2 # -*- coding: utf-8 -*-
13 sys.path.append("bin/python")
15 import samba.getopt as options
17 # Some error messages that are being tested
18 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
19 from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM
20 from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
22 # For running the test unit
23 from samba.ndr import ndr_pack, ndr_unpack
24 from samba.dcerpc import security
26 from samba.auth import system_session
27 from samba import Ldb, DS_DOMAIN_FUNCTION_2008, SECINFO_OWNER, \
28 SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL
29 from subunit.run import SubunitTestRunner
32 parser = optparse.OptionParser("sec_descriptor [options] <host>")
33 sambaopts = options.SambaOptions(parser)
34 parser.add_option_group(sambaopts)
35 parser.add_option_group(options.VersionOptions(parser))
37 # use command line creds if available
38 credopts = options.CredentialsOptions(parser)
39 parser.add_option_group(credopts)
40 opts, args = parser.parse_args()
48 lp = sambaopts.get_loadparm()
49 creds = credopts.get_credentials(lp)
55 class DescriptorTests(unittest.TestCase):
57 def delete_force(self, ldb, dn):
60 except LdbError, (num, _):
61 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
63 def find_basedn(self, ldb):
64 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
65 attrs=["defaultNamingContext"])
66 self.assertEquals(len(res), 1)
67 return res[0]["defaultNamingContext"][0]
69 def find_configurationdn(self, ldb):
70 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
71 self.assertEquals(len(res), 1)
72 return res[0]["configurationNamingContext"][0]
74 def find_schemadn(self, ldb):
75 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
76 self.assertEquals(len(res), 1)
77 return res[0]["schemaNamingContext"][0]
79 def find_domain_sid(self, ldb):
80 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
81 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
83 def get_users_domain_dn(self, name):
84 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
86 def modify_desc(self, _ldb, object_dn, desc, controls=None):
87 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
89 dn: """ + object_dn + """
91 replace: nTSecurityDescriptor
93 if isinstance(desc, str):
94 mod += "nTSecurityDescriptor: %s" % desc
95 elif isinstance(desc, security.descriptor):
96 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
97 _ldb.modify_ldif(mod, controls)
99 def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
101 dn: """ + ou_dn + """
102 ou: """ + ou_dn.split(",")[0][3:] + """
103 objectClass: organizationalUnit
107 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
108 if isinstance(desc, str):
109 ldif += "nTSecurityDescriptor: %s" % desc
110 elif isinstance(desc, security.descriptor):
111 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
112 _ldb.add_ldif(ldif, controls)
114 def create_domain_user(self, _ldb, user_dn, desc=None):
116 dn: """ + user_dn + """
117 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
119 userPassword: samba123@
123 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
124 if isinstance(desc, str):
125 ldif += "nTSecurityDescriptor: %s" % desc
126 elif isinstance(desc, security.descriptor):
127 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
130 def create_domain_group(self, _ldb, group_dn, desc=None):
132 dn: """ + group_dn + """
134 sAMAccountName: """ + group_dn.split(",")[0][3:] + """
139 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
140 if isinstance(desc, str):
141 ldif += "nTSecurityDescriptor: %s" % desc
142 elif isinstance(desc, security.descriptor):
143 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
146 def get_unique_schema_class_name(self):
148 class_name = "test-class%s" % random.randint(1,100000)
149 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
151 self.ldb_admin.search(base=class_dn, attrs=["*"])
152 except LdbError, (num, _):
153 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
156 def create_schema_class(self, _ldb, object_dn, desc=None):
158 dn: """ + object_dn + """
159 objectClass: classSchema
160 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
161 defaultObjectCategory: """ + object_dn + """
162 distinguishedName: """ + object_dn + """
163 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
165 objectClassCategory: 1
166 subClassOf: organizationalPerson
169 systemMustContain: cn
173 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
174 if isinstance(desc, str):
175 ldif += "nTSecurityDescriptor: %s" % desc
176 elif isinstance(desc, security.descriptor):
177 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
180 def create_configuration_container(self, _ldb, object_dn, desc=None):
182 dn: """ + object_dn + """
183 objectClass: container
184 objectCategory: CN=Container,""" + self.schema_dn + """
185 showInAdvancedViewOnly: TRUE
189 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
190 if isinstance(desc, str):
191 ldif += "nTSecurityDescriptor: %s" % desc
192 elif isinstance(desc, security.descriptor):
193 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
196 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
198 dn: """ + object_dn + """
199 objectClass: displaySpecifier
200 showInAdvancedViewOnly: TRUE
203 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
204 if isinstance(desc, str):
205 ldif += "nTSecurityDescriptor: %s" % desc
206 elif isinstance(desc, security.descriptor):
207 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
210 def read_desc(self, object_dn, controls=None):
211 res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
212 desc = res[0]["nTSecurityDescriptor"][0]
213 return ndr_unpack(security.descriptor, desc)
215 def enable_account(self, user_dn):
216 """Enable an account.
217 :param user_dn: Dn of the account to enable.
219 res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
221 userAccountControl = res[0]["userAccountControl"][0]
222 userAccountControl = int(userAccountControl)
223 if (userAccountControl & 0x2):
224 userAccountControl = userAccountControl & ~0x2 # remove disabled bit
225 if (userAccountControl & 0x20):
226 userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
228 dn: """ + user_dn + """
230 replace: userAccountControl
231 userAccountControl: %s""" % userAccountControl
233 mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
234 self.ldb_admin.modify_ldif(mod)
236 def get_ldb_connection(self, target_username, target_password):
237 username_save = creds.get_username(); password_save = creds.get_password()
238 creds.set_username(target_username)
239 creds.set_password(target_password)
240 ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
241 creds.set_username(username_save); creds.set_password(password_save)
244 def get_object_sid(self, object_dn):
245 res = self.ldb_admin.search(object_dn)
246 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
248 def dacl_add_ace(self, object_dn, ace):
249 desc = self.read_desc( object_dn )
250 desc_sddl = desc.as_sddl( self.domain_sid )
253 if desc_sddl.find("(") >= 0:
254 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
256 desc_sddl = desc_sddl + ace
257 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
259 def get_desc_sddl(self, object_dn, controls=None):
260 """ Return object nTSecutiryDescriptor in SDDL format
262 desc = self.read_desc(object_dn, controls)
263 return desc.as_sddl(self.domain_sid)
267 self.base_dn = self.find_basedn(self.ldb_admin)
268 self.configuration_dn = self.find_configurationdn(self.ldb_admin)
269 self.schema_dn = self.find_schemadn(self.ldb_admin)
270 self.domain_sid = self.find_domain_sid(self.ldb_admin)
271 print "baseDN: %s" % self.base_dn
272 self.SAMBA = False; self.WIN2003 = False
273 res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"])
274 if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]:
279 ################################################################################################
283 # Default descriptor tests #####################################################################
285 class OwnerGroupDescriptorTests(DescriptorTests):
289 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
290 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
291 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
292 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
293 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
294 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
295 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
296 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
298 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
299 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
300 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
301 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
304 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
305 + self.configuration_dn)
306 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
309 DescriptorTests.setUp(self)
314 user_dn = self.get_users_domain_dn("testuser1")
315 self.create_domain_user(self.ldb_admin, user_dn)
316 self.enable_account(user_dn)
318 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
321 member: """ + user_dn
322 self.ldb_admin.modify_ldif(ldif)
324 user_dn = self.get_users_domain_dn("testuser2")
325 self.create_domain_user(self.ldb_admin, user_dn)
326 self.enable_account(user_dn)
328 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
331 member: """ + user_dn
332 self.ldb_admin.modify_ldif(ldif)
334 user_dn = self.get_users_domain_dn("testuser3")
335 self.create_domain_user(self.ldb_admin, user_dn)
336 self.enable_account(user_dn)
338 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
341 member: """ + user_dn
342 self.ldb_admin.modify_ldif(ldif)
344 user_dn = self.get_users_domain_dn("testuser4")
345 self.create_domain_user(self.ldb_admin, user_dn)
346 self.enable_account(user_dn)
348 user_dn = self.get_users_domain_dn("testuser5")
349 self.create_domain_user(self.ldb_admin, user_dn)
350 self.enable_account(user_dn)
352 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
355 member: """ + user_dn + """
357 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
360 member: """ + user_dn
361 self.ldb_admin.modify_ldif(ldif)
363 user_dn = self.get_users_domain_dn("testuser6")
364 self.create_domain_user(self.ldb_admin, user_dn)
365 self.enable_account(user_dn)
367 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
370 member: """ + user_dn + """
