa48fe9f3d8e75
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 14:51:27 2021 +1200
selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
This generates a single test per bit which is easier to
debug. Elsewhere we use this pattern where we want to
be able to put some cases in a knownfail, which is otherwise
not possible.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 8701ce492fc3a209035b152961d8c17e801b082a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 14:37:06 2021 +1200
selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
This is a nice easy example of how the test generation
code works, and it combined nicely with the earlier
patch to return string names from the UF_ constants.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit fb6c0b9e2a10c9559d3e056bb020bd2c990da998
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 13:03:15 2021 +1200
pydsdb: Add API to return strings of known UF_ flags
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 8c455268165f0bbfce17407df2c1746a0e03f828
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 10:10:56 2021 +1200
selftest: Use addCleanup rather than tearDown in user_account_control.py
self.addCleanup() is called regardless of the test failure or error status
and so is more reliable, particularly during development.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 8b078bbf8717b9407cdbc1588dd065164ab78e1b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 10:07:31 2021 +1200
selftest: Modernise user_account_control.py tests use a common self.OU
We set and use a single self.OU to ensure consistancy and
reduce string duplication.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
libds/common/flag_mapping.c | 50 +++++++
libds/common/flag_mapping.h | 1 +
libds/common/flags.h | 5 +
python/samba/tests/dsdb_api.py | 57 +++++++
script/autobuild.py | 4 +-
selftest/tests.py | 1 +
source4/dsdb/pydsdb.c | 30 ++++
source4/dsdb/tests/python/user_account_control.py | 172 ++++++++++++----------
8 files changed, 241 insertions(+), 79 deletions(-)
create mode 100644 python/samba/tests/dsdb_api.py
Changeset truncated at 500 lines:
diff --git a/libds/common/flag_mapping.c b/libds/common/flag_mapping.c
index ddc8ec5c198..020922db659 100644
--- a/libds/common/flag_mapping.c
+++ b/libds/common/flag_mapping.c
@@ -164,3 +164,53 @@ uint32_t ds_uf2prim_group_rid(uint32_t uf)
return prim_group_rid;
}
+
+#define FLAG(x) { .name = #x, .uf = x }
+struct {
+ const char *name;
+ uint32_t uf;
+} user_account_control_name_map[] = {
+ FLAG(UF_SCRIPT),
+ FLAG(UF_ACCOUNTDISABLE),
+ FLAG(UF_00000004),
+ FLAG(UF_HOMEDIR_REQUIRED),
+ FLAG(UF_LOCKOUT),
+ FLAG(UF_PASSWD_NOTREQD),
+ FLAG(UF_PASSWD_CANT_CHANGE),
+ FLAG(UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED),
+
+ FLAG(UF_TEMP_DUPLICATE_ACCOUNT),
+ FLAG(UF_NORMAL_ACCOUNT),
+ FLAG(UF_00000400),
+ FLAG(UF_INTERDOMAIN_TRUST_ACCOUNT),
+
+ FLAG(UF_WORKSTATION_TRUST_ACCOUNT),
+ FLAG(UF_SERVER_TRUST_ACCOUNT),
+ FLAG(UF_00004000),
+ FLAG(UF_00008000),
+
+ FLAG(UF_DONT_EXPIRE_PASSWD),
+ FLAG(UF_MNS_LOGON_ACCOUNT),
+ FLAG(UF_SMARTCARD_REQUIRED),
+ FLAG(UF_TRUSTED_FOR_DELEGATION),
+
+ FLAG(UF_NOT_DELEGATED),
+ FLAG(UF_USE_DES_KEY_ONLY),
+ FLAG(UF_DONT_REQUIRE_PREAUTH),
+ FLAG(UF_PASSWORD_EXPIRED),
+ FLAG(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION),
+ FLAG(UF_NO_AUTH_DATA_REQUIRED),
+ FLAG(UF_PARTIAL_SECRETS_ACCOUNT),
+ FLAG(UF_USE_AES_KEYS)
+};
+
+const char *dsdb_user_account_control_flag_bit_to_string(uint32_t uf)
+{
+ int i;
+ for (i=0; i < ARRAY_SIZE(user_account_control_name_map); i++) {
+ if (uf == user_account_control_name_map[i].uf) {
+ return user_account_control_name_map[i].name;
+ }
+ }
+ return NULL;
+}
diff --git a/libds/common/flag_mapping.h b/libds/common/flag_mapping.h
index ae721da894a..f08d5593af6 100644
--- a/libds/common/flag_mapping.h
