2 # -*- coding: utf-8 -*-
4 from __future__ import print_function
12 sys.path.insert(0, "bin/python")
15 from samba.tests.subunitrun import SubunitOptions, TestProgram
17 import samba.getopt as options
19 # Some error messages that are being tested
20 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
22 # For running the test unit
23 from samba.ndr import ndr_pack, ndr_unpack
24 from samba.dcerpc import security
26 from samba import gensec, sd_utils
27 from samba.samdb import SamDB
28 from samba.credentials import Credentials, DONT_USE_KERBEROS
29 from samba.auth import system_session
30 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
31 from samba.dcerpc.security import (
32 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
34 from samba.tests import delete_force
36 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
37 sambaopts = options.SambaOptions(parser)
38 parser.add_option_group(sambaopts)
39 parser.add_option_group(options.VersionOptions(parser))
41 # use command line creds if available
42 credopts = options.CredentialsOptions(parser)
43 parser.add_option_group(credopts)
44 subunitopts = SubunitOptions(parser)
45 parser.add_option_group(subunitopts)
47 opts, args = parser.parse_args()
55 lp = sambaopts.get_loadparm()
56 creds = credopts.get_credentials(lp)
57 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
64 class DescriptorTests(samba.tests.TestCase):
66 def get_users_domain_dn(self, name):
67 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
69 def create_schema_class(self, _ldb, desc=None):
71 class_id = random.randint(0, 65535)
72 class_name = "descriptor-test-class%s" % class_id
73 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
75 self.ldb_admin.search(base=class_dn, attrs=["name"])
78 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
82 dn: """ + class_dn + """
83 objectClass: classSchema
84 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
85 defaultObjectCategory: """ + class_dn + """
86 governsId: 1.3.6.1.4.1.7165.4.6.2.3.""" + str(class_id) + """
88 objectClassCategory: 1
89 subClassOf: organizationalPerson
96 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
97 if isinstance(desc, str):
98 ldif += "nTSecurityDescriptor: %s" % desc
99 elif isinstance(desc, security.descriptor):
100 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
104 def create_configuration_container(self, _ldb, object_dn, desc=None):
106 dn: """ + object_dn + """
107 objectClass: container
108 objectCategory: CN=Container,""" + self.schema_dn + """
109 showInAdvancedViewOnly: TRUE
113 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
114 if isinstance(desc, str):
115 ldif += "nTSecurityDescriptor: %s" % desc
116 elif isinstance(desc, security.descriptor):
117 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
120 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
122 dn: """ + object_dn + """
123 objectClass: displaySpecifier
124 showInAdvancedViewOnly: TRUE
127 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
128 if isinstance(desc, str):
129 ldif += "nTSecurityDescriptor: %s" % desc
130 elif isinstance(desc, security.descriptor):
131 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)).decode('utf8')
134 def get_ldb_connection(self, target_username, target_password):
135 creds_tmp = Credentials()
136 creds_tmp.set_username(target_username)
137 creds_tmp.set_password(target_password)
138 creds_tmp.set_domain(creds.get_domain())
139 creds_tmp.set_realm(creds.get_realm())
140 creds_tmp.set_workstation(creds.get_workstation())
141 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
142 | gensec.FEATURE_SEAL)
143 creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
144 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
148 super(DescriptorTests, self).setUp()
149 self.ldb_admin = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp,
151 self.base_dn = self.ldb_admin.domain_dn()
152 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
153 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
154 self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
155 self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
156 self.addCleanup(self.delete_admin_connection)
157 print("baseDN: %s" % self.base_dn)
159 def delete_admin_connection(self):
163 ################################################################################################
167 # Default descriptor tests #####################################################################
170 class OwnerGroupDescriptorTests(DescriptorTests):
173 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
174 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
175 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
176 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
177 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
178 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
179 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
180 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
182 delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
183 delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
184 delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
185 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
188 delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers,"
189 + self.configuration_dn)
190 delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
193 super(OwnerGroupDescriptorTests, self).setUp()
196 # User 1 - Enterprise Admins
197 self.ldb_admin.newuser("testuser1", "samba123@")
198 # User 2 - Domain Admins
199 self.ldb_admin.newuser("testuser2", "samba123@")
200 # User 3 - Schema Admins
201 self.ldb_admin.newuser("testuser3", "samba123@")
202 # User 4 - regular user
203 self.ldb_admin.newuser("testuser4", "samba123@")
204 # User 5 - Enterprise Admins and Domain Admins
205 self.ldb_admin.newuser("testuser5", "samba123@")
206 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
207 self.ldb_admin.newuser("testuser6", "samba123@")
208 # User 7 - Domain Admins and Schema Admins
209 self.ldb_admin.newuser("testuser7", "samba123@")
210 # User 5 - Enterprise Admins and Schema Admins
211 self.ldb_admin.newuser("testuser8", "samba123@")
213 self.ldb_admin.add_remove_group_members("Enterprise Admins",
214 ["testuser1", "testuser5", "testuser6", "testuser8"],
215 add_members_operation=True)
216 self.ldb_admin.add_remove_group_members("Domain Admins",
217 ["testuser2", "testuser5", "testuser6", "testuser7"],
218 add_members_operation=True)
219 self.ldb_admin.add_remove_group_members("Schema Admins",
220 ["testuser3", "testuser6", "testuser7", "testuser8"],
221 add_members_operation=True)
224 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
225 "ds_behavior_win2003": {
275 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
276 "ds_behavior_win2008": {
327 # Discover 'domainControllerFunctionality'
328 res = self.ldb_admin.search(base="", scope=SCOPE_BASE,
329 attrs=['domainControllerFunctionality'])
330 res = int(res[0]['domainControllerFunctionality'][0])
331 if res < DS_DOMAIN_FUNCTION_2008:
332 self.DS_BEHAVIOR = "ds_behavior_win2003"
334 self.DS_BEHAVIOR = "ds_behavior_win2008"
337 super(OwnerGroupDescriptorTests, self).tearDown()
340 def check_user_belongs(self, user_dn, groups=[]):
341 """ Test whether user is member of the expected group(s) """
343 # User is member of at least one additional group
344 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
345 res = [str(x).upper() for x in sorted(list(res[0]["memberOf"]))]
348 expected.append(self.get_users_domain_dn(x))
349 expected = [x.upper() for x in sorted(expected)]
350 self.assertEqual(expected, res)
352 # User is not a member of any additional groups but default
353 res = self.ldb_admin.search(user_dn, attrs=["*"])
354 res = [x.upper() for x in res[0].keys()]
355 self.assertFalse("MEMBEROF" in res)
357 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
359 sd_user_utils = sd_utils.SDUtils(_ldb)
360 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
361 if owner_group != "":
362 sd_user_utils.modify_sd_on_dn(object_dn, owner_group + "D:" + ace)
364 sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
365 # Make sure the modify operation has been applied
366 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
367 self.assertTrue(ace in desc_sddl)
368 # Make sure we have identical result for both "add" and "modify"
369 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
370 print(self._testMethodName)
371 test_number = self._testMethodName[5:]
372 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
375 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
377 user_name = "testuser1"
378 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
379 # Open Ldb connection with the tested user
380 _ldb = self.get_ldb_connection(user_name, "samba123@")
381 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
382 delete_force(self.ldb_admin, object_dn)
383 _ldb.newgroup("test_domain_group1", grouptype=4)
384 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
385 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
386 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
387 self.check_modify_inheritance(_ldb, object_dn)
390 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
392 user_name = "testuser2"
393 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
394 # Open Ldb connection with the tested user
395 _ldb = self.get_ldb_connection(user_name, "samba123@")
396 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
397 delete_force(self.ldb_admin, object_dn)
398 _ldb.newgroup("test_domain_group1", grouptype=4)
399 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
400 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
401 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
402 self.check_modify_inheritance(_ldb, object_dn)
405 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
407 user_name = "testuser3"
408 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
409 # Open Ldb connection with the tested user
410 _ldb = self.get_ldb_connection(user_name, "samba123@")
411 object_dn = "OU=test_domain_ou1," + self.base_dn
412 delete_force(self.ldb_admin, object_dn)
413 self.ldb_admin.create_ou(object_dn)
414 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
415 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
416 self.sd_utils.dacl_add_ace(object_dn, mod)
417 # Create additional object into the first one
418 object_dn = "CN=test_domain_user1," + object_dn
419 delete_force(self.ldb_admin, object_dn)
420 _ldb.newuser("test_domain_user1", "samba123@",
421 userou="OU=test_domain_ou1", setpassword=False)
422 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
423 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
424 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
425 # This fails, research why
426 #self.check_modify_inheritance(_ldb, object_dn)
429 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
431 user_name = "testuser4"
432 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
433 # Open Ldb connection with the tested user
434 _ldb = self.get_ldb_connection(user_name, "samba123@")
435 object_dn = "OU=test_domain_ou1," + self.base_dn
436 delete_force(self.ldb_admin, object_dn)
437 self.ldb_admin.create_ou(object_dn)
438 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
439 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
440 self.sd_utils.dacl_add_ace(object_dn, mod)
441 # Create additional object into the first one
442 object_dn = "CN=test_domain_user1," + object_dn
443 delete_force(self.ldb_admin, object_dn)
444 _ldb.newuser("test_domain_user1", "samba123@",
445 userou="OU=test_domain_ou1", setpassword=False)
446 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
447 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
448 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
