The branch, master has been updated via 35380fa6a5b gpupdate: Use winbind separator in PAM Access Policies via 893cfefa9ed gpupdate: Test that PAM Access uses winbind separator from f3fad5a189f libcli/security: prepare sddl machine/forest_sid handling
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 35380fa6a5bcf84827a007332f83ac7f84ffacbb Author: David Mulder <dmul...@samba.org> Date: Thu Mar 16 15:31:33 2023 -0600 gpupdate: Use winbind separator in PAM Access Policies Signed-off-by: David Mulder <dmul...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Mon Mar 20 20:20:41 UTC 2023 on atb-devel-224 commit 893cfefa9ed6048fc45d0a5d2b48a4821e8ff3d1 Author: David Mulder <dmul...@samba.org> Date: Thu Mar 16 15:39:47 2023 -0600 gpupdate: Test that PAM Access uses winbind separator Signed-off-by: David Mulder <dmul...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: python/samba/gp/vgp_access_ext.py | 18 ++++++++++++++---- python/samba/tests/gpo.py | 11 +++++++---- 2 files changed, 21 insertions(+), 8 deletions(-) Changeset truncated at 500 lines:
diff --git a/python/samba/gp/vgp_access_ext.py b/python/samba/gp/vgp_access_ext.py
index c41bc678176..4748352d14a 100644
--- a/python/samba/gp/vgp_access_ext.py
+++ b/python/samba/gp/vgp_access_ext.py
@@ -82,6 +82,7 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
 deny_conf = self.parse(path)
 entries = []
 policy_files = []
+ winbind_sep = self.lp.get('winbind separator')
 if allow_conf:
 policy = allow_conf.find('policysetting')
 data = policy.find('data')
@@ -90,7 +91,9 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
 adobject = listelement.find('adobject')
 name = adobject.find('name').text
 domain = adobject.find('domain').text
- entries.append('+:%s\\%s:ALL' % (domain, name))
+ entries.append('+:%s%s%s:ALL' % (domain,
+ winbind_sep,
+ name))
 if len(allow_listelements) > 0:
 log.info('Adding an implicit deny ALL because an allow'
 ' entry is present')
@@ -102,7 +105,9 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
 adobject = listelement.find('adobject')
 name = adobject.find('name').text
 domain = adobject.find('domain').text
- entries.append('-:%s\\%s:ALL' % (domain, name))
+ entries.append('-:%s%s%s:ALL' % (domain,
+ winbind_sep,
+ name))
 if len(allow_listelements) > 0:
 log.warn("Deny entry '%s' is meaningless with "
 "allow present" % entries[-1])
@@ -143,6 +148,7 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
 path = os.path.join(gpo.file_sys_path, deny)
 deny_conf = self.parse(path)
 entries = []
+ winbind_sep = self.lp.get('winbind separator')
 if allow_conf:
 policy = allow_conf.find('policysetting')
 data = policy.find('data')
@@ -153,7 +159,9 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
 domain = adobject.find('domain').text
 if str(self) not in output.keys():
 output[str(self)] = []
- output[str(self)].append('+:%s\\%s:ALL' % (name, domain))
+ output[str(self)].append('+:%s%s%s:ALL' % (name,
+ winbind_sep,
+ domain))
 if len(allow_listelements) > 0:
 output[str(self)].append('-:ALL:ALL')
 if deny_conf:
@@ -165,5 +173,7 @@ class vgp_access_ext(gp_xml_ext, gp_file_applier):
 domain = adobject.find('domain').text
 if str(self) not in output.keys():
 output[str(self)] = []
- output[str(self)].append('-:%s\\%s:ALL' % (name, domain))
+ output[str(self)].append('-:%s%s%s:ALL' % (name,
+ winbind_sep,
+ domain))
 return output
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index b9ded20c828..8aea59eb61a 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
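Review bot: In the `entries.append('+:%s%s%s:ALL' % (domain, winbind_sep, name))` call of the `@@ -90,7 +91,9 @@` hunk, and the matching `-:` call in the `@@ -102,7 +105,9 @@` hunk, three values are formatted into a pam_access rule with no check that they are free of `:`, whitespace or line breaks, which access.conf uses as field and list delimiters. `name` and `domain` are the `.text` of elements from the GPO XML, so a malformed or empty value (an empty element would be formatted as the literal `None`) could produce a rule that is parsed differently from what the policy author intended. A guard such as `if any(c == ':' or c.isspace() for c in domain + winbind_sep + name):` followed by a `log.warn` and `continue` would keep such entries out of the file. The interpolation itself predates this commit, and the enclosing method starts and ends outside both hunks.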
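Review bot: The entries built in the `@@ -153,7 +159,9 @@` and `@@ -165,5 +173,7 @@` hunks pass `(name, winbind_sep, domain)` to the format string, while the entries written to the access configuration in the two earlier hunks use `(domain, winbind_sep, name)`. The `output` dictionary returned here therefore reports `name<sep>domain` and does not match the rule that is actually applied. The order was already swapped before this commit, but as the lines are rewritten anyway, changing them to `'+:%s%s%s:ALL' % (domain, winbind_sep, name)` and the same for the `-:` entry would make the reported policy usable for auditing who may log in. The method begins outside the hunks.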
@@ -6415,6 +6415,9 @@ class GPOTests(tests.TestCase): machine_creds.set_machine_account() # Initialize the group policy extension + winbind_sep = self.lp.get('winbind separator') + self.addCleanup(self.lp.set, 'winbind separator', winbind_sep) + self.lp.set('winbind separator', '+') ext = vgp_access_ext(self.lp, machine_creds, machine_creds.get_username(), store) @@ -6517,10 +6520,10 @@ class GPOTests(tests.TestCase): # Check the access config for the correct access.conf entries print('Config file %s found' % gp_cfg) data = open(gp_cfg, 'r').read() - self.assertIn('+:%s\\goodguy:ALL' % realm, data) - self.assertIn('+:%s\\goodguys:ALL' % realm, data) - self.assertIn('-:%s\\badguy:ALL' % realm, data) - self.assertIn('-:%s\\badguys:ALL' % realm, data) + self.assertIn('+:%s+goodguy:ALL' % realm, data) + self.assertIn('+:%s+goodguys:ALL' % realm, data) + self.assertIn('-:%s+badguy:ALL' % realm, data) + self.assertIn('-:%s+badguys:ALL' % realm, data) # Check that a call to gpupdate --rsop also succeeds ret = rsop(self.lp) -- Samba Shared Repository
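Review bot: The `self.lp.set('winbind separator', '+')` line in the `@@ -6415,6 +6415,9 @@` hunk has no comment explaining why the test overrides the separator. Something like `# Use a non-default separator so a hard-coded '\\' would fail the assertions below` would make the intent clear to the next reader. Registering `addCleanup` before the `set` call is the right order and is worth keeping that way.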
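Review bot: The updated assertions in the `@@ -6517,10 +6520,10 @@` hunk only check the written config file, so the entries that the extension's reporting path builds with the new separator are not verified. According to the comment at the end of the hunk, the `rsop(self.lp)` call is only checked for success. An assertion on the reported entries, for example that `'+:%s+goodguy:ALL' % realm` appears in what the extension returns for this GPO, would cover the separator there and would also expose the name/domain order used in that path. The test method continues outside the hunk, so such a check may already exist further down.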