summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZahari Zahariev <zahari.zahariev@postpath.com>2009-09-15 17:34:42 -0700
committerAndrew Bartlett <abartlet@samba.org>2009-09-16 07:51:45 -0700
commitfec33db90ebd998f17ed2d539d67abb448e09af2 (patch)
treee85d736ffa5409d3b3806da950bed83f6e01273a
parent932690c093692b1e9fca4dfa75c7cd55ea4e63b1 (diff)
downloadsamba-fec33db90ebd998f17ed2d539d67abb448e09af2.tar.gz
samba-fec33db90ebd998f17ed2d539d67abb448e09af2.tar.bz2
samba-fec33db90ebd998f17ed2d539d67abb448e09af2.zip
Tests for descriptor inheritance
Signed-off-by: Nadezhda Ivanova <nadezhda.ivanova@postpath.com> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/lib/ldb/tests/python/sec_descriptor.py1610
-rw-r--r--source4/selftest/knownfail1
-rwxr-xr-xsource4/selftest/tests.sh3
3 files changed, 1613 insertions, 1 deletions
diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py
new file mode 100644
index 0000000000..58a345450b
--- /dev/null
+++ b/source4/lib/ldb/tests/python/sec_descriptor.py
@@ -0,0 +1,1610 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+import getopt
+import optparse
+import sys
+import os
+import base64
+import re
+import random
+
+sys.path.append("bin/python")
+sys.path.append("../lib/subunit/python")
+
+import samba.getopt as options
+
+# Some error messages that are being tested
+from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
+from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM
+from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
+
+# For running the test unit
+from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc import security
+
+from samba.auth import system_session
+from samba import Ldb, DS_BEHAVIOR_WIN2008
+from subunit import SubunitTestRunner
+import unittest
+
+parser = optparse.OptionParser("ldap [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+opts, args = parser.parse_args()
+
+if len(args) < 1:
+ parser.print_usage()
+ sys.exit(1)
+
+host = args[0]
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+#
+# Tests start here
+#
+
+class DescriptorTests(unittest.TestCase):
+
+ def delete_force(self, ldb, dn):
+ try:
+ ldb.delete(dn)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_OBJECT)
+
+ def find_basedn(self, ldb):
+ res = ldb.search(base="", expression="", scope=SCOPE_BASE,
+ attrs=["defaultNamingContext"])
+ self.assertEquals(len(res), 1)
+ return res[0]["defaultNamingContext"][0]
+
+ def find_configurationdn(self, ldb):
+ res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
+ self.assertEquals(len(res), 1)
+ return res[0]["configurationNamingContext"][0]
+
+ def find_schemadn(self, ldb):
+ res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
+ self.assertEquals(len(res), 1)
+ return res[0]["schemaNamingContext"][0]
+
+ def find_domain_sid(self, ldb):
+ res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
+ return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+
+ def get_users_domain_dn(self, name):
+ return "CN=%s,CN=Users,%s" % (name, self.base_dn)
+
+ def modify_desc(self, object_dn, desc):
+ assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
+ mod = """
+dn: """ + object_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+"""
+ if isinstance(desc, str):
+ mod += "nTSecurityDescriptor: %s" % desc
+ elif isinstance(desc, security.descriptor):
+ mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
+ self.ldb_admin.modify_ldif(mod)
+
+ def create_domain_ou(self, _ldb, ou_dn, desc=None):
+ ldif = """
+dn: """ + ou_dn + """
+ou: """ + ou_dn.split(",")[0][3:] + """
+objectClass: organizationalUnit
+url: www.example.com
+"""
+ if desc:
+ assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
+ if isinstance(desc, str):
+ ldif += "nTSecurityDescriptor: %s" % desc
+ elif isinstance(desc, security.descriptor):
+ ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
+ _ldb.add_ldif(ldif)
+
+ def create_domain_user(self, _ldb, user_dn, desc=None):
+ ldif = """
+dn: """ + user_dn + """
+sAMAccountName: """ + user_dn.split(",")[0][3:] + """
+objectClass: user
+userPassword: samba123@
+url: www.example.com
+"""
+ if desc:
+ assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
+ if isinstance(desc, str):
+ ldif += "nTSecurityDescriptor: %s" % desc
+ elif isinstance(desc, security.descriptor):
+ ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
+ _ldb.add_ldif(ldif)
+
+ def create_domain_group(self, _ldb, group_dn, desc=None):
+ ldif = """
+dn: """ + group_dn + """
+objectClass: group
+sAMAccountName: """ + group_dn.split(",")[0][3:] + """
+groupType: 4
+url: www.example.com
+"""
+ if desc:
+ assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
+ if isinstance(desc, str):
+ ldif += "nTSecurityDescriptor: %s" % desc
+ elif isinstance(desc, security.descriptor):
+ ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
+ _ldb.add_ldif(ldif)
+
+ def get_unique_schema_class_name(self):
+ while True:
+ class_name = "test-class%s" % random.randint(1,100000)
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ try:
+ self.ldb_admin.search(base=class_dn, attrs=["*"])
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_OBJECT)
+ return class_name
+
+ def create_schema_class(self, _ldb, object_dn, desc=None):
+ ldif = """
+dn: """ + object_dn + """
+objectClass: classSchema
+objectCategory: CN=Class-Schema,""" + self.schema_dn + """
+defaultObjectCategory: """ + object_dn + """
+distinguishedName: """ + object_dn + """
+governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
+instanceType: 4
+objectClassCategory: 1
+subClassOf: organizationalPerson
+systemFlags: 16
+rDNAttID: cn
+systemMustContain: cn
+systemOnly: FALSE
+"""
+ if desc:
+ assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
+ if isinstance(desc, str):
+ ldif += "nTSecurityDescriptor: %s" % desc
+ elif isinstance(desc, security.descriptor):
+ ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
+ _ldb.add_ldif(ldif)
+
+ def create_configuration_container(self, _ldb, object_dn, desc=None):
+ ldif = """
+dn: """ + object_dn + """
+objectClass: container
+objectCategory: CN=Container,""" + self.schema_dn + """
+showInAdvancedViewOnly: TRUE
+instanceType: 4
+"""
+ if desc:
+ assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
+ if isinstance(desc, str):
+ ldif += "nTSecurityDescriptor: %s" % desc
+ elif isinstance(desc, security.descriptor):
+ ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
+ _ldb.add_ldif(ldif)
+
+ def create_configuration_specifier(self, _ldb, object_dn, desc=None):
+ ldif = """
+dn: """ + object_dn + """
+objectClass: displaySpecifier
+showInAdvancedViewOnly: TRUE
+"""
+ if desc:
+ assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
+ if isinstance(desc, str):
+ ldif += "nTSecurityDescriptor: %s" % desc
+ elif isinstance(desc, security.descriptor):
+ ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
+ _ldb.add_ldif(ldif)
+
+ def read_desc(self, object_dn):
+ res = self.ldb_admin.search(base=object_dn, attrs=["nTSecurityDescriptor"])
+ desc = res[0]["nTSecurityDescriptor"][0]
+ return ndr_unpack( security.descriptor, desc )
+
+ def enable_account(self, user_dn):
+ """Enable an account.
+ :param user_dn: Dn of the account to enable.
+ """
+ res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
+ assert len(res) == 1
+ userAccountControl = res[0]["userAccountControl"][0]
+ userAccountControl = int(userAccountControl)
+ if (userAccountControl & 0x2):
+ userAccountControl = userAccountControl & ~0x2 # remove disabled bit
+ if (userAccountControl & 0x20):
+ userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
+ mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: userAccountControl
+userAccountControl: %s""" % userAccountControl
+ if self.WIN2003:
+ mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
+ self.ldb_admin.modify_ldif(mod)
+
+ def get_ldb_connection(self, target_username, target_password):
+ username_save = creds.get_username(); password_save = creds.get_password()
+ creds.set_username(target_username)
+ creds.set_password(target_password)
+ ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
+ creds.set_username(username_save); creds.set_password(password_save)
+ return ldb_target
+
+ def get_object_sid(self, object_dn):
+ res = self.ldb_admin.search(object_dn)
+ return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
+
+ def dacl_add_ace(self, object_dn, ace):
+ desc = self.read_desc( object_dn )
+ desc_sddl = desc.as_sddl( self.domain_sid )
+ if ace in desc_sddl:
+ return
+ desc_sddl = desc_sddl[0:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
+ self.modify_desc(object_dn, desc_sddl)
+
+ def get_desc_sddl(self, object_dn):
+ """ Return object nTSecutiryDescriptor in SDDL format
+ """
+ desc = self.read_desc(object_dn)
+ return desc.as_sddl(self.domain_sid)
+
+ def setUp(self):
+ self.ldb_admin = ldb
+ self.base_dn = self.find_basedn(self.ldb_admin)
+ self.configuration_dn = self.find_configurationdn(self.ldb_admin)
+ self.schema_dn = self.find_schemadn(self.ldb_admin)
+ self.domain_sid = self.find_domain_sid(self.ldb_admin)
+ print "baseDN: %s" % self.base_dn
+ self.SAMBA = False; self.WIN2003 = False
+ res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"])
+ if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]:
+ self.SAMBA = True
+ else:
+ self.WIN2003 = True
+ #print "self.SAMBA:", self.SAMBA
+ #print "self.WIN2003:", self.WIN2003
+
+ ################################################################################################
+
+ ## Tests for DOMAIN
+
+ # Default descriptor tests #####################################################################
+
+class OwnerGroupDescriptorTests(DescriptorTests):
+
+ def setUp(self):
+ DescriptorTests.setUp(self)
+ if self.SAMBA:
+ ### Create users
+ # User 1
+ user_dn = self.get_users_domain_dn("testuser1")
+ self.create_domain_user(self.ldb_admin, user_dn)
+ self.enable_account(user_dn)
+ ldif = """
+dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn
+ self.ldb_admin.modify_ldif(ldif)
+ # User 2
+ user_dn = self.get_users_domain_dn("testuser2")
