import samba.getopt as options
from samba.netcmd import Command, CommandError, Option, SuperCommand
-from samba.netcmd.domain.models import AuthenticationPolicy, AuthenticationSilo
+from samba.netcmd.domain.models import AuthenticationPolicy,\
+ AuthenticationSilo, Group
from samba.netcmd.domain.models.auth_policy import MIN_TGT_LIFETIME,\
MAX_TGT_LIFETIME, StrongNTLMPolicy
from samba.netcmd.domain.models.exceptions import ModelError
help="Conditions user is allowed to authenticate to.",
type=str, dest="allowed_to_authenticate_to",
action="callback", callback=self.set_option)
+ self.add_option("--user-allowed-to-authenticate-to-by-group",
+ help="User is allowed to authenticate to by group.",
+ type=str, dest="allowed_to_authenticate_to_by_group",
+ action="callback", callback=self.set_option)
self.add_option("--user-allowed-to-authenticate-to-by-silo",
help="User is allowed to authenticate to by silo.",
type=str, dest="allowed_to_authenticate_to_by_silo",
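Review bot: The help text for `--user-allowed-to-authenticate-to-by-group` does not say what form the value must take; the new code in the run path later resolves it with `Group.get(ldb, cn=...)`, so an operator has to pass the group's CN rather than a SID, DN or sAMAccountName, and that is worth stating in the option itself. Suggest `help="User is allowed to authenticate to by group (group CN)."`. The same applies to the service and computer variants in the next two hunks; the computer one additionally reads "allowed to authenticate to group", dropping the "by" that the user and service help strings use. The enclosing option-setup method starts and ends outside this hunk.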
help="Conditions service is allowed to authenticate to.",
type=str, dest="allowed_to_authenticate_to",
action="callback", callback=self.set_option)
+ self.add_option("--service-allowed-to-authenticate-to-by-group",
+ help="Service is allowed to authenticate to by group.",
+ type=str, dest="allowed_to_authenticate_to_by_group",
+ action="callback", callback=self.set_option)
self.add_option("--service-allowed-to-authenticate-to-by-silo",
help="Service is allowed to authenticate to by silo.",
type=str, dest="allowed_to_authenticate_to_by_silo",
help="Conditions computer is allowed to authenticate to.",
type=str, dest="allowed_to_authenticate_to",
action="callback", callback=self.set_option)
+ self.add_option("--computer-allowed-to-authenticate-to-by-group",
+ help="Computer is allowed to authenticate to group.",
+ type=str, dest="allowed_to_authenticate_to_by_group",
+ action="callback", callback=self.set_option)
self.add_option("--computer-allowed-to-authenticate-to-by-silo",
help="Computer is allowed to authenticate to silo.",
type=str, dest="allowed_to_authenticate_to_by_silo",
useropts.allowed_to_authenticate_from_device_silo])
check_similar_args("--user-allowed-to-authenticate-to",
[useropts.allowed_to_authenticate_to,
+ useropts.allowed_to_authenticate_to_by_group,
useropts.allowed_to_authenticate_to_by_silo])
check_similar_args("--service-allowed-to-authenticate-from",
[serviceopts.allowed_to_authenticate_from,
serviceopts.allowed_to_authenticate_from_device_silo])
check_similar_args("--service-allowed-to-authenticate-to",
[serviceopts.allowed_to_authenticate_to,
+ serviceopts.allowed_to_authenticate_to_by_group,
serviceopts.allowed_to_authenticate_to_by_silo])
check_similar_args("--computer-allowed-to-authenticate-to",
[computeropts.allowed_to_authenticate_to,
+ computeropts.allowed_to_authenticate_to_by_group,
computeropts.allowed_to_authenticate_to_by_silo])
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
+ # Generate SDDL for authenticating user accounts to a group
+ if useropts.allowed_to_authenticate_to_by_group:
+ group = Group.get(
+ ldb, cn=useropts.allowed_to_authenticate_to_by_group)
+ useropts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
# Generate SDDL for authenticating user accounts to a silo
if useropts.allowed_to_authenticate_to_by_silo:
silo = AuthenticationSilo.get(
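Review bot: The result of `Group.get(ldb, cn=useropts.allowed_to_authenticate_to_by_group)` is dereferenced on the next line without a missing-object check, so a mistyped or nonexistent group name would surface as an AttributeError traceback rather than an error that names the group, assuming the model's `get` returns None for an unknown cn (not visible here, and the silo lookup this mirrors appears to make the same assumption). Suggest inserting, before the SDDL assignment, `if group is None:` / `    raise CommandError(f"Group {useropts.allowed_to_authenticate_to_by_group} not found.")`, using the `CommandError` already imported for this module. The identical pattern recurs in the service and computer branches of the following hunk and in all three branches of the modify command's hunks further down. The enclosing `run` method starts and ends outside this hunk.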
ldb, cn=serviceopts.allowed_to_authenticate_from_device_silo)
serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl()
+ # Generate SDDL for authenticating service accounts to a group
+ if serviceopts.allowed_to_authenticate_to_by_group:
+ group = Group.get(
+ ldb, cn=serviceopts.allowed_to_authenticate_to_by_group)
+ serviceopts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
# Generate SDDL for authenticating service accounts to a silo
if serviceopts.allowed_to_authenticate_to_by_silo:
silo = AuthenticationSilo.get(
ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
+ # Generate SDDL for authenticating computer accounts to a group
+ if computeropts.allowed_to_authenticate_to_by_group:
+ group = Group.get(
+ ldb, cn=computeropts.allowed_to_authenticate_to_by_group)
+ computeropts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
# Generate SDDL for authenticating computer accounts to a silo
if computeropts.allowed_to_authenticate_to_by_silo:
silo = AuthenticationSilo.get(
useropts.allowed_to_authenticate_from_device_silo])
check_similar_args("--user-allowed-to-authenticate-to",
[useropts.allowed_to_authenticate_to,
+ useropts.allowed_to_authenticate_to_by_group,
useropts.allowed_to_authenticate_to_by_silo])
check_similar_args("--service-allowed-to-authenticate-from",
[serviceopts.allowed_to_authenticate_from,
serviceopts.allowed_to_authenticate_from_device_silo])
check_similar_args("--service-allowed-to-authenticate-to",
[serviceopts.allowed_to_authenticate_to,
+ serviceopts.allowed_to_authenticate_to_by_group,
serviceopts.allowed_to_authenticate_to_by_silo])
check_similar_args("--computer-allowed-to-authenticate-to",
[computeropts.allowed_to_authenticate_to,
+ computeropts.allowed_to_authenticate_to_by_group,
computeropts.allowed_to_authenticate_to_by_silo])
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
+ # Generate SDDL for authenticating user accounts to a group
+ if useropts.allowed_to_authenticate_to_by_group:
+ group = Group.get(
+ ldb, cn=useropts.allowed_to_authenticate_to_by_group)
+ useropts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
# Generate SDDL for authenticating user accounts to a silo
if useropts.allowed_to_authenticate_to_by_silo:
silo = AuthenticationSilo.get(
ldb, cn=serviceopts.allowed_to_authenticate_from_device_silo)
serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl()
+ # Generate SDDL for authenticating service accounts to a group
+ if serviceopts.allowed_to_authenticate_to_by_group:
+ group = Group.get(
+ ldb, cn=serviceopts.allowed_to_authenticate_to_by_group)
+ serviceopts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
# Generate SDDL for authenticating service accounts to a silo
if serviceopts.allowed_to_authenticate_to_by_silo:
silo = AuthenticationSilo.get(
ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
+ # Generate SDDL for authenticating computer accounts to a group
+ if computeropts.allowed_to_authenticate_to_by_group:
+ group = Group.get(
+ ldb, cn=computeropts.allowed_to_authenticate_to_by_group)
+ computeropts.allowed_to_authenticate_to = group.get_authentication_sddl()
+
# Generate SDDL for authenticating computer accounts to a silo
if computeropts.allowed_to_authenticate_to_by_silo:
silo = AuthenticationSilo.get(
sddl,
'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))')
+ def test_create__user_allowed_to_authenticate_to_by_group(self):
+ """Tests the --user-allowed-to-authenticate-to-by-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ # Create a user with authenticate to by group attribute.
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ result, out, err = self.runcmd(
+ "domain", "auth", "policy", "create", "--name", name,
+ "--user-allowed-to-authenticate-to-by-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check user allowed to authenticate to field was modified.
+ policy = self.get_authentication_policy(name)
+ self.assertEqual(str(policy["cn"]), name)
+ desc = policy["msDS-UserAllowedToAuthenticateTo"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
def test_create__user_allowed_to_authenticate_to_by_silo(self):
"""Tests the --user-allowed-to-authenticate-to-by-silo shortcut."""
name = self.unique_name()
sddl,
'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))')
+ def test_create__service_allowed_to_authenticate_to_by_group(self):
+ """Tests the --service-allowed-to-authenticate-to-by-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ # Create a user with authenticate to by group attribute.
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ result, out, err = self.runcmd(
+ "domain", "auth", "policy", "create", "--name", name,
+ "--service-allowed-to-authenticate-to-by-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check user allowed to authenticate to field was modified.
+ policy = self.get_authentication_policy(name)
+ self.assertEqual(str(policy["cn"]), name)
+ desc = policy["msDS-ServiceAllowedToAuthenticateTo"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
def test_create__service_allowed_to_authenticate_to_by_silo(self):
"""Tests the --service-allowed-to-authenticate-to-by-silo shortcut."""
name = self.unique_name()
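Review bot: The comments on the two added steps say "Create a user" and "Check user allowed to authenticate to field", but this test exercises the service variant and creates an authentication policy, not a user; suggest `# Create a policy with the service allowed-to-authenticate-to-by-group attribute.` and `# Check service allowed to authenticate to field was modified.`. The computer create test in the next hunk and the three modify tests later carry the same copied wording, where the modify ones also say "Modify user allowed to authenticate to field" for the service and computer attributes. As a point of style, the expected SDDL string built from `self.device_group.object_sid` is repeated verbatim in all six new tests; a small helper on the test class would keep them in step if the group model's SDDL shape changes.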
self.assertIn("--computer-tgt-lifetime-mins must be between 45 and 2147483647",
err)
+ def test_create__computer_allowed_to_authenticate_to_by_group(self):
+ """Tests the --computer-allowed-to-authenticate-to-by-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ # Create a user with authenticate to by group attribute.
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ result, out, err = self.runcmd(
+ "domain", "auth", "policy", "create", "--name", name,
+ "--computer-allowed-to-authenticate-to-by-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check user allowed to authenticate to field was modified.
+ policy = self.get_authentication_policy(name)
+ self.assertEqual(str(policy["cn"]), name)
+ desc = policy["msDS-ComputerAllowedToAuthenticateTo"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
def test_create__computer_allowed_to_authenticate_to_by_silo(self):
"""Tests the --computer-allowed-to-authenticate-to-by-silo shortcut."""
name = self.unique_name()
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
+ def test_modify__user_allowed_to_authenticate_to_by_group(self):
+ """Tests the --user-allowed-to-authenticate-to-by-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ # Create a policy to modify for this test.
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ self.runcmd("domain", "auth", "policy", "create", "--name", name)
+
+ # Modify user allowed to authenticate to field
+ result, out, err = self.runcmd("domain", "auth", "policy", "modify",
+ "--name", name,
+ "--user-allowed-to-authenticate-to-by-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check user allowed to authenticate to field was modified.
+ policy = self.get_authentication_policy(name)
+ self.assertEqual(str(policy["cn"]), name)
+ desc = policy["msDS-UserAllowedToAuthenticateTo"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
def test_modify__user_allowed_to_authenticate_to_by_silo(self):
"""Tests the --user-allowed-to-authenticate-to-by-silo shortcut."""
name = self.unique_name()
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
+ def test_modify__service_allowed_to_authenticate_to_by_group(self):
+ """Tests the --service-allowed-to-authenticate-to-by-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ # Create a policy to modify for this test.
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ self.runcmd("domain", "auth", "policy", "create", "--name", name)
+
+ # Modify user allowed to authenticate to field
+ result, out, err = self.runcmd("domain", "auth", "policy", "modify",
+ "--name", name,
+ "--service-allowed-to-authenticate-to-by-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check user allowed to authenticate to field was modified.
+ policy = self.get_authentication_policy(name)
+ self.assertEqual(str(policy["cn"]), name)
+ desc = policy["msDS-ServiceAllowedToAuthenticateTo"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
def test_modify__service_allowed_to_authenticate_to_by_silo(self):
"""Tests the --service-allowed-to-authenticate-to-by-silo shortcut."""
name = self.unique_name()
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
+ def test_modify__computer_allowed_to_authenticate_to_by_group(self):
+ """Tests the --computer-allowed-to-authenticate-to-by-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ # Create a policy to modify for this test.
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ self.runcmd("domain", "auth", "policy", "create", "--name", name)
+
+ # Modify user allowed to authenticate to field
+ result, out, err = self.runcmd("domain", "auth", "policy", "modify",
+ "--name", name,
+ "--computer-allowed-to-authenticate-to-by-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check user allowed to authenticate to field was modified.
+ policy = self.get_authentication_policy(name)
+ self.assertEqual(str(policy["cn"]), name)
+ desc = policy["msDS-ComputerAllowedToAuthenticateTo"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
def test_modify__computer_allowed_to_authenticate_to_by_silo(self):
"""Tests the --computer-allowed-to-authenticate-to-by-silo shortcut."""
name = self.unique_name()