372 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
375 member: """ + user_dn + """
377 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
380 member: """ + user_dn
381 self.ldb_admin.modify_ldif(ldif)
383 user_dn = self.get_users_domain_dn("testuser7")
384 self.create_domain_user(self.ldb_admin, user_dn)
385 self.enable_account(user_dn)
387 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
390 member: """ + user_dn + """
392 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
395 member: """ + user_dn
396 self.ldb_admin.modify_ldif(ldif)
398 user_dn = self.get_users_domain_dn("testuser8")
399 self.create_domain_user(self.ldb_admin, user_dn)
400 self.enable_account(user_dn)
402 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
405 member: """ + user_dn + """
407 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
410 member: """ + user_dn
411 self.ldb_admin.modify_ldif(ldif)
413 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
414 "ds_behavior_win2003" : {
464 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
465 "ds_behavior_win2008" : {
516 # Discover 'msDS-Behavior-Version'
517 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
518 attrs=['msDS-Behavior-Version'])
519 res = int(res[0]['msDS-Behavior-Version'][0])
520 if res < DS_DOMAIN_FUNCTION_2008:
521 self.DS_BEHAVIOR = "ds_behavior_win2003"
523 self.DS_BEHAVIOR = "ds_behavior_win2008"
528 def check_user_belongs(self, user_dn, groups=[]):
529 """ Test wether user is member of the expected group(s) """
531 # User is member of at least one additional group
532 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
533 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
536 expected.append(self.get_users_domain_dn(x))
537 expected = [x.upper() for x in sorted(expected)]
538 self.assertEqual(expected, res)
540 # User is not a member of any additional groups but default
541 res = self.ldb_admin.search(user_dn, attrs=["*"])
542 res = [x.upper() for x in res[0].keys()]
543 self.assertFalse( "MEMBEROF" in res)
545 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
547 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
548 if owner_group != "":
549 self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
551 self.modify_desc(_ldb, object_dn, "D:" + ace)
552 # Make sure the modify operation has been applied
553 desc_sddl = self.get_desc_sddl(object_dn)
554 self.assertTrue(ace in desc_sddl)
555 # Make sure we have identical result for both "add" and "modify"
556 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
557 print self._testMethodName
558 test_number = self._testMethodName[5:]
559 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
562 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
564 user_name = "testuser1"
565 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
566 # Open Ldb connection with the tested user
567 _ldb = self.get_ldb_connection(user_name, "samba123@")
568 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
569 self.delete_force(self.ldb_admin, object_dn)
570 self.create_domain_group(_ldb, object_dn)
571 desc_sddl = self.get_desc_sddl(object_dn)
572 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
573 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
574 self.check_modify_inheritance(_ldb, object_dn)
577 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
579 user_name = "testuser2"
580 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
581 # Open Ldb connection with the tested user
582 _ldb = self.get_ldb_connection(user_name, "samba123@")
583 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
584 self.delete_force(self.ldb_admin, object_dn)
585 self.create_domain_group(_ldb, object_dn)
586 desc_sddl = self.get_desc_sddl(object_dn)
587 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
588 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
589 self.check_modify_inheritance(_ldb, object_dn)
592 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
594 user_name = "testuser3"
595 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
596 # Open Ldb connection with the tested user
597 _ldb = self.get_ldb_connection(user_name, "samba123@")
598 object_dn = "OU=test_domain_ou1," + self.base_dn
599 self.delete_force(self.ldb_admin, object_dn)
600 self.create_domain_ou(self.ldb_admin, object_dn)
601 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
602 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
603 self.dacl_add_ace(object_dn, mod)
604 # Create additional object into the first one
605 object_dn = "CN=test_domain_user1," + object_dn
606 self.delete_force(self.ldb_admin, object_dn)
607 self.create_domain_user(_ldb, object_dn)
608 desc_sddl = self.get_desc_sddl(object_dn)
609 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
610 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
611 # This fails, research why
612 #self.check_modify_inheritance(_ldb, object_dn)
615 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
617 user_name = "testuser4"
618 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
619 # Open Ldb connection with the tested user
620 _ldb = self.get_ldb_connection(user_name, "samba123@")
621 object_dn = "OU=test_domain_ou1," + self.base_dn
622 self.delete_force(self.ldb_admin, object_dn)
623 self.create_domain_ou(self.ldb_admin, object_dn)
624 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
625 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
626 self.dacl_add_ace(object_dn, mod)
627 # Create additional object into the first one
628 object_dn = "CN=test_domain_user1," + object_dn
629 self.delete_force(self.ldb_admin, object_dn)
630 self.create_domain_user(_ldb, object_dn)
631 desc_sddl = self.get_desc_sddl(object_dn)
632 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
633 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
634 #this fails, research why
635 #self.check_modify_inheritance(_ldb, object_dn)
638 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
640 user_name = "testuser5"
641 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
642 # Open Ldb connection with the tested user
643 _ldb = self.get_ldb_connection(user_name, "samba123@")
644 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
645 self.delete_force(self.ldb_admin, object_dn)
646 self.create_domain_group(_ldb, object_dn)
647 desc_sddl = self.get_desc_sddl(object_dn)
648 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
649 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
650 self.check_modify_inheritance(_ldb, object_dn)
653 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
655 user_name = "testuser6"
656 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
657 # Open Ldb connection with the tested user
658 _ldb = self.get_ldb_connection(user_name, "samba123@")
659 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
660 self.delete_force(self.ldb_admin, object_dn)
661 self.create_domain_group(_ldb, object_dn)
662 desc_sddl = self.get_desc_sddl(object_dn)
663 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
664 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
665 self.check_modify_inheritance(_ldb, object_dn)
668 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
670 user_name = "testuser7"
671 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
672 # Open Ldb connection with the tested user
673 _ldb = self.get_ldb_connection(user_name, "samba123@")
674 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
675 self.delete_force(self.ldb_admin, object_dn)
676 self.create_domain_group(_ldb, object_dn)
677 desc_sddl = self.get_desc_sddl(object_dn)
678 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
679 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
680 self.check_modify_inheritance(_ldb, object_dn)
683 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
685 user_name = "testuser8"
686 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
687 # Open Ldb connection with the tested user
688 _ldb = self.get_ldb_connection(user_name, "samba123@")
689 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
690 self.delete_force(self.ldb_admin, object_dn)
691 self.create_domain_group(_ldb, object_dn)
692 desc_sddl = self.get_desc_sddl(object_dn)
693 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
694 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
695 self.check_modify_inheritance(_ldb, object_dn)
697 # Control descriptor tests #####################################################################
700 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
702 user_name = "testuser1"
703 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
704 # Open Ldb connection with the tested user
705 _ldb = self.get_ldb_connection(user_name, "samba123@")
706 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
707 self.delete_force(self.ldb_admin, object_dn)
708 # Create a custom security descriptor
709 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
710 self.create_domain_group(_ldb, object_dn, desc_sddl)
711 desc_sddl = self.get_desc_sddl(object_dn)
712 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
713 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
716 """ Domain admin group member creates object (custom descriptor) in DOMAIN
718 user_name = "testuser2"
719 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
720 # Open Ldb connection with the tested user
721 _ldb = self.get_ldb_connection(user_name, "samba123@")
722 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
723 self.delete_force(self.ldb_admin, object_dn)
724 # Create a custom security descriptor
725 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
726 self.create_domain_group(_ldb, object_dn, desc_sddl)
727 desc_sddl = self.get_desc_sddl(object_dn)
728 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
729 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
732 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
734 user_name = "testuser3"
735 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
736 # Open Ldb connection with the tested user
737 _ldb = self.get_ldb_connection(user_name, "samba123@")
738 object_dn = "OU=test_domain_ou1," + self.base_dn
739 self.delete_force(self.ldb_admin, object_dn)
740 self.create_domain_ou(self.ldb_admin, object_dn)
741 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
742 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
743 self.dacl_add_ace(object_dn, mod)
744 # Create a custom security descriptor
745 # NB! Problematic owner part won't accept DA only <User Sid> !!!
