Ejemplo n.º 1
0
 def setUp(self):
     super(AclSearchSpeedTest, self).setUp()
     self.ldb_admin.newuser("acltestuser", "samba123@")
     self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
     self.ldb_user = self.get_ldb_connection("acltestuser", "samba123@")
     self.user_sid = self.sd_utils.get_object_sid(
         self.get_user_dn("acltestuser"))
Ejemplo n.º 2
0
    def __init__(self, samdb, fix=False, add_update_container=True):
        """
        :param samdb: LDB database
        :param fix: Apply the update if the container is missing
        :param add_update_container: Add the container at the end of the change
        :raise DomainUpdateException:
        """
        self.samdb = samdb
        self.fix = fix
        self.add_update_container = add_update_container
        # TODO: In future we should check for inconsistencies when it claims it has been done
        self.check_update_applied = False

        self.config_dn = self.samdb.get_config_basedn()
        self.domain_dn = self.samdb.domain_dn()
        self.schema_dn = self.samdb.get_schema_basedn()

        self.sd_utils = sd_utils.SDUtils(samdb)
        self.domain_sid = security.dom_sid(samdb.get_domain_sid())

        self.domainupdate_container = self.samdb.get_root_basedn()
        if not self.domainupdate_container.add_child(
                "CN=Operations,CN=DomainUpdates,CN=System"):
            raise DomainUpdateException(
                "Failed to add domain update container child")

        self.revision_object = self.samdb.get_root_basedn()
        if not self.revision_object.add_child(
                "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System"):
            raise DomainUpdateException("Failed to add revision object child")
Ejemplo n.º 3
0
    def setUp(self):
        super(UserAccountControlTests, self).setUp()
        self.admin_creds = creds
        self.admin_samdb = SamDB(url=ldaphost,
                                 session_info=system_session(),
                                 credentials=self.admin_creds, lp=lp)
        self.domain_sid = security.dom_sid(self.admin_samdb.get_domain_sid())
        self.base_dn = self.admin_samdb.domain_dn()

        self.unpriv_user = "******"
        self.unpriv_user_pw = "samba123@"
        self.unpriv_creds = self.get_creds(self.unpriv_user, self.unpriv_user_pw)

        delete_force(self.admin_samdb, "CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
        delete_force(self.admin_samdb, "OU=test_computer_ou1,%s" % (self.base_dn))
        delete_force(self.admin_samdb, "CN=%s,CN=Users,%s" % (self.unpriv_user, self.base_dn))

        self.admin_samdb.newuser(self.unpriv_user, self.unpriv_user_pw)
        res = self.admin_samdb.search("CN=%s,CN=Users,%s" % (self.unpriv_user, self.admin_samdb.domain_dn()),
                                      scope=SCOPE_BASE,
                                      attrs=["objectSid"])
        self.assertEqual(1, len(res))

        self.unpriv_user_sid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
        self.unpriv_user_dn = res[0].dn

        self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)

        self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % host, lp, self.unpriv_creds)
        self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
        self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)

        self.sd_utils = sd_utils.SDUtils(self.admin_samdb)

        self.admin_samdb.create_ou("OU=test_computer_ou1," + self.base_dn)
        self.unpriv_user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
        mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.unpriv_user_sid)

        old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)

        self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)

        self.add_computer_ldap("testcomputer-t")

        self.sd_utils.modify_sd_on_dn("OU=test_computer_ou1," + self.base_dn, old_sd)

        self.computernames = ["testcomputer-0"]

        # Get the SD of the template account, then force it to match
        # what we expect for SeMachineAccountPrivilege accounts, so we
        # can confirm we created the accounts correctly
        self.sd_reference_cc = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))

        self.sd_reference_modify = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
        for ace in self.sd_reference_modify.dacl.aces:
            if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and ace.trustee == self.unpriv_user_sid:
                ace.access_mask = ace.access_mask | security.SEC_ADS_SELF_WRITE | security.SEC_ADS_WRITE_PROP

