"""test removal of 1 site"""
self.ldb_admin.transaction_start()
ok = sites.delete_site(self.ldb_admin, self.ldb_admin.get_config_basedn(),
"testsamba")
self.ldb_admin.transaction_commit()
self.assertRaises(sites.SiteNotFoundException,
sites.delete_site, self.ldb_admin, self.ldb_admin.get_config_basedn(),
"testsamba")
def test_delete_not_empty(self):
"""test removal of 1 site with servers"""
self.assertRaises(sites.SiteServerNotEmptyException,
sites.delete_site, self.ldb_admin, self.ldb_admin.get_config_basedn(),
"Default-First-Site-Name")
ldb = SamDB(ldapshost, credentials=creds, session_info=system_session(lp), lp=lp)
runner = SubunitTestRunner()
rc = 0
if not runner.run(unittest.makeSuite(SimpleSitesTests)).wasSuccessful():
rc = 1
sys.exit(rc)
def setUp(self):
super(UserAccountControlTests, self).setUp()
self.admin_creds = creds
self.admin_samdb = SamDB(url=ldaphost,
session_info=system_session(),
credentials=self.admin_creds,
lp=lp)
self.domain_sid = security.dom_sid(self.admin_samdb.get_domain_sid())
self.base_dn = self.admin_samdb.domain_dn()
self.unpriv_user = "******"
self.unpriv_user_pw = "samba123@"
self.unpriv_creds = self.get_creds(self.unpriv_user,
self.unpriv_user_pw)
self.OU = "OU=test_computer_ou1,%s" % (self.base_dn)
delete_force(self.admin_samdb, self.OU, controls=["tree_delete:0"])
delete_force(self.admin_samdb,
"CN=%s,CN=Users,%s" % (self.unpriv_user, self.base_dn))
self.admin_samdb.newuser(self.unpriv_user, self.unpriv_user_pw)
res = self.admin_samdb.search(
"CN=%s,CN=Users,%s" %
(self.unpriv_user, self.admin_samdb.domain_dn()),
scope=SCOPE_BASE,
attrs=["objectSid"])
self.assertEqual(1, len(res))
self.unpriv_user_sid = ndr_unpack(security.dom_sid,
res[0]["objectSid"][0])
self.unpriv_user_dn = res[0].dn
self.addCleanup(self.admin_samdb.delete, self.unpriv_user_dn)
self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % host, lp,
self.unpriv_creds)
self.samr_handle = self.samr.Connect2(
None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(
self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED,
self.domain_sid)
self.sd_utils = sd_utils.SDUtils(self.admin_samdb)
self.admin_samdb.create_ou(self.OU)
self.addCleanup(self.admin_samdb.delete, self.OU, ["tree_delete:1"])
self.unpriv_user_sid = self.sd_utils.get_object_sid(
self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(
self.unpriv_user_sid)
old_sd = self.sd_utils.read_sd_on_dn(self.OU)
self.sd_utils.dacl_add_ace(self.OU, mod)
self.add_computer_ldap("testcomputer-t")
self.sd_utils.modify_sd_on_dn(self.OU, old_sd)
self.computernames = ["testcomputer-0"]
# Get the SD of the template account, then force it to match
# what we expect for SeMachineAccountPrivilege accounts, so we
# can confirm we created the accounts correctly
self.sd_reference_cc = self.sd_utils.read_sd_on_dn(
"CN=testcomputer-t,%s" % (self.OU))
self.sd_reference_modify = self.sd_utils.read_sd_on_dn(
"CN=testcomputer-t,%s" % (self.OU))
for ace in self.sd_reference_modify.dacl.aces:
if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and ace.trustee == self.unpriv_user_sid:
ace.access_mask = ace.access_mask | security.SEC_ADS_SELF_WRITE | security.SEC_ADS_WRITE_PROP
# Now reconnect without domain admin rights
self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
def setUp(self):
super(DynamicTokenTest, self).setUp()
self.admin_ldb = SamDB(url,
credentials=creds,
session_info=system_session(lp),
lp=lp)
self.base_dn = self.admin_ldb.domain_dn()
self.test_user = "******"
self.test_user_pass = "******"
self.admin_ldb.newuser(self.test_user, self.test_user_pass)
self.test_group0 = "tokengroups_group0"
self.admin_ldb.newgroup(
self.test_group0, grouptype=dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)
res = self.admin_ldb.search(base="cn=%s,cn=users,%s" %
(self.test_group0, self.base_dn),
attrs=["objectSid"],
scope=ldb.SCOPE_BASE)
self.test_group0_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
res[0]["objectSid"][0])
self.admin_ldb.add_remove_group_members(self.test_group0,
[self.test_user],
add_members_operation=True)
self.test_group1 = "tokengroups_group1"
self.admin_ldb.newgroup(self.test_group1,
