2 # -*- coding: utf-8 -*-
4 from __future__ import print_function
12 sys.path.insert(0, "bin/python")
15 from samba.tests.subunitrun import SubunitOptions, TestProgram
17 import samba.getopt as options
19 # Some error messages that are being tested
20 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
22 # For running the test unit
23 from samba.ndr import ndr_pack, ndr_unpack
24 from samba.dcerpc import security
26 from samba import gensec, sd_utils
27 from samba.samdb import SamDB
28 from samba.credentials import Credentials, DONT_USE_KERBEROS
29 from samba.auth import system_session
30 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
31 from samba.dcerpc.security import (
32 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
34 from samba.tests import delete_force
36 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
37 sambaopts = options.SambaOptions(parser)
38 parser.add_option_group(sambaopts)
39 parser.add_option_group(options.VersionOptions(parser))
41 # use command line creds if available
42 credopts = options.CredentialsOptions(parser)
43 parser.add_option_group(credopts)
44 subunitopts = SubunitOptions(parser)
45 parser.add_option_group(subunitopts)
47 opts, args = parser.parse_args()
55 lp = sambaopts.get_loadparm()
56 creds = credopts.get_credentials(lp)
57 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
63 class DescriptorTests(samba.tests.TestCase):
65 def get_users_domain_dn(self, name):
66 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
68 def create_schema_class(self, _ldb, desc=None):
70 class_id = random.randint(0,65535)
71 class_name = "descriptor-test-class%s" % class_id
72 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
74 self.ldb_admin.search(base=class_dn, attrs=["name"])
77 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
81 dn: """ + class_dn + """
82 objectClass: classSchema
83 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
84 defaultObjectCategory: """ + class_dn + """
85 governsId: 1.3.6.1.4.1.7165.4.6.2.3.""" + str(class_id) + """
87 objectClassCategory: 1
88 subClassOf: organizationalPerson
95 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
96 if isinstance(desc, str):
97 ldif += "nTSecurityDescriptor: %s" % desc
98 elif isinstance(desc, security.descriptor):
99 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
103 def create_configuration_container(self, _ldb, object_dn, desc=None):
105 dn: """ + object_dn + """
106 objectClass: container
107 objectCategory: CN=Container,""" + self.schema_dn + """
108 showInAdvancedViewOnly: TRUE
112 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
113 if isinstance(desc, str):
114 ldif += "nTSecurityDescriptor: %s" % desc
115 elif isinstance(desc, security.descriptor):
116 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
119 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
121 dn: """ + object_dn + """
122 objectClass: displaySpecifier
123 showInAdvancedViewOnly: TRUE
126 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
127 if isinstance(desc, str):
128 ldif += "nTSecurityDescriptor: %s" % desc
129 elif isinstance(desc, security.descriptor):
130 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
133 def get_ldb_connection(self, target_username, target_password):
134 creds_tmp = Credentials()
135 creds_tmp.set_username(target_username)
136 creds_tmp.set_password(target_password)
137 creds_tmp.set_domain(creds.get_domain())
138 creds_tmp.set_realm(creds.get_realm())
139 creds_tmp.set_workstation(creds.get_workstation())
140 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
141 | gensec.FEATURE_SEAL)
142 creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
143 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
147 super(DescriptorTests, self).setUp()
148 self.ldb_admin = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp,
150 self.base_dn = self.ldb_admin.domain_dn()
151 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
152 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
153 self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
154 self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
155 self.addCleanup(self.delete_admin_connection)
156 print("baseDN: %s" % self.base_dn)
158 def delete_admin_connection(self):
162 ################################################################################################
166 # Default descriptor tests #####################################################################
168 class OwnerGroupDescriptorTests(DescriptorTests):
171 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
172 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
173 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
174 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
175 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
176 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
177 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
178 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
180 delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
181 delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
182 delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
183 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
186 delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
187 + self.configuration_dn)
188 delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
191 super(OwnerGroupDescriptorTests, self).setUp()
194 # User 1 - Enterprise Admins
195 self.ldb_admin.newuser("testuser1", "samba123@")
196 # User 2 - Domain Admins
197 self.ldb_admin.newuser("testuser2", "samba123@")
198 # User 3 - Schema Admins
199 self.ldb_admin.newuser("testuser3", "samba123@")
200 # User 4 - regular user
201 self.ldb_admin.newuser("testuser4", "samba123@")
202 # User 5 - Enterprise Admins and Domain Admins
203 self.ldb_admin.newuser("testuser5", "samba123@")
204 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
205 self.ldb_admin.newuser("testuser6", "samba123@")
206 # User 7 - Domain Admins and Schema Admins
207 self.ldb_admin.newuser("testuser7", "samba123@")
208 # User 5 - Enterprise Admins and Schema Admins
209 self.ldb_admin.newuser("testuser8", "samba123@")
211 self.ldb_admin.add_remove_group_members("Enterprise Admins",
212 ["testuser1", "testuser5", "testuser6", "testuser8"],
213 add_members_operation=True)
214 self.ldb_admin.add_remove_group_members("Domain Admins",
215 ["testuser2","testuser5","testuser6","testuser7"],
216 add_members_operation=True)
217 self.ldb_admin.add_remove_group_members("Schema Admins",
218 ["testuser3","testuser6","testuser7","testuser8"],
219 add_members_operation=True)
222 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
223 "ds_behavior_win2003" : {
273 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
274 "ds_behavior_win2008" : {
325 # Discover 'domainControllerFunctionality'
326 res = self.ldb_admin.search(base="", scope=SCOPE_BASE,
327 attrs=['domainControllerFunctionality'])
328 res = int(res[0]['domainControllerFunctionality'][0])
329 if res < DS_DOMAIN_FUNCTION_2008:
330 self.DS_BEHAVIOR = "ds_behavior_win2003"
332 self.DS_BEHAVIOR = "ds_behavior_win2008"
335 super(DescriptorTests, self).tearDown()
338 def check_user_belongs(self, user_dn, groups=[]):
339 """ Test wether user is member of the expected group(s) """
341 # User is member of at least one additional group
342 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
343 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
346 expected.append(self.get_users_domain_dn(x))
347 expected = [x.upper() for x in sorted(expected)]
348 self.assertEqual(expected, res)
350 # User is not a member of any additional groups but default
351 res = self.ldb_admin.search(user_dn, attrs=["*"])
352 res = [x.upper() for x in res[0].keys()]
353 self.assertFalse( "MEMBEROF" in res)
355 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
357 sd_user_utils = sd_utils.SDUtils(_ldb)
358 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
359 if owner_group != "":
360 sd_user_utils.modify_sd_on_dn(object_dn, owner_group + "D:" + ace)
362 sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
363 # Make sure the modify operation has been applied
364 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
365 self.assertTrue(ace in desc_sddl)
366 # Make sure we have identical result for both "add" and "modify"
367 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
368 print(self._testMethodName)
369 test_number = self._testMethodName[5:]
370 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
373 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
375 user_name = "testuser1"
376 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
377 # Open Ldb connection with the tested user
378 _ldb = self.get_ldb_connection(user_name, "samba123@")
379 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
380 delete_force(self.ldb_admin, object_dn)
381 _ldb.newgroup("test_domain_group1", grouptype=4)
382 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
383 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
384 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
385 self.check_modify_inheritance(_ldb, object_dn)
388 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
390 user_name = "testuser2"
391 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
392 # Open Ldb connection with the tested user
393 _ldb = self.get_ldb_connection(user_name, "samba123@")
394 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
395 delete_force(self.ldb_admin, object_dn)
396 _ldb.newgroup("test_domain_group1", grouptype=4)
397 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
398 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
399 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
400 self.check_modify_inheritance(_ldb, object_dn)
403 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
405 user_name = "testuser3"
406 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
407 # Open Ldb connection with the tested user
408 _ldb = self.get_ldb_connection(user_name, "samba123@")
409 object_dn = "OU=test_domain_ou1," + self.base_dn
410 delete_force(self.ldb_admin, object_dn)
411 self.ldb_admin.create_ou(object_dn)
412 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
413 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
414 self.sd_utils.dacl_add_ace(object_dn, mod)
415 # Create additional object into the first one
416 object_dn = "CN=test_domain_user1," + object_dn
417 delete_force(self.ldb_admin, object_dn)
418 _ldb.newuser("test_domain_user1", "samba123@",
419 userou="OU=test_domain_ou1", setpassword=False)
420 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
421 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
422 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
423 # This fails, research why
424 #self.check_modify_inheritance(_ldb, object_dn)
427 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
429 user_name = "testuser4"
430 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
431 # Open Ldb connection with the tested user
432 _ldb = self.get_ldb_connection(user_name, "samba123@")
433 object_dn = "OU=test_domain_ou1," + self.base_dn
434 delete_force(self.ldb_admin, object_dn)
435 self.ldb_admin.create_ou(object_dn)
436 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
437 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
438 self.sd_utils.dacl_add_ace(object_dn, mod)
439 # Create additional object into the first one
440 object_dn = "CN=test_domain_user1," + object_dn
441 delete_force(self.ldb_admin, object_dn)
442 _ldb.newuser("test_domain_user1", "samba123@",
443 userou="OU=test_domain_ou1", setpassword=False)
444 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
445 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
446 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