746 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
747 # Create additional object into the first one
748 object_dn = "CN=test_domain_user1," + object_dn
749 self.delete_force(self.ldb_admin, object_dn)
750 self.create_domain_user(_ldb, object_dn, desc_sddl)
751 desc = self.read_desc(object_dn)
752 desc_sddl = self.get_desc_sddl(object_dn)
753 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
754 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
757 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
759 user_name = "testuser4"
760 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
761 # Open Ldb connection with the tested user
762 _ldb = self.get_ldb_connection(user_name, "samba123@")
763 object_dn = "OU=test_domain_ou1," + self.base_dn
764 self.delete_force(self.ldb_admin, object_dn)
765 self.create_domain_ou(self.ldb_admin, object_dn)
766 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
767 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
768 self.dacl_add_ace(object_dn, mod)
769 # Create a custom security descriptor
770 # NB! Problematic owner part won't accept DA only <User Sid> !!!
771 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
772 # Create additional object into the first one
773 object_dn = "CN=test_domain_user1," + object_dn
774 self.delete_force(self.ldb_admin, object_dn)
775 self.create_domain_user(_ldb, object_dn, desc_sddl)
776 desc = self.read_desc(object_dn)
777 desc_sddl = self.get_desc_sddl(object_dn)
778 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
779 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
782 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
784 user_name = "testuser5"
785 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
786 # Open Ldb connection with the tested user
787 _ldb = self.get_ldb_connection(user_name, "samba123@")
788 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
789 self.delete_force(self.ldb_admin, object_dn)
790 # Create a custom security descriptor
791 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
792 self.create_domain_group(_ldb, object_dn, desc_sddl)
793 desc_sddl = self.get_desc_sddl(object_dn)
794 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
795 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
798 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
800 user_name = "testuser6"
801 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
802 # Open Ldb connection with the tested user
803 _ldb = self.get_ldb_connection(user_name, "samba123@")
804 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
805 self.delete_force(self.ldb_admin, object_dn)
806 # Create a custom security descriptor
807 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
808 self.create_domain_group(_ldb, object_dn, desc_sddl)
809 desc_sddl = self.get_desc_sddl(object_dn)
810 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
811 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
814 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
816 user_name = "testuser7"
817 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
818 # Open Ldb connection with the tested user
819 _ldb = self.get_ldb_connection(user_name, "samba123@")
820 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
821 self.delete_force(self.ldb_admin, object_dn)
822 # Create a custom security descriptor
823 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
824 self.create_domain_group(_ldb, object_dn, desc_sddl)
825 desc_sddl = self.get_desc_sddl(object_dn)
826 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
827 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
830 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
832 user_name = "testuser8"
833 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
834 # Open Ldb connection with the tested user
835 _ldb = self.get_ldb_connection(user_name, "samba123@")
836 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
837 self.delete_force(self.ldb_admin, object_dn)
838 # Create a custom security descriptor
839 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
840 self.create_domain_group(_ldb, object_dn, desc_sddl)
841 desc_sddl = self.get_desc_sddl(object_dn)
842 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
843 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
846 user_name = "Administrator"
847 object_dn = "OU=test_domain_ou1," + self.base_dn
848 self.delete_force(self.ldb_admin, object_dn)
849 self.create_domain_ou(self.ldb_admin, object_dn)
850 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
851 mod = "(D;CI;WP;;;S-1-3-0)"
853 self.dacl_add_ace(object_dn, mod)
854 desc_sddl = self.get_desc_sddl(object_dn)
855 # Create additional object into the first one
856 object_dn = "OU=test_domain_ou2," + object_dn
857 self.delete_force(self.ldb_admin, object_dn)
858 self.create_domain_ou(self.ldb_admin, object_dn)
859 desc_sddl = self.get_desc_sddl(object_dn)
863 # Defalt descriptor tests ##################################################################
866 user_name = "testuser1"
867 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
868 # Open Ldb connection with the tested user
869 _ldb = self.get_ldb_connection(user_name, "samba123@")
870 # Change Schema partition descriptor
871 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
872 mod = "(A;;WDCC;;;AU)"
873 self.dacl_add_ace(self.schema_dn, mod)
874 # Create example Schema class
875 class_name = self.get_unique_schema_class_name()
876 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
877 self.create_schema_class(_ldb, class_dn)
878 desc_sddl = self.get_desc_sddl(class_dn)
879 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
880 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
881 self.check_modify_inheritance(_ldb, class_dn)
884 user_name = "testuser2"
885 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
886 # Open Ldb connection with the tested user
887 _ldb = self.get_ldb_connection(user_name, "samba123@")
888 # Change Schema partition descriptor
889 mod = "(A;CI;WDCC;;;AU)"
890 self.dacl_add_ace(self.schema_dn, mod)
891 # Create example Schema class
892 class_name = self.get_unique_schema_class_name()
893 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
894 self.create_schema_class(_ldb, class_dn)
895 desc_sddl = self.get_desc_sddl(class_dn)
896 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
897 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
898 self.check_modify_inheritance(_ldb, class_dn)
901 user_name = "testuser3"
902 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
903 # Open Ldb connection with the tested user
904 _ldb = self.get_ldb_connection(user_name, "samba123@")
905 # Change Schema partition descriptor
906 mod = "(A;CI;WDCC;;;AU)"
907 self.dacl_add_ace(self.schema_dn, mod)
908 # Create example Schema class
909 class_name = self.get_unique_schema_class_name()
910 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
911 self.create_schema_class(_ldb, class_dn)
912 desc_sddl = self.get_desc_sddl(class_dn)
913 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
914 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
915 #self.check_modify_inheritance(_ldb, class_dn)
918 user_name = "testuser4"
919 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
920 # Open Ldb connection with the tested user
921 _ldb = self.get_ldb_connection(user_name, "samba123@")
922 #Change Schema partition descriptor
923 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
924 mod = "(A;CI;WDCC;;;AU)"
925 self.dacl_add_ace(self.schema_dn, mod)
926 # Create example Schema class
927 class_name = self.get_unique_schema_class_name()
928 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
929 self.create_schema_class(_ldb, class_dn)
930 desc_sddl = self.get_desc_sddl(class_dn)
931 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
932 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
933 #self.check_modify_inheritance(_ldb, class_dn)
936 user_name = "testuser5"
937 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
938 # Open Ldb connection with the tested user
939 _ldb = self.get_ldb_connection(user_name, "samba123@")
940 #Change Schema partition descriptor
941 mod = "(A;CI;WDCC;;;AU)"
942 self.dacl_add_ace(self.schema_dn, mod)
943 # Create example Schema class
944 class_name = self.get_unique_schema_class_name()
945 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
946 self.create_schema_class(_ldb, class_dn)
947 desc_sddl = self.get_desc_sddl(class_dn)
948 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
949 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
