from samba.credentials import MUST_USE_KERBEROS
from samba.dcerpc import samr, security
-from samba.domain.models import User
-from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT
-from samba.ndr import ndr_pack, ndr_unpack
+from samba.domain.models import GroupManagedServiceAccount, User
+from samba.ndr import ndr_unpack
from samba.nt_time import nt_time_from_datetime
-from samba.tests import (BlackboxTestCase, connect_samdb, connect_samdb_env,
- delete_force)
+from samba.tests import BlackboxTestCase, connect_samdb
DC_SERVER = os.environ["SERVER"]
SERVER = os.environ["SERVER"]
@classmethod
def setUpTestData(cls):
- cls.username = "GMSA_Test_User$"
- cls.base_dn = f"CN=Managed Service Accounts,{cls.samdb.domain_dn()}"
- cls.user_dn = f"CN={cls.username},{cls.base_dn}"
+ cls.gmsa = GroupManagedServiceAccount.create(
+ cls.samdb,
+ name="GMSA_Test_User",
+ dns_host_name="samba.example.com",
+ managed_password_interval=1,
+ group_msa_membership=f"O:SYD:(A;;RP;;;{cls.samdb.connecting_user_sid})")
- connecting_user_sid = cls.samdb.connecting_user_sid
-
- domain_sid = security.dom_sid(cls.samdb.domain_sid)
- allow_sddl = f"O:SYD:(A;;RP;;;{connecting_user_sid})"
- allow_sd = ndr_pack(security.descriptor.from_sddl(allow_sddl, domain_sid))
-
- details = {
- "dn": str(cls.user_dn),
- "objectClass": "msDS-GroupManagedServiceAccount",
- "dNSHostName": "samba.example.com",
- "msDS-ManagedPasswordInterval": "1",
- "msDS-GroupMSAMembership": allow_sd,
- "sAMAccountName": cls.username,
- "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT),
- }
-
- cls.samdb.add(details)
- cls.addClassCleanup(delete_force, cls.samdb, cls.user_dn)
-
- cls.user = User.get(cls.samdb, account_name=cls.username)
+ cls.addClassCleanup(cls.gmsa.delete, cls.samdb)
def getpassword(self, attrs):
shattrs = shlex.quote(attrs)
- cmd = f"user getpassword --attributes={shattrs} {self.username}"
+ cmd = f"user getpassword --attributes={shattrs} {self.gmsa.account_name}"
ldif = self.check_output(cmd).decode()
res = self.samdb.parse_ldif(ldif)
password = user_msg["virtualClearTextUTF16"][0]
creds = self.insta_creds(template=self.env_creds)
- creds.set_username(self.username)
+ creds.set_username(self.gmsa.account_name)
creds.set_utf16_password(password)
db = connect_samdb(HOST, credentials=creds, lp=self.lp)
msg = db.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0]
connecting_user_sid = str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
- self.assertEqual(self.user.object_sid, connecting_user_sid)
+ self.assertEqual(self.gmsa.object_sid, connecting_user_sid)
def test_utf8_password(self):
user_msg = self.getpassword("virtualClearTextUTF8")
# the nthash is no longer valid. We need to use AES kerberos ciphers
# for this to work.
creds.set_kerberos_state(MUST_USE_KERBEROS)
- creds.set_username(self.username)
+ creds.set_username(self.gmsa.account_name)
creds.set_password(password)
db = connect_samdb(HOST, credentials=creds, lp=self.lp)
msg = db.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0]
connecting_user_sid = str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
- self.assertEqual(self.user.object_sid, connecting_user_sid)
+ self.assertEqual(self.gmsa.object_sid, connecting_user_sid)
def test_unicode_pwd(self):
user_msg = self.getpassword("unicodePwd")
creds = self.insta_creds(template=self.env_creds)
- creds.set_username(self.username)
+ creds.set_username(self.gmsa.account_name)
nt_pass = samr.Password()
nt_pass.hash = list(user_msg["unicodePwd"][0])
creds.set_nt_hash(nt_pass)
msg = db.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0]
connecting_user_sid = str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
- self.assertEqual(self.user.object_sid, connecting_user_sid)
+ self.assertEqual(self.gmsa.object_sid, connecting_user_sid)
def test_querytime(self):
user_msg = self.getpassword("virtualManagedPasswordQueryTime")