+++ b/libds/common/flag_mapping.h
@@ -31,5 +31,6 @@ uint32_t ds_uf2atype(uint32_t uf);
uint32_t ds_gtype2atype(uint32_t gtype);
enum lsa_SidType ds_atype_map(uint32_t atype);
uint32_t ds_uf2prim_group_rid(uint32_t uf);
+const char *dsdb_user_account_control_flag_bit_to_string(uint32_t uf);
#endif /* __LIBDS_COMMON_FLAG_MAPPING_H__ */
diff --git a/libds/common/flags.h b/libds/common/flags.h
index d436f2bafd8..75e04b0c488 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -18,6 +18,8 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+/* Please keep this list in sync with the flag_mapping.c and pydsdb.c */
+
/* User flags for "userAccountControl" */
#define UF_SCRIPT 0x00000001 /* NT or Lan Manager Login script must be executed */
#define UF_ACCOUNTDISABLE 0x00000002
@@ -53,6 +55,9 @@
#define UF_PARTIAL_SECRETS_ACCOUNT 0x04000000
#define UF_USE_AES_KEYS 0x08000000
+/* Please keep this list in sync with the flag_mapping.c and pydsdb.c */
+
+
#define UF_TRUST_ACCOUNT_MASK (\
UF_INTERDOMAIN_TRUST_ACCOUNT |\
UF_WORKSTATION_TRUST_ACCOUNT |\
diff --git a/python/samba/tests/dsdb_api.py b/python/samba/tests/dsdb_api.py
new file mode 100644
index 00000000000..997407917af
--- /dev/null
+++ b/python/samba/tests/dsdb_api.py
@@ -0,0 +1,57 @@
+# Unix SMB/CIFS implementation. Tests for dsdb
+# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2021
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""Tests for samba.dsdb."""
+
+from samba.tests import TestCase, DynamicTestCase
+from samba.dsdb import user_account_control_flag_bit_to_string
+import samba
+
+
+ at DynamicTestCase
+class DsdbFlagTests(TestCase):
+
+ @classmethod
+ def setUpDynamicTestCases(cls):
+
+ for x in dir(samba.dsdb):
+ if x.startswith("UF_"):
+ cls.generate_dynamic_test("test",
+ x,
+ x,
+ getattr(samba.dsdb, x))
+
+
+ def _test_with_args(self, uf_string, uf_bit):
+ self.assertEqual(user_account_control_flag_bit_to_string(uf_bit),
+ uf_string)
+
+
+ def test_not_a_flag(self):
+ self.assertRaises(KeyError,
+ user_account_control_flag_bit_to_string,
+ 0xabcdef)
+
+ def test_too_long(self):
+ self.assertRaises(OverflowError,
+ user_account_control_flag_bit_to_string,
+ 0xabcdefffff)
+
+ def test_way_too_long(self):
+ self.assertRaises(OverflowError,
+ user_account_control_flag_bit_to_string,
+ 0xabcdeffffffffffff)
diff --git a/script/autobuild.py b/script/autobuild.py
index 9c343d1f29c..e42e2365488 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -713,8 +713,8 @@ tasks = {
"sequence": [
("random-sleep", random_sleep(1, 1)),
("test", make_test(include_envs=[
- "fl2000dc",
- "fl2003dc",
+ "fl2008dc",
+ "fl2008r2dc",
])),
("lcov", LCOV_CMD),
("check-clean-tree", CLEAN_SOURCE_TREE_CMD),
diff --git a/selftest/tests.py b/selftest/tests.py
index 46fc8a802bb..fade8eaacf5 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -88,6 +88,7 @@ planpythontestsuite("none", "samba.tests.s3registry")
planpythontestsuite("none", "samba.tests.s3windb")
planpythontestsuite("none", "samba.tests.s3idmapdb")
planpythontestsuite("none", "samba.tests.samba3sam")
+planpythontestsuite("none", "samba.tests.dsdb_api")
planpythontestsuite(
"none", "wafsamba.tests.test_suite",
extra_path=[os.path.join(samba4srcdir, "..", "buildtools"),
diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index 832899ef1a9..0f3a2bc62bd 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -33,6 +33,7 @@
#include "lib/util/dlinklist.h"
#include "dsdb/kcc/garbage_collect_tombstones.h"
#include "dsdb/kcc/scavenge_dns_records.h"
+#include "libds/common/flag_mapping.h"
#undef strcasecmp
@@ -1401,6 +1402,30 @@ static PyObject *py_dsdb_load_udv_v2(PyObject *self, PyObject *args)
return pylist;
}
+static PyObject *py_dsdb_user_account_control_flag_bit_to_string(PyObject *self, PyObject *args)
+{
+ const char *str;
+ long long uf;
+ if (!PyArg_ParseTuple(args, "L", &uf)) {
