[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Nov 15 05:01:02 UTC 2023
The branch, master has been updated
via b6661e77de2 netcmd: docs: update docs for silo member grant + revoke
via 88ea6b17e17 netcmd: tests: update silo member grant and revoke docstrings and comments
via 9708209d759 netcmd: tests: rename silo member tests to grant + revoke
via 2ee86e78cf6 netcmd: tests: rename add_silo_member and remove_silo_member methods in test
via d9552dc08db netcmd: silo member: update docstrings comments and print statements for grant + revoke
via becb0ecf35d netcmd: silo member: update command line options help text for grant + revoke
via fb2453d1a36 netcmd: silo member: rename add and remove commands to grant and revoke
via 047ddb10019 netcmd: silo member: update model docstrings and exception text
via abc3b508313 netcmd: silo member: rename model methods to grant and revoke
via 19613057d90 netcmd: silo member: rename exceptions to grant and revoke
via 422cc1d17d2 netcmd: models: fix incorrect return type should not be User
via 42be08c1928 netcmd: models: Model.query method makes use of Query class
via efedfab33e0 netcmd: models: add Query class to replace simple generator
via 172f55fb0e8 netcmd: docs: document samba-tool user auth silo and policy commands
via c9ba99a948d netcmd: tests: add tests for user auth policy and silo commands
via ca9a11c6e81 netcmd: tests: rename domain_auth_base.py to silo_base.py
via bcc77601f2f netcmd: tests: rename base class to be used by more tests
via 422680f82fd netcmd: add auth silo and policy sub-commands to samba-tool user
via 2f20fa9b90a netcmd: silo member: Make output consistent with user command
via 30992e865c5 netcmd: model: User model str method returns username not cn
via d4e84177ca4 netcmd: tests: make use of unique_name
via d3e18dbe43f netcmd: silo member uses consistent output with other commands
via 0eb727a54d4 netcmd: silo member add and remove should not set assigned_silo
via 9250508601f netcmd: silo member: make use of User.find function
via 921cc1df67e netcmd: model: add a find method to User model to avoid repeating code
via a75cbd85e0f netcmd: model: add missing assigned_policy field on User model
via 925ec0e6c8c netcmd: user: PEP8 E303 E305: fix too many or too little blank lines
via db08030c8f4 netcmd: user: PEP8 E225: missing whitespace around operator
via f1c6d4cb733 netcmd: user: PEP8 E221: fix multiple spaces before operator
via 6b0cb653639 netcmd: user: PEP8 E127: fix hanging indent not lining up
via 30cb66aec48 netcmd: user: PEP8 E502: backslash is redundant between brackets
via cae5456a294 netcmd: user: PEP8 E117: code is overindented
via d9c230ff80d python/samba/tests: Add smbcacl tests for save/restore
via 520e3ac06d5 docs-xml: Update manpages for new -T, --save & --restore options
via fa5725cdb01 s3/utils: Add support to smbcacls to restore dacls from file
via db88697df2b s3/utils: Add functionality to smbcacls to save dacl(s) to a restore file
via dd2133ba486 s3/utils: Add recursive option to smbcacls
via 1273f9a2a51 s3/utils: Add save and restore config switches (and help output)
via 8ead28b26b8 s3/utils: ensure sddl_encode/sddl_decode both use domain_sid
via 426ca4cf4b6 pytests: sid_strings: do not fail if epoch ending has zeros
from b649007a532 smbd: remove now unnecessary wrapper vfs_fget_dos_attributes()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b6661e77de2e8bb63385c42f1eee97f835a16775
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 10:21:02 2023 +1300
netcmd: docs: update docs for silo member grant + revoke
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Nov 15 05:00:58 UTC 2023 on atb-devel-224
commit 88ea6b17e17a129d3c4135f0fb42c739effa8f17
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 09:44:14 2023 +1300
netcmd: tests: update silo member grant and revoke docstrings and comments
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9708209d759c2bfd0e3845b5eb890c5abfd21ccc
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 09:42:33 2023 +1300
netcmd: tests: rename silo member tests to grant + revoke
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2ee86e78cf6119b0280e6777f1c97aa60ae9c4d2
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 09:35:13 2023 +1300
netcmd: tests: rename add_silo_member and remove_silo_member methods in test
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d9552dc08dbde2d6ed859f06e485103a666dd3f8
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 09:26:15 2023 +1300
netcmd: silo member: update docstrings comments and print statements for grant + revoke
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit becb0ecf35de196377509abe348f7dbacb310ff9
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 09:24:59 2023 +1300
netcmd: silo member: update command line options help text for grant + revoke
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fb2453d1a36b11a98045e31927b8267c77edab69
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 09:20:59 2023 +1300
netcmd: silo member: rename add and remove commands to grant and revoke
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 047ddb10019c893381d37b6bc0186814e4e07252
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 09:13:04 2023 +1300
netcmd: silo member: update model docstrings and exception text
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit abc3b50831307c22391d2a3abbfc70fad4ca1a1a
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 09:10:14 2023 +1300
netcmd: silo member: rename model methods to grant and revoke
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 19613057d90ca1fa680df85597491bec2a4a7d17
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 08:30:22 2023 +1300
netcmd: silo member: rename exceptions to grant and revoke
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 422cc1d17d28312d9ad9fe6cd6b8890f8b78533c
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu Nov 9 00:41:51 2023 +1300
netcmd: models: fix incorrect return type should not be User
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 42be08c1928e4aabcc302f22a797a85e87f869cc
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 14:06:10 2023 +1300
netcmd: models: Model.query method makes use of Query class
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit efedfab33e01c5a422f1ec9dc11bb071298d65b8
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 8 12:09:22 2023 +1300
netcmd: models: add Query class to replace simple generator
This allows other methods to be added on top of the Query class like .first() and .one()
Sometimes it's useful to raise an exception if 0 rows are returned, while other times it's best to return None.
Having a Query class makes it easy to add methods like .one() and .first() to take care of this requirement.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 172f55fb0e8840204e40a1811167ebd98a82d0c5
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Oct 31 16:59:31 2023 +1300
netcmd: docs: document samba-tool user auth silo and policy commands
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c9ba99a948d8d4a38f0ebe34d680b0c58d2946a0
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Oct 31 15:20:25 2023 +1300
netcmd: tests: add tests for user auth policy and silo commands
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ca9a11c6e8120e1daa8667ed30e6407e2690f160
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Oct 31 15:36:53 2023 +1300
netcmd: tests: rename domain_auth_base.py to silo_base.py
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bcc77601f2fb4d5b0bd512aa5fe66d00a230a0a7
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Oct 31 15:33:55 2023 +1300
netcmd: tests: rename base class to be used by more tests
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 422680f82fd0284cb747ea93fc9422c6bd721f68
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Oct 30 12:43:57 2023 +1300
netcmd: add auth silo and policy sub-commands to samba-tool user
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2f20fa9b90af637b7e5ca8c6227f74f710da170e
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Nov 7 18:45:30 2023 +1300
netcmd: silo member: Make output consistent with user command
* Use print with file=self.outf
* Show assigned or unassigned silo
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 30992e865c5abe61147ca7f4288ff9f13bd4dc11
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Nov 7 18:44:20 2023 +1300
netcmd: model: User model str method returns username not cn
If the cn is needed then user.cn can be used, this makes it nicer if using {user} in format strings.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d4e84177ca40ed995246db0b15e76a88704c671b
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Nov 7 18:06:22 2023 +1300
netcmd: tests: make use of unique_name
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d3e18dbe43fc2a86fd99d1f12bf5d1996b35a3cb
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Nov 7 17:49:18 2023 +1300
netcmd: silo member uses consistent output with other commands
This also includes always spelling out "authentication silo" or "authentication policy" in full, not just calling it "silo."
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0eb727a54d421ac634bee92b6ebaad304fcfe426
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Oct 31 12:27:56 2023 +1300
netcmd: silo member add and remove should not set assigned_silo
The Windows tools don't do this either
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9250508601f6c0923a9469f1e7200f87c754b29b
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 1 16:46:44 2023 +1300
netcmd: silo member: make use of User.find function
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 921cc1df67e6dd90ae471f24abf735429477299a
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 1 16:44:18 2023 +1300
netcmd: model: add a find method to User model to avoid repeating code
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a75cbd85e0ffea130857a86e909b4dd318619296
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Oct 31 11:31:10 2023 +1300
netcmd: model: add missing assigned_policy field on User model
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 925ec0e6c8cacef7a1f673d8d8786316c68aff12
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 1 11:55:01 2023 +1300
netcmd: user: PEP8 E303 E305: fix too many or too little blank lines
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit db08030c8f4ffe4c9489bd2ecd9f3ff3a330b429
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 1 11:43:39 2023 +1300
netcmd: user: PEP8 E225: missing whitespace around operator
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f1c6d4cb733d04f5e548d8d89a9e1f6c1541e328
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 1 11:42:14 2023 +1300
netcmd: user: PEP8 E221: fix multiple spaces before operator
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6b0cb65363946bbd2598bd55f5089085f2150661
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 1 11:39:54 2023 +1300
netcmd: user: PEP8 E127: fix hanging indent not lining up
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 30cb66aec48d5b8a92cb749f8fadc03e4cb6b066
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 1 11:58:26 2023 +1300
netcmd: user: PEP8 E502: backslash is redundant between brackets
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cae5456a294f478c9cdfdbd48e8b6ba1ef664294
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Nov 1 11:28:34 2023 +1300
netcmd: user: PEP8 E117: code is overindented
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d9c230ff80d2bdf6de10b271faa22a5ca5c7de21
Author: Noel Power <noel.power at suse.com>
Date: Fri Sep 2 11:48:08 2022 +0000
python/samba/tests: Add smbcacl tests for save/restore
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 520e3ac06d58a7b4a88fe09054765ced45cae255
Author: Noel Power <noel.power at suse.com>
Date: Tue Sep 27 16:28:28 2022 +0100
docs-xml: Update manpages for new -T, --save & --restore options
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fa5725cdb011fb57c97457a82be6be6bd7077f5a
Author: Noel Power <noel.power at suse.com>
Date: Tue Nov 14 09:12:01 2023 +0000
s3/utils: Add support to smbcacls to restore dacls from file
Allow smbcacls to restore dacls to a directory from a file created
with smbcacls '--save' or icacls /save
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit db88697df2be2db1284feecaf595362ebbef94cc
Author: Noel Power <noel.power at suse.com>
Date: Fri Aug 12 11:27:58 2022 +0100
s3/utils: Add functionality to smbcacls to save dacl(s) to a restore file
Add similar functionality to 'icacls name /save'
Save dacls for a file/directory to a restore/save file.
When saving dacls associated with a directory, using the 'recursive'
switch '-T' will recursively save the content of the directory.
Note: the save file produced by smbcacls and icacls are interchangeable
as smbcacls produces (and uses) the same file format.
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dd2133ba4862add1943e1a08469780695874f06c
Author: Noel Power <noel.power at suse.com>
Date: Wed Aug 17 15:39:19 2022 +0100
s3/utils: Add recursive option to smbcacls
Adds new switch (and associated help) note: nothing using it yet
Subsequent following commits will make use of this option with
'save' functionality
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1273f9a2a514310577759b906c9689d7fd15698b
Author: Noel Power <noel.power at suse.com>
Date: Thu Aug 11 15:26:01 2022 +0100
s3/utils: Add save and restore config switches (and help output)
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8ead28b26b8a83018448a81d52e5a8e7117b7673
Author: Noel Power <noel.power at suse.com>
Date: Fri Aug 26 14:17:07 2022 +0100
s3/utils: ensure sddl_encode/sddl_decode both use domain_sid
prior to this patch sddl_decode get_global_sam_sid was using
'get_global_sam_sid()' but the reciprocal call to sddl_encode uses
'get_domain_sid()' using the domain_sid (instead of local machine sid)
is 'correct'
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 426ca4cf4b667aae03f0344cee449e972de90ac7
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Nov 15 13:03:27 2023 +1300
pytests: sid_strings: do not fail if epoch ending has zeros
To avoid collisions in random OID strings, we started using the epoch
date modulus 100 million. The trouble is we did not strip out the
leading zeros, so the field might be '00000123' when it should be
'123', if the date happened not to correspond to an epoch with a zero
in the eighth to last place. This has been the case for most of the
last 1041 days, but fortunately the bug was only introduced earlier
this year.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15520
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Martin Schwenke <mschwenke at ddn.com>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/samba-tool.8.xml | 58 +-
docs-xml/manpages/smbcacls.1.xml | 26 +
python/samba/netcmd/domain/auth/silo_member.py | 73 +--
python/samba/netcmd/domain/models/auth_silo.py | 18 +-
python/samba/netcmd/domain/models/exceptions.py | 4 +-
python/samba/netcmd/domain/models/model.py | 32 +-
python/samba/netcmd/domain/models/query.py | 81 +++
python/samba/netcmd/domain/models/user.py | 20 +
python/samba/netcmd/user/__init__.py | 2 +
python/samba/netcmd/user/add.py | 22 +-
python/samba/netcmd/user/add_unix_attrs.py | 4 +-
.../samba/netcmd/{domain => user}/auth/__init__.py | 14 +-
python/samba/netcmd/user/auth/policy.py | 170 +++++
python/samba/netcmd/user/auth/silo.py | 189 ++++++
python/samba/netcmd/user/edit.py | 1 -
python/samba/netcmd/user/readpasswords/common.py | 72 +-
.../netcmd/user/readpasswords/syncpasswords.py | 8 +-
python/samba/netcmd/user/rename.py | 10 +-
.../samba/tests/blackbox/smbcacls_save_restore.py | 205 ++++++
.../samba/tests/samba_tool/domain_auth_policy.py | 4 +-
python/samba/tests/samba_tool/domain_auth_silo.py | 54 +-
.../{domain_auth_base.py => silo_base.py} | 4 +-
python/samba/tests/samba_tool/user_auth_policy.py | 86 +++
python/samba/tests/samba_tool/user_auth_silo.py | 84 +++
python/samba/tests/sid_strings.py | 2 +-
selftest/target/Samba3.pm | 3 +
source3/utils/smbcacls.c | 727 ++++++++++++++++++++-
source4/selftest/tests.py | 10 +
28 files changed, 1801 insertions(+), 182 deletions(-)
create mode 100644 python/samba/netcmd/domain/models/query.py
copy python/samba/netcmd/{domain => user}/auth/__init__.py (72%)
create mode 100644 python/samba/netcmd/user/auth/policy.py
create mode 100644 python/samba/netcmd/user/auth/silo.py
create mode 100644 python/samba/tests/blackbox/smbcacls_save_restore.py
rename python/samba/tests/samba_tool/{domain_auth_base.py => silo_base.py} (98%)
create mode 100644 python/samba/tests/samba_tool/user_auth_policy.py
create mode 100644 python/samba/tests/samba_tool/user_auth_silo.py
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 6dfe07ea813..9baa605fc16 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -1278,8 +1278,8 @@
</refsect3>
<refsect3>
- <title>domain auth silo member add</title>
- <para>Add a member to an authentication silo.</para>
+ <title>domain auth silo member grant</title>
+ <para>Grant a member access to an authentication silo.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
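Review bot: The title in this hunk changes from "domain auth silo member add" to "domain auth silo member grant" with no mention of the previous name, so anyone whose scripts call "member add" gets no pointer from the manpage. Consider a sentence in the <para> noting that the command was previously called "add", and the same for "remove" and "revoke" further down.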
@@ -1296,7 +1296,7 @@
<varlistentry>
<term>--member</term>
<listitem><para>
- Member to add to the silo (DN or account name).
+ Member to grant access to the silo (DN or account name).
</para></listitem>
</varlistentry>
</variablelist>
@@ -1328,8 +1328,8 @@
</refsect3>
<refsect3>
- <title>domain auth silo member remove</title>
- <para>Remove a member from an authentication silo.</para>
+ <title>domain auth silo member revoke</title>
+ <para>Revoke a member from an authentication silo.</para>
<variablelist>
<varlistentry>
<term>-H, --URL</term>
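Review bot: The new <para> text "Revoke a member from an authentication silo." does not parallel the grant wording ("Grant a member access to an authentication silo.") and reads as if the member, rather than the access, is being revoked. Suggest "Revoke a member's access to an authentication silo." here, with the matching change to the --member description in the next hunk.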
@@ -1346,7 +1346,7 @@
<varlistentry>
<term>--member</term>
<listitem><para>
- Member to remove from the silo (DN or account name).
+ Member to revoke from the silo (DN or account name).
</para></listitem>
</varlistentry>
</variablelist>
@@ -2716,6 +2716,52 @@
(typically the PDC-emulator).</para>
</refsect3>
+<refsect3>
+ <title>user auth policy assign <replaceable>username</replaceable> [options]</title>
+ <para>Set assigned authentication policy for user.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--policy</term>
+ <listitem><para>
+ Name of authentication policy to assign or leave empty to remove.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>user auth policy remove <replaceable>username</replaceable></title>
+ <para>Remove assigned authentication policy from user.</para>
+</refsect3>
+
+<refsect3>
+ <title>user auth policy view <replaceable>username</replaceable></title>
+ <para>View the assigned authentication policy for user.</para>
+</refsect3>
+
+<refsect3>
+ <title>user auth silo assign <replaceable>username</replaceable> [options]</title>
+ <para>Set assigned authentication silo for user.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--silo</term>
+ <listitem><para>
+ Name of authentication silo to assign or leave empty to remove.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>user auth silo remove <replaceable>username</replaceable></title>
+ <para>Remove assigned authentication silo from user.</para>
+</refsect3>
+
+<refsect3>
+ <title>user auth silo view <replaceable>username</replaceable></title>
+ <para>View the assigned authentication silo for user.</para>
+</refsect3>
+
<refsect2>
<title>vampire [options] <replaceable>domain</replaceable></title>
<para>Join and synchronise a remote AD domain to the local server.
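Review bot: The new "user auth silo assign" and "user auth policy assign" sections do not say how assignment relates to "domain auth silo member grant", which after this series no longer sets the assigned silo. Add a sentence to "user auth silo assign" stating whether the user must also be granted access to the silo for it to take effect, and cross-reference the two commands. The --policy and --silo descriptions say "leave empty to remove" while separate "remove" sub-commands are documented just below; say which form is preferred, or drop one.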
diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml
index a99d2d192f6..8cd63fc6abb 100644
--- a/docs-xml/manpages/smbcacls.1.xml
+++ b/docs-xml/manpages/smbcacls.1.xml
@@ -29,7 +29,10 @@
<arg choice="opt">-C|--chown=USERNAME</arg>
<arg choice="opt">-G|--chgrp=GROUPNAME</arg>
<arg choice="opt">-I|--inherit=STRING</arg>
+ <arg choice="opt">--recurse</arg>
<arg choice="opt">--propagate-inheritance</arg>
+ <arg choice="opt">--save=savefile</arg>
+ <arg choice="opt">--restore=restorefile</arg>
<arg choice="opt">--numeric</arg>
<arg choice="opt">--sddl</arg>
<arg choice="opt">--query-security-info=INT</arg>
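Review bot: The synopsis adds "--recurse" in long form only, while the commit messages in this push describe the recursive switch as '-T' and the neighbouring entries use the "-C|--chown=USERNAME" short|long style. If -T is the short option, list it as "-T|--recurse" here and in the option description so the manpage matches the tool.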
@@ -171,6 +174,29 @@
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term>--save savefile</term>
+ <listitem><para> stores the DACLs in sddl format
+ of the specified file or folder for later use with restore.
+ SACLS, owner or integrity labels are not stored.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--restore savefile</term>
+ <listitem><para> applies the stored DACLS to files in
+ directory.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--recurse</term>
+ <listitem><para> indicates the operation is performed on
+ directory and all files/directories below. (only applies
+ to save option)
+ </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term>--numeric</term>
<listitem><para>This option displays all ACL information in numeric
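Review bot: The "--restore savefile" entry says the DACLs are applied "to files in directory" without saying which directory is meant or how the paths recorded in the save file are resolved against it; spell that out, since restore rewrites access control on every path it matches. The <term> lines use "--save savefile" where the synopsis has "--save=savefile", the text mixes "DACLs", "DACLS" and "SACLS", and the icacls-compatible file format described in the commit message is worth stating here as well.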
diff --git a/python/samba/netcmd/domain/auth/silo_member.py b/python/samba/netcmd/domain/auth/silo_member.py
index 294519255d0..9b414006e74 100644
--- a/python/samba/netcmd/domain/auth/silo_member.py
+++ b/python/samba/netcmd/domain/auth/silo_member.py
@@ -21,14 +21,13 @@
#
import samba.getopt as options
-from ldb import Dn
from samba.netcmd import Command, CommandError, Option, SuperCommand
from samba.netcmd.domain.models import AuthenticationSilo, User
from samba.netcmd.domain.models.exceptions import ModelError
-class cmd_domain_auth_silo_member_add(Command):
- """Add a member to an authentication silo."""
+class cmd_domain_auth_silo_member_grant(Command):
+ """Grant a member access to an authentication silo."""
synopsis = "%prog -H <URL> [options]"
@@ -43,7 +42,7 @@ class cmd_domain_auth_silo_member_add(Command):
help="Name of authentication silo (required).",
dest="name", action="store", type=str, required=True),
Option("--member",
- help="Member to add to the silo (DN or account name).",
+ help="Member to grant access to the silo (DN or account name).",
dest="member", action="store", type=str, required=True),
]
@@ -61,32 +60,29 @@ class cmd_domain_auth_silo_member_add(Command):
if silo is None:
raise CommandError(f"Authentication silo {name} not found.")
- # Try a Dn first, then sAMAccountName.
try:
- user_query = {"dn": Dn(ldb, member)}
- except ValueError:
- user_query = {"username": member}
-
- try:
- user = User.get(ldb, **user_query)
+ user = User.find(ldb, member)
except ModelError as e:
raise CommandError(e)
# Ensure the user actually exists first.
if user is None:
- raise CommandError(f"User '{member}' not found.")
-
- # Set the assigned silo.
- user.assigned_silo = silo.dn
+ raise CommandError(f"User {member} not found.")
- # Add member and save user.
+ # Grant access to member.
try:
- silo.add_member(ldb, user)
- user.save(ldb)
+ silo.grant(ldb, user)
except ModelError as e:
raise CommandError(e)
- self.outf.write(f"User '{user.name}' added to the {name} silo.\n")
+ # Display silo assigned status.
+ if user.assigned_silo and user.assigned_silo == silo.dn:
+ status = "assigned"
+ else:
+ status = "unassigned"
+
+ print(f"User {user} granted access to the authentication silo {name} ({status}).",
+ file=self.outf)
class cmd_domain_auth_silo_member_list(Command):
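Review bot: With "user.assigned_silo = silo.dn" and "user.save(ldb)" removed, grant now succeeds and prints "(unassigned)" for any user who has not been assigned separately, and neither the message nor the help text explains what that status means or how to change it. Say in the output or the command help that assignment is done with "user auth silo assign". The status check "if user.assigned_silo and user.assigned_silo == silo.dn:" is repeated verbatim in the revoke command, so a small shared helper would keep the two in step. The quotes around {member} in "User {member} not found." were also dropped; a DN containing spaces is easier to read in the error when quoted.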
@@ -133,11 +129,11 @@ class cmd_domain_auth_silo_member_list(Command):
self.print_json([member.as_dict() for member in members])
else:
for member in members:
- self.outf.write(f"{member.dn}\n")
+ print(member.dn, file=self.outf)
-class cmd_domain_auth_silo_member_remove(Command):
- """Remove a member from an authentication silo."""
+class cmd_domain_auth_silo_member_revoke(Command):
+ """Revoke a member from an authentication silo."""
synopsis = "%prog -H <URL> [options]"
@@ -152,7 +148,7 @@ class cmd_domain_auth_silo_member_remove(Command):
help="Name of authentication silo (required).",
dest="name", action="store", type=str, required=True),
Option("--member",
- help="Member to remove from the silo (DN or account name).",
+ help="Member to revoke from the silo (DN or account name).",
dest="member", action="store", type=str, required=True),
]
@@ -170,39 +166,36 @@ class cmd_domain_auth_silo_member_remove(Command):
if silo is None:
raise CommandError(f"Authentication silo {name} not found.")
- # Try a Dn first, then sAMAccountName.
try:
- user_query = {"dn": Dn(ldb, member)}
- except ValueError:
- user_query = {"username": member}
-
- try:
- user = User.get(ldb, **user_query)
+ user = User.find(ldb, member)
except ModelError as e:
raise CommandError(e)
# Ensure the user actually exists first.
if user is None:
- raise CommandError(f"User '{member}' not found.")
-
- # Unset the assigned silo.
- user.assigned_silo = None
+ raise CommandError(f"User {member} not found.")
- # Remove member and save user.
+ # Revoke member access.
try:
- silo.remove_member(ldb, user)
- user.save(ldb)
+ silo.revoke(ldb, user)
except ModelError as e:
raise CommandError(e)
- self.outf.write(f"User '{user.name}' removed from the {name} silo.\n")
+ # Display silo assigned status.
+ if user.assigned_silo and user.assigned_silo == silo.dn:
+ status = "assigned"
+ else:
+ status = "unassigned"
+
+ print(f"User {user} revoked from the authentication silo {name} ({status}).",
+ file=self.outf)
class cmd_domain_auth_silo_member(SuperCommand):
"""Manage members in an authentication silo."""
subcommands = {
- "add": cmd_domain_auth_silo_member_add(),
+ "grant": cmd_domain_auth_silo_member_grant(),
"list": cmd_domain_auth_silo_member_list(),
- "remove": cmd_domain_auth_silo_member_remove(),
+ "revoke": cmd_domain_auth_silo_member_revoke(),
}
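Review bot: After silo.revoke() the status line can still print "(assigned)", because the removed "user.assigned_silo = None" and "user.save(ldb)" lines were what cleared the assignment, so a revoked user can keep an assigned_silo that points at a silo they are no longer a member of. If that is intended, to match the Windows tools as the commit message says, make the message explicit that the assignment is still in place and is removed with "user auth silo remove". In the subcommands dict, "add" and "remove" are dropped outright; consider keeping them as deprecated aliases for a release so existing scripts do not break.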
diff --git a/python/samba/netcmd/domain/models/auth_silo.py b/python/samba/netcmd/domain/models/auth_silo.py
index 28d94e64fa3..f09b6a6654a 100644
--- a/python/samba/netcmd/domain/models/auth_silo.py
+++ b/python/samba/netcmd/domain/models/auth_silo.py
@@ -24,7 +24,7 @@ from ldb import FLAG_MOD_ADD, FLAG_MOD_DELETE, LdbError, Message, MessageElement
from samba.sd_utils import escaped_claim_id
-from .exceptions import AddMemberError, RemoveMemberError
+from .exceptions import GrantMemberError, RevokeMemberError
from .fields import DnField, BooleanField, StringField
from .model import Model
@@ -53,14 +53,14 @@ class AuthenticationSilo(Model):
def get_object_class():
return "msDS-AuthNPolicySilo"
- def add_member(self, ldb, member):
- """Add a member to the Authentication Silo.
+ def grant(self, ldb, member):
+ """Grant a member access to the Authentication Silo.
Rather than saving the silo object and writing the entire member
list out again, just add one member only.
:param ldb: Ldb connection
- :param member: Member to add to silo
+ :param member: Member to grant access to silo
"""
# Create a message with only an add member operation.
message = Message(dn=self.dn)
@@ -71,19 +71,19 @@ class AuthenticationSilo(Model):
try:
ldb.modify(message)
except LdbError as e:
- raise AddMemberError(f"Failed to add silo member: {e}")
+ raise GrantMemberError(f"Failed to grant access to silo member: {e}")
# If the modify operation was successful refresh members field.
self.refresh(ldb, fields=["members"])
- def remove_member(self, ldb, member):
- """Remove a member from the Authentication Silo.
+ def revoke(self, ldb, member):
+ """Revoke a member from the Authentication Silo.
Rather than saving the silo object and writing the entire member
list out again, just remove one member only.
:param ldb: Ldb connection
- :param member: Member to remove from silo
+ :param member: Member to revoke from silo
"""
# Create a message with only a remove member operation.
message = Message(dn=self.dn)
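Review bot: Wording of the new strings in this hunk: "Failed to grant access to silo member" in the `GrantMemberError` message reads as if access were being granted to the member rather than to the silo, and "Revoke a member from the Authentication Silo" in the `revoke` docstring is not parallel with "Grant a member access to" above it. Suggest "Failed to grant silo access to member" and "Revoke a member's access to the Authentication Silo". The unchanged docstring bodies still say "just add one member only" and "just remove one member only", which is fine as a description of the LDAP operation, but a short note that grant/revoke map to add/delete on the members attribute would help the next reader.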
@@ -94,7 +94,7 @@ class AuthenticationSilo(Model):
try:
ldb.modify(message)
except LdbError as e:
- raise RemoveMemberError(f"Failed to remove silo member: {e}")
+ raise RevokeMemberError(f"Failed to revoke silo member: {e}")
# If the modify operation was successful refresh members field.
self.refresh(ldb, fields=["members"])
diff --git a/python/samba/netcmd/domain/models/exceptions.py b/python/samba/netcmd/domain/models/exceptions.py
index b28b423f64d..14ebd774d09 100644
--- a/python/samba/netcmd/domain/models/exceptions.py
+++ b/python/samba/netcmd/domain/models/exceptions.py
@@ -44,11 +44,11 @@ class DoesNotExist(ModelError):
pass
-class AddMemberError(ModelError):
+class GrantMemberError(ModelError):
pass
-class RemoveMemberError(ModelError):
+class RevokeMemberError(ModelError):
pass
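Review bot: `AddMemberError` and `RemoveMemberError` are renamed in place with no compatibility alias, so any module still importing the old names fails at import time rather than at the call site. Please confirm that every importer under python/samba is updated in this series (only auth_silo.py is visible here), or keep the old names as aliases for one release.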
diff --git a/python/samba/netcmd/domain/models/model.py b/python/samba/netcmd/domain/models/model.py
index a1eee7116a1..200a1fadc6c 100644
--- a/python/samba/netcmd/domain/models/model.py
+++ b/python/samba/netcmd/domain/models/model.py
@@ -28,9 +28,10 @@ from ldb import ERR_NO_SUCH_OBJECT, FLAG_MOD_ADD, FLAG_MOD_REPLACE, LdbError,\
from samba.sd_utils import SDUtils
from .exceptions import DeleteError, DoesNotExist, FieldError,\
- MultipleObjectsReturned, ProtectError, UnprotectError
+ ProtectError, UnprotectError
from .fields import DateTimeField, DnField, Field, GUIDField, IntegerField,\
StringField
+from .query import Query
# Keeps track of registered models.
# This gets populated by the ModelMeta class.
@@ -246,11 +247,7 @@ class Model(metaclass=ModelMeta):
raise DoesNotExist(f"Container does not exist: {base_dn}")
raise
- # For now this returns a simple generator of model instances.
- # This could eventually become a QuerySet class if we need to add
- # additional methods on the return value for example .order_by()
- for message in result:
- yield cls.from_message(ldb, message)
+ return Query(cls, ldb, result)
@classmethod
def get(cls, ldb, **kwargs):
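Review bot: Replacing the `yield` loop with `return Query(cls, ldb, result)` turns `query()` from a generator function into an ordinary one, so the search and the `DoesNotExist` raise in the context lines above now happen when `query()` is called instead of on first iteration. Callers that wrapped only the `for` loop in try/except will no longer catch it. Please check the existing call sites and add a `:returns: Query` line to the method docstring so the new return type is documented.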
@@ -261,7 +258,7 @@ class Model(metaclass=ModelMeta):
:param ldb: Ldb connection
:param kwargs: Search criteria as keyword args
- :returns: User object or None if not found
+ :returns: Model instance or None if not found
:raises: MultipleObjects returned if there are more than one results
"""
# If a DN is provided use that to get the object directly.
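Review bot: While this docstring is being corrected, the `:raises:` line just below the changed line still reads "MultipleObjects returned", which is not the exception name. It should be `MultipleObjectsReturned`, and since the check moves out of this method in the next hunk, the line could say that it is raised by the underlying query.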
@@ -278,27 +275,10 @@ class Model(metaclass=ModelMeta):
return None
else:
raise
- else:
- base_dn = cls.get_search_dn(ldb)
- # If the container does not exist produce a friendly error message.
- try:
- res = ldb.search(base_dn,
- scope=SCOPE_SUBTREE,
- expression=cls.build_expression(**kwargs))
- except LdbError as e:
- if e.args[0] == ERR_NO_SUCH_OBJECT:
- raise DoesNotExist(f"Container does not exist: {base_dn}")
- raise
-
- # Expect to get one object back or raise MultipleObjectsReturned.
- # For multiple records, please call .query() instead.
- count = len(res)
- if count > 1:
- raise MultipleObjectsReturned(
- f"More than one object returned (got {count}).")
- elif count == 1:
return cls.from_message(ldb, res[0])
+ else:
+ return cls.query(ldb, **kwargs).get()
@classmethod
def create(cls, ldb, **kwargs):
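Review bot: The removed branch returned None for zero results and raised `MultipleObjectsReturned` for more than one; the replacement `cls.query(ldb, **kwargs).get()` has to preserve both for the docstring ("Model instance or None if not found") to stay true. query.py imports `DoesNotExist` as well, so please confirm `Query.get()` returns None on an empty result rather than raising, and add a test for the zero, one and many cases through `Model.get()`.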
diff --git a/python/samba/netcmd/domain/models/query.py b/python/samba/netcmd/domain/models/query.py
new file mode 100644
index 00000000000..9cdb65099c1
--- /dev/null
+++ b/python/samba/netcmd/domain/models/query.py
@@ -0,0 +1,81 @@
+# Unix SMB/CIFS implementation.
+#
+# Query class for the ORM to the Ldb database.
+#
+# Copyright (C) Catalyst.Net Ltd. 2023
+#
+# Written by Rob van der Linde <rob at catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import re
+
+from .exceptions import DoesNotExist, MultipleObjectsReturned
+
+RE_SPLIT_CAMELCASE = re.compile(r"[A-Z](?:[a-z]+|[A-Z]*(?=[A-Z]|$))")
+
+
+class Query:
+ """Simple Query class used by the `Model.query` method."""
+
+ def __init__(self, model, ldb, result):
+ self.model = model
+ self.ldb = ldb
+ self.result = result
+ self.count = result.count
+ self.name = " ".join(RE_SPLIT_CAMELCASE.findall(model.__name__)).lower()
+
+ def __iter__(self):
+ """Loop over Query class yields Model instances."""
+ for message in self.result:
+ yield self.model.from_message(self.ldb, message)
+
+ def first(self):
+ """Returns the first item in the Query or None for no results."""
+ if self.result.count:
+ return self.model.from_message(self.ldb, self.result[0])
+
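Review bot: In `Query.first()` the emptiness check uses `self.result.count` although `__init__` already caches the same value as `self.count`; use one of them consistently so the two cannot drift if `count` is later changed. The method also returns None only by falling off the end, which the docstring promises explicitly, so an explicit `return None` would be clearer. `RE_SPLIT_CAMELCASE` and `self.name` have no comment saying what the derived name is used for; a one-line comment with an example (model class name in, lower-case words out) would help.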
--
Samba Shared Repository