#!/usr/bin/env python
# -*- coding: utf-8 -*-
+from __future__ import print_function
import optparse
import sys
import os
import re
import random
-sys.path.append("bin/python")
+sys.path.insert(0, "bin/python")
import samba
-samba.ensure_external_module("testtools", "testtools")
-samba.ensure_external_module("subunit", "subunit/python")
+
+from samba.tests.subunitrun import SubunitOptions, TestProgram
import samba.getopt as options
from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import security
-from samba import gensec
+from samba import gensec, sd_utils
from samba.samdb import SamDB
-from samba.credentials import Credentials
+from samba.credentials import Credentials, DONT_USE_KERBEROS
from samba.auth import system_session
from samba.dsdb import DS_DOMAIN_FUNCTION_2008
from samba.dcerpc.security import (
SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
-from subunit.run import SubunitTestRunner
import samba.tests
-import unittest
+from samba.tests import delete_force
parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
sambaopts = options.SambaOptions(parser)
# use command line creds if available
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
opts, args = parser.parse_args()
if len(args) < 1:
class DescriptorTests(samba.tests.TestCase):
- def delete_force(self, ldb, dn):
- try:
- ldb.delete(dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- def find_basedn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["defaultNamingContext"][0]
-
- def find_configurationdn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["configurationNamingContext"][0]
-
- def find_schemadn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["schemaNamingContext"][0]
-
- def find_domain_sid(self, ldb):
- res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
- return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
-
def get_users_domain_dn(self, name):
return "CN=%s,CN=Users,%s" % (name, self.base_dn)
- def modify_desc(self, _ldb, object_dn, desc, controls=None):
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- mod = """
-dn: """ + object_dn + """
-changetype: modify
-replace: nTSecurityDescriptor
-"""
- if isinstance(desc, str):
- mod += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.modify_ldif(mod, controls)
-
- def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
- ldif = """
-dn: """ + ou_dn + """
-ou: """ + ou_dn.split(",")[0][3:] + """
-objectClass: organizationalUnit
-url: www.example.com
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif, controls)
-
- def create_domain_user(self, _ldb, user_dn, desc=None):
- ldif = """
-dn: """ + user_dn + """
-sAMAccountName: """ + user_dn.split(",")[0][3:] + """
-objectClass: user
-userPassword: samba123@
-url: www.example.com
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
-
- def create_domain_group(self, _ldb, group_dn, desc=None):
- ldif = """
-dn: """ + group_dn + """
-objectClass: group
-sAMAccountName: """ + group_dn.split(",")[0][3:] + """
-groupType: 4
-url: www.example.com
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
-
- def get_unique_schema_class_name(self):
+ def create_schema_class(self, _ldb, desc=None):
while True:
- class_name = "test-class%s" % random.randint(1,100000)
+ class_id = random.randint(0, 65535)
+ class_name = "descriptor-test-class%s" % class_id
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
try:
- self.ldb_admin.search(base=class_dn, attrs=["*"])
- except LdbError, (num, _):
+ self.ldb_admin.search(base=class_dn, attrs=["name"])
+ except LdbError as e:
+ (num, _) = e.args
self.assertEquals(num, ERR_NO_SUCH_OBJECT)
- return class_name
+ break
- def create_schema_class(self, _ldb, object_dn, desc=None):
ldif = """
-dn: """ + object_dn + """
+dn: """ + class_dn + """
objectClass: classSchema
objectCategory: CN=Class-Schema,""" + self.schema_dn + """
-defaultObjectCategory: """ + object_dn + """
-distinguishedName: """ + object_dn + """
-governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
+defaultObjectCategory: """ + class_dn + """
+governsId: 1.3.6.1.4.1.7165.4.6.2.3.""" + str(class_id) + """
instanceType: 4
objectClassCategory: 1
subClassOf: organizationalPerson
if isinstance(desc, str):
ldif += "nTSecurityDescriptor: %s" % desc
elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
+ ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
_ldb.add_ldif(ldif)
+ return class_dn
def create_configuration_container(self, _ldb, object_dn, desc=None):
ldif = """
if isinstance(desc, str):
ldif += "nTSecurityDescriptor: %s" % desc
elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
+ ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
_ldb.add_ldif(ldif)
def create_configuration_specifier(self, _ldb, object_dn, desc=None):
if isinstance(desc, str):
ldif += "nTSecurityDescriptor: %s" % desc
elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
+ ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
_ldb.add_ldif(ldif)
- def read_desc(self, object_dn, controls=None):
- res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
- desc = res[0]["nTSecurityDescriptor"][0]
- return ndr_unpack(security.descriptor, desc)
-
- def create_active_user(self, _ldb, user_dn):
- ldif = """
-dn: """ + user_dn + """
-sAMAccountName: """ + user_dn.split(",")[0][3:] + """
-objectClass: user
-unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
-url: www.example.com
-"""
- _ldb.add_ldif(ldif)
-
- def add_user_to_group(self, _ldb, username, groupname):
- ldif = """
-dn: """ + self.get_users_domain_dn(groupname) + """
-changetype: modify
-add: member
-member: """ + self.get_users_domain_dn(username)
- _ldb.modify_ldif(ldif)
-
def get_ldb_connection(self, target_username, target_password):
creds_tmp = Credentials()
creds_tmp.set_username(target_username)
creds_tmp.set_workstation(creds.get_workstation())
creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
| gensec.FEATURE_SEAL)
+ creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
return ldb_target
- def get_object_sid(self, object_dn):
- res = self.ldb_admin.search(object_dn)
- return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
-
- def dacl_add_ace(self, object_dn, ace):
- desc = self.read_desc( object_dn )
- desc_sddl = desc.as_sddl( self.domain_sid )
- if ace in desc_sddl:
- return
- if desc_sddl.find("(") >= 0:
- desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
- else:
- desc_sddl = desc_sddl + ace