        # Now reconnect without domain admin rights
        self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
Ejemplo n.º 4
0
    def setUp(self):
        super(DrsReplicaSyncUnprivTestCase, self).setUp()
        self.get_changes_user = "******"
        self.base_dn = self.ldb_dc1.get_default_basedn()
        self.ou = "OU=test_getncchanges,%s" % self.base_dn
        self.user_pass = samba.generate_random_password(12, 16)
        self.ldb_dc1.add({"dn": self.ou, "objectclass": "organizationalUnit"})
        self.ldb_dc1.newuser(self.get_changes_user,
                             self.user_pass,
                             userou="OU=test_getncchanges")
        (self.drs, self.drs_handle) = self._ds_bind(self.dnsname_dc1)

        self.sd_utils = sd_utils.SDUtils(self.ldb_dc1)
        user_dn = "cn=%s,%s" % (self.get_changes_user, self.ou)
        user_sid = self.sd_utils.get_object_sid(user_dn)
        mod = "(A;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;%s)" % str(
            user_sid)
        self.sd_utils.dacl_add_ace(self.base_dn, mod)

        # We set DONT_USE_KERBEROS to avoid a race with getting the
        # user replicated to our selected KDC
        self.user_creds = self.insta_creds(template=self.get_credentials(),
                                           username=self.get_changes_user,
                                           userpass=self.user_pass,
                                           kerberos_state=DONT_USE_KERBEROS)
        (self.user_drs,
         self.user_drs_handle) = self._ds_bind(self.dnsname_dc1,
                                               self.user_creds)
Ejemplo n.º 5
0
    def setUp(self):
        super().setUp()

        strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING',
                                                        allow_missing=True)
        if strict_checking is None:
            strict_checking = '1'
        self.strict_checking = bool(int(strict_checking))

        self.admin_creds = creds
        self.admin_samdb = SamDB(url=ldaphost,
                                 credentials=self.admin_creds,
                                 lp=lp)
        self.domain_sid = security.dom_sid(self.admin_samdb.get_domain_sid())
        self.base_dn = self.admin_samdb.domain_dn()

        self.unpriv_user = "******"
        self.unpriv_user_pw = "samba123@"
        self.unpriv_creds = self.get_creds(self.unpriv_user,
                                           self.unpriv_user_pw)

        self.admin_sd_utils = sd_utils.SDUtils(self.admin_samdb)

        self.test_ou_name = "OU=test_priv_attrs"
        self.test_ou = self.test_ou_name + "," + self.base_dn

        delete_force(self.admin_samdb,
                     self.test_ou,
                     controls=["tree_delete:0"])

        self.admin_samdb.create_ou(self.test_ou)

        expected_user_dn = f"CN={self.unpriv_user},{self.test_ou_name},{self.base_dn}"

        self.admin_samdb.newuser(self.unpriv_user,
                                 self.unpriv_user_pw,
                                 userou=self.test_ou_name)
        res = self.admin_samdb.search(expected_user_dn,
                                      scope=SCOPE_BASE,
                                      attrs=["objectSid"])

        self.assertEqual(1, len(res))

        self.unpriv_user_dn = res[0].dn
        self.addCleanup(delete_force,
                        self.admin_samdb,
                        self.unpriv_user_dn,
                        controls=["tree_delete:0"])

        self.unpriv_user_sid = self.admin_sd_utils.get_object_sid(
            self.unpriv_user_dn)

        self.unpriv_samdb = SamDB(url=ldaphost,
                                  credentials=self.unpriv_creds,
                                  lp=lp)
Ejemplo n.º 6
0
 def setUp(self):
     super(DirsyncBaseTests, self).setUp()
     self.ldb_admin = ldb
     self.base_dn = ldb.domain_dn()
     self.domain_sid = security.dom_sid(ldb.get_domain_sid())
     self.user_pass = "******"
     self.configuration_dn = self.ldb_admin.get_config_basedn(
     ).get_linearized()
     self.sd_utils = sd_utils.SDUtils(ldb)
     #used for anonymous login
     print "baseDN: %s" % self.base_dn
Ejemplo n.º 7
0
    def setUp(self):
        super(TrafficEmulatorPacketTests, self).setUp()
        self.server      = os.environ["SERVER"]
        self.domain      = os.environ["DOMAIN"]
        self.host        = os.environ["SERVER_IP"]
        self.lp          = self.get_loadparm()
        self.session     = system_session()
        self.credentials = self.get_credentials()

        self.ldb = SamDB(url="ldap://%s" % self.host,
                         session_info=self.session,
                         credentials=self.credentials,
                         lp=self.lp)
        self.domain_sid = self.ldb.get_domain_sid()

