[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Mar 28 03:12:01 UTC 2022


The branch, master has been updated
       via  0bd4bc40f4a samba-tool: Check specified domain and realm against our own
       via  3dccf63e82b samba-tool: Return correct result for _get_user_realm_domain()
       via  52f9629408e samba-tool delegation: Clarify msDS-AllowedToDelegateTo delegation command documentation
       via  9a480f274b6 samba-tool delegation: Add commands to add/remove principals for RBCD
       via  572f90bdefc samba-tool delegation show: Display information for RBCD
       via  e4ea06ec242 samba-tool delegation: Add function to display security descriptor for RBCD
       via  bd1fd3de5cc s4:selftest: Remove ad_dc_ntvfs env from several tests
      from  67294a23b97 testprogs: A PKINIT PAC test which runs against Heimdal and MIT Kerberos

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0bd4bc40f4ad29446577d23e84e059e5bb1e5de5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Feb 24 11:05:57 2022 +1300

    samba-tool: Check specified domain and realm against our own
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Mon Mar 28 03:11:51 UTC 2022 on sn-devel-184

commit 3dccf63e82b38988828001a1d7f3a5a7b24a73de
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Feb 24 10:07:35 2022 +1300

    samba-tool: Return correct result for _get_user_realm_domain()
    
    We were returning the realm and the domain in the wrong order.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 52f9629408e7674f28a90d030c475178d644e192
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 14:58:47 2022 +1300

    samba-tool delegation: Clarify msDS-AllowedToDelegateTo delegation command documentation
    
    This makes the difference between msDS-AllowedToDelegateTo and
    msDS-AllowedToActOnBehalfOfOtherIdentity more clear.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9a480f274b62d8e491bcd54bfd189099729ff57a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 14:58:30 2022 +1300

    samba-tool delegation: Add commands to add/remove principals for RBCD
    
    These commands allow updating the
    msDS-AllowedToActOnBehalfOfOtherIdentity attribute with principals
    allowed to delegate to an account.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 572f90bdefcde13611fe50b7a5228fd6e3db2117
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 15:07:50 2022 +1300

    samba-tool delegation show: Display information for RBCD
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e4ea06ec242e6f26a5d997d0ba992bc0d2437cba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 14:56:45 2022 +1300

    samba-tool delegation: Add function to display security descriptor for RBCD
    
    We also check some features of the security descriptor, and display
    warnings if they are not as expected.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bd1fd3de5cc1ee83bb5164277de714a61b0fd544
Author: Andreas Schneider <asn at samba.org>
Date:   Sat Mar 26 08:42:21 2022 +0100

    s4:selftest: Remove ad_dc_ntvfs env from several tests
    
    It doesn't make sense to run tests against ad_dc and ad_dc_ntvfs in
    those cases.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/common.py     |  29 ++-
 python/samba/netcmd/delegation.py | 393 +++++++++++++++++++++++++++++++++++++-
 python/samba/netcmd/spn.py        |   4 +-
 source4/selftest/tests.py         |   6 +-
 4 files changed, 413 insertions(+), 19 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/common.py b/python/samba/netcmd/common.py
index bb17bfa10f2..4cdccd073ba 100644
--- a/python/samba/netcmd/common.py
+++ b/python/samba/netcmd/common.py
@@ -20,6 +20,7 @@
 import re
 from samba.dcerpc import nbt
 from samba.net import Net
+from samba.netcmd import CommandError
 import ldb
 
 
@@ -27,26 +28,44 @@ import ldb
 NEVER_TIMESTAMP = int(-0x8000000000000000)
 
