From: Rob van der Linde
Date: Wed, 20 Mar 2024 11:10:11 +0000 (+1300)
Subject: netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group
X-Git-Tag: tdb-1.4.11~1322
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2cbacad82d62c9a952aadbf290b92c8fde564256;p=thirdparty%2Fsamba.git

netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group

Signed-off-by: Rob van der Linde
Reviewed-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---

diff --git a/python/samba/netcmd/domain/auth/policy/policy.py b/python/samba/netcmd/domain/auth/policy/policy.py
index 257e337d16d..6f7983cfa25 100644
--- a/python/samba/netcmd/domain/auth/policy/policy.py
+++ b/python/samba/netcmd/domain/auth/policy/policy.py
@@ -116,16 +116,6 @@ class ServiceOptions(options.OptionGroup):
 type=str, dest="allowed_to_authenticate_to", action="callback", callback=self.set_option, metavar="SDDL") - self.add_option("--service-allowed-to-authenticate-to-by-group", - help="The target service requires the connecting user to be in GROUP", - type=str, dest="allowed_to_authenticate_to_by_group", - action="callback", callback=self.set_option, - metavar="GROUP") - self.add_option("--service-allowed-to-authenticate-to-by-silo", - help="The target service requires the connecting user to be in SILO", - type=str, dest="allowed_to_authenticate_to_by_silo", - action="callback", callback=self.set_option, - metavar="SILO") class ComputerOptions(options.OptionGroup):
@@ -272,10 +262,6 @@ class cmd_domain_auth_policy_create(Command):
 [serviceopts.allowed_to_authenticate_from, serviceopts.allowed_to_authenticate_from_device_group, serviceopts.allowed_to_authenticate_from_device_silo]) - check_similar_args("--service-allowed-to-authenticate-to", - [serviceopts.allowed_to_authenticate_to, - serviceopts.allowed_to_authenticate_to_by_group, - serviceopts.allowed_to_authenticate_to_by_silo]) ldb = self.ldb_connect(hostopts, sambaopts, credopts) 
@@ -303,18 +289,6 @@ class cmd_domain_auth_policy_create(Command):
 ldb, cn=serviceopts.allowed_to_authenticate_from_device_silo) serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl() - # Generate SDDL for authenticating service accounts to a group - if serviceopts.allowed_to_authenticate_to_by_group: - group = Group.get( - ldb, cn=serviceopts.allowed_to_authenticate_to_by_group) - serviceopts.allowed_to_authenticate_to = group.get_authentication_sddl() - - # Generate SDDL for authenticating service accounts to a silo - if serviceopts.allowed_to_authenticate_to_by_silo: - silo = AuthenticationSilo.get( - ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo) - serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl() - try: policy = AuthenticationPolicy.get(ldb, cn=name) except ModelError as e:
@@ -418,10 +392,6 @@ class cmd_domain_auth_policy_modify(Command):
 [serviceopts.allowed_to_authenticate_from, serviceopts.allowed_to_authenticate_from_device_group, serviceopts.allowed_to_authenticate_from_device_silo]) - check_similar_args("--service-allowed-to-authenticate-to", - [serviceopts.allowed_to_authenticate_to, - serviceopts.allowed_to_authenticate_to_by_group, - serviceopts.allowed_to_authenticate_to_by_silo]) ldb = self.ldb_connect(hostopts, sambaopts, credopts) 
@@ -449,18 +419,6 @@ class cmd_domain_auth_policy_modify(Command):
 ldb, cn=serviceopts.allowed_to_authenticate_from_device_silo) serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl() - # Generate SDDL for authenticating service accounts to a group - if serviceopts.allowed_to_authenticate_to_by_group: - group = Group.get( - ldb, cn=serviceopts.allowed_to_authenticate_to_by_group) - serviceopts.allowed_to_authenticate_to = group.get_authentication_sddl() - - # Generate SDDL for authenticating service accounts to a silo - if serviceopts.allowed_to_authenticate_to_by_silo: - silo = AuthenticationSilo.get( - ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo) - serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl() - try: policy = AuthenticationPolicy.get(ldb, cn=name) except ModelError as e:
diff --git a/python/samba/tests/samba_tool/domain_auth_policy.py b/python/samba/tests/samba_tool/domain_auth_policy.py
index bdd7c3d9338..4336cc4cc15 100644
--- a/python/samba/tests/samba_tool/domain_auth_policy.py
+++ b/python/samba/tests/samba_tool/domain_auth_policy.py
@@ -275,47 +275,6 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl, 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))') - def test_create__service_allowed_to_authenticate_to_by_group(self): - """Tests the --service-allowed-to-authenticate-to-by-group shortcut.""" - name = self.unique_name() - expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % ( - self.device_group.object_sid) - - # Create a user with authenticate to by group attribute. - self.addCleanup(self.delete_authentication_policy, name=name, force=True) - result, out, err = self.runcmd( - "domain", "auth", "policy", "create", "--name", name, - "--service-allowed-to-authenticate-to-by-group", - self.device_group.name) - self.assertIsNone(result, msg=err) - - # Check user allowed to authenticate to field was modified. - policy = self.get_authentication_policy(name) - self.assertEqual(str(policy["cn"]), name) - desc = policy["msDS-ServiceAllowedToAuthenticateTo"][0] - sddl = ndr_unpack(security.descriptor, desc).as_sddl() - self.assertEqual(sddl, expected) - - def test_create__service_allowed_to_authenticate_to_by_silo(self): - """Tests the --service-allowed-to-authenticate-to-by-silo shortcut.""" - name = self.unique_name() - expected = ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/' - 'AuthenticationSilo == "Managers"))') - - # Create a user with authenticate to by silo attribute. - self.addCleanup(self.delete_authentication_policy, name=name, force=True) - result, out, err = self.runcmd( - "domain", "auth", "policy", "create", "--name", name, - "--service-allowed-to-authenticate-to-by-silo", "Managers") - self.assertIsNone(result, msg=err) - - # Check user allowed to authenticate to field was modified. 
- policy = self.get_authentication_policy(name) - self.assertEqual(str(policy["cn"]), name) - desc = policy["msDS-ServiceAllowedToAuthenticateTo"][0] - sddl = ndr_unpack(security.descriptor, desc).as_sddl() - self.assertEqual(sddl, expected) - def test_create__computer_tgt_lifetime_mins(self): """Test create a new authentication policy with --computer-tgt-lifetime-mins.
@@ -648,24 +607,27 @@ class AuthPolicyCmdTestCase(SiloTest):
 self.assertEqual(result, -1) self.assertIn("--service-allowed-to-authenticate-from argument repeated 2 times.", err) - def test_create__service_allowed_to_authenticate_to_repeated(self): + def test_service_allowed_to_authenticate_to__set_repeated(self): """Test repeating similar arguments doesn't make sense to use together. - --service-allowed-to-authenticate-to - --service-allowed-to-authenticate-to-by-silo + service-allowed-to-authenticate-to set --by-group + service-allowed-to-authenticate-to set --by-silo """ - sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))' name = self.unique_name() - result, out, err = self.runcmd("domain", "auth", "policy", "create", - "--name", name, - "--service-allowed-to-authenticate-to", - sddl, - "--service-allowed-to-authenticate-to-by-silo", + self.runcmd("domain", "auth", "policy", "create", "--name", name) + self.addCleanup(self.delete_authentication_policy, name=name, force=True) + + result, out, err = self.runcmd("domain", "auth", "policy", + "service-allowed-to-authenticate-to", + "set", "--name", name, + "--by-group", + self.device_group.name, + "--by-silo", "QA") self.assertEqual(result, -1) - self.assertIn("--service-allowed-to-authenticate-to argument repeated 2 times.", err) + self.assertIn("Cannot have both --by-group and --by-silo options.", err) def test_computer_allowed_to_authenticate_to__set_repeated(self): """Test repeating similar arguments doesn't make sense to use together. 
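Review bot: The added setup step `self.runcmd("domain", "auth", "policy", "create", "--name", name)` in test_service_allowed_to_authenticate_to__set_repeated discards its result, so if the create fails the test still proceeds and the later `self.assertEqual(result, -1)` can pass for the wrong reason — the `set` command rejecting a policy that does not exist rather than rejecting the conflicting options. Capture and check it before registering the cleanup: `result, out, err = self.runcmd("domain", "auth", "policy", "create", "--name", name)` followed by `self.assertIsNone(result, msg=err)`. The asserted message `Cannot have both --by-group and --by-silo options.` is produced by the new `set` subcommand, which is not part of this diff, so its exact wording cannot be confirmed from here.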
@@ -1086,8 +1048,8 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl = ndr_unpack(security.descriptor, desc).as_sddl() self.assertEqual(sddl, expected) - def test_modify__service_allowed_to_authenticate_to_by_group(self): - """Tests the --service-allowed-to-authenticate-to-by-group shortcut.""" + def test_service_allowed_to_authenticate_to__set_by_group(self): + """Tests the service-allowed-to-authenticate-to set --by-group shortcut.""" name = self.unique_name() expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % ( self.device_group.object_sid)
@@ -1097,10 +1059,10 @@ class AuthPolicyCmdTestCase(SiloTest):
 self.runcmd("domain", "auth", "policy", "create", "--name", name) # Modify user allowed to authenticate to field - result, out, err = self.runcmd("domain", "auth", "policy", "modify", - "--name", name, - "--service-allowed-to-authenticate-to-by-group", - self.device_group.name) + result, out, err = self.runcmd("domain", "auth", "policy", + "service-allowed-to-authenticate-to", + "set", "--name", name, + "--by-group", self.device_group.name) self.assertIsNone(result, msg=err) # Check user allowed to authenticate to field was modified.
@@ -1110,8 +1072,8 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl = ndr_unpack(security.descriptor, desc).as_sddl() self.assertEqual(sddl, expected) - def test_modify__service_allowed_to_authenticate_to_by_silo(self): - """Tests the --service-allowed-to-authenticate-to-by-silo shortcut.""" + def test_service_allowed_to_authenticate_to__set_by_silo(self): + """Tests the service-allowed-to-authenticate-to set --by-silo shortcut.""" name = self.unique_name() expected = ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/' 'AuthenticationSilo == "QA"))') 
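Review bot: The rewritten `set --by-group` invocation in test_service_allowed_to_authenticate_to__set_by_group (and the matching `--by-silo` rewrite in the hunk at -1121) only exercises the path where `self.device_group.name` and `"QA"` resolve to an existing object; the create/modify code this commit removes did that resolution via `Group.get` / `AuthenticationSilo.get` before writing the SDDL, and nothing in this diff shows the new subcommand being tested with a group or silo name that does not exist. Because the resolved SID or silo name becomes an access-control condition in msDS-ServiceAllowedToAuthenticateTo, a negative test asserting that `set --by-group <nonexistent>` returns `-1` with a clear error, rather than writing an empty or unintended SDDL, would be a useful companion to these two tests. The `set` implementation is outside this diff, so that coverage may already exist elsewhere. On wording, the pre-existing context comment `# Modify user allowed to authenticate to field` now sits above a service-scoped command; `# Set the service allowed-to-authenticate-to field via the subcommand` would read more accurately.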
@@ -1121,10 +1083,10 @@ class AuthPolicyCmdTestCase(SiloTest):
 self.runcmd("domain", "auth", "policy", "create", "--name", name) # Modify user allowed to authenticate to field - result, out, err = self.runcmd("domain", "auth", "policy", "modify", - "--name", name, - "--service-allowed-to-authenticate-to-by-silo", - "QA") + result, out, err = self.runcmd("domain", "auth", "policy", + "service-allowed-to-authenticate-to", + "set", "--name", name, + "--by-silo", "QA") self.assertIsNone(result, msg=err) # Check user allowed to authenticate to field was modified.