950 self.check_modify_inheritance(_ldb, class_dn)
953 user_name = "testuser6"
954 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
955 # Open Ldb connection with the tested user
956 _ldb = self.get_ldb_connection(user_name, "samba123@")
957 # Change Schema partition descriptor
958 mod = "(A;CI;WDCC;;;AU)"
959 self.dacl_add_ace(self.schema_dn, mod)
960 # Create example Schema class
961 class_name = self.get_unique_schema_class_name()
962 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
963 self.create_schema_class(_ldb, class_dn)
964 desc_sddl = self.get_desc_sddl(class_dn)
965 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
966 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
967 self.check_modify_inheritance(_ldb, class_dn)
970 user_name = "testuser7"
971 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
972 # Open Ldb connection with the tested user
973 _ldb = self.get_ldb_connection(user_name, "samba123@")
974 # Change Schema partition descriptor
975 mod = "(A;CI;WDCC;;;AU)"
976 self.dacl_add_ace(self.schema_dn, mod)
977 # Create example Schema class
978 class_name = self.get_unique_schema_class_name()
979 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
980 self.create_schema_class(_ldb, class_dn)
981 desc_sddl = self.get_desc_sddl(class_dn)
982 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
983 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
984 self.check_modify_inheritance(_ldb, class_dn)
987 user_name = "testuser8"
988 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
989 # Open Ldb connection with the tested user
990 _ldb = self.get_ldb_connection(user_name, "samba123@")
991 # Change Schema partition descriptor
992 mod = "(A;CI;WDCC;;;AU)"
993 self.dacl_add_ace(self.schema_dn, mod)
994 # Create example Schema class
995 class_name = self.get_unique_schema_class_name()
996 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
997 self.create_schema_class(_ldb, class_dn)
998 desc_sddl = self.get_desc_sddl(class_dn)
999 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1000 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1001 self.check_modify_inheritance(_ldb, class_dn)
1003 # Custom descriptor tests ##################################################################
1006 user_name = "testuser1"
1007 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1008 # Open Ldb connection with the tested user
1009 _ldb = self.get_ldb_connection(user_name, "samba123@")
1010 # Change Schema partition descriptor
1011 mod = "(A;;CC;;;AU)"
1012 self.dacl_add_ace(self.schema_dn, mod)
1013 # Create a custom security descriptor
1014 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1015 # Create example Schema class
1016 class_name = self.get_unique_schema_class_name()
1017 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1018 self.create_schema_class(_ldb, class_dn, desc_sddl)
1019 desc_sddl = self.get_desc_sddl(class_dn)
1020 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1021 self.assertEqual("O:DAG:DA", res)
1024 user_name = "testuser2"
1025 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1026 # Open Ldb connection with the tested user
1027 _ldb = self.get_ldb_connection(user_name, "samba123@")
1028 # Change Schema partition descriptor
1029 mod = "(A;;CC;;;AU)"
1030 self.dacl_add_ace(self.schema_dn, mod)
1031 # Create a custom security descriptor
1032 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1033 # Create example Schema class
1034 class_name = self.get_unique_schema_class_name()
1035 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1036 self.create_schema_class(_ldb, class_dn, desc_sddl)
1037 desc_sddl = self.get_desc_sddl(class_dn)
1038 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1039 self.assertEqual("O:DAG:DA", res)
1042 user_name = "testuser3"
1043 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1044 # Open Ldb connection with the tested user
1045 _ldb = self.get_ldb_connection(user_name, "samba123@")
1046 # Create a custom security descriptor
1047 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1048 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1049 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1050 # Create example Schema class
1051 class_name = self.get_unique_schema_class_name()
1052 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1053 self.create_schema_class(_ldb, class_dn, desc_sddl)
1054 desc_sddl = self.get_desc_sddl(class_dn)
1055 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1056 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1059 user_name = "testuser4"
1060 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1061 # Open Ldb connection with the tested user
1062 _ldb = self.get_ldb_connection(user_name, "samba123@")
1063 # Create a custom security descriptor
1064 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1065 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1066 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1067 # Create example Schema class
1068 class_name = self.get_unique_schema_class_name()
1069 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1070 self.create_schema_class(_ldb, class_dn, desc_sddl)
1071 desc_sddl = self.get_desc_sddl(class_dn)
1072 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1073 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1076 user_name = "testuser5"
1077 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1078 # Open Ldb connection with the tested user
1079 _ldb = self.get_ldb_connection(user_name, "samba123@")
1080 # Change Schema partition descriptor
1081 mod = "(A;;CC;;;AU)"
1082 self.dacl_add_ace(self.schema_dn, mod)
1083 # Create a custom security descriptor
1084 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1085 # Create example Schema class
1086 class_name = self.get_unique_schema_class_name()
1087 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1088 self.create_schema_class(_ldb, class_dn, desc_sddl)
1089 desc_sddl = self.get_desc_sddl(class_dn)
1090 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1091 self.assertEqual("O:DAG:DA", res)
1094 user_name = "testuser6"
1095 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1096 # Open Ldb connection with the tested user
1097 _ldb = self.get_ldb_connection(user_name, "samba123@")
1098 # Change Schema partition descriptor
1099 mod = "(A;;CC;;;AU)"
1100 self.dacl_add_ace(self.schema_dn, mod)
1101 # Create a custom security descriptor
1102 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1103 # Create example Schema class
1104 class_name = self.get_unique_schema_class_name()
1105 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1106 self.create_schema_class(_ldb, class_dn, desc_sddl)
1107 desc_sddl = self.get_desc_sddl(class_dn)
1108 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1109 self.assertEqual("O:DAG:DA", res)
1112 user_name = "testuser7"
1113 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1114 # Open Ldb connection with the tested user
1115 _ldb = self.get_ldb_connection(user_name, "samba123@")
1116 # Change Schema partition descriptor
1117 mod = "(A;;CC;;;AU)"
1118 self.dacl_add_ace(self.schema_dn, mod)
1119 # Create a custom security descriptor
1120 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1121 # Create example Schema class
1122 class_name = self.get_unique_schema_class_name()
1123 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1124 self.create_schema_class(_ldb, class_dn, desc_sddl)
1125 desc_sddl = self.get_desc_sddl(class_dn)
1126 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1127 self.assertEqual("O:DAG:DA", res)
1130 user_name = "testuser8"
1131 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1132 # Open Ldb connection with the tested user
1133 _ldb = self.get_ldb_connection(user_name, "samba123@")
1134 # Change Schema partition descriptor
1135 mod = "(A;;CC;;;AU)"
1136 self.dacl_add_ace(self.schema_dn, mod)
1137 # Create a custom security descriptor
1138 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1139 # Create example Schema class
1140 class_name = self.get_unique_schema_class_name()
1141 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1142 self.create_schema_class(_ldb, class_dn, desc_sddl)
1143 desc_sddl = self.get_desc_sddl(class_dn)
1144 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1145 self.assertEqual("O:DAG:DA", res)
1147 ## Tests for CONFIGURATION
1149 # Defalt descriptor tests ##################################################################
1152 user_name = "testuser1"
1153 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1154 # Open Ldb connection with the tested user
