"""test removal of 1 site""" self.ldb_admin.transaction_start() ok = sites.delete_site(self.ldb_admin, self.ldb_admin.get_config_basedn(), "testsamba") self.ldb_admin.transaction_commit() self.assertRaises(sites.SiteNotFoundException, sites.delete_site, self.ldb_admin, self.ldb_admin.get_config_basedn(), "testsamba") def test_delete_not_empty(self): """test removal of 1 site with servers""" self.assertRaises(sites.SiteServerNotEmptyException, sites.delete_site, self.ldb_admin, self.ldb_admin.get_config_basedn(), "Default-First-Site-Name") ldb = SamDB(ldapshost, credentials=creds, session_info=system_session(lp), lp=lp) runner = SubunitTestRunner() rc = 0 if not runner.run(unittest.makeSuite(SimpleSitesTests)).wasSuccessful(): rc = 1 sys.exit(rc)
    def setUp(self):
        """Prepare an unprivileged user, a test OU and a template computer.

        Runs as the domain admin to create ``self.unpriv_user`` and
        ``self.OU``, opens SAMR and LDAP connections *as that user*, creates
        one template computer account ("testcomputer-t") while the user
        temporarily holds a Create-Child ACE on the OU, and records the
        template's security descriptor (``self.sd_reference_cc`` as read,
        ``self.sd_reference_modify`` with the self-write / write-property
        bits added for the user's ACE) for the tests to compare against.
        """
        super(UserAccountControlTests, self).setUp()
        self.admin_creds = creds
        self.admin_samdb = SamDB(url=ldaphost,
                                 session_info=system_session(),
                                 credentials=self.admin_creds, lp=lp)
        self.domain_sid = security.dom_sid(self.admin_samdb.get_domain_sid())
        self.base_dn = self.admin_samdb.domain_dn()

        # NOTE(review): the user name literal appears redacted in this copy
        # ("******"); confirm the real fixture value against the upstream test.
        self.unpriv_user = "******"
        self.unpriv_user_pw = "samba123@"
        self.unpriv_creds = self.get_creds(self.unpriv_user, self.unpriv_user_pw)

        self.OU = "OU=test_computer_ou1,%s" % (self.base_dn)

        # Remove leftovers from an earlier aborted run before creating anew;
        # "tree_delete:0" is a non-critical tree-delete control.
        delete_force(self.admin_samdb, self.OU, controls=["tree_delete:0"])
        delete_force(self.admin_samdb,
                     "CN=%s,CN=Users,%s" % (self.unpriv_user, self.base_dn))

        self.admin_samdb.newuser(self.unpriv_user, self.unpriv_user_pw)
        res = self.admin_samdb.search(
            "CN=%s,CN=Users,%s" % (self.unpriv_user,
                                   self.admin_samdb.domain_dn()),
            scope=SCOPE_BASE,
            attrs=["objectSid"])
        self.assertEqual(1, len(res))

        self.unpriv_user_sid = ndr_unpack(security.dom_sid,
                                          res[0]["objectSid"][0])
        self.unpriv_user_dn = res[0].dn
        self.addCleanup(self.admin_samdb.delete, self.unpriv_user_dn)

        # LDAP connection authenticated as the unprivileged user (reopened
        # again at the end of this method; the first instance is unused
        # in between — NOTE(review): the second assignment looks redundant).
        self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)

        # SAMR over TCP with "[seal]" (encrypted RPC), again as the
        # unprivileged user; MAXIMUM_ALLOWED asks for whatever access the
        # caller is actually granted rather than a fixed mask.
        self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % host, lp,
                              self.unpriv_creds)
        self.samr_handle = self.samr.Connect2(
            None, security.SEC_FLAG_MAXIMUM_ALLOWED)
        self.samr_domain = self.samr.OpenDomain(
            self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED,
            self.domain_sid)

        self.sd_utils = sd_utils.SDUtils(self.admin_samdb)

        self.admin_samdb.create_ou(self.OU)
        # "tree_delete:1": critical control so the cleanup fails loudly if the
        # server cannot delete the subtree.
        self.addCleanup(self.admin_samdb.delete, self.OU, ["tree_delete:1"])

        # NOTE(review): re-reads the SID already unpacked above; presumably
        # harmless, but one of the two lookups could go.
        self.unpriv_user_sid = self.sd_utils.get_object_sid(
            self.unpriv_user_dn)
        # SDDL object-ACE: allow the user to Create Child objects (CC) of the
        # class named by the GUID (appears to be the computer class
        # schemaIDGUID) directly under the OU.
        mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(
            self.unpriv_user_sid)
        old_sd = self.sd_utils.read_sd_on_dn(self.OU)
        # Grant the ACE only for as long as it takes to create the template
        # computer, then restore the OU's original descriptor so the later
        # tests run against an unmodified OU.
        self.sd_utils.dacl_add_ace(self.OU, mod)
        self.add_computer_ldap("testcomputer-t")
        self.sd_utils.modify_sd_on_dn(self.OU, old_sd)

        self.computernames = ["testcomputer-0"]

        # Get the SD of the template account, then force it to match
        # what we expect for SeMachineAccountPrivilege accounts, so we
        # can confirm we created the accounts correctly
        self.sd_reference_cc = self.sd_utils.read_sd_on_dn(
            "CN=testcomputer-t,%s" % (self.OU))
        # Read a second, independent copy: the loop below mutates it and
        # ``sd_reference_cc`` must stay as the server returned it.
        self.sd_reference_modify = self.sd_utils.read_sd_on_dn(
            "CN=testcomputer-t,%s" % (self.OU))
        for ace in self.sd_reference_modify.dacl.aces:
            # Only the ALLOW ACE for the unprivileged user gets the extra
            # self-write and write-property bits.
            if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and ace.trustee == self.unpriv_user_sid:
                ace.access_mask = ace.access_mask | security.SEC_ADS_SELF_WRITE | security.SEC_ADS_WRITE_PROP

        # Now reconnect without domain admin rights
        self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
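    def setUp(self):
        """Build the fixture: a fresh user, a chain of nested groups, a token.

        As the admin connection this creates ``self.test_user`` and seven
        groups ``tokengroups_group0`` .. ``tokengroups_group6``.  The user is
        a direct member of groups 0, 1, 2 and 6; groups 3, 4 and 5 are nested
        (1 -> 3 -> 4 -> 5) so membership in them is only transitive.  It then
        connects as the user, resolves the user's SID and DN, and builds
        ``self.user_sids`` (string SIDs of the locally constructed session
        token) for the tests to compare with the server's tokenGroups.
        """
        super(DynamicTokenTest, self).setUp()
        self.admin_ldb = SamDB(url, credentials=creds,
                               session_info=system_session(lp), lp=lp)
        self.base_dn = self.admin_ldb.domain_dn()
        # NOTE(review): both literals appear redacted in this copy ("******");
        # confirm the real fixture values against the upstream test.
        self.test_user = "******"
        self.test_user_pass = "******"
        self.admin_ldb.newuser(self.test_user, self.test_user_pass)

        # Group names stay as attributes because the tests refer to them.
        # Creation order matters: a nested group must exist before it is
        # added as a member of the next one.
        self.test_group0 = "tokengroups_group0"
        self.test_group0_sid = self._create_test_group(
            self.test_group0, dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
            self.test_user)
        self.test_group1 = "tokengroups_group1"
        self.test_group1_sid = self._create_test_group(
            self.test_group1, dsdb.GTYPE_SECURITY_GLOBAL_GROUP,
            self.test_user)
        self.test_group2 = "tokengroups_group2"
        self.test_group2_sid = self._create_test_group(
            self.test_group2, dsdb.GTYPE_SECURITY_UNIVERSAL_GROUP,
            self.test_user)
        self.test_group3 = "tokengroups_group3"
        self.test_group3_sid = self._create_test_group(
            self.test_group3, dsdb.GTYPE_SECURITY_UNIVERSAL_GROUP,
            self.test_group1)
        self.test_group4 = "tokengroups_group4"
        self.test_group4_sid = self._create_test_group(
            self.test_group4, dsdb.GTYPE_SECURITY_UNIVERSAL_GROUP,
            self.test_group3)
        self.test_group5 = "tokengroups_group5"
        self.test_group5_sid = self._create_test_group(
            self.test_group5, dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
            self.test_group4)
        self.test_group6 = "tokengroups_group6"
        self.test_group6_sid = self._create_test_group(
            self.test_group6, dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
            self.test_user)

        # From here on everything is seen through the unprivileged user's
        # own connection and token.
        self.ldb = self.get_ldb_connection(self.test_user, self.test_user_pass)
        res = self.ldb.search("", scope=ldb.SCOPE_BASE, attrs=["tokenGroups"])
        self.assertEqual(len(res), 1)
        # The first tokenGroups value of the rootDSE is taken as the user's
        # own SID; the lookups below rely on that ordering.
        self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
                                   res[0]["tokenGroups"][0])
        self.user_sid_dn = "<SID=%s>" % str(self.user_sid)
        res = self.ldb.search(self.user_sid_dn, scope=ldb.SCOPE_BASE, attrs=[])
        self.assertEqual(len(res), 1)
        self.test_user_dn = res[0].dn

        session_info_flags = (AUTH_SESSION_INFO_DEFAULT_GROUPS
                              | AUTH_SESSION_INFO_AUTHENTICATED
                              | AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
        # presumably so the locally built token mirrors an NTLM logon when
        # the test credentials cannot use Kerberos — verify against the tests
        if creds.get_kerberos_state() == DONT_USE_KERBEROS:
            session_info_flags |= AUTH_SESSION_INFO_NTLM
        session = samba.auth.user_session(self.ldb, lp_ctx=lp,
                                          dn=self.user_sid_dn,
                                          session_info_flags=session_info_flags)
        self.user_sids = [str(s) for s in session.security_token.sids]

    def _create_test_group(self, name, grouptype, member):
        """Create group *name* under cn=users, add one member, return its SID.

        Args:
            name: CN of the group handed to ``newgroup``.
            grouptype: a ``dsdb.GTYPE_SECURITY_*`` group type constant.
            member: name of the user or group to add as the initial member.

        Returns:
            The new group's ``objectSid`` unpacked as a ``dom_sid``.
        """
        self.admin_ldb.newgroup(name, grouptype=grouptype)
        res = self.admin_ldb.search(
            base="cn=%s,cn=users,%s" % (name, self.base_dn),
            attrs=["objectSid"],
            scope=ldb.SCOPE_BASE)
        sid = ndr_unpack(samba.dcerpc.security.dom_sid,
                         res[0]["objectSid"][0])
        self.admin_ldb.add_remove_group_members(name, [member],
                                                add_members_operation=True)
        return sid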
    def get_ldb_connection(self, target_username, target_password):
        """Open a SamDB connection to ``url`` authenticated as *target_username*.

        The credentials object comes from ``self.get_creds``; the returned
        connection is owned by the caller from then on.
        """
        return SamDB(url=url,
                     credentials=self.get_creds(target_username,
                                                target_password),
                     lp=lp)
    def get_db(self, H, sambaopts, credopts):
        """Connect to the SAM database at *H* using the command-line option groups.

        Args:
            H: LDAP URL or local database path passed to ``SamDB`` as ``url``.
            sambaopts: option group supplying the loadparm context.
            credopts: option group supplying credentials; ``fallback_machine=True``
                allows the machine-account fallback when no user credentials
                were supplied.

        Returns:
            An open ``SamDB`` connection.
        """
        loadparm = sambaopts.get_loadparm()
        return SamDB(url=H,
                     credentials=credopts.get_credentials(loadparm,
                                                          fallback_machine=True),
                     lp=loadparm)
def test_multiple_searches(self): """The maximum number of concurrent vlv searches per connection is currently set at 3. That means if you open 4 VLV searches the cookie on the first one should fail. """ # Windows has a limit of 10 VLVs where there are low numbers # of objects in each search. attrs = ([ x for x in self.users[0].keys() if x not in ('dn', 'objectclass') ] * 2)[:12] vlv_cookies = [] for attr in attrs: sort_control = "server_sort:1:0:%s" % attr res = self.ldb.search(self.ou, scope=ldb.SCOPE_ONELEVEL, attrs=[attr], controls=[sort_control, "vlv:1:1:1:1:0"]) cookie = get_cookie(res.controls, len(self.users)) vlv_cookies.append(cookie) time.sleep(0.2) # now this one should fail self.assertRaises( ldb.LdbError, self.ldb.search, self.ou, scope=ldb.SCOPE_ONELEVEL, attrs=[attr], controls=[sort_control, "vlv:1:1:1:1:0:%s" % vlv_cookies[0]]) # and this one should succeed res = self.ldb.search( self.ou, scope=ldb.SCOPE_ONELEVEL, attrs=[attr], controls=[sort_control, "vlv:1:1:1:1:0:%s" % vlv_cookies[-1]]) # this one should fail because it is a new connection and # doesn't share cookies new_ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp) self.assertRaises( ldb.LdbError, new_ldb.search, self.ou, scope=ldb.SCOPE_ONELEVEL, attrs=[attr], controls=[sort_control, "vlv:1:1:1:1:0:%s" % vlv_cookies[-1]]) # but now without the critical flag it just does no VLV. new_ldb.search( self.ou, scope=ldb.SCOPE_ONELEVEL, attrs=[attr], controls=[sort_control, "vlv:0:1:1:1:0:%s" % vlv_cookies[-1]])
from samba.param import LoadParm from samba.provision import ( ProvisionPaths, ProvisionNames, ) from samba.provision.common import (setup_path, setup_add_ldif, setup_ldb) from samba.provision.sambadns import secretsdb_setup_dns if __name__ == '__main__': ## most of this is extracted from source4/scripting/python/samba/provision/* lp = LoadParm() lp.load('/etc/samba/smb.conf') samdb = SamDB('/var/lib/samba/private/sam.ldb', session_info=system_session(lp), lp=lp) secretsdb = samba.Ldb('/var/lib/samba/private/secrets.ldb', session_info=system_session(lp), lp=lp) paths = ProvisionPaths() paths.private_dir = lp.get("private dir") names = ProvisionNames() # NT domain, kerberos realm, root dn, domain dn, domain dns name names.realm = lp.get("realm").upper() names.domain = lp.get("workgroup").upper() names.domaindn = samdb.domain_dn() names.dnsdomain = samba.ldb.Dn(samdb, names.domaindn).canonical_str().replace(