+ self.create_domain_user(self.ldb_admin, user_dn)
+ self.enable_account(user_dn)
+ ldif = """
+dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn
+ self.ldb_admin.modify_ldif(ldif)
+ # User 3
+ user_dn = self.get_users_domain_dn("testuser3")
+ self.create_domain_user(self.ldb_admin, user_dn)
+ self.enable_account(user_dn)
+ ldif = """
+dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn
+ self.ldb_admin.modify_ldif(ldif)
+ # User 4
+ user_dn = self.get_users_domain_dn("testuser4")
+ self.create_domain_user(self.ldb_admin, user_dn)
+ self.enable_account(user_dn)
+ # User 5
+ user_dn = self.get_users_domain_dn("testuser5")
+ self.create_domain_user(self.ldb_admin, user_dn)
+ self.enable_account(user_dn)
+ ldif = """
+dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn + """
+
+dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn
+ self.ldb_admin.modify_ldif(ldif)
+ # User 6
+ user_dn = self.get_users_domain_dn("testuser6")
+ self.create_domain_user(self.ldb_admin, user_dn)
+ self.enable_account(user_dn)
+ ldif = """
+dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn + """
+
+dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn + """
+
+dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn
+ self.ldb_admin.modify_ldif(ldif)
+ # User 7
+ user_dn = self.get_users_domain_dn("testuser7")
+ self.create_domain_user(self.ldb_admin, user_dn)
+ self.enable_account(user_dn)
+ ldif = """
+dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn + """
+
+dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn
+ self.ldb_admin.modify_ldif(ldif)
+ # User 8
+ user_dn = self.get_users_domain_dn("testuser8")
+ self.create_domain_user(self.ldb_admin, user_dn)
+ self.enable_account(user_dn)
+ ldif = """
+dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn + """
+
+dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
+changetype: add
+member: """ + user_dn
+ self.ldb_admin.modify_ldif(ldif)
+ self.results = {
+ # msDS-Behavior-Version < DS_BEHAVIOR_WIN2008
+ "ds_behavior_win2003" : {
+ "100" : "O:EAG:DU",
+ "101" : "O:DAG:DU",
+ "102" : "O:%sG:DU",
+ "103" : "O:%sG:DU",
+ "104" : "O:DAG:DU",
+ "105" : "O:DAG:DU",
+ "106" : "O:DAG:DU",
+ "107" : "O:EAG:DU",
+ "108" : "O:DAG:DA",
+ "109" : "O:DAG:DA",
+ "110" : "O:%sG:DA",
+ "111" : "O:%sG:DA",
+ "112" : "O:DAG:DA",
+ "113" : "O:DAG:DA",
+ "114" : "O:DAG:DA",
+ "115" : "O:DAG:DA",
+ "130" : "O:EAG:DU",
+ "131" : "O:DAG:DU",
+ "132" : "O:SAG:DU",
+ "133" : "O:%sG:DU",
+ "134" : "O:EAG:DU",
+ "135" : "O:SAG:DU",
+ "136" : "O:SAG:DU",
+ "137" : "O:SAG:DU",
+ "138" : "O:DAG:DA",
+ "139" : "O:DAG:DA",
+ "140" : "O:%sG:DA",
+ "141" : "O:%sG:DA",
+ "142" : "O:DAG:DA",
+ "143" : "O:DAG:DA",
+ "144" : "O:DAG:DA",
+ "145" : "O:DAG:DA",
+ "160" : "O:EAG:DU",
+ "161" : "O:DAG:DU",
+ "162" : "O:%sG:DU",
+ "163" : "O:%sG:DU",
+ "164" : "O:EAG:DU",
+ "165" : "O:EAG:DU",
+ "166" : "O:DAG:DU",
+ "167" : "O:EAG:DU",
+ "168" : "O:DAG:DA",
+ "169" : "O:DAG:DA",
+ "170" : "O:%sG:DA",
+ "171" : "O:%sG:DA",
+ "172" : "O:DAG:DA",
+ "173" : "O:DAG:DA",
+ "174" : "O:DAG:DA",
+ "175" : "O:DAG:DA",
+ },
+ # msDS-Behavior-Version >= 3
+ "ds_behavior_win2008" : {
+ "100" : "O:EAG:EA",
+ "101" : "O:DAG:DA",
+ "102" : "O:%sG:DU",
+ "103" : "O:%sG:DU",
+ "104" : "O:DAG:DA",
+ "105" : "O:DAG:DA",
+ "106" : "O:DAG:DA",
+ "107" : "O:EAG:EA",
+ "108" : "O:DAG:DA",
+ "109" : "O:DAG:DA",
+ "110" : "O:%sG:DA",
+ "111" : "O:%sG:DA",
+ "112" : "O:DAG:DA",
+ "113" : "O:DAG:DA",
+ "114" : "O:DAG:DA",
+ "115" : "O:DAG:DA",
+ "130" : "",
+ "131" : "",
+ "132" : "",
+ "133" : "%s",
+ "134" : "",
+ "135" : "",
+ "136" : "",
+ "137" : "",
+ "138" : "",
+ "139" : "",
+ "140" : "%s",
+ "141" : "%s",
+ "142" : "",
+ "143" : "",
+ "144" : "",
+ "145" : "",
+ "160" : "O:EAG:EA",
+ "161" : "O:DAG:DA",
+ "162" : "O:%sG:DU",
+ "163" : "O:%sG:DU",
+ "164" : "O:EAG:EA",
+ "165" : "O:EAG:EA",
+ "166" : "O:DAG:DA",
+ "167" : "O:EAG:EA",
+ "168" : "O:DAG:DA",
+ "169" : "O:DAG:DA",
+ "170" : "O:%sG:DA",
+ "171" : "O:%sG:DA",
+ "172" : "O:DAG:DA",
+ "173" : "O:DAG:DA",
+ "174" : "O:DAG:DA",
+ "175" : "O:DAG:DA",
+ },
+ }
+ # Discover 'msDS-Behavior-Version'
+ res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
+ attrs=['msDS-Behavior-Version'])
+ res = int(res[0]['msDS-Behavior-Version'][0])
+ if res < DS_BEHAVIOR_WIN2008:
+ self.DS_BEHAVIOR = "ds_behavior_win2003"
+ else:
+ self.DS_BEHAVIOR = "ds_behavior_win2008"
+
+ def tearDown(self):
+ if self.SAMBA:
+ self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
+ self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
+ self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
+ self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
+ self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
+ self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
+ self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
+ self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
+ # DOMAIN
+ self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
