Python and Samba and LDAP and ntSecurityDescriptor

Zahari Zahariev zahari.zahariev at postpath.com
Mon Feb 23 04:42:22 MST 2009


This is the unittest file that verifies my point. It covers both the case where ndr_unpack() works fine and the case where it exits with an error:

***
#!/usr/bin/python
# -*- coding: utf-8 -*-
# This is unit with PPD tests

import getopt
import optparse
import sys

# Make the in-tree samba and subunit Python packages importable when the
# script is run from the source4 build directory.
sys.path.extend(["bin/python", "../lib/subunit/python"])

import samba.getopt as options

# Some error messages that are being tested
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX

# For running the test unit
from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import security

from samba.auth import system_session
from samba import Ldb
from subunit import SubunitTestRunner
import unittest

# Command line: the usual Samba option groups plus one positional host.
parser = optparse.OptionParser("ldap [options] <host>")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))

# Credentials come from the command line when given (-U / -W / ...).
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
opts, args = parser.parse_args()

# Exactly one positional argument is expected: the server to talk to.
if not args:
    parser.print_usage()
    sys.exit(1)
host = args[0]

# Loadparm first, since the credentials object is derived from it.
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)

#
# Tests start here
#

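class AclTests(unittest.TestCase):
    """Round-trip an ntSecurityDescriptor through LDAP and ndr_unpack().

    The test uses the script-level ``ldb`` connection (bound in setUp) and
    creates two throwaway user entries: one whose descriptor the server
    generates, and one whose descriptor is supplied packed by the client.
    Both are read back and unpacked; the entries are removed afterwards even
    when an assertion or the unpacking fails.
    """

    def delete_force(self, ldb, dn):
        """Delete *dn* on *ldb*; a missing object is not treated as an error."""
        try:
            ldb.delete(dn)
        except LdbError as e:
            (num, _) = e.args
            # Anything other than "no such object" is a genuine failure.
            self.assertEqual(num, ERR_NO_SUCH_OBJECT)

    def find_basedn(self, ldb):
        """Return the defaultNamingContext advertised by the rootDSE of *ldb*."""
        res = ldb.search(base="", expression="", scope=SCOPE_BASE,
                         attrs=["defaultNamingContext"])
        self.assertEqual(len(res), 1)
        return res[0]["defaultNamingContext"][0]

    def setUp(self):
        """Bind to the script-level connection and derive the fixture DNs."""
        self.ldb = ldb  # module-level Ldb connection opened by the script
        self.base_dn = self.find_basedn(self.ldb)
        self.user1Name = "ACLUser1"
        self.user1Dn = "CN=%s,CN=Users," % self.user1Name + self.base_dn
        self.user2Name = "ACLUser2"
        self.user2Dn = "CN=%s,CN=Users," % self.user2Name + self.base_dn
        # print-statement equivalent that also works on Python 3
        sys.stdout.write("baseDN: %s\n\n" % self.base_dn)

    def _read_descriptor(self, name, domain_sid):
        """Fetch and unpack the nTSecurityDescriptor of the user called *name*.

        Returns the SDDL rendering of the unpacked descriptor relative to
        *domain_sid*.  Fails the test if the search does not return exactly
        one entry.
        """
        # *name* is a fixed fixture constant, so no LDAP filter escaping is
        # needed here; do not reuse this with caller-supplied names.
        res = self.ldb.search(self.base_dn, expression="(cn=%s)" % name)
        self.assertEqual(len(res), 1,
                         "expected exactly one entry for cn=%s" % name)
        unpacked = ndr_unpack(security.descriptor,
                              res[0]["nTSecurityDescriptor"][0])
        return unpacked.as_sddl(domain_sid)

    def test_acl_read(self):
        """Testing ACL read permissions"""
        # NOTE(review): the owner, group and several ACE trustees below carry
        # a fixed domain SID (S-1-5-21-3057987782-846766930-1257911302) while
        # the descriptor is resolved against the domain "S-1-5-21"; nothing
        # here checks that these match the DC under test -- confirm that is
        # intended.
        sddl = '''O:S-1-5-21-3057987782-846766930-1257911302-500G:S-1-5-21-3057987782-846766930-1257911302-513D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057987782-846766930-1257911302-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;LCRPLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-32-553)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-32-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-32-553)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-32-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057987782-846766930-1257911302-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)'''
        domain_sid = security.dom_sid('S-1-5-21')
        x = security.descriptor.from_sddl(sddl, domain_sid)

        # Local round trip first: if pack/unpack already fails here, the
        # server is not involved at all.
        xPacked = ndr_pack(x)
        xUnpacked = ndr_unpack(security.descriptor, xPacked)
        self.assertTrue(len(xUnpacked.as_sddl(domain_sid)) > 0)

        # Start from a clean slate in case an earlier run left the users behind.
        self.delete_force(self.ldb, self.user1Dn)
        self.delete_force(self.ldb, self.user2Dn)
        try:
            # User1: no descriptor supplied, the server generates one.
            self.ldb.add({
                "dn": self.user1Dn,
                "objectclass": "user",
                "sAMAccountName": self.user1Name,
                "userPassword": 'acltest',
            })

            # User2: the client supplies the packed descriptor.
            self.ldb.add({
                "dn": self.user2Dn,
                "objectclass": "user",
                "sAMAccountName": self.user2Name,
                "userPassword": 'acltest',
                "ntSecurityDescriptor": xPacked,
            })

            try:
                # Reading and unpacking the Samba4 generated descriptor
                self.assertTrue(
                    len(self._read_descriptor(self.user1Name, domain_sid)) > 0)
                # Reading the descriptor written over LDAP (the reported failure)
                self.assertTrue(
                    len(self._read_descriptor(self.user2Name, domain_sid)) > 0)
            except LdbError as e:
                # Keep the server's error detail in the failure message.
                self.fail("LDAP operation failed: %s" % (e,))
        finally:
            # Cleanup must not depend on the assertions or on ndr_unpack()
            # succeeding: an unpack RuntimeError is not an LdbError and would
            # otherwise leave both users behind for the next run.
            self.delete_force(self.ldb, self.user1Dn)
            self.delete_force(self.ldb, self.user2Dn)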

#
# Important unit running information
#

# Accept a bare host name as well as a full LDAP URL.
if "://" not in host:
    host = "ldap://%s" % host

# One connection, shared by every test through AclTests.setUp().
ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)

# Exit status 1 on any failure or error, 0 otherwise.
runner = SubunitTestRunner()
rc = 0 if runner.run(unittest.makeSuite(AclTests)).wasSuccessful() else 1
sys.exit(rc)

***

It is located in source4/lib/ldb/tests/python/acl-test.py in my setup. The error I get is:

---
error: Testing ACL read permissions [
Traceback (most recent call last):
  File "./selftest/../lib/ldb/tests/python/acl-test.py", line 112, in test_acl_read
    xUnpacked = ndr_unpack( security.descriptor, res[0]["nTSecurityDescriptor"][0] )
  File "bin/python/samba/ndr.py", line 27, in ndr_unpack
    object.__ndr_unpack__(data)
RuntimeError: (11, 'Buffer Size Error')
]
UNEXPECTED(error): Testing ACL read permissions (samba4.acl-test.python (dc).Testing ACL read permissions)
CMD: /usr/bin/python ./selftest/../lib/ldb/tests/python/acl-test.py --configfile=$SMB_CONF_PATH $SERVER -U$USERNAME%$PASSWORD -W $DOMAIN
ERROR: Exit code was 1


A summary with detailed information can be found in:
  ./st/summary

FAILED (0 failures and 1 errors in 1 testsuites)
make: *** [test] Error 1
---

Hope I did not miss anything valuable.

-Zahari

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Sunday, February 22, 2009 2:03 PM
To: Zahari Zahariev
Cc: 'samba-technical at lists.samba.org'
Subject: Re: Python and Samba and LDAP and ntSecurityDescriptor

 On Fri, 2009-02-20 at 16:25 +0200, Zahari Zahariev wrote: 
> Hello Samba4 & Andrew,
> 
> I have a problem with setting a custom ntSecurityDescriptor to a user 
> I create within a unittest similar to those in 
> source4/lib/ldb/tests/python/ldap.py.

I'm sorry, the crystal ball is a little foggy today:
 
Can you perhaps post the script you are using?  Without it I'm really having trouble understanding what your problems are.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