447 #this fails, research why
448 #self.check_modify_inheritance(_ldb, object_dn)
451 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
453 user_name = "testuser5"
454 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
455 # Open Ldb connection with the tested user
456 _ldb = self.get_ldb_connection(user_name, "samba123@")
457 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
458 delete_force(self.ldb_admin, object_dn)
459 _ldb.newgroup("test_domain_group1", grouptype=4)
460 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
461 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
462 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
463 self.check_modify_inheritance(_ldb, object_dn)
466 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
468 user_name = "testuser6"
469 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
470 # Open Ldb connection with the tested user
471 _ldb = self.get_ldb_connection(user_name, "samba123@")
472 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
473 delete_force(self.ldb_admin, object_dn)
474 _ldb.newgroup("test_domain_group1", grouptype=4)
475 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
476 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
477 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
478 self.check_modify_inheritance(_ldb, object_dn)
481 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
483 user_name = "testuser7"
484 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
485 # Open Ldb connection with the tested user
486 _ldb = self.get_ldb_connection(user_name, "samba123@")
487 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
488 delete_force(self.ldb_admin, object_dn)
489 _ldb.newgroup("test_domain_group1", grouptype=4)
490 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
491 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
492 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
493 self.check_modify_inheritance(_ldb, object_dn)
496 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
498 user_name = "testuser8"
499 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
500 # Open Ldb connection with the tested user
501 _ldb = self.get_ldb_connection(user_name, "samba123@")
502 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
503 delete_force(self.ldb_admin, object_dn)
504 _ldb.newgroup("test_domain_group1", grouptype=4)
505 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
506 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
507 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
508 self.check_modify_inheritance(_ldb, object_dn)
510 # Control descriptor tests #####################################################################
513 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
515 user_name = "testuser1"
516 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
517 # Open Ldb connection with the tested user
518 _ldb = self.get_ldb_connection(user_name, "samba123@")
519 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
520 delete_force(self.ldb_admin, object_dn)
521 # Create a custom security descriptor
522 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
523 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
524 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
525 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
526 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
527 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
530 """ Domain admin group member creates object (custom descriptor) in DOMAIN
532 user_name = "testuser2"
533 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
534 # Open Ldb connection with the tested user
535 _ldb = self.get_ldb_connection(user_name, "samba123@")
536 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
537 delete_force(self.ldb_admin, object_dn)
538 # Create a custom security descriptor
539 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
540 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
541 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
542 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
543 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
544 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
547 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
549 user_name = "testuser3"
550 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
551 # Open Ldb connection with the tested user
552 _ldb = self.get_ldb_connection(user_name, "samba123@")
553 object_dn = "OU=test_domain_ou1," + self.base_dn
554 delete_force(self.ldb_admin, object_dn)
555 self.ldb_admin.create_ou(object_dn)
556 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
557 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
558 self.sd_utils.dacl_add_ace(object_dn, mod)
559 # Create a custom security descriptor
560 # NB! Problematic owner part won't accept DA only <User Sid> !!!
561 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
562 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
563 # Create additional object into the first one
564 object_dn = "CN=test_domain_user1," + object_dn
565 delete_force(self.ldb_admin, object_dn)
566 _ldb.newuser("test_domain_user1", "samba123@",
567 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
568 desc = self.sd_utils.read_sd_on_dn(object_dn)
569 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
570 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
571 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
574 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
576 user_name = "testuser4"
577 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
578 # Open Ldb connection with the tested user
579 _ldb = self.get_ldb_connection(user_name, "samba123@")
580 object_dn = "OU=test_domain_ou1," + self.base_dn
581 delete_force(self.ldb_admin, object_dn)
582 self.ldb_admin.create_ou(object_dn)
583 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
584 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
585 self.sd_utils.dacl_add_ace(object_dn, mod)
586 # Create a custom security descriptor
587 # NB! Problematic owner part won't accept DA only <User Sid> !!!
588 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
589 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
590 # Create additional object into the first one
591 object_dn = "CN=test_domain_user1," + object_dn
592 delete_force(self.ldb_admin, object_dn)
593 _ldb.newuser("test_domain_user1", "samba123@",
594 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
595 desc = self.sd_utils.read_sd_on_dn(object_dn)
596 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
597 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
598 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
601 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
603 user_name = "testuser5"
604 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
605 # Open Ldb connection with the tested user
606 _ldb = self.get_ldb_connection(user_name, "samba123@")
607 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
608 delete_force(self.ldb_admin, object_dn)
609 # Create a custom security descriptor
610 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
611 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
612 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
613 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
614 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
615 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
618 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
620 user_name = "testuser6"
621 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
622 # Open Ldb connection with the tested user
623 _ldb = self.get_ldb_connection(user_name, "samba123@")
624 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
625 delete_force(self.ldb_admin, object_dn)
626 # Create a custom security descriptor
627 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
628 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
629 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
630 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
631 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
632 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
635 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
637 user_name = "testuser7"
638 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
639 # Open Ldb connection with the tested user
640 _ldb = self.get_ldb_connection(user_name, "samba123@")
641 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
642 delete_force(self.ldb_admin, object_dn)
643 # Create a custom security descriptor
644 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
645 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
646 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
647 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
648 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
649 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
652 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
654 user_name = "testuser8"
655 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
656 # Open Ldb connection with the tested user
657 _ldb = self.get_ldb_connection(user_name, "samba123@")
658 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
659 delete_force(self.ldb_admin, object_dn)
660 # Create a custom security descriptor
661 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
662 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
663 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
664 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
665 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
666 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
669 user_name = "Administrator"
670 object_dn = "OU=test_domain_ou1," + self.base_dn
671 delete_force(self.ldb_admin, object_dn)
672 self.ldb_admin.create_ou(object_dn)
673 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
674 mod = "(D;CI;WP;;;S-1-3-0)"
676 self.sd_utils.dacl_add_ace(object_dn, mod)
677 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
678 # Create additional object into the first one
679 object_dn = "OU=test_domain_ou2," + object_dn
680 delete_force(self.ldb_admin, object_dn)
681 self.ldb_admin.create_ou(object_dn)
682 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
686 # Defalt descriptor tests ##################################################################
689 user_name = "testuser1"
690 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
691 # Open Ldb connection with the tested user
692 _ldb = self.get_ldb_connection(user_name, "samba123@")
693 # Change Schema partition descriptor
694 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
695 mod = "(A;;WDCC;;;AU)"
696 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
697 # Create example Schema class
698 class_dn = self.create_schema_class(_ldb)
699 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
700 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
701 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
702 self.check_modify_inheritance(_ldb, class_dn)
705 user_name = "testuser2"
706 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
707 # Open Ldb connection with the tested user
708 _ldb = self.get_ldb_connection(user_name, "samba123@")
709 # Change Schema partition descriptor
710 mod = "(A;CI;WDCC;;;AU)"
711 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
712 # Create example Schema class
713 class_dn = self.create_schema_class(_ldb)
714 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
715 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
716 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
717 self.check_modify_inheritance(_ldb, class_dn)
720 user_name = "testuser3"
721 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
722 # Open Ldb connection with the tested user
