[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Mar 20 04:54:02 UTC 2024
The branch, master has been updated
via da500249fcf tests: gmsa blackbox tests
via 7dcc06fa88b tests: models: test additional Computer constructor cases
via c004fdd0f34 tests: models: fix username should be account_name
via 87cf1a29378 tests: user: create gmsa with models
via ea3838b6bcc tests: user: fix PEP8 spacing around operator
via 878abe023ed tests: user: gmsa dNSHostName is a required field
via 40e0cb2ccaa tests: samdb: Make use of the domain_sid property
via 3c022f444a1 python: fix json encoder should handle Exception
via 52165b8eada python: models: add Container model
via bda232944cf python: models: add kwargs to __json__ and as_dict methods
via 7fafb268bf9 python: pep8: fix import sorting after move
via f739ef813c0 python: move models out of the netcmd package
via 1f511acc133 python: create domain module to move models into
via e25c4872034 netcmd: gmsa: show viewers also works if SID is not found
via 12adbfc6abf netcmd: gmsa: add and remove don't fetch trustee if it is a SID
via 87d00915e96 netcmd: gmsa: add_trustee and remove_trustee change argument to sid
via 48c0ed76e02 netcmd: gmsa: fix typo if trustee is not found
via a6e79982c90 netcmd: gmsa: create should allow custom SDDL
via 200948c172d netcmd: models: improve Computer constructor adding "$" handling
via bd79c074e2d netcmd: models: allow scope to be overridden in query
via 3e22f8f3034 netcmd: models: add User.get_sid_for_principal helper
via 12f3db0109a netcmd: models: User.find also tries object_sid
via 4f97df7056b python: samdb: Make connecting_user_sid a property
via c221f7080c5 python: samdb: Move get_connecting_user_sid to samdb
from b815abe7799 libcli/security: check again for NULL values
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit da500249fcf52629c8d3da4d608b85b96b43cca6
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Fri Mar 1 11:22:03 2024 +1300
tests: gmsa blackbox tests
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Mar 20 04:53:57 UTC 2024 on atb-devel-224
commit 7dcc06fa88b06cedcaa9165536eb47c6fed27fc4
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 6 16:52:53 2024 +1300
tests: models: test additional Computer constructor cases
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c004fdd0f34ec009fa4f24535ffb5773ee506e37
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 6 16:49:21 2024 +1300
tests: models: fix username should be account_name
The reason this didn't fail, is because it doesn't save the Computers.
This gets fixed in the next commit.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 87cf1a2937837d268de0339f88f02d4304355f75
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 5 16:39:33 2024 +1300
tests: user: create gmsa with models
It was fetching the GMSA with the models straight after creating it anyway.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ea3838b6bcc5a60bbef201f016dfecea0af68b54
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 5 16:20:52 2024 +1300
tests: user: fix PEP8 spacing around operator
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 878abe023ed8cabe3e24a998a9ed870de8f64ee1
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 5 12:14:06 2024 +1300
tests: user: gmsa dNSHostName is a required field
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 40e0cb2ccaa659d3ee109949044fe006e7a7d2bb
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Feb 28 17:00:24 2024 +1300
tests: samdb: Make use of the domain_sid property
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3c022f444a1c8644cdd4011475b2a16f834b18ab
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 20 09:50:49 2024 +1300
python: fix json encoder should handle Exception
This happens if --json is used and a CommandError is raised, so will affect other commands too where --json is used.
