[SCM] Samba Shared Repository - branch master updated

Douglas Bagnall dbagnall at samba.org
Thu Nov 23 00:33:01 UTC 2023


The branch, master has been updated
       via  83e8971c0f1 Claims initial black box tests
       via  fad29cd0a67 netcmd: auth policy: add allowed-to-authenticate-from-device-group attributes
       via  1b4514712d2 netcmd: auth policy: fix missing 'by' in help string
       via  eaf1bd5623e netcmd: auth policy: add allowed-to-authenticate-to-by-group attributes
       via  dbeb424e6c2 netcmd: auth policy: rename "from silo" to "from device silo"
       via  1e00952c34f netcmd: auth policy: document allowed to authenticate from silo and to by silo attributes
       via  42de24d73a9 netcmd: auth policy: add allowed to authenticate to by silo attributes
       via  9fe147a02c6 netcmd: models: add field test for SIDField
       via  96aaa0059f0 netcmd: models: add a Group model
       via  e9b1ac93b58 netcmd: models: make systemFlags and systemOnly fields readonly
       via  c1f56feefb5 netcmd: models: ensure that backlinks are always readonly
       via  6255d57ce8e netcmd: models: add readonly attribute on fields to exclude it from save
       via  e256a04d5d9 netcmd: models: get_base_dn returns default rather than be abstract
       via  91cc73352ef netcmd: models: add SIDField field
       via  0ce9b753255 netcmd: models: use correct SDDL for authentication silos
       via  bf07a97931f netcmd: fix typo in groups and computer commands
       via  6e3491e2803 selftest: move planoldpythontestsuite up so it can be used by blackbox tests
       via  faf0b784a13 tests: gensec: docstrings in the middle of code should be comments
      from  f955d9aa49d smbd: Fix Coverity ID 1499372 Uninitialized scalar variable

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 83e8971c0f1c1db8c3574f83107190ac1ac23db0
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Nov 13 23:48:52 2023 +1300

    Claims initial black box tests
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
    Autobuild-Date(master): Thu Nov 23 00:32:33 UTC 2023 on atb-devel-224

commit fad29cd0a67de492a2597129d11c9c3abbe0062f
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Nov 21 15:23:59 2023 +1300

    netcmd: auth policy: add allowed-to-authenticate-from-device-group attributes
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1b4514712d2a62899787c33575600749d496e2b3
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Nov 21 15:41:31 2023 +1300

    netcmd: auth policy: fix missing 'by' in help string
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit eaf1bd5623e167502d61133baa347e4a5b5b3c96
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Nov 21 15:09:05 2023 +1300

    netcmd: auth policy: add allowed-to-authenticate-to-by-group attributes
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dbeb424e6c2aeb4378ee2cbf7e37fa644ffd0208
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Nov 21 15:03:24 2023 +1300

    netcmd: auth policy: rename "from silo" to "from device silo"
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1e00952c34f5a82e8b1ca157a359f1fa351650ae
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Nov 16 13:39:23 2023 +1300

    netcmd: auth policy: document allowed to authenticate from silo and to by silo attributes
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 42de24d73a96ed574fbbe5af938e15e06fc6eac1
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Nov 13 23:48:36 2023 +1300

    netcmd: auth policy: add allowed to authenticate to by silo attributes
    
    --user-allowed-to-authenticate-to-by-silo
    --service-allowed-to-authenticate-to-by-silo
    --computer-allowed-to-authenticate-to-by-silo
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9fe147a02c6497be12209f7a9a4f4f4a8113440d
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Nov 22 17:18:20 2023 +1300

    netcmd: models: add field test for SIDField
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 96aaa0059f0c7ed310edb9ebd3c6e81c361f8234
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Nov 21 16:00:18 2023 +1300

    netcmd: models: add a Group model
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e9b1ac93b58569c6b6a52091421839574ef92148
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Nov 22 15:38:55 2023 +1300

    netcmd: models: make systemFlags and systemOnly fields readonly
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c1f56feefb599bf502b0231a4683a24bac8b4e30
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Nov 22 15:35:38 2023 +1300

    netcmd: models: ensure that backlinks are always readonly
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6255d57ce8e22ac14e3291f249cb04aa4b7ecebb
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Nov 22 14:13:08 2023 +1300

    netcmd: models: add readonly attribute on fields to exclude it from save
    
    There was trouble when saving fields like is system object; these need to be excluded on save.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e256a04d5d996ff90d0ed9278c69cf793794cff7
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Nov 21 15:57:14 2023 +1300

    netcmd: models: get_base_dn returns default rather than be abstract
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 91cc73352efca030a41b2f5aa2825da3aa0e52a2
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Nov 21 12:42:03 2023 +1300

    netcmd: models: add SIDField field
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0ce9b7532553194da7560e122b68def34b445c81
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Nov 13 23:46:57 2023 +1300

    netcmd: models: use correct SDDL for authentication silos
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bf07a97931fd9b8e6c5d7dc7ba3950ad6d3a11c6
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Nov 21 12:40:03 2023 +1300

    netcmd: fix typo in groups and computer commands
    
    Everywhere else it is using Group's except for one place, which makes it obvious this was incorrect.
    
    Same goes for Computers's vs Computer's
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6e3491e28037aab26019a2b94a3833154adf626c
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Nov 8 15:07:41 2023 +1300

    selftest: move planoldpythontestsuite up so it can be used by blackbox tests
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit faf0b784a13f1629b3251515d17e15d5af2987a4
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Nov 8 14:37:12 2023 +1300

    tests: gensec: docstrings in the middle of code should be comments
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/samba-tool.8.xml                 |  60 +++
 python/samba/netcmd/computer.py                    |   2 +-
 python/samba/netcmd/domain/auth/policy.py          | 205 +++++++--
 python/samba/netcmd/domain/models/__init__.py      |   1 +
 python/samba/netcmd/domain/models/auth_silo.py     |   4 +-
 python/samba/netcmd/domain/models/fields.py        |  30 +-
 .../netcmd/domain/models/{site.py => group.py}     |  31 +-
 python/samba/netcmd/domain/models/model.py         |   7 +-
 python/samba/netcmd/domain/models/schema.py        |   6 +-
 python/samba/netcmd/domain/models/site.py          |   6 +-
 python/samba/netcmd/domain/models/subnet.py        |   2 +-
 python/samba/netcmd/domain/models/value_type.py    |   5 +-
 python/samba/netcmd/group.py                       |   2 +-
 python/samba/tests/blackbox/claims.py              | 239 +++++++++++
 python/samba/tests/gensec.py                       |  12 +-
 .../samba/tests/samba_tool/domain_auth_policy.py   | 458 ++++++++++++++++++++-
 python/samba/tests/samba_tool/domain_models.py     |  44 +-
 python/samba/tests/samba_tool/silo_base.py         |   6 +
 selftest/knownfail.d/usage                         |   2 +
 source4/selftest/tests.py                          |  43 +-
 20 files changed, 1059 insertions(+), 106 deletions(-)
 copy python/samba/netcmd/domain/models/{site.py => group.py} (59%)
 create mode 100755 python/samba/tests/blackbox/claims.py


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 9baa605fc16..e96ee4fc048 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -742,6 +742,18 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>--user-allowed-to-authenticate-from-silo</term>
+			<listitem>
+				<para>
+					User is allowed to authenticate from a given silo.
+				</para>
+				<para>
+					This attribute avoids the need to write SDDL by hand and
+					cannot be used with --user-allowed-to-authenticate-from
+				</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term>--user-allowed-to-authenticate-to</term>
 			<listitem>
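Review bot: the option name documented in this entry, `--user-allowed-to-authenticate-from-silo`, does not exist after this same changeset: policy.py renames it to `--user-allowed-to-authenticate-from-device-silo`, and the mutual-exclusion set checked by `check_similar_args` also gains `--user-allowed-to-authenticate-from-device-group`, which the manpage never mentions. Update the `<term>` to the new name, add an entry for the device-group option, and make the "cannot be used with" paragraph list all three options so the manpage matches the code.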
@@ -756,6 +768,18 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>--user-allowed-to-authenticate-to-by-silo</term>
+			<listitem>
+				<para>
+					User is allowed to authenticate to by a given silo.
+				</para>
+				<para>
+					This attribute avoids the need to write SDDL by hand and
+					cannot be used with --user-allowed-to-authenticate-to
+				</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term>--service-tgt-lifetime-mins</term>
 			<listitem>
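Review bot: "User is allowed to authenticate to by a given silo." does not say whose silo membership is being tested; the option name implies the restriction is on accounts authenticating to this user, so the text should say that explicitly and note that the value is a silo name (cn), not SDDL. The companion `--user-allowed-to-authenticate-to-by-group` option added in policy.py has no manpage entry at all.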
@@ -787,6 +811,18 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>--service-allowed-to-authenticate-from-silo</term>
+			<listitem>
+				<para>
+					Service is allowed to authenticate from a given silo.
+				</para>
+				<para>
+					This attribute avoids the need to write SDDL by hand and
+					cannot be used with --service-allowed-to-authenticate-from
+				</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term>--service-allowed-to-authenticate-to</term>
 			<listitem>
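Review bot: same mismatch as the user entry: `--service-allowed-to-authenticate-from-silo` is renamed to `--service-allowed-to-authenticate-from-device-silo` in policy.py, and `--service-allowed-to-authenticate-from-device-group` is added alongside it, so this entry documents an option that no longer exists and omits one that does. Fix the name, add the device-group entry, and list all three in the exclusion paragraph.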
@@ -801,6 +837,18 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>--service-allowed-to-authenticate-to-by-silo</term>
+			<listitem>
+				<para>
+					Service is allowed to authenticate to by a given silo.
+				</para>
+				<para>
+					This attribute avoids the need to write SDDL by hand and
+					cannot be used with --service-allowed-to-authenticate-to
+				</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term>--computer-tgt-lifetime-mins</term>
 			<listitem>
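Review bot: `--service-allowed-to-authenticate-to-by-group`, added in policy.py next to the silo variant documented here, is missing from the manpage, and the exclusion paragraph should name it as well since `check_similar_args` rejects combining it with `--service-allowed-to-authenticate-to`.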
@@ -823,6 +871,18 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>--computer-allowed-to-authenticate-to-by-silo</term>
+			<listitem>
+				<para>
+					Computer is allowed to authenticate to by a given silo.
+				</para>
+				<para>
+					This attribute avoids the need to write SDDL by hand and
+					cannot be used with --computer-allowed-to-authenticate-to
+				</para>
+			</listitem>
+		</varlistentry>
 	</variablelist>
 </refsect3>
 
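Review bot: `--computer-allowed-to-authenticate-to-by-group` is added in policy.py at the same point as the silo option documented here but has no entry; please add it and list it in the "cannot be used with" paragraph together with `--computer-allowed-to-authenticate-to`.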
diff --git a/python/samba/netcmd/computer.py b/python/samba/netcmd/computer.py
index e4fbd671222..1413803cf8a 100644
--- a/python/samba/netcmd/computer.py
+++ b/python/samba/netcmd/computer.py
@@ -214,7 +214,7 @@ Example3 shows how to add a new computer in the OrgUnit organizational unit.
                      "counterpart) to default CN=Computers in which new "
                      "computer object will be created. E.g. 'OU=<OU name>'"),
                type=str),
-        Option("--description", help="Computers's description", type=str),
+        Option("--description", help="Computer's description", type=str),
         Option("--prepare-oldjoin",
                help="Prepare enabled machine account for oldjoin mechanism",
                action="store_true"),
diff --git a/python/samba/netcmd/domain/auth/policy.py b/python/samba/netcmd/domain/auth/policy.py
index d0ca96b677a..32a24adafee 100644
--- a/python/samba/netcmd/domain/auth/policy.py
+++ b/python/samba/netcmd/domain/auth/policy.py
@@ -22,7 +22,8 @@
 
 import samba.getopt as options
 from samba.netcmd import Command, CommandError, Option, SuperCommand
-from samba.netcmd.domain.models import AuthenticationPolicy, AuthenticationSilo
+from samba.netcmd.domain.models import AuthenticationPolicy,\
+    AuthenticationSilo, Group
 from samba.netcmd.domain.models.auth_policy import MIN_TGT_LIFETIME,\
     MAX_TGT_LIFETIME, StrongNTLMPolicy
 from samba.netcmd.domain.models.exceptions import ModelError
@@ -33,7 +34,7 @@ def check_similar_args(option, args):
     """Helper method for checking similar mutually exclusive args.
 
     Example: --user-allowed-to-authenticate-from and
-             --user-allowed-to-authenticate-from-silo
+             --user-allowed-to-authenticate-from-device-silo
     """
     num = sum(arg is not None for arg in args)
     if num > 1:
@@ -60,14 +61,26 @@ class UserOptions(options.OptionGroup):
                         help="Conditions user is allowed to authenticate from.",
                         type=str, dest="allowed_to_authenticate_from",
                         action="callback", callback=self.set_option)
-        self.add_option("--user-allowed-to-authenticate-from-silo",
-                        help="User is allowed to authenticate from silo.",
-                        type=str, dest="allowed_to_authenticate_from_silo",
+        self.add_option("--user-allowed-to-authenticate-from-device-silo",
+                        help="User is allowed to authenticate from a device in a silo.",
+                        type=str, dest="allowed_to_authenticate_from_device_silo",
+                        action="callback", callback=self.set_option)
+        self.add_option("--user-allowed-to-authenticate-from-device-group",
+                        help="User is allowed to authenticate from a device in group.",
+                        type=str, dest="allowed_to_authenticate_from_device_group",
                         action="callback", callback=self.set_option)
         self.add_option("--user-allowed-to-authenticate-to",
                         help="Conditions user is allowed to authenticate to.",
                         type=str, dest="allowed_to_authenticate_to",
                         action="callback", callback=self.set_option)
+        self.add_option("--user-allowed-to-authenticate-to-by-group",
+                        help="User is allowed to authenticate to by group.",
+                        type=str, dest="allowed_to_authenticate_to_by_group",
+                        action="callback", callback=self.set_option)
+        self.add_option("--user-allowed-to-authenticate-to-by-silo",
+                        help="User is allowed to authenticate to by silo.",
+                        type=str, dest="allowed_to_authenticate_to_by_silo",
+                        action="callback", callback=self.set_option)
 
 
 class ServiceOptions(options.OptionGroup):
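Review bot: renaming `--user-allowed-to-authenticate-from-silo` to `--user-allowed-to-authenticate-from-device-silo` (and its `dest`) removes a published samba-tool option with no alias or deprecation path; if the old name has shipped in a release, keep it as a hidden alias on the same `dest` or call the rename out in the release notes. Separately, the help strings could be tighter: `"User is allowed to authenticate from a device in group."` wants "in a group", and `"User is allowed to authenticate to by group."` does not say what is restricted; something like "Only members of this group may authenticate to the user." reads better.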
@@ -90,14 +103,26 @@ class ServiceOptions(options.OptionGroup):
                         help="Conditions service is allowed to authenticate from.",
                         type=str, dest="allowed_to_authenticate_from",
                         action="callback", callback=self.set_option)
-        self.add_option("--service-allowed-to-authenticate-from-silo",
-                        help="Service is allowed to authenticate from silo.",
-                        type=str, dest="allowed_to_authenticate_from_silo",
+        self.add_option("--service-allowed-to-authenticate-from-device-silo",
+                        help="Service is allowed to authenticate from a device in a silo.",
+                        type=str, dest="allowed_to_authenticate_from_device_silo",
+                        action="callback", callback=self.set_option)
+        self.add_option("--service-allowed-to-authenticate-from-device-group",
+                        help="Service is allowed to authenticate from a device in group.",
+                        type=str, dest="allowed_to_authenticate_from_device_group",
                         action="callback", callback=self.set_option)
         self.add_option("--service-allowed-to-authenticate-to",
                         help="Conditions service is allowed to authenticate to.",
                         type=str, dest="allowed_to_authenticate_to",
                         action="callback", callback=self.set_option)
+        self.add_option("--service-allowed-to-authenticate-to-by-group",
+                        help="Service is allowed to authenticate to by group.",
+                        type=str, dest="allowed_to_authenticate_to_by_group",
+                        action="callback", callback=self.set_option)
+        self.add_option("--service-allowed-to-authenticate-to-by-silo",
+                        help="Service is allowed to authenticate to by silo.",
+                        type=str, dest="allowed_to_authenticate_to_by_silo",
+                        action="callback", callback=self.set_option)
 
 
 class ComputerOptions(options.OptionGroup):
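Review bot: the same help-string issues as in UserOptions: `"Service is allowed to authenticate from a device in group."` is missing "a", and the `to by group` / `to by silo` strings should state that they restrict which accounts may authenticate to the service. Since these six options are the user ones with "user" swapped for "service", a small helper that builds the option set from a prefix would keep the three option groups from drifting.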
@@ -115,6 +140,14 @@ class ComputerOptions(options.OptionGroup):
                         help="Conditions computer is allowed to authenticate to.",
                         type=str, dest="allowed_to_authenticate_to",
                         action="callback", callback=self.set_option)
+        self.add_option("--computer-allowed-to-authenticate-to-by-group",
+                        help="Computer is allowed to authenticate to by group.",
+                        type=str, dest="allowed_to_authenticate_to_by_group",
+                        action="callback", callback=self.set_option)
+        self.add_option("--computer-allowed-to-authenticate-to-by-silo",
+                        help="Computer is allowed to authenticate to by silo.",
+                        type=str, dest="allowed_to_authenticate_to_by_silo",
+                        action="callback", callback=self.set_option)
 
 
 class cmd_domain_auth_policy_list(Command):
@@ -239,25 +272,87 @@ class cmd_domain_auth_policy_create(Command):
         # Check for repeated, similar arguments.
         check_similar_args("--user-allowed-to-authenticate-from",
                            [useropts.allowed_to_authenticate_from,
-                            useropts.allowed_to_authenticate_from_silo])
+                            useropts.allowed_to_authenticate_from_device_group,
+                            useropts.allowed_to_authenticate_from_device_silo])
+        check_similar_args("--user-allowed-to-authenticate-to",
+                           [useropts.allowed_to_authenticate_to,
+                            useropts.allowed_to_authenticate_to_by_group,
+                            useropts.allowed_to_authenticate_to_by_silo])
         check_similar_args("--service-allowed-to-authenticate-from",
                            [serviceopts.allowed_to_authenticate_from,
-                            serviceopts.allowed_to_authenticate_from_silo])
+                            serviceopts.allowed_to_authenticate_from_device_group,
+                            serviceopts.allowed_to_authenticate_from_device_silo])
+        check_similar_args("--service-allowed-to-authenticate-to",
+                           [serviceopts.allowed_to_authenticate_to,
+                            serviceopts.allowed_to_authenticate_to_by_group,
+                            serviceopts.allowed_to_authenticate_to_by_silo])
+        check_similar_args("--computer-allowed-to-authenticate-to",
+                           [computeropts.allowed_to_authenticate_to,
+                            computeropts.allowed_to_authenticate_to_by_group,
+                            computeropts.allowed_to_authenticate_to_by_silo])
 
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
-        # Generate SDDL for authenticating users from a silo
-        if useropts.allowed_to_authenticate_from_silo:
+        # Generate SDDL for authenticating users from a device in a group
+        if useropts.allowed_to_authenticate_from_device_group:
+            group = Group.get(
+                ldb, cn=useropts.allowed_to_authenticate_from_device_group)
+            useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
+
+        # Generate SDDL for authenticating users from a device in a silo
+        if useropts.allowed_to_authenticate_from_device_silo:
             silo = AuthenticationSilo.get(
-                ldb, cn=useropts.allowed_to_authenticate_from_silo)
+                ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
             useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
 
-        # Generate SDDL for authenticating service accounts from a silo
-        if serviceopts.allowed_to_authenticate_from_silo:
+        # Generate SDDL for authenticating user accounts to a group
+        if useropts.allowed_to_authenticate_to_by_group:
+            group = Group.get(
+                ldb, cn=useropts.allowed_to_authenticate_to_by_group)
+            useropts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
+        # Generate SDDL for authenticating user accounts to a silo
+        if useropts.allowed_to_authenticate_to_by_silo:
             silo = AuthenticationSilo.get(
-                ldb, cn=serviceopts.allowed_to_authenticate_from_silo)
+                ldb, cn=useropts.allowed_to_authenticate_to_by_silo)
+            useropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
+
+        # Generate SDDL for authenticating service accounts from a device in a group
+        if serviceopts.allowed_to_authenticate_from_device_group:
+            group = Group.get(
+                ldb, cn=serviceopts.allowed_to_authenticate_from_device_group)
+            serviceopts.allowed_to_authenticate_from = group.get_authentication_sddl()
+
+        # Generate SDDL for authenticating service accounts from a device in a silo
+        if serviceopts.allowed_to_authenticate_from_device_silo:
+            silo = AuthenticationSilo.get(
+                ldb, cn=serviceopts.allowed_to_authenticate_from_device_silo)
             serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl()
 
+        # Generate SDDL for authenticating service accounts to a group
+        if serviceopts.allowed_to_authenticate_to_by_group:
+            group = Group.get(
+                ldb, cn=serviceopts.allowed_to_authenticate_to_by_group)
+            serviceopts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
+        # Generate SDDL for authenticating service accounts to a silo
+        if serviceopts.allowed_to_authenticate_to_by_silo:
+            silo = AuthenticationSilo.get(
+                ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
+            serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
+
+        # Generate SDDL for authenticating computer accounts to a group
+        if computeropts.allowed_to_authenticate_to_by_group:
+            group = Group.get(
+                ldb, cn=computeropts.allowed_to_authenticate_to_by_group)
+            computeropts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
+        # Generate SDDL for authenticating computer accounts to a silo
+        if computeropts.allowed_to_authenticate_to_by_silo:
+            silo = AuthenticationSilo.get(
+                ldb, cn=computeropts.allowed_to_authenticate_to_by_silo)
+            computeropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
+
         try:
             policy = AuthenticationPolicy.get(ldb, cn=name)
         except ModelError as e:
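Review bot: none of the new `Group.get(...)` and `AuthenticationSilo.get(...)` lookups is guarded: an unknown group or silo name is neither checked for a `None` result nor covered by the `except ModelError` that wraps `AuthenticationPolicy.get` just below, so a mistyped `--user-allowed-to-authenticate-from-device-group` name would surface as a Python traceback rather than a `CommandError`. A single helper, for example `resolve_sddl(ldb, model, cn, option)` that raises `CommandError(f"{option}: {model.__name__} '{cn}' not found")` and otherwise returns `get_authentication_sddl()`, would replace all twelve branches here and the identical twelve in `cmd_domain_auth_policy_modify`. Two smaller points: `check_similar_args` tests `arg is not None`, while these branches test truthiness, so an explicit empty string passes the exclusivity check and is then silently ignored; and since the same `get_authentication_sddl()` output (which references `@USER` in auth_silo.py) is used for both the "from device" and "to by" directions, a comment saying that only the token the condition is evaluated against differs would help the next reader.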
@@ -355,25 +450,87 @@ class cmd_domain_auth_policy_modify(Command):
         # Check for repeated, similar arguments.
         check_similar_args("--user-allowed-to-authenticate-from",
                            [useropts.allowed_to_authenticate_from,
-                            useropts.allowed_to_authenticate_from_silo])
+                            useropts.allowed_to_authenticate_from_device_group,
+                            useropts.allowed_to_authenticate_from_device_silo])
+        check_similar_args("--user-allowed-to-authenticate-to",
+                           [useropts.allowed_to_authenticate_to,
+                            useropts.allowed_to_authenticate_to_by_group,
+                            useropts.allowed_to_authenticate_to_by_silo])
         check_similar_args("--service-allowed-to-authenticate-from",
                            [serviceopts.allowed_to_authenticate_from,
-                            serviceopts.allowed_to_authenticate_from_silo])
+                            serviceopts.allowed_to_authenticate_from_device_group,
+                            serviceopts.allowed_to_authenticate_from_device_silo])
+        check_similar_args("--service-allowed-to-authenticate-to",
+                           [serviceopts.allowed_to_authenticate_to,
+                            serviceopts.allowed_to_authenticate_to_by_group,
+                            serviceopts.allowed_to_authenticate_to_by_silo])
+        check_similar_args("--computer-allowed-to-authenticate-to",
+                           [computeropts.allowed_to_authenticate_to,
+                            computeropts.allowed_to_authenticate_to_by_group,
+                            computeropts.allowed_to_authenticate_to_by_silo])
 
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
-        # Generate SDDL for authenticating users from a silo
-        if useropts.allowed_to_authenticate_from_silo:
+        # Generate SDDL for authenticating users from a device in a group
+        if useropts.allowed_to_authenticate_from_device_group:
+            group = Group.get(
+                ldb, cn=useropts.allowed_to_authenticate_from_device_group)
+            useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
+
+        # Generate SDDL for authenticating users from a device in a silo
+        if useropts.allowed_to_authenticate_from_device_silo:
             silo = AuthenticationSilo.get(
-                ldb, cn=useropts.allowed_to_authenticate_from_silo)
+                ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
             useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
 
-        # Generate SDDL for authenticating service accounts from a silo
-        if serviceopts.allowed_to_authenticate_from_silo:
+        # Generate SDDL for authenticating user accounts to a group
+        if useropts.allowed_to_authenticate_to_by_group:
+            group = Group.get(
+                ldb, cn=useropts.allowed_to_authenticate_to_by_group)
+            useropts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
+        # Generate SDDL for authenticating user accounts to a silo
+        if useropts.allowed_to_authenticate_to_by_silo:
             silo = AuthenticationSilo.get(
-                ldb, cn=serviceopts.allowed_to_authenticate_from_silo)
+                ldb, cn=useropts.allowed_to_authenticate_to_by_silo)
+            useropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
+
+        # Generate SDDL for authenticating users from a device a device in a group
+        if serviceopts.allowed_to_authenticate_from_device_group:
+            group = Group.get(
+                ldb, cn=serviceopts.allowed_to_authenticate_from_device_group)
+            serviceopts.allowed_to_authenticate_from = group.get_authentication_sddl()
+
+        # Generate SDDL for authenticating service accounts from a device in a silo
+        if serviceopts.allowed_to_authenticate_from_device_silo:
+            silo = AuthenticationSilo.get(
+                ldb, cn=serviceopts.allowed_to_authenticate_from_device_silo)
             serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl()
 
+        # Generate SDDL for authenticating service accounts to a group
+        if serviceopts.allowed_to_authenticate_to_by_group:
+            group = Group.get(
+                ldb, cn=serviceopts.allowed_to_authenticate_to_by_group)
+            serviceopts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
+        # Generate SDDL for authenticating service accounts to a silo
+        if serviceopts.allowed_to_authenticate_to_by_silo:
+            silo = AuthenticationSilo.get(
+                ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
+            serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
+
+        # Generate SDDL for authenticating computer accounts to a group
+        if computeropts.allowed_to_authenticate_to_by_group:
+            group = Group.get(
+                ldb, cn=computeropts.allowed_to_authenticate_to_by_group)
+            computeropts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
+        # Generate SDDL for authenticating computer accounts to a silo
+        if computeropts.allowed_to_authenticate_to_by_silo:
+            silo = AuthenticationSilo.get(
+                ldb, cn=computeropts.allowed_to_authenticate_to_by_silo)
+            computeropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
+
         try:
             policy = AuthenticationPolicy.get(ldb, cn=name)
         except ModelError as e:
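Review bot: in the service-account section, the `allowed_to_authenticate_from_device_group` and `allowed_to_authenticate_from_device_silo` branches both write the same attribute, `serviceopts.allowed_to_authenticate_from`, so when a caller passes both options the silo value silently overwrites the group value; the same holds for each `_to_by_group` / `_to_by_silo` pair on `serviceopts` and `computeropts`. Consider rejecting the combination up front with a `CommandError` when both are set, or at least documenting that the silo wins. The comment "Generate SDDL for authenticating users from a device a device in a group" also duplicates "a device" and says "users" although the branch sets `serviceopts`; "authenticating service accounts from a device in a group" would match the neighbouring comments.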
diff --git a/python/samba/netcmd/domain/models/__init__.py b/python/samba/netcmd/domain/models/__init__.py
index 165f03fe802..8a6b254c70a 100644
--- a/python/samba/netcmd/domain/models/__init__.py
+++ b/python/samba/netcmd/domain/models/__init__.py
@@ -23,6 +23,7 @@
 from .auth_policy import AuthenticationPolicy
 from .auth_silo import AuthenticationSilo
 from .claim_type import ClaimType
+from .group import Group
 from .model import MODELS
 from .schema import AttributeSchema, ClassSchema
 from .site import Site
diff --git a/python/samba/netcmd/domain/models/auth_silo.py b/python/samba/netcmd/domain/models/auth_silo.py
index f09b6a6654a..9747671e4c5 100644
--- a/python/samba/netcmd/domain/models/auth_silo.py
+++ b/python/samba/netcmd/domain/models/auth_silo.py
@@ -100,5 +100,5 @@ class AuthenticationSilo(Model):
         self.refresh(ldb, fields=["members"])
 
     def get_authentication_sddl(self):
-        return ("O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/"
-                f"AuthenticationSilo/{escaped_claim_id(self.name)}))")
+        return ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
+                f'AuthenticationSilo == "{escaped_claim_id(self.name)}"))')
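Review bot: the new return value embeds `escaped_claim_id(self.name)` inside double quotes, so the result is only well-formed SDDL if the escaped value can never contain a `"` character; a comment stating that guarantee, and a test that parses the generated string back with the SDDL parser for a silo name containing quotes or other unusual characters, would make the fix easier to trust. The replaced form, a bare `@USER.ad://ext/AuthenticationSilo/...` path with no comparison operator, was not a valid conditional expression, so switching to `== "..."` looks like the right change.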
diff --git a/python/samba/netcmd/domain/models/fields.py b/python/samba/netcmd/domain/models/fields.py
index 52f288c6d60..0b7e1eb83e4 100644
--- a/python/samba/netcmd/domain/models/fields.py
+++ b/python/samba/netcmd/domain/models/fields.py
@@ -45,17 +45,20 @@ class Field(metaclass=ABCMeta):
     but really any field can be a list or single value.
     """
 
-    def __init__(self, name, many=False, default=None, hidden=False):
+    def __init__(self, name, many=False, default=None, hidden=False,
+                 readonly=False):
         """Creates a new field, should be subclassed.
 
         :param name: Ldb field name.
         :param many: If true always convert field to a list when loaded.
         :param default: Default value or callback method (obj is first argument)
         :param hidden: If this is True, exclude the field when calling as_dict()
+        :param readonly: If true don't write this value when calling save.
         """
         self.name = name
         self.many = many
         self.hidden = hidden
+        self.readonly = readonly
 
         # This ensures that fields with many=True are always lists.
         # If this is inconsistent anywhere, it isn't so great to use.
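Review bot: the `readonly` docstring promises the value is not written when calling save, but this hunk only stores the flag; make sure the corresponding change to `save()` skips readonly fields even when the in-memory value was modified, and that loading (`from_db_value`) is unaffected, since readonly fields such as backlinks still need to be readable.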
@@ -312,6 +315,31 @@ class GUIDField(Field):
             return MessageElement(ndr_pack(GUID(value)), flags, self.name)
 
 
+class SIDField(Field):
+    """A SID field encodes and decodes SID data."""
+
+    def from_db_value(self, ldb, value):
+        """Convert MessageElement with a GUID into a str or list of str."""
+        if value is None:
+            return
+        elif len(value) > 1 or self.many:
+            return [str(ndr_unpack(security.dom_sid, item)) for item in value]
+        else:
+            return str(ndr_unpack(security.dom_sid, value[0]))
+
+    def to_db_value(self, ldb, value, flags):
+        """Convert str with GUID into MessageElement."""
+        if value is None:
+            return
+        elif isinstance(value, list):
+            return MessageElement(
+                [ndr_pack(security.dom_sid(item)) for item in value],
+                flags, self.name)
+        else:
+            return MessageElement(ndr_pack(security.dom_sid(value)),
+                                  flags, self.name)
+
+
 class SDDLField(Field):
     """A SDDL field encodes and decodes SDDL data."""
 
diff --git a/python/samba/netcmd/domain/models/site.py b/python/samba/netcmd/domain/models/group.py
similarity index 59%
copy from python/samba/netcmd/domain/models/site.py
copy to python/samba/netcmd/domain/models/group.py
index 53db6e2c3b1..947312783c0 100644
--- a/python/samba/netcmd/domain/models/site.py
+++ b/python/samba/netcmd/domain/models/group.py
@@ -1,6 +1,6 @@
 # Unix SMB/CIFS implementation.
 #
-# Site model.
+# Group model.
 #
 # Copyright (C) Catalyst.Net Ltd. 2023
 #
@@ -20,26 +20,23 @@


-- 
Samba Shared Repository
