[SCM] Samba Shared Repository - branch v4-20-stable updated
Jule Anger
janger at samba.org
Mon Feb 12 19:54:47 UTC 2024
The branch, v4-20-stable has been updated
via 0167b75a5b2 VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc2 release.
via f06a06b7132 WHATSNEW: Add release notes for Samba 4.20.0rc2.
via f8dfce94822 WHATSNEW: Explain new AD DC Claims, authentication policies and Silos
via 4872b0abf6b WHATSNEW: Add some information about new conditional aces feature
via 8e8b8fc0548 WHATSNEW: note "acl_claims evaluation" smb.conf option
via 7f338d6119a ndr: ignore trailing bytes in ndr_pull_security_ace()
via 0f81aec9a19 ndr: ndr_push_security_ace: calculate coda size once
via 4808478685c ndr: avoid object ACE push overhead for non-object ACE
via 276e67fe174 ndr: avoid object ACE pull overhead for non-object ACE
via 5c0f6a20745 ndr: do not push ACE->coda.ignored blob
via d4547daf5ee ndr: mark invalid pull ndr_flags as unlikely
via 5d0d17a92db ndr: skip talloc when pulling empty DATA_BLOB
via e61d447690f ndr: ACE push avoids no-op coda pushes
via e4cf11b1b39 ndr: make security_ace push manual
via c9974e622bf ndr: short-circuit ace coda if no bytes left
via 8787185a6ca ndr: shift ndr_pull_security_ace to manual code
via f8014cae2eb pidl: calculate subcontext_size only once per pull
via b5289d66e9e perftest: ndr_pack runs in none environment
via fb49ce47609 perftest:ndr_pack: spin in do_nothing for a while
via 14edd0fd1ef perftest:ndr_pack: use a valid dummy SID
via 1287f182167 perftest:ndr_pack_performance: remove irrelevant imports, options
via 7f0bdf2b99e perftest:ndr_pack: slightly reduce python overhead
via 66fa6885551 perftest: ndr_pack_performance gets more SD types
via daf5b5f5eb2 perftest:ndr_pack: rename SD tests with object ACEs
via 59365287486 docs-xml: Build and install man page for wspsearch
via 9e946a8ddd3 python:gp: Fix logging with gp
via 7908c00dec2 VERSION: Bump version up to Samba 4.20.0rc2...
from d05af785057 VERSION: Disable GIT_SNAPSHOT for the Samba 4.20.0rc1 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 100 +++++++++++++++++-
docs-xml/wscript_build | 1 +
librpc/idl/security.idl | 2 +-
librpc/ndr/libndr.h | 2 +-
librpc/ndr/ndr_basic.c | 6 ++
librpc/ndr/ndr_sec_helper.c | 107 ++++++++++++++++++-
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 5 +-
python/samba/gp/util/logging.py | 5 +-
selftest/perf_tests.py | 4 +-
source4/dsdb/tests/python/ndr_pack_performance.py | 121 ++++++++++------------
11 files changed, 280 insertions(+), 75 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 3fe7a037533..12917e08428 100644
--- a/VERSION
+++ b/VERSION
@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=1
+SAMBA_VERSION_RC_RELEASE=2
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8158a80288c..de3b0f03d49 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the first release candidate of Samba 4.20. This is *not*
+This is the second release candidate of Samba 4.20. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -108,6 +108,90 @@ New options added are:
and all files/directories below.
- '--restore savefile' Restores the stored DACLS to files in directory
+Samba-tool extensions for AD Claims, Authentication Policies and Silos
+----------------------------------------------------------------------
+
+samba-tool now allows users to be associated with claims. In the
+Samba AD DC, claims derive from Active Directory attributes mapped
+into specific names. These claims can be used in rules, which are
+conditional ACEs in a security descriptor, that decide if a user is
+restricted by an authentication policy.
+
+samba-tool also allows the creation and management of authentication
+policies, which are rules about where a user may authenticate from,
+if NTLM is permitted, and what services a user may authenticate to.
+
+Finally, support is added for the creation and management of
+authentication silos, which are helpful in defining network boundaries
+by grouping users and the services they connect to.
+
+Please note: The command line syntax for these tools is not final, and
+may change before the next release, as we gain user feedback. The
+syntax will be locked in once Samba offers 2016 AD Functional Level as
+a default.