This happens in the print_json_status method.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 52165b8eada72ac2d2e015faba372af8ae9c7284
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 13 23:07:52 2024 +1300
python: models: add Container model
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bda232944cf7954799792f2587b0ea923545004e
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 13 22:20:39 2024 +1300
python: models: add kwargs to __json__ and as_dict methods
Allows passing arguments through
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7fafb268bf9553e21fa511eb6f50ab0b61628981
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 13 20:59:27 2024 +1300
python: pep8: fix import sorting after move
Only touch files where samba.domain.models import was moved
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f739ef813c037ebf201dae0af68d5e9276848145
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 12 16:47:58 2024 +1300
python: move models out of the netcmd package
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1f511acc1338412cfd8f513b08c5c21a6d839e0a
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 12 16:28:07 2024 +1300
python: create domain module to move models into
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e25c48720347daeaf7824c2f7c6b3655d26707d3
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 12 13:06:31 2024 +1300
netcmd: gmsa: show viewers also works if SID is not found
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 12adbfc6abf1dfc4b7d206025f7996bfb5fa86b1
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 12 12:40:12 2024 +1300
netcmd: gmsa: add and remove don't fetch trustee if it is a SID
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 87d00915e9634c2ba3269d8d437bfa3c74ee7724
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 12 12:38:13 2024 +1300
netcmd: gmsa: add_trustee and remove_trustee change argument to sid
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 48c0ed76e02567994c1c7069a83c89aec5825101
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 12 12:33:30 2024 +1300
netcmd: gmsa: fix typo if trustee is not found
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a6e79982c902fffc8dc1b95c56727e60c73cddeb
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 5 12:04:49 2024 +1300
netcmd: gmsa: create should allow custom SDDL
gMSA update already supported it but not create
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 200948c172d20de75a3598d244de3f47d91d7bc0
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Mar 6 16:47:29 2024 +1300
netcmd: models: improve Computer constructor adding "$" handling
In some cases the previous code would end up creating computers where the account name ended on double "$"
Rewrote constructor to handle more cases, for example only an account name is provided, only a name is provided, or both.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bd79c074e2ddbf434c70f6d2692dd702917309ce
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 12 12:13:09 2024 +1300
netcmd: models: allow scope to be overridden in query
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3e22f8f303458efca9bed9a3223d62d2e55aa0a4
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 12 12:23:36 2024 +1300
netcmd: models: add User.get_sid_for_principal helper
Unlike User.find, this will not fetch the User if an SID is provided.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 12f3db0109a4dbe5e96425bdff73c874f538ef9e
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Mar 5 15:30:47 2024 +1300
netcmd: models: User.find also tries object_sid
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4f97df7056b800afde180a504d96bb3363394dae
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Feb 28 16:59:06 2024 +1300
python: samdb: Make connecting_user_sid a property
This is following the same design as other similar properties like samdb.domain_sid, only it doesn't need a setter.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c221f7080c505fafe8e44a5aff7b7a72bc60be78
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Feb 28 16:57:40 2024 +1300