 
-def _get_user_realm_domain(user):
+def _get_user_realm_domain(user, sam=None):
     r""" get the realm or the domain and the base user
         from user like:
         * username
         * DOMAIN\username
         * username at REALM
+
+         A SamDB object can also be passed in to check
+        our domain or realm against the obtained ones.
     """
     baseuser = user
-    realm = ""
-    domain = ""
     m = re.match(r"(\w+)\\(\w+$)", user)
     if m:
         domain = m.group(1)
         baseuser = m.group(2)
-        return (baseuser.lower(), domain.upper(), realm)
+
+        if sam is not None:
+            our_domain = sam.domain_netbios_name()
+            if domain.lower() != our_domain.lower():
+                raise CommandError(f"Given domain '{domain}' does not match "
+                                   f"our domain '{our_domain}'!")
+
+        return (baseuser.lower(), "", domain.upper())
+
+    realm = ""
     m = re.match(r"(\w+)@(\w+)", user)
     if m:
         baseuser = m.group(1)
         realm = m.group(2)
-    return (baseuser.lower(), domain, realm.upper())
+
+        if sam is not None:
+            our_realm = sam.domain_dns_name()
+            our_realm_initial = our_realm.split('.', 1)[0]
+            if realm.lower() != our_realm_initial.lower():
+                raise CommandError(f"Given realm '{realm}' does not match our "
+                                   f"realm '{our_realm}'!")
+
+    return (baseuser.lower(), realm.upper(), "")
 
 
 def netcmd_dnsname(lp):
diff --git a/python/samba/netcmd/delegation.py b/python/samba/netcmd/delegation.py
index 54ba71bdf41..35a91aca458 100644
--- a/python/samba/netcmd/delegation.py
+++ b/python/samba/netcmd/delegation.py
@@ -24,6 +24,8 @@ from samba import provision
 from samba import dsdb
 from samba.samdb import SamDB
 from samba.auth import system_session
+from samba.dcerpc import security
+from samba.ndr import ndr_pack, ndr_unpack
 from samba.netcmd.common import _get_user_realm_domain
 from samba.netcmd import (
     Command,
@@ -51,6 +53,89 @@ class cmd_delegation_show(Command):
 
     takes_args = ["accountname"]
 
+    def show_security_descriptor(self, sam, security_descriptor):
+        dacl = security_descriptor.dacl
+        desc_type = security_descriptor.type
+
+        warning_info = ('Security Descriptor of attribute '
+                        'msDS-AllowedToActOnBehalfOfOtherIdentity')
+
+        if dacl is None or not desc_type & security.SEC_DESC_DACL_PRESENT:
+            self.errf.write(f'Warning: DACL not present in {warning_info}!\n')
+            return
+
+        if not desc_type & security.SEC_DESC_SELF_RELATIVE:
+            self.errf.write(f'Warning: DACL in {warning_info} lacks '
+                            f'SELF_RELATIVE flag!\n')
+            return
+
+        first = True
+
+        for ace in dacl.aces:
+            trustee = ace.trustee
+
+            # Convert the trustee SID into a DN if we can.
+            try:
+                res = sam.search(f'<SID={trustee}>',
+                                 scope=ldb.SCOPE_BASE)
+            except ldb.LdbError as err:
+                num, _ = err.args
+                if num != ldb.ERR_NO_SUCH_OBJECT:
+                    raise
+            else:
+                if len(res) == 1:
+                    trustee = res[0].dn
+
+            ignore = False
+
+            if (ace.type == security.SEC_ACE_TYPE_ACCESS_DENIED
+                    or ace.type == security.SEC_ACE_TYPE_ACCESS_DENIED_OBJECT):
+                self.errf.write(f'Warning: ACE in {warning_info} denies '
+                                f'access for trustee {trustee}!\n')
+                # Ignore the ACE if it denies access
+                ignore = True
+            elif (ace.type != security.SEC_ACE_TYPE_ACCESS_ALLOWED
+                    and ace.type != security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT):
+                # Ignore the ACE if it doesn't explicitly allow access
+                ignore = True
+
+            inherit_only = ace.flags & security.SEC_ACE_FLAG_INHERIT_ONLY
+            object_inherit = ace.flags & security.SEC_ACE_FLAG_OBJECT_INHERIT
+            container_inherit = (
+                ace.flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT)
+            inherited_ace = ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE
+
+            if inherit_only and not object_inherit and not container_inherit:
+                # Ignore the ACE if it is propagated only to child objects, but
+                # neither of the object and container inherit flags are set.
+                ignore = True
+            else:
+                if container_inherit:
+                    self.errf.write(f'Warning: ACE for trustee {trustee} has '
+                                    f'unexpected CONTAINER_INHERIT flag set in '
+                                    f'{warning_info}!\n')
+                    ignore = True
+
+                if inherited_ace:
+                    self.errf.write(f'Warning: ACE for trustee {trustee} has '
+                                    f'unexpected INHERITED_ACE flag set in '
+                                    f'{warning_info}!\n')
+                    ignore = True
+
+            if not ace.access_mask:
+                # Ignore the ACE if it doesn't grant any permissions.
+                ignore = True
+
+            if not ignore:
+                if first:
+                    self.outf.write(f'  Principals that may delegate to this '
+                                    f'account:\n')
+                    first = False
+
+                self.outf.write(f'msDS-AllowedToActOnBehalfOfOtherIdentity: '
+                                f'{trustee}\n')
+
+
     def run(self, accountname, H=None, credopts=None, sambaopts=None, versionopts=None):
         lp = sambaopts.get_loadparm()
         creds = credopts.get_credentials(lp)
@@ -65,18 +150,21 @@ class cmd_delegation_show(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+                                                                 sam)
 
