From: Rob van der Linde Date: Mon, 11 Mar 2024 23:38:13 +0000 (+1300) Subject: netcmd: gmsa: add_trustee and remove_trustee change argument to sid X-Git-Tag: tdb-1.4.11~1432 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87d00915e9634c2ba3269d8d437bfa3c74ee7724;p=thirdparty%2Fsamba.git netcmd: gmsa: add_trustee and remove_trustee change argument to sid Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/netcmd/domain/models/gmsa.py b/python/samba/netcmd/domain/models/gmsa.py
index c5c27e3cf51..e13711f22d7 100644
--- a/python/samba/netcmd/domain/models/gmsa.py
+++ b/python/samba/netcmd/domain/models/gmsa.py
@@ -28,7 +28,6 @@ from .constants import GROUP_MSA_MEMBERSHIP_DEFAULT
 from .exceptions import FieldError
 from .fields import BinaryField, EnumField, IntegerField, SDDLField, StringField
 from .types import SupportedEncryptionTypes
-from .user import User
 class GroupManagedServiceAccount(Computer):
@@ -79,17 +78,19 @@ class GroupManagedServiceAccount(Computer):
 return allowed
- def add_trustee(self, trustee: User):
+ def add_trustee(self, trustee: str):
 """Adds the User `trustee` to group_msa_membership.
 Checking if the trustee already has access is the responsibility of the caller.
+
+ :param trustee: SID of trustee to add
 """
 aces = self.group_msa_membership.dacl.aces
 ace = security.ace()
 ace.type = security.SEC_ACE_TYPE_ACCESS_ALLOWED
- ace.trustee = security.dom_sid(trustee.object_sid)
+ ace.trustee = security.dom_sid(trustee)
 ace.access_mask = security.SEC_ADS_GENERIC_ALL
 aces.append(ace)
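Review bot: The summary line of add_trustee's docstring still says it adds "the User `trustee`" although the parameter is now a SID string, so the summary and the new `:param trustee: SID of trustee to add` line disagree; `"""Adds the trustee with SID `trustee` to group_msa_membership.` would match the new signature, and remove_trustee's summary in the next hunk has the same stale wording. The string goes straight into `security.dom_sid(trustee)`, which appears to reject anything it cannot parse by raising, so the docstring should also state that the caller must pass a well-formed SID string (the binding's exception type is not visible here, so confirm it before naming it in a `:raises:` line). Only the two callers in group_msa_membership.py are updated by this commit; any other caller still passing a User object would now fail inside dom_sid rather than at the annotation, which is worth mentioning in the commit message. The method body continues past the end of this hunk.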
@@ -97,14 +98,16 @@ class GroupManagedServiceAccount(Computer):
 self.group_msa_membership.dacl.aces = aces
 self.group_msa_membership.dacl.num_aces = len(aces)
- def remove_trustee(self, trustee: User):
+ def remove_trustee(self, trustee: str):
 """Removes the User 'trustee' from group_msa_membership.
 If the trustee doesn't have access already then do nothing.
+
+ :param trustee: SID of trustee to remove
 """
 aces = self.group_msa_membership.dacl.aces
 for ace in aces:
- if trustee.object_sid == str(ace.trustee):
+ if trustee == str(ace.trustee):
 self.group_msa_membership.dacl_del_ace(ace)
 break
diff --git a/python/samba/netcmd/service_account/group_msa_membership.py b/python/samba/netcmd/service_account/group_msa_membership.py
index 099d5de21b4..d90dbf29fab 100644
--- a/python/samba/netcmd/service_account/group_msa_membership.py
+++ b/python/samba/netcmd/service_account/group_msa_membership.py
@@ -130,7 +130,7 @@ class cmd_service_account_group_msa_membership_add(Command):
 print(f"Trustee '{trustee}' is already allowed to show managed passwords for: {gmsa}", file=self.outf)
 else:
- gmsa.add_trustee(trustee)
+ gmsa.add_trustee(trustee.object_sid)
 try:
 gmsa.save(ldb)
@@ -193,7 +193,7 @@ class cmd_service_account_group_msa_membership_remove(Command):
 print(f"Trustee '{trustee}' cannot currently show managed passwords for: {gmsa}", file=self.outf)
 else:
- gmsa.remove_trustee(trustee)
+ gmsa.remove_trustee(trustee.object_sid)
 try:
 gmsa.save(ldb)
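Review bot: remove_trustee now compares the caller's raw string against the canonical rendering of the ACE's SID (`if trustee == str(ace.trustee):`), whereas add_trustee in the previous hunk parses its argument through `security.dom_sid` first; a SID spelled in a form the parser accepts but that differs from the canonical rendering (a lower-case prefix, presumably) would be accepted on the add side yet never matched on the remove side, silently leaving the ACE — and with it the right to read the managed password — in place. Normalise once before the loop, `sid = str(security.dom_sid(trustee))`, and compare `if sid == str(ace.trustee):`, so both methods agree on what a match is and a malformed SID fails loudly instead of being ignored. The two callers in the group_msa_membership.py hunks below only ever pass `trustee.object_sid`, so today this is a latent inconsistency in the model API rather than a reachable bug through the CLI. The method body ends at `break` inside this hunk.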