- self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
-
- def get_desc_sddl(self, object_dn, controls=None):
- """ Return object nTSecutiryDescriptor in SDDL format
- """
- desc = self.read_desc(object_dn, controls)
- return desc.as_sddl(self.domain_sid)
-
- def create_enable_user(self, username):
- user_dn = self.get_users_domain_dn(username)
- self.create_active_user(self.ldb_admin, user_dn)
- self.ldb_admin.enable_account("(sAMAccountName=" + username + ")")
-
def setUp(self):
super(DescriptorTests, self).setUp()
- self.ldb_admin = ldb
- self.base_dn = self.find_basedn(self.ldb_admin)
- self.configuration_dn = self.find_configurationdn(self.ldb_admin)
- self.schema_dn = self.find_schemadn(self.ldb_admin)
- self.domain_sid = self.find_domain_sid(self.ldb_admin)
- print "baseDN: %s" % self.base_dn
+ self.ldb_admin = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp,
+ options=ldb_options)
+ self.base_dn = self.ldb_admin.domain_dn()
+ self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
+ self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
+ self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
+ self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
+ self.addCleanup(self.delete_admin_connection)
+ print("baseDN: %s" % self.base_dn)
+
+ def delete_admin_connection(self):
+ del self.sd_utils
+ del self.ldb_admin
################################################################################################
- ## Tests for DOMAIN
+ # Tests for DOMAIN
# Default descriptor tests #####################################################################
class OwnerGroupDescriptorTests(DescriptorTests):
def deleteAll(self):
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
+ delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
+ delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
+ delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
+ delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
+ delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
+ delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
+ delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
+ delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
# DOMAIN
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
- self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
+ delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
+ delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
# SCHEMA
# CONFIGURATION
- self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
- + self.configuration_dn)
- self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
+ delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
+ + self.configuration_dn)
+ delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
def setUp(self):
super(OwnerGroupDescriptorTests, self).setUp()
self.deleteAll()
- ### Create users
- # User 1
- self.create_enable_user("testuser1")
- self.add_user_to_group(self.ldb_admin, "testuser1", "Enterprise Admins")
- # User 2
- self.create_enable_user("testuser2")
- self.add_user_to_group(self.ldb_admin, "testuser2", "Domain Admins")
- # User 3
- self.create_enable_user("testuser3")
- self.add_user_to_group(self.ldb_admin, "testuser3", "Schema Admins")
- # User 4
- self.create_enable_user("testuser4")
- # User 5
- self.create_enable_user("testuser5")
- self.add_user_to_group(self.ldb_admin, "testuser5", "Enterprise Admins")
- self.add_user_to_group(self.ldb_admin, "testuser5", "Domain Admins")
- # User 6
- self.create_enable_user("testuser6")
- self.add_user_to_group(self.ldb_admin, "testuser6", "Enterprise Admins")
- self.add_user_to_group(self.ldb_admin, "testuser6", "Domain Admins")
- self.add_user_to_group(self.ldb_admin, "testuser6", "Schema Admins")
- # User 7
- self.create_enable_user("testuser7")
- self.add_user_to_group(self.ldb_admin, "testuser7", "Domain Admins")
- self.add_user_to_group(self.ldb_admin, "testuser7", "Schema Admins")
- # User 8
- self.create_enable_user("testuser8")
- self.add_user_to_group(self.ldb_admin, "testuser8", "Enterprise Admins")
- self.add_user_to_group(self.ldb_admin, "testuser8", "Schema Admins")
+ # Create users
+ # User 1 - Enterprise Admins
+ self.ldb_admin.newuser("testuser1", "samba123@")
+ # User 2 - Domain Admins
+ self.ldb_admin.newuser("testuser2", "samba123@")
+ # User 3 - Schema Admins
+ self.ldb_admin.newuser("testuser3", "samba123@")
+ # User 4 - regular user
+ self.ldb_admin.newuser("testuser4", "samba123@")
+ # User 5 - Enterprise Admins and Domain Admins
+ self.ldb_admin.newuser("testuser5", "samba123@")
+ # User 6 - Enterprise Admins, Domain Admins, Schema Admins
+ self.ldb_admin.newuser("testuser6", "samba123@")
+ # User 7 - Domain Admins and Schema Admins
+ self.ldb_admin.newuser("testuser7", "samba123@")
+ # User 5 - Enterprise Admins and Schema Admins
+ self.ldb_admin.newuser("testuser8", "samba123@")
+
+ self.ldb_admin.add_remove_group_members("Enterprise Admins",
+ ["testuser1", "testuser5", "testuser6", "testuser8"],
+ add_members_operation=True)
+ self.ldb_admin.add_remove_group_members("Domain Admins",
+ ["testuser2", "testuser5", "testuser6", "testuser7"],
+ add_members_operation=True)
+ self.ldb_admin.add_remove_group_members("Schema Admins",
+ ["testuser3", "testuser6", "testuser7", "testuser8"],
+ add_members_operation=True)
self.results = {
# msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
- "ds_behavior_win2003" : {
- "100" : "O:EAG:DU",
- "101" : "O:DAG:DU",
- "102" : "O:%sG:DU",
- "103" : "O:%sG:DU",
- "104" : "O:DAG:DU",
- "105" : "O:DAG:DU",
- "106" : "O:DAG:DU",
- "107" : "O:EAG:DU",
- "108" : "O:DAG:DA",
- "109" : "O:DAG:DA",
- "110" : "O:%sG:DA",
- "111" : "O:%sG:DA",
- "112" : "O:DAG:DA",
- "113" : "O:DAG:DA",
- "114" : "O:DAG:DA",
- "115" : "O:DAG:DA",
- "130" : "O:EAG:DU",
- "131" : "O:DAG:DU",
- "132" : "O:SAG:DU",
- "133" : "O:%sG:DU",
- "134" : "O:EAG:DU",
- "135" : "O:SAG:DU",
- "136" : "O:SAG:DU",
- "137" : "O:SAG:DU",
- "138" : "O:DAG:DA",
- "139" : "O:DAG:DA",
- "140" : "O:%sG:DA",
- "141" : "O:%sG:DA",
- "142" : "O:DAG:DA",
- "143" : "O:DAG:DA",
- "144" : "O:DAG:DA",
- "145" : "O:DAG:DA",
- "160" : "O:EAG:DU",
- "161" : "O:DAG:DU",
- "162" : "O:%sG:DU",
- "163" : "O:%sG:DU",
- "164" : "O:EAG:DU",
- "165" : "O:EAG:DU",
- "166" : "O:DAG:DU",
- "167" : "O:EAG:DU",
- "168" : "O:DAG:DA",
- "169" : "O:DAG:DA",
- "170" : "O:%sG:DA",
- "171" : "O:%sG:DA",
- "172" : "O:DAG:DA",
- "173" : "O:DAG:DA",
- "174" : "O:DAG:DA",
- "175" : "O:DAG:DA",
