[SCM] Samba Shared Repository - branch master updated
Joseph Sutton
jsutton at samba.org
Fri Mar 18 00:12:01 UTC 2022
The branch, master has been updated
via c91af5f1a8b tests/krb5: Simplify logic
via a9025b68b24 tests/krb5: Improve mock RODC creation
via e729606631b selftest: Simplify krb5 test environments
via 80b22a7869f python: Restore SDDL abbreviations for SIDs
via 1137ebc654e sddl: Remove SDDL SID strings unsupported by Windows
via 732d17a129a sddl: Add new SDDL SID strings
via e61fa573fe1 sddl: Fix incorrect SDDL SID strings
via 9b913fcb0f4 s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation
via d55b717fd62 python: Use explicit SIDs instead of SDDL abbreviations
via c26ee3ba966 python:tests: Add tests for SDDL SID strings
from ef1dbcdc6cb torture: Allow Samba as an AD DC to use zeros for LM key
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit c91af5f1a8b666cdd305165937bf28c551b88134
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Mar 7 17:07:48 2022 +1300
tests/krb5: Simplify logic
This code can be made part of the previous 'else' branch.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Joseph Sutton <jsutton at samba.org>
Autobuild-Date(master): Fri Mar 18 00:11:25 UTC 2022 on sn-devel-184
commit a9025b68b24956bf543ef85c96a7a8fe91784630
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Mar 7 17:01:40 2022 +1300
tests/krb5: Improve mock RODC creation
Use a unique name for the mock RODC. Don't assign to _rodc_ctx until the
RODC has been created, so we don't try to use a mock RODC that failed to
create.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e729606631b5bfaf7c4ad8c1e70697adf8274777
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Mar 4 16:57:27 2022 +1300
selftest: Simplify krb5 test environments
It's not necessary to repeat the required environment variables for
every test.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 80b22a7869f4ec8320a634810a10d3f058526aa7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Mar 15 10:20:59 2022 +1300
python: Restore SDDL abbreviations for SIDs
This time we use the correct values.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1137ebc654e4dfd91601abd20262024063a495c8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Mar 14 18:18:39 2022 +1300
sddl: Remove SDDL SID strings unsupported by Windows
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 732d17a129ab0f48d0025f5992af38d442b1fc6a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Mar 14 18:18:09 2022 +1300
sddl: Add new SDDL SID strings
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit e61fa573fe1a911460cfb3b64ba05b031d124256
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Mar 14 18:14:15 2022 +1300
sddl: Fix incorrect SDDL SID strings
Change the values to match those used by Windows.
Verified with PowerShell commands of the form:
New-Object Security.Principal.SecurityIdentifier ER
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9b913fcb0f4e69b9fd7db1c974d7534ef356a318
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Mar 14 19:40:45 2022 +1300
s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation
This is to prepare for the SDDL string being removed.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d55b717fd62a17b424400af0de2bac41c3ae80f5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Mar 14 19:40:16 2022 +1300
python: Use explicit SIDs instead of SDDL abbreviations
This is to prepare for changing the SDDL string values.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c26ee3ba9662d03f0c32ee518d7a0a69d3bc8401
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Mar 15 19:24:38 2022 +1300
python:tests: Add tests for SDDL SID strings
We get the server to decode the SDDL by putting the SID strings in the
defaultSecurityDescriptor of a new class and making an object of that
class. We then check that the resulting SID is what we expect.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
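The test described in this commit message has the server decode each abbreviation through defaultSecurityDescriptor. As an added, stand-alone illustration of the same table (not part of this change or of Samba's own code), the following Python resolver applies the corrected abbreviation rows to an SDDL string and flags the codes this series removed or redefined, which is the check a deployment carrying hand-written descriptors would want to run before upgrading. Only a subset of the table is included, with the values listed later in this changeset; the DA and RO RIDs (512 and 498) are not visible in the truncated diff and are the well-known values from MS-DTYP. The sample descriptor and domain SID are constructed.

```python
import re

# Subset of the absolute (not domain-relative) abbreviations from the corrected
# sddl.c table; the SID values are the ones listed in sid_strings.py.
ABSOLUTE_SIDS = {
    "AU": "S-1-5-11", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
    "CO": "S-1-3-0", "CG": "S-1-3-1", "ED": "S-1-5-9", "ER": "S-1-5-32-573",
    "IS": "S-1-5-32-568", "IU": "S-1-5-4", "LS": "S-1-5-19", "NS": "S-1-5-20",
    "WR": "S-1-5-33", "AC": "S-1-15-2-1", "UD": "S-1-5-84-0-0-0-0-0",
    "LW": "S-1-16-4096", "ME": "S-1-16-8192", "MP": "S-1-16-8448",
    "HI": "S-1-16-12288", "AS": "S-1-18-1",
}

# Domain-relative abbreviations (the '.sid = NULL, .rid = ...' rows): the RID
# is appended to the domain SID handed to the resolver.  DA (512) and RO (498)
# are not spelled out in the truncated changeset; both are the well-known
# RIDs from MS-DTYP.
DOMAIN_RIDS = {
    "RO": 498, "LA": 500, "LG": 501, "DA": 512, "DU": 513, "DG": 514,
    "DC": 515, "DD": 516, "CA": 517, "EA": 519, "CN": 522, "AP": 525,
    "KA": 526, "EK": 527, "RS": 553,
}

# Codes the series removed because Windows does not define them ...
REMOVED_CODES = {
    "LK": "DOMAIN_RID_KRBTGT",
    "IF": "SID_BUILTIN_INCOMING_FOREST_TRUST (now written literally as S-1-5-32-557)",
    "BR": "SID_BUILTIN_RAS_SERVERS",
}
# ... and codes whose meaning changed between the old and the corrected table.
CHANGED_CODES = {
    "ER": "old table: DOMAIN_RID_ENTERPRISE_READONLY_DCS; now S-1-5-32-573 (SID_BUILTIN_EVENT_LOG_READERS)",
    "RO": "old table: DOMAIN_RID_READONLY_DCS (521); now DOMAIN_RID_ENTERPRISE_READONLY_DCS",
    "IS": "old table: SID_NT_IUSR; now S-1-5-32-568 (SID_BUILTIN_IUSERS)",
}

# 'O:', 'G:', 'D:' and 'S:' components; each body runs until the next component.
COMPONENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def resolve_trustee(token, domain_sid):
    """Turn an SDDL trustee (literal SID or two-letter code) into a SID string."""
    if token.startswith("S-"):
        return token
    if token in ABSOLUTE_SIDS:
        return ABSOLUTE_SIDS[token]
    if token in DOMAIN_RIDS:
        return f"{domain_sid}-{DOMAIN_RIDS[token]}"
    # The server rejects unknown codes (ERR_UNWILLING_TO_PERFORM in the test).
    raise ValueError(f"unknown SDDL SID abbreviation {token!r}")


def trustees_in(sddl):
    """Yield (component, trustee token) for the owner, group and every ACE."""
    for component, body in COMPONENT_RE.findall(sddl):
        if component in ("O", "G"):
            yield component, body
            continue
        for ace in ACE_RE.findall(body):
            fields = ace.split(";")
            if len(fields) >= 6:  # type;flags;rights;object;inherit;sid[;cond]
                yield component, fields[5]


def audit_sddl(sddl, domain_sid):
    """Resolve every trustee and flag codes removed or redefined by this series."""
    resolved = []
    warnings = []
    for component, token in trustees_in(sddl):
        if token in REMOVED_CODES:
            warnings.append(f"{token} ({component}): removed, was {REMOVED_CODES[token]}")
            resolved.append((component, token, None))
            continue
        if token in CHANGED_CODES:
            warnings.append(f"{token} ({component}): {CHANGED_CODES[token]}")
        resolved.append((component, token, resolve_trustee(token, domain_sid)))
    return resolved, warnings


# Constructed sample: a descriptor in the style of get_domain_descriptor(),
# one trustee written as a literal SID, and a made-up domain SID.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)"
    "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)"
    "S:(AU;SA;CR;;;BA)"
)
# A constructed descriptor written against the old table, which an audit flags.
LEGACY_SDDL = "O:LKD:(A;;RPLCLORC;;;ER)"

if __name__ == "__main__":
    for label, sddl in (("current", SAMPLE_SDDL), ("legacy", LEGACY_SDDL)):
        resolved, warnings = audit_sddl(sddl, SAMPLE_DOMAIN_SID)
        print(label)
        for component, token, sid in resolved:
            print(f"  {component}: {token:<14} -> {sid}")
        for warning in warnings:
            print("  WARNING:", warning)
```

Raising ValueError for an unknown code mirrors the server behaviour the new test relies on (an add with an undefined code fails with ERR_UNWILLING_TO_PERFORM), while removed codes are reported rather than raised so a whole descriptor can be audited in one pass.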
-----------------------------------------------------------------------
Summary of changes:
libcli/security/sddl.c | 43 +++++-
librpc/idl/security.idl | 30 ++++
python/samba/descriptor.py | 16 +-
python/samba/schema.py | 6 +-
python/samba/tests/krb5/kdc_base_test.py | 20 +--
python/samba/tests/krb5/raw_testcase.py | 10 +-
python/samba/tests/sid_strings.py | 235 ++++++++++++++++++++++++++++++
selftest/knownfail.d/sid-strings | 3 +
source4/rpc_server/lsa/lsa_init.c | 2 +-
source4/selftest/tests.py | 241 +++++--------------------------
10 files changed, 373 insertions(+), 233 deletions(-)
create mode 100644 python/samba/tests/sid_strings.py
create mode 100644 selftest/knownfail.d/sid-strings
Changeset truncated at 500 lines:
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 26049ec458a..5bb65ddfd6b 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -92,6 +92,7 @@ static const struct {
{ .code = "CO", .sid = SID_CREATOR_OWNER },
{ .code = "CG", .sid = SID_CREATOR_GROUP },
+ { .code = "OW", .sid = SID_OWNER_RIGHTS },
{ .code = "NU", .sid = SID_NT_NETWORK },
{ .code = "IU", .sid = SID_NT_INTERACTIVE },
@@ -104,7 +105,7 @@ static const struct {
{ .code = "SY", .sid = SID_NT_SYSTEM },
{ .code = "LS", .sid = SID_NT_LOCAL_SERVICE },
{ .code = "NS", .sid = SID_NT_NETWORK_SERVICE },
- { .code = "IS", .sid = SID_NT_IUSR },
+ { .code = "WR", .sid = SID_SECURITY_RESTRICTED_CODE },
{ .code = "BA", .sid = SID_BUILTIN_ADMINISTRATORS },
{ .code = "BU", .sid = SID_BUILTIN_USERS },
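Review bot: dropping `IS` → SID_NT_IUSR here while the next hunk re-adds `IS` as SID_BUILTIN_IUSERS means an existing SDDL string containing `IS` decodes to a different SID before and after this change. That is the Windows meaning, so the table is right, but the series only rewrites `ER` and `IF` in descriptor.py and schema.py; please confirm (a grep for `;IS)`, `O:IS` and `G:IS` in the provisioning templates) that nothing in-tree relied on the old reading, and say so in the commit message of 1137ebc654e.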
@@ -115,17 +116,41 @@ static const struct {
{ .code = "PO", .sid = SID_BUILTIN_PRINT_OPERATORS },
{ .code = "BO", .sid = SID_BUILTIN_BACKUP_OPERATORS },
{ .code = "RE", .sid = SID_BUILTIN_REPLICATOR },
- { .code = "BR", .sid = SID_BUILTIN_RAS_SERVERS },
{ .code = "RU", .sid = SID_BUILTIN_PREW2K },
{ .code = "RD", .sid = SID_BUILTIN_REMOTE_DESKTOP_USERS },
{ .code = "NO", .sid = SID_BUILTIN_NETWORK_CONF_OPERATORS },
- { .code = "IF", .sid = SID_BUILTIN_INCOMING_FOREST_TRUST },
+
+ { .code = "MU", .sid = SID_BUILTIN_PERFMON_USERS },
+ { .code = "LU", .sid = SID_BUILTIN_PERFLOG_USERS },
+ { .code = "IS", .sid = SID_BUILTIN_IUSERS },
+ { .code = "CY", .sid = SID_BUILTIN_CRYPTO_OPERATORS },
+ { .code = "ER", .sid = SID_BUILTIN_EVENT_LOG_READERS },
+ { .code = "CD", .sid = SID_BUILTIN_CERT_SERV_DCOM_ACCESS },
+ { .code = "RA", .sid = SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS },
+ { .code = "ES", .sid = SID_BUILTIN_RDS_ENDPOINT_SERVERS },
+ { .code = "MS", .sid = SID_BUILTIN_RDS_MANAGEMENT_SERVERS },
+ { .code = "HA", .sid = SID_BUILTIN_HYPER_V_ADMINS },
+ { .code = "AA", .sid = SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS },
+ { .code = "RM", .sid = SID_BUILTIN_REMOTE_MANAGEMENT_USERS },
+
+ { .code = "UD", .sid = SID_USER_MODE_DRIVERS },
+
+ { .code = "AC", .sid = SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE },
+
+ { .code = "LW", .sid = SID_SECURITY_MANDATORY_LOW },
+ { .code = "ME", .sid = SID_SECURITY_MANDATORY_MEDIUM },
+ { .code = "MP", .sid = SID_SECURITY_MANDATORY_MEDIUM_PLUS },
+ { .code = "HI", .sid = SID_SECURITY_MANDATORY_HIGH },
+ { .code = "SI", .sid = SID_SECURITY_MANDATORY_SYSTEM },
+
+ { .code = "AS", .sid = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY },
+ { .code = "SS", .sid = SID_SERVICE_ASSERTED_IDENTITY },
+
+ { .code = "RO", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS },
{ .code = "LA", .sid = NULL, .rid = DOMAIN_RID_ADMINISTRATOR },
{ .code = "LG", .sid = NULL, .rid = DOMAIN_RID_GUEST },
- { .code = "LK", .sid = NULL, .rid = DOMAIN_RID_KRBTGT },
- { .code = "ER", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS },
{ .code = "DA", .sid = NULL, .rid = DOMAIN_RID_ADMINS },
{ .code = "DU", .sid = NULL, .rid = DOMAIN_RID_USERS },
{ .code = "DG", .sid = NULL, .rid = DOMAIN_RID_GUESTS },
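Review bot: `ER` and `RO` both keep their code but change meaning (`ER` moves from DOMAIN_RID_ENTERPRISE_READONLY_DCS to the Event Log Readers builtin, `RO` from DOMAIN_RID_READONLY_DCS to DOMAIN_RID_ENTERPRISE_READONLY_DCS), so a reader of the rows cannot tell that this was a deliberate correction; a comment above the array naming the source the values were checked against (the commit message says the Windows SecurityIdentifier constructor) would help. One question on `RO`: the enterprise read-only DC group lives in the forest root domain, yet every `.rid` row is combined with whatever domain SID the caller passes in. That is how `EA` and `SA` are already handled, so it is not a regression, but a comment noting the limitation next to the domain-relative group would save the next reader the same question.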
@@ -135,7 +160,13 @@ static const struct {
{ .code = "SA", .sid = NULL, .rid = DOMAIN_RID_SCHEMA_ADMINS },
{ .code = "EA", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_ADMINS },
{ .code = "PA", .sid = NULL, .rid = DOMAIN_RID_POLICY_ADMINS },
- { .code = "RO", .sid = NULL, .rid = DOMAIN_RID_READONLY_DCS },
+
+ { .code = "CN", .sid = NULL, .rid = DOMAIN_RID_CLONEABLE_CONTROLLERS },
+
+ { .code = "AP", .sid = NULL, .rid = DOMAIN_RID_PROTECTED_USERS },
+ { .code = "KA", .sid = NULL, .rid = DOMAIN_RID_KEY_ADMINS },
+ { .code = "EK", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_KEY_ADMINS },
+
{ .code = "RS", .sid = NULL, .rid = DOMAIN_RID_RAS_SERVERS }
};
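Review bot: the new rows are grouped by blank lines but the groups are unlabelled; a one-line comment per group (which Windows release introduced the group, or the section of the Windows SDDL SID-string list it comes from) would make the table's provenance clear, and a note that DOMAIN_RID_READONLY_DCS (521) keeps its IDL constant but intentionally no longer has an abbreviation would stop someone re-adding `RO` for it later.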
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 9845becd826..6b867595a28 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -274,9 +274,18 @@ interface security
const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560";
const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561";
const string SID_BUILTIN_DISTRIBUTED_COM_USERS = "S-1-5-32-562";
+ const string SID_BUILTIN_IUSERS = "S-1-5-32-568";
const string SID_BUILTIN_CRYPTO_OPERATORS = "S-1-5-32-569";
const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573";
const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574";
+ const string SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS = "S-1-5-32-575";
+ const string SID_BUILTIN_RDS_ENDPOINT_SERVERS = "S-1-5-32-576";
+ const string SID_BUILTIN_RDS_MANAGEMENT_SERVERS = "S-1-5-32-577";
+ const string SID_BUILTIN_HYPER_V_ADMINS = "S-1-5-32-578";
+ const string SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS = "S-1-5-32-579";
+ const string SID_BUILTIN_REMOTE_MANAGEMENT_USERS = "S-1-5-32-580";
+
+ const string SID_SECURITY_RESTRICTED_CODE = "S-1-5-33";
/* UID/GID mapping Samba style */
const string SID_SAMBA_UNIX_USER_OWNER = "S-1-22-1";
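Review bot: the name SID_SECURITY_RESTRICTED_CODE for S-1-5-33 is easy to confuse with the existing RESTRICTED_CODE SID (S-1-5-12, SDDL `RC`); Windows calls S-1-5-33 WRITE_RESTRICTED_CODE, which is also where the `WR` abbreviation added in sddl.c comes from. Naming the constant SID_SECURITY_WRITE_RESTRICTED_CODE, or at least adding a `/* WRITE_RESTRICTED_CODE, SDDL "WR" */` comment, would avoid the mix-up.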
@@ -295,6 +304,16 @@ interface security
const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
+ const string SID_USER_MODE_DRIVERS = "S-1-5-84-0-0-0-0-0";
+
+ const string SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = "S-1-15-2-1";
+
+ const string SID_SECURITY_MANDATORY_LOW = "S-1-16-4096";
+ const string SID_SECURITY_MANDATORY_MEDIUM = "S-1-16-8192";
+ const string SID_SECURITY_MANDATORY_MEDIUM_PLUS = "S-1-16-8448";
+ const string SID_SECURITY_MANDATORY_HIGH = "S-1-16-12288";
+ const string SID_SECURITY_MANDATORY_SYSTEM = "S-1-16-16384";
+
/*
* http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
*/
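Review bot: the mandatory-label values are opaque in decimal; a comment giving the hex form beside each (0x1000, 0x2000, 0x2100, 0x3000, 0x4000), as the Windows headers do, lets a reader verify them at a glance. The S-1-5-84-0-0-0-0-0 user-mode-drivers SID also deserves a one-line comment, since the run of trailing zeros looks like a typo to anyone who has not met it before.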
@@ -320,6 +339,10 @@ interface security
const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
const int DOMAIN_RID_POLICY_ADMINS = 520;
const int DOMAIN_RID_READONLY_DCS = 521;
+ const int DOMAIN_RID_CLONEABLE_CONTROLLERS = 522;
+ const int DOMAIN_RID_PROTECTED_USERS = 525;
+ const int DOMAIN_RID_KEY_ADMINS = 526;
+ const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS = 527;
const int DOMAIN_RID_RAS_SERVERS = 553;
const int DOMAIN_RID_RODC_ALLOW = 571;
const int DOMAIN_RID_RODC_DENY = 572;
@@ -344,9 +367,16 @@ interface security
const int BUILTIN_RID_AUTH_ACCESS = 560;
const int BUILTIN_RID_TS_LICENSE_SERVERS = 561;
const int BUILTIN_RID_DISTRIBUTED_COM_USERS = 562;
+ const int BUILTIN_RID_IUSERS = 568;
const int BUILTIN_RID_CRYPTO_OPERATORS = 569;
const int BUILTIN_RID_EVENT_LOG_READERS = 573;
const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS = 574;
+ const int BUILTIN_RID_RDS_REMOTE_ACCESS_SERVERS = 575;
+ const int BUILTIN_RID_RDS_ENDPOINT_SERVERS = 576;
+ const int BUILTIN_RID_RDS_MANAGEMENT_SERVERS = 577;
+ const int BUILTIN_RID_HYPER_V_ADMINS = 578;
+ const int BUILTIN_RID_ACCESS_CONTROL_ASSISTANCE_OPS = 579;
+ const int BUILTIN_RID_REMOTE_MANAGEMENT_USERS = 580;
/********************************************************************
This is a list of privileges reported by a WIndows 2008 R2 DC
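Review bot: every BUILTIN_RID_* added here duplicates a string constant added earlier in this file (BUILTIN_RID_IUSERS = 568 beside SID_BUILTIN_IUSERS = "S-1-5-32-568", and likewise for 575 to 580), and nothing ties the two lists together. A small test that parses each SID_BUILTIN_* string and compares its last sub-authority with the matching BUILTIN_RID_* constant would catch the next time one list is updated without the other.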
diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
index 09983481992..ac4c7e3273d 100644
--- a/python/samba/descriptor.py
+++ b/python/samba/descriptor.py
@@ -65,7 +65,7 @@ def get_config_descriptor(domain_sid, name_map={}):
"(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \
"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
"(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \
- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \
"S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)" \
"(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)"
return sddl2binary(sddl, domain_sid, name_map)
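Review bot: replacing `ER` with `RO` in the 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 ACE leaves the provisioned descriptor unchanged only because the new `RO` row in sddl.c resolves to the same DOMAIN_RID_ENTERPRISE_READONLY_DCS that the old `ER` row did; the same holds for the other `ER` → `RO` edits in this file and in schema.py. An assertion in a provisioning test (decode the descriptor and check the trustee RID of that ACE) would make the intent explicit and stop a future table edit from silently granting this control access right to Event Log Readers. Separately, the later hunks replace `IF` with the bare literal `S-1-5-32-557` in four descriptors; a module-level constant with a comment naming it (the Incoming Forest Trust Builders builtin the removed `IF` row pointed at) would keep those otherwise symbolic strings readable.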
@@ -92,7 +92,7 @@ def get_config_partitions_descriptor(domain_sid, name_map={}):
def get_config_sites_descriptor(domain_sid, name_map={}):
sddl = "D:" \
"(A;;RPLCLORC;;;AU)" \
- "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)" \
+ "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;RO)" \
"(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
"(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
"S:" \
@@ -147,7 +147,7 @@ def get_domain_descriptor(domain_sid, name_map={}):
"(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
"(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
"(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \
"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \
"(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \
"(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \
@@ -158,7 +158,7 @@ def get_domain_descriptor(domain_sid, name_map={}):
"(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
"(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
- "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \
+ "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)" \
"(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \
"(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \
"(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
@@ -211,7 +211,7 @@ def get_domain_builtin_descriptor(domain_sid, name_map={}):
"(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
"(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
"(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \
"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \
"(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \
"(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \
@@ -222,7 +222,7 @@ def get_domain_builtin_descriptor(domain_sid, name_map={}):
"(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
"(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
- "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \
+ "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)" \
"(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \
"(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \
"(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
@@ -335,7 +335,7 @@ def get_dns_partition_descriptor(domain_sid, name_map={}):
"(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
"(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
"(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \
"(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \
"(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \
"(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \
@@ -345,7 +345,7 @@ def get_dns_partition_descriptor(domain_sid, name_map={}):
"(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
"(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
- "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \
+ "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)" \
"(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \
"(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \
"(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
diff --git a/python/samba/schema.py b/python/samba/schema.py
index a3adc162fa3..54ed616a557 100644
--- a/python/samba/schema.py
+++ b/python/samba/schema.py
@@ -48,9 +48,9 @@ def get_schema_descriptor(domain_sid, name_map={}):
"(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \
"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
"(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \
- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ER)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \
+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \
+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;RO)" \
"S:(AU;SA;WPCCDCWOWDSDDTSW;;;WD)" \
"(AU;CISA;WP;;;WD)" \
"(AU;SA;CR;;;BA)" \
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 9c79411d487..4fa9384cba9 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -198,17 +198,19 @@ class KDCBaseTest(RawKerberosTest):
admin_creds = self.get_admin_creds()
lp = self.get_lp()
- rodc_name = 'KRB5RODC'
+ rodc_name = self.get_new_username()
site_name = 'Default-First-Site-Name'
- type(self)._rodc_ctx = DCJoinContext(server=self.dc_host,
- creds=admin_creds,
- lp=lp,
- site=site_name,
- netbios_name=rodc_name,
- targetdir=None,
- domain=None)
- self.create_rodc(self._rodc_ctx)
+ rodc_ctx = DCJoinContext(server=self.dc_host,
+ creds=admin_creds,
+ lp=lp,
+ site=site_name,
+ netbios_name=rodc_name,
+ targetdir=None,
+ domain=None)
+ self.create_rodc(rodc_ctx)
+
+ type(self)._rodc_ctx = rodc_ctx
return self._rodc_ctx
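Review bot: `self.get_new_username()` presumably produces a user-style name, but the result is passed as `netbios_name`, which is limited to 15 characters; please check that the generated names fit (or truncate them here), otherwise the join can fail or the name can be shortened and collide with another mock RODC. Assigning `type(self)._rodc_ctx` only after `create_rodc` succeeds is the right fix for the stale-context problem the commit message describes.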
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 69c52b25761..bb3b7280515 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2756,11 +2756,11 @@ class RawKerberosTest(TestCaseInTempDir):
expect_pac_attrs_pac_request = kdc_exchange_dict[
'pac_request']
- if expect_pac_attrs is None:
- if self.expect_extra_pac_buffers:
- expect_pac_attrs = expect_extra_pac_buffers
- else:
- require_strict.add(krb5pac.PAC_TYPE_ATTRIBUTES_INFO)
+ if expect_pac_attrs is None:
+ if self.expect_extra_pac_buffers:
+ expect_pac_attrs = expect_extra_pac_buffers
+ else:
+ require_strict.add(krb5pac.PAC_TYPE_ATTRIBUTES_INFO)
if expect_pac_attrs:
expected_types.append(krb5pac.PAC_TYPE_ATTRIBUTES_INFO)
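Review bot: moving the `if expect_pac_attrs is None:` block inside the preceding `else` changes behaviour unless the `if` branch it now skips always assigns `expect_pac_attrs` a non-None value; that branch is outside the hunk context, so please confirm it does (or state it in the commit message), since otherwise PAC_TYPE_ATTRIBUTES_INFO would no longer be added to `require_strict` on that path.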
diff --git a/python/samba/tests/sid_strings.py b/python/samba/tests/sid_strings.py
new file mode 100644
index 00000000000..ece35c12bfc
--- /dev/null
+++ b/python/samba/tests/sid_strings.py
@@ -0,0 +1,235 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) Catalyst.NET Ltd 2022
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import random
+import string
+import sys
+import time
+
+import ldb
+
+from samba import param
+
+from samba.auth import system_session
+from samba.credentials import Credentials
+from samba.dcerpc import security
+from samba.ndr import ndr_unpack
+from samba.samdb import SamDB
+from samba.tests import (
+ DynamicTestCase,
+ TestCase,
+ delete_force,
+ env_get_var_value,
+)
+
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
+
+
+ at DynamicTestCase
+class SidStringTests(TestCase):
+ @classmethod
+ def setUpDynamicTestCases(cls):
+ if env_get_var_value('CHECK_ALL_COMBINATIONS',
+ allow_missing=True):
+ for x in string.ascii_uppercase:
+ for y in string.ascii_uppercase:
+ code = x + y
+ if code not in cls.cases:
+ cls.cases[code] = None
+
+ for code, expected_sid in cls.cases.items():
+ name = code
+
+ cls.generate_dynamic_test('test_sid_string', name,
+ code, expected_sid)
+
+ @classmethod
+ def setUpClass(cls):
+ super().setUpClass()
+
+ server = os.environ['DC_SERVER']
+ host = f'ldap://{server}'
+
+ lp = param.LoadParm()
+ lp.load(os.environ['SMB_CONF_PATH'])
+
+ creds = Credentials()
+ creds.guess(lp)
+ creds.set_username(env_get_var_value('DC_USERNAME'))
+ creds.set_password(env_get_var_value('DC_PASSWORD'))
+
+ cls.ldb = SamDB(host, credentials=creds,
+ session_info=system_session(lp), lp=lp)
+ cls.base_dn = cls.ldb.domain_dn()
+ cls.schema_dn = cls.ldb.get_schema_basedn().get_linearized()
+
+ def _test_sid_string_with_args(self, code, expected_sid):
+ random_suffix = random.randint(0, 100000)
+ timestamp = time.strftime('%s', time.gmtime())
+
+ class_name = f'my-Sid-String-Class{timestamp}{random_suffix}'
+ class_ldap_display_name = class_name.replace('-', '')
+
+ class_dn = f'CN={class_name},{self.schema_dn}'
+
+ ldif = f'''
+dn: {class_dn}
+objectClass: classSchema
+cn: {class_name}
+governsId: 1.3.6.1.4.1.7165.4.6.2.6.3.{random_suffix}
+subClassOf: top
+possSuperiors: domainDNS
+defaultSecurityDescriptor: O:{code}
+'''
+ try:
+ self.ldb.add_ldif(ldif)
+ except ldb.LdbError as err:
+ num, _ = err.args
+ self.assertEqual(num, ldb.ERR_UNWILLING_TO_PERFORM)
+ self.assertIsNone(expected_sid)
+ return
+
+ # Search for created objectclass
+ res = self.ldb.search(class_dn, scope=ldb.SCOPE_BASE,
+ attrs=['defaultSecurityDescriptor'])
+ self.assertEqual(1, len(res))
+ self.assertEqual(res[0].get('defaultSecurityDescriptor', idx=0),
+ f'O:{code}'.encode('utf-8'))
+
+ ldif = '''
+dn:
+changetype: modify
+add: schemaUpdateNow
+schemaUpdateNow: 1
+'''
+ self.ldb.modify_ldif(ldif)
+
+ object_name = f'sddl_{timestamp}_{random_suffix}'
+ object_dn = f'CN={object_name},{self.base_dn}'
+
+ ldif = f'''
+dn: {object_dn}
+objectClass: {class_ldap_display_name}
+cn: {object_name}
+'''
+ self.ldb.add_ldif(ldif)
+
+ # Search for created object
+ res = self.ldb.search(object_dn, scope=ldb.SCOPE_BASE,
+ attrs=['nTSecurityDescriptor'])
+ self.assertEqual(1, len(res))
+
+ # Delete the object
+ delete_force(self.ldb, object_dn)
+
+ data = res[0].get('nTSecurityDescriptor', idx=0)
+ descriptor = ndr_unpack(security.descriptor, data)
+
+ domain_sid = self.ldb.get_domain_sid()
+
+ if expected_sid is None:
+ expected_sid = f'{domain_sid}-{security.DOMAIN_RID_ADMINS}'
+ else:
+ expected_sid = expected_sid.format(domain_sid=domain_sid)
+
+ owner_sid = str(descriptor.owner_sid)
+
+ self.assertEqual(expected_sid, owner_sid)
+
+ cases = {
+ 'AA': 'S-1-5-32-579',
+ 'AC': 'S-1-15-2-1',
+ 'AN': 'S-1-5-7',
+ 'AO': 'S-1-5-32-548',
+ 'AP': '{domain_sid}-525',
+ 'AS': 'S-1-18-1',
+ 'AU': 'S-1-5-11',
+ 'BA': 'S-1-5-32-544',
+ 'BG': 'S-1-5-32-546',
+ 'BO': 'S-1-5-32-551',
+ 'BU': 'S-1-5-32-545',
+ 'CA': '{domain_sid}-517',
+ 'CD': 'S-1-5-32-574',
+ 'CG': 'S-1-3-1',
+ 'CN': '{domain_sid}-522',
+ 'CO': 'S-1-3-0',
+ 'CY': 'S-1-5-32-569',
+ 'DC': '{domain_sid}-515',
+ 'DD': '{domain_sid}-516',
+ 'DG': '{domain_sid}-514',
+ 'DU': '{domain_sid}-513',
+ 'EA': '{domain_sid}-519',
+ 'ED': 'S-1-5-9',
+ 'EK': '{domain_sid}-527',
+ 'ER': 'S-1-5-32-573',
+ 'ES': 'S-1-5-32-576',
+ 'HA': 'S-1-5-32-578',
+ 'HI': 'S-1-16-12288',
+ 'IS': 'S-1-5-32-568',
+ 'IU': 'S-1-5-4',
+ 'KA': '{domain_sid}-526',
+ 'LA': '{domain_sid}-500',
+ 'LG': '{domain_sid}-501',
+ 'LS': 'S-1-5-19',
+ 'LU': 'S-1-5-32-559',
+ 'LW': 'S-1-16-4096',
+ 'ME': 'S-1-16-8192',
+ 'MP': 'S-1-16-8448',
+ 'MS': 'S-1-5-32-577',
+ 'MU': 'S-1-5-32-558',
+ 'NO': 'S-1-5-32-556',
+ 'NS': 'S-1-5-20',
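Review bot: in `_test_sid_string_with_args`, the success path turns an `expected_sid` of None into the Domain Admins SID, so a code that Windows does not define but that Samba happens to accept is reported as a pass as long as the server falls back to its default owner; if that fallback is what the CHECK_ALL_COMBINATIONS sweep intends, a comment should say so, and if not, the test should fail on the success path whenever `expected_sid` is None. Two smaller points: `time.strftime('%s', time.gmtime())` relies on a glibc extension (`%s` is not in the C standard) and reinterprets the gmtime tuple as local time, so `int(time.time())` is simpler and portable; and the schema class created by each case is left behind (schema objects cannot be deleted), which is worth a comment so nobody adds a `delete_force` for it.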
--
Samba Shared Repository