723 _ldb = self.get_ldb_connection(user_name, "samba123@")
724 # Change Schema partition descriptor
725 mod = "(A;CI;WDCC;;;AU)"
726 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
727 # Create example Schema class
728 class_dn = self.create_schema_class(_ldb)
729 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
730 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
731 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
732 #self.check_modify_inheritance(_ldb, class_dn)
735 user_name = "testuser4"
736 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
737 # Open Ldb connection with the tested user
738 _ldb = self.get_ldb_connection(user_name, "samba123@")
739 #Change Schema partition descriptor
740 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
741 mod = "(A;CI;WDCC;;;AU)"
742 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
743 # Create example Schema class
744 class_dn = self.create_schema_class(_ldb)
745 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
746 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
747 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
748 #self.check_modify_inheritance(_ldb, class_dn)
751 user_name = "testuser5"
752 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
753 # Open Ldb connection with the tested user
754 _ldb = self.get_ldb_connection(user_name, "samba123@")
755 #Change Schema partition descriptor
756 mod = "(A;CI;WDCC;;;AU)"
757 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
758 # Create example Schema class
759 class_dn = self.create_schema_class(_ldb)
760 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
761 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
762 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
763 self.check_modify_inheritance(_ldb, class_dn)
766 user_name = "testuser6"
767 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
768 # Open Ldb connection with the tested user
769 _ldb = self.get_ldb_connection(user_name, "samba123@")
770 # Change Schema partition descriptor
771 mod = "(A;CI;WDCC;;;AU)"
772 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
773 # Create example Schema class
774 class_dn = self.create_schema_class(_ldb)
775 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
776 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
777 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
778 self.check_modify_inheritance(_ldb, class_dn)
781 user_name = "testuser7"
782 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
783 # Open Ldb connection with the tested user
784 _ldb = self.get_ldb_connection(user_name, "samba123@")
785 # Change Schema partition descriptor
786 mod = "(A;CI;WDCC;;;AU)"
787 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
788 # Create example Schema class
789 class_dn = self.create_schema_class(_ldb)
790 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
791 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
792 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
793 self.check_modify_inheritance(_ldb, class_dn)
796 user_name = "testuser8"
797 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
798 # Open Ldb connection with the tested user
799 _ldb = self.get_ldb_connection(user_name, "samba123@")
800 # Change Schema partition descriptor
801 mod = "(A;CI;WDCC;;;AU)"
802 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
803 # Create example Schema class
804 class_dn = self.create_schema_class(_ldb)
805 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
806 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
807 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
808 self.check_modify_inheritance(_ldb, class_dn)
810 # Custom descriptor tests ##################################################################
813 user_name = "testuser1"
814 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
815 # Open Ldb connection with the tested user
816 _ldb = self.get_ldb_connection(user_name, "samba123@")
817 # Change Schema partition descriptor
819 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
820 # Create a custom security descriptor
821 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
822 # Create example Schema class
823 class_dn = self.create_schema_class(_ldb, desc_sddl)
824 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
825 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
826 self.assertEqual("O:DAG:DA", res)
829 user_name = "testuser2"
830 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
831 # Open Ldb connection with the tested user
832 _ldb = self.get_ldb_connection(user_name, "samba123@")
833 # Change Schema partition descriptor
835 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
836 # Create a custom security descriptor
837 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
838 # Create example Schema class
839 class_dn = self.create_schema_class(_ldb, desc_sddl)
840 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
841 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
842 self.assertEqual("O:DAG:DA", res)
845 user_name = "testuser3"
846 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
847 # Open Ldb connection with the tested user
848 _ldb = self.get_ldb_connection(user_name, "samba123@")
849 # Create a custom security descriptor
850 # NB! Problematic owner part won't accept DA only <User Sid> !!!
851 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
852 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
853 # Create example Schema class
854 class_dn = self.create_schema_class(_ldb, desc_sddl)
855 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
856 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
857 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
860 user_name = "testuser4"
861 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
862 # Open Ldb connection with the tested user
863 _ldb = self.get_ldb_connection(user_name, "samba123@")
864 # Create a custom security descriptor
865 # NB! Problematic owner part won't accept DA only <User Sid> !!!
866 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
867 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
868 # Create example Schema class
869 class_dn = self.create_schema_class(_ldb, desc_sddl)
870 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
871 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
872 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
875 user_name = "testuser5"
876 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
877 # Open Ldb connection with the tested user
878 _ldb = self.get_ldb_connection(user_name, "samba123@")
879 # Change Schema partition descriptor
881 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
882 # Create a custom security descriptor
883 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
884 # Create example Schema class
885 class_dn = self.create_schema_class(_ldb, desc_sddl)
886 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
887 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
888 self.assertEqual("O:DAG:DA", res)
891 user_name = "testuser6"
892 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
893 # Open Ldb connection with the tested user
894 _ldb = self.get_ldb_connection(user_name, "samba123@")
895 # Change Schema partition descriptor
897 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
898 # Create a custom security descriptor
899 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
900 # Create example Schema class
901 class_dn = self.create_schema_class(_ldb, desc_sddl)
902 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
903 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
904 self.assertEqual("O:DAG:DA", res)
907 user_name = "testuser7"
908 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
909 # Open Ldb connection with the tested user
910 _ldb = self.get_ldb_connection(user_name, "samba123@")
911 # Change Schema partition descriptor
913 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
914 # Create a custom security descriptor
915 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
916 # Create example Schema class
917 class_dn = self.create_schema_class(_ldb, desc_sddl)
918 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
919 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
920 self.assertEqual("O:DAG:DA", res)
923 user_name = "testuser8"
924 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
925 # Open Ldb connection with the tested user
926 _ldb = self.get_ldb_connection(user_name, "samba123@")
927 # Change Schema partition descriptor
929 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
930 # Create a custom security descriptor
931 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
932 # Create example Schema class
933 class_dn = self.create_schema_class(_ldb, desc_sddl)
934 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
935 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
936 self.assertEqual("O:DAG:DA", res)
938 ## Tests for CONFIGURATION
940 # Defalt descriptor tests ##################################################################
943 user_name = "testuser1"
944 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
945 # Open Ldb connection with the tested user
946 _ldb = self.get_ldb_connection(user_name, "samba123@")
947 # Create example Configuration container
948 container_name = "test-container1"
949 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
950 delete_force(self.ldb_admin, object_dn)
951 self.create_configuration_container(_ldb, object_dn, )
952 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
953 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
954 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
955 self.check_modify_inheritance(_ldb, object_dn)
958 user_name = "testuser2"
959 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
960 # Open Ldb connection with the tested user
961 _ldb = self.get_ldb_connection(user_name, "samba123@")
962 # Create example Configuration container
963 container_name = "test-container1"
964 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
965 delete_force(self.ldb_admin, object_dn)
966 self.create_configuration_container(_ldb, object_dn, )
967 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
968 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
969 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
970 self.check_modify_inheritance(_ldb, object_dn)
973 user_name = "testuser3"
974 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
975 # Open Ldb connection with the tested user
976 _ldb = self.get_ldb_connection(user_name, "samba123@")
977 # Create example Configuration container
978 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
979 delete_force(self.ldb_admin, object_dn)
980 self.create_configuration_container(self.ldb_admin, object_dn, )
981 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
982 mod = "(A;;WDCC;;;AU)"
983 self.sd_utils.dacl_add_ace(object_dn, mod)
984 # Create child object with user's credentials
985 object_dn = "CN=test-specifier1," + object_dn
986 delete_force(self.ldb_admin, object_dn)
987 self.create_configuration_specifier(_ldb, object_dn)
988 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
989 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
990 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
991 #self.check_modify_inheritance(_ldb, object_dn)
994 user_name = "testuser4"
995 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
996 # Open Ldb connection with the tested user
997 _ldb = self.get_ldb_connection(user_name, "samba123@")
998 # Create example Configuration container
999 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1000 delete_force(self.ldb_admin, object_dn)
1001 self.create_configuration_container(self.ldb_admin, object_dn, )
1002 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1003 mod = "(A;CI;WDCC;;;AU)"
