author | Nadezhda Ivanova <nivanova@samba.org> | 2010-11-25 19:57:51 +0200 |
---|---|---|
committer | Nadezhda Ivanova <nivanova@samba.org> | 2010-11-25 19:46:42 +0100 |
commit | 1e9a7882bead2a87eedcd5ddfe2b4df6a2b57306 (patch) | |
tree | e2ac591d5c20218ccc34cec1d3025b94341b2a4c | |
parent | db403ac35dde415231498aee41b2306dfbe6a983 (diff) | |
s4-tests: Modified create_ou to only accept security.descriptor type for sd to avoid confusion
It used to work with sddl as well, but this is confusing and could lead to errors. It also caused a message about tallocing a security descriptor to appear.
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Thu Nov 25 19:46:42 CET 2010 on sn-devel-104
-rwxr-xr-x | source4/dsdb/tests/python/acl.py | 64 | ||||
-rw-r--r-- | source4/scripting/python/samba/samdb.py | 12 |
2 files changed, 31 insertions, 45 deletions
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index 691f358d80..fb6676693e 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -736,16 +736,13 @@ class AclSearchTests(AclTests):
 self.create_clean_ou("OU=ou1," + self.base_dn)
 mod = "(A;;LC;;;%s)(A;;LC;;;%s)" % (str(self.user_sid), str(self.group_sid))
 self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
- self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn,
- "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
- self.ldb_admin.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
- "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
- self.ldb_admin.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn,
- "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
- self.ldb_admin.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
- "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
- self.ldb_admin.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn,
- "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
+ tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
+ self.domain_sid)
+ self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
+ self.ldb_admin.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
+ self.ldb_admin.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
+ self.ldb_admin.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
+ self.ldb_admin.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
 #regular users must see only ou1 and ou2
 res = self.ldb_user3.search("OU=ou1," + self.base_dn, expression="(objectClass=*)",
@@ -807,16 +804,13 @@ class AclSearchTests(AclTests):
 self.create_clean_ou("OU=ou1," + self.base_dn)
 mod = "(A;CI;LC;;;%s)(A;CI;LC;;;%s)" % (str(self.user_sid), str(self.group_sid))
 self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
- self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn,
- "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
- self.ldb_admin.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
- "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
- self.ldb_admin.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn,
- "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
- self.ldb_admin.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
- "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
- self.ldb_admin.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn,
- "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
+ tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
+ self.domain_sid)
+ self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
+ self.ldb_admin.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
+ self.ldb_admin.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
+ self.ldb_admin.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
+ self.ldb_admin.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
 print "Testing correct behavior on nonaccessible search base"
 try:
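Review bot: The new `from_sddl(...)` call in this hunk appends `+ mod` to the SDDL, while the removed `create_ou` calls passed only the `DA` ACE, so ou2–ou6 now carry the LC ACEs explicitly instead of receiving them only through `CI` inheritance from ou1. That is more than the type change the commit message describes, and it may let a regression in ACE inheritance go unnoticed, since an explicit grant would presumably produce the same search results. If inheritance is what the test is meant to exercise, build the descriptor as `security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)", self.domain_sid)`. The same applies to the hunk at -861 and to the `self.ldb_user.create_ou("OU=ou3,OU=ou2,OU=ou1," ...)` call in the hunk at -935, both of which previously omitted `mod`. The enclosing test methods start and end outside these hunks.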
@@ -861,16 +855,13 @@ class AclSearchTests(AclTests): self.create_clean_ou("OU=ou1," + self.base_dn) mod = "(A;CI;CC;;;%s)" % (str(self.user_sid)) self.dacl_add_ace("OU=ou1," + self.base_dn, mod) - self.ldb_user.create_ou("OU=ou2,OU=ou1," + self.base_dn, - "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)") - self.ldb_user.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, - "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)") - self.ldb_user.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn, - "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)") - self.ldb_user.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn, - "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)") - self.ldb_user.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn, - "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)") + tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod, + self.domain_sid) + self.ldb_user.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) + self.ldb_user.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) + self.ldb_user.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) + self.ldb_user.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) + self.ldb_user.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) ok_list = [Dn(self.ldb_admin, "OU=ou2,OU=ou1," + self.base_dn), Dn(self.ldb_admin, "OU=ou1," + self.base_dn)] 
@@ -891,8 +882,9 @@ class AclSearchTests(AclTests): self.create_clean_ou("OU=ou1," + self.base_dn) mod = "(A;CI;LC;;;%s)" % (str(self.user_sid)) self.dacl_add_ace("OU=ou1," + self.base_dn, mod) - self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, - "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod) + tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod, + self.domain_sid) + self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) # assert user can only see dn res = self.ldb_user.search("OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)", scope=SCOPE_SUBTREE) @@ -935,10 +927,10 @@ class AclSearchTests(AclTests): self.create_clean_ou("OU=ou1," + self.base_dn) mod = "(A;CI;LCCC;;;%s)" % (str(self.user_sid)) self.dacl_add_ace("OU=ou1," + self.base_dn, mod) - self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, - "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod) - self.ldb_user.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, - "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)") + tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod, + self.domain_sid) + self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) + self.ldb_user.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) res = self.ldb_user.search("OU=ou1," + self.base_dn, expression="(ou=ou3)", scope=SCOPE_SUBTREE) diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 109e948d5c..df1af165ac 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py 
@@ -663,16 +663,10 @@ accountExpires: %u
 "objectClass": "organizationalUnit"}
 if description:
- m["description"] = description
+ m["description"] = description
 if name:
- m["name"] = name
+ m["name"] = name
 if sd:
- assert(isinstance(sd, str) or isinstance(sd, security.descriptor))
- if isinstance(sd, str):
- sid = security.dom_sid(self.get_domain_sid())
- tmp_desc = security.descriptor.from_sddl(sd, sid)
- m["nTSecurityDescriptor"] = ndr_pack(tmp_desc)
- elif isinstance(sd, security.descriptor):
- m["nTSecurityDescriptor"] = ndr_pack(sd)
+ m["nTSecurityDescriptor"] = ndr_pack(sd)
 self.add(m) |
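Review bot: With the `assert` removed, nothing in the `if sd:` branch enforces the descriptor-only contract the commit message describes; a caller that still passes an SDDL string reaches `ndr_pack(sd)` directly and presumably fails there with an error that does not name the argument. An explicit guard before the pack, `if not isinstance(sd, security.descriptor): raise TypeError("sd must be a security.descriptor")`, would make the misuse obvious and, unlike `assert`, is not stripped under `python -O`. The docstring of the method lies outside this hunk; it should state that `sd` no longer accepts SDDL text. The method body starts outside the hunk.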