449 # this fails, research why
450 #self.check_modify_inheritance(_ldb, object_dn)
453 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
455 user_name = "testuser5"
456 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
457 # Open Ldb connection with the tested user
458 _ldb = self.get_ldb_connection(user_name, "samba123@")
459 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
460 delete_force(self.ldb_admin, object_dn)
461 _ldb.newgroup("test_domain_group1", grouptype=4)
462 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
463 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
464 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
465 self.check_modify_inheritance(_ldb, object_dn)
468 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
470 user_name = "testuser6"
471 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
472 # Open Ldb connection with the tested user
473 _ldb = self.get_ldb_connection(user_name, "samba123@")
474 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
475 delete_force(self.ldb_admin, object_dn)
476 _ldb.newgroup("test_domain_group1", grouptype=4)
477 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
478 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
479 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
480 self.check_modify_inheritance(_ldb, object_dn)
483 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
485 user_name = "testuser7"
486 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
487 # Open Ldb connection with the tested user
488 _ldb = self.get_ldb_connection(user_name, "samba123@")
489 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
490 delete_force(self.ldb_admin, object_dn)
491 _ldb.newgroup("test_domain_group1", grouptype=4)
492 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
493 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
494 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
495 self.check_modify_inheritance(_ldb, object_dn)
498 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
500 user_name = "testuser8"
501 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
502 # Open Ldb connection with the tested user
503 _ldb = self.get_ldb_connection(user_name, "samba123@")
504 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
505 delete_force(self.ldb_admin, object_dn)
506 _ldb.newgroup("test_domain_group1", grouptype=4)
507 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
508 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
509 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
510 self.check_modify_inheritance(_ldb, object_dn)
512 # Control descriptor tests #####################################################################
515 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
517 user_name = "testuser1"
518 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
519 # Open Ldb connection with the tested user
520 _ldb = self.get_ldb_connection(user_name, "samba123@")
521 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
522 delete_force(self.ldb_admin, object_dn)
523 # Create a custom security descriptor
524 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
525 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
526 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
527 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
528 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
529 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
532 """ Domain admin group member creates object (custom descriptor) in DOMAIN
534 user_name = "testuser2"
535 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
536 # Open Ldb connection with the tested user
537 _ldb = self.get_ldb_connection(user_name, "samba123@")
538 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
539 delete_force(self.ldb_admin, object_dn)
540 # Create a custom security descriptor
541 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
542 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
543 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
544 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
545 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
546 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
549 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
551 user_name = "testuser3"
552 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
553 # Open Ldb connection with the tested user
554 _ldb = self.get_ldb_connection(user_name, "samba123@")
555 object_dn = "OU=test_domain_ou1," + self.base_dn
556 delete_force(self.ldb_admin, object_dn)
557 self.ldb_admin.create_ou(object_dn)
558 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
559 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
560 self.sd_utils.dacl_add_ace(object_dn, mod)
561 # Create a custom security descriptor
562 # NB! Problematic owner part won't accept DA only <User Sid> !!!
563 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
564 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
565 # Create additional object into the first one
566 object_dn = "CN=test_domain_user1," + object_dn
567 delete_force(self.ldb_admin, object_dn)
568 _ldb.newuser("test_domain_user1", "samba123@",
569 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
570 desc = self.sd_utils.read_sd_on_dn(object_dn)
571 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
572 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
573 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
576 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
578 user_name = "testuser4"
579 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
580 # Open Ldb connection with the tested user
581 _ldb = self.get_ldb_connection(user_name, "samba123@")
582 object_dn = "OU=test_domain_ou1," + self.base_dn
583 delete_force(self.ldb_admin, object_dn)
584 self.ldb_admin.create_ou(object_dn)
585 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
586 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
587 self.sd_utils.dacl_add_ace(object_dn, mod)
588 # Create a custom security descriptor
589 # NB! Problematic owner part won't accept DA only <User Sid> !!!
590 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
591 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
592 # Create additional object into the first one
593 object_dn = "CN=test_domain_user1," + object_dn
594 delete_force(self.ldb_admin, object_dn)
595 _ldb.newuser("test_domain_user1", "samba123@",
596 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
597 desc = self.sd_utils.read_sd_on_dn(object_dn)
598 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
599 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
600 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
603 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
605 user_name = "testuser5"
606 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
607 # Open Ldb connection with the tested user
608 _ldb = self.get_ldb_connection(user_name, "samba123@")
609 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
610 delete_force(self.ldb_admin, object_dn)
611 # Create a custom security descriptor
612 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
613 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
614 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
615 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
616 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
617 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
620 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
622 user_name = "testuser6"
623 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
624 # Open Ldb connection with the tested user
625 _ldb = self.get_ldb_connection(user_name, "samba123@")
626 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
627 delete_force(self.ldb_admin, object_dn)
628 # Create a custom security descriptor
629 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
630 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
631 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
632 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
633 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
634 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
637 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
639 user_name = "testuser7"
640 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
641 # Open Ldb connection with the tested user
642 _ldb = self.get_ldb_connection(user_name, "samba123@")
643 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
644 delete_force(self.ldb_admin, object_dn)
645 # Create a custom security descriptor
646 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
647 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
648 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
649 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
650 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
651 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
654 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
656 user_name = "testuser8"
657 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
658 # Open Ldb connection with the tested user
659 _ldb = self.get_ldb_connection(user_name, "samba123@")
660 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
661 delete_force(self.ldb_admin, object_dn)
662 # Create a custom security descriptor
663 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
664 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
665 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
666 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
667 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
668 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
671 user_name = "Administrator"
672 object_dn = "OU=test_domain_ou1," + self.base_dn
673 delete_force(self.ldb_admin, object_dn)
674 self.ldb_admin.create_ou(object_dn)
675 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
676 mod = "(D;CI;WP;;;S-1-3-0)"
678 self.sd_utils.dacl_add_ace(object_dn, mod)
679 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
680 # Create additional object into the first one
681 object_dn = "OU=test_domain_ou2," + object_dn
682 delete_force(self.ldb_admin, object_dn)
683 self.ldb_admin.create_ou(object_dn)
684 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
688 # Defalt descriptor tests ##################################################################
691 user_name = "testuser1"
692 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
693 # Open Ldb connection with the tested user
694 _ldb = self.get_ldb_connection(user_name, "samba123@")
695 # Change Schema partition descriptor
696 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
697 mod = "(A;;WDCC;;;AU)"
698 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
699 # Create example Schema class
700 class_dn = self.create_schema_class(_ldb)
701 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
702 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
703 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
704 self.check_modify_inheritance(_ldb, class_dn)
707 user_name = "testuser2"
708 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
709 # Open Ldb connection with the tested user
710 _ldb = self.get_ldb_connection(user_name, "samba123@")
711 # Change Schema partition descriptor
712 mod = "(A;CI;WDCC;;;AU)"
713 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
714 # Create example Schema class
715 class_dn = self.create_schema_class(_ldb)
716 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
717 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
718 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
719 self.check_modify_inheritance(_ldb, class_dn)
722 user_name = "testuser3"
723 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
724 # Open Ldb connection with the tested user
