def setUp(self): super(AclSearchSpeedTest, self).setUp() self.ldb_admin.newuser("acltestuser", "samba123@") self.sd_utils = sd_utils.SDUtils(self.ldb_admin) self.ldb_user = self.get_ldb_connection("acltestuser", "samba123@") self.user_sid = self.sd_utils.get_object_sid( self.get_user_dn("acltestuser"))
def __init__(self, samdb, fix=False, add_update_container=True): """ :param samdb: LDB database :param fix: Apply the update if the container is missing :param add_update_container: Add the container at the end of the change :raise DomainUpdateException: """ self.samdb = samdb self.fix = fix self.add_update_container = add_update_container # TODO: In future we should check for inconsistencies when it claims it has been done self.check_update_applied = False self.config_dn = self.samdb.get_config_basedn() self.domain_dn = self.samdb.domain_dn() self.schema_dn = self.samdb.get_schema_basedn() self.sd_utils = sd_utils.SDUtils(samdb) self.domain_sid = security.dom_sid(samdb.get_domain_sid()) self.domainupdate_container = self.samdb.get_root_basedn() if not self.domainupdate_container.add_child( "CN=Operations,CN=DomainUpdates,CN=System"): raise DomainUpdateException( "Failed to add domain update container child") self.revision_object = self.samdb.get_root_basedn() if not self.revision_object.add_child( "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System"): raise DomainUpdateException("Failed to add revision object child")
def setUp(self): super(UserAccountControlTests, self).setUp() self.admin_creds = creds self.admin_samdb = SamDB(url=ldaphost, session_info=system_session(), credentials=self.admin_creds, lp=lp) self.domain_sid = security.dom_sid(self.admin_samdb.get_domain_sid()) self.base_dn = self.admin_samdb.domain_dn() self.unpriv_user = "******" self.unpriv_user_pw = "samba123@" self.unpriv_creds = self.get_creds(self.unpriv_user, self.unpriv_user_pw) delete_force(self.admin_samdb, "CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn)) delete_force(self.admin_samdb, "OU=test_computer_ou1,%s" % (self.base_dn)) delete_force(self.admin_samdb, "CN=%s,CN=Users,%s" % (self.unpriv_user, self.base_dn)) self.admin_samdb.newuser(self.unpriv_user, self.unpriv_user_pw) res = self.admin_samdb.search("CN=%s,CN=Users,%s" % (self.unpriv_user, self.admin_samdb.domain_dn()), scope=SCOPE_BASE, attrs=["objectSid"]) self.assertEqual(1, len(res)) self.unpriv_user_sid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0]) self.unpriv_user_dn = res[0].dn self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp) self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % host, lp, self.unpriv_creds) self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED) self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid) self.sd_utils = sd_utils.SDUtils(self.admin_samdb) self.admin_samdb.create_ou("OU=test_computer_ou1," + self.base_dn) self.unpriv_user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn) mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.unpriv_user_sid) old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn) self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod) self.add_computer_ldap("testcomputer-t") self.sd_utils.modify_sd_on_dn("OU=test_computer_ou1," + self.base_dn, old_sd) self.computernames = ["testcomputer-0"] # Get the SD of the template account, then force it to match # what we expect for SeMachineAccountPrivilege accounts, so we # can confirm we created the accounts correctly self.sd_reference_cc = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn)) self.sd_reference_modify = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn)) for ace in self.sd_reference_modify.dacl.aces: if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and ace.trustee == self.unpriv_user_sid: ace.access_mask = ace.access_mask | security.SEC_ADS_SELF_WRITE | security.SEC_ADS_WRITE_PROP # Now reconnect without domain admin rights self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