python: samdb: Move get_connecting_user_sid to samdb
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.../dcerpc.py => python/samba/domain/__init__.py | 9 +-
.../samba/{netcmd => }/domain/models/__init__.py | 1 +
.../{netcmd => }/domain/models/auth_policy.py | 0
.../samba/{netcmd => }/domain/models/auth_silo.py | 0
.../samba/{netcmd => }/domain/models/claim_type.py | 0
.../samba/{netcmd => }/domain/models/computer.py | 37 +++-
.../samba/{netcmd => }/domain/models/constants.py | 0
.../constants.py => domain/models/container.py} | 18 +-
.../samba/{netcmd => }/domain/models/exceptions.py | 0
python/samba/{netcmd => }/domain/models/fields.py | 0
python/samba/{netcmd => }/domain/models/gmsa.py | 13 +-
python/samba/{netcmd => }/domain/models/group.py | 0
python/samba/{netcmd => }/domain/models/model.py | 12 +-
python/samba/{netcmd => }/domain/models/person.py | 0
python/samba/{netcmd => }/domain/models/query.py | 0
python/samba/{netcmd => }/domain/models/schema.py | 0
python/samba/{netcmd => }/domain/models/site.py | 0
python/samba/{netcmd => }/domain/models/subnet.py | 0
python/samba/{netcmd => }/domain/models/types.py | 0
python/samba/{netcmd => }/domain/models/user.py | 27 ++-
.../samba/{netcmd => }/domain/models/value_type.py | 0
python/samba/netcmd/domain/auth/policy.py | 9 +-
python/samba/netcmd/domain/auth/silo.py | 4 +-
python/samba/netcmd/domain/auth/silo_member.py | 4 +-
python/samba/netcmd/domain/claim/claim_type.py | 5 +-
python/samba/netcmd/domain/claim/value_type.py | 4 +-
python/samba/netcmd/encoders.py | 2 +-
.../netcmd/service_account/group_msa_membership.py | 34 ++--
.../netcmd/service_account/service_account.py | 15 +-
python/samba/netcmd/shell.py | 2 +-
python/samba/netcmd/sites.py | 13 +-
python/samba/netcmd/user/auth/policy.py | 4 +-
python/samba/netcmd/user/auth/silo.py | 4 +-
python/samba/samdb.py | 8 +
python/samba/tests/blackbox/gmsa.py | 202 +++++++++++++++++++++
python/samba/tests/krb5/authn_policy_tests.py | 19 +-
python/samba/tests/krb5/kdc_base_test.py | 33 ++--
.../samba/tests/samba_tool/domain_auth_policy.py | 2 +-
python/samba/tests/samba_tool/domain_auth_silo.py | 2 +-
python/samba/tests/samba_tool/domain_models.py | 34 +++-
python/samba/tests/samba_tool/service_account.py | 4 +-
python/samba/tests/samba_tool/silo_base.py | 2 +-
python/samba/tests/samba_tool/user_auth_policy.py | 2 +-
python/samba/tests/samba_tool/user_auth_silo.py | 2 +-
.../tests/samba_tool/user_get_kerberos_ticket.py | 13 +-
.../tests/samba_tool/user_getpassword_gmsa.py | 64 +++----
selftest/knownfail.d/gmsa | 3 +-
source4/selftest/tests.py | 2 +
48 files changed, 435 insertions(+), 174 deletions(-)
copy source4/librpc/rpc/dcerpc.py => python/samba/domain/__init__.py (85%)
rename python/samba/{netcmd => }/domain/models/__init__.py (97%)
rename python/samba/{netcmd => }/domain/models/auth_policy.py (100%)
rename python/samba/{netcmd => }/domain/models/auth_silo.py (100%)
rename python/samba/{netcmd => }/domain/models/claim_type.py (100%)
rename python/samba/{netcmd => }/domain/models/computer.py (64%)
copy python/samba/{netcmd => }/domain/models/constants.py (100%)
rename python/samba/{netcmd/domain/models/constants.py => domain/models/container.py} (70%)
rename python/samba/{netcmd => }/domain/models/exceptions.py (100%)
rename python/samba/{netcmd => }/domain/models/fields.py (100%)
rename python/samba/{netcmd => }/domain/models/gmsa.py (93%)
rename python/samba/{netcmd => }/domain/models/group.py (100%)
rename python/samba/{netcmd => }/domain/models/model.py (97%)
rename python/samba/{netcmd => }/domain/models/person.py (100%)
rename python/samba/{netcmd => }/domain/models/query.py (100%)
rename python/samba/{netcmd => }/domain/models/schema.py (100%)
rename python/samba/{netcmd => }/domain/models/site.py (100%)
rename python/samba/{netcmd => }/domain/models/subnet.py (100%)
rename python/samba/{netcmd => }/domain/models/types.py (100%)
rename python/samba/{netcmd => }/domain/models/user.py (75%)
rename python/samba/{netcmd => }/domain/models/value_type.py (100%)
create mode 100644 python/samba/tests/blackbox/gmsa.py
Changeset truncated at 500 lines:
diff --git a/source4/librpc/rpc/dcerpc.py b/python/samba/domain/__init__.py
similarity index 85%
copy from source4/librpc/rpc/dcerpc.py
copy to python/samba/domain/__init__.py
index 64dd6e3a433..40ffa8948b3 100644
--- a/source4/librpc/rpc/dcerpc.py
+++ b/python/samba/domain/__init__.py
@@ -1,5 +1,10 @@
# Unix SMB/CIFS implementation.
-# Copyright (C) Jelmer Vernooij <jelmer at samba.org> 2008
+#
+# Domain support
+#
+# Copyright (C) Catalyst.Net Ltd. 2024
+#
+# Written by Rob van der Linde <rob at catalyst.net.nz>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -14,5 +19,3 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-
-from samba.dcerpc.base import *
diff --git a/python/samba/netcmd/domain/models/__init__.py b/python/samba/domain/models/__init__.py
similarity index 97%
rename from python/samba/netcmd/domain/models/__init__.py
rename to python/samba/domain/models/__init__.py
index 4e100574aaf..fe05bac1482 100644
--- a/python/samba/netcmd/domain/models/__init__.py
+++ b/python/samba/domain/models/__init__.py
@@ -26,6 +26,7 @@ from .auth_silo import AuthenticationSilo
from .claim_type import ClaimType
from .computer import Computer
from .constants import MODELS
+from .container import Container
from .gmsa import GroupManagedServiceAccount
from .group import Group
from .model import Model
diff --git a/python/samba/netcmd/domain/models/auth_policy.py b/python/samba/domain/models/auth_policy.py
similarity index 100%
rename from python/samba/netcmd/domain/models/auth_policy.py
rename to python/samba/domain/models/auth_policy.py
diff --git a/python/samba/netcmd/domain/models/auth_silo.py b/python/samba/domain/models/auth_silo.py
similarity index 100%
rename from python/samba/netcmd/domain/models/auth_silo.py
rename to python/samba/domain/models/auth_silo.py
diff --git a/python/samba/netcmd/domain/models/claim_type.py b/python/samba/domain/models/claim_type.py
similarity index 100%
rename from python/samba/netcmd/domain/models/claim_type.py
rename to python/samba/domain/models/claim_type.py
diff --git a/python/samba/netcmd/domain/models/computer.py b/python/samba/domain/models/computer.py
similarity index 64%
rename from python/samba/netcmd/domain/models/computer.py
rename to python/samba/domain/models/computer.py
index c9e034a530f..84dddb16a9b 100644
--- a/python/samba/netcmd/domain/models/computer.py
+++ b/python/samba/domain/models/computer.py
@@ -33,18 +33,39 @@ class Computer(User):
def __init__(self, **kwargs):
"""Computer constructor automatically adds "$" to account_name.
- Also applies to GroupManagedServiceAccount subclass.
- """
- name = kwargs.get("name", kwargs.get("cn"))
+ The various ways a Computer can be constructed:
+
+ >>> Computer(name="pc")
+ >>> Computer(account_name="pc$")
+ >>> Computer(cn="pc")
+ >>> Computer(account_name="pc$", name="pc")
+
+ In each case the constructor does its best to ensure the
+ account name ends with a "$" and the name doesn't.
+
+ Also applies to GroupManagedServiceAccount subclass."""
+ name = kwargs.get("name", kwargs.pop("cn", None))
account_name = kwargs.get("account_name")
- # If account_name is missing, use name or cn and add a "$".
- # If account_name is present but lacking "$", add it automatically.
+ # First make sure the account_name always has a "$".
+ if account_name and not account_name.endswith("$"):
+ account_name += "$"
+
+ # The name is present but not account name.
+ # If the name already has a "$" don't add two.
if name and not account_name:
- kwargs["account_name"] = name + "$"
- elif account_name and not account_name.endswith("$"):
- kwargs["account_name"] = account_name + "$"
+ if name.endswith("$"):
+ account_name = name
+ else:
+ account_name = name + "$"
+
+ # The account name is present but not the name.
+ # Use the account name, stripping the "$" character.
+ elif account_name and not name:
+ name = account_name.rstrip("$")
+ kwargs["name"] = name
+ kwargs["account_name"] = account_name
super().__init__(**kwargs)
@staticmethod
diff --git a/python/samba/netcmd/domain/models/constants.py b/python/samba/domain/models/constants.py
similarity index 100%
copy from python/samba/netcmd/domain/models/constants.py
copy to python/samba/domain/models/constants.py
diff --git a/python/samba/netcmd/domain/models/constants.py b/python/samba/domain/models/container.py
similarity index 70%
rename from python/samba/netcmd/domain/models/constants.py
rename to python/samba/domain/models/container.py
index aa1b0307445..5d3a0b247a4 100644
--- a/python/samba/netcmd/domain/models/constants.py
+++ b/python/samba/domain/models/container.py
@@ -1,8 +1,8 @@
# Unix SMB/CIFS implementation.
#
-# Model constants
+# Container model.
