From: Rob van der Linde
Date: Mon, 19 Feb 2024 03:09:38 +0000 (+1300)
Subject: netcmd: models: gmsa trustees property only looks at allowed aces
X-Git-Tag: tdb-1.4.11~1590
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c8857abb740134b63e354169fd21bba48a6b09a7;p=thirdparty%2Fsamba.git

netcmd: models: gmsa trustees property only looks at allowed aces

Signed-off-by: Rob van der Linde
Reviewed-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---

diff --git a/python/samba/netcmd/domain/models/user.py b/python/samba/netcmd/domain/models/user.py
index 9d1f3afe50f..5523352f435 100644
--- a/python/samba/netcmd/domain/models/user.py
+++ b/python/samba/netcmd/domain/models/user.py
@@ -22,9 +22,11 @@
 from ldb import Dn
+from samba.dcerpc import security
 from samba.dsdb import (DS_GUID_MANAGED_SERVICE_ACCOUNTS_CONTAINER, DS_GUID_USERS_CONTAINER)
+from .exceptions import FieldError
 from .fields import (BinaryField, DnField, EnumField, IntegerField, SDDLField, SIDField, StringField, NtTimeField)
 from .model import Model
@@ -126,7 +128,19 @@ class GroupManagedServiceAccount(User):
 :return: list of User objects
 """
- return [str(ace.trustee) for ace in self.group_msa_membership.dacl.aces]
+ allowed = []
+ # Make sure to exclude DENY aces.
+ for ace in self.group_msa_membership.dacl.aces:
+ if ((ace.access_mask & security.SEC_ADS_READ_PROP)
+ and ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED):
+ allowed.append(str(ace.trustee))
+ else:
+ raise FieldError(
+ "Cannot be represented as a simple list (try viewing as SDDL)",
+ field=GroupManagedServiceAccount.group_msa_membership)
+
+ return allowed
 @classmethod
 def find(cls, ldb, name):
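Review bot: The property now raises FieldError for any ACE that is not a plain ACCESS_ALLOWED ACE carrying SEC_ADS_READ_PROP, but the docstring just above the loop (context lines of the second hunk) still documents only `:return: list of User objects`; add `:raises FieldError: if the DACL contains an ACE that is not a plain ALLOWED ACE granting SEC_ADS_READ_PROP (for example a DENY ACE)`. The new comment `# Make sure to exclude DENY aces.` understates what the loop does: a DENY ACE is not skipped but aborts the property, and so does an ALLOWED ACE whose mask lacks READ_PROP or an ACE of any other type; a comment such as `# Refuse to summarise a DACL that is not a flat list of ALLOWED/READ_PROP ACEs; a DENY or object ACE would make the simple trustee list misleading.` states the actual intent. That strictness is the right default here, since this list is read as "who may retrieve the gMSA password" and silently dropping entries would under-report, so the raise should stay. The `:return:` description also looks stale (the list holds `str(ace.trustee)` values, not User objects), though that predates this commit; the enclosing method's signature is outside the hunk.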