+ "ds_behavior_win2003": {
+ "100": "O:EAG:DU",
+ "101": "O:DAG:DU",
+ "102": "O:%sG:DU",
+ "103": "O:%sG:DU",
+ "104": "O:DAG:DU",
+ "105": "O:DAG:DU",
+ "106": "O:DAG:DU",
+ "107": "O:EAG:DU",
+ "108": "O:DAG:DA",
+ "109": "O:DAG:DA",
+ "110": "O:%sG:DA",
+ "111": "O:%sG:DA",
+ "112": "O:DAG:DA",
+ "113": "O:DAG:DA",
+ "114": "O:DAG:DA",
+ "115": "O:DAG:DA",
+ "130": "O:EAG:DU",
+ "131": "O:DAG:DU",
+ "132": "O:SAG:DU",
+ "133": "O:%sG:DU",
+ "134": "O:EAG:DU",
+ "135": "O:SAG:DU",
+ "136": "O:SAG:DU",
+ "137": "O:SAG:DU",
+ "138": "O:DAG:DA",
+ "139": "O:DAG:DA",
+ "140": "O:%sG:DA",
+ "141": "O:%sG:DA",
+ "142": "O:DAG:DA",
+ "143": "O:DAG:DA",
+ "144": "O:DAG:DA",
+ "145": "O:DAG:DA",
+ "160": "O:EAG:DU",
+ "161": "O:DAG:DU",
+ "162": "O:%sG:DU",
+ "163": "O:%sG:DU",
+ "164": "O:EAG:DU",
+ "165": "O:EAG:DU",
+ "166": "O:DAG:DU",
+ "167": "O:EAG:DU",
+ "168": "O:DAG:DA",
+ "169": "O:DAG:DA",
+ "170": "O:%sG:DA",
+ "171": "O:%sG:DA",
+ "172": "O:DAG:DA",
+ "173": "O:DAG:DA",
+ "174": "O:DAG:DA",
+ "175": "O:DAG:DA",
},
# msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
- "ds_behavior_win2008" : {
- "100" : "O:EAG:EA",
- "101" : "O:DAG:DA",
- "102" : "O:%sG:DU",
- "103" : "O:%sG:DU",
- "104" : "O:DAG:DA",
- "105" : "O:DAG:DA",
- "106" : "O:DAG:DA",
- "107" : "O:EAG:EA",
- "108" : "O:DAG:DA",
- "109" : "O:DAG:DA",
- "110" : "O:%sG:DA",
- "111" : "O:%sG:DA",
- "112" : "O:DAG:DA",
- "113" : "O:DAG:DA",
- "114" : "O:DAG:DA",
- "115" : "O:DAG:DA",
- "130" : "O:EAG:EA",
- "131" : "O:DAG:DA",
- "132" : "O:SAG:SA",
- "133" : "O:%sG:DU",
- "134" : "O:EAG:EA",
- "135" : "O:SAG:SA",
- "136" : "O:SAG:SA",
- "137" : "O:SAG:SA",
- "138" : "",
- "139" : "",
- "140" : "O:%sG:DA",
- "141" : "O:%sG:DA",
- "142" : "",
- "143" : "",
- "144" : "",
- "145" : "",
- "160" : "O:EAG:EA",
- "161" : "O:DAG:DA",
- "162" : "O:%sG:DU",
- "163" : "O:%sG:DU",
- "164" : "O:EAG:EA",
- "165" : "O:EAG:EA",
- "166" : "O:DAG:DA",
- "167" : "O:EAG:EA",
- "168" : "O:DAG:DA",
- "169" : "O:DAG:DA",
- "170" : "O:%sG:DA",
- "171" : "O:%sG:DA",
- "172" : "O:DAG:DA",
- "173" : "O:DAG:DA",
- "174" : "O:DAG:DA",
- "175" : "O:DAG:DA",
+ "ds_behavior_win2008": {
+ "100": "O:EAG:EA",
+ "101": "O:DAG:DA",
+ "102": "O:%sG:DU",
+ "103": "O:%sG:DU",
+ "104": "O:DAG:DA",
+ "105": "O:DAG:DA",
+ "106": "O:DAG:DA",
+ "107": "O:EAG:EA",
+ "108": "O:DAG:DA",
+ "109": "O:DAG:DA",
+ "110": "O:%sG:DA",
+ "111": "O:%sG:DA",
+ "112": "O:DAG:DA",
+ "113": "O:DAG:DA",
+ "114": "O:DAG:DA",
+ "115": "O:DAG:DA",
+ "130": "O:EAG:EA",
+ "131": "O:DAG:DA",
+ "132": "O:SAG:SA",
+ "133": "O:%sG:DU",
+ "134": "O:EAG:EA",
+ "135": "O:SAG:SA",
+ "136": "O:SAG:SA",
+ "137": "O:SAG:SA",
+ "138": "",
+ "139": "",
+ "140": "O:%sG:DA",
+ "141": "O:%sG:DA",
+ "142": "",
+ "143": "",
+ "144": "",
+ "145": "",
+ "160": "O:EAG:EA",
+ "161": "O:DAG:DA",
+ "162": "O:%sG:DU",
+ "163": "O:%sG:DU",
+ "164": "O:EAG:EA",
+ "165": "O:EAG:EA",
+ "166": "O:DAG:DA",
+ "167": "O:EAG:EA",
+ "168": "O:DAG:DA",
+ "169": "O:DAG:DA",
+ "170": "O:%sG:DA",
+ "171": "O:%sG:DA",
+ "172": "O:DAG:DA",
+ "173": "O:DAG:DA",
+ "174": "O:DAG:DA",
+ "175": "O:DAG:DA",
},
}
- # Discover 'msDS-Behavior-Version'
- res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
- attrs=['msDS-Behavior-Version'])
- res = int(res[0]['msDS-Behavior-Version'][0])
+ # Discover 'domainControllerFunctionality'
+ res = self.ldb_admin.search(base="", scope=SCOPE_BASE,
+ attrs=['domainControllerFunctionality'])
+ res = int(res[0]['domainControllerFunctionality'][0])
if res < DS_DOMAIN_FUNCTION_2008:
self.DS_BEHAVIOR = "ds_behavior_win2003"
else:
# User is not a member of any additional groups but default
res = self.ldb_admin.search(user_dn, attrs=["*"])
res = [x.upper() for x in res[0].keys()]
- self.assertFalse( "MEMBEROF" in res)
+ self.assertFalse("MEMBEROF" in res)
def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
# Modify
- ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
+ sd_user_utils = sd_utils.SDUtils(_ldb)
+ ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
if owner_group != "":
- self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
+ sd_user_utils.modify_sd_on_dn(object_dn, owner_group + "D:" + ace)
else:
- self.modify_desc(_ldb, object_dn, "D:" + ace)
+ sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
# Make sure the modify operation has been applied
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
self.assertTrue(ace in desc_sddl)
# Make sure we have identical result for both "add" and "modify"
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- print self._testMethodName
+ print(self._testMethodName)
test_number = self._testMethodName[5:]
self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ _ldb.newgroup("test_domain_group1", grouptype=4)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ _ldb.newgroup("test_domain_group1", grouptype=4)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ delete_force(self.ldb_admin, object_dn)
+ self.ldb_admin.create_ou(object_dn)
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
# Create additional object into the first one
object_dn = "CN=test_domain_user1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_user(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ _ldb.newuser("test_domain_user1", "samba123@",
+ userou="OU=test_domain_ou1", setpassword=False)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
# This fails, research why
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ delete_force(self.ldb_admin, object_dn)
+ self.ldb_admin.create_ou(object_dn)
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
# Create additional object into the first one
object_dn = "CN=test_domain_user1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_user(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ _ldb.newuser("test_domain_user1", "samba123@",
+ userou="OU=test_domain_ou1", setpassword=False)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
- #this fails, research why
+ # this fails, research why
#self.check_modify_inheritance(_ldb, object_dn)
def test_104(self):
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ _ldb.newgroup("test_domain_group1", grouptype=4)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ _ldb.newgroup("test_domain_group1", grouptype=4)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ _ldb.newgroup("test_domain_group1", grouptype=4)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ _ldb.newgroup("test_domain_group1", grouptype=4)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+ _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+ _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ delete_force(self.ldb_admin, object_dn)