grouptype=dsdb.GTYPE_SECURITY_GLOBAL_GROUP)
res = self.admin_ldb.search(base="cn=%s,cn=users,%s" %
(self.test_group1, self.base_dn),
attrs=["objectSid"],
scope=ldb.SCOPE_BASE)
self.test_group1_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
res[0]["objectSid"][0])
self.admin_ldb.add_remove_group_members(self.test_group1,
[self.test_user],
add_members_operation=True)
self.test_group2 = "tokengroups_group2"
self.admin_ldb.newgroup(self.test_group2,
grouptype=dsdb.GTYPE_SECURITY_UNIVERSAL_GROUP)
res = self.admin_ldb.search(base="cn=%s,cn=users,%s" %
(self.test_group2, self.base_dn),
attrs=["objectSid"],
scope=ldb.SCOPE_BASE)
self.test_group2_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
res[0]["objectSid"][0])
self.admin_ldb.add_remove_group_members(self.test_group2,
[self.test_user],
add_members_operation=True)
self.test_group3 = "tokengroups_group3"
self.admin_ldb.newgroup(self.test_group3,
grouptype=dsdb.GTYPE_SECURITY_UNIVERSAL_GROUP)
res = self.admin_ldb.search(base="cn=%s,cn=users,%s" %
(self.test_group3, self.base_dn),
attrs=["objectSid"],
scope=ldb.SCOPE_BASE)
self.test_group3_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
res[0]["objectSid"][0])
self.admin_ldb.add_remove_group_members(self.test_group3,
[self.test_group1],
add_members_operation=True)
self.test_group4 = "tokengroups_group4"
self.admin_ldb.newgroup(self.test_group4,
grouptype=dsdb.GTYPE_SECURITY_UNIVERSAL_GROUP)
res = self.admin_ldb.search(base="cn=%s,cn=users,%s" %
(self.test_group4, self.base_dn),
attrs=["objectSid"],
scope=ldb.SCOPE_BASE)
self.test_group4_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
res[0]["objectSid"][0])
self.admin_ldb.add_remove_group_members(self.test_group4,
[self.test_group3],
add_members_operation=True)
self.test_group5 = "tokengroups_group5"
self.admin_ldb.newgroup(
self.test_group5, grouptype=dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)
res = self.admin_ldb.search(base="cn=%s,cn=users,%s" %
(self.test_group5, self.base_dn),
attrs=["objectSid"],
scope=ldb.SCOPE_BASE)
self.test_group5_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
res[0]["objectSid"][0])
self.admin_ldb.add_remove_group_members(self.test_group5,
[self.test_group4],
add_members_operation=True)
self.test_group6 = "tokengroups_group6"
self.admin_ldb.newgroup(
self.test_group6, grouptype=dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)
res = self.admin_ldb.search(base="cn=%s,cn=users,%s" %
(self.test_group6, self.base_dn),
attrs=["objectSid"],
scope=ldb.SCOPE_BASE)
self.test_group6_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
res[0]["objectSid"][0])
self.admin_ldb.add_remove_group_members(self.test_group6,
[self.test_user],
add_members_operation=True)
self.ldb = self.get_ldb_connection(self.test_user, self.test_user_pass)
res = self.ldb.search("", scope=ldb.SCOPE_BASE, attrs=["tokenGroups"])
self.assertEqual(len(res), 1)
self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
res[0]["tokenGroups"][0])
self.user_sid_dn = "<SID=%s>" % str(self.user_sid)
res = self.ldb.search(self.user_sid_dn, scope=ldb.SCOPE_BASE, attrs=[])
self.assertEqual(len(res), 1)
self.test_user_dn = res[0].dn
session_info_flags = (AUTH_SESSION_INFO_DEFAULT_GROUPS
| AUTH_SESSION_INFO_AUTHENTICATED
| AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
if creds.get_kerberos_state() == DONT_USE_KERBEROS:
session_info_flags |= AUTH_SESSION_INFO_NTLM
session = samba.auth.user_session(
self.ldb,
lp_ctx=lp,
dn=self.user_sid_dn,
session_info_flags=session_info_flags)
token = session.security_token
self.user_sids = []
for s in token.sids:
self.user_sids.append(str(s))
def get_ldb_connection(self, target_username, target_password):
creds_tmp = self.get_creds(target_username, target_password)
ldb_target = SamDB(url=url, credentials=creds_tmp, lp=lp)
return ldb_target
def get_db(self, H, sambaopts, credopts):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H, credentials=creds, lp=lp)
return samdb
def test_multiple_searches(self):
"""The maximum number of concurrent vlv searches per connection is
currently set at 3. That means if you open 4 VLV searches the
cookie on the first one should fail.