1004 self.sd_utils.dacl_add_ace(object_dn, mod)
1005 # Create child object with user's credentials
1006 object_dn = "CN=test-specifier1," + object_dn
1007 delete_force(self.ldb_admin, object_dn)
1008 self.create_configuration_specifier(_ldb, object_dn)
1009 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1010 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1011 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1012 #self.check_modify_inheritance(_ldb, object_dn)
1015 user_name = "testuser5"
1016 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1017 # Open Ldb connection with the tested user
1018 _ldb = self.get_ldb_connection(user_name, "samba123@")
1019 # Create example Configuration container
1020 container_name = "test-container1"
1021 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1022 delete_force(self.ldb_admin, object_dn)
1023 self.create_configuration_container(_ldb, object_dn, )
1024 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1025 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1026 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1027 self.check_modify_inheritance(_ldb, object_dn)
1030 user_name = "testuser6"
1031 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1032 # Open Ldb connection with the tested user
1033 _ldb = self.get_ldb_connection(user_name, "samba123@")
1034 # Create example Configuration container
1035 container_name = "test-container1"
1036 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1037 delete_force(self.ldb_admin, object_dn)
1038 self.create_configuration_container(_ldb, object_dn, )
1039 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1040 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1041 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1042 self.check_modify_inheritance(_ldb, object_dn)
1045 user_name = "testuser7"
1046 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1047 # Open Ldb connection with the tested user
1048 _ldb = self.get_ldb_connection(user_name, "samba123@")
1049 # Create example Configuration container
1050 container_name = "test-container1"
1051 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1052 delete_force(self.ldb_admin, object_dn)
1053 self.create_configuration_container(_ldb, object_dn, )
1054 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1055 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1056 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1057 self.check_modify_inheritance(_ldb, object_dn)
1060 user_name = "testuser8"
1061 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1062 # Open Ldb connection with the tested user
1063 _ldb = self.get_ldb_connection(user_name, "samba123@")
1064 # Create example Configuration container
1065 container_name = "test-container1"
1066 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1067 delete_force(self.ldb_admin, object_dn)
1068 self.create_configuration_container(_ldb, object_dn, )
1069 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1070 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1071 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1072 self.check_modify_inheritance(_ldb, object_dn)
1074 # Custom descriptor tests ##################################################################
1077 user_name = "testuser1"
1078 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1079 # Open Ldb connection with the tested user
1080 _ldb = self.get_ldb_connection(user_name, "samba123@")
1081 # Create example Configuration container
1082 container_name = "test-container1"
1083 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1084 delete_force(self.ldb_admin, object_dn)
1085 # Create a custom security descriptor
1086 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1087 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1088 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1089 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1090 self.assertEqual("O:DAG:DA", res)
1093 user_name = "testuser2"
1094 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1095 # Open Ldb connection with the tested user
1096 _ldb = self.get_ldb_connection(user_name, "samba123@")
1097 # Create example Configuration container
1098 container_name = "test-container1"
1099 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1100 delete_force(self.ldb_admin, object_dn)
1101 # Create a custom security descriptor
1102 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1103 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1104 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1105 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1106 self.assertEqual("O:DAG:DA", res)
1109 user_name = "testuser3"
1110 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1111 # Open Ldb connection with the tested user
1112 _ldb = self.get_ldb_connection(user_name, "samba123@")
1113 # Create example Configuration container
1114 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1115 delete_force(self.ldb_admin, object_dn)
1116 self.create_configuration_container(self.ldb_admin, object_dn, )
1117 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1118 mod = "(A;;CC;;;AU)"
1119 self.sd_utils.dacl_add_ace(object_dn, mod)
1120 # Create child object with user's credentials
1121 object_dn = "CN=test-specifier1," + object_dn
1122 delete_force(self.ldb_admin, object_dn)
1123 # Create a custom security descriptor
1124 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1125 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1126 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1127 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1128 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1129 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1132 user_name = "testuser4"
1133 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1134 # Open Ldb connection with the tested user
1135 _ldb = self.get_ldb_connection(user_name, "samba123@")
1136 # Create example Configuration container
1137 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1138 delete_force(self.ldb_admin, object_dn)
1139 self.create_configuration_container(self.ldb_admin, object_dn, )
1140 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1141 mod = "(A;;CC;;;AU)"
1142 self.sd_utils.dacl_add_ace(object_dn, mod)
1143 # Create child object with user's credentials
1144 object_dn = "CN=test-specifier1," + object_dn
1145 delete_force(self.ldb_admin, object_dn)
1146 # Create a custom security descriptor
1147 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1148 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1149 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1150 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1151 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1152 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1155 user_name = "testuser5"
1156 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1157 # Open Ldb connection with the tested user
1158 _ldb = self.get_ldb_connection(user_name, "samba123@")
1159 # Create example Configuration container
1160 container_name = "test-container1"
1161 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1162 delete_force(self.ldb_admin, object_dn)
1163 # Create a custom security descriptor
1164 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1165 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1166 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1167 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1168 self.assertEqual("O:DAG:DA", res)
1171 user_name = "testuser6"
1172 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1173 # Open Ldb connection with the tested user
1174 _ldb = self.get_ldb_connection(user_name, "samba123@")
1175 # Create example Configuration container
1176 container_name = "test-container1"
1177 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1178 delete_force(self.ldb_admin, object_dn)
1179 # Create a custom security descriptor
1180 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1181 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1182 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1183 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1184 self.assertEqual("O:DAG:DA", res)
1187 user_name = "testuser7"
1188 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1189 # Open Ldb connection with the tested user
1190 _ldb = self.get_ldb_connection(user_name, "samba123@")
1191 # Create example Configuration container
1192 container_name = "test-container1"
1193 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1194 delete_force(self.ldb_admin, object_dn)
1195 # Create a custom security descriptor
1196 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1197 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1198 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1199 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1200 self.assertEqual("O:DAG:DA", res)
1203 user_name = "testuser8"
1204 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1205 # Open Ldb connection with the tested user
1206 _ldb = self.get_ldb_connection(user_name, "samba123@")
1207 # Create example Configuration container
1208 container_name = "test-container1"
1209 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1210 delete_force(self.ldb_admin, object_dn)
1211 # Create a custom security descriptor
1212 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1213 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1214 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1215 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1216 self.assertEqual("O:DAG:DA", res)
1218 ########################################################################################
1219 # Inheritance tests for DACL
1221 class DaclDescriptorTests(DescriptorTests):
1223 def deleteAll(self):
1224 delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1225 delete_force(self.ldb_admin, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1226 delete_force(self.ldb_admin, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1227 delete_force(self.ldb_admin, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1228 delete_force(self.ldb_admin, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1229 delete_force(self.ldb_admin, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self.base_dn)
1230 delete_force(self.ldb_admin, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self.base_dn)
1231 delete_force(self.ldb_admin, "OU=test_inherit_ou_p," + self.base_dn)
1232 delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1235 super(DaclDescriptorTests, self).setUp()
1238 def create_clean_ou(self, object_dn):
1239 """ Base repeating setup for unittests to follow """
1240 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1241 expression="distinguishedName=%s" % object_dn)
1242 # Make sure top testing OU has been deleted before starting the test
1243 self.assertEqual(len(res), 0)
1244 self.ldb_admin.create_ou(object_dn)
1245 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1246 # Make sure there are inheritable ACEs initially
1247 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1248 # Find and remove all inherit ACEs
1249 res = re.findall("\(.*?\)", desc_sddl)
1250 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1252 desc_sddl = desc_sddl.replace(x, "")
1253 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1254 # can propagate from above
1255 # remove SACL, we are not interested
1256 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1257 self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
1258 # Verify all inheritable ACEs are gone
1259 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1260 self.assertFalse("CI" in desc_sddl)
1261 self.assertFalse("OI" in desc_sddl)
1264 """ OU with protected flag and child group. See if the group has inherit ACEs.