+ return NULL;
+ }
+
+ if (uf > UINT32_MAX) {
+ return PyErr_Format(PyExc_OverflowError, "No UF_ flags are over UINT32_MAX");
+ }
+ if (uf < 0) {
+ return PyErr_Format(PyExc_KeyError, "No UF_ flags are less then zero");
+ }
+
+ str = dsdb_user_account_control_flag_bit_to_string(uf);
+ if (str == NULL) {
+ return PyErr_Format(PyExc_KeyError,
+ "No such UF_ flag 0x%08x",
+ (unsigned int)uf);
+ }
+ return PyUnicode_FromString(str);
+}
+
static PyMethodDef py_dsdb_methods[] = {
{ "_samdb_server_site_name", (PyCFunction)py_samdb_server_site_name,
METH_VARARGS, "Get the server site name as a string"},
@@ -1482,6 +1507,11 @@ static PyMethodDef py_dsdb_methods[] = {
"_dsdb_allocate_rid(samdb)"
" -> RID" },
{ "_dsdb_load_udv_v2", (PyCFunction)py_dsdb_load_udv_v2, METH_VARARGS, NULL },
+ { "user_account_control_flag_bit_to_string",
+ (PyCFunction)py_dsdb_user_account_control_flag_bit_to_string,
+ METH_VARARGS,
+ "user_account_control_flag_bit_to_string(bit)"
+ " -> string name" },
{0}
};
diff --git a/source4/dsdb/tests/python/user_account_control.py b/source4/dsdb/tests/python/user_account_control.py
index 02805ff3adc..97a5ea8e35f 100755
--- a/source4/dsdb/tests/python/user_account_control.py
+++ b/source4/dsdb/tests/python/user_account_control.py
@@ -26,7 +26,7 @@ from samba.samdb import SamDB
from samba.dcerpc import samr, security, lsa
from samba.credentials import Credentials
from samba.ndr import ndr_unpack, ndr_pack
-from samba.tests import delete_force
+from samba.tests import delete_force, DynamicTestCase
from samba import gensec, sd_utils
from samba.credentials import DONT_USE_KERBEROS
from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError
@@ -40,6 +40,7 @@ from samba.dsdb import UF_SCRIPT, UF_ACCOUNTDISABLE, UF_00000004, UF_HOMEDIR_REQ
UF_TRUSTED_FOR_DELEGATION, UF_NOT_DELEGATED, UF_USE_DES_KEY_ONLY, UF_DONT_REQUIRE_PREAUTH, \
UF_PASSWORD_EXPIRED, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, UF_NO_AUTH_DATA_REQUIRED, \
UF_PARTIAL_SECRETS_ACCOUNT, UF_USE_AES_KEYS
+from samba import dsdb
parser = optparse.OptionParser("user_account_control.py [options] <host>")
@@ -85,11 +86,32 @@ bits = [UF_SCRIPT, UF_ACCOUNTDISABLE, UF_00000004, UF_HOMEDIR_REQUIRED,
account_types = set([UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT])
+ at DynamicTestCase
class UserAccountControlTests(samba.tests.TestCase):
+ @classmethod
+ def setUpDynamicTestCases(cls):
+ for account_type in [UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT]:
+ account_type_str = dsdb.user_account_control_flag_bit_to_string(account_type)
+ cls.generate_dynamic_test("test_uac_bits_unrelated_modify",
+ account_type_str, account_type)
+
+ for bit in bits:
+ try:
+ bit_str = dsdb.user_account_control_flag_bit_to_string(bit)
+ except KeyError:
+ bit_str = hex(bit)
+
+ cls.generate_dynamic_test("test_uac_bits_add",
+ bit_str, bit, bit_str)
+
+ cls.generate_dynamic_test("test_uac_bits_set",
+ bit_str, bit, bit_str)
+
+
def add_computer_ldap(self, computername, others=None, samdb=None):
if samdb is None:
samdb = self.samdb
- dn = "CN=%s,OU=test_computer_ou1,%s" % (computername, self.base_dn)
+ dn = "CN=%s,%s" % (computername, self.OU)
domainname = ldb.Dn(self.samdb, self.samdb.domain_dn()).canonical_str().replace("/", "")
samaccountname = "%s$" % computername
dnshostname = "%s.%s" % (computername, domainname)
@@ -130,8 +152,9 @@ class UserAccountControlTests(samba.tests.TestCase):
self.unpriv_user_pw = "samba123@"
self.unpriv_creds = self.get_creds(self.unpriv_user, self.unpriv_user_pw)
- delete_force(self.admin_samdb, "CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
- delete_force(self.admin_samdb, "OU=test_computer_ou1,%s" % (self.base_dn))
+ self.OU = "OU=test_computer_ou1,%s" % (self.base_dn)
+
+ delete_force(self.admin_samdb, self.OU, controls=["tree_delete:0"])