+ self.ldb_admin.create_ou(object_dn)
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
# Create a custom security descriptor
# NB! Problematic owner part won't accept DA only <User Sid> !!!
- desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
+ sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
+ tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
# Create additional object into the first one
object_dn = "CN=test_domain_user1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_user(_ldb, object_dn, desc_sddl)
- desc = self.read_desc(object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ _ldb.newuser("test_domain_user1", "samba123@",
+ userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
+ desc = self.sd_utils.read_sd_on_dn(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ delete_force(self.ldb_admin, object_dn)
+ self.ldb_admin.create_ou(object_dn)
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
# Create a custom security descriptor
# NB! Problematic owner part won't accept DA only <User Sid> !!!
- desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
+ sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
+ tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
# Create additional object into the first one
object_dn = "CN=test_domain_user1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_user(_ldb, object_dn, desc_sddl)
- desc = self.read_desc(object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ _ldb.newuser("test_domain_user1", "samba123@",
+ userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
+ desc = self.sd_utils.read_sd_on_dn(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+ _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+ _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+ _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+ _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
def test_999(self):
user_name = "Administrator"
object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ delete_force(self.ldb_admin, object_dn)
+ self.ldb_admin.create_ou(object_dn)
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(D;CI;WP;;;S-1-3-0)"
#mod = ""
- self.dacl_add_ace(object_dn, mod)
- desc_sddl = self.get_desc_sddl(object_dn)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
# Create additional object into the first one
object_dn = "OU=test_domain_ou2," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ delete_force(self.ldb_admin, object_dn)
+ self.ldb_admin.create_ou(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
- ## Tests for SCHEMA
+ # Tests for SCHEMA
# Defalt descriptor tests ##################################################################
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, class_dn)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, class_dn)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
#self.check_modify_inheritance(_ldb, class_dn)
self.check_user_belongs(self.get_users_domain_dn(user_name), [])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- #Change Schema partition descriptor
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ # Change Schema partition descriptor
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
#self.check_modify_inheritance(_ldb, class_dn)
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- #Change Schema partition descriptor
+ # Change Schema partition descriptor
mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, class_dn)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, class_dn)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, class_dn)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, class_dn)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb, desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb, desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Create a custom security descriptor
# NB! Problematic owner part won't accept DA only <User Sid> !!!
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb, desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Create a custom security descriptor
# NB! Problematic owner part won't accept DA only <User Sid> !!!
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb, desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb, desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb, desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb, desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
# Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
+ class_dn = self.create_schema_class(_ldb, desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
- ## Tests for CONFIGURATION
+ # Tests for CONFIGURATION
# Defalt descriptor tests ##################################################################
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Create example Configuration container
object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(self.ldb_admin, object_dn, )
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;;WDCC;;;AU)"
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
# Create child object with user's credentials
object_dn = "CN=test-specifier1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_specifier(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
#self.check_modify_inheritance(_ldb, object_dn)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Create example Configuration container
object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(self.ldb_admin, object_dn, )
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
# Create child object with user's credentials
object_dn = "CN=test-specifier1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_specifier(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
#self.check_modify_inheritance(_ldb, object_dn)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
self.check_modify_inheritance(_ldb, object_dn)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Create example Configuration container
object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(self.ldb_admin, object_dn, )
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
# Create child object with user's credentials
object_dn = "CN=test-specifier1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