1266 ou_dn = "OU=test_inherit_ou," + self.base_dn
1267 group_dn = "CN=test_inherit_group," + ou_dn
1268 # Create inheritable-free OU
1269 self.create_clean_ou(ou_dn)
1270 # Create group child object
1271 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1272 # Make sure created group object contains NO inherit ACEs
1273 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1274 self.assertFalse("ID" in desc_sddl)
1277 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1278 Verify group has custom and default ACEs only.
1280 ou_dn = "OU=test_inherit_ou," + self.base_dn
1281 group_dn = "CN=test_inherit_group," + ou_dn
1282 # Create inheritable-free OU
1283 self.create_clean_ou(ou_dn)
1284 # Create group child object using custom security descriptor
1285 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1286 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
1287 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1288 # Make sure created group descriptor has NO additional ACEs
1289 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1290 self.assertEqual(desc_sddl, sddl)
1291 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1292 self.sd_utils.modify_sd_on_dn(group_dn, sddl)
1293 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1294 self.assertEqual(desc_sddl, sddl)
1297 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1298 See if the group has any of the added ACEs.
1300 ou_dn = "OU=test_inherit_ou," + self.base_dn
1301 group_dn = "CN=test_inherit_group," + ou_dn
1302 # Create inheritable-free OU
1303 self.create_clean_ou(ou_dn)
1304 # Add some custom non-inheritable ACEs
1305 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1306 moded = "(D;;CC;;;LG)"
1307 self.sd_utils.dacl_add_ace(ou_dn, mod)
1308 # Verify all inheritable ACEs are gone
1309 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1310 # Create group child object
1311 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1312 # Make sure created group object contains NO inherit ACEs
1313 # also make sure the added above non-inheritable ACEs are absent too
1314 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1315 self.assertFalse("ID" in desc_sddl)
1316 for x in re.findall("\(.*?\)", mod):
1317 self.assertFalse(x in desc_sddl)
1318 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1319 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1320 self.assertFalse("ID" in desc_sddl)
1321 for x in re.findall("\(.*?\)", mod):
1322 self.assertFalse(x in desc_sddl)
1325 """ OU with protected flag and add 'CI' ACE, child group.
1326 See if the group has the added inherited ACE.
1328 ou_dn = "OU=test_inherit_ou," + self.base_dn
1329 group_dn = "CN=test_inherit_group," + ou_dn
1330 # Create inheritable-free OU
1331 self.create_clean_ou(ou_dn)
1332 # Add some custom 'CI' ACE
1333 mod = "(D;CI;WP;;;DU)"
1334 moded = "(D;;CC;;;LG)"
1335 self.sd_utils.dacl_add_ace(ou_dn, mod)
1336 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1337 # Create group child object
1338 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1339 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1340 # Make sure created group object contains only the above inherited ACE
1341 # that we've added manually
1342 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1343 mod = mod.replace(";CI;", ";CIID;")
1344 self.assertTrue(mod in desc_sddl)
1345 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1346 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1347 self.assertTrue(moded in desc_sddl)
1348 self.assertTrue(mod in desc_sddl)
1351 """ OU with protected flag and add 'OI' ACE, child group.
1352 See if the group has the added inherited ACE.
1354 ou_dn = "OU=test_inherit_ou," + self.base_dn
1355 group_dn = "CN=test_inherit_group," + ou_dn
1356 # Create inheritable-free OU
1357 self.create_clean_ou(ou_dn)
1358 # Add some custom 'CI' ACE
1359 mod = "(D;OI;WP;;;DU)"
1360 moded = "(D;;CC;;;LG)"
1361 self.sd_utils.dacl_add_ace(ou_dn, mod)
1362 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1363 # Create group child object
1364 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1365 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1366 # Make sure created group object contains only the above inherited ACE
1367 # that we've added manually
1368 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1369 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1370 self.assertTrue(mod in desc_sddl)
1371 self.sd_utils.modify_sd_on_dn(group_dn, "D:" +moded)
1372 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1373 self.assertTrue(moded in desc_sddl)
1374 self.assertTrue(mod in desc_sddl)
1377 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1378 See if the group has the added inherited ACE.
1380 ou_dn = "OU=test_inherit_ou," + self.base_dn
1381 group_dn = "CN=test_inherit_group," + ou_dn
1382 # Create inheritable-free OU
1383 self.create_clean_ou(ou_dn)
1384 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1385 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1386 moded = "(D;;CC;;;LG)"
1387 self.sd_utils.dacl_add_ace(ou_dn, mod)
1388 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1389 # Create group child object
1390 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1391 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1392 # Make sure created group object contains only the above inherited ACE
1393 # that we've added manually
1394 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1395 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1396 self.assertTrue(mod in desc_sddl)
1397 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1398 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1399 self.assertTrue(moded in desc_sddl)
1400 self.assertTrue(mod in desc_sddl)
1403 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1404 See if the group has the added inherited ACE.
1406 ou_dn = "OU=test_inherit_ou," + self.base_dn
1407 group_dn = "CN=test_inherit_group," + ou_dn
1408 # Create inheritable-free OU
1409 self.create_clean_ou(ou_dn)
1410 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1411 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1412 moded = "(D;;CC;;;LG)"
1413 self.sd_utils.dacl_add_ace(ou_dn, mod)
1414 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1415 # Create group child object
1416 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1417 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1418 # Make sure created group object contains only the above inherited ACE
1419 # that we've added manually
1420 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1421 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1422 self.assertTrue(mod in desc_sddl)
1423 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1424 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1425 self.assertTrue(moded in desc_sddl)
1426 self.assertTrue(mod in desc_sddl)
1429 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1430 See if the group has the added inherited ACE.
1432 ou_dn = "OU=test_inherit_ou," + self.base_dn
1433 group_dn = "CN=test_inherit_group," + ou_dn
1434 # Create inheritable-free OU
1435 self.create_clean_ou(ou_dn)
1436 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1437 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1438 moded = "(D;;CC;;;LG)"
1439 self.sd_utils.dacl_add_ace(ou_dn, mod)
1440 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1441 # Create group child object
1442 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1443 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1444 # Make sure created group object contains only the above inherited ACE
1445 # that we've added manually
1446 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1447 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1448 self.assertTrue(mod in desc_sddl)
1449 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1450 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1451 self.assertTrue(moded in desc_sddl)
1452 self.assertTrue(mod in desc_sddl)
1455 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1456 See if the group has the added inherited ACE.