delete_force(self.admin_samdb, "CN=%s,CN=Users,%s" % (self.unpriv_user, self.base_dn))
self.admin_samdb.newuser(self.unpriv_user, self.unpriv_user_pw)
@@ -142,6 +165,7 @@ class UserAccountControlTests(samba.tests.TestCase):
self.unpriv_user_sid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
self.unpriv_user_dn = res[0].dn
+ self.addCleanup(self.admin_samdb.delete, self.unpriv_user_dn)
self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
@@ -150,27 +174,28 @@ class UserAccountControlTests(samba.tests.TestCase):
self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)
self.sd_utils = sd_utils.SDUtils(self.admin_samdb)
+ self.admin_samdb.create_ou(self.OU)
+ self.addCleanup(self.admin_samdb.delete, self.OU, ["tree_delete:1"])
- self.admin_samdb.create_ou("OU=test_computer_ou1," + self.base_dn)
self.unpriv_user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.unpriv_user_sid)
- old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)
+ old_sd = self.sd_utils.read_sd_on_dn(self.OU)
- self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace(self.OU, mod)
self.add_computer_ldap("testcomputer-t")
- self.sd_utils.modify_sd_on_dn("OU=test_computer_ou1," + self.base_dn, old_sd)
+ self.sd_utils.modify_sd_on_dn(self.OU, old_sd)
self.computernames = ["testcomputer-0"]
# Get the SD of the template account, then force it to match
# what we expect for SeMachineAccountPrivilege accounts, so we
# can confirm we created the accounts correctly
- self.sd_reference_cc = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
+ self.sd_reference_cc = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,%s" % (self.OU))
- self.sd_reference_modify = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
+ self.sd_reference_modify = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,%s" % (self.OU))
for ace in self.sd_reference_modify.dacl.aces:
if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and ace.trustee == self.unpriv_user_sid:
ace.access_mask = ace.access_mask | security.SEC_ADS_SELF_WRITE | security.SEC_ADS_WRITE_PROP
@@ -178,21 +203,12 @@ class UserAccountControlTests(samba.tests.TestCase):
# Now reconnect without domain admin rights
self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
- def tearDown(self):
- super(UserAccountControlTests, self).tearDown()
- for computername in self.computernames:
- delete_force(self.admin_samdb, "CN=%s,OU=test_computer_ou1,%s" % (computername, self.base_dn))
- delete_force(self.admin_samdb, "CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
- delete_force(self.admin_samdb, "OU=test_computer_ou1,%s" % (self.base_dn))
- delete_force(self.admin_samdb, "CN=%s,CN=Users,%s" % (self.unpriv_user, self.base_dn))
-
def test_add_computer_sd_cc(self):
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)
-
- self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)
+ old_sd = self.sd_utils.read_sd_on_dn(self.OU)
+ self.sd_utils.dacl_add_ace(self.OU, mod)
computername = self.computernames[0]
sd = ldb.MessageElement((ndr_pack(self.sd_reference_modify)),
@@ -275,9 +291,9 @@ class UserAccountControlTests(samba.tests.TestCase):
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)
+ old_sd = self.sd_utils.read_sd_on_dn(self.OU)
- self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace(self.OU, mod)
computername = self.computernames[0]
self.add_computer_ldap(computername)
@@ -387,13 +403,13 @@ class UserAccountControlTests(samba.tests.TestCase):
self.assertEqual(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE)
- def test_uac_bits_set(self):
+ def _test_uac_bits_set_with_args(self, bit, bit_str):
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)
+ old_sd = self.sd_utils.read_sd_on_dn(self.OU)
- self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace(self.OU, mod)
computername = self.computernames[0]
self.add_computer_ldap(computername)