1155 _ldb = self.get_ldb_connection(user_name, "samba123@")
1156 # Create example Configuration container
1157 container_name = "test-container1"
1158 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1159 self.delete_force(self.ldb_admin, object_dn)
1160 self.create_configuration_container(_ldb, object_dn, )
1161 desc_sddl = self.get_desc_sddl(object_dn)
1162 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1163 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1164 self.check_modify_inheritance(_ldb, object_dn)
1167 user_name = "testuser2"
1168 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1169 # Open Ldb connection with the tested user
1170 _ldb = self.get_ldb_connection(user_name, "samba123@")
1171 # Create example Configuration container
1172 container_name = "test-container1"
1173 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1174 self.delete_force(self.ldb_admin, object_dn)
1175 self.create_configuration_container(_ldb, object_dn, )
1176 desc_sddl = self.get_desc_sddl(object_dn)
1177 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1178 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1179 self.check_modify_inheritance(_ldb, object_dn)
1182 user_name = "testuser3"
1183 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1184 # Open Ldb connection with the tested user
1185 _ldb = self.get_ldb_connection(user_name, "samba123@")
1186 # Create example Configuration container
1187 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1188 self.delete_force(self.ldb_admin, object_dn)
1189 self.create_configuration_container(self.ldb_admin, object_dn, )
1190 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1191 mod = "(A;;WDCC;;;AU)"
1192 self.dacl_add_ace(object_dn, mod)
1193 # Create child object with user's credentials
1194 object_dn = "CN=test-specifier1," + object_dn
1195 self.delete_force(self.ldb_admin, object_dn)
1196 self.create_configuration_specifier(_ldb, object_dn)
1197 desc_sddl = self.get_desc_sddl(object_dn)
1198 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1199 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1200 #self.check_modify_inheritance(_ldb, object_dn)
1203 user_name = "testuser4"
1204 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1205 # Open Ldb connection with the tested user
1206 _ldb = self.get_ldb_connection(user_name, "samba123@")
1207 # Create example Configuration container
1208 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1209 self.delete_force(self.ldb_admin, object_dn)
1210 self.create_configuration_container(self.ldb_admin, object_dn, )
1211 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1212 mod = "(A;CI;WDCC;;;AU)"
1213 self.dacl_add_ace(object_dn, mod)
1214 # Create child object with user's credentials
1215 object_dn = "CN=test-specifier1," + object_dn
1216 self.delete_force(self.ldb_admin, object_dn)
1217 self.create_configuration_specifier(_ldb, object_dn)
1218 desc_sddl = self.get_desc_sddl(object_dn)
1219 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1220 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1221 #self.check_modify_inheritance(_ldb, object_dn)
1224 user_name = "testuser5"
1225 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1226 # Open Ldb connection with the tested user
1227 _ldb = self.get_ldb_connection(user_name, "samba123@")
1228 # Create example Configuration container
1229 container_name = "test-container1"
1230 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1231 self.delete_force(self.ldb_admin, object_dn)
1232 self.create_configuration_container(_ldb, object_dn, )
1233 desc_sddl = self.get_desc_sddl(object_dn)
1234 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1235 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1236 self.check_modify_inheritance(_ldb, object_dn)
1239 user_name = "testuser6"
1240 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1241 # Open Ldb connection with the tested user
1242 _ldb = self.get_ldb_connection(user_name, "samba123@")
1243 # Create example Configuration container
1244 container_name = "test-container1"
1245 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1246 self.delete_force(self.ldb_admin, object_dn)
1247 self.create_configuration_container(_ldb, object_dn, )
1248 desc_sddl = self.get_desc_sddl(object_dn)
1249 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1250 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1251 self.check_modify_inheritance(_ldb, object_dn)
1254 user_name = "testuser7"
1255 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1256 # Open Ldb connection with the tested user
1257 _ldb = self.get_ldb_connection(user_name, "samba123@")
1258 # Create example Configuration container
1259 container_name = "test-container1"
1260 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1261 self.delete_force(self.ldb_admin, object_dn)
1262 self.create_configuration_container(_ldb, object_dn, )
1263 desc_sddl = self.get_desc_sddl(object_dn)
1264 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1265 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1266 self.check_modify_inheritance(_ldb, object_dn)
1269 user_name = "testuser8"
1270 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1271 # Open Ldb connection with the tested user
1272 _ldb = self.get_ldb_connection(user_name, "samba123@")
1273 # Create example Configuration container
1274 container_name = "test-container1"
1275 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1276 self.delete_force(self.ldb_admin, object_dn)
1277 self.create_configuration_container(_ldb, object_dn, )
1278 desc_sddl = self.get_desc_sddl(object_dn)
1279 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1280 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1281 self.check_modify_inheritance(_ldb, object_dn)
1283 # Custom descriptor tests ##################################################################
1286 user_name = "testuser1"
1287 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1288 # Open Ldb connection with the tested user
1289 _ldb = self.get_ldb_connection(user_name, "samba123@")
1290 # Create example Configuration container
1291 container_name = "test-container1"
1292 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1293 self.delete_force(self.ldb_admin, object_dn)
1294 # Create a custom security descriptor
1295 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1296 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1297 desc_sddl = self.get_desc_sddl(object_dn)
1298 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1299 self.assertEqual("O:DAG:DA", res)
1302 user_name = "testuser2"
1303 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1304 # Open Ldb connection with the tested user
1305 _ldb = self.get_ldb_connection(user_name, "samba123@")
1306 # Create example Configuration container
1307 container_name = "test-container1"
1308 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1309 self.delete_force(self.ldb_admin, object_dn)
1310 # Create a custom security descriptor
1311 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1312 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1313 desc_sddl = self.get_desc_sddl(object_dn)
1314 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1315 self.assertEqual("O:DAG:DA", res)
1318 user_name = "testuser3"
1319 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1320 # Open Ldb connection with the tested user
1321 _ldb = self.get_ldb_connection(user_name, "samba123@")
1322 # Create example Configuration container
1323 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1324 self.delete_force(self.ldb_admin, object_dn)
1325 self.create_configuration_container(self.ldb_admin, object_dn, )
1326 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1327 mod = "(A;;CC;;;AU)"
1328 self.dacl_add_ace(object_dn, mod)
1329 # Create child object with user's credentials
1330 object_dn = "CN=test-specifier1," + object_dn
1331 self.delete_force(self.ldb_admin, object_dn)
1332 # Create a custom security descriptor
1333 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1334 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1335 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1336 desc_sddl = self.get_desc_sddl(object_dn)
1337 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1338 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1341 user_name = "testuser4"
1342 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1343 # Open Ldb connection with the tested user
1344 _ldb = self.get_ldb_connection(user_name, "samba123@")