def setUp(self): super(DrsReplicaSyncUnprivTestCase, self).setUp() self.get_changes_user = "******" self.base_dn = self.ldb_dc1.get_default_basedn() self.ou = "OU=test_getncchanges,%s" % self.base_dn self.user_pass = samba.generate_random_password(12, 16) self.ldb_dc1.add({"dn": self.ou, "objectclass": "organizationalUnit"}) self.ldb_dc1.newuser(self.get_changes_user, self.user_pass, userou="OU=test_getncchanges") (self.drs, self.drs_handle) = self._ds_bind(self.dnsname_dc1) self.sd_utils = sd_utils.SDUtils(self.ldb_dc1) user_dn = "cn=%s,%s" % (self.get_changes_user, self.ou) user_sid = self.sd_utils.get_object_sid(user_dn) mod = "(A;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;%s)" % str( user_sid) self.sd_utils.dacl_add_ace(self.base_dn, mod) # We set DONT_USE_KERBEROS to avoid a race with getting the # user replicated to our selected KDC self.user_creds = self.insta_creds(template=self.get_credentials(), username=self.get_changes_user, userpass=self.user_pass, kerberos_state=DONT_USE_KERBEROS) (self.user_drs, self.user_drs_handle) = self._ds_bind(self.dnsname_dc1, self.user_creds)
def setUp(self): super().setUp() strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True) if strict_checking is None: strict_checking = '1' self.strict_checking = bool(int(strict_checking)) self.admin_creds = creds self.admin_samdb = SamDB(url=ldaphost, credentials=self.admin_creds, lp=lp) self.domain_sid = security.dom_sid(self.admin_samdb.get_domain_sid()) self.base_dn = self.admin_samdb.domain_dn() self.unpriv_user = "******" self.unpriv_user_pw = "samba123@" self.unpriv_creds = self.get_creds(self.unpriv_user, self.unpriv_user_pw) self.admin_sd_utils = sd_utils.SDUtils(self.admin_samdb) self.test_ou_name = "OU=test_priv_attrs" self.test_ou = self.test_ou_name + "," + self.base_dn delete_force(self.admin_samdb, self.test_ou, controls=["tree_delete:0"]) self.admin_samdb.create_ou(self.test_ou) expected_user_dn = f"CN={self.unpriv_user},{self.test_ou_name},{self.base_dn}" self.admin_samdb.newuser(self.unpriv_user, self.unpriv_user_pw, userou=self.test_ou_name) res = self.admin_samdb.search(expected_user_dn, scope=SCOPE_BASE, attrs=["objectSid"]) self.assertEqual(1, len(res)) self.unpriv_user_dn = res[0].dn self.addCleanup(delete_force, self.admin_samdb, self.unpriv_user_dn, controls=["tree_delete:0"]) self.unpriv_user_sid = self.admin_sd_utils.get_object_sid( self.unpriv_user_dn) self.unpriv_samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
def setUp(self): super(DirsyncBaseTests, self).setUp() self.ldb_admin = ldb self.base_dn = ldb.domain_dn() self.domain_sid = security.dom_sid(ldb.get_domain_sid()) self.user_pass = "******" self.configuration_dn = self.ldb_admin.get_config_basedn( ).get_linearized() self.sd_utils = sd_utils.SDUtils(ldb) #used for anonymous login print "baseDN: %s" % self.base_dn
def setUp(self): super(TrafficEmulatorPacketTests, self).setUp() self.server = os.environ["SERVER"] self.domain = os.environ["DOMAIN"] self.host = os.environ["SERVER_IP"] self.lp = self.get_loadparm() self.session = system_session() self.credentials = self.get_credentials() self.ldb = SamDB(url="ldap://%s" % self.host, session_info=self.session, credentials=self.credentials, lp=self.lp) self.domain_sid = self.ldb.get_domain_sid() traffic.clean_up_accounts(self.ldb, 1) self.tempdir = tempfile.mkdtemp(prefix="traffic_packet_test_") self.context = traffic.ReplayContext(server=self.server, lp=self.lp, creds=self.credentials, tempdir=self.tempdir, ou=traffic.ou_name(self.ldb, 1), domain_sid=self.domain_sid) self.conversation = traffic.Conversation() self.conversation.conversation_id = 1 self.machinename = "STGM-1-1" self.machinepass = samba.generate_random_password(32, 32) self.username = "******" self.userpass = samba.generate_random_password(32, 32) account = traffic.ConversationAccounts( self.machinename, self.machinepass, self.username, self.userpass) traffic.create_ou(self.ldb, 1) traffic.create_machine_account(self.ldb, 1, self.machinename, self.machinepass) traffic.create_user_account(self.ldb, 1, self.username, self.userpass) self.context.generate_process_local_config(account, self.conversation) # grant user write permission to do things like write account SPN sdutils = sd_utils.SDUtils(self.ldb) mod = "(A;;WP;;;PS)" sdutils.dacl_add_ace(self.context.user_dn, mod)
def setUp(self): super(DirsyncBaseTests, self).setUp() self.ldb_admin = SamDB(ldapshost, credentials=creds, session_info=system_session(lp), lp=lp) self.base_dn = self.ldb_admin.domain_dn() self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid()) self.user_pass = samba.generate_random_password(12, 16) self.configuration_dn = self.ldb_admin.get_config_basedn( ).get_linearized() self.sd_utils = sd_utils.SDUtils(self.ldb_admin) #used for anonymous login print("baseDN: %s" % self.base_dn)