         res = sam.search(expression="sAMAccountName=%s" %
                          ldb.binary_encode(cleanedaccount),
                          scope=ldb.SCOPE_SUBTREE,
-                         attrs=["userAccountControl", "msDS-AllowedToDelegateTo"])
+                         attrs=["userAccountControl", "msDS-AllowedToDelegateTo",
+                                "msDS-AllowedToActOnBehalfOfOtherIdentity"])
         if len(res) == 0:
             raise CommandError("Unable to find account name '%s'" % accountname)
         assert(len(res) == 1)
 
         uac = int(res[0].get("userAccountControl")[0])
         allowed = res[0].get("msDS-AllowedToDelegateTo")
+        allowed_from = res[0].get("msDS-AllowedToActOnBehalfOfOtherIdentity", idx=0)
 
         self.outf.write("Account-DN: %s\n" % str(res[0].dn))
         self.outf.write("UF_TRUSTED_FOR_DELEGATION: %s\n"
@@ -84,9 +172,19 @@ class cmd_delegation_show(Command):
         self.outf.write("UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: %s\n" %
                         bool(uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION))
 
-        if allowed is not None:
+        if allowed:
+            self.outf.write("  Services this account may delegate to:\n")
             for a in allowed:
                 self.outf.write("msDS-AllowedToDelegateTo: %s\n" % a)
+        if allowed_from is not None:
+            try:
+                security_descriptor = ndr_unpack(security.descriptor, allowed_from)
+            except RuntimeError:
+                self.errf.write("Warning: Security Descriptor of attribute "
+                                "msDS-AllowedToActOnBehalfOfOtherIdentity "
+                                "could not be unmarshalled!\n")
+            else:
+                self.show_security_descriptor(sam, security_descriptor)
 
 
 class cmd_delegation_for_any_service(Command):
@@ -130,7 +228,8 @@ class cmd_delegation_for_any_service(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+                                                                 sam)
 
         search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
         flag = dsdb.UF_TRUSTED_FOR_DELEGATION
@@ -183,7 +282,8 @@ class cmd_delegation_for_any_protocol(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+                                                                 sam)
 
         search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
         flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
@@ -196,7 +296,7 @@ class cmd_delegation_for_any_protocol(Command):
 
 
 class cmd_delegation_add_service(Command):
-    """Add a service principal as msDS-AllowedToDelegateTo."""
+    """Add a service principal to msDS-AllowedToDelegateTo so that an account may delegate to it."""
 
     synopsis = "%prog <accountname> <principal> [options]"
 
@@ -228,7 +328,8 @@ class cmd_delegation_add_service(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+                                                                 sam)
 
         res = sam.search(expression="sAMAccountName=%s" %
                          ldb.binary_encode(cleanedaccount),
@@ -250,7 +351,7 @@ class cmd_delegation_add_service(Command):
 
 
 class cmd_delegation_del_service(Command):
-    """Delete a service principal as msDS-AllowedToDelegateTo."""
+    """Delete a service principal from msDS-AllowedToDelegateTo so that an account may no longer delegate to it."""
 
     synopsis = "%prog <accountname> <principal> [options]"
 
@@ -282,7 +383,8 @@ class cmd_delegation_del_service(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+                                                                 sam)
 
         res = sam.search(expression="sAMAccountName=%s" %
                          ldb.binary_encode(cleanedaccount),
@@ -303,6 +405,277 @@ class cmd_delegation_del_service(Command):
             raise CommandError(err)
 