1345 # Create example Configuration container
1346 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1347 self.delete_force(self.ldb_admin, object_dn)
1348 self.create_configuration_container(self.ldb_admin, object_dn, )
1349 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1350 mod = "(A;;CC;;;AU)"
1351 self.dacl_add_ace(object_dn, mod)
1352 # Create child object with user's credentials
1353 object_dn = "CN=test-specifier1," + object_dn
1354 self.delete_force(self.ldb_admin, object_dn)
1355 # Create a custom security descriptor
1356 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1357 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1358 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1359 desc_sddl = self.get_desc_sddl(object_dn)
1360 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1361 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1364 user_name = "testuser5"
1365 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1366 # Open Ldb connection with the tested user
1367 _ldb = self.get_ldb_connection(user_name, "samba123@")
1368 # Create example Configuration container
1369 container_name = "test-container1"
1370 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1371 self.delete_force(self.ldb_admin, object_dn)
1372 # Create a custom security descriptor
1373 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1374 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1375 desc_sddl = self.get_desc_sddl(object_dn)
1376 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1377 self.assertEqual("O:DAG:DA", res)
1380 user_name = "testuser6"
1381 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1382 # Open Ldb connection with the tested user
1383 _ldb = self.get_ldb_connection(user_name, "samba123@")
1384 # Create example Configuration container
1385 container_name = "test-container1"
1386 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1387 self.delete_force(self.ldb_admin, object_dn)
1388 # Create a custom security descriptor
1389 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1390 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1391 desc_sddl = self.get_desc_sddl(object_dn)
1392 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1393 self.assertEqual("O:DAG:DA", res)
1396 user_name = "testuser7"
1397 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1398 # Open Ldb connection with the tested user
1399 _ldb = self.get_ldb_connection(user_name, "samba123@")
1400 # Create example Configuration container
1401 container_name = "test-container1"
1402 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1403 self.delete_force(self.ldb_admin, object_dn)
1404 # Create a custom security descriptor
1405 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1406 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1407 desc_sddl = self.get_desc_sddl(object_dn)
1408 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1409 self.assertEqual("O:DAG:DA", res)
1412 user_name = "testuser8"
1413 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1414 # Open Ldb connection with the tested user
1415 _ldb = self.get_ldb_connection(user_name, "samba123@")
1416 # Create example Configuration container
1417 container_name = "test-container1"
1418 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1419 self.delete_force(self.ldb_admin, object_dn)
1420 # Create a custom security descriptor
1421 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1422 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1423 desc_sddl = self.get_desc_sddl(object_dn)
1424 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1425 self.assertEqual("O:DAG:DA", res)
1427 ########################################################################################
1428 # Inharitance tests for DACL
1430 class DaclDescriptorTests(DescriptorTests):
1432 def deleteAll(self):
1433 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1434 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1437 DescriptorTests.setUp(self)
1443 def create_clean_ou(self, object_dn):
1444 """ Base repeating setup for unittests to follow """
1445 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1446 expression="distinguishedName=%s" % object_dn)
1447 # Make sure top testing OU has been deleted before starting the test
1448 self.assertEqual(res, [])
1449 self.create_domain_ou(self.ldb_admin, object_dn)
1450 desc_sddl = self.get_desc_sddl(object_dn)
1451 # Make sure there are inheritable ACEs initially
1452 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1453 # Find and remove all inherit ACEs
1454 res = re.findall("\(.*?\)", desc_sddl)
1455 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1457 desc_sddl = desc_sddl.replace(x, "")
1458 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1459 # can propagate from above
1460 # remove SACL, we are not interested
1461 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1462 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
1463 # Verify all inheritable ACEs are gone
1464 desc_sddl = self.get_desc_sddl(object_dn)
1465 self.assertFalse("CI" in desc_sddl)
1466 self.assertFalse("OI" in desc_sddl)
1469 """ OU with protected flag and child group. See if the group has inherit ACEs.
1471 ou_dn = "OU=test_inherit_ou," + self.base_dn
1472 group_dn = "CN=test_inherit_group," + ou_dn
1473 # Create inheritable-free OU
1474 self.create_clean_ou(ou_dn)
1475 # Create group child object
1476 self.create_domain_group(self.ldb_admin, group_dn)
1477 # Make sure created group object contains NO inherit ACEs
1478 desc_sddl = self.get_desc_sddl(group_dn)
1479 self.assertFalse("ID" in desc_sddl)
1482 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1483 Verify group has custom and default ACEs only.
1485 ou_dn = "OU=test_inherit_ou," + self.base_dn
1486 group_dn = "CN=test_inherit_group," + ou_dn
1487 # Create inheritable-free OU
1488 self.create_clean_ou(ou_dn)
1489 # Create group child object using custom security descriptor
1490 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1491 self.create_domain_group(self.ldb_admin, group_dn, sddl)
1492 # Make sure created group descriptor has NO additional ACEs
1493 desc_sddl = self.get_desc_sddl(group_dn)
1494 self.assertEqual(desc_sddl, sddl)
1495 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1496 self.modify_desc(self.ldb_admin, group_dn, sddl)
1497 desc_sddl = self.get_desc_sddl(group_dn)
1498 self.assertEqual(desc_sddl, sddl)
1501 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1502 See if the group has any of the added ACEs.
1504 ou_dn = "OU=test_inherit_ou," + self.base_dn
1505 group_dn = "CN=test_inherit_group," + ou_dn
1506 # Create inheritable-free OU
1507 self.create_clean_ou(ou_dn)
1508 # Add some custom non-inheritable ACEs
1509 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1510 moded = "(D;;CC;;;LG)"
1511 self.dacl_add_ace(ou_dn, mod)
1512 # Verify all inheritable ACEs are gone
1513 desc_sddl = self.get_desc_sddl(ou_dn)
1514 # Create group child object
1515 self.create_domain_group(self.ldb_admin, group_dn)
1516 # Make sure created group object contains NO inherit ACEs
1517 # also make sure the added above non-inheritable ACEs are absent too
1518 desc_sddl = self.get_desc_sddl(group_dn)
1519 self.assertFalse("ID" in desc_sddl)
1520 for x in re.findall("\(.*?\)", mod):
1521 self.assertFalse(x in desc_sddl)
1522 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1523 desc_sddl = self.get_desc_sddl(group_dn)
1524 self.assertFalse("ID" in desc_sddl)
1525 for x in re.findall("\(.*?\)", mod):
1526 self.assertFalse(x in desc_sddl)
1529 """ OU with protected flag and add 'CI' ACE, child group.
1530 See if the group has the added inherited ACE.
1532 ou_dn = "OU=test_inherit_ou," + self.base_dn
1533 group_dn = "CN=test_inherit_group," + ou_dn
1534 # Create inheritable-free OU
1535 self.create_clean_ou(ou_dn)
1536 # Add some custom 'CI' ACE
1537 mod = "(D;CI;WP;;;DU)"
1538 moded = "(D;;CC;;;LG)"
1539 self.dacl_add_ace(ou_dn, mod)
1540 desc_sddl = self.get_desc_sddl(ou_dn)
1541 # Create group child object
1542 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1543 # Make sure created group object contains only the above inherited ACE
1544 # that we've added manually
1545 desc_sddl = self.get_desc_sddl(group_dn)
1546 mod = mod.replace(";CI;", ";CIID;")
1547 self.assertTrue(mod in desc_sddl)
1548 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1549 desc_sddl = self.get_desc_sddl(group_dn)
1550 self.assertTrue(moded in desc_sddl)
1551 self.assertTrue(mod in desc_sddl)
1554 """ OU with protected flag and add 'OI' ACE, child group.