# NB! Problematic owner part won't accept DA only <User Sid> !!!
desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Create example Configuration container
object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(self.ldb_admin, object_dn, )
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
# Create child object with user's credentials
object_dn = "CN=test-specifier1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
# NB! Problematic owner part won't accept DA only <User Sid> !!!
desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
# Create example Configuration container
container_name = "test-container1"
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
+ delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
self.assertEqual("O:DAG:DA", res)
########################################################################################
- # Inharitance tests for DACL
+ # Inheritance tests for DACL
class DaclDescriptorTests(DescriptorTests):
def deleteAll(self):
- self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
+ delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou_p," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
def setUp(self):
super(DaclDescriptorTests, self).setUp()
def create_clean_ou(self, object_dn):
""" Base repeating setup for unittests to follow """
res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
- expression="distinguishedName=%s" % object_dn)
+ expression="distinguishedName=%s" % object_dn)
# Make sure top testing OU has been deleted before starting the test
- self.assertEqual(res, [])
- self.create_domain_ou(self.ldb_admin, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ self.assertEqual(len(res), 0)
+ self.ldb_admin.create_ou(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
# Make sure there are inheritable ACEs initially
self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
# Find and remove all inherit ACEs
# can propagate from above
# remove SACL, we are not interested
desc_sddl = desc_sddl.replace(":AI", ":AIP")
- self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
+ self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
# Verify all inheritable ACEs are gone
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
self.assertFalse("CI" in desc_sddl)
self.assertFalse("OI" in desc_sddl)
# Create inheritable-free OU
self.create_clean_ou(ou_dn)
# Create group child object
- self.create_domain_group(self.ldb_admin, group_dn)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
# Make sure created group object contains NO inherit ACEs
- desc_sddl = self.get_desc_sddl(group_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertFalse("ID" in desc_sddl)
def test_201(self):
self.create_clean_ou(ou_dn)
# Create group child object using custom security descriptor
sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
- self.create_domain_group(self.ldb_admin, group_dn, sddl)
+ tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group descriptor has NO additional ACEs
- desc_sddl = self.get_desc_sddl(group_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertEqual(desc_sddl, sddl)
sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
- self.modify_desc(self.ldb_admin, group_dn, sddl)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.sd_utils.modify_sd_on_dn(group_dn, sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertEqual(desc_sddl, sddl)
def test_202(self):
# Add some custom non-inheritable ACEs
mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
# Verify all inheritable ACEs are gone
- desc_sddl = self.get_desc_sddl(ou_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# Create group child object
- self.create_domain_group(self.ldb_admin, group_dn)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
# Make sure created group object contains NO inherit ACEs
# also make sure the added above non-inheritable ACEs are absent too
- desc_sddl = self.get_desc_sddl(group_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertFalse("ID" in desc_sddl)
for x in re.findall("\(.*?\)", mod):
self.assertFalse(x in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertFalse("ID" in desc_sddl)
for x in re.findall("\(.*?\)", mod):
self.assertFalse(x in desc_sddl)
# Add some custom 'CI' ACE
mod = "(D;CI;WP;;;DU)"
moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group object contains only the above inherited ACE
# that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
mod = mod.replace(";CI;", ";CIID;")
self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertTrue(moded in desc_sddl)
self.assertTrue(mod in desc_sddl)
# Add some custom 'CI' ACE
mod = "(D;OI;WP;;;DU)"
moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group object contains only the above inherited ACE
# that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertTrue(moded in desc_sddl)
self.assertTrue(mod in desc_sddl)
# Add some custom 'OA' for 'name' attribute & 'CI' ACE
mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group object contains only the above inherited ACE
# that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertTrue(moded in desc_sddl)
self.assertTrue(mod in desc_sddl)
# Add some custom 'OA' for 'name' attribute & 'OI' ACE
mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group object contains only the above inherited ACE
# that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertTrue(moded in desc_sddl)
self.assertTrue(mod in desc_sddl)
# Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group object contains only the above inherited ACE
# that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertTrue(moded in desc_sddl)
self.assertTrue(mod in desc_sddl)
# Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group object contains only the above inherited ACE
# that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertTrue(moded in desc_sddl)
self.assertTrue(mod in desc_sddl)
# Add some custom 'CI' ACE
mod = "(D;CI;WP;;;CO)"
moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group object contains only the above inherited ACE(s)
# that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertTrue(moded in desc_sddl)
self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
self.create_clean_ou(ou_dn)
# Add some custom ACE
mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
- self.create_domain_group(self.ldb_admin, group_dn, mod)
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group object does not contain the ID ace
- desc_sddl = self.get_desc_sddl(group_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
def test_211(self):
self.create_clean_ou(ou_dn)
# Add some custom 'CI' ACE
mod = "D:(D;CI;WP;;;CO)"
- self.create_domain_group(self.ldb_admin, group_dn, mod)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertTrue("(D;;WP;;;DA)" in desc_sddl)
+ self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
def test_212(self):
""" Provide ACE with IO flag, should be ignored
self.create_clean_ou(ou_dn)
# Add some custom 'CI' ACE
mod = "D:(D;CIIO;WP;;;CO)"
- self.create_domain_group(self.ldb_admin, group_dn, mod)
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group object contains only the above inherited ACE(s)
# that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
# Create inheritable-free OU
self.create_clean_ou(ou_dn)
mod = "D:(D;IO;WP;;;DA)"
- self.create_domain_group(self.ldb_admin, group_dn, mod)
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
# Make sure created group object contains only the above inherited ACE(s)
# that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
+ def test_214(self):
+ """ Test behavior of ACEs containing generic rights
+ """
+ ou_dn = "OU=test_inherit_ou_p," + self.base_dn
+ ou_dn1 = "OU=test_inherit_ou1," + ou_dn
+ ou_dn2 = "OU=test_inherit_ou2," + ou_dn
+ ou_dn3 = "OU=test_inherit_ou3," + ou_dn
+ ou_dn4 = "OU=test_inherit_ou4," + ou_dn
+ ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
+ ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
+ # Create inheritable-free OU
+ mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+ mod = "D:(A;CI;GA;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
+ mod = "D:(A;CIIO;GA;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn2, sd=tmp_desc)
+ mod = "D:(A;;GA;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn3, sd=tmp_desc)
+ mod = "D:(A;IO;GA;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn4, sd=tmp_desc)
+
+ self.ldb_admin.create_ou(ou_dn5)
+ self.ldb_admin.create_ou(ou_dn6)
+
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
+ self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
+ self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
+ self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
+ self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
+ self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
+ self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
+
+ def test_215(self):
+ """ Make sure IO flag is removed in child objects
+ """
+ ou_dn = "OU=test_inherit_ou_p," + self.base_dn
+ ou_dn1 = "OU=test_inherit_ou1," + ou_dn
+ ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
+ # Create inheritable-free OU
+ mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+ mod = "D:(A;CIIO;WP;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
+ self.ldb_admin.create_ou(ou_dn5)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
+ self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
+ self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
+
+ def test_216(self):
+ """ Make sure ID ACES provided by user are ignored
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+ # Add some custom ACE
+ mod = "D:(D;ID;WP;;;AU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ # Make sure created group object does not contain the ID ace
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
+ self.assertFalse("(A;;WP;;;AU)" in desc_sddl)
+
+ def test_217(self):
+ """ Make sure ID ACES provided by user are not ignored if P flag is set
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+ # Add some custom ACE
+ mod = "D:P(A;ID;WP;;;AU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ # Make sure created group object does not contain the ID ace
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
+ self.assertTrue("(A;;WP;;;AU)" in desc_sddl)
+
########################################################################################
class SdFlagsDescriptorTests(DescriptorTests):
def deleteAll(self):
- self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
+ delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
def setUp(self):
super(SdFlagsDescriptorTests, self).setUp()
See that only the owner has been changed.
