The branch, master has been updated
       via  90ba53eee4a samba-tool: Fix for gpo restore not working without --tmpdir
       via  5ff80465975 libcli/security: fix talloc context for integer values (CID 1545156)
       via  b2107889332 libcli/security: test_run_condtional_ace: va_end() on errors
       via  272f26e3ad0 libcli/security: conditional ACEs check again for NULL/empty claims
       via  6af1a71752b netcmd: auth: manpage documentation for conditional ace fields
       via  12a98ab4fc7 netcmd: tests: add some tests for valid and invalid SDDL in cli commands
       via  645b77342f4 netcmd: auth: add new SDDL fields to create and modify auth policy commands
       via  385029fbc67 netcmd: models: add SDDL fields to AuthenticationPolicy model
       via  1325e013034 netcmd: models: add SDDL model field
       via  83d321e764a netcmd: models: add FieldError subclass which stores the field
       via  950a70a190a netcmd: models: field to_db_value needs ldb param
       via  27cd5982085 netcmd: tests: modify auth silo cli tests setup their own test data
       via  2a333554594 netcmd: tests: modify auth policy cli tests setup their own test data
       via  c01e9431276 netcmd: tests: modify claim cli tests setup their own test data
       via  f1d5f93f3d4 netcmd: tests: test that create objects make use of addCleanup
       via  91fa5088b56 netcmd: tests: tests tidyup and make use of setUpTestData
       via  16c19c470ee netcmd: tests: make _run a classmethod in SambaToolCmdTest
       via  71c191ca9fc python: tests: implement setUpTestData overridable class method
       via  f9d406dca60 netcmd: tests: bugfix: argument -U was already in creds so listed twice
       via  7f4db71025e netcmd: tests: avoid the need to create a random command in GetSamDB
      from  08b9d5c7b9f tests/krb5: Add samba.tests.krb5.conditional_ace_tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 90ba53eee4a3614da81ee562be2a55c01888c2cf
Author: Kacper <kac...@kacper.se>
Date:   Wed Aug 30 14:33:49 2023 +0200

    samba-tool: Fix for gpo restore not working without --tmpdir

    cmd_restore depends on cmd_create but the latter cleans up required
    temp files for cmd_restore to function.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15462
    RN: Fix for gpo restore not working without --tmpdir

    Signed-off-by: Kacper Boström <kac...@kacper.se>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: David Mulder <dmul...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Fri Sep 29 03:15:18 UTC 2023 on atb-devel-224

commit 5ff804659758e3aae2dc38645d7ab26cefb0c533
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Sep 29 12:35:10 2023 +1300

    libcli/security: fix talloc context for integer values (CID 1545156)

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b2107889332135fc39c092a8d44ff5b9a0ecdcfb
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Sep 29 12:25:21 2023 +1300

    libcli/security: test_run_condtional_ace: va_end() on errors

    CID 1545154, CID 1545155.

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 272f26e3ad01a6017b52a992123106777ed3aaa3
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Sep 29 12:24:14 2023 +1300

    libcli/security: conditional ACEs check again for NULL/empty claims

    CID 1545152.

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6af1a71752b715120075323dbcd1326c79df7ace
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Sep 21 11:41:02 2023 +1200

    netcmd: auth: manpage documentation for conditional ace fields

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 12a98ab4fc7765f8b58f115f90ef399c26a2fb77
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Sep 28 15:33:18 2023 +1300

    netcmd: tests: add some tests for valid and invalid SDDL in cli commands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 645b77342f42a55b8693e867ec92da2ea5a3b31c
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Sep 20 13:04:14 2023 +1200

    netcmd: auth: add new SDDL fields to create and modify auth policy commands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 385029fbc672cd6e3a37ff6a7ad09dc6ad1eb542
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Sep 20 13:02:21 2023 +1200

    netcmd: models: add SDDL fields to AuthenticationPolicy model

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1325e01303499b7d94e3b781bee3672c2a94f190
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Sep 20 12:52:31 2023 +1200

    netcmd: models: add SDDL model field

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 83d321e764a3fc1124ff656a4a7714d262c835e0
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Sep 28 15:22:17 2023 +1300

    netcmd: models: add FieldError subclass which stores the field

    This is so that errors on the CLI show the field name

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 950a70a190ab986c646a77d14295f6b1697db407
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Sep 20 12:50:15 2023 +1200

    netcmd: models: field to_db_value needs ldb param

    Required by SDDL field type added in next commit

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 27cd59820859d57e93e8e6595580934c47fe75e8
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Sep 28 17:26:22 2023 +1300

    netcmd: tests: modify auth silo cli tests setup their own test data

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2a3335545946e3d6c06204912b2a7c8ad03e3de8
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Sep 28 17:13:15 2023 +1300

    netcmd: tests: modify auth policy cli tests setup their own test data

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c01e9431276876db7555e58846ac7e2a6b5383c1
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Sep 28 16:41:57 2023 +1300

    netcmd: tests: modify claim cli tests setup their own test data

    Initially the test data was created in setUp, but it was moved to
    setUpClass.

    The problem with this is tests modifying objects, which could affect
    the next test.

    Create all required data in the test itself for clarity (and it is
    also faster)

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f1d5f93f3d4064d0779185a9d380a93c116d3b7c
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Sep 28 14:48:09 2023 +1300

    netcmd: tests: test that create objects make use of addCleanup

    Since the samdb connection is on the class and hangs around between
    tests, we need to clean up what we created.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 91fa5088b5634320d7d882e474472bc13f076696
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Sep 27 00:20:49 2023 +1300

    netcmd: tests: tests tidyup and make use of setUpTestData

    Still only load the test data once per test class, but much easier
    to read.

    Made several methods static for creating/deleting claims, policies
    and silos.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 16c19c470eedb914eb1a82406ed3e203a7618d23
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Sep 27 00:01:06 2023 +1300

    netcmd: tests: make _run a classmethod in SambaToolCmdTest

    So that it can be called from setUpClass as well

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 71c191ca9fc8c836609f579de78678711e1ed034
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Sep 26 21:10:33 2023 +1300

    python: tests: implement setUpTestData overridable class method

    On Python 3.6 and 3.7 the addClassCleanup method needs to be
    implemented, and tearDownClass must be called by setUpClass if any
    exception is raised.

    On Python 3.8 and higher, unittest already calls tearDownClass, even
    if it raises an exception in setUpClass.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f9d406dca608f99f4d2e07ac0438c8043a7d5669
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Sep 25 13:26:19 2023 +1300

    netcmd: tests: bugfix: argument -U was already in creds so listed twice

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7f4db71025e5e473ccbc0d03255932ce2dd4b7f9
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Sep 25 12:51:19 2023 +1300

    netcmd: tests: avoid the need to create a random command in GetSamDB

    Also the code that looks over kwargs is somewhat confusing and
    unnecessary.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/samba-tool.8.xml                 | 140 ++++++++++++++++
 libcli/security/conditional_ace.c                  |  11 +-
 libcli/security/tests/test_run_conditional_ace.c   |   2 +
 python/samba/netcmd/domain/auth/policy.py          |  69 +++++++-
 python/samba/netcmd/domain/models/auth_policy.py   |  13 +-
 python/samba/netcmd/domain/models/exceptions.py    |  12 ++
 python/samba/netcmd/domain/models/fields.py        |  54 ++++--
 python/samba/netcmd/domain/models/model.py         |  15 +-
 python/samba/netcmd/gpo.py                         |   9 +
 python/samba/tests/__init__.py                     |  54 ++++++
 python/samba/tests/samba_tool/base.py              |  38 ++---
 python/samba/tests/samba_tool/domain_auth_base.py  | 116 ++++++-------
 .../samba/tests/samba_tool/domain_auth_policy.py   | 158 ++++++++++++++----
 python/samba/tests/samba_tool/domain_auth_silo.py  |  69 +++++---
 python/samba/tests/samba_tool/domain_claim.py      | 182 ++++++++++-----------
 python/samba/tests/samba_tool/domain_models.py     |  56 ++++++-
 python/samba/tests/samba_tool/visualize.py         |   5 +-
 .../torture/drs/python/samba_tool_drs_showrepl.py  |   6 +-
 18 files changed, 739 insertions(+), 270 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 55e714dbed4..83d91bd0af1 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -728,6 +728,34 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>--user-allowed-to-authenticate-from</term> + <listitem> + <para> + Conditions user is allowed to authenticate from. + </para> + <para> + Must be a valid SDDL string. + </para> + <para> + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--user-allowed-to-authenticate-to</term> + <listitem> + <para> + Conditions user is allowed to authenticate to. + </para> + <para> + Must be a valid SDDL string. + </para> + <para> + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) + </para> + </listitem> + </varlistentry> <varlistentry> <term>--service-tgt-lifetime</term> <listitem> @@ -745,6 +773,34 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>--service-allowed-to-authenticate-from</term> + <listitem> + <para> + Conditions service is allowed to authenticate from. + </para> + <para> + Must be a valid SDDL string. + </para> + <para> + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--service-allowed-to-authenticate-to</term> + <listitem> + <para> + Conditions service is allowed to authenticate to. + </para> + <para> + Must be a valid SDDL string. + </para> + <para> + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) + </para> + </listitem> + </varlistentry> <varlistentry> <term>--computer-tgt-lifetime</term> <listitem> @@ -753,6 +809,20 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>-computer-allowed-to-authenticate-to</term> + <listitem> + <para> + Conditions computer is allowed to authenticate to. + </para> + <para> + Must be a valid SDDL string. + </para> + <para> + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + </para> + </listitem> + </varlistentry> </variablelist> </refsect3> 
@@ -847,6 +917,34 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>--user-allowed-to-authenticate-from</term> + <listitem> + <para> + Conditions user is allowed to authenticate from. + </para> + <para> + Must be a valid SDDL string. + </para> + <para> + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--user-allowed-to-authenticate-to</term> + <listitem> + <para> + Conditions user is allowed to authenticate to. + </para> + <para> + Must be a valid SDDL string. + </para> + <para> + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) + </para> + </listitem> + </varlistentry> <varlistentry> <term>--service-tgt-lifetime</term> <listitem> @@ -864,6 +962,34 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>--service-allowed-to-authenticate-from</term> + <listitem> + <para> + Conditions service is allowed to authenticate from. + </para> + <para> + Must be a valid SDDL string. + </para> + <para> + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--service-allowed-to-authenticate-to</term> + <listitem> + <para> + Conditions service is allowed to authenticate to. + </para> + <para> + Must be a valid SDDL string. + </para> + <para> + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) + </para> + </listitem> + </varlistentry> <varlistentry> <term>--computer-tgt-lifetime</term> <listitem> @@ -872,6 +998,20 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>-computer-allowed-to-authenticate-to</term> + <listitem> + <para> + Conditions computer is allowed to authenticate to. + </para> + <para> + Must be a valid SDDL string. + </para> + <para> + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + </para> + </listitem> + </varlistentry> </variablelist> </refsect3> 
diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c index 50935a20a53..2f15b873dd3 100644 --- a/libcli/security/conditional_ace.c +++ b/libcli/security/conditional_ace.c @@ -586,7 +586,7 @@ struct ace_condition_script *parse_conditional_ace(TALLOC_CTX *mem_ctx, case CONDITIONAL_ACE_TOKEN_INT16: case CONDITIONAL_ACE_TOKEN_INT32: case CONDITIONAL_ACE_TOKEN_INT64: - consumed = pull_integer(mem_ctx, + consumed = pull_integer(program, tok_data, available, &tok->data.int64); @@ -830,6 +830,15 @@ static bool token_claim_lookup( return false; } + if (num_claims == 0) { + DBG_NOTICE("There are no type %u claims\n", op->type); + return false; + } + if (claims == NULL) { + DBG_ERR("Type %u claim list unexpectedly NULL!\n", op->type); + result->type = CONDITIONAL_ACE_SAMBA_RESULT_ERROR; + return false; + } /* * Loop backwards: a later claim will override an earlier one with the * same name. diff --git a/libcli/security/tests/test_run_conditional_ace.c b/libcli/security/tests/test_run_conditional_ace.c index f8500275148..c538b7cb55e 100644 --- a/libcli/security/tests/test_run_conditional_ace.c +++ b/libcli/security/tests/test_run_conditional_ace.c @@ -77,6 +77,7 @@ static bool fill_token_claims(TALLOC_CTX *mem_ctx, name, str); if (claim == NULL) { + va_end(args); debug_fail("bad claim: %s\n", str); return false; } @@ -117,6 +118,7 @@ static bool fill_token_sids(TALLOC_CTX *mem_ctx, sid = sddl_decode_sid(mem_ctx, &str, NULL); if (sid == NULL) { debug_fail("bad SID: %s\n", str); + va_end(args); return false; } add_sid_to_array(mem_ctx, sid, list, n); diff --git a/python/samba/netcmd/domain/auth/policy.py b/python/samba/netcmd/domain/auth/policy.py index 07b21bdf81d..faf81cca616 100644 --- a/python/samba/netcmd/domain/auth/policy.py +++ b/python/samba/netcmd/domain/auth/policy.py 
@@ -148,6 +148,12 @@ class cmd_domain_auth_policy_create(Command): "is restricted to selected devices.", dest="user_allow_ntlm_auth", action="store_true", default=False), + Option("--user-allowed-to-authenticate-from", + help="Conditions user is allowed to authenticate from.", + dest="user_allowed_to_authenticate_from", type=str, action="store"), + Option("--user-allowed-to-authenticate-to", + help="Conditions user is allowed to authenticate to.", + dest="user_allowed_to_authenticate_to", type=str, action="store"), Option("--service-tgt-lifetime", help="Ticket-Granting-Ticket lifetime for service accounts.", dest="service_tgt_lifetime", type=int, action="store", 
@@ -157,17 +163,29 @@ class cmd_domain_auth_policy_create(Command): "is restricted to selected devices.", dest="service_allow_ntlm_auth", action="store_true", default=False), + Option("--service-allowed-to-authenticate-from", + help="Conditions service is allowed to authenticate from.", + dest="service_allowed_to_authenticate_from", type=str, action="store"), + Option("--service-allowed-to-authenticate-to", + help="Conditions service is allowed to authenticate to.", + dest="service_allowed_to_authenticate_to", type=str, action="store"), Option("--computer-tgt-lifetime", help="Ticket-Granting-Ticket lifetime for computer accounts.", dest="computer_tgt_lifetime", type=int, action="store", validators=[Range(min=MIN_TGT_LIFETIME, max=MAX_TGT_LIFETIME)]), + Option("--computer-allowed-to-authenticate-to", + help="Conditions computer is allowed to authenticate to.", + dest="computer_allowed_to_authenticate_to", type=str, action="store"), ] def run(self, ldap_url=None, sambaopts=None, credopts=None, name=None, description=None, protect=None, unprotect=None, audit=None, enforce=None, strong_ntlm_policy=None, user_tgt_lifetime=None, - user_allow_ntlm_auth=None, service_tgt_lifetime=None, - service_allow_ntlm_auth=None, computer_tgt_lifetime=None): + user_allow_ntlm_auth=None, user_allowed_to_authenticate_from=None, + user_allowed_to_authenticate_to=None, service_tgt_lifetime=None, + service_allow_ntlm_auth=None, service_allowed_to_authenticate_from=None, + service_allowed_to_authenticate_to=None, computer_tgt_lifetime=None, + computer_allowed_to_authenticate_to=None): if not name: raise CommandError("Argument --name is required.") 
@@ -194,9 +212,14 @@ class cmd_domain_auth_policy_create(Command): strong_ntlm_policy=StrongNTLMPolicy[strong_ntlm_policy.upper()], user_allow_ntlm_auth=user_allow_ntlm_auth, user_tgt_lifetime=user_tgt_lifetime, + user_allowed_to_authenticate_from=user_allowed_to_authenticate_from, + user_allowed_to_authenticate_to=user_allowed_to_authenticate_to, service_allow_ntlm_auth=service_allow_ntlm_auth, service_tgt_lifetime=service_tgt_lifetime, + service_allowed_to_authenticate_from=service_allowed_to_authenticate_from, + service_allowed_to_authenticate_to=service_allowed_to_authenticate_to, computer_tgt_lifetime=computer_tgt_lifetime, + computer_allowed_to_authenticate_to=computer_allowed_to_authenticate_to, ) # Either --enforce will be set or --audit but never both. @@ -262,6 +285,12 @@ class cmd_domain_auth_policy_modify(Command): "is restricted to selected devices.", dest="user_allow_ntlm_auth", action="store_true", default=False), + Option("--user-allowed-to-authenticate-from", + help="Conditions user is allowed to authenticate from.", + dest="user_allowed_to_authenticate_from", type=str, action="store"), + Option("--user-allowed-to-authenticate-to", + help="Conditions user is allowed to authenticate to.", + dest="user_allowed_to_authenticate_to", type=str, action="store"), Option("--service-tgt-lifetime", help="Ticket-Granting-Ticket lifetime for service accounts.", dest="service_tgt_lifetime", type=int, action="store", 
@@ -271,17 +300,29 @@ class cmd_domain_auth_policy_modify(Command): "is restricted to selected devices.", dest="service_allow_ntlm_auth", action="store_true", default=False), + Option("--service-allowed-to-authenticate-from", + help="Conditions service is allowed to authenticate from.", + dest="service_allowed_to_authenticate_from", type=str, action="store"), + Option("--service-allowed-to-authenticate-to", + help="Conditions service is allowed to authenticate to.", + dest="service_allowed_to_authenticate_to", type=str, action="store"), Option("--computer-tgt-lifetime", help="Ticket-Granting-Ticket lifetime for computer accounts.", dest="computer_tgt_lifetime", type=int, action="store", validators=[Range(min=MIN_TGT_LIFETIME, max=MAX_TGT_LIFETIME)]), + Option("--computer-allowed-to-authenticate-to", + help="Conditions computer is allowed to authenticate to.", + dest="computer_allowed_to_authenticate_to", type=str, action="store"), ] def run(self, ldap_url=None, sambaopts=None, credopts=None, name=None, description=None, protect=None, unprotect=None, audit=None, enforce=None, strong_ntlm_policy=None, user_tgt_lifetime=None, - user_allow_ntlm_auth=None, service_tgt_lifetime=None, - service_allow_ntlm_auth=None, computer_tgt_lifetime=None): + user_allow_ntlm_auth=None, user_allowed_to_authenticate_from=None, + user_allowed_to_authenticate_to=None, service_tgt_lifetime=None, + service_allow_ntlm_auth=None, service_allowed_to_authenticate_from=None, + service_allowed_to_authenticate_to=None, computer_tgt_lifetime=None, + computer_allowed_to_authenticate_to=None): if not name: raise CommandError("Argument --name is required.") 
@@ -321,18 +362,38 @@ class cmd_domain_auth_policy_modify(Command): if user_tgt_lifetime is not None: policy.user_tgt_lifetime = user_tgt_lifetime + if user_allowed_to_authenticate_from is not None: + policy.user_allowed_to_authenticate_from = \ + user_allowed_to_authenticate_from + + if user_allowed_to_authenticate_to is not None: + policy.user_allowed_to_authenticate_to = \ + user_allowed_to_authenticate_to + # Service sign on ################## if service_tgt_lifetime is not None: policy.service_tgt_lifetime = service_tgt_lifetime + if service_allowed_to_authenticate_from is not None: + policy.service_allowed_to_authenticate_from = \ + service_allowed_to_authenticate_from + + if service_allowed_to_authenticate_to is not None: + policy.service_allowed_to_authenticate_to = \ + service_allowed_to_authenticate_to + # Computer ########### if computer_tgt_lifetime is not None: policy.computer_tgt_lifetime = computer_tgt_lifetime + if computer_allowed_to_authenticate_to is not None: + policy.computer_allowed_to_authenticate_to = \ + computer_allowed_to_authenticate_to + # Update policy. try: policy.save(ldb) diff --git a/python/samba/netcmd/domain/models/auth_policy.py b/python/samba/netcmd/domain/models/auth_policy.py index dec8bb26190..df9f936ffa8 100644 --- a/python/samba/netcmd/domain/models/auth_policy.py +++ b/python/samba/netcmd/domain/models/auth_policy.py @@ -23,7 +23,8 @@ from enum import IntEnum from ldb import Dn -from .fields import BooleanField, EnumField, IntegerField, StringField +from .fields import (BooleanField, EnumField, IntegerField, SDDLField, + StringField) from .model import Model # Ticket-Granting-Ticket lifetimes. 
@@ -56,6 +57,16 @@ class AuthenticationPolicy(Model): "msDS-ServiceAllowedNTLMNetworkAuthentication") service_tgt_lifetime = IntegerField("msDS-ServiceTGTLifetime") computer_tgt_lifetime = IntegerField("msDS-ComputerTGTLifetime") + user_allowed_to_authenticate_from = SDDLField( + "msDS-UserAllowedToAuthenticateFrom") + user_allowed_to_authenticate_to = SDDLField( + "msDS-UserAllowedToAuthenticateTo") + service_allowed_to_authenticate_from = SDDLField( + "msDS-ServiceAllowedToAuthenticateFrom") + service_allowed_to_authenticate_to = SDDLField( + "msDS-ServiceAllowedToAuthenticateTo") + computer_allowed_to_authenticate_to = SDDLField( + "msDS-ComputerAllowedToAuthenticateTo") @staticmethod def get_base_dn(ldb): diff --git a/python/samba/netcmd/domain/models/exceptions.py b/python/samba/netcmd/domain/models/exceptions.py index 805c7a221b7..b28b423f64d 100644 --- a/python/samba/netcmd/domain/models/exceptions.py +++ b/python/samba/netcmd/domain/models/exceptions.py @@ -24,6 +24,18 @@ class ModelError(Exception): pass +class FieldError(ModelError): + """A ModelError on a specific field.""" + + def __init__(self, *args, field=None): + self.field = field + super().__init__(*args) + + def __str__(self): + message = super().__str__() + return f"{self.field.name}: {message}" + + class MultipleObjectsReturned(ModelError): pass diff --git a/python/samba/netcmd/domain/models/fields.py b/python/samba/netcmd/domain/models/fields.py index 523b7d69d57..845b34d10ab 100644 --- a/python/samba/netcmd/domain/models/fields.py +++ b/python/samba/netcmd/domain/models/fields.py @@ -28,6 +28,7 @@ from datetime import datetime from xml.etree import ElementTree from ldb import Dn, MessageElement, string_to_time, timestring +from samba.dcerpc import security from samba.dcerpc.misc import GUID from samba.ndr import ndr_pack, ndr_unpack 
@@ -74,12 +75,13 @@ class Field(metaclass=ABCMeta): pass @abstractmethod - def to_db_value(self, value, flags): + def to_db_value(self, ldb, value, flags): """Converts value to database value. This should return a MessageElement or None, where None means the field will be unset on the next save. + :param ldb: Ldb connection :param value: Input value from Python field :param flags: MessageElement flags :returns: MessageElement or None @@ -99,7 +101,7 @@ class IntegerField(Field): else: return int(value[0]) - def to_db_value(self, value, flags): + def to_db_value(self, ldb, value, flags): """Convert int or list of int to MessageElement.""" if value is None: return @@ -129,7 +131,7 @@ class BinaryField(Field): else: return bytes(value[0]) - def to_db_value(self, value, flags): + def to_db_value(self, ldb, value, flags): """Convert bytes or list of bytes to MessageElement.""" if value is None: return @@ -152,7 +154,7 @@ class StringField(Field): else: return str(value) - def to_db_value(self, value, flags): + def to_db_value(self, ldb, value, flags): """Convert str or list of str to MessageElement.""" if value is None: return @@ -190,7 +192,7 @@ class EnumField(Field): else: return self.enum_from_value(value) - def to_db_value(self, value, flags): + def to_db_value(self, ldb, value, flags): """Convert enum or list of enum to MessageElement.""" if value is None: return -- Samba Shared Repository
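Review bot: In the samba-tool.8.xml hunks at @@ -753 and @@ -872 the new term is written `<term>-computer-allowed-to-authenticate-to</term>` with a single leading dash, while policy.py registers the option as `--computer-allowed-to-authenticate-to`; both `<term>` entries should use the double-dash form so the manpage matches what the CLI actually accepts. The example for this option also uses `SID(AU)` where the user and service `-to` examples use `SID(AO)`; if that is not deliberate, align them.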
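Review bot: In the token_claim_lookup hunk of conditional_ace.c, the new `num_claims == 0` branch returns false without setting `result->type`, while the `claims == NULL` branch sets `CONDITIONAL_ACE_SAMBA_RESULT_ERROR`; because the zero-count check runs first, a NULL list with a zero count is treated as "no matching claim" rather than an error. That looks intended (a token may legitimately carry no claims of a given type), but a one-line comment saying so would stop the next reader from reordering the checks, and DBG_NOTICE may be too loud for a path that fires on every evaluation against such a token.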
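Review bot: The two `va_end(args)` additions in test_run_conditional_ace.c are placed inconsistently: in fill_token_claims it precedes `debug_fail(...)`, in fill_token_sids it follows it. Both are correct, but using the same position in both error paths, and checking that no other early return in these two functions still leaks the va_list, keeps the cleanup pattern recognisable.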
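Review bot: The new Option entries in cmd_domain_auth_policy_create and cmd_domain_auth_policy_modify (hunks @@ -148, @@ -157, @@ -262 and @@ -271 of policy.py) take `type=str, action="store"` with no validator, and their help strings stop at "Conditions user is allowed to authenticate from.", whereas the manpage adds "Must be a valid SDDL string." plus an example; since the help text is the only hint at the prompt that an SDDL security descriptor is expected, repeat that sentence here. The SDDLField that rejects bad strings lies beyond the 500-line truncation, so also confirm that an invalid value surfaces as a FieldError naming the option (the stated purpose of the FieldError commit) rather than a traceback.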
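Review bot: In the cmd_domain_auth_policy_modify run() hunk (@@ -321 of policy.py) each new SDDL attribute is assigned only when the option `is not None`, and the to_db_value docstring in fields.py says None is what unsets a field on save; as written there is therefore no way to clear msDS-UserAllowedToAuthenticateFrom or its siblings through `modify` once set, and an empty string would be handed to the SDDL field instead of clearing it. Consider a documented way to unset (for example mapping an explicit empty value to None) and a test that exercises it.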
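Review bot: FieldError.__str__ in the exceptions.py hunk dereferences `self.field.name` unconditionally, but `__init__` defaults `field=None`, so raising FieldError without a field turns into an AttributeError the moment the message is rendered. Either make `field` required or guard it: `if self.field is None: return message`.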
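Review bot: The to_db_value signature in fields.py gains an `ldb` parameter on the abstract method and on the IntegerField, BinaryField, StringField and EnumField overrides shown, but the new docstring line says only ":param ldb: Ldb connection"; since most field types ignore it, state what it is for (the commit message says the SDDL field needs it). The other Field subclasses implied by the module imports (Dn, GUID, datetime, ElementTree) fall outside the truncated changeset; a missed override would only fail with a TypeError at save time, so confirm they were all updated.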