1458 ou_dn = "OU=test_inherit_ou," + self.base_dn
1459 group_dn = "CN=test_inherit_group," + ou_dn
1460 # Create inheritable-free OU
1461 self.create_clean_ou(ou_dn)
1462 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1463 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1464 moded = "(D;;CC;;;LG)"
1465 self.sd_utils.dacl_add_ace(ou_dn, mod)
1466 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1467 # Create group child object
1468 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1469 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1470 # Make sure created group object contains only the above inherited ACE
1471 # that we've added manually
1472 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1473 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1474 self.assertTrue(mod in desc_sddl)
1475 self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1476 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1477 self.assertTrue(moded in desc_sddl)
1478 self.assertTrue(mod in desc_sddl)
1481 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1482 See if the group has the added inherited ACE.
1484 ou_dn = "OU=test_inherit_ou," + self.base_dn
1485 group_dn = "CN=test_inherit_group," + ou_dn
1486 # Create inheritable-free OU
1487 self.create_clean_ou(ou_dn)
1488 # Add some custom 'CI' ACE
1489 mod = "(D;CI;WP;;;CO)"
1490 moded = "(D;;CC;;;LG)"
1491 self.sd_utils.dacl_add_ace(ou_dn, mod)
1492 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1493 # Create group child object
1494 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1495 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1496 # Make sure created group object contains only the above inherited ACE(s)
1497 # that we've added manually
1498 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1499 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1500 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1501 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1502 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1503 self.assertTrue(moded in desc_sddl)
1504 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1505 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1508 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1510 ou_dn = "OU=test_inherit_ou," + self.base_dn
1511 group_dn = "CN=test_inherit_group," + ou_dn
1512 self.create_clean_ou(ou_dn)
1513 # Add some custom ACE
1514 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1515 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1516 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1517 # Make sure created group object does not contain the ID ace
1518 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1519 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1522 """ Provide ACE with CO SID, should be expanded and replaced
1524 ou_dn = "OU=test_inherit_ou," + self.base_dn
1525 group_dn = "CN=test_inherit_group," + ou_dn
1526 # Create inheritable-free OU
1527 self.create_clean_ou(ou_dn)
1528 # Add some custom 'CI' ACE
1529 mod = "D:(D;CI;WP;;;CO)"
1530 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1531 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1532 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1533 self.assertTrue("(D;;WP;;;DA)" in desc_sddl)
1534 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1537 """ Provide ACE with IO flag, should be ignored
1539 ou_dn = "OU=test_inherit_ou," + self.base_dn
1540 group_dn = "CN=test_inherit_group," + ou_dn
1541 # Create inheritable-free OU
1542 self.create_clean_ou(ou_dn)
1543 # Add some custom 'CI' ACE
1544 mod = "D:(D;CIIO;WP;;;CO)"
1545 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1546 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1547 # Make sure created group object contains only the above inherited ACE(s)
1548 # that we've added manually
1549 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1550 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1551 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1552 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1555 """ Provide ACE with IO flag, should be ignored
1557 ou_dn = "OU=test_inherit_ou," + self.base_dn
1558 group_dn = "CN=test_inherit_group," + ou_dn
1559 # Create inheritable-free OU
1560 self.create_clean_ou(ou_dn)
1561 mod = "D:(D;IO;WP;;;DA)"
1562 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1563 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1564 # Make sure created group object contains only the above inherited ACE(s)
1565 # that we've added manually
1566 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1567 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1570 """ Test behavior of ACEs containing generic rights
1572 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1573 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1574 ou_dn2 = "OU=test_inherit_ou2," + ou_dn
1575 ou_dn3 = "OU=test_inherit_ou3," + ou_dn
1576 ou_dn4 = "OU=test_inherit_ou4," + ou_dn
1577 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1578 ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
1579 # Create inheritable-free OU
1580 mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1581 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1582 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1583 mod = "D:(A;CI;GA;;;DU)"
1584 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1585 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1586 mod = "D:(A;CIIO;GA;;;DU)"
1587 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1588 self.ldb_admin.create_ou(ou_dn2, sd=tmp_desc)
1589 mod = "D:(A;;GA;;;DU)"
1590 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1591 self.ldb_admin.create_ou(ou_dn3, sd=tmp_desc)
1592 mod = "D:(A;IO;GA;;;DU)"
1593 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1594 self.ldb_admin.create_ou(ou_dn4, sd=tmp_desc)
1596 self.ldb_admin.create_ou(ou_dn5)
1597 self.ldb_admin.create_ou(ou_dn6)
1599 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
1600 self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1601 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1602 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
1603 self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1604 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1605 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
1606 self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1607 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1608 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
1609 self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1610 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1611 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1612 self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1613 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1614 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
1615 self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1616 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1619 """ Make sure IO flag is removed in child objects
1621 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1622 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1623 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1624 # Create inheritable-free OU
1625 mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1626 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1627 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1628 mod = "D:(A;CIIO;WP;;;DU)"
1629 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1630 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1631 self.ldb_admin.create_ou(ou_dn5)
1632 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1633 self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
1634 self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
1637 """ Make sure ID ACES provided by user are ignored
1639 ou_dn = "OU=test_inherit_ou," + self.base_dn
1640 group_dn = "CN=test_inherit_group," + ou_dn
1641 mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1642 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1643 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1644 # Add some custom ACE
1645 mod = "D:(D;ID;WP;;;AU)"
1646 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1647 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1648 # Make sure created group object does not contain the ID ace
1649 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1650 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1651 self.assertFalse("(A;;WP;;;AU)" in desc_sddl)
1654 """ Make sure ID ACES provided by user are not ignored if P flag is set
1656 ou_dn = "OU=test_inherit_ou," + self.base_dn
1657 group_dn = "CN=test_inherit_group," + ou_dn
1658 mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1659 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1660 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1661 # Add some custom ACE
1662 mod = "D:P(A;ID;WP;;;AU)"
1663 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1664 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1665 # Make sure created group object does not contain the ID ace
1666 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1667 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1668 self.assertTrue("(A;;WP;;;AU)" in desc_sddl)
1670 ########################################################################################
1673 class SdFlagsDescriptorTests(DescriptorTests):
1674 def deleteAll(self):
1675 delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1678 super(SdFlagsDescriptorTests, self).setUp()
1679 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1683 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1684 See that only the owner has been changed.
1686 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1687 self.ldb_admin.create_ou(ou_dn)
1688 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1689 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1690 # make sure we have modified the owner
1691 self.assertTrue("O:AU" in desc_sddl)
1692 # make sure nothing else has been modified
1693 self.assertFalse("G:AU" in desc_sddl)
1694 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1695 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1698 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1699 See that only the owner has been changed.
1701 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1702 self.ldb_admin.create_ou(ou_dn)
1703 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1704 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1705 # make sure we have modified the group
1706 self.assertTrue("G:AU" in desc_sddl)
1707 # make sure nothing else has been modified
1708 self.assertFalse("O:AU" in desc_sddl)
1709 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1710 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1713 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1714 See that only the owner has been changed.
1716 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1717 self.ldb_admin.create_ou(ou_dn)
1718 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1719 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1720 # make sure we have modified the DACL
1721 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1722 # make sure nothing else has been modified
1723 self.assertFalse("O:AU" in desc_sddl)
1724 self.assertFalse("G:AU" in desc_sddl)
1725 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1728 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1729 See that only the owner has been changed.
1731 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1732 self.ldb_admin.create_ou(ou_dn)
1733 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1734 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1735 # make sure we have modified the DACL
1736 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1737 # make sure nothing else has been modified
1738 self.assertFalse("O:AU" in desc_sddl)
1739 self.assertFalse("G:AU" in desc_sddl)
1740 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1743 """ Modify a descriptor with 0x0 set.