725 _ldb = self.get_ldb_connection(user_name, "samba123@")
726 # Change Schema partition descriptor
727 mod = "(A;CI;WDCC;;;AU)"
728 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
729 # Create example Schema class
730 class_dn = self.create_schema_class(_ldb)
731 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
732 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
733 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
734 #self.check_modify_inheritance(_ldb, class_dn)
737 user_name = "testuser4"
738 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
739 # Open Ldb connection with the tested user
740 _ldb = self.get_ldb_connection(user_name, "samba123@")
741 # Change Schema partition descriptor
742 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
743 mod = "(A;CI;WDCC;;;AU)"
744 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
745 # Create example Schema class
746 class_dn = self.create_schema_class(_ldb)
747 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
748 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
749 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
750 #self.check_modify_inheritance(_ldb, class_dn)
753 user_name = "testuser5"
754 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
755 # Open Ldb connection with the tested user
756 _ldb = self.get_ldb_connection(user_name, "samba123@")
757 # Change Schema partition descriptor
758 mod = "(A;CI;WDCC;;;AU)"
759 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
760 # Create example Schema class
761 class_dn = self.create_schema_class(_ldb)
762 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
763 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
764 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
765 self.check_modify_inheritance(_ldb, class_dn)
768 user_name = "testuser6"
769 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
770 # Open Ldb connection with the tested user
771 _ldb = self.get_ldb_connection(user_name, "samba123@")
772 # Change Schema partition descriptor
773 mod = "(A;CI;WDCC;;;AU)"
774 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
775 # Create example Schema class
776 class_dn = self.create_schema_class(_ldb)
777 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
778 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
779 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
780 self.check_modify_inheritance(_ldb, class_dn)
783 user_name = "testuser7"
784 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
785 # Open Ldb connection with the tested user
786 _ldb = self.get_ldb_connection(user_name, "samba123@")
787 # Change Schema partition descriptor
788 mod = "(A;CI;WDCC;;;AU)"
789 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
790 # Create example Schema class
791 class_dn = self.create_schema_class(_ldb)
792 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
793 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
794 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
795 self.check_modify_inheritance(_ldb, class_dn)
798 user_name = "testuser8"
799 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
800 # Open Ldb connection with the tested user
801 _ldb = self.get_ldb_connection(user_name, "samba123@")
802 # Change Schema partition descriptor
803 mod = "(A;CI;WDCC;;;AU)"
804 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
805 # Create example Schema class
806 class_dn = self.create_schema_class(_ldb)
807 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
808 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
809 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
810 self.check_modify_inheritance(_ldb, class_dn)
812 # Custom descriptor tests ##################################################################
815 user_name = "testuser1"
816 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
817 # Open Ldb connection with the tested user
818 _ldb = self.get_ldb_connection(user_name, "samba123@")
819 # Change Schema partition descriptor
821 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
822 # Create a custom security descriptor
823 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
824 # Create example Schema class
825 class_dn = self.create_schema_class(_ldb, desc_sddl)
826 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
827 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
828 self.assertEqual("O:DAG:DA", res)
831 user_name = "testuser2"
832 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
833 # Open Ldb connection with the tested user
834 _ldb = self.get_ldb_connection(user_name, "samba123@")
835 # Change Schema partition descriptor
837 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
838 # Create a custom security descriptor
839 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
840 # Create example Schema class
841 class_dn = self.create_schema_class(_ldb, desc_sddl)
842 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
843 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
844 self.assertEqual("O:DAG:DA", res)
847 user_name = "testuser3"
848 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
849 # Open Ldb connection with the tested user
850 _ldb = self.get_ldb_connection(user_name, "samba123@")
851 # Create a custom security descriptor
852 # NB! Problematic owner part won't accept DA only <User Sid> !!!
853 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
854 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
855 # Create example Schema class
856 class_dn = self.create_schema_class(_ldb, desc_sddl)
857 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
858 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
859 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
862 user_name = "testuser4"
863 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
864 # Open Ldb connection with the tested user
865 _ldb = self.get_ldb_connection(user_name, "samba123@")
866 # Create a custom security descriptor
867 # NB! Problematic owner part won't accept DA only <User Sid> !!!
868 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
869 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
870 # Create example Schema class
871 class_dn = self.create_schema_class(_ldb, desc_sddl)
872 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
873 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
874 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
877 user_name = "testuser5"
878 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
879 # Open Ldb connection with the tested user
880 _ldb = self.get_ldb_connection(user_name, "samba123@")
881 # Change Schema partition descriptor
883 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
884 # Create a custom security descriptor
885 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
886 # Create example Schema class
887 class_dn = self.create_schema_class(_ldb, desc_sddl)
888 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
889 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
890 self.assertEqual("O:DAG:DA", res)
893 user_name = "testuser6"
894 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
895 # Open Ldb connection with the tested user
896 _ldb = self.get_ldb_connection(user_name, "samba123@")
897 # Change Schema partition descriptor
899 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
900 # Create a custom security descriptor
901 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
902 # Create example Schema class
903 class_dn = self.create_schema_class(_ldb, desc_sddl)
904 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
905 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
906 self.assertEqual("O:DAG:DA", res)
909 user_name = "testuser7"
910 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
911 # Open Ldb connection with the tested user
912 _ldb = self.get_ldb_connection(user_name, "samba123@")
913 # Change Schema partition descriptor
915 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
916 # Create a custom security descriptor
917 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
918 # Create example Schema class
919 class_dn = self.create_schema_class(_ldb, desc_sddl)
920 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
921 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
922 self.assertEqual("O:DAG:DA", res)
925 user_name = "testuser8"
926 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
927 # Open Ldb connection with the tested user
928 _ldb = self.get_ldb_connection(user_name, "samba123@")
929 # Change Schema partition descriptor
931 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
932 # Create a custom security descriptor
933 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
934 # Create example Schema class
935 class_dn = self.create_schema_class(_ldb, desc_sddl)
936 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
937 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
938 self.assertEqual("O:DAG:DA", res)
940 # Tests for CONFIGURATION
942 # Defalt descriptor tests ##################################################################
945 user_name = "testuser1"
946 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
947 # Open Ldb connection with the tested user
948 _ldb = self.get_ldb_connection(user_name, "samba123@")
949 # Create example Configuration container
950 container_name = "test-container1"
951 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
952 delete_force(self.ldb_admin, object_dn)
953 self.create_configuration_container(_ldb, object_dn, )
954 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
955 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
956 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
957 self.check_modify_inheritance(_ldb, object_dn)
960 user_name = "testuser2"
961 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
962 # Open Ldb connection with the tested user
963 _ldb = self.get_ldb_connection(user_name, "samba123@")
964 # Create example Configuration container
965 container_name = "test-container1"
966 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
967 delete_force(self.ldb_admin, object_dn)
968 self.create_configuration_container(_ldb, object_dn, )
969 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
970 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
971 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
972 self.check_modify_inheritance(_ldb, object_dn)
975 user_name = "testuser3"
976 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
977 # Open Ldb connection with the tested user
978 _ldb = self.get_ldb_connection(user_name, "samba123@")
979 # Create example Configuration container
980 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
981 delete_force(self.ldb_admin, object_dn)
982 self.create_configuration_container(self.ldb_admin, object_dn, )
983 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
984 mod = "(A;;WDCC;;;AU)"
985 self.sd_utils.dacl_add_ace(object_dn, mod)
986 # Create child object with user's credentials
987 object_dn = "CN=test-specifier1," + object_dn
988 delete_force(self.ldb_admin, object_dn)
989 self.create_configuration_specifier(_ldb, object_dn)
990 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
991 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
992 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
993 #self.check_modify_inheritance(_ldb, object_dn)
996 user_name = "testuser4"
997 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
998 # Open Ldb connection with the tested user
999 _ldb = self.get_ldb_connection(user_name, "samba123@")
1000 # Create example Configuration container
1001 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1002 delete_force(self.ldb_admin, object_dn)
1003 self.create_configuration_container(self.ldb_admin, object_dn, )
1004 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
1005 mod = "(A;CI;WDCC;;;AU)"
