[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Oct 27 00:31:02 UTC 2023


The branch, master has been updated
       via  0bb67a3a7e7 python: silos: add support for allowed to authenticate from silo shortcut
       via  84916935751 python: add docstring for escaped_claim_id function
       via  16d52aa559a python: move method escaped_claim_id from test to samba.sd_utils
       via  47f5bc78b88 python: silos: add some missing tests for auth policy command
       via  2aa4d67411a python: tests: claims and silo tests make use of unique_name
       via  2dd06ae41a2 python: tests: improve comments for auth silo and policy tests
       via  95cb6a0bb16 python: tests: qa and developers were not in the correct case
       via  e87d74066af python: tests: addCleanup is always before create operation
       via  d19e268221e python: tests: function to generate a unique name from caller
       via  ed245e28875 netcmd: tests: make use of addCleanup
       via  3e9f74a680b netcmd: claims: rename claims and silo tests
       via  156887c6d0b netcmd: silo command uses more consistent naming for tgt args
       via  15fb8a5f2ef netcmd: silo command uses more consistent naming for policy args
       via  c22400fd8ef netcmd: silo command remove combined --policy which set all 3
      from  b6ae5d66819 codespell: Ignore .git

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0bb67a3a7e79a687e7809ab41f056c36629bc19f
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Oct 12 17:08:34 2023 +1300

    python: silos: add support for allowed to authenticate from silo shortcut
    
    This avoids the need to write SDDL; the user just needs to give the silo name.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Oct 27 00:30:05 UTC 2023 on atb-devel-224

commit 8491693575115ef651a8320abd699edd3c739758
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Fri Oct 27 12:11:34 2023 +1300

    python: add docstring for escaped_claim_id function
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 16d52aa559ab60a9e2b1aba71c9f866833bab9f0
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Oct 26 13:13:44 2023 +1300

    python: move method escaped_claim_id from test to samba.sd_utils
    
    This is so that it can be used in other places too without the need to import or extend the test base class.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 47f5bc78b88b371c40a85b0b716793da771dc6c9
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Oct 12 16:59:43 2023 +1300

    python: silos: add some missing tests for auth policy command
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2aa4d67411a91d1e135164ddb4857d04d6692a35
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Oct 12 16:55:34 2023 +1300

    python: tests: claims and silo tests make use of unique_name
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2dd06ae41a2154db82378587fa662a35bf78c386
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Oct 26 11:18:04 2023 +1300

    python: tests: improve comments for auth silo and policy tests
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 95cb6a0bb1625c2b2099c7374424d595164be2e8
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Oct 25 17:25:51 2023 +1300

    python: tests: qa and developers were not in the correct case
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e87d74066af3b552333aa28d4180e11b32e465b9
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Oct 25 16:02:31 2023 +1300

    python: tests: addCleanup is always before create operation
    
    This way if it raises during a create, it will still end up running the cleanup.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d19e268221efca4079469c015f0fe3f2d0719f23
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Oct 12 15:21:08 2023 +1300

    python: tests: function to generate a unique name from caller
    
    Uses the caller function to generate a unique name from the test function name.
    
    Unique name is converted to camel case.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ed245e288756c34c263c37dd3d64203ee1efdaa5
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Oct 17 18:54:52 2023 +1300

    netcmd: tests: make use of addCleanup
    
    Makes self.members redundant and the tearDown method can go completely.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3e9f74a680bc1d8c0daa133df3c4f8b84e1addc4
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Oct 12 14:53:18 2023 +1300

    netcmd: claims: rename claims and silo tests
    
    Rename test function names that were starting to get very long.
    
    They were all prefixed with the test name; stop doing that and use a double underscore for better separation.
    
    e.g. AuthPolicyCmdTestCase.test_authentication_policy_list_json
    
    becomes AuthPolicyCmdTestCase.test_list__json
    
    The claim types and value types test cases have been split into two test cases.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 156887c6d0b09795bae98564204e560919d0efa5
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Oct 26 15:12:39 2023 +1300

    netcmd: silo command uses more consistent naming for tgt args
    
    The args --user-tgt-lifetime-mins, --service-tgt-lifetime-mins and
    --computer-tgt-lifetime-mins are suffixed with -mins to be consistent
    with Windows tooling.
    
    For these, the internal names don't need to change and neither do
    the model fields, only the external cli interface has this.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 15fb8a5f2efec250acbd60b2855459c888859e20
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Oct 17 16:31:53 2023 +1300

    netcmd: silo command uses more consistent naming for policy args
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c22400fd8ef961e472ce2803cf4a2ec58b778795
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Oct 17 14:30:40 2023 +1300

    netcmd: silo command remove combined --policy which set all 3
    
    It doesn't make much sense to set all 3 to the same policy: user authentication policy, service authentication policy, computer authentication policy.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/samba-tool.8.xml                 |  48 +-
 python/samba/netcmd/domain/auth/policy.py          |  67 ++-
 python/samba/netcmd/domain/auth/silo.py            | 120 ++--
 python/samba/netcmd/domain/models/auth_silo.py     |  12 +-
 python/samba/sd_utils.py                           |  16 +
 python/samba/tests/__init__.py                     |  19 +
 python/samba/tests/krb5/conditional_ace_tests.py   |  31 +-
 python/samba/tests/samba_tool/domain_auth_base.py  |  53 +-
 .../samba/tests/samba_tool/domain_auth_policy.py   | 605 +++++++++++++++------
 python/samba/tests/samba_tool/domain_auth_silo.py  | 294 +++++-----
 python/samba/tests/samba_tool/domain_claim.py      |  65 ++-
 selftest/knownfail.d/claims-client-tool            |   2 +-
 selftest/knownfail.d/silo-client-tool              |   4 +-
 13 files changed, 856 insertions(+), 480 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 83d91bd0af1..6dfe07ea813 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -712,7 +712,7 @@
 			</listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--user-tgt-lifetime</term>
+			<term>--user-tgt-lifetime-mins</term>
 			<listitem>
 				<para>
 					Ticket-Granting-Ticket lifetime for user accounts.
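Review bot: the term is renamed to --user-tgt-lifetime-mins, but the <para> text "Ticket-Granting-Ticket lifetime for user accounts." still does not state the unit; now that the flag name promises minutes, say "in minutes" in the description so the manpage and the option agree. The same applies to the --service-tgt-lifetime-mins and --computer-tgt-lifetime-mins entries in the hunks below, for both the create and modify sections.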
@@ -757,7 +757,7 @@
 			</listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--service-tgt-lifetime</term>
+			<term>--service-tgt-lifetime-mins</term>
 			<listitem>
 				<para>
 					Ticket-Granting-Ticket lifetime for service accounts.
@@ -802,7 +802,7 @@
 			</listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--computer-tgt-lifetime</term>
+			<term>--computer-tgt-lifetime-mins</term>
 			<listitem>
 				<para>
 					Ticket-Granting-Ticket lifetime for computer accounts.
@@ -901,7 +901,7 @@
 			</listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--user-tgt-lifetime</term>
+			<term>--user-tgt-lifetime-mins</term>
 			<listitem>
 				<para>
 					Ticket-Granting-Ticket lifetime for user accounts.
@@ -946,7 +946,7 @@
 			</listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--service-tgt-lifetime</term>
+			<term>--service-tgt-lifetime-mins</term>
 			<listitem>
 				<para>
 					Ticket-Granting-Ticket lifetime for service accounts.
@@ -991,7 +991,7 @@
 			</listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--computer-tgt-lifetime</term>
+			<term>--computer-tgt-lifetime-mins</term>
 			<listitem>
 				<para>
 					Ticket-Granting-Ticket lifetime for computer accounts.
@@ -1101,27 +1101,21 @@
 			</para></listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--policy</term>
+			<term>--user-authentication-policy</term>
 			<listitem><para>
-				Use single policy for all principals in this silo.
+				User account authentication policy.
 			</para></listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--user-policy</term>
+			<term>--service-authentication-policy</term>
 			<listitem><para>
-				User account policy.
+				Managed service account authentication policy.
 			</para></listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--service-policy</term>
+			<term>--computer-authentication-policy</term>
 			<listitem><para>
-				Managed Service Account policy.
-			</para></listitem>
-		</varlistentry>
-		<varlistentry>
-			<term>--computer-policy</term>
-			<listitem><para>
-				Computer Account policy.
+				Computer authentication policy.
 			</para></listitem>
 		</varlistentry>
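Review bot: the three new descriptions are not parallel: --user-authentication-policy reads "User account authentication policy." and --service-authentication-policy reads "Managed service account authentication policy.", but --computer-authentication-policy drops the word "account" ("Computer authentication policy."). Use "Computer account authentication policy." here and in the matching modify entry (and in the Option help strings in silo.py) so the manpage and --help text say the same thing.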
 		<varlistentry>
@@ -1194,27 +1188,21 @@
 			</para></listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--policy</term>
-			<listitem><para>
-				Use single policy for all principals in this silo.
-			</para></listitem>
-		</varlistentry>
-		<varlistentry>
-			<term>--user-policy</term>
+			<term>--user-authentication-policy</term>
 			<listitem><para>
-				User account policy.
+				User account authentication policy.
 			</para></listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--service-policy</term>
+			<term>--service-authentication-policy</term>
 			<listitem><para>
-				Managed Service Account policy.
+				Managed service account authentication policy.
 			</para></listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>--computer-policy</term>
+			<term>--computer-authentication-policy</term>
 			<listitem><para>
-				Computer Account policy.
+				Computer authentication policy.
 			</para></listitem>
 		</varlistentry>
 		<varlistentry>
diff --git a/python/samba/netcmd/domain/auth/policy.py b/python/samba/netcmd/domain/auth/policy.py
index 6ee85602907..d0ca96b677a 100644
--- a/python/samba/netcmd/domain/auth/policy.py
+++ b/python/samba/netcmd/domain/auth/policy.py
@@ -22,20 +22,31 @@
 
 import samba.getopt as options
 from samba.netcmd import Command, CommandError, Option, SuperCommand
-from samba.netcmd.domain.models import AuthenticationPolicy
+from samba.netcmd.domain.models import AuthenticationPolicy, AuthenticationSilo
 from samba.netcmd.domain.models.auth_policy import MIN_TGT_LIFETIME,\
     MAX_TGT_LIFETIME, StrongNTLMPolicy
 from samba.netcmd.domain.models.exceptions import ModelError
 from samba.netcmd.validators import Range
 
 
+def check_similar_args(option, args):
+    """Helper method for checking similar mutually exclusive args.
+
+    Example: --user-allowed-to-authenticate-from and
+             --user-allowed-to-authenticate-from-silo
+    """
+    num = sum(arg is not None for arg in args)
+    if num > 1:
+        raise CommandError(f"{option} argument repeated {num} times.")
+
+
 class UserOptions(options.OptionGroup):
     """User options used by policy create and policy modify commands."""
 
     def __init__(self, parser):
         super().__init__(parser, "User Options")
 
-        self.add_option("--user-tgt-lifetime",
+        self.add_option("--user-tgt-lifetime-mins",
                         help="Ticket-Granting-Ticket lifetime for user accounts.",
                         dest="tgt_lifetime", type=int, action="callback",
                         callback=self.set_option,
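Review bot: the error raised by check_similar_args() is misleading for the case its own docstring describes: when a user passes --user-allowed-to-authenticate-from once and --user-allowed-to-authenticate-from-silo once, they get "--user-allowed-to-authenticate-from argument repeated 2 times." although no argument was repeated. Report the conflict instead, e.g. `raise CommandError(f"{option} and {option}-silo cannot be used together.")`, in line with the "--audit and --enforce cannot be used together." message already used in run(). Also, the docstring says "Helper method" but this is a module-level function.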
@@ -49,6 +60,10 @@ class UserOptions(options.OptionGroup):
                         help="Conditions user is allowed to authenticate from.",
                         type=str, dest="allowed_to_authenticate_from",
                         action="callback", callback=self.set_option)
+        self.add_option("--user-allowed-to-authenticate-from-silo",
+                        help="User is allowed to authenticate from silo.",
+                        type=str, dest="allowed_to_authenticate_from_silo",
+                        action="callback", callback=self.set_option)
         self.add_option("--user-allowed-to-authenticate-to",
                         help="Conditions user is allowed to authenticate to.",
                         type=str, dest="allowed_to_authenticate_to",
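Review bot: the help string "User is allowed to authenticate from silo." does not tell the operator what the option takes or how it relates to the neighbouring option; say that it takes an authentication silo name and generates the equivalent SDDL, and that it is an alternative to --user-allowed-to-authenticate-from, since the two are rejected when combined. The same wording applies to --service-allowed-to-authenticate-from-silo in the hunk below.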
@@ -61,7 +76,7 @@ class ServiceOptions(options.OptionGroup):
     def __init__(self, parser):
         super().__init__(parser, "Service Options")
 
-        self.add_option("--service-tgt-lifetime",
+        self.add_option("--service-tgt-lifetime-mins",
                         help="Ticket-Granting-Ticket lifetime for service accounts.",
                         dest="tgt_lifetime", type=int, action="callback",
                         callback=self.set_option,
@@ -75,6 +90,10 @@ class ServiceOptions(options.OptionGroup):
                         help="Conditions service is allowed to authenticate from.",
                         type=str, dest="allowed_to_authenticate_from",
                         action="callback", callback=self.set_option)
+        self.add_option("--service-allowed-to-authenticate-from-silo",
+                        help="Service is allowed to authenticate from silo.",
+                        type=str, dest="allowed_to_authenticate_from_silo",
+                        action="callback", callback=self.set_option)
         self.add_option("--service-allowed-to-authenticate-to",
                         help="Conditions service is allowed to authenticate to.",
                         type=str, dest="allowed_to_authenticate_to",
@@ -87,7 +106,7 @@ class ComputerOptions(options.OptionGroup):
     def __init__(self, parser):
         super().__init__(parser, "Computer Options")
 
-        self.add_option("--computer-tgt-lifetime",
+        self.add_option("--computer-tgt-lifetime-mins",
                         help="Ticket-Granting-Ticket lifetime for computer accounts.",
                         dest="tgt_lifetime", type=int, action="callback",
                         callback=self.set_option,
@@ -217,8 +236,28 @@ class cmd_domain_auth_policy_create(Command):
         if audit and enforce:
             raise CommandError("--audit and --enforce cannot be used together.")
 
+        # Check for repeated, similar arguments.
+        check_similar_args("--user-allowed-to-authenticate-from",
+                           [useropts.allowed_to_authenticate_from,
+                            useropts.allowed_to_authenticate_from_silo])
+        check_similar_args("--service-allowed-to-authenticate-from",
+                           [serviceopts.allowed_to_authenticate_from,
+                            serviceopts.allowed_to_authenticate_from_silo])
+
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
+        # Generate SDDL for authenticating users from a silo
+        if useropts.allowed_to_authenticate_from_silo:
+            silo = AuthenticationSilo.get(
+                ldb, cn=useropts.allowed_to_authenticate_from_silo)
+            useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
+
+        # Generate SDDL for authenticating service accounts from a silo
+        if serviceopts.allowed_to_authenticate_from_silo:
+            silo = AuthenticationSilo.get(
+                ldb, cn=serviceopts.allowed_to_authenticate_from_silo)
+            serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl()
+
         try:
             policy = AuthenticationPolicy.get(ldb, cn=name)
         except ModelError as e:
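Review bot: the two AuthenticationSilo.get() lookups are not guarded, while the AuthenticationPolicy.get() call a few lines below is wrapped in try/except ModelError. For an unknown silo name the user will either see a raw ModelError traceback, or, if get() returns None, an AttributeError on `.get_authentication_sddl()`; either way the command fails without a usable message. Wrap each lookup and raise a CommandError such as "Authentication silo {name} not found." (the pattern get_policy() in silo.py uses), and add a test for the unknown-silo case to the new auth policy tests.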
@@ -313,8 +352,28 @@ class cmd_domain_auth_policy_modify(Command):
         if audit and enforce:
             raise CommandError("--audit and --enforce cannot be used together.")
 
+        # Check for repeated, similar arguments.
+        check_similar_args("--user-allowed-to-authenticate-from",
+                           [useropts.allowed_to_authenticate_from,
+                            useropts.allowed_to_authenticate_from_silo])
+        check_similar_args("--service-allowed-to-authenticate-from",
+                           [serviceopts.allowed_to_authenticate_from,
+                            serviceopts.allowed_to_authenticate_from_silo])
+
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
+        # Generate SDDL for authenticating users from a silo
+        if useropts.allowed_to_authenticate_from_silo:
+            silo = AuthenticationSilo.get(
+                ldb, cn=useropts.allowed_to_authenticate_from_silo)
+            useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
+
+        # Generate SDDL for authenticating service accounts from a silo
+        if serviceopts.allowed_to_authenticate_from_silo:
+            silo = AuthenticationSilo.get(
+                ldb, cn=serviceopts.allowed_to_authenticate_from_silo)
+            serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl()
+
         try:
             policy = AuthenticationPolicy.get(ldb, cn=name)
         except ModelError as e:
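Review bot: these 20 lines (the two check_similar_args() calls and the two silo-to-SDDL blocks) are a verbatim copy of the block added to cmd_domain_auth_policy_create.run() in the previous hunk. Factor them into one module-level helper next to check_similar_args(), e.g. a hypothetical `resolve_silo_sddl(ldb, useropts, serviceopts)`, so that the missing-silo handling and any future change to the generated SDDL only has to be made once.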
diff --git a/python/samba/netcmd/domain/auth/silo.py b/python/samba/netcmd/domain/auth/silo.py
index 0c486aeeaff..b1e2ef0a0ae 100644
--- a/python/samba/netcmd/domain/auth/silo.py
+++ b/python/samba/netcmd/domain/auth/silo.py
@@ -115,18 +115,15 @@ class cmd_domain_auth_silo_create(Command):
         Option("--description",
                help="Optional description for authentication silo.",
                dest="description", action="store", type=str),
-        Option("--policy",
-               help="Use single policy for all principals in this silo.",
-               dest="policy", action="store", type=str),
-        Option("--user-policy",
-               help="User account policy.",
-               dest="user_policy", action="store", type=str),
-        Option("--service-policy",
-               help="Managed Service Account policy.",
-               dest="service_policy", action="store", type=str),
-        Option("--computer-policy",
-               help="Computer account policy.",
-               dest="computer_policy", action="store", type=str),
+        Option("--user-authentication-policy",
+               help="User account authentication policy.",
+               dest="user_authentication_policy", action="store", type=str),
+        Option("--service-authentication-policy",
+               help="Managed service account authentication policy.",
+               dest="service_authentication_policy", action="store", type=str),
+        Option("--computer-authentication-policy",
+               help="Computer authentication policy.",
+               dest="computer_authentication_policy", action="store", type=str),
         Option("--protect",
                help="Protect authentication silo from accidental deletion.",
                dest="protect", action="store_true"),
@@ -153,23 +150,19 @@ class cmd_domain_auth_silo_create(Command):
         except (LookupError, ValueError) as e:
             raise CommandError(e)
 
-    def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
-            description=None, policy=None, user_policy=None,
-            service_policy=None, computer_policy=None, protect=None,
-            unprotect=None, audit=None, enforce=None):
+    def run(self, hostopts=None, sambaopts=None, credopts=None,
+            name=None, description=None,
+            user_authentication_policy=None,
+            service_authentication_policy=None,
+            computer_authentication_policy=None,
+            protect=None, unprotect=None,
+            audit=None, enforce=None):
 
         if protect and unprotect:
             raise CommandError("--protect and --unprotect cannot be used together.")
         if audit and enforce:
             raise CommandError("--audit and --enforce cannot be used together.")
 
-        # If --policy is present start with that as the base. Then optionally
-        # --user-policy, --service-policy, --computer-policy can override this.
-        if policy is not None:
-            user_policy = user_policy or policy
-            service_policy = service_policy or policy
-            computer_policy = computer_policy or policy
-
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
         try:
@@ -185,16 +178,19 @@ class cmd_domain_auth_silo_create(Command):
         silo = AuthenticationSilo(cn=name, description=description)
 
         # Set user policy
-        if user_policy:
-            silo.user_policy = self.get_policy(ldb, user_policy).dn
+        if user_authentication_policy:
+            silo.user_authentication_policy = \
+                self.get_policy(ldb, user_authentication_policy).dn
 
         # Set service policy
-        if service_policy:
-            silo.service_policy = self.get_policy(ldb, service_policy).dn
+        if service_authentication_policy:
+            silo.service_authentication_policy = \
+                self.get_policy(ldb, service_authentication_policy).dn
 
         # Set computer policy
-        if computer_policy:
-            silo.computer_policy = self.get_policy(ldb, computer_policy).dn
+        if computer_authentication_policy:
+            silo.computer_authentication_policy = \
+                self.get_policy(ldb, computer_authentication_policy).dn
 
         # Either --enforce will be set or --audit but never both.
         # The default if both are missing is enforce=True.
@@ -233,18 +229,15 @@ class cmd_domain_auth_silo_modify(Command):
         Option("--description",
                help="Optional description for authentication silo.",
                dest="description", action="store", type=str),
-        Option("--policy",
-               help="Set single policy for all principals in this silo.",
-               dest="policy", action="store", type=str),
-        Option("--user-policy",
-               help="Set User account policy.",
-               dest="user_policy", action="store", type=str),
-        Option("--service-policy",
-               help="Set Managed Service Account policy.",
-               dest="service_policy", action="store", type=str),
-        Option("--computer-policy",
-               help="Set Computer Account policy.",
-               dest="computer_policy", action="store", type=str),
+        Option("--user-authentication-policy",
+               help="User account authentication policy.",
+               dest="user_authentication_policy", action="store", type=str),
+        Option("--service-authentication-policy",
+               help="Managed service account authentication policy.",
+               dest="service_authentication_policy", action="store", type=str),
+        Option("--computer-authentication-policy",
+               help="Computer authentication policy.",
+               dest="computer_authentication_policy", action="store", type=str),
         Option("--protect",
                help="Protect authentication silo from accidental deletion.",
                dest="protect", action="store_true"),
@@ -271,23 +264,19 @@ class cmd_domain_auth_silo_modify(Command):
         except (LookupError, ModelError, ValueError) as e:
             raise CommandError(e)
 
-    def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
-            description=None, policy=None, user_policy=None,
-            service_policy=None, computer_policy=None, protect=None,
-            unprotect=None, audit=None, enforce=None):
+    def run(self, hostopts=None, sambaopts=None, credopts=None,
+            name=None, description=None,
+            user_authentication_policy=None,
+            service_authentication_policy=None,
+            computer_authentication_policy=None,
+            protect=None, unprotect=None,
+            audit=None, enforce=None):
 
         if audit and enforce:
             raise CommandError("--audit and --enforce cannot be used together.")
         if protect and unprotect:
             raise CommandError("--protect and --unprotect cannot be used together.")
 
-        # If --policy is set then start with that for all policies.
-        # They can be individually overridden as well after that.
-        if policy is not None:
-            user_policy = user_policy or policy
-            service_policy = service_policy or policy
-            computer_policy = computer_policy or policy
-
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
         try:
@@ -310,22 +299,25 @@ class cmd_domain_auth_silo_modify(Command):
             silo.description = description
 
         # Set or unset user policy.
-        if user_policy == "":
-            silo.user_policy = None
-        elif user_policy:
-            silo.user_policy = self.get_policy(ldb, user_policy).dn
+        if user_authentication_policy == "":
+            silo.user_authentication_policy = None
+        elif user_authentication_policy:
+            silo.user_authentication_policy = \
+                self.get_policy(ldb, user_authentication_policy).dn
 
         # Set or unset service policy.
-        if service_policy == "":
-            silo.service_policy = None
-        elif service_policy:
-            silo.service_policy = self.get_policy(ldb, service_policy).dn
+        if service_authentication_policy == "":
+            silo.service_authentication_policy = None
+        elif service_authentication_policy:
+            silo.service_authentication_policy = \
+                self.get_policy(ldb, service_authentication_policy).dn
 
         # Set or unset computer policy.
-        if computer_policy == "":
-            silo.computer_policy = None
-        elif computer_policy:
-            silo.computer_policy = self.get_policy(ldb, computer_policy).dn
+        if computer_authentication_policy == "":
+            silo.computer_authentication_policy = None
+        elif computer_authentication_policy:
+            silo.computer_authentication_policy = \
+                self.get_policy(ldb, computer_authentication_policy).dn
 
         # Update silo
         try:
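Review bot: the modify command treats an empty string as "unset" (`if user_authentication_policy == "": silo.user_authentication_policy = None`), but neither the Option help strings above ("User account authentication policy.") nor the manpage entries mention that passing "" clears the link. Document the unset behaviour in the modify help text, e.g. "User account authentication policy (pass an empty string to unset).", so operators do not have to read the source to find it.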
diff --git a/python/samba/netcmd/domain/models/auth_silo.py b/python/samba/netcmd/domain/models/auth_silo.py
index e3228d5607b..28d94e64fa3 100644
--- a/python/samba/netcmd/domain/models/auth_silo.py
+++ b/python/samba/netcmd/domain/models/auth_silo.py
@@ -22,6 +22,8 @@
 
 from ldb import FLAG_MOD_ADD, FLAG_MOD_DELETE, LdbError, Message, MessageElement
 
+from samba.sd_utils import escaped_claim_id
+
 from .exceptions import AddMemberError, RemoveMemberError
 from .fields import DnField, BooleanField, StringField
 from .model import Model
@@ -30,9 +32,9 @@ from .model import Model
 class AuthenticationSilo(Model):
     description = StringField("description")
     enforced = BooleanField("msDS-AuthNPolicySiloEnforced")
-    user_policy = DnField("msDS-UserAuthNPolicy")
-    service_policy = DnField("msDS-ServiceAuthNPolicy")
-    computer_policy = DnField("msDS-ComputerAuthNPolicy")
+    user_authentication_policy = DnField("msDS-UserAuthNPolicy")
+    service_authentication_policy = DnField("msDS-ServiceAuthNPolicy")
+    computer_authentication_policy = DnField("msDS-ComputerAuthNPolicy")
     members = DnField("msDS-AuthNPolicySiloMembers", many=True)
 
     @staticmethod
@@ -96,3 +98,7 @@ class AuthenticationSilo(Model):
 
         # If the modify operation was successful refresh members field.
         self.refresh(ldb, fields=["members"])
+
+    def get_authentication_sddl(self):
+        return ("O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/"
+                f"AuthenticationSilo/{escaped_claim_id(self.name)}))")
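Review bot: the conditional expression generated by get_authentication_sddl() contains no comparison operator: `(@USER.ad://ext/AuthenticationSilo/{escaped_claim_id(self.name)})` appends the silo name to the attribute path, and since "/" is a permitted attribute-name character in the [MS-DTYP] attr-char2 grammar that escaped_claim_id() cites, the whole token parses as one attribute name, so the term only tests for the presence of an attribute by that name rather than for membership of this silo. A Windows-style silo condition compares the claim to a quoted literal, `(@USER.ad://ext/AuthenticationSilo == "name")`, in which case the silo name needs string-literal quoting rather than attribute-name escaping. Please verify the intended form against a descriptor produced by Windows tooling, add a docstring, and add a test that asserts the exact SDDL string, because a malformed condition here silently changes which principals the policy admits.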
diff --git a/python/samba/sd_utils.py b/python/samba/sd_utils.py
index 67d89ef29fe..cabbd47b591 100644
--- a/python/samba/sd_utils.py
+++ b/python/samba/sd_utils.py
@@ -28,6 +28,22 @@ from samba.ntstatus import (
 )
 
 
+def escaped_claim_id(claim_id):
+    """Encode claim attribute names according to [MS-DTYP] 2.5.1 ("attr-char2")
+
+    Some characters must be encoded as %hhhh, while others must not be.
+    Of the optional ones, we encode some control characters.
+
+    The \x00 byte is also encoded, which is useful for tests, but it
+    is forbidden in either form.
+    """
+    escapes = '\x00\t\n\x0b\x0c\r !"%&()<=>|'
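Review bot: the docstring is a regular (non-raw) string, so the `\x00` in "The \x00 byte is also encoded" is turned into a real NUL character inside the docstring rather than the four-character text the author meant readers to see; write the docstring as `r"""..."""` or escape it as `\\x00`. The hunk is truncated here by the 500-line limit, so the body of escaped_claim_id() and its callers in the tests could not be reviewed from this mail.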