+ self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
+ self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
+ self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
+ # SCHEMA
+ # CONFIGURATION
+ self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
+ + self.configuration_dn)
+ self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
+
+ def check_user_belongs(self, user_dn, groups=[]):
+ """ Test wether user is member of the expected group(s) """
+ if groups != []:
+ # User is member of at least one additional group
+ res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
+ res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
+ expected = []
+ for x in groups:
+ expected.append(self.get_users_domain_dn(x))
+ expected = [x.upper() for x in sorted(expected)]
+ self.assertEqual(expected, res)
+ else:
+ # User is not a member of any additional groups but default
+ res = self.ldb_admin.search(user_dn, attrs=["*"])
+ res = [x.upper() for x in res[0].keys()]
+ self.assertFalse( "MEMBEROF" in res)
+
+ def test_100(self):
+ """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
+ """
+ user_name = "testuser1"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection("testuser1", "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ self.create_domain_group(_ldb, group_dn)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["100"], res)
+
+ def test_101(self):
+ """ Dmain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
+ """
+ user_name = "testuser2"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ self.create_domain_group(_ldb, group_dn)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["101"], res)
+
+ def test_102(self):
+ """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
+ """
+ user_name = "testuser3"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ object_dn = "OU=test_domain_ou1," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_ou(self.ldb_admin, object_dn)
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(A;;CC;;;%s)" % str(user_sid)
+ self.dacl_add_ace(object_dn, mod)
+ # Create additional object into the first one
+ object_dn = "CN=test_domain_user1," + object_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_user(_ldb, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["102"] % str(user_sid), res)
+
+ def test_103(self):
+ """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
+ """
+ user_name = "testuser4"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), [])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ object_dn = "OU=test_domain_ou1," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_ou(self.ldb_admin, object_dn)
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(A;;CC;;;%s)" % str(user_sid)
+ self.dacl_add_ace(object_dn, mod)
+ # Create additional object into the first one
+ object_dn = "CN=test_domain_user1," + object_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_user(_ldb, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["103"] % str(user_sid), res)
+
+ def test_104(self):
+ """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
+ """
+ user_name = "testuser5"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ self.create_domain_group(_ldb, group_dn)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["104"], res)
+
+ def test_105(self):
+ """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
+ """
+ user_name = "testuser6"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ self.create_domain_group(_ldb, group_dn)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["105"], res)
+
+ def test_106(self):
+ """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
+ """
+ user_name = "testuser7"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ self.create_domain_group(_ldb, group_dn)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["106"], res)
+
+ def test_107(self):
+ """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
+ """
+ user_name = "testuser8"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ self.create_domain_group(_ldb, group_dn)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["107"], res)
+
+ # Control descriptor tests #####################################################################
+
+ def test_108(self):
+ """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
+ """
+ user_name = "testuser1"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_domain_group(_ldb, group_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["108"], res)
+
+ def test_109(self):
+ """ Domain admin group member creates object (custom descriptor) in DOMAIN
+ """
+ user_name = "testuser2"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_domain_group(_ldb, group_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["109"], res)
+
+ def test_110(self):
+ """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
+ """
+ user_name = "testuser3"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ object_dn = "OU=test_domain_ou1," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_ou(self.ldb_admin, object_dn)