"""
ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.ldb_admin.create_ou(ou_dn)
+ self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# make sure we have modified the owner
self.assertTrue("O:AU" in desc_sddl)
# make sure nothing else has been modified
See that only the owner has been changed.
"""
ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.ldb_admin.create_ou(ou_dn)
+ self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# make sure we have modified the group
self.assertTrue("G:AU" in desc_sddl)
# make sure nothing else has been modified
See that only the owner has been changed.
"""
ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.ldb_admin.create_ou(ou_dn)
+ self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# make sure we have modified the DACL
self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
# make sure nothing else has been modified
See that only the owner has been changed.
"""
ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.ldb_admin.create_ou(ou_dn)
+ self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# make sure we have modified the DACL
self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
# make sure nothing else has been modified
which is the same as 0xF
"""
ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.ldb_admin.create_ou(ou_dn)
+ self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"])
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# make sure we have modified the DACL
self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
# make sure nothing else has been modified
""" Modify a descriptor with 0xF set.
"""
ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
- desc_sddl = self.get_desc_sddl(ou_dn)
+ self.ldb_admin.create_ou(ou_dn)
+ self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"])
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
# make sure we have modified the DACL
self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
# make sure nothing else has been modified
Only the owner part should be returned.
"""
ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
+ self.ldb_admin.create_ou(ou_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
# make sure we have read the owner
self.assertTrue("O:" in desc_sddl)
# make sure we have read nothing else
Only the group part should be returned.
"""
ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
+ self.ldb_admin.create_ou(ou_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
# make sure we have read the owner
self.assertTrue("G:" in desc_sddl)
# make sure we have read nothing else
Only the sacl part should be returned.
"""
ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
+ self.ldb_admin.create_ou(ou_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
# make sure we have read the owner
self.assertTrue("S:" in desc_sddl)
# make sure we have read nothing else
Only the dacl part should be returned.
"""
ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
+ self.ldb_admin.create_ou(ou_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
# make sure we have read the owner
self.assertTrue("D:" in desc_sddl)
# make sure we have read nothing else
self.assertFalse("S:" in desc_sddl)
self.assertFalse("G:" in desc_sddl)
+ def test_311(self):
+ sd_flags = (SECINFO_OWNER |
+ SECINFO_GROUP |
+ SECINFO_DACL |
+ SECINFO_SACL)
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ [], controls=None)
+ self.assertFalse("nTSecurityDescriptor" in res[0])
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ ["name"], controls=None)
+ self.assertFalse("nTSecurityDescriptor" in res[0])
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ ["name"], controls=["sd_flags:1:%d" % (sd_flags)])
+ self.assertFalse("nTSecurityDescriptor" in res[0])
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ [], controls=["sd_flags:1:%d" % (sd_flags)])
+ self.assertTrue("nTSecurityDescriptor" in res[0])
+ tmp = res[0]["nTSecurityDescriptor"][0]
+ sd = ndr_unpack(security.descriptor, tmp)
+ sddl = sd.as_sddl(self.sd_utils.domain_sid)
+ self.assertTrue("O:" in sddl)
+ self.assertTrue("G:" in sddl)
+ self.assertTrue("D:" in sddl)
+ self.assertTrue("S:" in sddl)
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ ["*"], controls=["sd_flags:1:%d" % (sd_flags)])
+ self.assertTrue("nTSecurityDescriptor" in res[0])
+ tmp = res[0]["nTSecurityDescriptor"][0]
+ sd = ndr_unpack(security.descriptor, tmp)
+ sddl = sd.as_sddl(self.sd_utils.domain_sid)
+ self.assertTrue("O:" in sddl)
+ self.assertTrue("G:" in sddl)
+ self.assertTrue("D:" in sddl)
+ self.assertTrue("S:" in sddl)
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ ["nTSecurityDescriptor", "*"], controls=["sd_flags:1:%d" % (sd_flags)])
+ self.assertTrue("nTSecurityDescriptor" in res[0])
+ tmp = res[0]["nTSecurityDescriptor"][0]
+ sd = ndr_unpack(security.descriptor, tmp)
+ sddl = sd.as_sddl(self.sd_utils.domain_sid)
+ self.assertTrue("O:" in sddl)
+ self.assertTrue("G:" in sddl)
+ self.assertTrue("D:" in sddl)
+ self.assertTrue("S:" in sddl)
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ ["*", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
+ self.assertTrue("nTSecurityDescriptor" in res[0])
+ tmp = res[0]["nTSecurityDescriptor"][0]
+ sd = ndr_unpack(security.descriptor, tmp)
+ sddl = sd.as_sddl(self.sd_utils.domain_sid)
+ self.assertTrue("O:" in sddl)
+ self.assertTrue("G:" in sddl)
+ self.assertTrue("D:" in sddl)
+ self.assertTrue("S:" in sddl)
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ ["nTSecurityDescriptor", "name"], controls=["sd_flags:1:%d" % (sd_flags)])