1744 Contrary to logic this is interpreted as no control,
1745 which is the same as 0xF
1747 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1748 self.ldb_admin.create_ou(ou_dn)
1749 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1750 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1751 # make sure we have modified the DACL
1752 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1753 # make sure nothing else has been modified
1754 self.assertTrue("O:AU" in desc_sddl)
1755 self.assertTrue("G:AU" in desc_sddl)
1756 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1759 """ Modify a descriptor with 0xF set.
1761 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1762 self.ldb_admin.create_ou(ou_dn)
1763 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1764 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1765 # make sure we have modified the DACL
1766 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1767 # make sure nothing else has been modified
1768 self.assertTrue("O:AU" in desc_sddl)
1769 self.assertTrue("G:AU" in desc_sddl)
1770 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1773 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1774 Only the owner part should be returned.
1776 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1777 self.ldb_admin.create_ou(ou_dn)
1778 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1779 # make sure we have read the owner
1780 self.assertTrue("O:" in desc_sddl)
1781 # make sure we have read nothing else
1782 self.assertFalse("G:" in desc_sddl)
1783 self.assertFalse("D:" in desc_sddl)
1784 self.assertFalse("S:" in desc_sddl)
1787 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1788 Only the group part should be returned.
1790 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1791 self.ldb_admin.create_ou(ou_dn)
1792 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1793 # make sure we have read the owner
1794 self.assertTrue("G:" in desc_sddl)
1795 # make sure we have read nothing else
1796 self.assertFalse("O:" in desc_sddl)
1797 self.assertFalse("D:" in desc_sddl)
1798 self.assertFalse("S:" in desc_sddl)
1801 """ Read a descriptor with SACL_SECURITY_INFORMATION
1802 Only the sacl part should be returned.
1804 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1805 self.ldb_admin.create_ou(ou_dn)
1806 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1807 # make sure we have read the owner
1808 self.assertTrue("S:" in desc_sddl)
1809 # make sure we have read nothing else
1810 self.assertFalse("O:" in desc_sddl)
1811 self.assertFalse("D:" in desc_sddl)
1812 self.assertFalse("G:" in desc_sddl)
1815 """ Read a descriptor with DACL_SECURITY_INFORMATION
1816 Only the dacl part should be returned.
1818 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1819 self.ldb_admin.create_ou(ou_dn)
1820 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1821 # make sure we have read the owner
1822 self.assertTrue("D:" in desc_sddl)
1823 # make sure we have read nothing else
1824 self.assertFalse("O:" in desc_sddl)
1825 self.assertFalse("S:" in desc_sddl)
1826 self.assertFalse("G:" in desc_sddl)
1829 sd_flags = (SECINFO_OWNER |
1834 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1836 self.assertFalse("nTSecurityDescriptor" in res[0])
1838 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1839 ["name"], controls=None)
1840 self.assertFalse("nTSecurityDescriptor" in res[0])
1842 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1843 ["name"], controls=["sd_flags:1:%d" % (sd_flags)])
1844 self.assertFalse("nTSecurityDescriptor" in res[0])
1846 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1847 [], controls=["sd_flags:1:%d" % (sd_flags)])
1848 self.assertTrue("nTSecurityDescriptor" in res[0])
1849 tmp = res[0]["nTSecurityDescriptor"][0]
1850 sd = ndr_unpack(security.descriptor, tmp)
1851 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1852 self.assertTrue("O:" in sddl)
1853 self.assertTrue("G:" in sddl)
1854 self.assertTrue("D:" in sddl)
1855 self.assertTrue("S:" in sddl)
1857 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1858 ["*"], controls=["sd_flags:1:%d" % (sd_flags)])
1859 self.assertTrue("nTSecurityDescriptor" in res[0])
1860 tmp = res[0]["nTSecurityDescriptor"][0]
1861 sd = ndr_unpack(security.descriptor, tmp)
1862 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1863 self.assertTrue("O:" in sddl)
1864 self.assertTrue("G:" in sddl)
1865 self.assertTrue("D:" in sddl)
1866 self.assertTrue("S:" in sddl)
1868 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1869 ["nTSecurityDescriptor", "*"], controls=["sd_flags:1:%d" % (sd_flags)])
1870 self.assertTrue("nTSecurityDescriptor" in res[0])
1871 tmp = res[0]["nTSecurityDescriptor"][0]
1872 sd = ndr_unpack(security.descriptor, tmp)
1873 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1874 self.assertTrue("O:" in sddl)
1875 self.assertTrue("G:" in sddl)
1876 self.assertTrue("D:" in sddl)
1877 self.assertTrue("S:" in sddl)
1879 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1880 ["*", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
1881 self.assertTrue("nTSecurityDescriptor" in res[0])
1882 tmp = res[0]["nTSecurityDescriptor"][0]
1883 sd = ndr_unpack(security.descriptor, tmp)
1884 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1885 self.assertTrue("O:" in sddl)
1886 self.assertTrue("G:" in sddl)
1887 self.assertTrue("D:" in sddl)
1888 self.assertTrue("S:" in sddl)
1890 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1891 ["nTSecurityDescriptor", "name"], controls=["sd_flags:1:%d" % (sd_flags)])
1892 self.assertTrue("nTSecurityDescriptor" in res[0])
1893 tmp = res[0]["nTSecurityDescriptor"][0]
1894 sd = ndr_unpack(security.descriptor, tmp)
1895 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1896 self.assertTrue("O:" in sddl)
1897 self.assertTrue("G:" in sddl)
1898 self.assertTrue("D:" in sddl)
1899 self.assertTrue("S:" in sddl)
1901 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1902 ["name", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
1903 self.assertTrue("nTSecurityDescriptor" in res[0])
1904 tmp = res[0]["nTSecurityDescriptor"][0]
1905 sd = ndr_unpack(security.descriptor, tmp)
1906 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1907 self.assertTrue("O:" in sddl)
1908 self.assertTrue("G:" in sddl)
1909 self.assertTrue("D:" in sddl)
1910 self.assertTrue("S:" in sddl)
1912 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1913 ["nTSecurityDescriptor"], controls=None)
1914 self.assertTrue("nTSecurityDescriptor" in res[0])
1915 tmp = res[0]["nTSecurityDescriptor"][0]
1916 sd = ndr_unpack(security.descriptor, tmp)
1917 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1918 self.assertTrue("O:" in sddl)
1919 self.assertTrue("G:" in sddl)
1920 self.assertTrue("D:" in sddl)
1921 self.assertTrue("S:" in sddl)
1923 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1924 ["name", "nTSecurityDescriptor"], controls=None)
1925 self.assertTrue("nTSecurityDescriptor" in res[0])
1926 tmp = res[0]["nTSecurityDescriptor"][0]
1927 sd = ndr_unpack(security.descriptor, tmp)
1928 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1929 self.assertTrue("O:" in sddl)
1930 self.assertTrue("G:" in sddl)
1931 self.assertTrue("D:" in sddl)
1932 self.assertTrue("S:" in sddl)
1934 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1935 ["nTSecurityDescriptor", "name"], controls=None)
1936 self.assertTrue("nTSecurityDescriptor" in res[0])
1937 tmp = res[0]["nTSecurityDescriptor"][0]
1938 sd = ndr_unpack(security.descriptor, tmp)
1939 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1940 self.assertTrue("O:" in sddl)
1941 self.assertTrue("G:" in sddl)
1942 self.assertTrue("D:" in sddl)
1943 self.assertTrue("S:" in sddl)
1946 """This search is done by the windows dc join..."""