"""
# Windows has a limit of 10 VLVs where there are low numbers
# of objects in each search.
attrs = ([
x for x in self.users[0].keys() if x not in ('dn', 'objectclass')
] * 2)[:12]
vlv_cookies = []
for attr in attrs:
sort_control = "server_sort:1:0:%s" % attr
res = self.ldb.search(self.ou,
scope=ldb.SCOPE_ONELEVEL,
attrs=[attr],
controls=[sort_control, "vlv:1:1:1:1:0"])
cookie = get_cookie(res.controls, len(self.users))
vlv_cookies.append(cookie)
time.sleep(0.2)
# now this one should fail
self.assertRaises(
ldb.LdbError,
self.ldb.search,
self.ou,
scope=ldb.SCOPE_ONELEVEL,
attrs=[attr],
controls=[sort_control,
"vlv:1:1:1:1:0:%s" % vlv_cookies[0]])
# and this one should succeed
res = self.ldb.search(
self.ou,
scope=ldb.SCOPE_ONELEVEL,
attrs=[attr],
controls=[sort_control,
"vlv:1:1:1:1:0:%s" % vlv_cookies[-1]])
# this one should fail because it is a new connection and
# doesn't share cookies
new_ldb = SamDB(host,
credentials=creds,
session_info=system_session(lp),
lp=lp)
self.assertRaises(
ldb.LdbError,
new_ldb.search,
self.ou,
scope=ldb.SCOPE_ONELEVEL,
attrs=[attr],
controls=[sort_control,
"vlv:1:1:1:1:0:%s" % vlv_cookies[-1]])
# but now without the critical flag it just does no VLV.
new_ldb.search(
self.ou,
scope=ldb.SCOPE_ONELEVEL,
attrs=[attr],
controls=[sort_control,
"vlv:0:1:1:1:0:%s" % vlv_cookies[-1]])
from samba.param import LoadParm
from samba.provision import (
ProvisionPaths,
ProvisionNames,
)
from samba.provision.common import (setup_path, setup_add_ldif, setup_ldb)
from samba.provision.sambadns import secretsdb_setup_dns
if __name__ == '__main__':
## most of this is extracted from source4/scripting/python/samba/provision/*
lp = LoadParm()
lp.load('/etc/samba/smb.conf')
samdb = SamDB('/var/lib/samba/private/sam.ldb',
session_info=system_session(lp),
lp=lp)
secretsdb = samba.Ldb('/var/lib/samba/private/secrets.ldb',
session_info=system_session(lp),
lp=lp)
paths = ProvisionPaths()
paths.private_dir = lp.get("private dir")
names = ProvisionNames()
# NT domain, kerberos realm, root dn, domain dn, domain dns name
names.realm = lp.get("realm").upper()
names.domain = lp.get("workgroup").upper()
names.domaindn = samdb.domain_dn()
names.dnsdomain = samba.ldb.Dn(samdb,
names.domaindn).canonical_str().replace(