+
+AD DC support for Authentication Silos and Authentication Policies
+------------------------------------------------------------------
+
+The Samba AD DC now also honours any existing claims, authentication
+policy and authentication silo configuration previously created (eg
+from an import of a Microsoft AD), as well as new configurations
+created with samba-tool. The use of Microsoft's Powershell based
+client tools is not expected to work.
+
+To use this feature, the functional level must be set to 2012_R2 or
+later with:
+
+ ad dc functional level = 2016
+
+in the smb.conf.
+
+The smb.conf file on each DC must have 'ad dc functional level = 2016'
+set to have the partially complete feature available. This will also,
+at first startup, update the server's own AD entry with the configured
+functional level.
+
+For new domains, add these parameters to 'samba-tool provision'
+
+--option="ad dc functional level = 2016" --function-level=2016
+
+The second option, setting the overall domain functional level
+indicates that all DCs should be at this functional level.
+
+To raise the domain functional level of an existing domain, after
+updating the smb.conf and restarting Samba run
+samba-tool domain schemaupgrade --schema=2019
+samba-tool domain functionalprep --function-level=2016
+samba-tool domain level raise --domain-level=2016 --forest-level=2016
+
+This support is still new, so is not enabled by default in this
+release. The above instructions are set at 2016, which while not
+complete, matches what our testing environment validates.
+
+Conditional ACEs and Resource Attribute ACEs
+--------------------------------------------
+
+Ordinary Access Control Entries (ACEs) unconditionally allow or deny
+access to a given user or group. Conditional ACEs have an additional
+section that describes conditions under which the ACE applies. If the
+conditional expression is true, the ACE works like an ordinary ACE,
+otherwise it is ignored. The condition terms can refer to claims,
+group memberships, and attributes on the object itself. These
+attributes are described in Resource Attribute ACEs that occur in the
+object's System Access Control List (SACL). Conditional ACEs are
+described in Microsoft documentation.
+
+Conditional ACE evaluation is controlled by the "acl claims
+evaluation" smb.conf option. The default value is "AD DC only" which
+enables them in AD DC settings. The other option is "never", which
+disables them altogether. There is currently no option to enable them
+on the file server (this is likely to change in future releases).
+
+The Security Descriptor Definition Language has extensions for
+conditional ACEs and resource attribute ACEs; these are now supported
+by Samba.
+
+
REMOVED FEATURES
================
@@ -127,6 +211,20 @@ smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
smb3 unix extensions Per share -
+ acl claims evaluation new AD DC only
+
+
+CHANGES SINCE 4.20.0rc1
+=======================
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 15574: Performance regression for NDR parsing of security descriptors.
+
+o Anoop C S <anoopcs at samba.org>
+ * BUG 15565: Build and install man page for wspsearch client utility.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15558: samba-gpupdate logging doesn't work.
KNOWN ISSUES
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 95ed08ed1d8..434afacaf1e 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -54,6 +54,7 @@ manpages='''
manpages/wbinfo.1
manpages/winbindd.8
manpages/samba-log-parser.1
+ manpages/wspsearch.1
'''
pam_winbind_manpages = '''
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index d1552475b63..8783b678157 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -715,7 +715,7 @@ interface security
[default][flag(NDR_REMAINING)] DATA_BLOB ignored;
} security_ace_coda;
- typedef [public,gensize,nosize] struct {
+ typedef [public,gensize,nosize,nopush,nopull] struct {
security_ace_type type; /* SEC_ACE_TYPE_* */
security_ace_flags flags; /* SEC_ACE_FLAG_* */
[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
index 70dd01e49a6..03d1aead01a 100644