1555 See if the group has the added inherited ACE.
1557 ou_dn = "OU=test_inherit_ou," + self.base_dn
1558 group_dn = "CN=test_inherit_group," + ou_dn
1559 # Create inheritable-free OU
1560 self.create_clean_ou(ou_dn)
1561 # Add some custom 'CI' ACE
1562 mod = "(D;OI;WP;;;DU)"
1563 moded = "(D;;CC;;;LG)"
1564 self.dacl_add_ace(ou_dn, mod)
1565 desc_sddl = self.get_desc_sddl(ou_dn)
1566 # Create group child object
1567 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1568 # Make sure created group object contains only the above inherited ACE
1569 # that we've added manually
1570 desc_sddl = self.get_desc_sddl(group_dn)
1571 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1572 self.assertTrue(mod in desc_sddl)
1573 self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
1574 desc_sddl = self.get_desc_sddl(group_dn)
1575 self.assertTrue(moded in desc_sddl)
1576 self.assertTrue(mod in desc_sddl)
1579 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1580 See if the group has the added inherited ACE.
1582 ou_dn = "OU=test_inherit_ou," + self.base_dn
1583 group_dn = "CN=test_inherit_group," + ou_dn
1584 # Create inheritable-free OU
1585 self.create_clean_ou(ou_dn)
1586 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1587 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1588 moded = "(D;;CC;;;LG)"
1589 self.dacl_add_ace(ou_dn, mod)
1590 desc_sddl = self.get_desc_sddl(ou_dn)
1591 # Create group child object
1592 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1593 # Make sure created group object contains only the above inherited ACE
1594 # that we've added manually
1595 desc_sddl = self.get_desc_sddl(group_dn)
1596 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1597 self.assertTrue(mod in desc_sddl)
1598 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1599 desc_sddl = self.get_desc_sddl(group_dn)
1600 self.assertTrue(moded in desc_sddl)
1601 self.assertTrue(mod in desc_sddl)
1604 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1605 See if the group has the added inherited ACE.
1607 ou_dn = "OU=test_inherit_ou," + self.base_dn
1608 group_dn = "CN=test_inherit_group," + ou_dn
1609 # Create inheritable-free OU
1610 self.create_clean_ou(ou_dn)
1611 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1612 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1613 moded = "(D;;CC;;;LG)"
1614 self.dacl_add_ace(ou_dn, mod)
1615 desc_sddl = self.get_desc_sddl(ou_dn)
1616 # Create group child object
1617 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1618 # Make sure created group object contains only the above inherited ACE
1619 # that we've added manually
1620 desc_sddl = self.get_desc_sddl(group_dn)
1621 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1622 self.assertTrue(mod in desc_sddl)
1623 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1624 desc_sddl = self.get_desc_sddl(group_dn)
1625 self.assertTrue(moded in desc_sddl)
1626 self.assertTrue(mod in desc_sddl)
1629 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1630 See if the group has the added inherited ACE.
1632 ou_dn = "OU=test_inherit_ou," + self.base_dn
1633 group_dn = "CN=test_inherit_group," + ou_dn
1634 # Create inheritable-free OU
1635 self.create_clean_ou(ou_dn)
1636 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1637 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1638 moded = "(D;;CC;;;LG)"
1639 self.dacl_add_ace(ou_dn, mod)
1640 desc_sddl = self.get_desc_sddl(ou_dn)
1641 # Create group child object
1642 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1643 # Make sure created group object contains only the above inherited ACE
1644 # that we've added manually
1645 desc_sddl = self.get_desc_sddl(group_dn)
1646 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1647 self.assertTrue(mod in desc_sddl)
1648 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1649 desc_sddl = self.get_desc_sddl(group_dn)
1650 self.assertTrue(moded in desc_sddl)
1651 self.assertTrue(mod in desc_sddl)
1654 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1655 See if the group has the added inherited ACE.
1657 ou_dn = "OU=test_inherit_ou," + self.base_dn
1658 group_dn = "CN=test_inherit_group," + ou_dn
1659 # Create inheritable-free OU
1660 self.create_clean_ou(ou_dn)
1661 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1662 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1663 moded = "(D;;CC;;;LG)"
1664 self.dacl_add_ace(ou_dn, mod)
1665 desc_sddl = self.get_desc_sddl(ou_dn)
1666 # Create group child object
1667 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1668 # Make sure created group object contains only the above inherited ACE
1669 # that we've added manually
1670 desc_sddl = self.get_desc_sddl(group_dn)
1671 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1672 self.assertTrue(mod in desc_sddl)
1673 self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1674 desc_sddl = self.get_desc_sddl(group_dn)
1675 self.assertTrue(moded in desc_sddl)
1676 self.assertTrue(mod in desc_sddl)
1679 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1680 See if the group has the added inherited ACE.
1682 ou_dn = "OU=test_inherit_ou," + self.base_dn
1683 group_dn = "CN=test_inherit_group," + ou_dn
1684 # Create inheritable-free OU
1685 self.create_clean_ou(ou_dn)
1686 # Add some custom 'CI' ACE
1687 mod = "(D;CI;WP;;;CO)"
1688 moded = "(D;;CC;;;LG)"
1689 self.dacl_add_ace(ou_dn, mod)
1690 desc_sddl = self.get_desc_sddl(ou_dn)
1691 # Create group child object
1692 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1693 # Make sure created group object contains only the above inherited ACE(s)
1694 # that we've added manually
1695 desc_sddl = self.get_desc_sddl(group_dn)
1696 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1697 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1698 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1699 desc_sddl = self.get_desc_sddl(group_dn)
1700 self.assertTrue(moded in desc_sddl)
1701 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1702 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1704 ########################################################################################
1707 class SdFlagsDescriptorTests(DescriptorTests):
1708 def deleteAll(self):
1709 self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1712 DescriptorTests.setUp(self)
1713 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1720 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1721 See that only the owner has been changed.
1723 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1724 self.create_domain_ou(self.ldb_admin, ou_dn)
1725 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1726 desc_sddl = self.get_desc_sddl(ou_dn)
1727 # make sure we have modified the owner
1728 self.assertTrue("O:AU" in desc_sddl)
1729 # make sure nothing else has been modified
1730 self.assertFalse("G:AU" in desc_sddl)
1731 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1732 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1735 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1736 See that only the owner has been changed.
1738 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1739 self.create_domain_ou(self.ldb_admin, ou_dn)
1740 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1741 desc_sddl = self.get_desc_sddl(ou_dn)
1742 # make sure we have modified the group
1743 self.assertTrue("G:AU" in desc_sddl)
1744 # make sure nothing else has been modified
1745 self.assertFalse("O:AU" in desc_sddl)
1746 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1747 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1750 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1751 See that only the owner has been changed.
1753 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1754 self.create_domain_ou(self.ldb_admin, ou_dn)
1755 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1756 desc_sddl = self.get_desc_sddl(ou_dn)
1757 # make sure we have modified the DACL
1758 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1759 # make sure nothing else has been modified
1760 self.assertFalse("O:AU" in desc_sddl)
1761 self.assertFalse("G:AU" in desc_sddl)
1762 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1765 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1766 See that only the owner has been changed.
