From 0ce9b7532553194da7560e122b68def34b445c81 Mon Sep 17 00:00:00 2001
From: Rob van der Linde
Date: Mon, 13 Nov 2023 23:46:57 +1300
Subject: [PATCH] netcmd: models: use correct SDDL for authentication silos
Signed-off-by: Rob van der Linde
Reviewed-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 python/samba/netcmd/domain/models/auth_silo.py | 4 ++--
 python/samba/tests/samba_tool/domain_auth_policy.py | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/python/samba/netcmd/domain/models/auth_silo.py b/python/samba/netcmd/domain/models/auth_silo.py
index f09b6a6654a..9747671e4c5 100644
--- a/python/samba/netcmd/domain/models/auth_silo.py
+++ b/python/samba/netcmd/domain/models/auth_silo.py
@@ -100,5 +100,5 @@ class AuthenticationSilo(Model):
 self.refresh(ldb, fields=["members"])
 def get_authentication_sddl(self):
- return ("O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/"
- f"AuthenticationSilo/{escaped_claim_id(self.name)}))")
+ return ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
+ f'AuthenticationSilo == "{escaped_claim_id(self.name)}"))')
diff --git a/python/samba/tests/samba_tool/domain_auth_policy.py b/python/samba/tests/samba_tool/domain_auth_policy.py
index 21d75591a62..6d7804dd4f3 100644
--- a/python/samba/tests/samba_tool/domain_auth_policy.py
+++ b/python/samba/tests/samba_tool/domain_auth_policy.py
@@ -173,7 +173,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl = ndr_unpack(security.descriptor, desc).as_sddl()
 self.assertEqual(
 sddl,
- "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/Developers))")
+ 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))')
 def test_create__service_tgt_lifetime_mins(self):
 """Test create a new authentication policy with --service-tgt-lifetime-mins.
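Review bot: In `get_authentication_sddl` (the auth_silo.py hunk) the silo name now sits inside a double-quoted SDDL string literal, yet it is still passed through `escaped_claim_id`, a helper defined outside this patch whose name suggests it escapes for the claim-identifier position rather than for a literal. It is worth confirming that its output cannot terminate the literal early and that an escaped name still compares equal to the silo name evaluated at authentication time; if not, a silo whose name contains a space or a quote could produce a policy condition that fails to parse or never matches. The updated expectations in domain_auth_policy.py (this hunk and the ones at 229, 509, 528, 750 and 819) only use `Developers`, `Managers` and `QA`, so none of them exercises the escaping path; a test with a constructed name such as `QA Team` that asserts the generated SDDL would pin the behaviour. A one-line comment above the return, for example `# the silo name is a string literal compared against the AuthenticationSilo claim`, would also record why the expression uses `==`.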
@@ -229,7 +229,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl = ndr_unpack(security.descriptor, desc).as_sddl()
 self.assertEqual(
 sddl,
- "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/Managers))")
+ 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))')
 def test_create__computer_tgt_lifetime_mins(self):
 """Test create a new authentication policy with --computer-tgt-lifetime-mins.
@@ -509,7 +509,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 --user-allowed-to-authenticate-from --user-allowed-to-authenticate-from-silo
 """
- sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/Developers))"
+ sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))'
 name = self.unique_name()
 result, out, err = self.runcmd("domain", "auth", "policy", "create",
@@ -528,7 +528,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 --service-allowed-to-authenticate-from --service-allowed-to-authenticate-from-silo
 """
- sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/Managers))"
+ sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))'
 name = self.unique_name()
 result, out, err = self.runcmd("domain", "auth", "policy", "create",
@@ -750,7 +750,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl = ndr_unpack(security.descriptor, desc).as_sddl()
 self.assertEqual(
 sddl,
- "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/QA))")
+ 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "QA"))')
 def test_modify__user_allowed_to_authenticate_to(self):
 """Modify authentication policy user allowed to authenticate to."""
@@ -819,7 +819,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl = ndr_unpack(security.descriptor, desc).as_sddl()
 self.assertEqual(
 sddl,
- "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo/Developers))")
+ 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))')
 def test_modify__service_allowed_to_authenticate_to(self):
 """Modify authentication policy service allowed to authenticate to."""
--
2.47.3