        traffic.clean_up_accounts(self.ldb, 1)
        self.tempdir = tempfile.mkdtemp(prefix="traffic_packet_test_")
        self.context = traffic.ReplayContext(server=self.server,
                                             lp=self.lp,
                                             creds=self.credentials,
                                             tempdir=self.tempdir,
                                             ou=traffic.ou_name(self.ldb, 1),
                                             domain_sid=self.domain_sid)

        self.conversation = traffic.Conversation()
        self.conversation.conversation_id = 1
        self.machinename = "STGM-1-1"
        self.machinepass = samba.generate_random_password(32, 32)
        self.username    = "******"
        self.userpass    = samba.generate_random_password(32, 32)
        account = traffic.ConversationAccounts(
            self.machinename,
            self.machinepass,
            self.username,
            self.userpass)

        traffic.create_ou(self.ldb, 1)
        traffic.create_machine_account(self.ldb,
                                       1,
                                       self.machinename,
                                       self.machinepass)
        traffic.create_user_account(self.ldb,
                                    1,
                                    self.username,
                                    self.userpass)

        self.context.generate_process_local_config(account, self.conversation)

        # grant user write permission to do things like write account SPN
        sdutils = sd_utils.SDUtils(self.ldb)
        mod = "(A;;WP;;;PS)"
        sdutils.dacl_add_ace(self.context.user_dn, mod)
Ejemplo n.º 8
0
 def setUp(self):
     super(DirsyncBaseTests, self).setUp()
     self.ldb_admin = SamDB(ldapshost,
                            credentials=creds,
                            session_info=system_session(lp),
                            lp=lp)
     self.base_dn = self.ldb_admin.domain_dn()
     self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
     self.user_pass = samba.generate_random_password(12, 16)
     self.configuration_dn = self.ldb_admin.get_config_basedn(
     ).get_linearized()
     self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
     #used for anonymous login
     print("baseDN: %s" % self.base_dn)
Ejemplo n.º 9
0
    def setUp(self):
        super(ReplAclTestCase, self).setUp()
        self.mod = "(A;CIOI;GA;;;SY)"
        self.mod_becomes = "(A;OICIIO;GA;;;SY)"
        self.mod_inherits_as = "(A;OICIIOID;GA;;;SY)"

        self.sd_utils_dc1 = sd_utils.SDUtils(self.ldb_dc1)
        self.sd_utils_dc2 = sd_utils.SDUtils(self.ldb_dc2)

        self.ou = samba.tests.create_test_ou(self.ldb_dc1, "test_acl_inherit")

        # disable replication for the tests so we can control at what point
        # the DCs try to replicate
        self._disable_all_repl(self.dnsname_dc1)
        self._disable_all_repl(self.dnsname_dc2)

        # make sure DCs are synchronized before the test
        self._net_drs_replicate(DC=self.dnsname_dc2,
                                fromDC=self.dnsname_dc1,
                                forced=True)
        self._net_drs_replicate(DC=self.dnsname_dc1,
                                fromDC=self.dnsname_dc2,
                                forced=True)
Ejemplo n.º 10
0
    def __init__(self,
                 samdb,
                 verbose=False,
                 fix=False,
                 add_update_container=True):
        """
        :param samdb: LDB database
        :param verbose: Show the ldif changes
        :param fix: Apply the update if the container is missing
        :param add_update_container: Add the container at the end of the change
        :raise ForestUpdateException:
        """
        from samba.ms_forest_updates_markdown import read_ms_markdown

        self.samdb = samdb
        self.fix = fix
        self.verbose = verbose
        self.add_update_container = add_update_container
        # TODO In future we should check for inconsistencies when it claims it has been done
        self.check_update_applied = False

        self.config_dn = self.samdb.get_config_basedn()
        self.domain_dn = self.samdb.domain_dn()
        self.schema_dn = self.samdb.get_schema_basedn()

        self.sd_utils = sd_utils.SDUtils(samdb)
        self.domain_sid = security.dom_sid(samdb.get_domain_sid())

        self.forestupdate_container = self.samdb.get_config_basedn()
        if not self.forestupdate_container.add_child(
                "CN=Operations,CN=ForestUpdates"):
            raise ForestUpdateException(
                "Failed to add forest update container child")

        self.revision_object = self.samdb.get_config_basedn()
        if not self.revision_object.add_child(
                "CN=ActiveDirectoryUpdate,CN=ForestUpdates"):
            raise ForestUpdateException("Failed to add revision object child")