1006 self.sd_utils.dacl_add_ace(object_dn, mod)
1007 # Create child object with user's credentials
1008 object_dn = "CN=test-specifier1," + object_dn
1009 delete_force(self.ldb_admin, object_dn)
1010 self.create_configuration_specifier(_ldb, object_dn)
1011 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1012 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1013 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1014 #self.check_modify_inheritance(_ldb, object_dn)
1017 user_name = "testuser5"
1018 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1019 # Open Ldb connection with the tested user
1020 _ldb = self.get_ldb_connection(user_name, "samba123@")
1021 # Create example Configuration container
1022 container_name = "test-container1"
1023 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1024 delete_force(self.ldb_admin, object_dn)
1025 self.create_configuration_container(_ldb, object_dn, )
1026 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1027 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1028 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1029 self.check_modify_inheritance(_ldb, object_dn)
1032 user_name = "testuser6"
1033 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1034 # Open Ldb connection with the tested user
1035 _ldb = self.get_ldb_connection(user_name, "samba123@")
1036 # Create example Configuration container
1037 container_name = "test-container1"
1038 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1039 delete_force(self.ldb_admin, object_dn)
1040 self.create_configuration_container(_ldb, object_dn, )
1041 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1042 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1043 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1044 self.check_modify_inheritance(_ldb, object_dn)
1047 user_name = "testuser7"
1048 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1049 # Open Ldb connection with the tested user
1050 _ldb = self.get_ldb_connection(user_name, "samba123@")
1051 # Create example Configuration container
1052 container_name = "test-container1"
1053 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1054 delete_force(self.ldb_admin, object_dn)
1055 self.create_configuration_container(_ldb, object_dn, )
1056 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1057 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1058 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1059 self.check_modify_inheritance(_ldb, object_dn)
1062 user_name = "testuser8"
1063 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1064 # Open Ldb connection with the tested user
1065 _ldb = self.get_ldb_connection(user_name, "samba123@")
1066 # Create example Configuration container
1067 container_name = "test-container1"
1068 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1069 delete_force(self.ldb_admin, object_dn)
1070 self.create_configuration_container(_ldb, object_dn, )
1071 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1072 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1073 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1074 self.check_modify_inheritance(_ldb, object_dn)
1076 # Custom descriptor tests ##################################################################
1079 user_name = "testuser1"
1080 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1081 # Open Ldb connection with the tested user
1082 _ldb = self.get_ldb_connection(user_name, "samba123@")
1083 # Create example Configuration container
1084 container_name = "test-container1"
1085 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1086 delete_force(self.ldb_admin, object_dn)
1087 # Create a custom security descriptor
1088 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1089 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1090 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1091 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1092 self.assertEqual("O:DAG:DA", res)
1095 user_name = "testuser2"
1096 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1097 # Open Ldb connection with the tested user
1098 _ldb = self.get_ldb_connection(user_name, "samba123@")
1099 # Create example Configuration container
1100 container_name = "test-container1"
1101 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1102 delete_force(self.ldb_admin, object_dn)
1103 # Create a custom security descriptor
1104 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1105 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1106 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1107 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1108 self.assertEqual("O:DAG:DA", res)
1111 user_name = "testuser3"
1112 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1113 # Open Ldb connection with the tested user
1114 _ldb = self.get_ldb_connection(user_name, "samba123@")
1115 # Create example Configuration container
1116 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1117 delete_force(self.ldb_admin, object_dn)
1118 self.create_configuration_container(self.ldb_admin, object_dn, )
1119 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
1120 mod = "(A;;CC;;;AU)"
1121 self.sd_utils.dacl_add_ace(object_dn, mod)
1122 # Create child object with user's credentials
1123 object_dn = "CN=test-specifier1," + object_dn
1124 delete_force(self.ldb_admin, object_dn)
1125 # Create a custom security descriptor
1126 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1127 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1128 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1129 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1130 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1131 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1134 user_name = "testuser4"
1135 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1136 # Open Ldb connection with the tested user
1137 _ldb = self.get_ldb_connection(user_name, "samba123@")
1138 # Create example Configuration container
1139 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1140 delete_force(self.ldb_admin, object_dn)
1141 self.create_configuration_container(self.ldb_admin, object_dn, )
1142 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
1143 mod = "(A;;CC;;;AU)"
1144 self.sd_utils.dacl_add_ace(object_dn, mod)
1145 # Create child object with user's credentials
1146 object_dn = "CN=test-specifier1," + object_dn
1147 delete_force(self.ldb_admin, object_dn)
1148 # Create a custom security descriptor
1149 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1150 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1151 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1152 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1153 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1154 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1157 user_name = "testuser5"
1158 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1159 # Open Ldb connection with the tested user
1160 _ldb = self.get_ldb_connection(user_name, "samba123@")
1161 # Create example Configuration container
1162 container_name = "test-container1"
1163 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1164 delete_force(self.ldb_admin, object_dn)
1165 # Create a custom security descriptor
1166 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1167 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1168 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1169 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1170 self.assertEqual("O:DAG:DA", res)
1173 user_name = "testuser6"
1174 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1175 # Open Ldb connection with the tested user
1176 _ldb = self.get_ldb_connection(user_name, "samba123@")
1177 # Create example Configuration container
1178 container_name = "test-container1"
1179 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1180 delete_force(self.ldb_admin, object_dn)
1181 # Create a custom security descriptor
1182 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1183 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1184 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1185 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1186 self.assertEqual("O:DAG:DA", res)
1189 user_name = "testuser7"
1190 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1191 # Open Ldb connection with the tested user
1192 _ldb = self.get_ldb_connection(user_name, "samba123@")
1193 # Create example Configuration container
1194 container_name = "test-container1"
1195 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1196 delete_force(self.ldb_admin, object_dn)
1197 # Create a custom security descriptor
1198 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1199 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1200 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1201 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1202 self.assertEqual("O:DAG:DA", res)
1205 user_name = "testuser8"
1206 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1207 # Open Ldb connection with the tested user
1208 _ldb = self.get_ldb_connection(user_name, "samba123@")
1209 # Create example Configuration container
1210 container_name = "test-container1"
1211 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1212 delete_force(self.ldb_admin, object_dn)
1213 # Create a custom security descriptor
1214 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1215 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1216 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1217 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1218 self.assertEqual("O:DAG:DA", res)
1220 ########################################################################################
1221 # Inheritance tests for DACL
1224 class DaclDescriptorTests(DescriptorTests):
1226 def deleteAll(self):
1227 delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1228 delete_force(self.ldb_admin, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1229 delete_force(self.ldb_admin, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1230 delete_force(self.ldb_admin, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1231 delete_force(self.ldb_admin, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1232 delete_force(self.ldb_admin, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self.base_dn)
1233 delete_force(self.ldb_admin, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self.base_dn)
1234 delete_force(self.ldb_admin, "OU=test_inherit_ou_p," + self.base_dn)
1235 delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1238 super(DaclDescriptorTests, self).setUp()
1241 def create_clean_ou(self, object_dn):
1242 """ Base repeating setup for unittests to follow """
1243 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE,
1244 expression="distinguishedName=%s" % object_dn)
1245 # Make sure top testing OU has been deleted before starting the test
1246 self.assertEqual(len(res), 0)
1247 self.ldb_admin.create_ou(object_dn)
1248 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1249 # Make sure there are inheritable ACEs initially
1250 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1251 # Find and remove all inherit ACEs
1252 res = re.findall("\(.*?\)", desc_sddl)
1253 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1255 desc_sddl = desc_sddl.replace(x, "")
1256 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1257 # can propagate from above
1258 # remove SACL, we are not interested
1259 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1260 self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
1261 # Verify all inheritable ACEs are gone
1262 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1263 self.assertFalse("CI" in desc_sddl)
1264 self.assertFalse("OI" in desc_sddl)
1267 """ OU with protected flag and child group. See if the group has inherit ACEs.