+ self.assertTrue("nTSecurityDescriptor" in res[0])
+ tmp = res[0]["nTSecurityDescriptor"][0]
+ sd = ndr_unpack(security.descriptor, tmp)
+ sddl = sd.as_sddl(self.sd_utils.domain_sid)
+ self.assertTrue("O:" in sddl)
+ self.assertTrue("G:" in sddl)
+ self.assertTrue("D:" in sddl)
+ self.assertTrue("S:" in sddl)
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ ["name", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
+ self.assertTrue("nTSecurityDescriptor" in res[0])
+ tmp = res[0]["nTSecurityDescriptor"][0]
+ sd = ndr_unpack(security.descriptor, tmp)
+ sddl = sd.as_sddl(self.sd_utils.domain_sid)
+ self.assertTrue("O:" in sddl)
+ self.assertTrue("G:" in sddl)
+ self.assertTrue("D:" in sddl)
+ self.assertTrue("S:" in sddl)
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ ["nTSecurityDescriptor"], controls=None)
+ self.assertTrue("nTSecurityDescriptor" in res[0])
+ tmp = res[0]["nTSecurityDescriptor"][0]
+ sd = ndr_unpack(security.descriptor, tmp)
+ sddl = sd.as_sddl(self.sd_utils.domain_sid)
+ self.assertTrue("O:" in sddl)
+ self.assertTrue("G:" in sddl)
+ self.assertTrue("D:" in sddl)
+ self.assertTrue("S:" in sddl)
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ ["name", "nTSecurityDescriptor"], controls=None)
+ self.assertTrue("nTSecurityDescriptor" in res[0])
+ tmp = res[0]["nTSecurityDescriptor"][0]
+ sd = ndr_unpack(security.descriptor, tmp)
+ sddl = sd.as_sddl(self.sd_utils.domain_sid)
+ self.assertTrue("O:" in sddl)
+ self.assertTrue("G:" in sddl)
+ self.assertTrue("D:" in sddl)
+ self.assertTrue("S:" in sddl)
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
+ ["nTSecurityDescriptor", "name"], controls=None)
+ self.assertTrue("nTSecurityDescriptor" in res[0])
+ tmp = res[0]["nTSecurityDescriptor"][0]
+ sd = ndr_unpack(security.descriptor, tmp)
+ sddl = sd.as_sddl(self.sd_utils.domain_sid)
+ self.assertTrue("O:" in sddl)
+ self.assertTrue("G:" in sddl)
+ self.assertTrue("D:" in sddl)
+ self.assertTrue("S:" in sddl)
+
+ def test_312(self):
+ """This search is done by the windows dc join..."""
+
+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["1.1"],
+ controls=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"])
+ self.assertFalse("nTSecurityDescriptor" in res[0])
class RightsAttributesTests(DescriptorTests):
def deleteAll(self):
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
- self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
+ delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
+ delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
+ delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
def setUp(self):
super(RightsAttributesTests, self).setUp()
self.deleteAll()
- ### Create users
- # User 1
- self.create_enable_user("testuser_attr")
+ # Create users
+ # User 1
+ self.ldb_admin.newuser("testuser_attr", "samba123@")
# User 2, Domain Admins
- self.create_enable_user("testuser_attr2")
- self.add_user_to_group(self.ldb_admin, "testuser_attr2", "Domain Admins")
+ self.ldb_admin.newuser("testuser_attr2", "samba123@")
+ self.ldb_admin.add_remove_group_members("Domain Admins",
+ ["testuser_attr2"],
+ add_members_operation=True)
def test_sDRightsEffective(self):
object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- print self.get_users_domain_dn("testuser_attr")
- user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
- #give testuser1 read access so attributes can be retrieved
+ delete_force(self.ldb_admin, object_dn)
+ self.ldb_admin.create_ou(object_dn)
+ print(self.get_users_domain_dn("testuser_attr"))
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
+ # give testuser1 read access so attributes can be retrieved
mod = "(A;CI;RP;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
_ldb = self.get_ldb_connection("testuser_attr", "samba123@")
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["sDRightsEffective"])
- #user whould have no rights at all
+ attrs=["sDRightsEffective"])
+ # user whould have no rights at all
self.assertEquals(len(res), 1)
self.assertEquals(res[0]["sDRightsEffective"][0], "0")
- #give the user Write DACL and see what happens
+ # give the user Write DACL and see what happens
mod = "(A;CI;WD;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["sDRightsEffective"])
- #user whould have DACL_SECURITY_INFORMATION
+ attrs=["sDRightsEffective"])
+ # user whould have DACL_SECURITY_INFORMATION
self.assertEquals(len(res), 1)
self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
- #give the user Write Owners and see what happens
+ # give the user Write Owners and see what happens
mod = "(A;CI;WO;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["sDRightsEffective"])
- #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
+ attrs=["sDRightsEffective"])
+ # user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
self.assertEquals(len(res), 1)
self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
- #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
+ # no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
_ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["sDRightsEffective"])
- #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
+ attrs=["sDRightsEffective"])
+ # user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
self.assertEquals(len(res), 1)
self.assertEquals(res[0]["sDRightsEffective"][0], \
("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
def test_allowedChildClassesEffective(self):
object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
- #give testuser1 read access so attributes can be retrieved
+ delete_force(self.ldb_admin, object_dn)
+ self.ldb_admin.create_ou(object_dn)