1948 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["1.1"],
1949 controls=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"])
1950 self.assertFalse("nTSecurityDescriptor" in res[0])
1952 class RightsAttributesTests(DescriptorTests):
1954 def deleteAll(self):
1955 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1956 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1957 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1960 super(RightsAttributesTests, self).setUp()
1964 self.ldb_admin.newuser("testuser_attr", "samba123@")
1965 # User 2, Domain Admins
1966 self.ldb_admin.newuser("testuser_attr2", "samba123@")
1967 self.ldb_admin.add_remove_group_members("Domain Admins",
1969 add_members_operation=True)
1971 def test_sDRightsEffective(self):
1972 object_dn = "OU=test_domain_ou1," + self.base_dn
1973 delete_force(self.ldb_admin, object_dn)
1974 self.ldb_admin.create_ou(object_dn)
1975 print(self.get_users_domain_dn("testuser_attr"))
1976 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1977 #give testuser1 read access so attributes can be retrieved
1978 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1979 self.sd_utils.dacl_add_ace(object_dn, mod)
1980 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1981 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1982 attrs=["sDRightsEffective"])
1983 #user whould have no rights at all
1984 self.assertEquals(len(res), 1)
1985 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1986 #give the user Write DACL and see what happens
1987 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1988 self.sd_utils.dacl_add_ace(object_dn, mod)
1989 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1990 attrs=["sDRightsEffective"])
1991 #user whould have DACL_SECURITY_INFORMATION
1992 self.assertEquals(len(res), 1)
1993 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1994 #give the user Write Owners and see what happens
1995 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1996 self.sd_utils.dacl_add_ace(object_dn, mod)
1997 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1998 attrs=["sDRightsEffective"])
1999 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2000 self.assertEquals(len(res), 1)
2001 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
2002 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
2003 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
2004 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2005 attrs=["sDRightsEffective"])
2006 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2007 self.assertEquals(len(res), 1)
2008 self.assertEquals(res[0]["sDRightsEffective"][0], \
2009 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
2011 def test_allowedChildClassesEffective(self):
2012 object_dn = "OU=test_domain_ou1," + self.base_dn
2013 delete_force(self.ldb_admin, object_dn)
2014 self.ldb_admin.create_ou(object_dn)
2015 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2016 #give testuser1 read access so attributes can be retrieved
2017 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2018 self.sd_utils.dacl_add_ace(object_dn, mod)
2019 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2020 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2021 attrs=["allowedChildClassesEffective"])
2022 #there should be no allowed child classes
2023 self.assertEquals(len(res), 1)
2024 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
2025 #give the user the right to create children of type user
2026 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2027 self.sd_utils.dacl_add_ace(object_dn, mod)
2028 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2029 attrs=["allowedChildClassesEffective"])
2030 # allowedChildClassesEffective should only have one value, user
2031 self.assertEquals(len(res), 1)
2032 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
2033 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
2035 def test_allowedAttributesEffective(self):
2036 object_dn = "OU=test_domain_ou1," + self.base_dn
2037 delete_force(self.ldb_admin, object_dn)
2038 self.ldb_admin.create_ou(object_dn)
2039 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2040 #give testuser1 read access so attributes can be retrieved
2041 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2042 self.sd_utils.dacl_add_ace(object_dn, mod)
2043 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2044 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2045 attrs=["allowedAttributesEffective"])
2046 #there should be no allowed attributes
2047 self.assertEquals(len(res), 1)
2048 self.assertFalse("allowedAttributesEffective" in res[0].keys())
2049 #give the user the right to write displayName and managedBy
2050 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2051 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
2052 # also rights to modify an read only attribute, fromEntry
2053 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
2054 self.sd_utils.dacl_add_ace(object_dn, mod + mod2 + mod3)
2055 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2056 attrs=["allowedAttributesEffective"])
2057 # value should only contain user and managedBy
2058 self.assertEquals(len(res), 1)
2059 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
2060 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
2061 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
2063 class SdAutoInheritTests(DescriptorTests):
2064 def deleteAll(self):
2065 delete_force(self.ldb_admin, self.sub_dn)
2066 delete_force(self.ldb_admin, self.ou_dn)
2069 super(SdAutoInheritTests, self).setUp()
2070 self.ou_dn = "OU=test_SdAutoInherit_ou," + self.base_dn
2071 self.sub_dn = "OU=test_sub," + self.ou_dn
2075 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
2076 See that only the owner has been changed.
2078 attrs = ["nTSecurityDescriptor", "replPropertyMetaData", "uSNChanged"]
2079 controls=["sd_flags:1:%d" % (SECINFO_DACL)]
2080 ace = "(A;CI;CC;;;NU)"
2081 sub_ace = "(A;CIID;CC;;;NU)"
2082 sd_sddl = "O:BAG:BAD:P(A;CI;0x000f01ff;;;AU)"
2083 sd = security.descriptor.from_sddl(sd_sddl, self.domain_sid)
2085 self.ldb_admin.create_ou(self.ou_dn,sd=sd)
2086 self.ldb_admin.create_ou(self.sub_dn)
2088 ou_res0 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
2089 None, attrs, controls=controls)
2090 sub_res0 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
2091 None, attrs, controls=controls)
2093 ou_sd0 = ndr_unpack(security.descriptor, ou_res0[0]["nTSecurityDescriptor"][0])
2094 sub_sd0 = ndr_unpack(security.descriptor, sub_res0[0]["nTSecurityDescriptor"][0])
2096 ou_sddl0 = ou_sd0.as_sddl(self.domain_sid)
2097 sub_sddl0 = sub_sd0.as_sddl(self.domain_sid)
2099 self.assertFalse(ace in ou_sddl0)
2100 self.assertFalse(ace in sub_sddl0)
2102 ou_sddl1 = (ou_sddl0[:ou_sddl0.index("(")] + ace +
2103 ou_sddl0[ou_sddl0.index("("):])
2105 sub_sddl1 = (sub_sddl0[:sub_sddl0.index("(")] + ace +
2106 sub_sddl0[sub_sddl0.index("("):])
2108 self.sd_utils.modify_sd_on_dn(self.ou_dn, ou_sddl1, controls=controls)
2110 sub_res2 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
2111 None, attrs, controls=controls)
2112 ou_res2 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
2113 None, attrs, controls=controls)
2115 ou_sd2 = ndr_unpack(security.descriptor, ou_res2[0]["nTSecurityDescriptor"][0])
2116 sub_sd2 = ndr_unpack(security.descriptor, sub_res2[0]["nTSecurityDescriptor"][0])
2118 ou_sddl2 = ou_sd2.as_sddl(self.domain_sid)
2119 sub_sddl2 = sub_sd2.as_sddl(self.domain_sid)
2121 self.assertFalse(ou_sddl2 == ou_sddl0)
2122 self.assertFalse(sub_sddl2 == sub_sddl0)
2124 if ace not in ou_sddl2:
2125 print("ou0: %s" % ou_sddl0)
2126 print("ou2: %s" % ou_sddl2)
2128 if sub_ace not in sub_sddl2:
2129 print("sub0: %s" % sub_sddl0)
2130 print("sub2: %s" % sub_sddl2)
2132 self.assertTrue(ace in ou_sddl2)
2133 self.assertTrue(sub_ace in sub_sddl2)
2135 ou_usn0 = int(ou_res0[0]["uSNChanged"][0])
2136 ou_usn2 = int(ou_res2[0]["uSNChanged"][0])
2137 self.assertTrue(ou_usn2 > ou_usn0)
2139 sub_usn0 = int(sub_res0[0]["uSNChanged"][0])
2140 sub_usn2 = int(sub_res2[0]["uSNChanged"][0])
2141 self.assertTrue(sub_usn2 == sub_usn0)
2143 if not "://" in host:
2144 if os.path.isfile(host):
2145 host = "tdb://%s" % host
2147 host = "ldap://%s" % host
2149 # use 'paged_search' module when connecting remotely
2150 if host.lower().startswith("ldap://"):
2151 ldb_options = ["modules:paged_searches"]
2153 TestProgram(module=__name__, opts=subunitopts)