def setUp(self): super(ReplAclTestCase, self).setUp() self.mod = "(A;CIOI;GA;;;SY)" self.mod_becomes = "(A;OICIIO;GA;;;SY)" self.mod_inherits_as = "(A;OICIIOID;GA;;;SY)" self.sd_utils_dc1 = sd_utils.SDUtils(self.ldb_dc1) self.sd_utils_dc2 = sd_utils.SDUtils(self.ldb_dc2) self.ou = samba.tests.create_test_ou(self.ldb_dc1, "test_acl_inherit") # disable replication for the tests so we can control at what point # the DCs try to replicate self._disable_all_repl(self.dnsname_dc1) self._disable_all_repl(self.dnsname_dc2) # make sure DCs are synchronized before the test self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1, forced=True) self._net_drs_replicate(DC=self.dnsname_dc1, fromDC=self.dnsname_dc2, forced=True)
def __init__(self, samdb, verbose=False, fix=False, add_update_container=True): """ :param samdb: LDB database :param verbose: Show the ldif changes :param fix: Apply the update if the container is missing :param add_update_container: Add the container at the end of the change :raise ForestUpdateException: """ from samba.ms_forest_updates_markdown import read_ms_markdown self.samdb = samdb self.fix = fix self.verbose = verbose self.add_update_container = add_update_container # TODO In future we should check for inconsistencies when it claims it has been done self.check_update_applied = False self.config_dn = self.samdb.get_config_basedn() self.domain_dn = self.samdb.domain_dn() self.schema_dn = self.samdb.get_schema_basedn() self.sd_utils = sd_utils.SDUtils(samdb) self.domain_sid = security.dom_sid(samdb.get_domain_sid()) self.forestupdate_container = self.samdb.get_config_basedn() if not self.forestupdate_container.add_child( "CN=Operations,CN=ForestUpdates"): raise ForestUpdateException( "Failed to add forest update container child") self.revision_object = self.samdb.get_config_basedn() if not self.revision_object.add_child( "CN=ActiveDirectoryUpdate,CN=ForestUpdates"): raise ForestUpdateException("Failed to add revision object child") # Store the result of parsing the markdown in a dictionary self.stored_ldif = {} read_ms_markdown( setup_path("adprep/WindowsServerDocs/Forest-Wide-Updates.md"), out_dict=self.stored_ldif)
def setUp(self): super(DrsReplicaSyncUnprivTestCase, self).setUp() self.get_changes_user = "******" self.base_dn = self.ldb_dc1.get_default_basedn() self.user_pass = samba.generate_random_password(12, 16) # add some randomness to the test OU. (Deletion of the last test's # objects can be slow to replicate out. So the OU created by a previous # testenv may still exist at this point). rand = random.randint(1, 10000000) test_ou = "OU=test_getnc_unpriv%d" % rand self.ou = "%s,%s" % (test_ou, self.base_dn) self.ldb_dc1.add({ "dn": self.ou, "objectclass": "organizationalUnit"}) self.ldb_dc1.newuser(self.get_changes_user, self.user_pass, userou=test_ou) (self.drs, self.drs_handle) = self._ds_bind(self.dnsname_dc1) self.sd_utils = sd_utils.SDUtils(self.ldb_dc1) self.user_dn = "cn=%s,%s" % (self.get_changes_user, self.ou) user_sid = self.sd_utils.get_object_sid(self.user_dn) self.acl_mod_get_changes = "(OA;;CR;%s;;%s)" % (security.GUID_DRS_GET_CHANGES, str(user_sid)) self.acl_mod_get_all_changes = "(OA;;CR;%s;;%s)" % (security.GUID_DRS_GET_ALL_CHANGES, str(user_sid)) self.desc_sddl = self.sd_utils.get_sd_as_sddl(self.base_dn) # We set DONT_USE_KERBEROS to avoid a race with getting the # user replicated to our selected KDC self.user_creds = self.insta_creds(template=self.get_credentials(), username=self.get_changes_user, userpass=self.user_pass, kerberos_state=DONT_USE_KERBEROS) (self.user_drs, self.user_drs_handle) = self._ds_bind(self.dnsname_dc1, self.user_creds)
