#!/usr/bin/python # -*- coding: utf-8 -*- import getopt import optparse import sys import os import base64 import re import random import time sys.path.append("bin/python") sys.path.append("../lib/subunit/python") import samba.getopt as options # Some error messages that are being tested from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS # For running the test unit from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security from samba.auth import system_session from samba import Ldb, DS_DOMAIN_FUNCTION_2008, SECINFO_OWNER, \ SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL from subunit import SubunitTestRunner import unittest parser = optparse.OptionParser("sec_descriptor [options] ") sambaopts = options.SambaOptions(parser) parser.add_option_group(sambaopts) parser.add_option_group(options.VersionOptions(parser)) # use command line creds if available credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) opts, args = parser.parse_args() if len(args) < 1: parser.print_usage() sys.exit(1) host = args[0] lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) # # Tests start here # class DescriptorTests(unittest.TestCase): def delete_force(self, ldb, dn): try: ldb.delete(dn) except LdbError, (num, _): self.assertEquals(num, ERR_NO_SUCH_OBJECT) def find_basedn(self, ldb): res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["defaultNamingContext"]) self.assertEquals(len(res), 1) return res[0]["defaultNamingContext"][0] def find_configurationdn(self, ldb): res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"]) self.assertEquals(len(res), 1) return res[0]["configurationNamingContext"][0] def find_schemadn(self, ldb): res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"]) self.assertEquals(len(res), 1) return res[0]["schemaNamingContext"][0] def find_domain_sid(self, ldb): res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) return ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) def get_users_domain_dn(self, name): return "CN=%s,CN=Users,%s" % (name, self.base_dn) def modify_desc(self, _ldb, object_dn, desc, controls=None): assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) mod = """ dn: """ + object_dn + """ changetype: modify replace: nTSecurityDescriptor """ if isinstance(desc, str): mod += "nTSecurityDescriptor: %s" % desc elif isinstance(desc, security.descriptor): mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) _ldb.modify_ldif(mod, controls) def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None): ldif = """ dn: """ + ou_dn + """ ou: """ + ou_dn.split(",")[0][3:] + """ objectClass: organizationalUnit url: www.example.com """ if desc: assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) if isinstance(desc, str): ldif += "nTSecurityDescriptor: %s" % desc elif isinstance(desc, security.descriptor): ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) _ldb.add_ldif(ldif, controls) def create_domain_user(self, _ldb, user_dn, desc=None): ldif = """ dn: """ + user_dn + """ sAMAccountName: """ + user_dn.split(",")[0][3:] + """ objectClass: user userPassword: samba123@ url: www.example.com """ if desc: assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) if isinstance(desc, str): ldif += "nTSecurityDescriptor: %s" % desc elif isinstance(desc, security.descriptor): ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) _ldb.add_ldif(ldif) def create_domain_group(self, _ldb, group_dn, desc=None): ldif = """ dn: """ + group_dn + """ objectClass: group sAMAccountName: """ + group_dn.split(",")[0][3:] + """ groupType: 4 url: www.example.com """ if desc: assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) if isinstance(desc, str): ldif += "nTSecurityDescriptor: %s" % desc elif isinstance(desc, security.descriptor): ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) _ldb.add_ldif(ldif) def get_unique_schema_class_name(self): while True: class_name = "test-class%s" % random.randint(1,100000) class_dn = "CN=%s,%s" % (class_name, self.schema_dn) try: self.ldb_admin.search(base=class_dn, attrs=["*"]) except LdbError, (num, _): self.assertEquals(num, ERR_NO_SUCH_OBJECT) return class_name def create_schema_class(self, _ldb, object_dn, desc=None): ldif = """ dn: """ + object_dn + """ objectClass: classSchema objectCategory: CN=Class-Schema,""" + self.schema_dn + """ defaultObjectCategory: """ + object_dn + """ distinguishedName: """ + object_dn + """ governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 instanceType: 4 objectClassCategory: 1 subClassOf: organizationalPerson systemFlags: 16 rDNAttID: cn systemMustContain: cn systemOnly: FALSE """ if desc: assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) if isinstance(desc, str): ldif += "nTSecurityDescriptor: %s" % desc elif isinstance(desc, security.descriptor): ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) _ldb.add_ldif(ldif) def create_configuration_container(self, _ldb, object_dn, desc=None): ldif = """ dn: """ + object_dn + """ objectClass: container objectCategory: CN=Container,""" + self.schema_dn + """ showInAdvancedViewOnly: TRUE instanceType: 4 """ if desc: assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) if isinstance(desc, str): ldif += "nTSecurityDescriptor: %s" % desc elif isinstance(desc, security.descriptor): ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) _ldb.add_ldif(ldif) def create_configuration_specifier(self, _ldb, object_dn, desc=None): ldif = """ dn: """ + object_dn + """ objectClass: displaySpecifier showInAdvancedViewOnly: TRUE """ if desc: assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) if isinstance(desc, str): ldif += "nTSecurityDescriptor: %s" % desc elif isinstance(desc, security.descriptor): ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) _ldb.add_ldif(ldif) def read_desc(self, object_dn, controls=None): res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls) desc = res[0]["nTSecurityDescriptor"][0] return ndr_unpack(security.descriptor, desc) def enable_account(self, user_dn): """Enable an account. :param user_dn: Dn of the account to enable. """ res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"]) assert len(res) == 1 userAccountControl = res[0]["userAccountControl"][0] userAccountControl = int(userAccountControl) if (userAccountControl & 0x2): userAccountControl = userAccountControl & ~0x2 # remove disabled bit if (userAccountControl & 0x20): userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit mod = """ dn: """ + user_dn + """ changetype: modify replace: userAccountControl userAccountControl: %s""" % userAccountControl if self.WIN2003: mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod) self.ldb_admin.modify_ldif(mod) def get_ldb_connection(self, target_username, target_password): username_save = creds.get_username(); password_save = creds.get_password() creds.set_username(target_username) creds.set_password(target_password) ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp) creds.set_username(username_save); creds.set_password(password_save) return ldb_target def get_object_sid(self, object_dn): res = self.ldb_admin.search(object_dn) return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] ) def dacl_add_ace(self, object_dn, ace): desc = self.read_desc( object_dn ) desc_sddl = desc.as_sddl( self.domain_sid ) if ace in desc_sddl: return if desc_sddl.find("(") >= 0: desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):] else: desc_sddl = desc_sddl + ace self.modify_desc(self.ldb_admin, object_dn, desc_sddl) def get_desc_sddl(self, object_dn, controls=None): """ Return object nTSecutiryDescriptor in SDDL format """ desc = self.read_desc(object_dn, controls) return desc.as_sddl(self.domain_sid) def setUp(self): self.ldb_admin = ldb self.base_dn = self.find_basedn(self.ldb_admin) self.configuration_dn = self.find_configurationdn(self.ldb_admin) self.schema_dn = self.find_schemadn(self.ldb_admin) self.domain_sid = self.find_domain_sid(self.ldb_admin) print "baseDN: %s" % self.base_dn self.SAMBA = False; self.WIN2003 = False res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"]) if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]: self.SAMBA = True else: self.WIN2003 = True ################################################################################################ ## Tests for DOMAIN # Default descriptor tests ##################################################################### class OwnerGroupDescriptorTests(DescriptorTests): def deleteAll(self): if self.SAMBA: self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1")) self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2")) self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3")) self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4")) self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5")) self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6")) self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7")) self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8")) # DOMAIN self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1")) self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn) self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn) self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) # SCHEMA # CONFIGURATION self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \ + self.configuration_dn) self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn) def setUp(self): DescriptorTests.setUp(self) self.deleteAll() if self.SAMBA: ### Create users # User 1 user_dn = self.get_users_domain_dn("testuser1") self.create_domain_user(self.ldb_admin, user_dn) self.enable_account(user_dn) ldif = """ dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 2 user_dn = self.get_users_domain_dn("testuser2") self.create_domain_user(self.ldb_admin, user_dn) self.enable_account(user_dn) ldif = """ dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 3 user_dn = self.get_users_domain_dn("testuser3") self.create_domain_user(self.ldb_admin, user_dn) self.enable_account(user_dn) ldif = """ dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 