1269 ou_dn = "OU=test_inherit_ou," + self.base_dn
1270 group_dn = "CN=test_inherit_group," + ou_dn
1271 # Create inheritable-free OU
1272 self.create_clean_ou(ou_dn)
1273 # Create group child object
1274 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1275 # Make sure created group object contains NO inherit ACEs
1276 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1277 self.assertFalse("ID" in desc_sddl)
1280 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1281 Verify group has custom and default ACEs only.
1283 ou_dn = "OU=test_inherit_ou," + self.base_dn
1284 group_dn = "CN=test_inherit_group," + ou_dn
1285 # Create inheritable-free OU
1286 self.create_clean_ou(ou_dn)
1287 # Create group child object using custom security descriptor
1288 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1289 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
1290 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1291 # Make sure created group descriptor has NO additional ACEs
1292 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1293 self.assertEqual(desc_sddl, sddl)
1294 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1295 self.sd_utils.modify_sd_on_dn(group_dn, sddl)
1296 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1297 self.assertEqual(desc_sddl, sddl)
1300 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1301 See if the group has any of the added ACEs.
1303 ou_dn = "OU=test_inherit_ou," + self.base_dn
1304 group_dn = "CN=test_inherit_group," + ou_dn
1305 # Create inheritable-free OU
1306 self.create_clean_ou(ou_dn)
1307 # Add some custom non-inheritable ACEs
1308 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1309 moded = "(D;;CC;;;LG)"
1310 self.sd_utils.dacl_add_ace(ou_dn, mod)
1311 # Verify all inheritable ACEs are gone
1312 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1313 # Create group child object
1314 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1315 # Make sure created group object contains NO inherit ACEs
1316 # also make sure the added above non-inheritable ACEs are absent too
1317 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1318 self.assertFalse("ID" in desc_sddl)
1319 for x in re.findall("\(.*?\)", mod):
1320 self.assertFalse(x in desc_sddl)
1321 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1322 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1323 self.assertFalse("ID" in desc_sddl)
1324 for x in re.findall("\(.*?\)", mod):
1325 self.assertFalse(x in desc_sddl)
1328 """ OU with protected flag and add 'CI' ACE, child group.
1329 See if the group has the added inherited ACE.
1331 ou_dn = "OU=test_inherit_ou," + self.base_dn
1332 group_dn = "CN=test_inherit_group," + ou_dn
1333 # Create inheritable-free OU
1334 self.create_clean_ou(ou_dn)
1335 # Add some custom 'CI' ACE
1336 mod = "(D;CI;WP;;;DU)"
1337 moded = "(D;;CC;;;LG)"
1338 self.sd_utils.dacl_add_ace(ou_dn, mod)
1339 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1340 # Create group child object
1341 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1342 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1343 # Make sure created group object contains only the above inherited ACE
1344 # that we've added manually
1345 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1346 mod = mod.replace(";CI;", ";CIID;")
1347 self.assertTrue(mod in desc_sddl)
1348 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1349 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1350 self.assertTrue(moded in desc_sddl)
1351 self.assertTrue(mod in desc_sddl)
1354 """ OU with protected flag and add 'OI' ACE, child group.
1355 See if the group has the added inherited ACE.
1357 ou_dn = "OU=test_inherit_ou," + self.base_dn
1358 group_dn = "CN=test_inherit_group," + ou_dn
1359 # Create inheritable-free OU
1360 self.create_clean_ou(ou_dn)
1361 # Add some custom 'CI' ACE
1362 mod = "(D;OI;WP;;;DU)"
1363 moded = "(D;;CC;;;LG)"
1364 self.sd_utils.dacl_add_ace(ou_dn, mod)
1365 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1366 # Create group child object
1367 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1368 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1369 # Make sure created group object contains only the above inherited ACE
1370 # that we've added manually
1371 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1372 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1373 self.assertTrue(mod in desc_sddl)
1374 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1375 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1376 self.assertTrue(moded in desc_sddl)
1377 self.assertTrue(mod in desc_sddl)
1380 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1381 See if the group has the added inherited ACE.
1383 ou_dn = "OU=test_inherit_ou," + self.base_dn
1384 group_dn = "CN=test_inherit_group," + ou_dn
1385 # Create inheritable-free OU
1386 self.create_clean_ou(ou_dn)
1387 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1388 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1389 moded = "(D;;CC;;;LG)"
1390 self.sd_utils.dacl_add_ace(ou_dn, mod)
1391 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1392 # Create group child object
1393 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1394 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1395 # Make sure created group object contains only the above inherited ACE
1396 # that we've added manually
1397 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1398 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1399 self.assertTrue(mod in desc_sddl)
1400 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1401 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1402 self.assertTrue(moded in desc_sddl)
1403 self.assertTrue(mod in desc_sddl)
1406 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1407 See if the group has the added inherited ACE.
1409 ou_dn = "OU=test_inherit_ou," + self.base_dn
1410 group_dn = "CN=test_inherit_group," + ou_dn
1411 # Create inheritable-free OU
1412 self.create_clean_ou(ou_dn)
1413 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1414 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1415 moded = "(D;;CC;;;LG)"
1416 self.sd_utils.dacl_add_ace(ou_dn, mod)
1417 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1418 # Create group child object
1419 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1420 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1421 # Make sure created group object contains only the above inherited ACE
1422 # that we've added manually
1423 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1424 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1425 self.assertTrue(mod in desc_sddl)
1426 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1427 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1428 self.assertTrue(moded in desc_sddl)
1429 self.assertTrue(mod in desc_sddl)
1432 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1433 See if the group has the added inherited ACE.
1435 ou_dn = "OU=test_inherit_ou," + self.base_dn
1436 group_dn = "CN=test_inherit_group," + ou_dn
1437 # Create inheritable-free OU
1438 self.create_clean_ou(ou_dn)
1439 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1440 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1441 moded = "(D;;CC;;;LG)"
1442 self.sd_utils.dacl_add_ace(ou_dn, mod)
1443 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1444 # Create group child object
1445 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1446 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1447 # Make sure created group object contains only the above inherited ACE
1448 # that we've added manually
1449 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1450 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1451 self.assertTrue(mod in desc_sddl)
1452 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1453 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1454 self.assertTrue(moded in desc_sddl)
1455 self.assertTrue(mod in desc_sddl)
1458 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1459 See if the group has the added inherited ACE.
1461 ou_dn = "OU=test_inherit_ou," + self.base_dn
1462 group_dn = "CN=test_inherit_group," + ou_dn
1463 # Create inheritable-free OU
1464 self.create_clean_ou(ou_dn)
1465 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1466 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1467 moded = "(D;;CC;;;LG)"
1468 self.sd_utils.dacl_add_ace(ou_dn, mod)
1469 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1470 # Create group child object
1471 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1472 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1473 # Make sure created group object contains only the above inherited ACE
1474 # that we've added manually
1475 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1476 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1477 self.assertTrue(mod in desc_sddl)
1478 self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1479 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1480 self.assertTrue(moded in desc_sddl)
1481 self.assertTrue(mod in desc_sddl)
1484 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1485 See if the group has the added inherited ACE.