def setUp(self): super(ConfidentialAttrCommon, self).setUp() self.ldb_admin = SamDB(ldaphost, credentials=creds, session_info=system_session(lp), lp=lp) self.user_pass = "******" self.base_dn = self.ldb_admin.domain_dn() self.schema_dn = self.ldb_admin.get_schema_basedn() self.sd_utils = sd_utils.SDUtils(self.ldb_admin) # the tests work by setting the 'Confidential' bit in the searchFlags # for an existing schema attribute. This only works against Windows if # the systemFlags does not have FLAG_SCHEMA_BASE_OBJECT set for the # schema attribute being modified. There are only a few attributes that # meet this criteria (most of which only apply to 'user' objects) self.conf_attr = "homePostalAddress" attr_cn = "CN=Address-Home" # schemaIdGuid for homePostalAddress (used for ACE tests) self.conf_attr_guid = "16775781-47f3-11d1-a9c3-0000f80367c1" self.conf_attr_sec_guid = "77b5b886-944a-11d1-aebd-0000f80367c1" self.attr_dn = "{},{}".format(attr_cn, self.schema_dn) userou = "OU=conf-attr-test" self.ou = "{},{}".format(userou, self.base_dn) self.ldb_admin.create_ou(self.ou) # use a common username prefix, so we can use sAMAccountName=CATC-* as # a search filter to only return the users we're interested in self.user_prefix = "catc-" # add a test object with this attribute set self.conf_value = "abcdef" self.conf_user = "******".format(self.user_prefix) self.ldb_admin.newuser(self.conf_user, self.user_pass, userou=userou) self.conf_dn = self.get_user_dn(self.conf_user) self.add_attr(self.conf_dn, self.conf_attr, self.conf_value) # add a sneaky user that will try to steal our secrets self.user = "******".format(self.user_prefix) self.ldb_admin.newuser(self.user, self.user_pass, userou=userou) self.ldb_user = self.get_ldb_connection(self.user, self.user_pass) self.all_users = [self.user, self.conf_user] # add some other users that also have confidential attributes, so we can # check we don't disclose their details, particularly in '!' searches for i in range(1, 3): username = "******".format(self.user_prefix, i) self.ldb_admin.newuser(username, self.user_pass, userou=userou) userdn = self.get_user_dn(username) self.add_attr(userdn, self.conf_attr, "xyz{}".format(i)) self.all_users.append(username) # there are 4 users in the OU, plus the OU itself self.test_dn = self.ou self.total_objects = len(self.all_users) + 1 self.objects_with_attr = 3 # sanity-check the flag is not already set (this'll cause problems if # previous test run didn't clean up properly) search_flags = self.get_attr_search_flags(self.attr_dn) self.assertTrue( int(search_flags) & SEARCH_FLAG_CONFIDENTIAL == 0, "{} searchFlags already {}".format(self.conf_attr, search_flags))
def add_dns_records(samdb, name, dns_conn, change_owner_sd, server, ip_address_list, logger): """Add DNS A or AAAA records while creating computer. """ name = name.rstrip('$') client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN select_flags = dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA | dnsserver.DNS_RPC_VIEW_NO_CHILDREN zone = samdb.domain_dns_name() name_found = True sd_helper = sd_utils.SDUtils(samdb) try: buflen, res = dns_conn.DnssrvEnumRecords2( client_version, 0, server, zone, name, None, dnsp.DNS_TYPE_ALL, select_flags, None, None, ) except WERRORError as e: if e.args[0] == werror.WERR_DNS_ERROR_NAME_DOES_NOT_EXIST: name_found = False pass if name_found: for rec in res.rec: for record in rec.records: if record.wType == dnsp.DNS_TYPE_A or record.wType == dnsp.DNS_TYPE_AAAA: # delete record del_rec_buf = dnsserver.DNS_RPC_RECORD_BUF() del_rec_buf.rec = record try: dns_conn.DnssrvUpdateRecord2( client_version, 0, server, zone, name, None, del_rec_buf, ) except WERRORError as e: if e.args[ 0] != werror.WERR_DNS_ERROR_NAME_DOES_NOT_EXIST: raise for ip_address in ip_address_list: if _is_valid_ipv6(ip_address): logger.info("Adding DNS AAAA record %s.%s for IPv6 IP: %s" % (name, zone, ip_address)) rec = AAAARecord(ip_address) elif _is_valid_ipv4(ip_address): logger.info("Adding DNS A record %s.%s for IPv4 IP: %s" % (name, zone, ip_address)) rec = ARecord(ip_address) else: raise ValueError('Invalid IP: {}'.format(ip_address)) # Add record add_rec_buf = dnsserver.DNS_RPC_RECORD_BUF() add_rec_buf.rec = rec dns_conn.DnssrvUpdateRecord2( client_version, 0, server, zone, name, add_rec_buf, None, ) if (len(ip_address_list) > 0): domaindns_zone_dn = ldb.Dn( samdb, 'DC=DomainDnsZones,%s' % samdb.get_default_basedn(), ) dns_a_dn, ldap_record = samdb.dns_lookup( "%s.%s" % (name, zone), dns_partition=domaindns_zone_dn, ) # Make the DC own the DNS record, not the administrator sd_helper.modify_sd_on_dn( dns_a_dn, change_owner_sd, controls=[ "sd_flags:1:%d" % (security.SECINFO_OWNER | security.SECINFO_GROUP) ], )