#
-# Copyright (C) Catalyst.Net Ltd. 2023
+# Copyright (C) Catalyst.Net Ltd. 2024
#
# Written by Rob van der Linde <rob at catalyst.net.nz>
#
@@ -20,9 +20,13 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-# Keeps track of registered models.
-# This gets populated by the ModelMeta class.
-MODELS = {}
+from .fields import DnField
+from .model import Model
-# Default SDDL for GroupManagedServiceAccount msDS-GroupMSAMembership field.
-GROUP_MSA_MEMBERSHIP_DEFAULT = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)"
+
+class Container(Model):
+ object_reference = DnField("msDS-ObjectReference")
+
+ @staticmethod
+ def get_object_class():
+ return "container"
diff --git a/python/samba/netcmd/domain/models/exceptions.py b/python/samba/domain/models/exceptions.py
similarity index 100%
rename from python/samba/netcmd/domain/models/exceptions.py
rename to python/samba/domain/models/exceptions.py
diff --git a/python/samba/netcmd/domain/models/fields.py b/python/samba/domain/models/fields.py
similarity index 100%
rename from python/samba/netcmd/domain/models/fields.py
rename to python/samba/domain/models/fields.py
diff --git a/python/samba/netcmd/domain/models/gmsa.py b/python/samba/domain/models/gmsa.py
similarity index 93%
rename from python/samba/netcmd/domain/models/gmsa.py
rename to python/samba/domain/models/gmsa.py
index c5c27e3cf51..e13711f22d7 100644
--- a/python/samba/netcmd/domain/models/gmsa.py
+++ b/python/samba/domain/models/gmsa.py
@@ -28,7 +28,6 @@ from .constants import GROUP_MSA_MEMBERSHIP_DEFAULT
from .exceptions import FieldError
from .fields import BinaryField, EnumField, IntegerField, SDDLField, StringField
from .types import SupportedEncryptionTypes
-from .user import User
class GroupManagedServiceAccount(Computer):
@@ -79,17 +78,19 @@ class GroupManagedServiceAccount(Computer):
return allowed
- def add_trustee(self, trustee: User):
+ def add_trustee(self, trustee: str):
"""Adds the User `trustee` to group_msa_membership.
Checking if the trustee already has access is the responsibility
of the caller.
+
+ :param trustee: SID of trustee to add
"""
aces = self.group_msa_membership.dacl.aces
ace = security.ace()
ace.type = security.SEC_ACE_TYPE_ACCESS_ALLOWED
- ace.trustee = security.dom_sid(trustee.object_sid)
+ ace.trustee = security.dom_sid(trustee)
ace.access_mask = security.SEC_ADS_GENERIC_ALL
aces.append(ace)
@@ -97,14 +98,16 @@ class GroupManagedServiceAccount(Computer):
self.group_msa_membership.dacl.aces = aces
self.group_msa_membership.dacl.num_aces = len(aces)
- def remove_trustee(self, trustee: User):
+ def remove_trustee(self, trustee: str):
"""Removes the User 'trustee' from group_msa_membership.
If the trustee doesn't have access already then do nothing.
+
+ :param trustee: SID of trustee to remove
"""
aces = self.group_msa_membership.dacl.aces
for ace in aces:
- if trustee.object_sid == str(ace.trustee):
+ if trustee == str(ace.trustee):
self.group_msa_membership.dacl_del_ace(ace)
break
diff --git a/python/samba/netcmd/domain/models/group.py b/python/samba/domain/models/group.py
similarity index 100%
rename from python/samba/netcmd/domain/models/group.py
rename to python/samba/domain/models/group.py
diff --git a/python/samba/netcmd/domain/models/model.py b/python/samba/domain/models/model.py
similarity index 97%
rename from python/samba/netcmd/domain/models/model.py
rename to python/samba/domain/models/model.py
index a9b10a7b53e..55cada972b6 100644
--- a/python/samba/netcmd/domain/models/model.py
+++ b/python/samba/domain/models/model.py
@@ -110,9 +110,9 @@ class Model(metaclass=ModelMeta):
else:
return self.dn == other.dn
- def __json__(self):
+ def __json__(self, **kwargs):
"""Automatically called by custom JSONEncoder class."""