1487 ou_dn = "OU=test_inherit_ou," + self.base_dn
1488 group_dn = "CN=test_inherit_group," + ou_dn
1489 # Create inheritable-free OU
1490 self.create_clean_ou(ou_dn)
1491 # Add some custom 'CI' ACE
1492 mod = "(D;CI;WP;;;CO)"
1493 moded = "(D;;CC;;;LG)"
1494 self.sd_utils.dacl_add_ace(ou_dn, mod)
1495 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1496 # Create group child object
1497 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1498 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1499 # Make sure created group object contains only the above inherited ACE(s)
1500 # that we've added manually
1501 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1502 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1503 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1504 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1505 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1506 self.assertTrue(moded in desc_sddl)
1507 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1508 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1511 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1513 ou_dn = "OU=test_inherit_ou," + self.base_dn
1514 group_dn = "CN=test_inherit_group," + ou_dn
1515 self.create_clean_ou(ou_dn)
1516 # Add some custom ACE
1517 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1518 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1519 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1520 # Make sure created group object does not contain the ID ace
1521 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1522 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1525 """ Provide ACE with CO SID, should be expanded and replaced
1527 ou_dn = "OU=test_inherit_ou," + self.base_dn
1528 group_dn = "CN=test_inherit_group," + ou_dn
1529 # Create inheritable-free OU
1530 self.create_clean_ou(ou_dn)
1531 # Add some custom 'CI' ACE
1532 mod = "D:(D;CI;WP;;;CO)"
1533 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1534 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1535 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1536 self.assertTrue("(D;;WP;;;DA)" in desc_sddl)
1537 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1540 """ Provide ACE with IO flag, should be ignored
1542 ou_dn = "OU=test_inherit_ou," + self.base_dn
1543 group_dn = "CN=test_inherit_group," + ou_dn
1544 # Create inheritable-free OU
1545 self.create_clean_ou(ou_dn)
1546 # Add some custom 'CI' ACE
1547 mod = "D:(D;CIIO;WP;;;CO)"
1548 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1549 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1550 # Make sure created group object contains only the above inherited ACE(s)
1551 # that we've added manually
1552 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1553 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1554 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1555 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1558 """ Provide ACE with IO flag, should be ignored
1560 ou_dn = "OU=test_inherit_ou," + self.base_dn
1561 group_dn = "CN=test_inherit_group," + ou_dn
1562 # Create inheritable-free OU
1563 self.create_clean_ou(ou_dn)
1564 mod = "D:(D;IO;WP;;;DA)"
1565 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1566 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1567 # Make sure created group object contains only the above inherited ACE(s)
1568 # that we've added manually
1569 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1570 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1573 """ Test behavior of ACEs containing generic rights
1575 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1576 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1577 ou_dn2 = "OU=test_inherit_ou2," + ou_dn
1578 ou_dn3 = "OU=test_inherit_ou3," + ou_dn
1579 ou_dn4 = "OU=test_inherit_ou4," + ou_dn
1580 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1581 ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
1582 # Create inheritable-free OU
1583 mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1584 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1585 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1586 mod = "D:(A;CI;GA;;;DU)"
1587 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1588 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1589 mod = "D:(A;CIIO;GA;;;DU)"
1590 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1591 self.ldb_admin.create_ou(ou_dn2, sd=tmp_desc)
1592 mod = "D:(A;;GA;;;DU)"
1593 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1594 self.ldb_admin.create_ou(ou_dn3, sd=tmp_desc)
1595 mod = "D:(A;IO;GA;;;DU)"
1596 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1597 self.ldb_admin.create_ou(ou_dn4, sd=tmp_desc)
1599 self.ldb_admin.create_ou(ou_dn5)
1600 self.ldb_admin.create_ou(ou_dn6)
1602 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
1603 self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1604 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1605 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
1606 self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1607 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1608 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
1609 self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1610 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1611 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
1612 self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1613 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1614 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1615 self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1616 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1617 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
1618 self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1619 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1622 """ Make sure IO flag is removed in child objects
1624 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1625 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1626 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1627 # Create inheritable-free OU
1628 mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1629 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1630 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1631 mod = "D:(A;CIIO;WP;;;DU)"
1632 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1633 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1634 self.ldb_admin.create_ou(ou_dn5)
1635 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1636 self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
1637 self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
1640 """ Make sure ID ACES provided by user are ignored
1642 ou_dn = "OU=test_inherit_ou," + self.base_dn
1643 group_dn = "CN=test_inherit_group," + ou_dn
1644 mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1645 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1646 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1647 # Add some custom ACE
1648 mod = "D:(D;ID;WP;;;AU)"
1649 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1650 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1651 # Make sure created group object does not contain the ID ace
1652 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1653 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1654 self.assertFalse("(A;;WP;;;AU)" in desc_sddl)
1657 """ Make sure ID ACES provided by user are not ignored if P flag is set
1659 ou_dn = "OU=test_inherit_ou," + self.base_dn
1660 group_dn = "CN=test_inherit_group," + ou_dn
1661 mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1662 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1663 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1664 # Add some custom ACE
1665 mod = "D:P(A;ID;WP;;;AU)"
1666 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1667 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1668 # Make sure created group object does not contain the ID ace
1669 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1670 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1671 self.assertTrue("(A;;WP;;;AU)" in desc_sddl)
1673 ########################################################################################
1676 class SdFlagsDescriptorTests(DescriptorTests):
1677 def deleteAll(self):
1678 delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1681 super(SdFlagsDescriptorTests, self).setUp()
1682 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1686 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1687 See that only the owner has been changed.
1689 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1690 self.ldb_admin.create_ou(ou_dn)
1691 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1692 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1693 # make sure we have modified the owner
1694 self.assertTrue("O:AU" in desc_sddl)
1695 # make sure nothing else has been modified
1696 self.assertFalse("G:AU" in desc_sddl)
1697 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1698 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1701 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1702 See that only the owner has been changed.
1704 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1705 self.ldb_admin.create_ou(ou_dn)
1706 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1707 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1708 # make sure we have modified the group
1709 self.assertTrue("G:AU" in desc_sddl)
1710 # make sure nothing else has been modified
1711 self.assertFalse("O:AU" in desc_sddl)
1712 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1713 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1716 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1717 See that only the owner has been changed.
1719 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1720 self.ldb_admin.create_ou(ou_dn)
1721 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1722 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1723 # make sure we have modified the DACL
1724 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1725 # make sure nothing else has been modified
1726 self.assertFalse("O:AU" in desc_sddl)
1727 self.assertFalse("G:AU" in desc_sddl)
1728 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1731 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1732 See that only the owner has been changed.
1734 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1735 self.ldb_admin.create_ou(ou_dn)
1736 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1737 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1738 # make sure we have modified the DACL
1739 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1740 # make sure nothing else has been modified
1741 self.assertFalse("O:AU" in desc_sddl)
1742 self.assertFalse("G:AU" in desc_sddl)
1743 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1746 """ Modify a descriptor with 0x0 set.
1747 Contrary to logic this is interpreted as no control,
1748 which is the same as 0xF
1750 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1751 self.ldb_admin.create_ou(ou_dn)
1752 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1753 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1754 # make sure we have modified the DACL
1755 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1756 # make sure nothing else has been modified
1757 self.assertTrue("O:AU" in desc_sddl)
1758 self.assertTrue("G:AU" in desc_sddl)
1759 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1762 """ Modify a descriptor with 0xF set.