--- a/librpc/ndr/libndr.h
+++ b/librpc/ndr/libndr.h
@@ -367,7 +367,7 @@ enum ndr_compression_alg {
};
#define NDR_PULL_CHECK_FLAGS(ndr, ndr_flags) do { \
- if ((ndr_flags) & ~(NDR_SCALARS|NDR_BUFFERS)) { \
+ if (unlikely((ndr_flags) & ~(NDR_SCALARS|NDR_BUFFERS))) { \
return ndr_pull_error(ndr, NDR_ERR_FLAGS, "Invalid pull struct ndr_flags 0x%"PRI_NDR_FLAGS_TYPE, ndr_flags); \
} \
} while (0)
diff --git a/librpc/ndr/ndr_basic.c b/librpc/ndr/ndr_basic.c
index fc8620f28c7..5fd15730a74 100644
--- a/librpc/ndr/ndr_basic.c
+++ b/librpc/ndr/ndr_basic.c
@@ -1453,6 +1453,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_DATA_BLOB(struct ndr_pull *ndr, ndr_flags_ty
} else {
NDR_CHECK(ndr_pull_uint3264(ndr, NDR_SCALARS, &length));
}
+ if (length == 0) {
+ /* skip the talloc for an empty blob */
+ blob->data = NULL;
+ blob->length = 0;
+ return NDR_ERR_SUCCESS;
+ }
NDR_PULL_NEED_BYTES(ndr, length);
*blob = data_blob_talloc(ndr->current_mem_ctx, ndr->data+ndr->offset, length);
ndr->offset += length;
diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c
index d74d31b2823..f870a17aafc 100644
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@@ -64,7 +64,11 @@ size_t ndr_size_security_ace(const struct security_ace *ace, libndr_flags flags)
} else if (ace->type == SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE) {
ret += ndr_size_security_ace_coda(&ace->coda, ace->type, flags);
} else {
- ret += ace->coda.ignored.length;
+ /*
+ * Normal ACEs have a coda.ignored blob that is always or
+ * almost always empty. We aren't going to push it (it is
+ * ignored), so we don't add that length to the size.
+ */
}
/* round up to a multiple of 4 (MS-DTYP 2.4.4.1) */
ret = (ret + 3ULL) & ~3ULL;
@@ -75,6 +79,107 @@ size_t ndr_size_security_ace(const struct security_ace *ace, libndr_flags flags)
return ret;
}
+
+static inline enum ndr_err_code ndr_maybe_pull_security_ace_object_ctr(struct ndr_pull *ndr,
+ ndr_flags_type ndr_flags,
+ struct security_ace *r)
+{
+ /*
+ * If this is not an object ACE (as is usually common),
+ * ndr_pull_security_ace_object_ctr() will do nothing.
+ *
+ * By avoiding calling the function in that case, we avoid some
+ * tallocing and ndr token busywork.
+ */
+ bool is_object = sec_ace_object(r->type);
+ if (is_object) {
+ NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, is_object));
+ NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, ndr_flags, &r->object));
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+
+_PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags_type ndr_flags, struct security_ace *r)
+{
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ ssize_t sub_size;
+ NDR_CHECK(ndr_pull_align(ndr, 5));
+ NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type));
+ NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags));
+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
+ NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
+ NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, NDR_SCALARS, r));
+ NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
+ sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags);
+ if (!sec_ace_has_extra_blob(r->type) || sub_size == 0) {
+ r->coda.ignored.data = NULL;
+ r->coda.ignored.length = 0;
+ } else {
+ struct ndr_pull *_ndr_coda;
+ NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_coda, 0, sub_size));
+ NDR_CHECK(ndr_pull_set_switch_value(_ndr_coda, &r->coda, r->type));
+ NDR_CHECK(ndr_pull_security_ace_coda(_ndr_coda, NDR_SCALARS|NDR_BUFFERS, &r->coda));
+ NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_coda, 0, sub_size));
+ }
+ NDR_CHECK(ndr_pull_trailer_align(ndr, 5));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, NDR_BUFFERS, r));
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+
+static inline enum ndr_err_code ndr_maybe_push_security_ace_object_ctr(struct ndr_push *ndr,
+ ndr_flags_type ndr_flags,
+ const struct security_ace *r)
+{
+ /*
+ * ndr_push_security_ace_object_ctr() does nothing (except tallocing
+ * and ndr_token fiddling) unless the ACE is an object ACE, which is
+ * usually very unlikely.
