netcmd: models: use correct SDDL for authentication silos
authorRob van der Linde <rob@catalyst.net.nz>
Mon, 13 Nov 2023 10:46:57 +0000 (23:46 +1300)
committerDouglas Bagnall <dbagnall@samba.org>
Wed, 22 Nov 2023 23:35:33 +0000 (23:35 +0000)
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/netcmd/domain/models/auth_silo.py
python/samba/tests/samba_tool/domain_auth_policy.py

index f09b6a6654a4246484d44fb4368f04d897c7bc30..9747671e4c5ff7b3aa61e83a097a3180ae5b7843 100644 (file)
@@ -100,5 +100,5 @@ class AuthenticationSilo(Model):
         self.refresh(ldb, fields=["members"])
 
     def get_authentication_sddl(self):
-        return ("O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/"
-                f"AuthenticationSilo/{escaped_claim_id(self.name)}))")
+        return ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
+                f'AuthenticationSilo == "{escaped_claim_id(self.name)}"))')
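Review bot: The silo name is now interpolated inside a double-quoted literal of the SDDL conditional expression, so `escaped_claim_id()` has to neutralise any `"` (and backslash) in `self.name` as well; a name containing a quote would otherwise terminate the literal early and leave a malformed or differently scoped condition. Whether the helper does that is not visible in this hunk, so it is worth confirming and stating in the helper's docstring. The method itself has no docstring; I would add `"""Return SDDL for a conditional ACE that applies when the user's AuthenticationSilo claim equals this silo's name."""` above the `return`. As far as the hunk shows, the `return` statement is the whole body of `get_authentication_sddl`.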
index 21d75591a6257c20499c8af1d1dc1ee815d0ded7..6d7804dd4f334de40d72989dce34cc4af9e2e8c9 100644 (file)
@@ -173,7 +173,7 @@ class AuthPolicyCmdTestCase(SiloTest):
         sddl = ndr_unpack(security.descriptor, desc).as_sddl()
         self.assertEqual(
             sddl,
-            "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/Developers))")
+            'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))')
 
     def test_create__service_tgt_lifetime_mins(self):
         """Test create a new authentication policy with --service-tgt-lifetime-mins.
@@ -229,7 +229,7 @@ class AuthPolicyCmdTestCase(SiloTest):
         sddl = ndr_unpack(security.descriptor, desc).as_sddl()
         self.assertEqual(
             sddl,
-            "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/Managers))")
+            'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))')
 
     def test_create__computer_tgt_lifetime_mins(self):
         """Test create a new authentication policy with --computer-tgt-lifetime-mins.
@@ -509,7 +509,7 @@ class AuthPolicyCmdTestCase(SiloTest):
         --user-allowed-to-authenticate-from
         --user-allowed-to-authenticate-from-silo
         """
-        sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/Developers))"
+        sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))'
         name = self.unique_name()
 
         result, out, err = self.runcmd("domain", "auth", "policy", "create",
@@ -528,7 +528,7 @@ class AuthPolicyCmdTestCase(SiloTest):
         --service-allowed-to-authenticate-from
         --service-allowed-to-authenticate-from-silo
         """
-        sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/Managers))"
+        sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))'
         name = self.unique_name()
 
         result, out, err = self.runcmd("domain", "auth", "policy", "create",
@@ -750,7 +750,7 @@ class AuthPolicyCmdTestCase(SiloTest):
         sddl = ndr_unpack(security.descriptor, desc).as_sddl()
         self.assertEqual(
             sddl,
-            "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/QA))")
+            'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "QA"))')
 
     def test_modify__user_allowed_to_authenticate_to(self):
         """Modify authentication policy user allowed to authenticate to."""
@@ -819,7 +819,7 @@ class AuthPolicyCmdTestCase(SiloTest):
         sddl = ndr_unpack(security.descriptor, desc).as_sddl()
         self.assertEqual(
             sddl,
-            "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/Developers))")
+            'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))')
 
     def test_modify__service_allowed_to_authenticate_to(self):
         """Modify authentication policy service allowed to authenticate to."""