1764 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1765 self.ldb_admin.create_ou(ou_dn)
1766 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1767 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1768 # make sure we have modified the DACL
1769 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1770 # make sure nothing else has been modified
1771 self.assertTrue("O:AU" in desc_sddl)
1772 self.assertTrue("G:AU" in desc_sddl)
1773 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1776 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1777 Only the owner part should be returned.
1779 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1780 self.ldb_admin.create_ou(ou_dn)
1781 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1782 # make sure we have read the owner
1783 self.assertTrue("O:" in desc_sddl)
1784 # make sure we have read nothing else
1785 self.assertFalse("G:" in desc_sddl)
1786 self.assertFalse("D:" in desc_sddl)
1787 self.assertFalse("S:" in desc_sddl)
1790 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1791 Only the group part should be returned.
1793 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1794 self.ldb_admin.create_ou(ou_dn)
1795 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1796 # make sure we have read the owner
1797 self.assertTrue("G:" in desc_sddl)
1798 # make sure we have read nothing else
1799 self.assertFalse("O:" in desc_sddl)
1800 self.assertFalse("D:" in desc_sddl)
1801 self.assertFalse("S:" in desc_sddl)
1804 """ Read a descriptor with SACL_SECURITY_INFORMATION
1805 Only the sacl part should be returned.
1807 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1808 self.ldb_admin.create_ou(ou_dn)
1809 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1810 # make sure we have read the owner
1811 self.assertTrue("S:" in desc_sddl)
1812 # make sure we have read nothing else
1813 self.assertFalse("O:" in desc_sddl)
1814 self.assertFalse("D:" in desc_sddl)
1815 self.assertFalse("G:" in desc_sddl)
1818 """ Read a descriptor with DACL_SECURITY_INFORMATION
1819 Only the dacl part should be returned.
1821 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1822 self.ldb_admin.create_ou(ou_dn)
1823 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1824 # make sure we have read the owner
1825 self.assertTrue("D:" in desc_sddl)
1826 # make sure we have read nothing else
1827 self.assertFalse("O:" in desc_sddl)
1828 self.assertFalse("S:" in desc_sddl)
1829 self.assertFalse("G:" in desc_sddl)
1832 sd_flags = (SECINFO_OWNER |
1837 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1839 self.assertFalse("nTSecurityDescriptor" in res[0])
1841 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1842 ["name"], controls=None)
1843 self.assertFalse("nTSecurityDescriptor" in res[0])
1845 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1846 ["name"], controls=["sd_flags:1:%d" % (sd_flags)])
1847 self.assertFalse("nTSecurityDescriptor" in res[0])
1849 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1850 [], controls=["sd_flags:1:%d" % (sd_flags)])
1851 self.assertTrue("nTSecurityDescriptor" in res[0])
1852 tmp = res[0]["nTSecurityDescriptor"][0]
1853 sd = ndr_unpack(security.descriptor, tmp)
1854 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1855 self.assertTrue("O:" in sddl)
1856 self.assertTrue("G:" in sddl)
1857 self.assertTrue("D:" in sddl)
1858 self.assertTrue("S:" in sddl)
1860 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1861 ["*"], controls=["sd_flags:1:%d" % (sd_flags)])
1862 self.assertTrue("nTSecurityDescriptor" in res[0])
1863 tmp = res[0]["nTSecurityDescriptor"][0]
1864 sd = ndr_unpack(security.descriptor, tmp)
1865 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1866 self.assertTrue("O:" in sddl)
1867 self.assertTrue("G:" in sddl)
1868 self.assertTrue("D:" in sddl)
1869 self.assertTrue("S:" in sddl)
1871 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1872 ["nTSecurityDescriptor", "*"], controls=["sd_flags:1:%d" % (sd_flags)])
1873 self.assertTrue("nTSecurityDescriptor" in res[0])
1874 tmp = res[0]["nTSecurityDescriptor"][0]
1875 sd = ndr_unpack(security.descriptor, tmp)
1876 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1877 self.assertTrue("O:" in sddl)
1878 self.assertTrue("G:" in sddl)
1879 self.assertTrue("D:" in sddl)
1880 self.assertTrue("S:" in sddl)
1882 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1883 ["*", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
1884 self.assertTrue("nTSecurityDescriptor" in res[0])
1885 tmp = res[0]["nTSecurityDescriptor"][0]
1886 sd = ndr_unpack(security.descriptor, tmp)
1887 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1888 self.assertTrue("O:" in sddl)
1889 self.assertTrue("G:" in sddl)
1890 self.assertTrue("D:" in sddl)
1891 self.assertTrue("S:" in sddl)
1893 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1894 ["nTSecurityDescriptor", "name"], controls=["sd_flags:1:%d" % (sd_flags)])
1895 self.assertTrue("nTSecurityDescriptor" in res[0])
1896 tmp = res[0]["nTSecurityDescriptor"][0]
1897 sd = ndr_unpack(security.descriptor, tmp)
1898 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1899 self.assertTrue("O:" in sddl)
1900 self.assertTrue("G:" in sddl)
1901 self.assertTrue("D:" in sddl)
1902 self.assertTrue("S:" in sddl)
1904 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1905 ["name", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
1906 self.assertTrue("nTSecurityDescriptor" in res[0])
1907 tmp = res[0]["nTSecurityDescriptor"][0]
1908 sd = ndr_unpack(security.descriptor, tmp)
1909 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1910 self.assertTrue("O:" in sddl)
1911 self.assertTrue("G:" in sddl)
1912 self.assertTrue("D:" in sddl)
1913 self.assertTrue("S:" in sddl)
1915 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1916 ["nTSecurityDescriptor"], controls=None)
1917 self.assertTrue("nTSecurityDescriptor" in res[0])
1918 tmp = res[0]["nTSecurityDescriptor"][0]
1919 sd = ndr_unpack(security.descriptor, tmp)
1920 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1921 self.assertTrue("O:" in sddl)
1922 self.assertTrue("G:" in sddl)
1923 self.assertTrue("D:" in sddl)
1924 self.assertTrue("S:" in sddl)
1926 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1927 ["name", "nTSecurityDescriptor"], controls=None)
1928 self.assertTrue("nTSecurityDescriptor" in res[0])
1929 tmp = res[0]["nTSecurityDescriptor"][0]
1930 sd = ndr_unpack(security.descriptor, tmp)
1931 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1932 self.assertTrue("O:" in sddl)
1933 self.assertTrue("G:" in sddl)
1934 self.assertTrue("D:" in sddl)
1935 self.assertTrue("S:" in sddl)
1937 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1938 ["nTSecurityDescriptor", "name"], controls=None)
1939 self.assertTrue("nTSecurityDescriptor" in res[0])
1940 tmp = res[0]["nTSecurityDescriptor"][0]
1941 sd = ndr_unpack(security.descriptor, tmp)
1942 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1943 self.assertTrue("O:" in sddl)
1944 self.assertTrue("G:" in sddl)
1945 self.assertTrue("D:" in sddl)
1946 self.assertTrue("S:" in sddl)
1949 """This search is done by the windows dc join..."""