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(A;;CC;;;%s)" % str(user_sid)
+ self.dacl_add_ace(object_dn, mod)
+ # Create a custom security descriptor
+ # NB! Problematic owner part won't accept DA only <User Sid> !!!
+ desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
+ # Create additional object into the first one
+ object_dn = "CN=test_domain_user1," + object_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_user(_ldb, object_dn, desc_sddl)
+ desc = self.read_desc(object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["110"] % str(user_sid), res)
+
+ def test_111(self):
+ """ Regular user with CC right creates object (custom descriptor) in DOMAIN
+ """
+ user_name = "testuser4"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), [])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ object_dn = "OU=test_domain_ou1," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_ou(self.ldb_admin, object_dn)
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(A;;CC;;;%s)" % str(user_sid)
+ self.dacl_add_ace(object_dn, mod)
+ # Create a custom security descriptor
+ # NB! Problematic owner part won't accept DA only <User Sid> !!!
+ desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
+ # Create additional object into the first one
+ object_dn = "CN=test_domain_user1," + object_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_user(_ldb, object_dn, desc_sddl)
+ desc = self.read_desc(object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["111"] % str(user_sid), res)
+
+ def test_112(self):
+ """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
+ """
+ user_name = "testuser5"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_domain_group(_ldb, group_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["112"], res)
+
+ def test_113(self):
+ """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
+ """
+ user_name = "testuser6"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_domain_group(_ldb, group_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["113"], res)
+
+ def test_114(self):
+ """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
+ """
+ user_name = "testuser7"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_domain_group(_ldb, group_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["114"], res)
+
+ def test_115(self):
+ """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
+ """
+ user_name = "testuser8"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, group_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_domain_group(_ldb, group_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["115"], res)
+
+
+ def test_999(self):
+ user_name = "Administrator"
+ object_dn = "OU=test_domain_ou1," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_ou(self.ldb_admin, object_dn)
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(D;CI;WP;;;S-1-3-0)"
+ #mod = ""
+ self.dacl_add_ace(object_dn, mod)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ #print desc_sddl
+ # Create additional object into the first one
+ object_dn = "OU=test_domain_ou2," + object_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_ou(self.ldb_admin, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ #print desc_sddl
+
+ ## Tests for SCHEMA
+
+ # Defalt descriptor tests ##################################################################
+
+ def test_130(self):
+ user_name = "testuser1"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["130"], res)
+
+ def test_131(self):
+ user_name = "testuser2"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["131"], res)
+
+ def test_132(self):
+ user_name = "testuser3"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["132"], res)
+
+ def test_133(self):
+ user_name = "testuser4"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), [])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ #Change Schema partition descriptor
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["133"] % str(user_sid), res)
+
+ def test_134(self):
+ user_name = "testuser5"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ #Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["134"], res)
+
+ def test_135(self):
+ user_name = "testuser6"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["135"], res)
+
+ def test_136(self):
+ user_name = "testuser7"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["136"], res)
+
+ def test_137(self):
+ user_name = "testuser8"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["137"], res)
+
+ # Custom descriptor tests ##################################################################
+
+ def test_138(self):
+ user_name = "testuser1"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ def test_139(self):
+ user_name = "testuser2"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ def test_140(self):
+ user_name = "testuser3"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create a custom security descriptor
+ # NB! Problematic owner part won't accept DA only <User Sid> !!!
