help="User is allowed to authenticate from a device in a silo.",
type=str, dest="allowed_to_authenticate_from_device_silo",
action="callback", callback=self.set_option)
+ self.add_option("--user-allowed-to-authenticate-from-device-group",
+ help="User is allowed to authenticate from a device in group.",
+ type=str, dest="allowed_to_authenticate_from_device_group",
+ action="callback", callback=self.set_option)
self.add_option("--user-allowed-to-authenticate-to",
help="Conditions user is allowed to authenticate to.",
type=str, dest="allowed_to_authenticate_to",
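Review bot: The help text on the new option, `help="User is allowed to authenticate from a device in group."`, drops the article that the sibling silo text keeps ("in a silo") and does not tell the operator what the value is or how it is stored. Since the create test in this same change expects the attribute to carry the group's SID, I'd write `help="User is allowed to authenticate from a device that is a member of the given group (stored as the group's SID)."`. The enclosing option-setup method starts and ends outside this hunk.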
help="Service is allowed to authenticate from a device in a silo.",
type=str, dest="allowed_to_authenticate_from_device_silo",
action="callback", callback=self.set_option)
+ self.add_option("--service-allowed-to-authenticate-from-device-group",
+ help="Service is allowed to authenticate from a device in group.",
+ type=str, dest="allowed_to_authenticate_from_device_group",
+ action="callback", callback=self.set_option)
self.add_option("--service-allowed-to-authenticate-to",
help="Conditions service is allowed to authenticate to.",
type=str, dest="allowed_to_authenticate_to",
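Review bot: Same wording issue as the user-side option: `help="Service is allowed to authenticate from a device in group."` reads as a typo next to "in a silo" on the lines above and says nothing about the value being a group name resolved to a SID. I'd use `help="Service is allowed to authenticate from a device that is a member of the given group (stored as the group's SID)."`, keeping the two texts parallel. The enclosing option-setup method starts and ends outside this hunk.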
# Check for repeated, similar arguments.
check_similar_args("--user-allowed-to-authenticate-from",
[useropts.allowed_to_authenticate_from,
+ useropts.allowed_to_authenticate_from_device_group,
useropts.allowed_to_authenticate_from_device_silo])
check_similar_args("--user-allowed-to-authenticate-to",
[useropts.allowed_to_authenticate_to,
useropts.allowed_to_authenticate_to_by_silo])
check_similar_args("--service-allowed-to-authenticate-from",
[serviceopts.allowed_to_authenticate_from,
+ serviceopts.allowed_to_authenticate_from_device_group,
serviceopts.allowed_to_authenticate_from_device_silo])
check_similar_args("--service-allowed-to-authenticate-to",
[serviceopts.allowed_to_authenticate_to,
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
+ # Generate SDDL for authenticating users from a device in a group
+ if useropts.allowed_to_authenticate_from_device_group:
+ group = Group.get(
+ ldb, cn=useropts.allowed_to_authenticate_from_device_group)
+ useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
+
# Generate SDDL for authenticating users from a device in a silo
if useropts.allowed_to_authenticate_from_device_silo:
silo = AuthenticationSilo.get(
ldb, cn=useropts.allowed_to_authenticate_to_by_silo)
useropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
+ # Generate SDDL for authenticating service accounts from a device in a group
+ if serviceopts.allowed_to_authenticate_from_device_group:
+ group = Group.get(
+ ldb, cn=serviceopts.allowed_to_authenticate_from_device_group)
+ serviceopts.allowed_to_authenticate_from = group.get_authentication_sddl()
+
# Generate SDDL for authenticating service accounts from a device in a silo
if serviceopts.allowed_to_authenticate_from_device_silo:
silo = AuthenticationSilo.get(
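Review bot: Both new blocks dereference the lookup result unconditionally, `group = Group.get(ldb, cn=...)` followed by `group.get_authentication_sddl()`; if the model's `get` returns `None` for an unknown name (the `Group` class is not visible here), a typo in `--user-allowed-to-authenticate-from-device-group` or the service equivalent surfaces as an AttributeError traceback instead of a clean command error. I'd add `if group is None: raise CommandError(f"Group {useropts.allowed_to_authenticate_from_device_group} not found.")` after each lookup, assuming `CommandError` is what this module already raises elsewhere, and the same guard arguably belongs on the existing silo lookups the new code is modelled on. The lookup is by `cn`, while the help text speaks of a group name; if callers are expected to pass the sAMAccountName, the two can differ, so either the help text or the lookup key should say which one is meant. The context lines between the two new blocks appear to splice two hunks (a `to_by_silo` lookup under a `from_device_silo` guard), so I read them as a rendering artifact, not as a defect in this change. The enclosing `run` method starts and ends outside this hunk.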
# Check for repeated, similar arguments.
check_similar_args("--user-allowed-to-authenticate-from",
[useropts.allowed_to_authenticate_from,
+ useropts.allowed_to_authenticate_from_device_group,
useropts.allowed_to_authenticate_from_device_silo])
check_similar_args("--user-allowed-to-authenticate-to",
[useropts.allowed_to_authenticate_to,
useropts.allowed_to_authenticate_to_by_silo])
check_similar_args("--service-allowed-to-authenticate-from",
[serviceopts.allowed_to_authenticate_from,
+ serviceopts.allowed_to_authenticate_from_device_group,
serviceopts.allowed_to_authenticate_from_device_silo])
check_similar_args("--service-allowed-to-authenticate-to",
[serviceopts.allowed_to_authenticate_to,
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
+ # Generate SDDL for authenticating users from a device in a group
+ if useropts.allowed_to_authenticate_from_device_group:
+ group = Group.get(
+ ldb, cn=useropts.allowed_to_authenticate_from_device_group)
+ useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
+
# Generate SDDL for authenticating users from a device in a silo
if useropts.allowed_to_authenticate_from_device_silo:
silo = AuthenticationSilo.get(
ldb, cn=useropts.allowed_to_authenticate_to_by_silo)
useropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
+ # Generate SDDL for authenticating users from a device a device in a group
+ if serviceopts.allowed_to_authenticate_from_device_group:
+ group = Group.get(
+ ldb, cn=serviceopts.allowed_to_authenticate_from_device_group)
+ serviceopts.allowed_to_authenticate_from = group.get_authentication_sddl()
+
# Generate SDDL for authenticating service accounts from a device in a silo
if serviceopts.allowed_to_authenticate_from_device_silo:
silo = AuthenticationSilo.get(
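Review bot: The comment above the `serviceopts.allowed_to_authenticate_from_device_group` check, `# Generate SDDL for authenticating users from a device a device in a group`, is wrong twice: it says "users" over a block that reads `serviceopts`, and it repeats "a device". It should read `# Generate SDDL for authenticating service accounts from a device in a group`, the wording the create path uses for the same block. The two group blocks here are verbatim copies of the create path's; a small module-level helper such as `_device_group_sddl(ldb, name)` doing the lookup, the not-found check and the `get_authentication_sddl()` call would keep create and modify from drifting apart. The enclosing `run` method starts and ends outside this hunk.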
self.assertIn("--user-tgt-lifetime-mins must be between 45 and 2147483647",
err)
+ def test_create__user_allowed_to_authenticate_from_device_group(self):
+ """Tests the --user-allowed-to-authenticate-from-device-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ result, out, err = self.runcmd("domain", "auth", "policy", "create",
+ "--name", name,
+ "--user-allowed-to-authenticate-from-device-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check policy fields.
+ policy = self.get_authentication_policy(name)
+ self.assertEqual(str(policy["cn"]), name)
+
+ # Check generated SDDL.
+ desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
def test_create__user_allowed_to_authenticate_from_device_silo(self):
"""Tests the --user-allowed-to-authenticate-from-device-silo shortcut."""
name = self.unique_name()
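Review bot: The new test pins `msDS-UserAllowedToAuthenticateFrom` but never asserts that the service-side attribute stayed unset, and because the user and service option groups register the same `dest` (`allowed_to_authenticate_from_device_group`), a cross-wired option is exactly the regression worth catching here. I'd add, after the SDDL assertion, `self.assertNotIn("msDS-ServiceAllowedToAuthenticateFrom", policy)` (or the equivalent membership check for whatever message type `get_authentication_policy` returns). A companion negative test passing a group name that does not exist, asserting a non-None result and a message on `err`, would also pin the behaviour of the lookup for a bad name, which this change does not cover.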
self.assertIn("--service-tgt-lifetime-mins must be between 45 and 2147483647",
err)
+ def test_create__service_allowed_to_authenticate_from_device_group(self):
+ """Tests the --service-allowed-to-authenticate-from-device-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ result, out, err = self.runcmd("domain", "auth", "policy", "create",
+ "--name", name,
+ "--service-allowed-to-authenticate-from-device-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check policy fields.
+ policy = self.get_authentication_policy(name)
+ self.assertEqual(str(policy["cn"]), name)
+
+ # Check generated SDDL.
+ desc = policy["msDS-ServiceAllowedToAuthenticateFrom"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
def test_create__service_allowed_to_authenticate_from_device_silo(self):
"""Tests the --service-allowed-to-authenticate-from-device-silo shortcut."""
name = self.unique_name()
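Review bot: Mirror of the user-side test: this asserts `msDS-ServiceAllowedToAuthenticateFrom` but not that `msDS-UserAllowedToAuthenticateFrom` stayed unset, which is the check that would catch the two identically named `dest` values being wired to the wrong attribute. I'd add `self.assertNotIn("msDS-UserAllowedToAuthenticateFrom", policy)` after the SDDL comparison, using whatever membership idiom the returned message type supports. As with the user test, a negative case for a nonexistent group name is missing from this change.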
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
+ def test_modify__user_allowed_to_authenticate_from_device_group(self):
+ """Test the --user-allowed-to-authenticate-from-device-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ # Create a policy to modify for this test.
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ self.runcmd("domain", "auth", "policy", "create", "--name", name)
+
+ # Modify user allowed to authenticate from silo field
+ result, out, err = self.runcmd("domain", "auth", "policy", "modify",
+ "--name", name,
+ "--user-allowed-to-authenticate-from-device-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check generated SDDL.
+ policy = self.get_authentication_policy(name)
+ desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
def test_modify__user_allowed_to_authenticate_from_device_silo(self):
"""Test the --user-allowed-to-authenticate-from-device-silo shortcut."""
name = self.unique_name()
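Review bot: The comment `# Modify user allowed to authenticate from silo field` sits above a call that passes `--user-allowed-to-authenticate-from-device-group`; it should read `# Modify user allowed to authenticate from device group field`. The setup call `self.runcmd("domain", "auth", "policy", "create", "--name", name)` discards its result, so if creation fails the test dies later on the modify step with a misleading error; capture it as `result, out, err = self.runcmd("domain", "auth", "policy", "create", "--name", name)` and follow with `self.assertIsNone(result, msg=err)`.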
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
+ def test_modify__service_allowed_to_authenticate_from_device_group(self):
+ """Test the --service-allowed-to-authenticate-from-device-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ # Create a policy to modify for this test.
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ self.runcmd("domain", "auth", "policy", "create", "--name", name)
+
+ # Modify user allowed to authenticate from silo field
+ result, out, err = self.runcmd("domain", "auth", "policy", "modify",
+ "--name", name,
+ "--service-allowed-to-authenticate-from-device-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check generated SDDL.
+ policy = self.get_authentication_policy(name)
+ desc = policy["msDS-ServiceAllowedToAuthenticateFrom"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
def test_modify__service_allowed_to_authenticate_from_device_silo(self):
"""Test the --service-allowed-to-authenticate-from-device-silo shortcut."""
name = self.unique_name()
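Review bot: The comment `# Modify user allowed to authenticate from silo field` is wrong on both nouns in this test, which passes `--service-allowed-to-authenticate-from-device-group`; it should read `# Modify service allowed to authenticate from device group field`. The unchecked setup call `self.runcmd("domain", "auth", "policy", "create", "--name", name)` has the same weakness as in the user-side modify test: a failed create is only reported indirectly by the modify step, so capture the result and assert it with `self.assertIsNone(result, msg=err)` before modifying.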