        # Store the result of parsing the markdown in a dictionary
        self.stored_ldif = {}
        read_ms_markdown(
            setup_path("adprep/WindowsServerDocs/Forest-Wide-Updates.md"),
            out_dict=self.stored_ldif)
Ejemplo n.º 11
0
    def setUp(self):
        super(DrsReplicaSyncUnprivTestCase, self).setUp()
        self.get_changes_user = "******"
        self.base_dn = self.ldb_dc1.get_default_basedn()
        self.user_pass = samba.generate_random_password(12, 16)

        # add some randomness to the test OU. (Deletion of the last test's
        # objects can be slow to replicate out. So the OU created by a previous
        # testenv may still exist at this point).
        rand = random.randint(1, 10000000)
        test_ou = "OU=test_getnc_unpriv%d" % rand
        self.ou = "%s,%s" % (test_ou, self.base_dn)
        self.ldb_dc1.add({
            "dn": self.ou,
            "objectclass": "organizationalUnit"})
        self.ldb_dc1.newuser(self.get_changes_user, self.user_pass,
                             userou=test_ou)
        (self.drs, self.drs_handle) = self._ds_bind(self.dnsname_dc1)

        self.sd_utils = sd_utils.SDUtils(self.ldb_dc1)
        self.user_dn = "cn=%s,%s" % (self.get_changes_user, self.ou)
        user_sid = self.sd_utils.get_object_sid(self.user_dn)
        self.acl_mod_get_changes = "(OA;;CR;%s;;%s)" % (security.GUID_DRS_GET_CHANGES,
                                                        str(user_sid))
        self.acl_mod_get_all_changes = "(OA;;CR;%s;;%s)" % (security.GUID_DRS_GET_ALL_CHANGES,
                                                            str(user_sid))
        self.desc_sddl = self.sd_utils.get_sd_as_sddl(self.base_dn)

        # We set DONT_USE_KERBEROS to avoid a race with getting the
        # user replicated to our selected KDC
        self.user_creds = self.insta_creds(template=self.get_credentials(),
                                           username=self.get_changes_user,
                                           userpass=self.user_pass,
                                           kerberos_state=DONT_USE_KERBEROS)
        (self.user_drs, self.user_drs_handle) = self._ds_bind(self.dnsname_dc1,
                                                              self.user_creds)
Ejemplo n.º 12
0
    def setUp(self):
        super(ConfidentialAttrCommon, self).setUp()

        self.ldb_admin = SamDB(ldaphost,
                               credentials=creds,
                               session_info=system_session(lp),
                               lp=lp)
        self.user_pass = "******"
        self.base_dn = self.ldb_admin.domain_dn()
        self.schema_dn = self.ldb_admin.get_schema_basedn()
        self.sd_utils = sd_utils.SDUtils(self.ldb_admin)

        # the tests work by setting the 'Confidential' bit in the searchFlags
        # for an existing schema attribute. This only works against Windows if
        # the systemFlags does not have FLAG_SCHEMA_BASE_OBJECT set for the
        # schema attribute being modified. There are only a few attributes that
        # meet this criteria (most of which only apply to 'user' objects)
        self.conf_attr = "homePostalAddress"
        attr_cn = "CN=Address-Home"
        # schemaIdGuid for homePostalAddress (used for ACE tests)
        self.conf_attr_guid = "16775781-47f3-11d1-a9c3-0000f80367c1"
        self.conf_attr_sec_guid = "77b5b886-944a-11d1-aebd-0000f80367c1"
        self.attr_dn = "{},{}".format(attr_cn, self.schema_dn)

        userou = "OU=conf-attr-test"
        self.ou = "{},{}".format(userou, self.base_dn)
        self.ldb_admin.create_ou(self.ou)

        # use a common username prefix, so we can use sAMAccountName=CATC-* as
        # a search filter to only return the users we're interested in
        self.user_prefix = "catc-"

        # add a test object with this attribute set
        self.conf_value = "abcdef"
        self.conf_user = "******".format(self.user_prefix)
        self.ldb_admin.newuser(self.conf_user, self.user_pass, userou=userou)
        self.conf_dn = self.get_user_dn(self.conf_user)
        self.add_attr(self.conf_dn, self.conf_attr, self.conf_value)