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["140"] % str(user_sid), res)
+
+ def test_141(self):
+ user_name = "testuser4"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), [])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create a custom security descriptor
+ # NB! Problematic owner part won't accept DA only <User Sid> !!!
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["141"] % str(user_sid), res)
+
+ def test_142(self):
+ user_name = "testuser5"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ def test_143(self):
+ user_name = "testuser6"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ def test_144(self):
+ user_name = "testuser7"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ def test_145(self):
+ user_name = "testuser8"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(self.schema_dn, mod)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ # Create example Schema class
+ class_name = self.get_unique_schema_class_name()
+ class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
+ self.create_schema_class(_ldb, class_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(class_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ ## Tests for CONFIGURATION
+
+ # Defalt descriptor tests ##################################################################
+
+ def test_160(self):
+ user_name = "testuser1"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_container(_ldb, object_dn, )
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["160"], res)
+
+ def test_161(self):
+ user_name = "testuser2"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_container(_ldb, object_dn, )
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["161"], res)
+
+ def test_162(self):
+ user_name = "testuser3"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_container(self.ldb_admin, object_dn, )
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(object_dn, mod)
+ # Create child object with user's credentials
+ object_dn = "CN=test-specifier1," + object_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_specifier(_ldb, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["162"] % str(user_sid), res)
+
+ def test_163(self):
+ user_name = "testuser4"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), [])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_container(self.ldb_admin, object_dn, )
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(object_dn, mod)
+ # Create child object with user's credentials
+ object_dn = "CN=test-specifier1," + object_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_specifier(_ldb, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["163"] % str(user_sid), res)
+
+ def test_164(self):
+ user_name = "testuser5"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_container(_ldb, object_dn, )
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["164"], res)
+
+ def test_165(self):
+ user_name = "testuser6"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_container(_ldb, object_dn, )
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["165"], res)
+
+ def test_166(self):
+ user_name = "testuser7"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_container(_ldb, object_dn, )
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["166"], res)
+
+ def test_167(self):
+ user_name = "testuser8"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_container(_ldb, object_dn, )
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["167"], res)
+
+ # Custom descriptor tests ##################################################################
+
+ def test_168(self):
+ user_name = "testuser1"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_configuration_container(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ def test_169(self):
+ user_name = "testuser2"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_configuration_container(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ def test_170(self):
+ user_name = "testuser3"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_container(self.ldb_admin, object_dn, )
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(object_dn, mod)
+ # Create child object with user's credentials
+ object_dn = "CN=test-specifier1," + object_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ # Create a custom security descriptor
+ # NB! Problematic owner part won't accept DA only <User Sid> !!!
+ desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
+ self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["170"] % str(user_sid), res)
+
+ def test_171(self):
+ user_name = "testuser4"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), [])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_configuration_container(self.ldb_admin, object_dn, )
+ user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
+ mod = "(A;;CC;;;AU)"
+ self.dacl_add_ace(object_dn, mod)
+ # Create child object with user's credentials
+ object_dn = "CN=test-specifier1," + object_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ # Create a custom security descriptor
+ # NB! Problematic owner part won't accept DA only <User Sid> !!!
+ desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
+ self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual(self.results[self.DS_BEHAVIOR]["171"] % str(user_sid), res)
+
+ def test_172(self):
+ user_name = "testuser5"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_configuration_container(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ def test_173(self):
+ user_name = "testuser6"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_configuration_container(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ def test_174(self):
+ user_name = "testuser7"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_configuration_container(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ def test_175(self):
+ user_name = "testuser8"
+ self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
+ # Open Ldb connection with the tested user
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Create example Configuration container
+ container_name = "test-container1"
+ object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
+ self.delete_force(self.ldb_admin, object_dn)
+ # Create a custom security descriptor
+ desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
+ self.create_configuration_container(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ self.assertEqual("O:DAG:DA", res)
+
+ ########################################################################################
+ # Inharitance tests for DACL
+
+class DaclDescriptorTests(DescriptorTests):
+
+ def setUp(self):
+ DescriptorTests.setUp(self)
+
+ def tearDown(self):
+ self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
+ self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
+
+ def create_clean_ou(self, object_dn):
+ """ Base repeating setup for unittests to follow """
+ res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
+ expression="distinguishedName=%s" % object_dn)
+ # Make sure top testing OU has been deleted before starting the test
+ self.assertEqual(res, [])
+ self.create_domain_ou(self.ldb_admin, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
+ # Make sutre there are inheritable ACEs initially
+ self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
+ # Find and remove all inherit ACEs
+ res = re.findall("\(.*?\)", desc_sddl)
+ res = [x for x in res if ("CI" in x) or ("OI" in x)]
+ for x in res:
+ desc_sddl = desc_sddl.replace(x, "")
+ # Add flag 'protected' in both DACL and SACL so no inherit ACEs
+ # can propagate from above
+ desc_sddl = desc_sddl.replace(":AI", ":AIP")
+ self.modify_desc(object_dn, desc_sddl)
+ # Verify all inheritable ACEs are gone
+ desc_sddl = self.get_desc_sddl(object_dn)
+ self.assertFalse("CI" in desc_sddl)
+ self.assertFalse("OI" in desc_sddl)
+
+ def test_200(self):
+ """ OU with protected flag and child group. See if the group has inherit ACEs.
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Create group child object
+ self.create_domain_group(self.ldb_admin, group_dn)
+ # Make sure created group object contains NO inherit ACEs
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertFalse("ID" in desc_sddl)
+
+ def test_201(self):
+ """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
+ Verify group has custom and default ACEs only.
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Create group child object using custom security descriptor
+ sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
+ self.create_domain_group(self.ldb_admin, group_dn, sddl)
+ # Make sure created group descriptor has NO additional ACEs
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertEqual(desc_sddl, sddl)
+
+ def test_202(self):
+ """ OU with protected flag and add couple non-inheritable ACEs, child group.
+ See if the group has any of the added ACEs.
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Add some custom non-inheritable ACEs
+ mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
+ self.dacl_add_ace(ou_dn, mod)
+ # Verify all inheritable ACEs are gone
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # Create group child object
+ self.create_domain_group(self.ldb_admin, group_dn)
+ # Make sure created group object contains NO inherit ACEs
+ # also make sure the added above non-inheritable ACEs are absant too
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertFalse("ID" in desc_sddl)
+ for x in re.findall("\(.*?\)", mod):
+ self.assertFalse(x in desc_sddl)
+
+ def test_203(self):
+ """ OU with protected flag and add 'CI' ACE, child group.
+ See if the group has the added inherited ACE.
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Add some custom 'CI' ACE
+ mod = "(D;CI;WP;;;DU)"
+ self.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # Create group child object
+ self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ # Make sure created group object contains only the above inherited ACE
+ # that we've added manually
+ desc_sddl = self.get_desc_sddl(group_dn)
+ mod = mod.replace(";CI;", ";CIID;")
+ self.assertTrue(mod in desc_sddl)
+
+ def test_204(self):
+ """ OU with protected flag and add 'OI' ACE, child group.
+ See if the group has the added inherited ACE.
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Add some custom 'CI' ACE
+ mod = "(D;OI;WP;;;DU)"
+ self.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # Create group child object
+ self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ # Make sure created group object contains only the above inherited ACE
+ # that we've added manually
+ desc_sddl = self.get_desc_sddl(group_dn)
+ mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
+ self.assertTrue(mod in desc_sddl)
+
+ def test_205(self):
+ """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
+ See if the group has the added inherited ACE.
