CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules...
authorAndrew Bartlett <abartlet@samba.org>
Mon, 13 Sep 2021 08:34:54 +0000 (20:34 +1200)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:09 +0000 (10:52 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
selftest/knownfail.d/priv_attr
source4/dsdb/tests/python/priv_attrs.py

index c3a779010d9e811d2dc82872a7c2c6df077c10a7..4b85a8690892c38720ca75cc1179b9569c3512a1 100644 (file)
@@ -1,7 +1,3 @@
-samba4.priv_attrs.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_admin-add_WP_computer
-samba4.priv_attrs.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_admin-add_WP_user
-samba4.priv_attrs.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_admin-add_default_computer
-samba4.priv_attrs.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_admin-add_default_user
 samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_CC_WP_computer
 samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_CC_WP_user
 samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_CC_default_computer
@@ -14,13 +10,5 @@ samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_use
 samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-RODC_add_CC_default_user
 samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-computer_add_CC_WP_user
 samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-computer_add_CC_default_user
-samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_CC_WP_computer
-samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_CC_WP_user
-samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_CC_default_computer
-samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_CC_default_user
-samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_admin-add_WP_computer
-samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_admin-add_WP_user
-samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_admin-add_default_computer
-samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_admin-add_default_user
-samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_mod-del-add_CC_default_computer
-samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_mod-replace_CC_default_computer
+samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-t4d-computer_add_CC_WP_user
+samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-t4d-computer_add_CC_default_user
index ec2b13045e5a0887e362b25b2337191ec498588f..aa35dcc1317dd58b59e1f719607ce384f1398d5a 100644 (file)
@@ -99,30 +99,47 @@ attrs = {"sidHistory":
          {"value": ndr_pack(security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)),
           "priv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
           "unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS},
-        "msDS-AllowedToDelegateTo":
+
+         "msDS-AllowedToDelegateTo":
          {"value": f"host/{host}",
           "unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS},
-        "userAccountControl-a2d-user":
+
+         "userAccountControl-a2d-user":
          {"attr": "userAccountControl",
-          "value": str(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION|UF_NORMAL_ACCOUNT),
-          "priv-error": ldb.ERR_UNWILLING_TO_PERFORM,
-          "unpriv-add-error": ldb.ERR_UNWILLING_TO_PERFORM,
+          "value": str(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION|UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD),
           "unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS},
-        "userAccountControl-a2d-computer":
+
+         "userAccountControl-a2d-computer":
          {"attr": "userAccountControl",
           "value": str(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION|UF_WORKSTATION_TRUST_ACCOUNT),
           "unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
           "only-1": "computer"},
-        "userAccountControl-DC":
+
+         # This flag makes many legitimate authenticated clients
+         # send a forwardable ticket-granting-ticket to the server
+         "userAccountControl-t4d-user":
+         {"attr": "userAccountControl",
+          "value": str(UF_TRUSTED_FOR_DELEGATION|UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD),
+          "unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS},
+
+         "userAccountControl-t4d-computer":
+         {"attr": "userAccountControl",
+          "value": str(UF_TRUSTED_FOR_DELEGATION|UF_WORKSTATION_TRUST_ACCOUNT),
+          "unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
+          "only-1": "computer"},
+
+         "userAccountControl-DC":
          {"attr": "userAccountControl",
           "value": str(UF_SERVER_TRUST_ACCOUNT),
           "unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
           "only-2": "computer"},
-        "userAccountControl-RODC":
+
+         "userAccountControl-RODC":
          {"attr": "userAccountControl",
           "value": str(UF_PARTIAL_SECRETS_ACCOUNT|UF_WORKSTATION_TRUST_ACCOUNT),
           "unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
           "only-1": "computer"},
+
          "msDS-SecondaryKrbTgtNumber":
          {"value": "65536",
           "unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS},
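Review bot: The UF_PASSWD_NOTREQD bit newly OR-ed into the userAccountControl-a2d-user value, and carried into the new userAccountControl-t4d-user value, is left unexplained in the dict even though the commit title calls it a workaround for UF_NORMAL_ACCOUNT rules; the dropped `"priv-error": ldb.ERR_UNWILLING_TO_PERFORM` and `"unpriv-add-error"` entries suggest that was the failure being avoided, but that is inferred from the diff rather than stated. I would add a comment above both user entries, e.g. `# UF_PASSWD_NOTREQD only works around the UF_NORMAL_ACCOUNT rule that otherwise rejects the add (presumably ERR_UNWILLING_TO_PERFORM); it is not the privilege under test`, so a later cleanup does not drop the bit and silently break the case. The new comment above userAccountControl-t4d-user says "This flag" without naming it, and it sits over only one of the two entries that carry UF_TRUSTED_FOR_DELEGATION; naming the flag, e.g. `# UF_TRUSTED_FOR_DELEGATION: many legitimate authenticated clients send a forwardable TGT to a server carrying this flag, so setting it must stay privileged`, keeps the rationale attached to the flag rather than to the dict key. The enclosing `attrs = {` literal starts before the hunk and closes after it.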
@@ -369,13 +386,6 @@ class PrivAttrsTests(samba.tests.TestCase):
             self.fail(f"{test_name}: Unexpectedly able to set {attr} on {m.dn}")
         except LdbError as e5:
             (enum, estr) = e5.args
-            if attr == "userAccountControl" and sd == "default":
-                # We get a different error if we try and swap between
-                # being a computer back to being a user when created with "Create child" permissions
-                if (int(attrs[test_name]["value"]) & UF_NORMAL_ACCOUNT) \
-                   and objectclass == "computer" and permission == "CC":
-                    self.assertGotLdbError(ldb.ERR_UNWILLING_TO_PERFORM, enum)
-                    return
             self.assertGotLdbError(attrs[test_name]["unpriv-error"], enum)