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
+ # give testuser1 read access so attributes can be retrieved
mod = "(A;CI;RP;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
_ldb = self.get_ldb_connection("testuser_attr", "samba123@")
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["allowedChildClassesEffective"])
- #there should be no allowed child classes
+ attrs=["allowedChildClassesEffective"])
+ # there should be no allowed child classes
self.assertEquals(len(res), 1)
self.assertFalse("allowedChildClassesEffective" in res[0].keys())
- #give the user the right to create children of type user
+ # give the user the right to create children of type user
mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["allowedChildClassesEffective"])
+ attrs=["allowedChildClassesEffective"])
# allowedChildClassesEffective should only have one value, user
self.assertEquals(len(res), 1)
self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
def test_allowedAttributesEffective(self):
object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
- #give testuser1 read access so attributes can be retrieved
+ delete_force(self.ldb_admin, object_dn)
+ self.ldb_admin.create_ou(object_dn)
+ user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
+ # give testuser1 read access so attributes can be retrieved
mod = "(A;CI;RP;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
+ self.sd_utils.dacl_add_ace(object_dn, mod)
_ldb = self.get_ldb_connection("testuser_attr", "samba123@")
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["allowedAttributesEffective"])
- #there should be no allowed attributes
+ attrs=["allowedAttributesEffective"])
+ # there should be no allowed attributes
self.assertEquals(len(res), 1)
self.assertFalse("allowedAttributesEffective" in res[0].keys())
- #give the user the right to write displayName and managedBy
+ # give the user the right to write displayName and managedBy
mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
# also rights to modify an read only attribute, fromEntry
mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod + mod2 + mod3)
+ self.sd_utils.dacl_add_ace(object_dn, mod + mod2 + mod3)
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["allowedAttributesEffective"])
+ attrs=["allowedAttributesEffective"])
# value should only contain user and managedBy
self.assertEquals(len(res), 1)
self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
+class SdAutoInheritTests(DescriptorTests):
+ def deleteAll(self):
+ delete_force(self.ldb_admin, self.sub_dn)
+ delete_force(self.ldb_admin, self.ou_dn)
+
+ def setUp(self):
+ super(SdAutoInheritTests, self).setUp()
+ self.ou_dn = "OU=test_SdAutoInherit_ou," + self.base_dn
+ self.sub_dn = "OU=test_sub," + self.ou_dn
+ self.deleteAll()
+
+ def test_301(self):
+ """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
+ See that only the owner has been changed.
+ """
+ attrs = ["nTSecurityDescriptor", "replPropertyMetaData", "uSNChanged"]
+ controls = ["sd_flags:1:%d" % (SECINFO_DACL)]
+ ace = "(A;CI;CC;;;NU)"
+ sub_ace = "(A;CIID;CC;;;NU)"
+ sd_sddl = "O:BAG:BAD:P(A;CI;0x000f01ff;;;AU)"
+ sd = security.descriptor.from_sddl(sd_sddl, self.domain_sid)
+
+ self.ldb_admin.create_ou(self.ou_dn, sd=sd)
+ self.ldb_admin.create_ou(self.sub_dn)
+
+ ou_res0 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
+ None, attrs, controls=controls)
+ sub_res0 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
+ None, attrs, controls=controls)
+
+ ou_sd0 = ndr_unpack(security.descriptor, ou_res0[0]["nTSecurityDescriptor"][0])
+ sub_sd0 = ndr_unpack(security.descriptor, sub_res0[0]["nTSecurityDescriptor"][0])
+
+ ou_sddl0 = ou_sd0.as_sddl(self.domain_sid)
+ sub_sddl0 = sub_sd0.as_sddl(self.domain_sid)
+
+ self.assertFalse(ace in ou_sddl0)
+ self.assertFalse(ace in sub_sddl0)
+
+ ou_sddl1 = (ou_sddl0[:ou_sddl0.index("(")] + ace +
+ ou_sddl0[ou_sddl0.index("("):])
+
+ sub_sddl1 = (sub_sddl0[:sub_sddl0.index("(")] + ace +
+ sub_sddl0[sub_sddl0.index("("):])
+
+ self.sd_utils.modify_sd_on_dn(self.ou_dn, ou_sddl1, controls=controls)
+
+ sub_res2 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
+ None, attrs, controls=controls)
+ ou_res2 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
+ None, attrs, controls=controls)
+
+ ou_sd2 = ndr_unpack(security.descriptor, ou_res2[0]["nTSecurityDescriptor"][0])
+ sub_sd2 = ndr_unpack(security.descriptor, sub_res2[0]["nTSecurityDescriptor"][0])
+
+ ou_sddl2 = ou_sd2.as_sddl(self.domain_sid)
+ sub_sddl2 = sub_sd2.as_sddl(self.domain_sid)
+
+ self.assertFalse(ou_sddl2 == ou_sddl0)
+ self.assertFalse(sub_sddl2 == sub_sddl0)
+
+ if ace not in ou_sddl2:
+ print("ou0: %s" % ou_sddl0)
+ print("ou2: %s" % ou_sddl2)
+
+ if sub_ace not in sub_sddl2:
+ print("sub0: %s" % sub_sddl0)
+ print("sub2: %s" % sub_sddl2)
+
+ self.assertTrue(ace in ou_sddl2)
+ self.assertTrue(sub_ace in sub_sddl2)
+
+ ou_usn0 = int(ou_res0[0]["uSNChanged"][0])
+ ou_usn2 = int(ou_res2[0]["uSNChanged"][0])
+ self.assertTrue(ou_usn2 > ou_usn0)
+
+ sub_usn0 = int(sub_res0[0]["uSNChanged"][0])
+ sub_usn2 = int(sub_res2[0]["uSNChanged"][0])
+ self.assertTrue(sub_usn2 == sub_usn0)
+
if not "://" in host:
if os.path.isfile(host):
host = "tdb://%s" % host
if host.lower().startswith("ldap://"):
ldb_options = ["modules:paged_searches"]
-ldb = SamDB(host,
- credentials=creds,
- session_info=system_session(),
- lp=lp,
- options=ldb_options)
-
-runner = SubunitTestRunner()
-rc = 0
-if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
- rc = 1
-sys.exit(rc)
+TestProgram(module=__name__, opts=subunitopts)