- return self.as_dict()
+ return self.as_dict(**kwargs)
@staticmethod
def get_base_dn(ldb):
@@ -182,7 +182,7 @@ class Model(metaclass=ModelMeta):
self._apply(ldb, res[0])
- def as_dict(self, include_hidden=False):
+ def as_dict(self, include_hidden=False, **kwargs):
"""Returns a dict representation of the model.
:param include_hidden: Include fields with hidden=True when set
@@ -225,7 +225,8 @@ class Model(metaclass=ModelMeta):
return expression
@classmethod
- def query(cls, ldb, polymorphic=False, base_dn=None, **kwargs):
+ def query(cls, ldb, polymorphic=False, base_dn=None, scope=SCOPE_SUBTREE,
+ **kwargs):
"""Returns a search query for this model.
NOTE: If polymorphic is enabled then querying will return instances
@@ -238,6 +239,7 @@ class Model(metaclass=ModelMeta):
:param ldb: Ldb connection
:param polymorphic: If true enables polymorphic querying (see note)
:param base_dn: Optional provide base dn for searching or use the model
+ :param scope: Ldb search scope (default SCOPE_SUBTREE)
:param kwargs: Search criteria as keyword args
"""
if base_dn is None:
@@ -246,7 +248,7 @@ class Model(metaclass=ModelMeta):
# If the container does not exist produce a friendly error message.
try:
result = ldb.search(base_dn,
- scope=SCOPE_SUBTREE,
+ scope=scope,
expression=cls.build_expression(**kwargs))
except LdbError as e:
if e.args[0] == ERR_NO_SUCH_OBJECT:
diff --git a/python/samba/netcmd/domain/models/person.py b/python/samba/domain/models/person.py
similarity index 100%
rename from python/samba/netcmd/domain/models/person.py
rename to python/samba/domain/models/person.py
diff --git a/python/samba/netcmd/domain/models/query.py b/python/samba/domain/models/query.py
similarity index 100%
rename from python/samba/netcmd/domain/models/query.py
rename to python/samba/domain/models/query.py
diff --git a/python/samba/netcmd/domain/models/schema.py b/python/samba/domain/models/schema.py
similarity index 100%
rename from python/samba/netcmd/domain/models/schema.py
rename to python/samba/domain/models/schema.py
diff --git a/python/samba/netcmd/domain/models/site.py b/python/samba/domain/models/site.py
similarity index 100%
rename from python/samba/netcmd/domain/models/site.py
rename to python/samba/domain/models/site.py
diff --git a/python/samba/netcmd/domain/models/subnet.py b/python/samba/domain/models/subnet.py
similarity index 100%
rename from python/samba/netcmd/domain/models/subnet.py
rename to python/samba/domain/models/subnet.py
diff --git a/python/samba/netcmd/domain/models/types.py b/python/samba/domain/models/types.py
similarity index 100%
rename from python/samba/netcmd/domain/models/types.py
rename to python/samba/domain/models/types.py
diff --git a/python/samba/netcmd/domain/models/user.py b/python/samba/domain/models/user.py
similarity index 75%
rename from python/samba/netcmd/domain/models/user.py
rename to python/samba/domain/models/user.py
index 79a8ecce477..48fcd80a7e1 100644
--- a/python/samba/netcmd/domain/models/user.py
+++ b/python/samba/domain/models/user.py
@@ -22,8 +22,10 @@
from ldb import Dn
+from samba.dcerpc.security import dom_sid
from samba.dsdb import DS_GUID_USERS_CONTAINER
+from .exceptions import NotFound
from .fields import DnField, EnumField, IntegerField, NtTimeField, StringField
from .person import OrganizationalPerson
from .types import AccountType, UserAccountControl
@@ -75,13 +77,32 @@ class User(OrganizationalPerson):
@classmethod
def find(cls, ldb, name):
- """Helper function to find a user first by Dn then sAMAccountName.