        # add a sneaky user that will try to steal our secrets
        self.user = "******".format(self.user_prefix)
        self.ldb_admin.newuser(self.user, self.user_pass, userou=userou)
        self.ldb_user = self.get_ldb_connection(self.user, self.user_pass)

        self.all_users = [self.user, self.conf_user]

        # add some other users that also have confidential attributes, so we can
        # check we don't disclose their details, particularly in '!' searches
        for i in range(1, 3):
            username = "******".format(self.user_prefix, i)
            self.ldb_admin.newuser(username, self.user_pass, userou=userou)
            userdn = self.get_user_dn(username)
            self.add_attr(userdn, self.conf_attr, "xyz{}".format(i))
            self.all_users.append(username)

        # there are 4 users in the OU, plus the OU itself
        self.test_dn = self.ou
        self.total_objects = len(self.all_users) + 1
        self.objects_with_attr = 3

        # sanity-check the flag is not already set (this'll cause problems if
        # previous test run didn't clean up properly)
        search_flags = self.get_attr_search_flags(self.attr_dn)
        self.assertTrue(
            int(search_flags) & SEARCH_FLAG_CONFIDENTIAL == 0,
            "{} searchFlags already {}".format(self.conf_attr, search_flags))
Ejemplo n.º 13
0
def add_dns_records(samdb, name, dns_conn, change_owner_sd, server,
                    ip_address_list, logger):
    """Add DNS A or AAAA records while creating computer. """
    name = name.rstrip('$')
    client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
    select_flags = dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA | dnsserver.DNS_RPC_VIEW_NO_CHILDREN
    zone = samdb.domain_dns_name()
    name_found = True
    sd_helper = sd_utils.SDUtils(samdb)

    try:
        buflen, res = dns_conn.DnssrvEnumRecords2(
            client_version,
            0,
            server,
            zone,
            name,
            None,
            dnsp.DNS_TYPE_ALL,
            select_flags,
            None,
            None,
        )
    except WERRORError as e:
        if e.args[0] == werror.WERR_DNS_ERROR_NAME_DOES_NOT_EXIST:
            name_found = False
            pass

    if name_found:
        for rec in res.rec:
            for record in rec.records:
                if record.wType == dnsp.DNS_TYPE_A or record.wType == dnsp.DNS_TYPE_AAAA:
                    # delete record
                    del_rec_buf = dnsserver.DNS_RPC_RECORD_BUF()
                    del_rec_buf.rec = record
                    try:
                        dns_conn.DnssrvUpdateRecord2(
                            client_version,
                            0,
                            server,
                            zone,
                            name,
                            None,
                            del_rec_buf,
                        )
                    except WERRORError as e:
                        if e.args[
                                0] != werror.WERR_DNS_ERROR_NAME_DOES_NOT_EXIST:
                            raise

    for ip_address in ip_address_list:
        if _is_valid_ipv6(ip_address):
            logger.info("Adding DNS AAAA record %s.%s for IPv6 IP: %s" %
                        (name, zone, ip_address))
            rec = AAAARecord(ip_address)
        elif _is_valid_ipv4(ip_address):
            logger.info("Adding DNS A record %s.%s for IPv4 IP: %s" %
                        (name, zone, ip_address))
            rec = ARecord(ip_address)
        else:
            raise ValueError('Invalid IP: {}'.format(ip_address))

        # Add record
        add_rec_buf = dnsserver.DNS_RPC_RECORD_BUF()
        add_rec_buf.rec = rec

        dns_conn.DnssrvUpdateRecord2(
            client_version,
            0,
            server,
            zone,
            name,
            add_rec_buf,
            None,
        )

    if (len(ip_address_list) > 0):
        domaindns_zone_dn = ldb.Dn(
            samdb,
            'DC=DomainDnsZones,%s' % samdb.get_default_basedn(),
        )

        dns_a_dn, ldap_record = samdb.dns_lookup(
            "%s.%s" % (name, zone),
            dns_partition=domaindns_zone_dn,
        )

        # Make the DC own the DNS record, not the administrator
        sd_helper.modify_sd_on_dn(
            dns_a_dn,
            change_owner_sd,
            controls=[
                "sd_flags:1:%d" %
                (security.SECINFO_OWNER | security.SECINFO_GROUP)
            ],
        )