[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Sep 29 03:16:01 UTC 2023


The branch, master has been updated
       via  90ba53eee4a samba-tool: Fix for gpo restore not working without --tmpdir
       via  5ff80465975 libcli/security: fix talloc context for integer values (CID 1545156)
       via  b2107889332 libcli/security: test_run_condtional_ace: va_end() on errors
       via  272f26e3ad0 libcli/security: conditional ACEs check again for NULL/empty claims
       via  6af1a71752b netcmd: auth: manpage documentation for conditional ace fields
       via  12a98ab4fc7 netcmd: tests: add some tests for valid and invalid SDDL in cli commands
       via  645b77342f4 netcmd: auth: add new SDDL fields to create and modify auth policy commands
       via  385029fbc67 netcmd: models: add SDDL fields to AuthenticationPolicy model
       via  1325e013034 netcmd: models: add SDDL model field
       via  83d321e764a netcmd: models: add FieldError subclass which stores the field
       via  950a70a190a netcmd: models: field to_db_value needs ldb param
       via  27cd5982085 netcmd: tests: modify auth silo cli tests setup their own test data
       via  2a333554594 netcmd: tests: modify auth policy cli tests setup their own test data
       via  c01e9431276 netcmd: tests: modify claim cli tests setup their own test data
       via  f1d5f93f3d4 netcmd: tests: test that create objects make use of addCleanup
       via  91fa5088b56 netcmd: tests: tests tidyup and make use of setUpTestData
       via  16c19c470ee netcmd: tests: make _run a classmethod in SambaToolCmdTest
       via  71c191ca9fc python: tests: implement setUpTestData overridable class method
       via  f9d406dca60 netcmd: tests: bugfix: argument -U was already in creds so listed twice
       via  7f4db71025e netcmd: tests: avoid the need to create a random command in GetSamDB
      from  08b9d5c7b9f tests/krb5: Add samba.tests.krb5.conditional_ace_tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 90ba53eee4a3614da81ee562be2a55c01888c2cf
Author: Kacper <kacper at kacper.se>
Date:   Wed Aug 30 14:33:49 2023 +0200

    samba-tool: Fix for gpo restore not working without --tmpdir
    
    cmd_restore depends on cmd_create but the latter cleans up
    required temp files for cmd_restore to function.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15462
    
    RN: Fix for gpo restore not working without --tmpdir
    
    Signed-off-by: Kacper Boström <kacper at kacper.se>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: David Mulder <dmulder at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Sep 29 03:15:18 UTC 2023 on atb-devel-224

commit 5ff804659758e3aae2dc38645d7ab26cefb0c533
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Sep 29 12:35:10 2023 +1300

    libcli/security: fix talloc context for integer values (CID 1545156)
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b2107889332135fc39c092a8d44ff5b9a0ecdcfb
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Sep 29 12:25:21 2023 +1300

    libcli/security: test_run_condtional_ace: va_end() on errors
    
    CID 1545154, CID 1545155.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 272f26e3ad01a6017b52a992123106777ed3aaa3
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Sep 29 12:24:14 2023 +1300

    libcli/security: conditional ACEs check again for NULL/empty claims
    
    CID 1545152.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6af1a71752b715120075323dbcd1326c79df7ace
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Sep 21 11:41:02 2023 +1200

    netcmd: auth: manpage documentation for conditional ace fields
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 12a98ab4fc7765f8b58f115f90ef399c26a2fb77
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Sep 28 15:33:18 2023 +1300

    netcmd: tests: add some tests for valid and invalid SDDL in cli commands
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 645b77342f42a55b8693e867ec92da2ea5a3b31c
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Sep 20 13:04:14 2023 +1200

    netcmd: auth: add new SDDL fields to create and modify auth policy commands
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 385029fbc672cd6e3a37ff6a7ad09dc6ad1eb542
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Sep 20 13:02:21 2023 +1200

    netcmd: models: add SDDL fields to AuthenticationPolicy model
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1325e01303499b7d94e3b781bee3672c2a94f190
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Sep 20 12:52:31 2023 +1200

    netcmd: models: add SDDL model field
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 83d321e764a3fc1124ff656a4a7714d262c835e0
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Sep 28 15:22:17 2023 +1300

    netcmd: models: add FieldError subclass which stores the field
    
    This is so that errors on the CLI show the field name
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 950a70a190ab986c646a77d14295f6b1697db407
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Sep 20 12:50:15 2023 +1200

    netcmd: models: field to_db_value needs ldb param
    
    Required by SDDL field type added in next commit
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 27cd59820859d57e93e8e6595580934c47fe75e8
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Sep 28 17:26:22 2023 +1300

    netcmd: tests: modify auth silo cli tests setup their own test data
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2a3335545946e3d6c06204912b2a7c8ad03e3de8
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Sep 28 17:13:15 2023 +1300

    netcmd: tests: modify auth policy cli tests setup their own test data
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c01e9431276876db7555e58846ac7e2a6b5383c1
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Sep 28 16:41:57 2023 +1300

    netcmd: tests: modify claim cli tests setup their own test data
    
    Initially the test data was created in setUp, but it was moved to setUpClass.
    
    The problem with this is tests modifying objects, which could affect the next test.
    
    Create all required data in the test itself for clarity (and it is also faster)
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f1d5f93f3d4064d0779185a9d380a93c116d3b7c
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Thu Sep 28 14:48:09 2023 +1300

    netcmd: tests: test that create objects make use of addCleanup
    
    Since the samdb connection is on the class and hangs around between tests, we need to clean up what we created.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 91fa5088b5634320d7d882e474472bc13f076696
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Sep 27 00:20:49 2023 +1300

    netcmd: tests: tests tidyup and make use of setUpTestData
    
    Still only load the test data once per test class, but much easier to read.
    
    Made several methods static for creating/deleting claims, policies and silos.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 16c19c470eedb914eb1a82406ed3e203a7618d23
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Wed Sep 27 00:01:06 2023 +1300

    netcmd: tests: make _run a classmethod in SambaToolCmdTest
    
    So that it can be called from setUpClass as well
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 71c191ca9fc8c836609f579de78678711e1ed034
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Tue Sep 26 21:10:33 2023 +1300

    python: tests: implement setUpTestData overridable class method
    
    On Python 3.6 and 3.7 the addClassCleanup method needs to be implemented, and tearDownClass must be called by setUpClass if any exception is raised.
    
    On Python 3.8 and higher, unittest already calls tearDownClass, even if it raises an exception in setUpClass.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f9d406dca608f99f4d2e07ac0438c8043a7d5669
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Sep 25 13:26:19 2023 +1300

    netcmd: tests: bugfix: argument -U was already in creds so listed twice
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7f4db71025e5e473ccbc0d03255932ce2dd4b7f9
Author: Rob van der Linde <rob at catalyst.net.nz>
Date:   Mon Sep 25 12:51:19 2023 +1300

    netcmd: tests: avoid the need to create a random command in GetSamDB
    
    Also the code that looks over kwargs is somewhat confusing and unnecessary.
    
    Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/samba-tool.8.xml                 | 140 ++++++++++++++++
 libcli/security/conditional_ace.c                  |  11 +-
 libcli/security/tests/test_run_conditional_ace.c   |   2 +
 python/samba/netcmd/domain/auth/policy.py          |  69 +++++++-
 python/samba/netcmd/domain/models/auth_policy.py   |  13 +-
 python/samba/netcmd/domain/models/exceptions.py    |  12 ++
 python/samba/netcmd/domain/models/fields.py        |  54 ++++--
 python/samba/netcmd/domain/models/model.py         |  15 +-
 python/samba/netcmd/gpo.py                         |   9 +
 python/samba/tests/__init__.py                     |  54 ++++++
 python/samba/tests/samba_tool/base.py              |  38 ++---
 python/samba/tests/samba_tool/domain_auth_base.py  | 116 ++++++-------
 .../samba/tests/samba_tool/domain_auth_policy.py   | 158 ++++++++++++++----
 python/samba/tests/samba_tool/domain_auth_silo.py  |  69 +++++---
 python/samba/tests/samba_tool/domain_claim.py      | 182 ++++++++++-----------
 python/samba/tests/samba_tool/domain_models.py     |  56 ++++++-
 python/samba/tests/samba_tool/visualize.py         |   5 +-
 .../torture/drs/python/samba_tool_drs_showrepl.py  |   6 +-
 18 files changed, 739 insertions(+), 270 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 55e714dbed4..83d91bd0af1 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -728,6 +728,34 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>--user-allowed-to-authenticate-from</term>
+			<listitem>
+				<para>
+					Conditions user is allowed to authenticate from.
+				</para>
+				<para>
+					Must be a valid SDDL string.
+				</para>
+				<para>
+					Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
+				</para>
+			</listitem>
+		</varlistentry>
+		<varlistentry>
+			<term>--user-allowed-to-authenticate-to</term>
+			<listitem>
+				<para>
+					Conditions user is allowed to authenticate to.
+				</para>
+				<para>
+					Must be a valid SDDL string.
+				</para>
+				<para>
+					Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
+				</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term>--service-tgt-lifetime</term>
 			<listitem>
@@ -745,6 +773,34 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>--service-allowed-to-authenticate-from</term>
+			<listitem>
+				<para>
+					Conditions service is allowed to authenticate from.
+				</para>
+				<para>
+					Must be a valid SDDL string.
+				</para>
+				<para>
+					Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
+				</para>
+			</listitem>
+		</varlistentry>
+		<varlistentry>
+			<term>--service-allowed-to-authenticate-to</term>
+			<listitem>
+				<para>
+					Conditions service is allowed to authenticate to.
+				</para>
+				<para>
+					Must be a valid SDDL string.
+				</para>
+				<para>
+					Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
+				</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term>--computer-tgt-lifetime</term>
 			<listitem>
@@ -753,6 +809,20 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>-computer-allowed-to-authenticate-to</term>
+			<listitem>
+				<para>
+					Conditions computer is allowed to authenticate to.
+				</para>
+				<para>
+					Must be a valid SDDL string.
+				</para>
+				<para>
+					Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
+				</para>
+			</listitem>
+		</varlistentry>
 	</variablelist>
 </refsect3>
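Review bot: `<term>-computer-allowed-to-authenticate-to</term>` has a single leading dash, while the option is registered as `--computer-allowed-to-authenticate-to` in policy.py and every sibling entry in this hunk uses two; the manpage entry should read `--computer-allowed-to-authenticate-to`.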
 
@@ -847,6 +917,34 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>--user-allowed-to-authenticate-from</term>
+			<listitem>
+				<para>
+					Conditions user is allowed to authenticate from.
+				</para>
+				<para>
+					Must be a valid SDDL string.
+				</para>
+				<para>
+					Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
+				</para>
+			</listitem>
+		</varlistentry>
+		<varlistentry>
+			<term>--user-allowed-to-authenticate-to</term>
+			<listitem>
+				<para>
+					Conditions user is allowed to authenticate to.
+				</para>
+				<para>
+					Must be a valid SDDL string.
+				</para>
+				<para>
+					Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
+				</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term>--service-tgt-lifetime</term>
 			<listitem>
@@ -864,6 +962,34 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>--service-allowed-to-authenticate-from</term>
+			<listitem>
+				<para>
+					Conditions service is allowed to authenticate from.
+				</para>
+				<para>
+					Must be a valid SDDL string.
+				</para>
+				<para>
+					Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
+				</para>
+			</listitem>
+		</varlistentry>
+		<varlistentry>
+			<term>--service-allowed-to-authenticate-to</term>
+			<listitem>
+				<para>
+					Conditions service is allowed to authenticate to.
+				</para>
+				<para>
+					Must be a valid SDDL string.
+				</para>
+				<para>
+					Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
+				</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term>--computer-tgt-lifetime</term>
 			<listitem>
@@ -872,6 +998,20 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>-computer-allowed-to-authenticate-to</term>
+			<listitem>
+				<para>
+					Conditions computer is allowed to authenticate to.
+				</para>
+				<para>
+					Must be a valid SDDL string.
+				</para>
+				<para>
+					Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
+				</para>
+			</listitem>
+		</varlistentry>
 	</variablelist>
 </refsect3>
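Review bot: same single-dash typo as in the create section above: `<term>-computer-allowed-to-authenticate-to</term>` should be `--computer-allowed-to-authenticate-to` to match the Option defined in policy.py.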
 
diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index 50935a20a53..2f15b873dd3 100644
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -586,7 +586,7 @@ struct ace_condition_script *parse_conditional_ace(TALLOC_CTX *mem_ctx,
 		case CONDITIONAL_ACE_TOKEN_INT16:
 		case CONDITIONAL_ACE_TOKEN_INT32:
 		case CONDITIONAL_ACE_TOKEN_INT64:
-			consumed = pull_integer(mem_ctx,
+			consumed = pull_integer(program,
 						tok_data,
 						available,
 						&tok->data.int64);
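Review bot: worth confirming that the other allocating cases in this switch (strings, SIDs, octet strings, composites) already pass `program` rather than `mem_ctx`, since only the INT16/INT32/INT64 case is changed here; otherwise the talloc-context issue flagged by CID 1545156 is still present for those token types.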
@@ -830,6 +830,15 @@ static bool token_claim_lookup(
 		return false;
 	}
 
+	if (num_claims == 0) {
+		DBG_NOTICE("There are no type %u claims\n", op->type);
+		return false;
+	}
+	if (claims == NULL) {
+		DBG_ERR("Type %u claim list unexpectedly NULL!\n", op->type);
+		result->type = CONDITIONAL_ACE_SAMBA_RESULT_ERROR;
+		return false;
+	}
 	/*
 	 * Loop backwards: a later claim will override an earlier one with the
 	 * same name.
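Review bot: the two new early returns behave differently and the reason is not written down: `num_claims == 0` returns false and leaves `result->type` alone, whereas `claims == NULL` sets CONDITIONAL_ACE_SAMBA_RESULT_ERROR. That looks intentional (an empty claim set is a normal "not found", a NULL list is a bug), so a one-line comment would help the next reader. Also note that because the `num_claims == 0` test comes first, a NULL list with zero claims is treated as the benign case; if that combination can occur, check the pointer first.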
diff --git a/libcli/security/tests/test_run_conditional_ace.c b/libcli/security/tests/test_run_conditional_ace.c
index f8500275148..c538b7cb55e 100644
--- a/libcli/security/tests/test_run_conditional_ace.c
+++ b/libcli/security/tests/test_run_conditional_ace.c
@@ -77,6 +77,7 @@ static bool fill_token_claims(TALLOC_CTX *mem_ctx,
 						    name,
 						    str);
 		if (claim == NULL) {
+			va_end(args);
 			debug_fail("bad claim: %s\n", str);
 			return false;
 		}
@@ -117,6 +118,7 @@ static bool fill_token_sids(TALLOC_CTX *mem_ctx,
 		sid = sddl_decode_sid(mem_ctx, &str, NULL);
 		if (sid == NULL) {
 			debug_fail("bad SID: %s\n", str);
+			va_end(args);
 			return false;
 		}
 		add_sid_to_array(mem_ctx, sid, list, n);
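Review bot: `va_end(args)` is placed after `debug_fail()` here but before it in the fill_token_claims hunk above; harmless either way, but a consistent order makes it easier to spot early-return paths that still lack a `va_end`. Separately, the `add_sid_to_array()` call in the trailing context discards its return value, so an allocation failure there would go unnoticed; not part of this change, but worth a follow-up.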
diff --git a/python/samba/netcmd/domain/auth/policy.py b/python/samba/netcmd/domain/auth/policy.py
index 07b21bdf81d..faf81cca616 100644
--- a/python/samba/netcmd/domain/auth/policy.py
+++ b/python/samba/netcmd/domain/auth/policy.py
@@ -148,6 +148,12 @@ class cmd_domain_auth_policy_create(Command):
                     "is restricted to selected devices.",
                dest="user_allow_ntlm_auth", action="store_true",
                default=False),
+        Option("--user-allowed-to-authenticate-from",
+               help="Conditions user is allowed to authenticate from.",
+               dest="user_allowed_to_authenticate_from", type=str, action="store"),
+        Option("--user-allowed-to-authenticate-to",
+               help="Conditions user is allowed to authenticate to.",
+               dest="user_allowed_to_authenticate_to", type=str, action="store"),
         Option("--service-tgt-lifetime",
                help="Ticket-Granting-Ticket lifetime for service accounts.",
                dest="service_tgt_lifetime", type=int, action="store",
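Review bot: the help strings ("Conditions user is allowed to authenticate from.") do not tell the operator what to pass, while the manpage hunk says "Must be a valid SDDL string"; repeat that here, e.g. help="SDDL conditional ACE describing where the user may authenticate from.", so `samba-tool ... --help` and the manpage agree. The same applies to the four sibling options added in this file. Validation is evidently left to the model layer, which is fine as long as the resulting FieldError names the option, which the exceptions.py hunk below takes care of.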
@@ -157,17 +163,29 @@ class cmd_domain_auth_policy_create(Command):
                     "is restricted to selected devices.",
                dest="service_allow_ntlm_auth", action="store_true",
                default=False),
+        Option("--service-allowed-to-authenticate-from",
+               help="Conditions service is allowed to authenticate from.",
+               dest="service_allowed_to_authenticate_from", type=str, action="store"),
+        Option("--service-allowed-to-authenticate-to",
+               help="Conditions service is allowed to authenticate to.",
+               dest="service_allowed_to_authenticate_to", type=str, action="store"),
         Option("--computer-tgt-lifetime",
                help="Ticket-Granting-Ticket lifetime for computer accounts.",
                dest="computer_tgt_lifetime", type=int, action="store",
                validators=[Range(min=MIN_TGT_LIFETIME, max=MAX_TGT_LIFETIME)]),
+        Option("--computer-allowed-to-authenticate-to",
+               help="Conditions computer is allowed to authenticate to.",
+               dest="computer_allowed_to_authenticate_to", type=str, action="store"),
     ]
 
     def run(self, ldap_url=None, sambaopts=None, credopts=None, name=None,
             description=None, protect=None, unprotect=None, audit=None,
             enforce=None, strong_ntlm_policy=None, user_tgt_lifetime=None,
-            user_allow_ntlm_auth=None, service_tgt_lifetime=None,
-            service_allow_ntlm_auth=None, computer_tgt_lifetime=None):
+            user_allow_ntlm_auth=None, user_allowed_to_authenticate_from=None,
+            user_allowed_to_authenticate_to=None, service_tgt_lifetime=None,
+            service_allow_ntlm_auth=None, service_allowed_to_authenticate_from=None,
+            service_allowed_to_authenticate_to=None, computer_tgt_lifetime=None,
+            computer_allowed_to_authenticate_to=None):
 
         if not name:
             raise CommandError("Argument --name is required.")
@@ -194,9 +212,14 @@ class cmd_domain_auth_policy_create(Command):
             strong_ntlm_policy=StrongNTLMPolicy[strong_ntlm_policy.upper()],
             user_allow_ntlm_auth=user_allow_ntlm_auth,
             user_tgt_lifetime=user_tgt_lifetime,
+            user_allowed_to_authenticate_from=user_allowed_to_authenticate_from,
+            user_allowed_to_authenticate_to=user_allowed_to_authenticate_to,
             service_allow_ntlm_auth=service_allow_ntlm_auth,
             service_tgt_lifetime=service_tgt_lifetime,
+            service_allowed_to_authenticate_from=service_allowed_to_authenticate_from,
+            service_allowed_to_authenticate_to=service_allowed_to_authenticate_to,
             computer_tgt_lifetime=computer_tgt_lifetime,
+            computer_allowed_to_authenticate_to=computer_allowed_to_authenticate_to,
         )
 
         # Either --enforce will be set or --audit but never both.
@@ -262,6 +285,12 @@ class cmd_domain_auth_policy_modify(Command):
                     "is restricted to selected devices.",
                dest="user_allow_ntlm_auth", action="store_true",
                default=False),
+        Option("--user-allowed-to-authenticate-from",
+               help="Conditions user is allowed to authenticate from.",
+               dest="user_allowed_to_authenticate_from", type=str, action="store"),
+        Option("--user-allowed-to-authenticate-to",
+               help="Conditions user is allowed to authenticate to.",
+               dest="user_allowed_to_authenticate_to", type=str, action="store"),
         Option("--service-tgt-lifetime",
                help="Ticket-Granting-Ticket lifetime for service accounts.",
                dest="service_tgt_lifetime", type=int, action="store",
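Review bot: the five new Option definitions in this class are verbatim copies of the ones added to cmd_domain_auth_policy_create above. Defining them once at module level and referencing the list from both commands would keep the help text and `dest` names from drifting apart over time.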
@@ -271,17 +300,29 @@ class cmd_domain_auth_policy_modify(Command):
                     "is restricted to selected devices.",
                dest="service_allow_ntlm_auth", action="store_true",
                default=False),
+        Option("--service-allowed-to-authenticate-from",
+               help="Conditions service is allowed to authenticate from.",
+               dest="service_allowed_to_authenticate_from", type=str, action="store"),
+        Option("--service-allowed-to-authenticate-to",
+               help="Conditions service is allowed to authenticate to.",
+               dest="service_allowed_to_authenticate_to", type=str, action="store"),
         Option("--computer-tgt-lifetime",
                help="Ticket-Granting-Ticket lifetime for computer accounts.",
                dest="computer_tgt_lifetime", type=int, action="store",
                validators=[Range(min=MIN_TGT_LIFETIME, max=MAX_TGT_LIFETIME)]),
+        Option("--computer-allowed-to-authenticate-to",
+               help="Conditions computer is allowed to authenticate to.",
+               dest="computer_allowed_to_authenticate_to", type=str, action="store"),
     ]
 
     def run(self, ldap_url=None, sambaopts=None, credopts=None, name=None,
             description=None, protect=None, unprotect=None, audit=None,
             enforce=None, strong_ntlm_policy=None, user_tgt_lifetime=None,
-            user_allow_ntlm_auth=None, service_tgt_lifetime=None,
-            service_allow_ntlm_auth=None, computer_tgt_lifetime=None):
+            user_allow_ntlm_auth=None, user_allowed_to_authenticate_from=None,
+            user_allowed_to_authenticate_to=None, service_tgt_lifetime=None,
+            service_allow_ntlm_auth=None, service_allowed_to_authenticate_from=None,
+            service_allowed_to_authenticate_to=None, computer_tgt_lifetime=None,
+            computer_allowed_to_authenticate_to=None):
 
         if not name:
             raise CommandError("Argument --name is required.")
@@ -321,18 +362,38 @@ class cmd_domain_auth_policy_modify(Command):
         if user_tgt_lifetime is not None:
             policy.user_tgt_lifetime = user_tgt_lifetime
 
+        if user_allowed_to_authenticate_from is not None:
+            policy.user_allowed_to_authenticate_from = \
+                user_allowed_to_authenticate_from
+
+        if user_allowed_to_authenticate_to is not None:
+            policy.user_allowed_to_authenticate_to = \
+                user_allowed_to_authenticate_to
+
         # Service sign on
         ##################
 
         if service_tgt_lifetime is not None:
             policy.service_tgt_lifetime = service_tgt_lifetime
 
+        if service_allowed_to_authenticate_from is not None:
+            policy.service_allowed_to_authenticate_from = \
+                service_allowed_to_authenticate_from
+
+        if service_allowed_to_authenticate_to is not None:
+            policy.service_allowed_to_authenticate_to = \
+                service_allowed_to_authenticate_to
+
         # Computer
         ###########
 
         if computer_tgt_lifetime is not None:
             policy.computer_tgt_lifetime = computer_tgt_lifetime
 
+        if computer_allowed_to_authenticate_to is not None:
+            policy.computer_allowed_to_authenticate_to = \
+                computer_allowed_to_authenticate_to
+
         # Update policy.
         try:
             policy.save(ldb)
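Review bot: with the `is not None` guards, `modify` can set or replace these attributes but never clear one once it has been set; passing an empty string would go through the SDDL field rather than unset it. The existing integer fields share the limitation, but for an authentication restriction the ability to remove it deliberately matters, so either accept an explicit empty value as "unset" or document in the manpage that clearing requires a direct LDAP modification.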
diff --git a/python/samba/netcmd/domain/models/auth_policy.py b/python/samba/netcmd/domain/models/auth_policy.py
index dec8bb26190..df9f936ffa8 100644
--- a/python/samba/netcmd/domain/models/auth_policy.py
+++ b/python/samba/netcmd/domain/models/auth_policy.py
@@ -23,7 +23,8 @@
 from enum import IntEnum
 from ldb import Dn
 
-from .fields import BooleanField, EnumField, IntegerField, StringField
+from .fields import (BooleanField, EnumField, IntegerField, SDDLField,
+                     StringField)
 from .model import Model
 
 # Ticket-Granting-Ticket lifetimes.
@@ -56,6 +57,16 @@ class AuthenticationPolicy(Model):
         "msDS-ServiceAllowedNTLMNetworkAuthentication")
     service_tgt_lifetime = IntegerField("msDS-ServiceTGTLifetime")
     computer_tgt_lifetime = IntegerField("msDS-ComputerTGTLifetime")
+    user_allowed_to_authenticate_from = SDDLField(
+        "msDS-UserAllowedToAuthenticateFrom")
+    user_allowed_to_authenticate_to = SDDLField(
+        "msDS-UserAllowedToAuthenticateTo")
+    service_allowed_to_authenticate_from = SDDLField(
+        "msDS-ServiceAllowedToAuthenticateFrom")
+    service_allowed_to_authenticate_to = SDDLField(
+        "msDS-ServiceAllowedToAuthenticateTo")
+    computer_allowed_to_authenticate_to = SDDLField(
+        "msDS-ComputerAllowedToAuthenticateTo")
 
     @staticmethod
     def get_base_dn(ldb):
diff --git a/python/samba/netcmd/domain/models/exceptions.py b/python/samba/netcmd/domain/models/exceptions.py
index 805c7a221b7..b28b423f64d 100644
--- a/python/samba/netcmd/domain/models/exceptions.py
+++ b/python/samba/netcmd/domain/models/exceptions.py
@@ -24,6 +24,18 @@ class ModelError(Exception):
     pass
 
 
+class FieldError(ModelError):
+    """A ModelError on a specific field."""
+
+    def __init__(self, *args, field=None):
+        self.field = field
+        super().__init__(*args)
+
+    def __str__(self):
+        message = super().__str__()
+        return f"{self.field.name}: {message}"
+
+
 class MultipleObjectsReturned(ModelError):
     pass
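Review bot: `FieldError.__str__` dereferences `self.field.name`, but `field` defaults to None, so a FieldError raised without a field will itself raise AttributeError when formatted. Either make `field` a required keyword argument or fall back to the bare message, e.g. `return f"{self.field.name}: {message}" if self.field else message`.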
 
diff --git a/python/samba/netcmd/domain/models/fields.py b/python/samba/netcmd/domain/models/fields.py
index 523b7d69d57..845b34d10ab 100644
--- a/python/samba/netcmd/domain/models/fields.py
+++ b/python/samba/netcmd/domain/models/fields.py
@@ -28,6 +28,7 @@ from datetime import datetime
 from xml.etree import ElementTree
 
 from ldb import Dn, MessageElement, string_to_time, timestring
+from samba.dcerpc import security
 from samba.dcerpc.misc import GUID
 from samba.ndr import ndr_pack, ndr_unpack
 
@@ -74,12 +75,13 @@ class Field(metaclass=ABCMeta):
         pass
 
     @abstractmethod
-    def to_db_value(self, value, flags):
+    def to_db_value(self, ldb, value, flags):
         """Converts value to database value.
 
         This should return a MessageElement or None, where None means
         the field will be unset on the next save.
 
+        :param ldb: Ldb connection
         :param value: Input value from Python field
         :param flags: MessageElement flags
         :returns: MessageElement or None
@@ -99,7 +101,7 @@ class IntegerField(Field):
         else:
             return int(value[0])
 
-    def to_db_value(self, value, flags):
+    def to_db_value(self, ldb, value, flags):
         """Convert int or list of int to MessageElement."""
         if value is None:
             return
@@ -129,7 +131,7 @@ class BinaryField(Field):
         else:
             return bytes(value[0])
 
-    def to_db_value(self, value, flags):
+    def to_db_value(self, ldb, value, flags):
         """Convert bytes or list of bytes to MessageElement."""
         if value is None:
             return
@@ -152,7 +154,7 @@ class StringField(Field):
         else:
             return str(value)
 
-    def to_db_value(self, value, flags):
+    def to_db_value(self, ldb, value, flags):
         """Convert str or list of str to MessageElement."""
         if value is None:
             return
@@ -190,7 +192,7 @@ class EnumField(Field):
         else:
             return self.enum_from_value(value)
 
-    def to_db_value(self, value, flags):
+    def to_db_value(self, ldb, value, flags):
         """Convert enum or list of enum to MessageElement."""
         if value is None:
             return
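Review bot: the changeset is truncated here, so the remaining Field subclasses cannot be reviewed; BooleanField (still imported by auth_policy.py above) and any other `to_db_value` override must gain the same `ldb` parameter, or callers passing three arguments will fail at save time. A quick grep for `def to_db_value(self, value, flags)` across the models package would confirm nothing was missed.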


-- 
Samba Shared Repository