+ */
+ bool is_object = sec_ace_object(r->type);
+ if (is_object) {
+ NDR_CHECK(ndr_push_set_switch_value(ndr, &r->object, is_object));
+ NDR_CHECK(ndr_push_security_ace_object_ctr(ndr, ndr_flags, &r->object));
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ enum ndr_err_code ndr_push_security_ace(struct ndr_push *ndr, ndr_flags_type ndr_flags, const struct security_ace *r)
+{
+ NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_push_align(ndr, 5));
+ NDR_CHECK(ndr_push_security_ace_type(ndr, NDR_SCALARS, r->type));
+ NDR_CHECK(ndr_push_security_ace_flags(ndr, NDR_SCALARS, r->flags));
+ NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, ndr_size_security_ace(r, ndr->flags)));
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->access_mask));
+ NDR_CHECK(ndr_maybe_push_security_ace_object_ctr(ndr, NDR_SCALARS, r));
+ NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS, &r->trustee));
+ if (sec_ace_has_extra_blob(r->type)) {
+ struct ndr_push *_ndr_coda;
+ size_t coda_size = ndr_subcontext_size_of_ace_coda(
+ r,
+ ndr_size_security_ace(r, ndr->flags),
+ ndr->flags);
+ NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_coda, 0, coda_size));
+ NDR_CHECK(ndr_push_set_switch_value(_ndr_coda, &r->coda, r->type));
+ NDR_CHECK(ndr_push_security_ace_coda(_ndr_coda, NDR_SCALARS|NDR_BUFFERS, &r->coda));
+ NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_coda, 0, coda_size));
+ }
+ NDR_CHECK(ndr_push_trailer_align(ndr, 5));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ NDR_CHECK(ndr_maybe_push_security_ace_object_ctr(ndr, NDR_BUFFERS, r));
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+
/*
* An ACE coda can't be bigger than the space allowed for by
* ace->size, so we need to check this from the context of the ACE.
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index 859da0a914f..d7386d5b2cc 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -603,7 +603,8 @@ sub ParseSubcontextPullStart($$$$$)
$self->pidl("{");
$self->indent;
$self->pidl("struct ndr_pull *$subndr;");
- $self->pidl("NDR_CHECK(ndr_pull_subcontext_start($ndr, &$subndr, $l->{HEADER_SIZE}, $subcontext_size));");
+ $self->pidl("ssize_t sub_size = $subcontext_size;");
+ $self->pidl("NDR_CHECK(ndr_pull_subcontext_start($ndr, &$subndr, $l->{HEADER_SIZE}, sub_size));");
if (defined $l->{COMPRESSION}) {
$subndr = $self->ParseCompressionPullStart($e, $l, $subndr, $env);
@@ -622,7 +623,7 @@ sub ParseSubcontextPullEnd($$$$$)
$self->ParseCompressionPullEnd($e, $l, $subndr, $env);
}
- $self->pidl("NDR_CHECK(ndr_pull_subcontext_end($ndr, $subndr, $l->{HEADER_SIZE}, $subcontext_size));");
+ $self->pidl("NDR_CHECK(ndr_pull_subcontext_end($ndr, $subndr, $l->{HEADER_SIZE}, sub_size));");
$self->deindent;
$self->pidl("}");
}
diff --git a/python/samba/gp/util/logging.py b/python/samba/gp/util/logging.py
index 9e70891b62c..da085d8d7e6 100644
--- a/python/samba/gp/util/logging.py
+++ b/python/samba/gp/util/logging.py
@@ -23,9 +23,10 @@ import gettext
import random
import sys
-logger = logging.getLogger()
+logger = logging.getLogger("gp")
+
+
def logger_init(name, log_level):
- logger = logging.getLogger(name)
logger.addHandler(logging.StreamHandler(sys.stdout))
logger.setLevel(logging.CRITICAL)
if log_level == 1:
diff --git a/selftest/perf_tests.py b/selftest/perf_tests.py
index 2aed9deded9..cfbbf0e056e 100644
--- a/selftest/perf_tests.py
+++ b/selftest/perf_tests.py
@@ -26,8 +26,8 @@ plantestsuite_loadlist("samba4.ldap.ad_dc_performance.python(ad_dc_ntvfs)",
'--workgroup=$DOMAIN',
'$LOADLIST', '$LISTOPT'])
-plantestsuite_loadlist("samba4.ndr_pack_performance.python(ad_dc_ntvfs)",
- "ad_dc_ntvfs",
+plantestsuite_loadlist("samba4.ndr_pack_performance.python",
+ "none",
[python, os.path.join(samba4srcdir,
"dsdb/tests/python/ndr_pack_performance.py"),
'$SERVER', '-U"$USERNAME%$PASSWORD"',
diff --git a/source4/dsdb/tests/python/ndr_pack_performance.py b/source4/dsdb/tests/python/ndr_pack_performance.py
index 5defacf19ec..45c1816df39 100644
--- a/source4/dsdb/tests/python/ndr_pack_performance.py
+++ b/source4/dsdb/tests/python/ndr_pack_performance.py
@@ -4,10 +4,7 @@ import optparse
import sys
sys.path.insert(0, 'bin/python')
