From: Rob van der Linde
Date: Wed, 20 Sep 2023 01:04:14 +0000 (+1200)
Subject: netcmd: auth: add new SDDL fields to create and modify auth policy commands
X-Git-Tag: tevent-0.16.0~313
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=645b77342f42a55b8693e867ec92da2ea5a3b31c;p=thirdparty%2Fsamba.git

netcmd: auth: add new SDDL fields to create and modify auth policy commands

Signed-off-by: Rob van der Linde
Reviewed-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/netcmd/domain/auth/policy.py b/python/samba/netcmd/domain/auth/policy.py
index 07b21bdf81d..faf81cca616 100644
--- a/python/samba/netcmd/domain/auth/policy.py
+++ b/python/samba/netcmd/domain/auth/policy.py
@@ -148,6 +148,12 @@ class cmd_domain_auth_policy_create(Command):
                "is restricted to selected devices.",
                dest="user_allow_ntlm_auth", action="store_true", default=False),
+        Option("--user-allowed-to-authenticate-from",
+               help="Conditions user is allowed to authenticate from.",
+               dest="user_allowed_to_authenticate_from", type=str, action="store"),
+        Option("--user-allowed-to-authenticate-to",
+               help="Conditions user is allowed to authenticate to.",
+               dest="user_allowed_to_authenticate_to", type=str, action="store"),
         Option("--service-tgt-lifetime",
                help="Ticket-Granting-Ticket lifetime for service accounts.",
                dest="service_tgt_lifetime", type=int, action="store",
@@ -157,17 +163,29 @@ class cmd_domain_auth_policy_create(Command):
                "is restricted to selected devices.",
                dest="service_allow_ntlm_auth", action="store_true", default=False),
+        Option("--service-allowed-to-authenticate-from",
+               help="Conditions service is allowed to authenticate from.",
+               dest="service_allowed_to_authenticate_from", type=str, action="store"),
+        Option("--service-allowed-to-authenticate-to",
+               help="Conditions service is allowed to authenticate to.",
+               dest="service_allowed_to_authenticate_to", type=str, action="store"),
         Option("--computer-tgt-lifetime",
                help="Ticket-Granting-Ticket lifetime for computer accounts.",
                dest="computer_tgt_lifetime", type=int, action="store",
                validators=[Range(min=MIN_TGT_LIFETIME, max=MAX_TGT_LIFETIME)]),
+        Option("--computer-allowed-to-authenticate-to",
+               help="Conditions computer is allowed to authenticate to.",
+               dest="computer_allowed_to_authenticate_to", type=str, action="store"),
     ]
 
     def run(self, ldap_url=None, sambaopts=None, credopts=None, name=None,
             description=None, protect=None, unprotect=None, audit=None,
             enforce=None, strong_ntlm_policy=None, user_tgt_lifetime=None,
-            user_allow_ntlm_auth=None, service_tgt_lifetime=None,
-            service_allow_ntlm_auth=None, computer_tgt_lifetime=None):
+            user_allow_ntlm_auth=None, user_allowed_to_authenticate_from=None,
+            user_allowed_to_authenticate_to=None, service_tgt_lifetime=None,
+            service_allow_ntlm_auth=None, service_allowed_to_authenticate_from=None,
+            service_allowed_to_authenticate_to=None, computer_tgt_lifetime=None,
+            computer_allowed_to_authenticate_to=None):
 
         if not name:
             raise CommandError("Argument --name is required.")
 
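Review bot: The new `--service-allowed-to-authenticate-from`/`-to` and `--computer-allowed-to-authenticate-to` options are plain `type=str` with no `validators=`, unlike the neighbouring `--computer-tgt-lifetime` that carries `Range(...)`, so a mistyped SDDL string is accepted by the command and handed on to the policy object; whether the model field parses it is not visible here, and if it does not, the malformed value ends up in the directory. A validator on the `Option` that round-trips the value through the SDDL parser (for example `security.descriptor.from_sddl` with the domain SID) and raises on failure would catch this at the CLI the way `Range` does for lifetimes. The same applies to the `--user-allowed-to-authenticate-*` options in the preceding create hunk and to the three modify hunks that follow, so one shared validator would cover all of them. The help text also does not say that the value is an SDDL string; `help="SDDL conditions a service is allowed to authenticate from."` would tell the operator the expected format. The `run` signature changed here continues past the hunk.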
@@ -194,9 +212,14 @@ class cmd_domain_auth_policy_create(Command):
             strong_ntlm_policy=StrongNTLMPolicy[strong_ntlm_policy.upper()],
             user_allow_ntlm_auth=user_allow_ntlm_auth,
             user_tgt_lifetime=user_tgt_lifetime,
+            user_allowed_to_authenticate_from=user_allowed_to_authenticate_from,
+            user_allowed_to_authenticate_to=user_allowed_to_authenticate_to,
             service_allow_ntlm_auth=service_allow_ntlm_auth,
             service_tgt_lifetime=service_tgt_lifetime,
+            service_allowed_to_authenticate_from=service_allowed_to_authenticate_from,
+            service_allowed_to_authenticate_to=service_allowed_to_authenticate_to,
             computer_tgt_lifetime=computer_tgt_lifetime,
+            computer_allowed_to_authenticate_to=computer_allowed_to_authenticate_to,
         )
 
         # Either --enforce will be set or --audit but never both.
@@ -262,6 +285,12 @@ class cmd_domain_auth_policy_modify(Command):
                "is restricted to selected devices.",
                dest="user_allow_ntlm_auth", action="store_true", default=False),
+        Option("--user-allowed-to-authenticate-from",
+               help="Conditions user is allowed to authenticate from.",
+               dest="user_allowed_to_authenticate_from", type=str, action="store"),
+        Option("--user-allowed-to-authenticate-to",
+               help="Conditions user is allowed to authenticate to.",
+               dest="user_allowed_to_authenticate_to", type=str, action="store"),
         Option("--service-tgt-lifetime",
                help="Ticket-Granting-Ticket lifetime for service accounts.",
                dest="service_tgt_lifetime", type=int, action="store",
@@ -271,17 +300,29 @@ class cmd_domain_auth_policy_modify(Command):
                "is restricted to selected devices.",
                dest="service_allow_ntlm_auth", action="store_true", default=False),
+        Option("--service-allowed-to-authenticate-from",
+               help="Conditions service is allowed to authenticate from.",
+               dest="service_allowed_to_authenticate_from", type=str, action="store"),
+        Option("--service-allowed-to-authenticate-to",
+               help="Conditions service is allowed to authenticate to.",
+               dest="service_allowed_to_authenticate_to", type=str, action="store"),
         Option("--computer-tgt-lifetime",
                help="Ticket-Granting-Ticket lifetime for computer accounts.",
                dest="computer_tgt_lifetime", type=int, action="store",
                validators=[Range(min=MIN_TGT_LIFETIME, max=MAX_TGT_LIFETIME)]),
+        Option("--computer-allowed-to-authenticate-to",
+               help="Conditions computer is allowed to authenticate to.",
+               dest="computer_allowed_to_authenticate_to", type=str, action="store"),
     ]
 
     def run(self, ldap_url=None, sambaopts=None, credopts=None, name=None,
             description=None, protect=None, unprotect=None, audit=None,
             enforce=None, strong_ntlm_policy=None, user_tgt_lifetime=None,
-            user_allow_ntlm_auth=None, service_tgt_lifetime=None,
-            service_allow_ntlm_auth=None, computer_tgt_lifetime=None):
+            user_allow_ntlm_auth=None, user_allowed_to_authenticate_from=None,
+            user_allowed_to_authenticate_to=None, service_tgt_lifetime=None,
+            service_allow_ntlm_auth=None, service_allowed_to_authenticate_from=None,
+            service_allowed_to_authenticate_to=None, computer_tgt_lifetime=None,
+            computer_allowed_to_authenticate_to=None):
 
         if not name:
             raise CommandError("Argument --name is required.")
 
@@ -321,18 +362,38 @@ class cmd_domain_auth_policy_modify(Command):
         if user_tgt_lifetime is not None:
             policy.user_tgt_lifetime = user_tgt_lifetime
 
+        if user_allowed_to_authenticate_from is not None:
+            policy.user_allowed_to_authenticate_from = \
+                user_allowed_to_authenticate_from
+
+        if user_allowed_to_authenticate_to is not None:
+            policy.user_allowed_to_authenticate_to = \
+                user_allowed_to_authenticate_to
+
         # Service sign on
         ##################
 
         if service_tgt_lifetime is not None:
             policy.service_tgt_lifetime = service_tgt_lifetime
 
+        if service_allowed_to_authenticate_from is not None:
+            policy.service_allowed_to_authenticate_from = \
+                service_allowed_to_authenticate_from
+
+        if service_allowed_to_authenticate_to is not None:
+            policy.service_allowed_to_authenticate_to = \
+                service_allowed_to_authenticate_to
+
         # Computer
         ###########
 
         if computer_tgt_lifetime is not None:
             policy.computer_tgt_lifetime = computer_tgt_lifetime
 
+        if computer_allowed_to_authenticate_to is not None:
+            policy.computer_allowed_to_authenticate_to = \
+                computer_allowed_to_authenticate_to
+
         # Update policy.
         try:
             policy.save(ldb)
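Review bot: The five new `if … is not None:` blocks store the option value verbatim, so an explicit empty string (`--user-allowed-to-authenticate-from ""`) passes the guard and is written as `""` on `policy.save(ldb)`, while omitting the flag leaves the attribute untouched; whether an empty value is meant to clear the SDDL condition or to be rejected is not stated anywhere in the hunk, and nothing here parses the string before it is saved. The blocks are also five copies of the same three-line shape, so a name-to-value mapping and a single `setattr` loop would keep the "None means not passed" rule, and any later empty-string or parse check, in one place instead of five. `run` starts outside the hunk.
```python
        # … unchanged: *_tgt_lifetime handling and the section comments …
        sddl_fields = {
            "user_allowed_to_authenticate_from": user_allowed_to_authenticate_from,
            "user_allowed_to_authenticate_to": user_allowed_to_authenticate_to,
            "service_allowed_to_authenticate_from": service_allowed_to_authenticate_from,
            "service_allowed_to_authenticate_to": service_allowed_to_authenticate_to,
            "computer_allowed_to_authenticate_to": computer_allowed_to_authenticate_to,
        }
        for attr, sddl in sddl_fields.items():
            # None means the flag was not given; any string, including "", is stored as given.
            if sddl is not None:
                setattr(policy, attr, sddl)
        # … unchanged: policy.save(ldb) …
```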