+ """Helper function to find a user by Dn, objectSid, or sAMAccountName.
- If the Dn can't be parsed, use sAMAccountName instead.
+ If the Dn or Sid can't be parsed, use sAMAccountName instead.
"""
try:
query = {"dn": Dn(ldb, name)}
except ValueError:
- query = {"account_name": name}
+ try:
+ query = {"object_sid": dom_sid(name)}
+ except ValueError:
+ query = {"account_name": name}
return cls.get(ldb, **query)
+
+ @classmethod
+ def get_sid_for_principal(cls, ldb, principal) -> str:
+ """Return object_sid for the provided principal.
+
+ If principal is already an object sid then return without fetching,
+ this is different to `User.find` which must fetch the User.
+ """
+ try:
+ return str(dom_sid(principal))
+ except ValueError:
+ user = cls.find(ldb, principal)
+ if user:
+ return user.object_sid
+ else:
+ raise NotFound(f"Principal {principal} not found.")
diff --git a/python/samba/netcmd/domain/models/value_type.py b/python/samba/domain/models/value_type.py
similarity index 100%
rename from python/samba/netcmd/domain/models/value_type.py
rename to python/samba/domain/models/value_type.py
diff --git a/python/samba/netcmd/domain/auth/policy.py b/python/samba/netcmd/domain/auth/policy.py
index d7156510a1c..8cc6598f3fa 100644
--- a/python/samba/netcmd/domain/auth/policy.py
+++ b/python/samba/netcmd/domain/auth/policy.py
@@ -21,12 +21,11 @@
#
import samba.getopt as options
+from samba.domain.models import (MAX_TGT_LIFETIME, MIN_TGT_LIFETIME,
+ AuthenticationPolicy, AuthenticationSilo,
+ Group, StrongNTLMPolicy)
+from samba.domain.models.exceptions import ModelError
from samba.netcmd import Command, CommandError, Option, SuperCommand
-from samba.netcmd.domain.models import (AuthenticationPolicy,
- AuthenticationSilo, Group,
- MAX_TGT_LIFETIME, MIN_TGT_LIFETIME,
- StrongNTLMPolicy)
-from samba.netcmd.domain.models.exceptions import ModelError
from samba.netcmd.validators import Range
diff --git a/python/samba/netcmd/domain/auth/silo.py b/python/samba/netcmd/domain/auth/silo.py
index f792e8a8542..861f47c8e7c 100644
--- a/python/samba/netcmd/domain/auth/silo.py
+++ b/python/samba/netcmd/domain/auth/silo.py
@@ -21,9 +21,9 @@
#
import samba.getopt as options
+from samba.domain.models import AuthenticationPolicy, AuthenticationSilo
+from samba.domain.models.exceptions import ModelError
from samba.netcmd import Command, CommandError, Option, SuperCommand
-from samba.netcmd.domain.models import AuthenticationPolicy, AuthenticationSilo
-from samba.netcmd.domain.models.exceptions import ModelError
from .silo_member import cmd_domain_auth_silo_member
diff --git a/python/samba/netcmd/domain/auth/silo_member.py b/python/samba/netcmd/domain/auth/silo_member.py
index 9b414006e74..02e5cd53163 100644
--- a/python/samba/netcmd/domain/auth/silo_member.py
+++ b/python/samba/netcmd/domain/auth/silo_member.py
@@ -21,9 +21,9 @@
#
import samba.getopt as options
+from samba.domain.models import AuthenticationSilo, User
+from samba.domain.models.exceptions import ModelError
from samba.netcmd import Command, CommandError, Option, SuperCommand
-from samba.netcmd.domain.models import AuthenticationSilo, User
-from samba.netcmd.domain.models.exceptions import ModelError
class cmd_domain_auth_silo_member_grant(Command):
diff --git a/python/samba/netcmd/domain/claim/claim_type.py b/python/samba/netcmd/domain/claim/claim_type.py
index 0801f0fd0db..312742fede6 100644
--- a/python/samba/netcmd/domain/claim/claim_type.py
+++ b/python/samba/netcmd/domain/claim/claim_type.py
@@ -21,10 +21,9 @@
#
import samba.getopt as options
