[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Mon Mar 20 20:21:01 UTC 2023
The branch, master has been updated
via 35380fa6a5b gpupdate: Use winbind separator in PAM Access Policies
via 893cfefa9ed gpupdate: Test that PAM Access uses winbind separator
from f3fad5a189f libcli/security: prepare sddl machine/forest_sid handling
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 35380fa6a5bcf84827a007332f83ac7f84ffacbb
Author: David Mulder <dmulder at samba.org>
Date: Thu Mar 16 15:31:33 2023 -0600
gpupdate: Use winbind separator in PAM Access Policies
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Mar 20 20:20:41 UTC 2023 on atb-devel-224
commit 893cfefa9ed6048fc45d0a5d2b48a4821e8ff3d1
Author: David Mulder <dmulder at samba.org>
Date: Thu Mar 16 15:39:47 2023 -0600
gpupdate: Test that PAM Access uses winbind separator
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/gp/vgp_access_ext.py | 18 ++++++++++++++----
python/samba/tests/gpo.py | 11 +++++++----
2 files changed, 21 insertions(+), 8 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/gp/vgp_access_ext.py b/python/samba/gp/vgp_access_ext.py
index c41bc678176..4748352d14a 100644
--- a/python/samba/gp/vgp_access_ext.py
+++ b/python/samba/gp/vgp_access_ext.py
@@ -82,6 +82,7 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
deny_conf = self.parse(path)
entries = []
policy_files = []
+ winbind_sep = self.lp.get('winbind separator')
if allow_conf:
policy = allow_conf.find('policysetting')
data = policy.find('data')
@@ -90,7 +91,9 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
adobject = listelement.find('adobject')
name = adobject.find('name').text
domain = adobject.find('domain').text
- entries.append('+:%s\\%s:ALL' % (domain, name))
+ entries.append('+:%s%s%s:ALL' % (domain,
+ winbind_sep,
+ name))
if len(allow_listelements) > 0:
log.info('Adding an implicit deny ALL because an allow'
' entry is present')
@@ -102,7 +105,9 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
adobject = listelement.find('adobject')
name = adobject.find('name').text
domain = adobject.find('domain').text
- entries.append('-:%s\\%s:ALL' % (domain, name))
+ entries.append('-:%s%s%s:ALL' % (domain,
+ winbind_sep,
+ name))
if len(allow_listelements) > 0:
log.warn("Deny entry '%s' is meaningless with "
"allow present" % entries[-1])
@@ -143,6 +148,7 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
path = os.path.join(gpo.file_sys_path, deny)
deny_conf = self.parse(path)
entries = []
+ winbind_sep = self.lp.get('winbind separator')
if allow_conf:
policy = allow_conf.find('policysetting')
data = policy.find('data')
@@ -153,7 +159,9 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
domain = adobject.find('domain').text
if str(self) not in output.keys():
output[str(self)] = []
- output[str(self)].append('+:%s\\%s:ALL' % (name, domain))
+ output[str(self)].append('+:%s%s%s:ALL' % (name,
+ winbind_sep,
+ domain))
if len(allow_listelements) > 0:
output[str(self)].append('-:ALL:ALL')
if deny_conf:
@@ -165,5 +173,7 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
domain = adobject.find('domain').text
if str(self) not in output.keys():
output[str(self)] = []
- output[str(self)].append('-:%s\\%s:ALL' % (name, domain))
+ output[str(self)].append('-:%s%s%s:ALL' % (name,
+ winbind_sep,
+ domain))
return output
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index b9ded20c828..8aea59eb61a 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -6415,6 +6415,9 @@ class GPOTests(tests.TestCase):
machine_creds.set_machine_account()
# Initialize the group policy extension
+ winbind_sep = self.lp.get('winbind separator')
+ self.addCleanup(self.lp.set, 'winbind separator', winbind_sep)
+ self.lp.set('winbind separator', '+')
ext = vgp_access_ext(self.lp, machine_creds,
machine_creds.get_username(), store)
@@ -6517,10 +6520,10 @@ class GPOTests(tests.TestCase):
# Check the access config for the correct access.conf entries
print('Config file %s found' % gp_cfg)
data = open(gp_cfg, 'r').read()
- self.assertIn('+:%s\\goodguy:ALL' % realm, data)
- self.assertIn('+:%s\\goodguys:ALL' % realm, data)
- self.assertIn('-:%s\\badguy:ALL' % realm, data)
- self.assertIn('-:%s\\badguys:ALL' % realm, data)
+ self.assertIn('+:%s+goodguy:ALL' % realm, data)
+ self.assertIn('+:%s+goodguys:ALL' % realm, data)
+ self.assertIn('-:%s+badguy:ALL' % realm, data)
+ self.assertIn('-:%s+badguys:ALL' % realm, data)
# Check that a call to gpupdate --rsop also succeeds
ret = rsop(self.lp)
--
Samba Shared Repository
More information about the samba-cvs
mailing list