author | Nadezhda Ivanova <nivanova@symas.com> | 2013-10-14 12:38:10 +0300 |
committer | Nadezhda Ivanova <nivanova@samba.org> | 2013-10-14 13:31:50 +0200 |
commit | 13a10d43141c29dad61868b451c0c1dca82360de (patch) | |
tree | ec660ca94f27c085be55e5f85e6789a1a2437099 /source4/dsdb/tests | |
parent | 064433f265d2215389f2a377b6e8243318669b65 (diff) | |
s4-samldb: Do not allow deletion of objects with RID < 1000
According to [MS-SAMR] 3.1.5.7 Delete Pattern, we should not allow deletion
of security objects with RID < 1000. This patch will prevent deletion of
well-known accounts and groups.
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date(master): Mon Oct 14 13:31:50 CEST 2013 on sn-devel-104
Diffstat (limited to 'source4/dsdb/tests')
-rwxr-xr-x | source4/dsdb/tests/python/sam.py | 37 |
1 files changed, 34 insertions, 3 deletions
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index 754096a015..b2d4d4920f 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -586,7 +586,7 @@ class SamTests(samba.tests.TestCase):
     def test_sam_attributes(self):
         """Test the behaviour of special attributes of SAM objects"""
-        print "Testing the behaviour of special attributes of SAM objects\n"""
+        print "Testing the behaviour of special attributes of SAM objects\n"
         ldb.add({
         "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
@@ -2604,7 +2604,7 @@ class SamTests(samba.tests.TestCase):
     def test_sam_description_attribute(self):
         """Test SAM description attribute"""
-        print "Test SAM description attribute"""
+        print "Test SAM description attribute"
         self.ldb.add({
         "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
@@ -2772,7 +2772,7 @@ class SamTests(samba.tests.TestCase):
     def test_fSMORoleOwner_attribute(self):
         """Test fSMORoleOwner attribute"""
-        print "Test fSMORoleOwner attribute"""
+        print "Test fSMORoleOwner attribute"
         ds_service_name = self.ldb.get_dsServiceName()
@@ -2846,6 +2846,37 @@ class SamTests(samba.tests.TestCase):
         delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+    def test_protected_sid_objects(self):
+        """Test deletion of objects with RID < 1000"""
+        self.ldb.create_ou("ou=ldaptestou," + self.base_dn)
+        # a list of some well-known sids
+        # objects in Builtin are aready covered by objectclass
+        protected_list = [
+            ["CN=Domain Admins","CN=Users,"],
+            ["CN=Schema Admins","CN=Users,"],
+            ["CN=Enterprise Admins","CN=Users,"],
+            ["CN=Administrator","CN=Users,"],
+            ["CN=Domain Controllers","CN=Users,"],
+            ]
+
+
+        for pr_object in protected_list:
+            try:
+                self.ldb.delete(pr_object[0] + "," + pr_object[1] + self.base_dn)
+            except LdbError, (num, _):
+                self.assertEquals(num, ERR_OTHER)
+            else:
+                self.fail("Deleted " + pr_object[0])
+
+            try:
+                self.ldb.rename(pr_object[0] + "," + pr_object[1] + self.base_dn,
+                                pr_object[0] + "2," + pr_object[1] + self.base_dn)
+            except LdbError, (num, _):
+                self.fail("Could not rename " + pr_object[0])
+
+            self.ldb.rename(pr_object[0] + "2," + pr_object[1] + self.base_dn,
+                            pr_object[0] + "," + pr_object[1] + self.base_dn)
 if not "://" in host:
     if os.path.isfile(host):
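Review bot: The `self.ldb.create_ou("ou=ldaptestou," + self.base_dn)` call on the third added line of `test_protected_sid_objects` creates an OU that the test never uses and never removes, so it leaks into every later test of the run and presumably breaks a rerun against the same database if `create_ou` refuses an existing entry; either drop the line or remove the OU at the end with `delete_force(self.ldb, "ou=ldaptestou," + self.base_dn)`, as the preceding test does for its group. After the rejected delete the loop only inspects the error code; a base-scope search for the same DN would confirm the well-known object is actually still present, which is the property this commit is meant to guarantee. The comments on the fourth and fifth added lines call the entries "well-known sids" although the list holds RDN/container pairs, and "aready" is a typo; suggest `# RDN/container pairs of some well-known accounts and groups (RID < 1000)` and `# objects in Builtin are already covered by objectclass`. Guest and krbtgt also carry RIDs below 1000 and are not exercised here, so adding them to `protected_list` would widen coverage if the samldb rule is intended to protect them as well.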