The branch, master has been updated
       via  0bb67a3a7e7 python: silos: add support for allowed to authenticate from silo shortcut
       via  84916935751 python: add docstring for escaped_claim_id function
       via  16d52aa559a python: move method escaped_claim_id from test to samba.sd_utils
       via  47f5bc78b88 python: silos: add some missing tests for auth policy command
       via  2aa4d67411a python: tests: claims and silo tests make use of unique_name
       via  2dd06ae41a2 python: tests: improve comments for auth silo and policy tests
       via  95cb6a0bb16 python: tests: qa and developers were not in the correct case
       via  e87d74066af python: tests: addCleanup is always before create operation
       via  d19e268221e python: tests: function to generate a unique name from caller
       via  ed245e28875 netcmd: tests: make use of addCleanup
       via  3e9f74a680b netcmd: claims: rename claims and silo tests
       via  156887c6d0b netcmd: silo command uses more consistent naming for tgt args
       via  15fb8a5f2ef netcmd: silo command uses more consistent naming for policy args
       via  c22400fd8ef netcmd: silo command remove combined --policy which set all 3
      from  b6ae5d66819 codespell: Ignore .git
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit 0bb67a3a7e79a687e7809ab41f056c36629bc19f
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Oct 12 17:08:34 2023 +1300

    python: silos: add support for allowed to authenticate from silo shortcut

    This avoids the need to write SDDL; the user just needs to give the silo name.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Fri Oct 27 00:30:05 UTC 2023 on atb-devel-224

commit 8491693575115ef651a8320abd699edd3c739758
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Fri Oct 27 12:11:34 2023 +1300

    python: add docstring for escaped_claim_id function

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 16d52aa559ab60a9e2b1aba71c9f866833bab9f0
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Oct 26 13:13:44 2023 +1300

    python: move method escaped_claim_id from test to samba.sd_utils

    This is so that it can be used in other places too without the need
    to import or extend the test base class.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 47f5bc78b88b371c40a85b0b716793da771dc6c9
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Oct 12 16:59:43 2023 +1300

    python: silos: add some missing tests for auth policy command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2aa4d67411a91d1e135164ddb4857d04d6692a35
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Oct 12 16:55:34 2023 +1300

    python: tests: claims and silo tests make use of unique_name

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2dd06ae41a2154db82378587fa662a35bf78c386
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Oct 26 11:18:04 2023 +1300

    python: tests: improve comments for auth silo and policy tests

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 95cb6a0bb1625c2b2099c7374424d595164be2e8
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Oct 25 17:25:51 2023 +1300

    python: tests: qa and developers were not in the correct case

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e87d74066af3b552333aa28d4180e11b32e465b9
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Oct 25 16:02:31 2023 +1300

    python: tests: addCleanup is always before create operation

    This way, if it raises during a create, it will still end up running
    the cleanup.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d19e268221efca4079469c015f0fe3f2d0719f23
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Oct 12 15:21:08 2023 +1300

    python: tests: function to generate a unique name from caller

    Uses the caller function to generate a unique name from the test
    function name. The unique name is converted to camel case.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ed245e288756c34c263c37dd3d64203ee1efdaa5
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Oct 17 18:54:52 2023 +1300

    netcmd: tests: make use of addCleanup

    Makes self.members redundant, and the tearDown method can go completely.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3e9f74a680bc1d8c0daa133df3c4f8b84e1addc4
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Oct 12 14:53:18 2023 +1300

    netcmd: claims: rename claims and silo tests

    Rename test function names that were starting to get very long.

    They were all prefixed with the test name; stop doing that and use a
    double underscore for better separation.

    e.g. AuthPolicyCmdTestCase.test_authentication_policy_list_json
    becomes AuthPolicyCmdTestCase.test_list__json

    The claim types and value types test cases have been split into two
    testcases.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 156887c6d0b09795bae98564204e560919d0efa5
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Oct 26 15:12:39 2023 +1300

    netcmd: silo command uses more consistent naming for tgt args

    The args --user-tgt-lifetime-mins, --service-tgt-lifetime-mins and
    --computer-tgt-lifetime-mins are suffixed with -mins to be consistent
    with Windows tooling.

    For these, the internal names don't need to change and neither do the
    model fields; only the external CLI interface has this.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 15fb8a5f2efec250acbd60b2855459c888859e20
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Oct 17 16:31:53 2023 +1300

    netcmd: silo command uses more consistent naming for policy args

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c22400fd8ef961e472ce2803cf4a2ec58b778795
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Oct 17 14:30:40 2023 +1300

    netcmd: silo command remove combined --policy which set all 3

    It doesn't make much sense to set all 3 to the same policy: user
    authentication policy, service authentication policy, computer
    authentication policy.
Signed-off-by: Rob van der Linde <r...@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages/samba-tool.8.xml | 48 +- python/samba/netcmd/domain/auth/policy.py | 67 ++- python/samba/netcmd/domain/auth/silo.py | 120 ++-- python/samba/netcmd/domain/models/auth_silo.py | 12 +- python/samba/sd_utils.py | 16 + python/samba/tests/__init__.py | 19 + python/samba/tests/krb5/conditional_ace_tests.py | 31 +- python/samba/tests/samba_tool/domain_auth_base.py | 53 +- .../samba/tests/samba_tool/domain_auth_policy.py | 605 +++++++++++++++------ python/samba/tests/samba_tool/domain_auth_silo.py | 294 +++++----- python/samba/tests/samba_tool/domain_claim.py | 65 ++- selftest/knownfail.d/claims-client-tool | 2 +- selftest/knownfail.d/silo-client-tool | 4 +- 13 files changed, 856 insertions(+), 480 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 83d91bd0af1..6dfe07ea813 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml @@ -712,7 +712,7 @@ </listitem> </varlistentry> <varlistentry> - <term>--user-tgt-lifetime</term> + <term>--user-tgt-lifetime-mins</term> <listitem> <para> Ticket-Granting-Ticket lifetime for user accounts. @@ -757,7 +757,7 @@ </listitem> </varlistentry> <varlistentry> - <term>--service-tgt-lifetime</term> + <term>--service-tgt-lifetime-mins</term> <listitem> <para> Ticket-Granting-Ticket lifetime for service accounts. @@ -802,7 +802,7 @@ </listitem> </varlistentry> <varlistentry> - <term>--computer-tgt-lifetime</term> + <term>--computer-tgt-lifetime-mins</term> <listitem> <para> Ticket-Granting-Ticket lifetime for computer accounts. 
@@ -901,7 +901,7 @@ </listitem> </varlistentry> <varlistentry> - <term>--user-tgt-lifetime</term> + <term>--user-tgt-lifetime-mins</term> <listitem> <para> Ticket-Granting-Ticket lifetime for user accounts. @@ -946,7 +946,7 @@ </listitem> </varlistentry> <varlistentry> - <term>--service-tgt-lifetime</term> + <term>--service-tgt-lifetime-mins</term> <listitem> <para> Ticket-Granting-Ticket lifetime for service accounts. @@ -991,7 +991,7 @@ </listitem> </varlistentry> <varlistentry> - <term>--computer-tgt-lifetime</term> + <term>--computer-tgt-lifetime-mins</term> <listitem> <para> Ticket-Granting-Ticket lifetime for computer accounts. @@ -1101,27 +1101,21 @@ </para></listitem> </varlistentry> <varlistentry> - <term>--policy</term> + <term>--user-authentication-policy</term> <listitem><para> - Use single policy for all principals in this silo. + User account authentication policy. </para></listitem> </varlistentry> <varlistentry> - <term>--user-policy</term> + <term>--service-authentication-policy</term> <listitem><para> - User account policy. + Managed service account authentication policy. </para></listitem> </varlistentry> <varlistentry> - <term>--service-policy</term> + <term>--computer-authentication-policy</term> <listitem><para> - Managed Service Account policy. - </para></listitem> - </varlistentry> - <varlistentry> - <term>--computer-policy</term> - <listitem><para> - Computer Account policy. + Computer authentication policy. </para></listitem> </varlistentry> <varlistentry> 
@@ -1194,27 +1188,21 @@ </para></listitem> </varlistentry> <varlistentry> - <term>--policy</term> - <listitem><para> - Use single policy for all principals in this silo. - </para></listitem> - </varlistentry> - <varlistentry> - <term>--user-policy</term> + <term>--user-authentication-policy</term> <listitem><para> - User account policy. + User account authentication policy. </para></listitem> </varlistentry> <varlistentry> - <term>--service-policy</term> + <term>--service-authentication-policy</term> <listitem><para> - Managed Service Account policy. + Managed service account authentication policy. </para></listitem> </varlistentry> <varlistentry> - <term>--computer-policy</term> + <term>--computer-authentication-policy</term> <listitem><para> - Computer Account policy. + Computer authentication policy. </para></listitem> </varlistentry> <varlistentry> diff --git a/python/samba/netcmd/domain/auth/policy.py b/python/samba/netcmd/domain/auth/policy.py index 6ee85602907..d0ca96b677a 100644 --- a/python/samba/netcmd/domain/auth/policy.py +++ b/python/samba/netcmd/domain/auth/policy.py 
@@ -22,20 +22,31 @@ import samba.getopt as options from samba.netcmd import Command, CommandError, Option, SuperCommand -from samba.netcmd.domain.models import AuthenticationPolicy +from samba.netcmd.domain.models import AuthenticationPolicy, AuthenticationSilo from samba.netcmd.domain.models.auth_policy import MIN_TGT_LIFETIME,\ MAX_TGT_LIFETIME, StrongNTLMPolicy from samba.netcmd.domain.models.exceptions import ModelError from samba.netcmd.validators import Range +def check_similar_args(option, args): + """Helper method for checking similar mutually exclusive args. + + Example: --user-allowed-to-authenticate-from and + --user-allowed-to-authenticate-from-silo + """ + num = sum(arg is not None for arg in args) + if num > 1: + raise CommandError(f"{option} argument repeated {num} times.") + + class UserOptions(options.OptionGroup): """User options used by policy create and policy modify commands.""" def __init__(self, parser): super().__init__(parser, "User Options") - self.add_option("--user-tgt-lifetime", + self.add_option("--user-tgt-lifetime-mins", help="Ticket-Granting-Ticket lifetime for user accounts.", dest="tgt_lifetime", type=int, action="callback", callback=self.set_option, @@ -49,6 +60,10 @@ class UserOptions(options.OptionGroup): help="Conditions user is allowed to authenticate from.", type=str, dest="allowed_to_authenticate_from", action="callback", callback=self.set_option) + self.add_option("--user-allowed-to-authenticate-from-silo", + help="User is allowed to authenticate from silo.", + type=str, dest="allowed_to_authenticate_from_silo", + action="callback", callback=self.set_option) self.add_option("--user-allowed-to-authenticate-to", help="Conditions user is allowed to authenticate to.", type=str, dest="allowed_to_authenticate_to", 
@@ -61,7 +76,7 @@ class ServiceOptions(options.OptionGroup): def __init__(self, parser): super().__init__(parser, "Service Options") - self.add_option("--service-tgt-lifetime", + self.add_option("--service-tgt-lifetime-mins", help="Ticket-Granting-Ticket lifetime for service accounts.", dest="tgt_lifetime", type=int, action="callback", callback=self.set_option, @@ -75,6 +90,10 @@ class ServiceOptions(options.OptionGroup): help="Conditions service is allowed to authenticate from.", type=str, dest="allowed_to_authenticate_from", action="callback", callback=self.set_option) + self.add_option("--service-allowed-to-authenticate-from-silo", + help="Service is allowed to authenticate from silo.", + type=str, dest="allowed_to_authenticate_from_silo", + action="callback", callback=self.set_option) self.add_option("--service-allowed-to-authenticate-to", help="Conditions service is allowed to authenticate to.", type=str, dest="allowed_to_authenticate_to", @@ -87,7 +106,7 @@ class ComputerOptions(options.OptionGroup): def __init__(self, parser): super().__init__(parser, "Computer Options") - self.add_option("--computer-tgt-lifetime", + self.add_option("--computer-tgt-lifetime-mins", help="Ticket-Granting-Ticket lifetime for computer accounts.", dest="tgt_lifetime", type=int, action="callback", callback=self.set_option, 
@@ -217,8 +236,28 @@ class cmd_domain_auth_policy_create(Command): if audit and enforce: raise CommandError("--audit and --enforce cannot be used together.") + # Check for repeated, similar arguments. + check_similar_args("--user-allowed-to-authenticate-from", + [useropts.allowed_to_authenticate_from, + useropts.allowed_to_authenticate_from_silo]) + check_similar_args("--service-allowed-to-authenticate-from", + [serviceopts.allowed_to_authenticate_from, + serviceopts.allowed_to_authenticate_from_silo]) + ldb = self.ldb_connect(hostopts, sambaopts, credopts) + # Generate SDDL for authenticating users from a silo + if useropts.allowed_to_authenticate_from_silo: + silo = AuthenticationSilo.get( + ldb, cn=useropts.allowed_to_authenticate_from_silo) + useropts.allowed_to_authenticate_from = silo.get_authentication_sddl() + + # Generate SDDL for authenticating service accounts from a silo + if serviceopts.allowed_to_authenticate_from_silo: + silo = AuthenticationSilo.get( + ldb, cn=serviceopts.allowed_to_authenticate_from_silo) + serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl() + try: policy = AuthenticationPolicy.get(ldb, cn=name) except ModelError as e: 
@@ -313,8 +352,28 @@ class cmd_domain_auth_policy_modify(Command): if audit and enforce: raise CommandError("--audit and --enforce cannot be used together.") + # Check for repeated, similar arguments. + check_similar_args("--user-allowed-to-authenticate-from", + [useropts.allowed_to_authenticate_from, + useropts.allowed_to_authenticate_from_silo]) + check_similar_args("--service-allowed-to-authenticate-from", + [serviceopts.allowed_to_authenticate_from, + serviceopts.allowed_to_authenticate_from_silo]) + ldb = self.ldb_connect(hostopts, sambaopts, credopts) + # Generate SDDL for authenticating users from a silo + if useropts.allowed_to_authenticate_from_silo: + silo = AuthenticationSilo.get( + ldb, cn=useropts.allowed_to_authenticate_from_silo) + useropts.allowed_to_authenticate_from = silo.get_authentication_sddl() + + # Generate SDDL for authenticating service accounts from a silo + if serviceopts.allowed_to_authenticate_from_silo: + silo = AuthenticationSilo.get( + ldb, cn=serviceopts.allowed_to_authenticate_from_silo) + serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl() + try: policy = AuthenticationPolicy.get(ldb, cn=name) except ModelError as e: diff --git a/python/samba/netcmd/domain/auth/silo.py b/python/samba/netcmd/domain/auth/silo.py index 0c486aeeaff..b1e2ef0a0ae 100644 --- a/python/samba/netcmd/domain/auth/silo.py +++ b/python/samba/netcmd/domain/auth/silo.py 
@@ -115,18 +115,15 @@ class cmd_domain_auth_silo_create(Command): Option("--description", help="Optional description for authentication silo.", dest="description", action="store", type=str), - Option("--policy", - help="Use single policy for all principals in this silo.", - dest="policy", action="store", type=str), - Option("--user-policy", - help="User account policy.", - dest="user_policy", action="store", type=str), - Option("--service-policy", - help="Managed Service Account policy.", - dest="service_policy", action="store", type=str), - Option("--computer-policy", - help="Computer account policy.", - dest="computer_policy", action="store", type=str), + Option("--user-authentication-policy", + help="User account authentication policy.", + dest="user_authentication_policy", action="store", type=str), + Option("--service-authentication-policy", + help="Managed service account authentication policy.", + dest="service_authentication_policy", action="store", type=str), + Option("--computer-authentication-policy", + help="Computer authentication policy.", + dest="computer_authentication_policy", action="store", type=str), Option("--protect", help="Protect authentication silo from accidental deletion.", dest="protect", action="store_true"), 
@@ -153,23 +150,19 @@ class cmd_domain_auth_silo_create(Command): except (LookupError, ValueError) as e: raise CommandError(e) - def run(self, hostopts=None, sambaopts=None, credopts=None, name=None, - description=None, policy=None, user_policy=None, - service_policy=None, computer_policy=None, protect=None, - unprotect=None, audit=None, enforce=None): + def run(self, hostopts=None, sambaopts=None, credopts=None, + name=None, description=None, + user_authentication_policy=None, + service_authentication_policy=None, + computer_authentication_policy=None, + protect=None, unprotect=None, + audit=None, enforce=None): if protect and unprotect: raise CommandError("--protect and --unprotect cannot be used together.") if audit and enforce: raise CommandError("--audit and --enforce cannot be used together.") - # If --policy is present start with that as the base. Then optionally - # --user-policy, --service-policy, --computer-policy can override this. - if policy is not None: - user_policy = user_policy or policy - service_policy = service_policy or policy - computer_policy = computer_policy or policy - ldb = self.ldb_connect(hostopts, sambaopts, credopts) try: 
@@ -185,16 +178,19 @@ class cmd_domain_auth_silo_create(Command): silo = AuthenticationSilo(cn=name, description=description) # Set user policy - if user_policy: - silo.user_policy = self.get_policy(ldb, user_policy).dn + if user_authentication_policy: + silo.user_authentication_policy = \ + self.get_policy(ldb, user_authentication_policy).dn # Set service policy - if service_policy: - silo.service_policy = self.get_policy(ldb, service_policy).dn + if service_authentication_policy: + silo.service_authentication_policy = \ + self.get_policy(ldb, service_authentication_policy).dn # Set computer policy - if computer_policy: - silo.computer_policy = self.get_policy(ldb, computer_policy).dn + if computer_authentication_policy: + silo.computer_authentication_policy = \ + self.get_policy(ldb, computer_authentication_policy).dn # Either --enforce will be set or --audit but never both. # The default if both are missing is enforce=True. 
@@ -233,18 +229,15 @@ class cmd_domain_auth_silo_modify(Command): Option("--description", help="Optional description for authentication silo.", dest="description", action="store", type=str), - Option("--policy", - help="Set single policy for all principals in this silo.", - dest="policy", action="store", type=str), - Option("--user-policy", - help="Set User account policy.", - dest="user_policy", action="store", type=str), - Option("--service-policy", - help="Set Managed Service Account policy.", - dest="service_policy", action="store", type=str), - Option("--computer-policy", - help="Set Computer Account policy.", - dest="computer_policy", action="store", type=str), + Option("--user-authentication-policy", + help="User account authentication policy.", + dest="user_authentication_policy", action="store", type=str), + Option("--service-authentication-policy", + help="Managed service account authentication policy.", + dest="service_authentication_policy", action="store", type=str), + Option("--computer-authentication-policy", + help="Computer authentication policy.", + dest="computer_authentication_policy", action="store", type=str), Option("--protect", help="Protect authentication silo from accidental deletion.", dest="protect", action="store_true"), 
@@ -271,23 +264,19 @@ class cmd_domain_auth_silo_modify(Command): except (LookupError, ModelError, ValueError) as e: raise CommandError(e) - def run(self, hostopts=None, sambaopts=None, credopts=None, name=None, - description=None, policy=None, user_policy=None, - service_policy=None, computer_policy=None, protect=None, - unprotect=None, audit=None, enforce=None): + def run(self, hostopts=None, sambaopts=None, credopts=None, + name=None, description=None, + user_authentication_policy=None, + service_authentication_policy=None, + computer_authentication_policy=None, + protect=None, unprotect=None, + audit=None, enforce=None): if audit and enforce: raise CommandError("--audit and --enforce cannot be used together.") if protect and unprotect: raise CommandError("--protect and --unprotect cannot be used together.") - # If --policy is set then start with that for all policies. - # They can be individually overridden as well after that. - if policy is not None: - user_policy = user_policy or policy - service_policy = service_policy or policy - computer_policy = computer_policy or policy - ldb = self.ldb_connect(hostopts, sambaopts, credopts) try: 
@@ -310,22 +299,25 @@ class cmd_domain_auth_silo_modify(Command): silo.description = description # Set or unset user policy. - if user_policy == "": - silo.user_policy = None - elif user_policy: - silo.user_policy = self.get_policy(ldb, user_policy).dn + if user_authentication_policy == "": + silo.user_authentication_policy = None + elif user_authentication_policy: + silo.user_authentication_policy = \ + self.get_policy(ldb, user_authentication_policy).dn # Set or unset service policy. - if service_policy == "": - silo.service_policy = None - elif service_policy: - silo.service_policy = self.get_policy(ldb, service_policy).dn + if service_authentication_policy == "": + silo.service_authentication_policy = None + elif service_authentication_policy: + silo.service_authentication_policy = \ + self.get_policy(ldb, service_authentication_policy).dn # Set or unset computer policy. - if computer_policy == "": - silo.computer_policy = None - elif computer_policy: - silo.computer_policy = self.get_policy(ldb, computer_policy).dn + if computer_authentication_policy == "": + silo.computer_authentication_policy = None + elif computer_authentication_policy: + silo.computer_authentication_policy = \ + self.get_policy(ldb, computer_authentication_policy).dn # Update silo try: diff --git a/python/samba/netcmd/domain/models/auth_silo.py b/python/samba/netcmd/domain/models/auth_silo.py index e3228d5607b..28d94e64fa3 100644 --- a/python/samba/netcmd/domain/models/auth_silo.py +++ b/python/samba/netcmd/domain/models/auth_silo.py @@ -22,6 +22,8 @@ from ldb import FLAG_MOD_ADD, FLAG_MOD_DELETE, LdbError, Message, MessageElement +from samba.sd_utils import escaped_claim_id + from .exceptions import AddMemberError, RemoveMemberError from .fields import DnField, BooleanField, StringField from .model import Model 
@@ -30,9 +32,9 @@ from .model import Model class AuthenticationSilo(Model): description = StringField("description") enforced = BooleanField("msDS-AuthNPolicySiloEnforced") - user_policy = DnField("msDS-UserAuthNPolicy") - service_policy = DnField("msDS-ServiceAuthNPolicy") - computer_policy = DnField("msDS-ComputerAuthNPolicy") + user_authentication_policy = DnField("msDS-UserAuthNPolicy") + service_authentication_policy = DnField("msDS-ServiceAuthNPolicy") + computer_authentication_policy = DnField("msDS-ComputerAuthNPolicy") members = DnField("msDS-AuthNPolicySiloMembers", many=True) @staticmethod @@ -96,3 +98,7 @@ class AuthenticationSilo(Model): # If the modify operation was successful refresh members field. self.refresh(ldb, fields=["members"]) + + def get_authentication_sddl(self): + return ("O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/" + f"AuthenticationSilo/{escaped_claim_id(self.name)}))") diff --git a/python/samba/sd_utils.py b/python/samba/sd_utils.py index 67d89ef29fe..cabbd47b591 100644 --- a/python/samba/sd_utils.py +++ b/python/samba/sd_utils.py @@ -28,6 +28,22 @@ from samba.ntstatus import ( ) +def escaped_claim_id(claim_id): + """Encode claim attribute names according to [MS-DTYP] 2.5.1 ("attr-char2") + + Some characters must be encoded as %hhhh, while others must not be. + Of the optional ones, we encode some control characters. + + The \x00 byte is also encoded, which is useful for tests, but it + is forbidden in either form. + """ + escapes = '\x00\t\n\x0b\x0c\r !"%&()<=>|' -- Samba Shared Repository
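Review bot: in the samba-tool.8.xml hunks at @@ -712, -757, -802, -901, -946 and -991 and in the matching UserOptions/ServiceOptions/ComputerOptions hunks in policy.py, the options are renamed to --user-tgt-lifetime-mins, --service-tgt-lifetime-mins and --computer-tgt-lifetime-mins, but the descriptions still read "Ticket-Granting-Ticket lifetime for user accounts." with no unit. Since the rename exists to make the unit explicit, say so in both the manpage <para> and the help= string, e.g. `help="Ticket-Granting-Ticket lifetime for user accounts, in minutes."`, so the manpage and `--help` agree with the option name.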
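Review bot: check_similar_args in the policy.py @@ -22,20 +22,31 @@ hunk raises `CommandError(f"{option} argument repeated {num} times.")`, but the two values it compares come from two different options (--user-allowed-to-authenticate-from and --user-allowed-to-authenticate-from-silo), so the user is told an argument was repeated when it was not. Name both options in the message, e.g. `raise CommandError(f"{option} and {option}-silo cannot be used together.")`, matching the existing "--audit and --enforce cannot be used together." wording in the same file, and change "Helper method" in the docstring to "Helper function" since it is module-level.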
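Review bot: in the cmd_domain_auth_policy_create (@@ -217,8 +236,28 @@) and cmd_domain_auth_policy_modify (@@ -313,8 +352,28 @@) hunks, `AuthenticationSilo.get(ldb, cn=...)` is called with no try/except ModelError, unlike the `AuthenticationPolicy.get(ldb, cn=name)` call directly below it, and its result is used immediately via `silo.get_authentication_sddl()` without a None check, so a mistyped or nonexistent silo name surfaces as an unhandled exception or AttributeError instead of a CommandError. Wrap the lookup the way the `get_policy` helper in silo.py does (catch the error and raise `CommandError(f"Authentication silo {name} not found.")` when nothing comes back). The user and service blocks are also duplicated verbatim across create and modify; a small helper next to check_similar_args that takes the opts object and returns the SDDL would keep the four copies in sync.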
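Review bot: get_authentication_sddl in the auth_silo.py @@ -96,3 +98,7 @@ hunk references `self.name`, but everywhere else in this series the silo is addressed by `cn` (`AuthenticationSilo(cn=name, ...)`, `AuthenticationSilo.get(ldb, cn=...)`) and the field list in the @@ -30,9 +32,9 @@ hunk declares no `name`; confirm that Model exposes `name`, otherwise use the cn field, or the first --user-allowed-to-authenticate-from-silo call will fail with AttributeError. The method also needs a docstring: it builds the conditional ACE that grants Everyone (WD) the control-access right only when the caller's ad://ext/AuthenticationSilo claim equals this silo, and that string is what the new shortcut writes into the policy, so it is the security-relevant output of the whole series. Passing the silo name through escaped_claim_id before interpolating it is the right call, since the cn is operator-supplied and an unescaped "(" or ")" would otherwise change the conditional expression.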
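Review bot: in the cmd_domain_auth_silo_modify option hunk (@@ -233,18 +229,15 @@), the help strings now read "User account authentication policy." like the create command, but the run() hunk (@@ -310,22 +299,25 @@) still treats an empty string (`if user_authentication_policy == "":`) as "unset the policy", and neither the help= strings nor the manpage hunk at @@ -1194,27 +1188,21 @@ mentions this. Document it for the modify command only, e.g. "User account authentication policy (empty string to unset).", since create has no such branch.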
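Review bot: the escaped_claim_id docstring in the sd_utils.py @@ -28,6 +28,22 @@ hunk is a regular triple-quoted string, so `The \x00 byte` embeds an actual NUL character into the docstring instead of the four characters "\x00"; use a raw docstring (`r"""..."""`) or write `\\x00` so that help() and documentation tooling render it. The hunk is cut off at `escapes = ...` by the 500-line truncation in this mail, so the encoding loop itself cannot be reviewed here.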