 
+class cmd_delegation_add_principal(Command):
+    """Add a principal to msDS-AllowedToActOnBehalfOfOtherIdentity that may delegate to an account."""
+
+    synopsis = "%prog <accountname> <principal> [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "credopts": options.CredentialsOptions,
+        "versionopts": options.VersionOptions,
+    }
+
+    takes_options = [
+        Option("-H", "--URL", help="LDB URL for database or target server",
+               type=str, metavar="URL", dest="H"),
+    ]
+
+    takes_args = ["accountname", "principal"]
+
+    def run(self, accountname, principal, H=None, credopts=None, sambaopts=None,
+            versionopts=None):
+
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp)
+        paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
+        if H is None:
+            path = paths.samdb
+        else:
+            path = H
+
+        sam = SamDB(path, session_info=system_session(),
+                    credentials=creds, lp=lp)
+        # TODO once I understand how, use the domain info to naildown
+        # to the correct domain
+        cleanedaccount, _, _ = _get_user_realm_domain(accountname, sam)
+
+        account_res = sam.search(
+            expression="sAMAccountName=%s" %
+            ldb.binary_encode(cleanedaccount),
+            scope=ldb.SCOPE_SUBTREE,
+            attrs=["msDS-AllowedToActOnBehalfOfOtherIdentity"])
+        if len(account_res) == 0:
+            raise CommandError(f"Unable to find account name '{accountname}'")
+        assert(len(account_res) == 1)
+
+        data = account_res[0].get(
+            "msDS-AllowedToActOnBehalfOfOtherIdentity", idx=0)
+        if data is None:
+            # Create the security descriptor if it is not present.
+            owner_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
+
+            security_desc = security.descriptor()
+            security_desc.revision = security.SD_REVISION
+            security_desc.type = (security.SEC_DESC_DACL_PRESENT |
+                                  security.SEC_DESC_SELF_RELATIVE)
+            security_desc.owner_sid = owner_sid
+
+            dacl = None
+        else:
+            try:
+                security_desc = ndr_unpack(security.descriptor, data)
+            except RuntimeError:
+                raise CommandError(f"Security Descriptor of attribute "
+                                   f"msDS-AllowedToActOnBehalfOfOtherIdentity "
+                                   f"for account '{accountname}' could not be "
+                                   f"unmarshalled!")
+
+            dacl = security_desc.dacl
+
+        if dacl is None:
+            # Create the DACL if it is not present.
+            dacl = security.acl()
+            dacl.revision = security.SECURITY_ACL_REVISION_ADS
+            dacl.num_aces = 0
+
+        # TODO once I understand how, use the domain info to naildown
+        # to the correct domain
+        cleanedprinc, _, _ = _get_user_realm_domain(principal, sam)
+
+        princ_res = sam.search(expression="sAMAccountName=%s" %
+                               ldb.binary_encode(cleanedprinc),
+                               scope=ldb.SCOPE_SUBTREE,
+                               attrs=["objectSid"])
+        if len(princ_res) == 0:
+            raise CommandError(f"Unable to find principal name '{principal}'")
+        assert(len(princ_res) == 1)
+
+        princ_sid = security.dom_sid(
+            sam.schema_format_value(
+                "objectSID",
+                princ_res[0].get("objectSID", idx=0)).decode("utf-8"))
+
+        aces = dacl.aces
+
+        # Check that there is no existing ACE for this principal.
+        if any(ace.trustee == princ_sid for ace in aces):
+            raise CommandError(
+                f"ACE for principal '{principal}' already present in Security "
+                f"Descriptor of attribute "
+                f"msDS-AllowedToActOnBehalfOfOtherIdentity for account "
+                f"'{accountname}'.")
+
+        # Create the new ACE.
+        ace = security.ace()
+        ace.type = security.SEC_ACE_TYPE_ACCESS_ALLOWED
+        ace.flags = 0
+        ace.access_mask = security.SEC_ADS_GENERIC_ALL
+        ace.trustee = princ_sid
+
+        aces.append(ace)
+
+        dacl.aces = aces
+        dacl.num_aces += 1
+
+        security_desc.dacl = dacl
+
+        new_data = ndr_pack(security_desc)
+
+        # Set the new security descriptor. First, delete the original value to
