[PATCH] Use conn->session_info->security_token in posix_acls.c to make sysvolreset faster (was: Re: [PATCH] improve performance for samba-tool ntacl sysvolreset)

Andrew Bartlett abartlet at samba.org
Tue Jul 10 00:53:39 UTC 2018


On Fri, 2018-07-06 at 15:12 +1200, joeg--- via samba-technical wrote:
> Hi all:
> 
> I created a patch to improve the performance for samba-tool ntacl
> sysvolreset cmd.
> 
> The `sysvolreset` cmd was slow with large amount of files.
> 
> Using the perf tool, we found that the bottleneck is in
> `user_sid_in_group_sid`, which creates a user token from the SID
> every time we call `setntacl`.
> 
> To avoid that, we pass a `session_info` parameter all the way down to
> the related functions, which has the `security_token` with it. And then
> in `smbd/posix_acls.c:uid_entry_in_group`, we check with the
> security_token if exist.
> 
> In our testenv, with 2k files, time for sysvolreset cmd decrease from
> about 155s to 80s.
> 
> A Merge Request is also created on GitLab:
> 
> https://gitlab.com/samba-team/samba/merge_requests/17

This looks great. 

I've pushed it back to that merge request with my review and fixes to a
couple of comments/whitespace.  The previous CI (successful) is here:

https://gitlab.com/catalyst-samba/samba/pipelines/25235335

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

sysvolreset time is a major pain point for users of the AD DC, so
getting this in for 4.9 would be great.

Can I get a second team reviewer?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba



-------------- next part --------------
From 5e9becb031d1d941f1ed2c8b29e16f48c40f0d2e Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 10:05:50 +1200
Subject: [PATCH 01/16] pysmbd: add session_info arg to get_conn_tos

Add session_info arg, so caller can pass it in to reuse authentication info
later. This will improve performance a lot while doing ntacl operations
on large amount of files, e.g.: sysvolreset.

Modification for upstream caller will come in following patches.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 source3/smbd/pysmbd.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index b220fbe691f..faf4565fff9 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -44,7 +44,10 @@ extern const struct generic_mapping file_generic_mapping;
 #define DIRECTORY_FLAGS O_RDONLY
 #endif
 
-static connection_struct *get_conn_tos(const char *service)
+
+static connection_struct *get_conn_tos(
+	const char *service,
+	const struct auth_session_info *session_info)
 {
 	struct conn_struct_tos *c = NULL;
 	int snum = -1;
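Review bot: The new `session_info` parameter of `get_conn_tos` is undocumented: nothing says that NULL is allowed or who owns the pointer. Every existing caller in this patch passes NULL, so a short comment above the signature would record that contract, for example `/* session_info may be NULL (previous behaviour); if set it is handed to create_conn_struct_tos() and must outlive the returned conn */`. The lifetime part is an assumption to confirm against create_conn_struct_tos(), which is not shown here. The hunk also adds a second blank line before the function, which can be dropped. The body of get_conn_tos continues outside this hunk.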
@@ -66,7 +69,7 @@ static connection_struct *get_conn_tos(const char *service)
 	status = create_conn_struct_tos(NULL,
 					snum,
 					"/",
-					NULL,
+					session_info,
 					&c);
 	PyErr_NTSTATUS_IS_ERR_RAISE(status);
 
@@ -410,7 +413,7 @@ static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject
 		return NULL;
 	}
 
-	conn = get_conn_tos(service);
+	conn = get_conn_tos(service, NULL);
 	if (!conn) {
 		TALLOC_FREE(frame);
 		return NULL;
@@ -451,7 +454,7 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
 
 	frame = talloc_stackframe();
 
-	conn = get_conn_tos(service);
+	conn = get_conn_tos(service, NULL);
 	if (!conn) {
 		TALLOC_FREE(frame);
 		return NULL;
@@ -510,7 +513,7 @@ static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs
 		return NULL;
 	}
 
-	conn = get_conn_tos(service);
+	conn = get_conn_tos(service, NULL);
 	if (!conn) {
 		TALLOC_FREE(frame);
 		return NULL;
@@ -576,7 +579,7 @@ static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kw
 		return NULL;
 	}
 
-	conn = get_conn_tos(service);
+	conn = get_conn_tos(service, NULL);
 	if (!conn) {
 		TALLOC_FREE(frame);
 		return NULL;
@@ -611,7 +614,7 @@ static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args, PyObject *kw
 		return NULL;
 	}
 
-	conn = get_conn_tos(service);
+	conn = get_conn_tos(service, NULL);
 	if (!conn) {
 		TALLOC_FREE(frame);
 		return NULL;
@@ -653,7 +656,7 @@ static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *k
 		return NULL;
 	}
 
-	conn = get_conn_tos(service);
+	conn = get_conn_tos(service, NULL);
 	if (!conn) {
 		TALLOC_FREE(frame);
 		return NULL;
@@ -694,7 +697,7 @@ static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *k
 		return NULL;
 	}
 
-	conn = get_conn_tos(service);
+	conn = get_conn_tos(service, NULL);
 	if (!conn) {
 		TALLOC_FREE(frame);
 		return NULL;
@@ -739,7 +742,7 @@ static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs)
 		return NULL;
 	}
 
-	conn = get_conn_tos(service);
+	conn = get_conn_tos(service, NULL);
 	if (!conn) {
 		TALLOC_FREE(frame);
 		return NULL;
@@ -792,7 +795,7 @@ static PyObject *py_smbd_create_file(PyObject *self, PyObject *args, PyObject *k
 		return NULL;
 	}
 
-	conn = get_conn_tos(service);
+	conn = get_conn_tos(service, NULL);
 	if (!conn) {
 		TALLOC_FREE(frame);
 		return NULL;
-- 
2.11.0


From 6df509bb36d5c4f51b780b13c0562c3f7624ce32 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 10:18:30 +1200
Subject: [PATCH 02/16] pysmbd: add session_info arg to py_smbd_set_nt_acl

Add session_info arg as optional and pass it down to get_conn_tos.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 source3/smbd/pysmbd.c | 33 ++++++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)

diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index faf4565fff9..1431925efd0 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -556,20 +556,26 @@ static PyObject *py_smbd_have_posix_acls(PyObject *self)
  */
 static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
 {
-	const char * const kwnames[] = { "fname", "security_info_sent", "sd", "service", NULL };
+	const char * const kwnames[] = {
+		"fname", "security_info_sent", "sd",
+		"service", "session_info", NULL };
+
 	NTSTATUS status;
 	char *fname, *service = NULL;
 	int security_info_sent;
 	PyObject *py_sd;
 	struct security_descriptor *sd;
+	PyObject *py_session = Py_None;
+	struct auth_session_info *session_info = NULL;
 	connection_struct *conn;
 	TALLOC_CTX *frame;
 
 	frame = talloc_stackframe();
 
-	if (!PyArg_ParseTupleAndKeywords(args, kwargs,
-					 "siO|z", discard_const_p(char *, kwnames),
-					 &fname, &security_info_sent, &py_sd, &service)) {
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|zO",
+				         discard_const_p(char *, kwnames),
+					 &fname, &security_info_sent, &py_sd,
+					 &service, &py_session)) {
 		TALLOC_FREE(frame);
 		return NULL;
 	}
@@ -579,7 +585,24 @@ static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kw
 		return NULL;
 	}
 
-	conn = get_conn_tos(service, NULL);
+	if (py_session != Py_None) {
+		if (!py_check_dcerpc_type(py_session,
+					  "samba.dcerpc.auth",
+					  "session_info")) {
+			TALLOC_FREE(frame);
+			return NULL;
+		}
+		session_info = pytalloc_get_type(py_session,
+						 struct auth_session_info);
+		if (!session_info) {
+			PyErr_Format(PyExc_TypeError,
+				     "Expected auth_session_info for session_info argument got %s",
+				     talloc_get_name(pytalloc_get_ptr(py_session)));
+			return NULL;
+		}
+	}
+
+	conn = get_conn_tos(service, session_info);
 	if (!conn) {
 		TALLOC_FREE(frame);
 		return NULL;
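Review bot: The `if (!session_info)` error path returns without freeing the talloc stackframe, unlike every other early return in this function, which calls `TALLOC_FREE(frame)` first. A wrong-typed `session_info` from a Python caller therefore leaves the frame allocated. Add `TALLOC_FREE(frame);` between the `PyErr_Format(...)` call and `return NULL;`. The error message also calls `talloc_get_name(pytalloc_get_ptr(py_session))`, which should be checked for the case where `pytalloc_get_ptr` yields NULL. The function body continues outside this hunk.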
-- 
2.11.0


From c952f23da21a06ad1f6f180e9d5f4e07c7189222 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 11:03:42 +1200
Subject: [PATCH 03/16] smbd/msdfs: add null check for session_info.unix_info

When a session_info is passed down to here, its unix_info could be NULL.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 source3/smbd/msdfs.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index bac9d8f6bf6..f0ec6b84892 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -307,7 +307,12 @@ static NTSTATUS create_conn_struct_as_root(TALLOC_CTX *ctx,
 			TALLOC_FREE(conn);
 			return NT_STATUS_NO_MEMORY;
 		}
-		vfs_user = conn->session_info->unix_info->unix_name;
+		/* unix_info could be NULL in session_info */
+		if (conn->session_info->unix_info != NULL) {
+			vfs_user = conn->session_info->unix_info->unix_name;
+		} else {
+			vfs_user = get_current_username();
+		}
 	} else {
 		/* use current authenticated user in absence of session_info */
 		vfs_user = get_current_username();
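Review bot: In the new `else` branch, `vfs_user` becomes the process's current user while `conn->session_info` still carries the caller's security token, so the VFS connect identity and the token identity can differ. The comment `/* unix_info could be NULL in session_info */` says only that this can happen, not why the fallback is safe. Something like `/* session_info without unix_info (e.g. built by a tool rather than a real logon): connect the VFS as the process user */` would record the intent; the "built by a tool" part is inferred from the rest of this series and should be confirmed. The enclosing function starts and ends outside this hunk.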
-- 
2.11.0


From eb1bf3ad3a64700bb3c578f8b88eb4973c034ac1 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 11:09:50 +1200
Subject: [PATCH 04/16] smbd/posix_acls: reuse secutiry token from session info
 if exist

If session info was passed down from upstream, then try to use it to get
the security token, rather than creating a token every time.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 source3/smbd/posix_acls.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 70834d5fc7d..8cc9cf1f2fc 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1251,12 +1251,38 @@ static void ensure_minimal_owner_ace_perms(const bool is_directory,
 
 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
 {
+	bool is_sid = false;
+	bool has_sid = false;
+	struct security_token *security_token = NULL;
+
 	/* "Everyone" always matches every uid. */
 
 	if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
 		return True;
 
 	/*
+	 * if we have session info in conn, we already have the (SID
+	 * based) NT token and don't need to do the complex
+	 * user_in_group_sid() call
+	 */
+	if (conn->session_info) {
+		security_token = conn->session_info->security_token;
+		/* security_token should not be NULL */
+		SMB_ASSERT(security_token);
+		is_sid = security_token_is_sid(security_token,
+					       &uid_ace->trustee);
+		if (is_sid) {
+			has_sid = security_token_has_sid(security_token,
+							 &group_ace->trustee);
+
+			if (has_sid) {
+				return true;
+			}
+		}
+
+	}
+
+	/*
 	 * if it's the current user, we already have the unix token
 	 * and don't need to do the complex user_in_group_sid() call
 	 */
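Review bot: `SMB_ASSERT(security_token);` turns a missing token into a process panic. After patch 02 of this series `conn->session_info` can come from a Python caller, so that precondition is no longer guaranteed by smbd itself. Treating a NULL token as "no fast path" is safer: replace the assert with the guard `if (conn->session_info != NULL && conn->session_info->security_token != NULL) {`, which lets such callers fall through to the existing lookup below. It is also worth a comment that a miss here (`is_sid` or `has_sid` false) deliberately falls through rather than returning false, because the result feeds an ACL mapping decision and the token contents are trusted as supplied. The function body continues outside this hunk.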
-- 
2.11.0


From d2043897e65195e2781f4a88739b35fbfb231af3 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Tue, 3 Jul 2018 10:20:39 +1200
Subject: [PATCH 05/16] ntacls: reuse predefined SECURITY_SECINFO_FLAGS

Use predefined SECURITY_SECINFO_FLAGS to replace bitwise or operations
on flag list.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/ntacls.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/python/samba/ntacls.py b/python/samba/ntacls.py
index e5178115f66..dee906acd21 100644
--- a/python/samba/ntacls.py
+++ b/python/samba/ntacls.py
@@ -114,7 +114,7 @@ def getntacl(lp, file, backend=None, eadbfile=None, direct_db_access=True, servi
         elif ntacl.version == 4:
             return ntacl.info.sd
     else:
-        return smbd.get_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, service=service)
+        return smbd.get_nt_acl(file, SECURITY_SECINFO_FLAGS, service=service)
 
 
 def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True, skip_invalid_chown=False, passdb=None, service=None):
@@ -150,7 +150,7 @@ def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True
                     sd2 = sd
                     sd2.owner_sid = administrator
 
-                    smbd.set_nt_acl(file, security.SECINFO_OWNER |security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd2, service=service)
+                    smbd.set_nt_acl(file, SECURITY_SECINFO_FLAGS, sd2, service=service)
 
                     # and then set an NTVFS ACL (which does not set the posix ACL) to pretend the owner really was set
                     use_ntvfs = True
@@ -184,7 +184,7 @@ def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True
             samba.xattr_native.wrap_setxattr(file, xattr.XATTR_NTACL_NAME,
                                              ndr_pack(ntacl))
     else:
-        smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
+        smbd.set_nt_acl(file, SECURITY_SECINFO_FLAGS, sd, service=service)
 
 
 def ldapmask2filemask(ldm):
-- 
2.11.0


From 3f3e7070c81f6f4f879497efb76d6dcd3874e691 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 10:27:23 +1200
Subject: [PATCH 06/16] ntacls: add session_info arg to setntacl and pass down
 to set_nt_acl api

The underlying code can then reuse the authentication info in the session
to improve performance.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/ntacls.py | 39 +++++++++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 4 deletions(-)

diff --git a/python/samba/ntacls.py b/python/samba/ntacls.py
index dee906acd21..32ceb54fd1b 100644
--- a/python/samba/ntacls.py
+++ b/python/samba/ntacls.py
@@ -30,6 +30,7 @@ from samba.samba3 import param as s3param
 from samba.dcerpc import security, xattr, idmap
 from samba.ndr import ndr_pack, ndr_unpack
 from samba.samba3 import smbd
+from samba.auth import admin_session
 from samba import smb
 
 # don't include volumes
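Review bot: `from samba.auth import admin_session` is added here, but none of the hunks in this patch use `admin_session`. The docstring added to `setntacl` in the same patch tells callers not to use that API. Unless another part of the file needs it, the import should be dropped so the module does not suggest it is the intended way to build `session_info`.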
@@ -117,7 +118,28 @@ def getntacl(lp, file, backend=None, eadbfile=None, direct_db_access=True, servi
         return smbd.get_nt_acl(file, SECURITY_SECINFO_FLAGS, service=service)
 
 
-def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True, skip_invalid_chown=False, passdb=None, service=None):
+def setntacl(lp, file, sddl, domsid,
+             backend=None, eadbfile=None,
+             use_ntvfs=True, skip_invalid_chown=False,
+             passdb=None, service=None, session_info=None):
+    """
+    A wrapper for smbd set_nt_acl api.
+
+    Args:
+        lp (LoadParam): load param from conf
+        file (str): a path to file or dir
+        sddl (str): ntacl sddl string
+        service (str): name of share service, e.g.: sysvol
+        session_info (auth_session_info): session info for authentication
+
+    Note:
+        Get `session_info` with `samba.auth.user_session`, do not use the
+        `admin_session` api.
+
+    Returns:
+        None
+    """
+
     assert(isinstance(domsid, str) or isinstance(domsid, security.dom_sid))
     if isinstance(domsid, str):
         sid = security.dom_sid(domsid)
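Review bot: The docstring's Note tells callers to use `samba.auth.user_session` and not `admin_session`, but gives no reason, so a later maintainer cannot tell whether this is a correctness or a performance constraint. The author should add one sentence with the reason. The `Args` list also omits `domsid`, `backend`, `eadbfile`, `use_ntvfs`, `skip_invalid_chown` and `passdb`. It should also state that `session_info=None` keeps the previous behaviour and that a supplied token is trusted as-is by the smbd layer for group-membership checks. The function body continues outside this hunk.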
@@ -150,7 +172,9 @@ def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True
                     sd2 = sd
                     sd2.owner_sid = administrator
 
-                    smbd.set_nt_acl(file, SECURITY_SECINFO_FLAGS, sd2, service=service)
+                    smbd.set_nt_acl(
+                        file, SECURITY_SECINFO_FLAGS, sd2,
+                        service=service, session_info=session_info)
 
                     # and then set an NTVFS ACL (which does not set the posix ACL) to pretend the owner really was set
                     use_ntvfs = True
@@ -163,7 +187,12 @@ def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True
                 # This won't work in test environments, as it tries a real (rather than xattr-based fake) chown
 
                 os.chown(file, 0, 0)
-                smbd.set_nt_acl(file, security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
+                smbd.set_nt_acl(
+                    file,
+                    security.SECINFO_GROUP |
+                    security.SECINFO_DACL |
+                    security.SECINFO_SACL,
+                    sd, service=service, session_info=session_info)
 
     if use_ntvfs:
         (backend_obj, dbname) = checkset_backend(lp, backend, eadbfile)
@@ -184,7 +213,9 @@ def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True
             samba.xattr_native.wrap_setxattr(file, xattr.XATTR_NTACL_NAME,
                                              ndr_pack(ntacl))
     else:
-        smbd.set_nt_acl(file, SECURITY_SECINFO_FLAGS, sd, service=service)
+        smbd.set_nt_acl(
+            file, SECURITY_SECINFO_FLAGS, sd,
+            service=service, session_info=session_info)
 
 
 def ldapmask2filemask(ldm):
-- 
2.11.0


From 5c3b783609ed33ef8bdbe86dbe65e7c5daf4cf4e Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 12:07:25 +1200
Subject: [PATCH 07/16] provision/setsysvolacl: build session_info and pass
 down to setntacl

Get the admin session info, and pass it down to setntacl.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/provision/__init__.py | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 8bdb95ccfa8..976503ecc0c 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -46,6 +46,7 @@ import ldb
 
 from samba.auth import system_session, admin_session
 import samba
+from samba import auth
 from samba.samba3 import smbd, passdb
 from samba.samba3 import param as s3param
 from samba.dsdb import DS_DOMAIN_FUNCTION_2000
@@ -1687,23 +1688,36 @@ def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
     else:
         canchown = True
 
+    # use admin sid dn as user dn, since admin should own most of the files,
+    # the operation will be much faster
+    userdn = '<SID={}-{}>'.format(domainsid, security.DOMAIN_RID_ADMINISTRATOR)
+
+    flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
+             auth.AUTH_SESSION_INFO_AUTHENTICATED |
+             auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
+
+    session_info = auth.user_session(samdb, lp_ctx=lp, dn=userdn,
+                                     session_info_flags=flags)
+
     # Set the SYSVOL_ACL on the sysvol folder and subfolder (first level)
     setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs,
              skip_invalid_chown=True, passdb=s4_passdb,
-             service=SYSVOL_SERVICE)
+             service=SYSVOL_SERVICE, session_info=session_info)
     for root, dirs, files in os.walk(sysvol, topdown=False):
         for name in files:
             if use_ntvfs and canchown:
                 os.chown(os.path.join(root, name), -1, gid)
             setntacl(lp, os.path.join(root, name), SYSVOL_ACL, str(domainsid),
                      use_ntvfs=use_ntvfs, skip_invalid_chown=True,
-                     passdb=s4_passdb, service=SYSVOL_SERVICE)
+                     passdb=s4_passdb, service=SYSVOL_SERVICE,
+                     session_info=session_info)
         for name in dirs:
             if use_ntvfs and canchown:
                 os.chown(os.path.join(root, name), -1, gid)
             setntacl(lp, os.path.join(root, name), SYSVOL_ACL, str(domainsid),
                      use_ntvfs=use_ntvfs, skip_invalid_chown=True,
-                     passdb=s4_passdb, service=SYSVOL_SERVICE)
+                     passdb=s4_passdb, service=SYSVOL_SERVICE,
+                     session_info=session_info)
 
     # Set acls on Policy folder and policies folders
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
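Review bot: The comment above `userdn` gives only the speed motive. It does not say that `auth.user_session(...)` builds a token for the domain Administrator (RID 500) without any authentication step, with `AUTH_SESSION_INFO_AUTHENTICATED` set in `flags`. As far as this series shows, that token is used only as a membership cache while ACLs are written, and the comment should say so to stop it being reused for access decisions, for example `# synthesized Administrator token, used only to short-circuit SID/group lookups in smbd; not proof of an authenticated user`. It would also help to state what happens if `user_session` raises: the reset now fails at that point instead of proceeding without a session.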
-- 
2.11.0


From abc1fda22e20ec3762d5085a3d8ed3d01e7f1f31 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 13:03:44 +1200
Subject: [PATCH 08/16] provision/setsysvolacl: create helper function to
 simplify code

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/provision/__init__.py | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 976503ecc0c..066411ab8d7 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1699,25 +1699,24 @@ def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
     session_info = auth.user_session(samdb, lp_ctx=lp, dn=userdn,
                                      session_info_flags=flags)
 
+    def _setntacl(path):
+        """A helper to reuse args"""
+        return setntacl(
+            lp, path, SYSVOL_ACL, str(domainsid),
+            use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb,
+            service=SYSVOL_SERVICE, session_info=session_info)
+
     # Set the SYSVOL_ACL on the sysvol folder and subfolder (first level)
-    setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs,
-             skip_invalid_chown=True, passdb=s4_passdb,
-             service=SYSVOL_SERVICE, session_info=session_info)
+    _setntacl(sysvol)
     for root, dirs, files in os.walk(sysvol, topdown=False):
         for name in files:
             if use_ntvfs and canchown:
                 os.chown(os.path.join(root, name), -1, gid)
-            setntacl(lp, os.path.join(root, name), SYSVOL_ACL, str(domainsid),
-                     use_ntvfs=use_ntvfs, skip_invalid_chown=True,
-                     passdb=s4_passdb, service=SYSVOL_SERVICE,
-                     session_info=session_info)
+            _setntacl(os.path.join(root, name))
         for name in dirs:
             if use_ntvfs and canchown:
                 os.chown(os.path.join(root, name), -1, gid)
-            setntacl(lp, os.path.join(root, name), SYSVOL_ACL, str(domainsid),
-                     use_ntvfs=use_ntvfs, skip_invalid_chown=True,
-                     passdb=s4_passdb, service=SYSVOL_SERVICE,
-                     session_info=session_info)
+            _setntacl(os.path.join(root, name))
 
     # Set acls on Policy folder and policies folders
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
-- 
2.11.0


From fc2ae9e83618376a07af3d1f48c205bdfd112660 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 14:52:02 +1200
Subject: [PATCH 09/16] tests/posixacl: rm commented code

The example is already in code, no need to keep it here.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/tests/posixacl.py | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 74cabf1bb70..38f578e0d35 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -28,14 +28,6 @@ import os
 from samba.samba3 import smbd, passdb
 from samba.samba3 import param as s3param
 
-# To print a posix ACL use:
-#        for entry in posix_acl.acl:
-#            print "a_type: %d" % entry.a_type
-#            print "a_perm: %o" % entry.a_perm
-#            if entry.a_type == smb_acl.SMB_ACL_USER:
-#                print "uid: %d" % entry.uid
-#            if entry.a_type == smb_acl.SMB_ACL_GROUP:
-#                print "gid: %d" % entry.gid
 
 class PosixAclMappingTests(TestCaseInTempDir):
 
-- 
2.11.0


From a00a510bbe035dd986dab521daaae2a62c6c6792 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 15:18:26 +1200
Subject: [PATCH 10/16] tests/posixacl: define global DOM_SID to make code DRY

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/tests/posixacl.py | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 38f578e0d35..462ee7ef12d 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -28,6 +28,8 @@ import os
 from samba.samba3 import smbd, passdb
 from samba.samba3 import param as s3param
 
+DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467"
+
 
 class PosixAclMappingTests(TestCaseInTempDir):
 
@@ -44,18 +46,18 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
 
     def test_setntacl_smbd_getntacl(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
         facl = getntacl(self.lp, self.tempf, direct_db_access=True)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
 
     def test_setntacl_smbd_setposixacl_getntacl(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
 
         # This will invalidate the ACL, as we have a hook!
         smbd.set_simple_acl(self.tempf, 0o640)
@@ -69,7 +71,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl_invalidate_getntacl(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
 
         # This should invalidate the ACL, as we include the posix ACL in the hash
         (backend_obj, dbname) = checkset_backend(self.lp, None, None)
@@ -83,7 +85,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl_invalidate_getntacl_smbd(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
 
         # This should invalidate the ACL, as we include the posix ACL in the hash
         (backend_obj, dbname) = checkset_backend(self.lp, None, None)
@@ -99,7 +101,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         os.chmod(self.tempf, 0o750)
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
 
         # This should invalidate the ACL, as we include the posix ACL in the hash
         (backend_obj, dbname) = checkset_backend(self.lp, None, None)
@@ -113,14 +115,14 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl_getntacl_smbd(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
 
     def test_setntacl_smbd_getntacl_smbd(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
@@ -128,7 +130,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
     def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
         smbd.set_simple_acl(self.tempf, 0o640)
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
@@ -139,7 +141,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
         s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
@@ -152,14 +154,14 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl_smbd_getntacl_smbd_gpo(self):
         acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
-        domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
+        domsid = security.dom_sid(DOM_SID)
         self.assertEquals(facl.as_sddl(domsid),acl)
 
     def test_setntacl_getposixacl(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
         facl = getntacl(self.lp, self.tempf)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
-- 
2.11.0


From 4071de88dc3fc83450af3ae974ff7d51dc2e03d8 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 15:25:56 +1200
Subject: [PATCH 11/16] tests/posixacl: define global ACL to make code DRY

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/tests/posixacl.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 462ee7ef12d..982861c824c 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -29,6 +29,7 @@ from samba.samba3 import smbd, passdb
 from samba.samba3 import param as s3param
 
 DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467"
+ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 
 
 class PosixAclMappingTests(TestCaseInTempDir):
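Review bot: The new `ACL` constant repeats the domain SID literal three times directly below `DOM_SID`, so the two module constants can drift apart if the test SID is ever changed. Building it from the existing constant keeps them tied together: `ACL = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (DOM_SID, DOM_SID, DOM_SID)`. The `simple_acl_from_posix` strings further down the file still carry the same literal and could be handled the same way in a follow-up.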
@@ -45,18 +46,18 @@ class PosixAclMappingTests(TestCaseInTempDir):
         return aclstr
 
     def test_setntacl(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
 
     def test_setntacl_smbd_getntacl(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
         facl = getntacl(self.lp, self.tempf, direct_db_access=True)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
 
     def test_setntacl_smbd_setposixacl_getntacl(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
 
         # This will invalidate the ACL, as we have a hook!
@@ -70,7 +71,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
             pass
 
     def test_setntacl_invalidate_getntacl(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
 
         # This should invalidate the ACL, as we include the posix ACL in the hash
@@ -84,7 +85,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(acl, facl.as_sddl(anysid))
 
     def test_setntacl_invalidate_getntacl_smbd(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
 
         # This should invalidate the ACL, as we include the posix ACL in the hash
@@ -98,7 +99,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(acl, facl.as_sddl(anysid))
 
     def test_setntacl_smbd_invalidate_getntacl_smbd(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         os.chmod(self.tempf, 0o750)
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
@@ -114,21 +115,21 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
 
     def test_setntacl_getntacl_smbd(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
 
     def test_setntacl_smbd_getntacl_smbd(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
 
     def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
@@ -138,7 +139,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
 
     def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
@@ -160,7 +161,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(facl.as_sddl(domsid),acl)
 
     def test_setntacl_getposixacl(self):
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+        acl = ACL
         setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
         facl = getntacl(self.lp, self.tempf)
         anysid = security.dom_sid(security.SID_NT_SELF)
-- 
2.11.0


From 4d8fd1506b86a0cbc0d9cae984f5c0525cab14a1 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 15:28:16 +1200
Subject: [PATCH 12/16] tests/posixacl: remove unused imports

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/tests/posixacl.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 982861c824c..b01234d239d 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -19,11 +19,9 @@
 """Tests for the Samba3 NT -> posix ACL layer"""
 
 from samba.ntacls import setntacl, getntacl, checkset_backend
-from samba.dcerpc import xattr, security, smb_acl, idmap
-from samba.param import LoadParm
+from samba.dcerpc import security, smb_acl, idmap
 from samba.tests import TestCaseInTempDir
 from samba import provision
-import random
 import os
 from samba.samba3 import smbd, passdb
 from samba.samba3 import param as s3param
-- 
2.11.0


From e8b28de1773e56844fe3c2a36b6a9390451f7438 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 15:35:14 +1200
Subject: [PATCH 13/16] tests/posixacl: use assertRaises to simplify code

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/tests/posixacl.py | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index b01234d239d..72059bc8f84 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -62,11 +62,8 @@ class PosixAclMappingTests(TestCaseInTempDir):
         smbd.set_simple_acl(self.tempf, 0o640)
 
         # However, this only asks the xattr
-        try:
-            facl = getntacl(self.lp, self.tempf, direct_db_access=True)
-            self.assertTrue(False)
-        except TypeError:
-            pass
+        self.assertRaises(
+            TypeError, getntacl, self.lp, self.tempf, direct_db_access=True)
 
     def test_setntacl_invalidate_getntacl(self):
         acl = ACL
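Review bot: `assertRaises(TypeError, getntacl, ...)` here, and again in `test_setposixacl_getntacl` in the next hunk, also passes when the TypeError comes from the call itself, for example after a change to the `getntacl` signature. The test can then go green without ever reaching the missing-xattr case. That was already true of the try/except being replaced, but the one-line form makes it easier to overlook. A comment above the call, such as `# getntacl raises TypeError when no NT ACL xattr is stored (confirm)`, would record what the exception is expected to mean. The enclosing test starts outside this hunk.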
@@ -184,14 +181,9 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(posix_acl.acl[3].a_perm, 6)
 
     def test_setposixacl_getntacl(self):
-        acl = ""
         smbd.set_simple_acl(self.tempf, 0o750)
-        try:
-            facl = getntacl(self.lp, self.tempf)
-            self.assertTrue(False)
-        except TypeError:
-            # We don't expect the xattr to be filled in in this case
-            pass
+        # We don't expect the xattr to be filled in in this case
+        self.assertRaises(TypeError, getntacl, self.lp, self.tempf)
 
     def test_setposixacl_getntacl_smbd(self):
         s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
-- 
2.11.0


From 137db4d5fb9d4f06cbcabbe350917b4fc5a8eb31 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Wed, 4 Jul 2018 15:50:40 +1200
Subject: [PATCH 14/16] tests/posixacl: rm duplicated test

There are 2 copies of `test_setposixacl_getposixacl`; this patch removes
the first copy, which was overwritten by the second one.

They are 99% the same except in the last line a_perm is 6 vs 7, and 7 is
the correct number.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/tests/posixacl.py | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 72059bc8f84..5c4cdad9d31 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -163,23 +163,6 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(facl.as_sddl(anysid),acl)
         posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 
-    def test_setposixacl_getposixacl(self):
-        smbd.set_simple_acl(self.tempf, 0o640)
-        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
-        self.assertEquals(posix_acl.count, 4, self.print_posix_acl(posix_acl))
-
-        self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
-        self.assertEquals(posix_acl.acl[0].a_perm, 6)
-
-        self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
-        self.assertEquals(posix_acl.acl[1].a_perm, 4)
-
-        self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
-        self.assertEquals(posix_acl.acl[2].a_perm, 0)
-
-        self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
-        self.assertEquals(posix_acl.acl[3].a_perm, 6)
-
     def test_setposixacl_getntacl(self):
         smbd.set_simple_acl(self.tempf, 0o750)
         # We don't expect the xattr to be filled in in this case
-- 
2.11.0


From c4b9bde9d3863868a501b023bfaf158bab220d97 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Fri, 6 Jul 2018 10:32:17 +1200
Subject: [PATCH 15/16] tests/posixacl: move setUp and tearDown to top

Make it easier to find out what we have in the test.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/tests/posixacl.py | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 5c4cdad9d31..175fcb2c177 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -32,6 +32,20 @@ ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695
 
 class PosixAclMappingTests(TestCaseInTempDir):
 
+    def setUp(self):
+        super(PosixAclMappingTests, self).setUp()
+        s3conf = s3param.get_context()
+        s3conf.load(self.get_loadparm().configfile)
+        s3conf.set("xattr_tdb:file", os.path.join(self.tempdir, "xattr.tdb"))
+        self.lp = s3conf
+        self.tempf = os.path.join(self.tempdir, "test")
+        open(self.tempf, 'w').write("empty")
+
+    def tearDown(self):
+        smbd.unlink(self.tempf)
+        os.unlink(os.path.join(self.tempdir, "xattr.tdb"))
+        super(PosixAclMappingTests, self).tearDown()
+
     def print_posix_acl(self, posix_acl):
         aclstr = ""
         for entry in posix_acl.acl:
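Review bot: In the moved `setUp`, `open(self.tempf, 'w').write("empty")` never closes the file explicitly and relies on the interpreter releasing the handle before the ACL calls touch the same path. Since the block is being rewritten anyway, I would use `with open(self.tempf, 'w') as f:` followed by `f.write("empty")`. In `tearDown`, a failure in `smbd.unlink` also skips the removal of xattr.tdb and the `super().tearDown()` call, so a try/finally around the two unlinks is worth considering.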
@@ -774,19 +788,3 @@ class PosixAclMappingTests(TestCaseInTempDir):
 # a_perm: 7
 # uid: -1
 # gid: -1
-
-#
-
-    def setUp(self):
-        super(PosixAclMappingTests, self).setUp()
-        s3conf = s3param.get_context()
-        s3conf.load(self.get_loadparm().configfile)
-        s3conf.set("xattr_tdb:file", os.path.join(self.tempdir,"xattr.tdb"))
-        self.lp = s3conf
-        self.tempf = os.path.join(self.tempdir, "test")
-        open(self.tempf, 'w').write("empty")
-
-    def tearDown(self):
-        smbd.unlink(self.tempf)
-        os.unlink(os.path.join(self.tempdir,"xattr.tdb"))
-        super(PosixAclMappingTests, self).tearDown()
-- 
2.11.0


From c9ce1dc70704937ac6b3b157ca94e32c2c98b7a1 Mon Sep 17 00:00:00 2001
From: Joe Guo <joeg at catalyst.net.nz>
Date: Fri, 6 Jul 2018 10:36:54 +1200
Subject: [PATCH 16/16] tests/posixacl: derive a new testcase to run same tests
 with session

1. existing tests still run with session_info=None
2. new class overrides `get_session_info` to return a session, so the same
set of tests will run again, but with a session.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/tests/posixacl.py | 92 +++++++++++++++++++++++++++++++++---------
 1 file changed, 72 insertions(+), 20 deletions(-)

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 175fcb2c177..4261ef36544 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -25,6 +25,8 @@ from samba import provision
 import os
 from samba.samba3 import smbd, passdb
 from samba.samba3 import param as s3param
+from samba import auth
+from samba.samdb import SamDB
 
 DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467"
 ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
@@ -40,12 +42,22 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.lp = s3conf
         self.tempf = os.path.join(self.tempdir, "test")
         open(self.tempf, 'w').write("empty")
+        self.samdb = SamDB(lp=self.lp, session_info=auth.system_session())
 
     def tearDown(self):
         smbd.unlink(self.tempf)
         os.unlink(os.path.join(self.tempdir, "xattr.tdb"))
         super(PosixAclMappingTests, self).tearDown()
 
+    def get_session_info(self, domsid=DOM_SID):
+        """
+        Get session_info for setntacl.
+
+        This test case always return None, to run tests without session_info
+        like before. To be overrided in derived class.
+        """
+        return None
+
     def print_posix_acl(self, posix_acl):
         aclstr = ""
         for entry in posix_acl.acl:
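Review bot: `self.samdb = SamDB(lp=self.lp, session_info=auth.system_session())` is added to the base class `setUp`, but in the hunks shown only `SessionedPosixAclMappingTests.get_session_info` reads `self.samdb`. Every test in the run without a session therefore opens the SAM database as system without using it, and would presumably fail in `setUp` if the database cannot be opened. I would move the assignment into a `setUp` override in the derived class that calls `super().setUp()` first. The docstring wording could be tightened at the same time: `This test case always returns None` and `To be overridden in derived classes.` The base `setUp` starts outside this hunk.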
@@ -59,18 +71,21 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl(self):
         acl = ACL
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
+                 session_info=self.get_session_info())
 
     def test_setntacl_smbd_getntacl(self):
         acl = ACL
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
+                 session_info=self.get_session_info())
         facl = getntacl(self.lp, self.tempf, direct_db_access=True)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
 
     def test_setntacl_smbd_setposixacl_getntacl(self):
         acl = ACL
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
+                 session_info=self.get_session_info())
 
         # This will invalidate the ACL, as we have a hook!
         smbd.set_simple_acl(self.tempf, 0o640)
@@ -81,7 +96,8 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl_invalidate_getntacl(self):
         acl = ACL
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
+                 session_info=self.get_session_info())
 
         # This should invalidate the ACL, as we include the posix ACL in the hash
         (backend_obj, dbname) = checkset_backend(self.lp, None, None)
@@ -95,7 +111,8 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl_invalidate_getntacl_smbd(self):
         acl = ACL
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
+                 session_info=self.get_session_info())
 
         # This should invalidate the ACL, as we include the posix ACL in the hash
         (backend_obj, dbname) = checkset_backend(self.lp, None, None)
@@ -111,7 +128,8 @@ class PosixAclMappingTests(TestCaseInTempDir):
         acl = ACL
         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         os.chmod(self.tempf, 0o750)
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
+                 session_info=self.get_session_info())
 
         # This should invalidate the ACL, as we include the posix ACL in the hash
         (backend_obj, dbname) = checkset_backend(self.lp, None, None)
@@ -125,14 +143,16 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl_getntacl_smbd(self):
         acl = ACL
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
+                 session_info=self.get_session_info())
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
 
     def test_setntacl_smbd_getntacl_smbd(self):
         acl = ACL
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
+                 session_info=self.get_session_info())
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
@@ -140,7 +160,8 @@ class PosixAclMappingTests(TestCaseInTempDir):
     def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
         acl = ACL
         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
+                 session_info=self.get_session_info())
         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
         smbd.set_simple_acl(self.tempf, 0o640)
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
@@ -151,7 +172,8 @@ class PosixAclMappingTests(TestCaseInTempDir):
         acl = ACL
         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
+                 session_info=self.get_session_info())
         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
         s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
@@ -164,14 +186,16 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl_smbd_getntacl_smbd_gpo(self):
         acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
+                 session_info=self.get_session_info())
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
         domsid = security.dom_sid(DOM_SID)
         self.assertEquals(facl.as_sddl(domsid),acl)
 
     def test_setntacl_getposixacl(self):
         acl = ACL
-        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
+        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
+                 session_info=self.get_session_info())
         facl = getntacl(self.lp, self.tempf)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(facl.as_sddl(anysid),acl)
@@ -287,7 +311,9 @@ class PosixAclMappingTests(TestCaseInTempDir):
     def test_setntacl_sysvol_check_getposixacl(self):
         acl = provision.SYSVOL_ACL
         domsid = passdb.get_global_sam_sid()
-        setntacl(self.lp, self.tempf,acl,str(domsid), use_ntvfs=False)
+        session_info = self.get_session_info(domsid)
+        setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
+                 session_info=session_info)
         facl = getntacl(self.lp, self.tempf)
         self.assertEquals(facl.as_sddl(domsid),acl)
         posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
@@ -327,7 +353,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
 
         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
-        if nwrap_winbind_active:
+        if nwrap_winbind_active or session_info:
             self.assertEquals(posix_acl.acl[1].a_perm, 7)
         else:
             self.assertEquals(posix_acl.acl[1].a_perm, 6)
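Review bot: With the condition `nwrap_winbind_active or session_info`, the POSIX ACL expected for the same NT ACL now depends on whether a session is passed (a_perm 7 with a token, 6 without one and without winbind), and nothing in the test says why. The same change is made in the hunks at -337, -676 and -686. Because the series is presented as a performance change, a difference in the resulting permissions should be stated explicitly. A comment above the branch, such as `# with a security token the membership check succeeds without winbind, so the entry maps to rwx (confirm against posix_acls.c)`, would record that it is intended. The enclosing test starts and ends outside this hunk.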
@@ -337,7 +363,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 
         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
-        if nwrap_winbind_active:
+        if nwrap_winbind_active or session_info:
             self.assertEquals(posix_acl.acl[3].a_perm, 7)
         else:
             self.assertEquals(posix_acl.acl[3].a_perm, 6)
@@ -433,7 +459,9 @@ class PosixAclMappingTests(TestCaseInTempDir):
     def test_setntacl_sysvol_dir_check_getposixacl(self):
         acl = provision.SYSVOL_ACL
         domsid = passdb.get_global_sam_sid()
-        setntacl(self.lp, self.tempdir,acl,str(domsid), use_ntvfs=False)
+        session_info = self.get_session_info(domsid)
+        setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
+                 session_info=session_info)
         facl = getntacl(self.lp, self.tempdir)
         self.assertEquals(facl.as_sddl(domsid),acl)
         posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
@@ -526,7 +554,9 @@ class PosixAclMappingTests(TestCaseInTempDir):
     def test_setntacl_policies_dir_check_getposixacl(self):
         acl = provision.POLICIES_ACL
         domsid = passdb.get_global_sam_sid()
-        setntacl(self.lp, self.tempdir,acl,str(domsid), use_ntvfs=False)
+        session_info = self.get_session_info(domsid)
+        setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
+                 session_info=session_info)
         facl = getntacl(self.lp, self.tempdir)
         self.assertEquals(facl.as_sddl(domsid),acl)
         posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
@@ -633,7 +663,9 @@ class PosixAclMappingTests(TestCaseInTempDir):
         acl = provision.POLICIES_ACL
 
         domsid = passdb.get_global_sam_sid()
-        setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False)
+        session_info = self.get_session_info(domsid)
+        setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
+            session_info=session_info)
         facl = getntacl(self.lp, self.tempf)
         self.assertEquals(facl.as_sddl(domsid),acl)
         posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
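Review bot: The continuation line `session_info=session_info)` is indented by a fixed 12 spaces here, while the same call in the other hunks of this patch aligns it under the opening parenthesis of `setntacl(`. Aligning it as `                 session_info=session_info)` keeps the file consistent. The enclosing test starts outside this hunk.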
@@ -676,7 +708,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
 
         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
-        if nwrap_winbind_active:
+        if nwrap_winbind_active or session_info:
             self.assertEquals(posix_acl.acl[1].a_perm, 7)
         else:
             self.assertEquals(posix_acl.acl[1].a_perm, 6)
@@ -686,7 +718,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 
         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
-        if nwrap_winbind_active:
+        if nwrap_winbind_active or session_info:
             self.assertEquals(posix_acl.acl[3].a_perm, 7)
         else:
             self.assertEquals(posix_acl.acl[3].a_perm, 6)
@@ -788,3 +820,23 @@ class PosixAclMappingTests(TestCaseInTempDir):
 # a_perm: 7
 # uid: -1
 # gid: -1
+
+class SessionedPosixAclMappingTests(PosixAclMappingTests):
+    """
+    Run same test suite with session enabled.
+    """
+
+    def get_session_info(self, domsid=DOM_SID):
+        """
+        Get session_info for setntacl.
+        """
+        if str(domsid) != str(self.samdb.get_domain_sid()):
+            # fake it with admin session as domsid is not in local db
+            return auth.admin_session(self.lp, str(domsid))
+
+        dn = '<SID={}-{}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
+        flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
+                 auth.AUTH_SESSION_INFO_AUTHENTICATED |
+                 auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
+        return auth.user_session(self.samdb, lp_ctx=self.lp, dn=dn,
+                                 session_info_flags=flags)
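Review bot: Both branches of `get_session_info` return an administrator-level session (`auth.admin_session`, or a `user_session` for the domain Administrator RID), so the run with a session only exercises the token path for an identity expected to hold every group the ACLs name. Nothing here checks that a token lacking the group yields the lower permission, which is where a shortcut in the membership check would matter most. I would record that in the class docstring, e.g. `Run same test suite with an administrator session; tokens without the group are not covered.`, and consider a follow-up test with an unprivileged user. The `'<SID={}-{}>'` branch is presumably reached only when a caller passes the local domain SID, since the default `DOM_SID` is a fixed test value. The method docstring should describe both branches instead of only `Get session_info for setntacl.`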
-- 
2.11.0