1951 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["1.1"],
1952 controls=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"])
1953 self.assertFalse("nTSecurityDescriptor" in res[0])
1956 class RightsAttributesTests(DescriptorTests):
1958 def deleteAll(self):
1959 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1960 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1961 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1964 super(RightsAttributesTests, self).setUp()
1968 self.ldb_admin.newuser("testuser_attr", "samba123@")
1969 # User 2, Domain Admins
1970 self.ldb_admin.newuser("testuser_attr2", "samba123@")
1971 self.ldb_admin.add_remove_group_members("Domain Admins",
1973 add_members_operation=True)
1975 def test_sDRightsEffective(self):
1976 object_dn = "OU=test_domain_ou1," + self.base_dn
1977 delete_force(self.ldb_admin, object_dn)
1978 self.ldb_admin.create_ou(object_dn)
1979 print(self.get_users_domain_dn("testuser_attr"))
1980 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1981 # give testuser1 read access so attributes can be retrieved
1982 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1983 self.sd_utils.dacl_add_ace(object_dn, mod)
1984 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1985 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1986 attrs=["sDRightsEffective"])
1987 # user whould have no rights at all
1988 self.assertEquals(len(res), 1)
1989 self.assertEquals(str(res[0]["sDRightsEffective"][0]), "0")
1990 # give the user Write DACL and see what happens
1991 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1992 self.sd_utils.dacl_add_ace(object_dn, mod)
1993 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1994 attrs=["sDRightsEffective"])
1995 # user whould have DACL_SECURITY_INFORMATION
1996 self.assertEquals(len(res), 1)
1997 self.assertEquals(str(res[0]["sDRightsEffective"][0]), ("%d") % SECINFO_DACL)
1998 # give the user Write Owners and see what happens
1999 mod = "(A;CI;WO;;;%s)" % str(user_sid)
2000 self.sd_utils.dacl_add_ace(object_dn, mod)
2001 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2002 attrs=["sDRightsEffective"])
2003 # user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2004 self.assertEquals(len(res), 1)
2005 self.assertEquals(str(res[0]["sDRightsEffective"][0]), ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
2006 # no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
2007 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
2008 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2009 attrs=["sDRightsEffective"])
2010 # user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2011 self.assertEquals(len(res), 1)
2012 self.assertEquals(str(res[0]["sDRightsEffective"][0]),
2013 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
2015 def test_allowedChildClassesEffective(self):
2016 object_dn = "OU=test_domain_ou1," + self.base_dn
2017 delete_force(self.ldb_admin, object_dn)
2018 self.ldb_admin.create_ou(object_dn)
2019 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2020 # give testuser1 read access so attributes can be retrieved
2021 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2022 self.sd_utils.dacl_add_ace(object_dn, mod)
2023 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2024 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2025 attrs=["allowedChildClassesEffective"])
2026 # there should be no allowed child classes
2027 self.assertEquals(len(res), 1)
2028 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
2029 # give the user the right to create children of type user
2030 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2031 self.sd_utils.dacl_add_ace(object_dn, mod)
2032 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2033 attrs=["allowedChildClassesEffective"])
2034 # allowedChildClassesEffective should only have one value, user
2035 self.assertEquals(len(res), 1)
2036 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
2037 self.assertEquals(str(res[0]["allowedChildClassesEffective"][0]), "user")
2039 def test_allowedAttributesEffective(self):
2040 object_dn = "OU=test_domain_ou1," + self.base_dn
2041 delete_force(self.ldb_admin, object_dn)
2042 self.ldb_admin.create_ou(object_dn)
2043 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2044 # give testuser1 read access so attributes can be retrieved
2045 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2046 self.sd_utils.dacl_add_ace(object_dn, mod)
2047 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2048 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2049 attrs=["allowedAttributesEffective"])
2050 # there should be no allowed attributes
2051 self.assertEquals(len(res), 1)
2052 self.assertFalse("allowedAttributesEffective" in res[0].keys())
2053 # give the user the right to write displayName and managedBy
2054 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2055 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
2056 # also rights to modify an read only attribute, fromEntry
2057 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
2058 self.sd_utils.dacl_add_ace(object_dn, mod + mod2 + mod3)
2059 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2060 attrs=["allowedAttributesEffective"])
2061 # value should only contain user and managedBy
2062 self.assertEquals(len(res), 1)
2063 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
2064 self.assertTrue(b"displayName" in res[0]["allowedAttributesEffective"])
2065 self.assertTrue(b"managedBy" in res[0]["allowedAttributesEffective"])
2068 class SdAutoInheritTests(DescriptorTests):
2069 def deleteAll(self):
2070 delete_force(self.ldb_admin, self.sub_dn)
2071 delete_force(self.ldb_admin, self.ou_dn)
2074 super(SdAutoInheritTests, self).setUp()
2075 self.ou_dn = "OU=test_SdAutoInherit_ou," + self.base_dn
2076 self.sub_dn = "OU=test_sub," + self.ou_dn
2080 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
2081 See that only the owner has been changed.
2083 attrs = ["nTSecurityDescriptor", "replPropertyMetaData", "uSNChanged"]
2084 controls = ["sd_flags:1:%d" % (SECINFO_DACL)]
2085 ace = "(A;CI;CC;;;NU)"
2086 sub_ace = "(A;CIID;CC;;;NU)"
2087 sd_sddl = "O:BAG:BAD:P(A;CI;0x000f01ff;;;AU)"
2088 sd = security.descriptor.from_sddl(sd_sddl, self.domain_sid)
2090 self.ldb_admin.create_ou(self.ou_dn, sd=sd)
2091 self.ldb_admin.create_ou(self.sub_dn)
2093 ou_res0 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
2094 None, attrs, controls=controls)
2095 sub_res0 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
2096 None, attrs, controls=controls)
2098 ou_sd0 = ndr_unpack(security.descriptor, ou_res0[0]["nTSecurityDescriptor"][0])
2099 sub_sd0 = ndr_unpack(security.descriptor, sub_res0[0]["nTSecurityDescriptor"][0])
2101 ou_sddl0 = ou_sd0.as_sddl(self.domain_sid)
2102 sub_sddl0 = sub_sd0.as_sddl(self.domain_sid)
2104 self.assertFalse(ace in ou_sddl0)
2105 self.assertFalse(ace in sub_sddl0)
2107 ou_sddl1 = (ou_sddl0[:ou_sddl0.index("(")] + ace +
2108 ou_sddl0[ou_sddl0.index("("):])
2110 sub_sddl1 = (sub_sddl0[:sub_sddl0.index("(")] + ace +
2111 sub_sddl0[sub_sddl0.index("("):])
2113 self.sd_utils.modify_sd_on_dn(self.ou_dn, ou_sddl1, controls=controls)
2115 sub_res2 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
2116 None, attrs, controls=controls)
2117 ou_res2 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
2118 None, attrs, controls=controls)
2120 ou_sd2 = ndr_unpack(security.descriptor, ou_res2[0]["nTSecurityDescriptor"][0])
2121 sub_sd2 = ndr_unpack(security.descriptor, sub_res2[0]["nTSecurityDescriptor"][0])
2123 ou_sddl2 = ou_sd2.as_sddl(self.domain_sid)
2124 sub_sddl2 = sub_sd2.as_sddl(self.domain_sid)
2126 self.assertFalse(ou_sddl2 == ou_sddl0)
2127 self.assertFalse(sub_sddl2 == sub_sddl0)
2129 if ace not in ou_sddl2:
2130 print("ou0: %s" % ou_sddl0)
2131 print("ou2: %s" % ou_sddl2)
2133 if sub_ace not in sub_sddl2:
2134 print("sub0: %s" % sub_sddl0)
2135 print("sub2: %s" % sub_sddl2)
2137 self.assertTrue(ace in ou_sddl2)
2138 self.assertTrue(sub_ace in sub_sddl2)
2140 ou_usn0 = int(ou_res0[0]["uSNChanged"][0])
2141 ou_usn2 = int(ou_res2[0]["uSNChanged"][0])
2142 self.assertTrue(ou_usn2 > ou_usn0)
2144 sub_usn0 = int(sub_res0[0]["uSNChanged"][0])
2145 sub_usn2 = int(sub_res2[0]["uSNChanged"][0])
2146 self.assertTrue(sub_usn2 == sub_usn0)
2149 if "://" not in host:
2150 if os.path.isfile(host):
2151 host = "tdb://%s" % host
2153 host = "ldap://%s" % host
2155 # use 'paged_search' module when connecting remotely
2156 if host.lower().startswith("ldap://"):
2157 ldb_options = ["modules:paged_searches"]
2159 TestProgram(module=__name__, opts=subunitopts)