+        # detect a race condition if someone else updates the attribute at the
+        # same time.
+        msg = ldb.Message()
+        msg.dn = account_res[0].dn
+        if data is not None:
+            msg["0"] = ldb.MessageElement(
+                data, ldb.FLAG_MOD_DELETE,
+                "msDS-AllowedToActOnBehalfOfOtherIdentity")
+        msg["1"] = ldb.MessageElement(
+            new_data, ldb.FLAG_MOD_ADD,
+            "msDS-AllowedToActOnBehalfOfOtherIdentity")
+        try:
+            sam.modify(msg)
+        except ldb.LdbError as err:
+            num, _ = err.args
+            if num == ldb.ERR_NO_SUCH_ATTRIBUTE:
+                raise CommandError(
+                    f"Refused to update attribute "
+                    f"msDS-AllowedToActOnBehalfOfOtherIdentity for account "
+                    f"'{accountname}': a conflicting attribute update "
+                    f"occurred simultaneously.")
+            else:
+                raise CommandError(err)
+
+
+class cmd_delegation_del_principal(Command):
+    """Delete a principal from msDS-AllowedToActOnBehalfOfOtherIdentity that may no longer delegate to an account."""
+
+    synopsis = "%prog <accountname> <principal> [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "credopts": options.CredentialsOptions,
+        "versionopts": options.VersionOptions,
+    }
+
+    takes_options = [
+        Option("-H", "--URL", help="LDB URL for database or target server",
+               type=str, metavar="URL", dest="H"),
+    ]
+
+    takes_args = ["accountname", "principal"]
+
+    def run(self, accountname, principal, H=None, credopts=None, sambaopts=None,
+            versionopts=None):
+
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp)
+        paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
+        if H is None:
+            path = paths.samdb
+        else:
+            path = H
+
+        sam = SamDB(path, session_info=system_session(),
+                    credentials=creds, lp=lp)
+        # TODO once I understand how, use the domain info to naildown
+        # to the correct domain
+        cleanedaccount, _, _ = _get_user_realm_domain(accountname, sam)
+
+        account_res = sam.search(
+            expression="sAMAccountName=%s" %
+            ldb.binary_encode(cleanedaccount),
+            scope=ldb.SCOPE_SUBTREE,
+            attrs=["msDS-AllowedToActOnBehalfOfOtherIdentity"])
+        if len(account_res) == 0:
+            raise CommandError("Unable to find account name '%s'" % accountname)
+        assert(len(account_res) == 1)
+
+        data = account_res[0].get(
+            "msDS-AllowedToActOnBehalfOfOtherIdentity", idx=0)
+        if data is None:
+            raise CommandError(f"Attribute "
+                               f"msDS-AllowedToActOnBehalfOfOtherIdentity for "
+                               f"account '{accountname}' not present!")
+
+        try:
+            security_desc = ndr_unpack(security.descriptor, data)
+        except RuntimeError:
+            raise CommandError(f"Security Descriptor of attribute "
+                               f"msDS-AllowedToActOnBehalfOfOtherIdentity for "
+                               f"account '{accountname}' could not be "
+                               f"unmarshalled!")
+
+        dacl = security_desc.dacl
+        if dacl is None:
+            raise CommandError(f"DACL not present on Security Descriptor of "
+                               f"attribute "
+                               f"msDS-AllowedToActOnBehalfOfOtherIdentity for "
+                               f"account '{accountname}'!")
+
+        # TODO once I understand how, use the domain info to naildown
+        # to the correct domain
+        cleanedprinc, _, _ = _get_user_realm_domain(principal, sam)
+
+        princ_res = sam.search(expression="sAMAccountName=%s" %
+                               ldb.binary_encode(cleanedprinc),
+                               scope=ldb.SCOPE_SUBTREE,
+                               attrs=["objectSid"])
+        if len(princ_res) == 0:
+            raise CommandError(f"Unable to find principal name '{principal}'")
+        assert(len(princ_res) == 1)
+
+        princ_sid = security.dom_sid(
+            sam.schema_format_value(
+                "objectSID",
+                princ_res[0].get("objectSID", idx=0)).decode("utf-8"))
+
+        old_aces = dacl.aces
+


-- 
Samba Shared Repository



More information about the samba-cvs mailing list