@@ -421,33 +437,35 @@ class UserAccountControlTests(samba.tests.TestCase):
invalid_bits = set([UF_TEMP_DUPLICATE_ACCOUNT, UF_PARTIAL_SECRETS_ACCOUNT])
- for bit in bits:
- m = ldb.Message()
- m.dn = res[0].dn
- m["userAccountControl"] = ldb.MessageElement(str(bit | UF_PASSWD_NOTREQD),
- ldb.FLAG_MOD_REPLACE, "userAccountControl")
- try:
- self.samdb.modify(m)
- if (bit in priv_bits):
- self.fail("Unexpectedly able to set userAccountControl bit 0x%08X on %s" % (bit, m.dn))
- except LdbError as e:
- (enum, estr) = e.args
- if bit in invalid_bits:
- self.assertEqual(enum, ldb.ERR_OTHER, "was not able to set 0x%08X on %s" % (bit, m.dn))
- # No point going on, try the next bit
- continue
- elif (bit in priv_bits):
- self.assertEqual(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, enum)
- else:
- self.fail("Unable to set userAccountControl bit 0x%08X on %s: %s" % (bit, m.dn, estr))
+ m = ldb.Message()
+ m.dn = res[0].dn
+ m["userAccountControl"] = ldb.MessageElement(str(bit | UF_PASSWD_NOTREQD),
+ ldb.FLAG_MOD_REPLACE, "userAccountControl")
+ try:
+ self.samdb.modify(m)
+ if (bit in priv_bits):
+ self.fail("Unexpectedly able to set userAccountControl bit 0x%08X (%s), on %s"
+ % (bit, bit_str, m.dn))
+ except LdbError as e:
+ (enum, estr) = e.args
+ if bit in invalid_bits:
+ self.assertEqual(enum,
+ ldb.ERR_OTHER,
+ "was not able to set 0x%08X (%s) on %s"
+ % (bit, bit_str, m.dn))
+ elif (bit in priv_bits):
+ self.assertEqual(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, enum)
+ else:
+ self.fail("Unable to set userAccountControl bit 0x%08X (%s) on %s: %s"
+ % (bit, bit_str, m.dn, estr))
- def uac_bits_unrelated_modify_helper(self, account_type):
+ def _test_uac_bits_unrelated_modify_with_args(self, account_type):
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)
+ old_sd = self.sd_utils.read_sd_on_dn(self.OU)
- self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace(self.OU, mod)
computername = self.computernames[0]
self.add_computer_ldap(computername, others={"userAccountControl": [str(account_type)]})
@@ -608,21 +626,15 @@ class UserAccountControlTests(samba.tests.TestCase):
UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD,
"bit 0X%08x should have been removed" % bit)
- def test_uac_bits_unrelated_modify_normal(self):
- self.uac_bits_unrelated_modify_helper(UF_NORMAL_ACCOUNT)
-
- def test_uac_bits_unrelated_modify_workstation(self):
- self.uac_bits_unrelated_modify_helper(UF_WORKSTATION_TRUST_ACCOUNT)
-
- def test_uac_bits_add(self):
+ def _test_uac_bits_add_with_args(self, bit, bit_str):
computername = self.computernames[0]
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)
+ old_sd = self.sd_utils.read_sd_on_dn(self.OU)
- self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace(self.OU, mod)
invalid_bits = set([UF_TEMP_DUPLICATE_ACCOUNT, UF_PARTIAL_SECRETS_ACCOUNT])
# These bits are privileged, but authenticated users have that CAR by default, so this is a pain to test
@@ -633,24 +645,30 @@ class UserAccountControlTests(samba.tests.TestCase):
priv_bits = set([UF_INTERDOMAIN_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
UF_TRUSTED_FOR_DELEGATION, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION])
- for bit in bits:
- try:
- self.add_computer_ldap(computername, others={"userAccountControl": [str(bit)]})
- delete_force(self.admin_samdb, "CN=%s,OU=test_computer_ou1,%s" % (computername, self.base_dn))
- if bit in priv_bits:
- self.fail("Unexpectdly able to set userAccountControl bit 0x%08X on %s" % (bit, computername))
-
- except LdbError as e4:
- (enum, estr) = e4.args
- if bit in invalid_bits:
- self.assertEqual(enum, ldb.ERR_OTHER, "Invalid bit 0x%08X was able to be set on %s" % (bit, computername))
- # No point going on, try the next bit
- continue
--
Samba Shared Repository
More information about the samba-cvs
mailing list