-import os
import samba
-import samba.getopt as options
-import random
import gzip
# We try to use the test infrastructure of Samba 4.3+, but if it
@@ -16,45 +13,13 @@ import gzip
#
# Don't copy this horror into ordinary tests -- it is special for
# performance tests that want to apply to old versions.
-try:
- from samba.tests.subunitrun import SubunitOptions, TestProgram
- ANCIENT_SAMBA = False
-except ImportError:
- ANCIENT_SAMBA = True
- samba.ensure_external_module("testtools", "testtools")
- samba.ensure_external_module("subunit", "subunit/python")
- from subunit.run import SubunitTestRunner
- import unittest
+
+from samba.tests.subunitrun import TestProgram
from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import security
from samba.dcerpc import drsuapi
-parser = optparse.OptionParser("ndr_pack_performance.py [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-
-if not ANCIENT_SAMBA:
- subunitopts = SubunitOptions(parser)
- parser.add_option_group(subunitopts)
-
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-random.seed(1)
-
BIG_SD_SDDL = ''.join(
"""O:S-1-5-21-3328325300-3937145445-4190589019-512G:S-1-5-2
@@ -130,6 +95,23 @@ IOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa0030
0aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0d
e6-11d0-a285-00aa003049e2;ED)""".split())
+
+CONDITIONAL_ACE_SDDL = ('O:SYG:SYD:(XA;OICI;CR;;;WD;'
+ '(@USER.ad://ext/AuthenticationSilo == "siloname"))')
+
+NON_OBJECT_SDDL = (
+ "O:S-1-5-21-2212615479-2695158682-2101375468-512"
+ "G:S-1-5-21-2212615479-2695158682-2101375468-513"
+ "D:P(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
+ "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
+ "(A;OICIIO;FA;;;CO)"
+ "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
+ "(A;OICI;FA;;;SY)"
+ "(A;OICI;0x1200a9;;;AU)"
+ "(A;OICI;0x1200a9;;;ED)")
+
+
+
# set SCALE = 100 for normal test, or 1 for testing the test.
SCALE = 100
@@ -144,57 +126,82 @@ class UserTests(samba.tests.TestCase):
return f.read()
def get_desc(self, sddl):
- dummy_sid = security.dom_sid("S-2-0-0")
+ dummy_sid = security.dom_sid("S-1-2-3")
return security.descriptor.from_sddl(sddl, dummy_sid)
def get_blob(self, sddl):
return ndr_pack(self.get_desc(sddl))
- def test_00_00_do_nothing(self):
+ def test_00_00_do_nothing(self, cycles=10000):
# this gives us an idea of the overhead
- pass
+ for i in range(SCALE * cycles):
+ pass
def _test_pack(self, unpacked, cycles=10000):
+ pack = unpacked.__ndr_pack__
for i in range(SCALE * cycles):
- ndr_pack(unpacked)
+ pack()
def _test_unpack(self, blob, cycles=10000, cls=security.descriptor):
for i in range(SCALE * cycles):
- ndr_unpack(cls, blob)
+ cls().__ndr_unpack__(blob)
def _test_pack_unpack(self, desc, cycles=5000, cls=security.descriptor):
blob2 = ndr_pack(desc)
-
for i in range(SCALE * cycles):
blob = ndr_pack(desc)
desc = ndr_unpack(cls, blob)
self.assertEqual(blob, blob2)
- def test_pack_big_sd(self):
+ def test_pack_big_sd_with_object_aces(self):
--
Samba Shared Repository
More information about the samba-cvs
mailing list