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Add some custom 'OA' for 'name' attribute & 'CI' ACE
+ mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
+ self.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # Create group child object
+ self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ # Make sure created group object contains only the above inherited ACE
+ # that we've added manually
+ desc_sddl = self.get_desc_sddl(group_dn)
+ mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
+ self.assertTrue(mod in desc_sddl)
+
+ def test_206(self):
+ """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
+ See if the group has the added inherited ACE.
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Add some custom 'OA' for 'name' attribute & 'OI' ACE
+ mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
+ self.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # Create group child object
+ self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ # Make sure created group object contains only the above inherited ACE
+ # that we've added manually
+ desc_sddl = self.get_desc_sddl(group_dn)
+ mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
+ self.assertTrue(mod in desc_sddl)
+
+ def test_207(self):
+ """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
+ See if the group has the added inherited ACE.
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
+ mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
+ self.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # Create group child object
+ self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ # Make sure created group object contains only the above inherited ACE
+ # that we've added manually
+ desc_sddl = self.get_desc_sddl(group_dn)
+ mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
+ self.assertTrue(mod in desc_sddl)
+
+ def test_208(self):
+ """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
+ See if the group has the added inherited ACE.
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
+ mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
+ self.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # Create group child object
+ self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ # Make sure created group object contains only the above inherited ACE
+ # that we've added manually
+ desc_sddl = self.get_desc_sddl(group_dn)
+ mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
+ self.assertTrue(mod in desc_sddl)
+
+ def test_209(self):
+ """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
+ See if the group has the added inherited ACE.
+ """
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Add some custom 'CI' ACE
+ mod = "(D;CI;WP;;;CO)"
+ self.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # Create group child object
+ self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
+ # Make sure created group object contains only the above inherited ACE(s)
+ # that we've added manually
+ desc_sddl = self.get_desc_sddl(group_dn)
+ #print desc_sddl
+ self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
+ self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
+
+ ########################################################################################
+
+if not "://" in host:
+ host = "ldap://%s" % host
+ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
+
+runner = SubunitTestRunner()
+rc = 0
+if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
+ rc = 1
+if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
+ rc = 1
+
+sys.exit(rc)
diff --git a/source4/selftest/knownfail b/source4/selftest/knownfail
index 0d0f59f006..d4ad716d6a 100644
--- a/source4/selftest/knownfail
+++ b/source4/selftest/knownfail
@@ -56,3 +56,4 @@ samba4.winbind.struct.*.LOOKUP_NAME_SID # Not yet working in winbind
^samba4.*base.delaywrite.*update of write time using SET_END_OF_FILE$
^samba4.*base.delaywrite.*update of write time using SET_ALLOCATION_SIZE$
^samba4.ldap.python \(dc\).Test add_ldif\(\) with BASE64 security descriptor input using WRONG domain SID$
+^samba4.ldap.secdesc.python \ No newline at end of file
diff --git a/source4/selftest/tests.sh b/source4/selftest/tests.sh
index dd5bf6dfaf..4689b69c94 100755
--- a/source4/selftest/tests.sh
+++ b/source4/selftest/tests.sh
@@ -450,7 +450,8 @@ plantest "subunit.python" none $SUBUNITRUN subunit
plantest "rpcecho.python" dc:local $SUBUNITRUN samba.tests.rpcecho
plantest "winreg.python" dc:local $SUBUNITRUN -U\$USERNAME%\$PASSWORD samba.tests.registry
plantest "ldap.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python" $PYTHON $samba4srcdir/lib/ldb/tests/python/ldap.py $CONFIGURATION \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN
-plantest "possibleInferiors.python" dc $PYTHON $samba4srcdir/dsdb/samdb/ldb_modules/tests/possibleinferiors.py $CONFIGURATION ldap://\$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN
+plantest "ldap.possibleInferiors.python" dc $PYTHON $samba4srcdir/dsdb/samdb/ldb_modules/tests/possibleinferiors.py $CONFIGURATION ldap://\$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN
+plantest "ldap.secdesc.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python" $PYTHON $samba4srcdir/lib/ldb/tests/python/sec_descriptor.py $CONFIGURATION \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN
plantest "blackbox.samba3dump" none $PYTHON $samba4srcdir/scripting/bin/samba3dump $samba4srcdir/../testdata/samba3
rm -rf $PREFIX/upgrade
plantest "blackbox.upgrade" none $PYTHON $samba4srcdir/setup/upgrade $CONFIGURATION --targetdir=$PREFIX/upgrade $samba4srcdir/../testdata/samba3 ../testdata/samba3/smb.conf