1768 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1769 self.create_domain_ou(self.ldb_admin, ou_dn)
1770 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1771 desc_sddl = self.get_desc_sddl(ou_dn)
1772 # make sure we have modified the DACL
1773 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1774 # make sure nothing else has been modified
1775 self.assertFalse("O:AU" in desc_sddl)
1776 self.assertFalse("G:AU" in desc_sddl)
1777 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1780 """ Modify a descriptor with 0x0 set.
1781 Contrary to logic this is interpreted as no control,
1782 which is the same as 0xF
1784 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1785 self.create_domain_ou(self.ldb_admin, ou_dn)
1786 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1787 desc_sddl = self.get_desc_sddl(ou_dn)
1788 # make sure we have modified the DACL
1789 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1790 # make sure nothing else has been modified
1791 self.assertTrue("O:AU" in desc_sddl)
1792 self.assertTrue("G:AU" in desc_sddl)
1793 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1796 """ Modify a descriptor with 0xF set.
1798 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1799 self.create_domain_ou(self.ldb_admin, ou_dn)
1800 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1801 desc_sddl = self.get_desc_sddl(ou_dn)
1802 # make sure we have modified the DACL
1803 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1804 # make sure nothing else has been modified
1805 self.assertTrue("O:AU" in desc_sddl)
1806 self.assertTrue("G:AU" in desc_sddl)
1807 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1810 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1811 Only the owner part should be returned.
1813 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1814 self.create_domain_ou(self.ldb_admin, ou_dn)
1815 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1816 # make sure we have read the owner
1817 self.assertTrue("O:" in desc_sddl)
1818 # make sure we have read nothing else
1819 self.assertFalse("G:" in desc_sddl)
1820 self.assertFalse("D:" in desc_sddl)
1821 self.assertFalse("S:" in desc_sddl)
1824 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1825 Only the group part should be returned.
1827 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1828 self.create_domain_ou(self.ldb_admin, ou_dn)
1829 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1830 # make sure we have read the owner
1831 self.assertTrue("G:" in desc_sddl)
1832 # make sure we have read nothing else
1833 self.assertFalse("O:" in desc_sddl)
1834 self.assertFalse("D:" in desc_sddl)
1835 self.assertFalse("S:" in desc_sddl)
1838 """ Read a descriptor with SACL_SECURITY_INFORMATION
1839 Only the sacl part should be returned.
1841 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1842 self.create_domain_ou(self.ldb_admin, ou_dn)
1843 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1844 # make sure we have read the owner
1845 self.assertTrue("S:" in desc_sddl)
1846 # make sure we have read nothing else
1847 self.assertFalse("O:" in desc_sddl)
1848 self.assertFalse("D:" in desc_sddl)
1849 self.assertFalse("G:" in desc_sddl)
1852 """ Read a descriptor with DACL_SECURITY_INFORMATION
1853 Only the dacl part should be returned.
1855 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1856 self.create_domain_ou(self.ldb_admin, ou_dn)
1857 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1858 # make sure we have read the owner
1859 self.assertTrue("D:" in desc_sddl)
1860 # make sure we have read nothing else
1861 self.assertFalse("O:" in desc_sddl)
1862 self.assertFalse("S:" in desc_sddl)
1863 self.assertFalse("G:" in desc_sddl)
1865 class RightsAttributesTests(DescriptorTests):
1867 def deleteAll(self):
1869 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1870 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1872 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1875 DescriptorTests.setUp(self)
1880 user_dn = self.get_users_domain_dn("testuser_attr")
1881 self.create_domain_user(self.ldb_admin, user_dn)
1882 self.enable_account(user_dn)
1883 # User 2, Domain Admins
1884 user_dn = self.get_users_domain_dn("testuser_attr2")
1885 self.create_domain_user(self.ldb_admin, user_dn)
1886 self.enable_account(user_dn)
1888 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
1891 member: """ + user_dn
1892 self.ldb_admin.modify_ldif(ldif)
1897 def test_sDRightsEffective(self):
1898 object_dn = "OU=test_domain_ou1," + self.base_dn
1899 self.delete_force(self.ldb_admin, object_dn)
1900 self.create_domain_ou(self.ldb_admin, object_dn)
1901 print self.get_users_domain_dn("testuser_attr")
1902 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1903 #give testuser1 read access so attributes can be retrieved
1904 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1905 self.dacl_add_ace(object_dn, mod)
1906 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1907 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1908 attrs=["sDRightsEffective"])
1909 #user whould have no rights at all
1910 self.assertEquals(len(res), 1)
1911 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1912 #give the user Write DACL and see what happens
1913 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1914 self.dacl_add_ace(object_dn, mod)
1915 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1916 attrs=["sDRightsEffective"])
1917 #user whould have DACL_SECURITY_INFORMATION
1918 self.assertEquals(len(res), 1)
1919 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1920 #give the user Write Owners and see what happens
1921 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1922 self.dacl_add_ace(object_dn, mod)
1923 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1924 attrs=["sDRightsEffective"])
1925 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1926 self.assertEquals(len(res), 1)
1927 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1928 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1929 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1930 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1931 attrs=["sDRightsEffective"])
1932 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1933 self.assertEquals(len(res), 1)
1934 self.assertEquals(res[0]["sDRightsEffective"][0], \
1935 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1937 def test_allowedChildClassesEffective(self):
1938 object_dn = "OU=test_domain_ou1," + self.base_dn
1939 self.delete_force(self.ldb_admin, object_dn)
1940 self.create_domain_ou(self.ldb_admin, object_dn)
1941 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1942 #give testuser1 read access so attributes can be retrieved
1943 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1944 self.dacl_add_ace(object_dn, mod)
1945 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1946 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1947 attrs=["allowedChildClassesEffective"])
1948 #there should be no allowed child classes
1949 self.assertEquals(len(res), 1)
1950 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1951 #give the user the right to create children of type user
1952 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1953 self.dacl_add_ace(object_dn, mod)
1954 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1955 attrs=["allowedChildClassesEffective"])
1956 # allowedChildClassesEffective should only have one value, user
1957 self.assertEquals(len(res), 1)
1958 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1959 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1961 def test_allowedAttributesEffective(self):
1962 object_dn = "OU=test_domain_ou1," + self.base_dn
1963 self.delete_force(self.ldb_admin, object_dn)
1964 self.create_domain_ou(self.ldb_admin, object_dn)
1965 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1966 #give testuser1 read access so attributes can be retrieved
1967 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1968 self.dacl_add_ace(object_dn, mod)
1969 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1970 #res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1971 # attrs=["allowedAttributes"])
1973 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1974 attrs=["allowedAttributesEffective"])
1975 #there should be no allowed attributes
1976 self.assertEquals(len(res), 1)
1977 self.assertFalse("allowedAttributesEffective" in res[0].keys())
1978 #give the user the right to write displayName and managedBy
1979 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1980 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1981 # also rights to modify an read only attribute, fromEntry
1982 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1983 self.dacl_add_ace(object_dn, mod + mod2 + mod3)
1984 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1985 attrs=["allowedAttributesEffective"])
1986 # value should only contain user and managedBy
1988 self.assertEquals(len(res), 1)
1989 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1990 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1991 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1993 if not "://" in host:
1994 if os.path.isfile(host):
1995 host = "tdb://%s" % host
1997 host = "ldap://%s" % host
1999 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
2001 runner = SubunitTestRunner()
2003 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
2005 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
2007 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
2009 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():