+from samba.domain.models import AttributeSchema, ClaimType, ClassSchema, ValueType
+from samba.domain.models.exceptions import ModelError
from samba.netcmd import Command, CommandError, Option, SuperCommand
-from samba.netcmd.domain.models import AttributeSchema, ClassSchema,\
- ClaimType, ValueType
-from samba.netcmd.domain.models.exceptions import ModelError
class cmd_domain_claim_claim_type_create(Command):
diff --git a/python/samba/netcmd/domain/claim/value_type.py b/python/samba/netcmd/domain/claim/value_type.py
index ca30bd68904..b7f92947f58 100644
--- a/python/samba/netcmd/domain/claim/value_type.py
+++ b/python/samba/netcmd/domain/claim/value_type.py
@@ -21,9 +21,9 @@
#
import samba.getopt as options
+from samba.domain.models import ValueType
+from samba.domain.models.exceptions import ModelError
from samba.netcmd import Command, CommandError, Option, SuperCommand
-from samba.netcmd.domain.models import ValueType
-from samba.netcmd.domain.models.exceptions import ModelError
class cmd_domain_claim_value_type_list(Command):
diff --git a/python/samba/netcmd/encoders.py b/python/samba/netcmd/encoders.py
index 230309f74d9..87f90a57a5d 100644
--- a/python/samba/netcmd/encoders.py
+++ b/python/samba/netcmd/encoders.py
@@ -40,7 +40,7 @@ class JSONEncoder(json.JSONEncoder):
"""
def default(self, obj):
- if isinstance(obj, (Decimal, Dn, MessageElement)):
+ if isinstance(obj, (Decimal, Dn, Exception, MessageElement)):
return str(obj)
if isinstance(obj, Result):
return obj.msgs
diff --git a/python/samba/netcmd/service_account/group_msa_membership.py b/python/samba/netcmd/service_account/group_msa_membership.py
index da3f950f4e8..34e7fa45b59 100644
--- a/python/samba/netcmd/service_account/group_msa_membership.py
+++ b/python/samba/netcmd/service_account/group_msa_membership.py
@@ -19,11 +19,10 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+from samba.domain.models import Group, GroupManagedServiceAccount, Model, User
+from samba.domain.models.exceptions import ModelError
from samba.getopt import CredentialsOptions, HostOptions, Option, SambaOptions
from samba.netcmd import Command, CommandError, SuperCommand
-from samba.netcmd.domain.models import (Group, GroupManagedServiceAccount,
- Model, User)
-from samba.netcmd.domain.models.exceptions import ModelError
class cmd_service_account_group_msa_membership_show(Command):
@@ -59,14 +58,14 @@ class cmd_service_account_group_msa_membership_show(Command):
raise CommandError(f"Group managed service account {name} not found.")
try:
- trustees = [Model.get(ldb, object_sid=sid, polymorphic=True) for sid in gmsa.trustees]
+ trustees = {sid: Model.get(ldb, object_sid=sid, polymorphic=True) for sid in gmsa.trustees}
except ModelError as e:
raise CommandError(e)
if output_format == "json":
self.print_json({
"dn": gmsa.dn,
- "trustees": [trustee.dn for trustee in trustees]
+ "trustees": [trustee.dn if trustee else f"<SID={sid}>" for sid, trustee in trustees.items()]
})
else:
print(f"Account-DN: {gmsa.dn}", file=self.outf)
@@ -74,8 +73,9 @@ class cmd_service_account_group_msa_membership_show(Command):
print("Accounts or groups that are able to retrieve this group managed service account password:",
file=self.outf)
- for trustee in trustees:
- print(f" {trustee.dn}", file=self.outf)
+ for sid, trustee in trustees.items():
+ dn = trustee.dn if trustee else f"<SID={sid}>"
+ print(f" {dn}", file=self.outf)
class cmd_service_account_group_msa_membership_add(Command):
@@ -114,20 +114,20 @@ class cmd_service_account_group_msa_membership_add(Command):
--
Samba Shared Repository
More information about the samba-cvs
mailing list