4 user_dn = self.get_users_domain_dn("testuser4") self.create_domain_user(self.ldb_admin, user_dn) self.enable_account(user_dn) # User 5 user_dn = self.get_users_domain_dn("testuser5") self.create_domain_user(self.ldb_admin, user_dn) self.enable_account(user_dn) ldif = """ dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn + """ dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 6 user_dn = self.get_users_domain_dn("testuser6") self.create_domain_user(self.ldb_admin, user_dn) self.enable_account(user_dn) ldif = """ dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn + """ dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn + """ dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 7 user_dn = self.get_users_domain_dn("testuser7") self.create_domain_user(self.ldb_admin, user_dn) self.enable_account(user_dn) ldif = """ dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn + """ dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 8 user_dn = self.get_users_domain_dn("testuser8") self.create_domain_user(self.ldb_admin, user_dn) self.enable_account(user_dn) ldif = """ dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn + """ dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) self.results = { # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008 "ds_behavior_win2003" : { "100" : "O:EAG:DU", "101" : "O:DAG:DU", "102" : "O:%sG:DU", "103" : "O:%sG:DU", "104" : "O:DAG:DU", "105" : "O:DAG:DU", "106" : "O:DAG:DU", "107" : "O:EAG:DU", "108" : "O:DAG:DA", "109" : "O:DAG:DA", "110" : "O:%sG:DA", "111" : "O:%sG:DA", "112" : "O:DAG:DA", "113" : "O:DAG:DA", "114" : "O:DAG:DA", "115" : "O:DAG:DA", "130" : "O:EAG:DU", "131" : "O:DAG:DU", "132" : "O:SAG:DU", "133" : "O:%sG:DU", "134" : "O:EAG:DU", "135" : "O:SAG:DU", "136" : "O:SAG:DU", "137" : "O:SAG:DU", "138" : "O:DAG:DA", "139" : "O:DAG:DA", "140" : "O:%sG:DA", "141" : "O:%sG:DA", "142" : "O:DAG:DA", "143" : "O:DAG:DA", "144" : "O:DAG:DA", "145" : "O:DAG:DA", "160" : "O:EAG:DU", "161" : "O:DAG:DU", "162" : "O:%sG:DU", "163" : "O:%sG:DU", "164" : "O:EAG:DU", "165" : "O:EAG:DU", "166" : "O:DAG:DU", "167" : "O:EAG:DU", "168" : "O:DAG:DA", "169" : "O:DAG:DA", "170" : "O:%sG:DA", "171" : "O:%sG:DA", "172" : "O:DAG:DA", "173" : "O:DAG:DA", "174" : "O:DAG:DA", "175" : "O:DAG:DA", }, # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008 "ds_behavior_win2008" : { "100" : "O:EAG:EA", "101" : "O:DAG:DA", "102" : "O:%sG:DU", "103" : "O:%sG:DU", "104" : "O:DAG:DA", "105" : "O:DAG:DA", "106" : "O:DAG:DA", "107" : "O:EAG:EA", "108" : "O:DAG:DA", "109" : "O:DAG:DA", "110" : "O:%sG:DA", "111" : "O:%sG:DA", "112" : "O:DAG:DA", "113" : "O:DAG:DA", "114" : "O:DAG:DA", "115" : "O:DAG:DA", "130" : "O:EAG:EA", "131" : "O:DAG:DA", "132" : "O:SAG:SA", "133" : "O:%sG:DU", "134" : "O:EAG:EA", "135" : "O:SAG:SA", "136" : "O:SAG:SA", "137" : "O:SAG:SA", "138" : "", "139" : "", "140" : "O:%sG:DA", "141" : "O:%sG:DA", "142" : "", "143" : "", "144" : "", "145" : "", "160" : "O:EAG:EA", "161" : "O:DAG:DA", "162" : "O:%sG:DU", "163" : "O:%sG:DU", "164" : "O:EAG:EA", "165" : "O:EAG:EA", "166" : "O:DAG:DA", "167" : "O:EAG:EA", "168" : "O:DAG:DA", "169" : "O:DAG:DA", "170" : "O:%sG:DA", "171" : "O:%sG:DA", "172" : "O:DAG:DA", "173" : "O:DAG:DA", "174" : "O:DAG:DA", "175" : "O:DAG:DA", }, } # Discover 'msDS-Behavior-Version' res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \ attrs=['msDS-Behavior-Version']) res = int(res[0]['msDS-Behavior-Version'][0]) if res < DS_DOMAIN_FUNCTION_2008: self.DS_BEHAVIOR = "ds_behavior_win2003" else: self.DS_BEHAVIOR = "ds_behavior_win2008" def tearDown(self): self.deleteAll() def check_user_belongs(self, user_dn, groups=[]): """ Test wether user is member of the expected group(s) """ if groups != []: # User is member of at least one additional group res = self.ldb_admin.search(user_dn, attrs=["memberOf"]) res = [x.upper() for x in sorted(list(res[0]["memberOf"]))] expected = [] for x in groups: expected.append(self.get_users_domain_dn(x)) expected = [x.upper() for x in sorted(expected)] self.assertEqual(expected, res) else: # User is not a member of any additional groups but default res = self.ldb_admin.search(user_dn, attrs=["*"]) res = [x.upper() for x in res[0].keys()] self.assertFalse( "MEMBEROF" in res) def check_modify_inheritance(self, _ldb, object_dn, owner_group=""): # Modify ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account if owner_group != "": self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace) else: self.modify_desc(_ldb, object_dn, "D:" + ace) # Make sure the modify operation has been applied desc_sddl = self.get_desc_sddl(object_dn) self.assertTrue(ace in desc_sddl) # Make sure we have identical result for both "add" and "modify" res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) print self._testMethodName test_number = self._testMethodName[5:] self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res) def test_100(self): """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN """ user_name = "testuser1" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_group(_ldb, object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) def test_101(self): """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN """ user_name = "testuser2" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_group(_ldb, object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) def test_102(self): """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN """ user_name = "testuser3" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "OU=test_domain_ou1," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_ou(self.ldb_admin, object_dn) user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod) # Create additional object into the first one object_dn = "CN=test_domain_user1," + object_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_user(_ldb, object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) # This fails, research why #self.check_modify_inheritance(_ldb, object_dn) def test_103(self): """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN """ user_name = "testuser4" self.check_user_belongs(self.get_users_domain_dn(user_name), []) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "OU=test_domain_ou1," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_ou(self.ldb_admin, object_dn) user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod) # Create additional object into the first one object_dn = "CN=test_domain_user1," + object_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_user(_ldb, object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) #this fails, research why #self.check_modify_inheritance(_ldb, object_dn) def test_104(self): """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN """ user_name = "testuser5" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_group(_ldb, object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) def test_105(self): """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN """ user_name = "testuser6" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_group(_ldb, object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) def test_106(self): """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN """ user_name = "testuser7" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_group(_ldb, object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) def test_107(self): """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN """ user_name = "testuser8" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_group(_ldb, object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) # Control descriptor tests ##################################################################### def test_108(self): """ Enterprise admin group member creates object (custom descriptor) in DOMAIN """ user_name = "testuser1" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_domain_group(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) def test_109(self): """ Domain admin group member creates object (custom descriptor) in DOMAIN """ user_name = "testuser2" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_domain_group(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) def test_110(self): """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN """ user_name = "testuser3" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "OU=test_domain_ou1," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_ou(self.ldb_admin, object_dn) user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod) # Create a custom security descriptor # NB! Problematic owner part won't accept DA only !!! desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) # Create additional object into the first one object_dn = "CN=test_domain_user1," + object_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_user(_ldb, object_dn, desc_sddl) desc = self.read_desc(object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) def test_111(self): """ Regular user with CC right creates object (custom descriptor) in DOMAIN """ user_name = "testuser4" self.check_user_belongs(self.get_users_domain_dn(user_name), []) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "OU=test_domain_ou1," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_ou(self.ldb_admin, object_dn) user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod) # Create a custom security descriptor # NB! Problematic owner part won't accept DA only !!! desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) # Create additional object into the first one object_dn = "CN=test_domain_user1," + object_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_user(_ldb, object_dn, desc_sddl) desc = self.read_desc(object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) def test_112(self): """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN """ user_name = "testuser5" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_domain_group(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) def test_113(self): """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN """ user_name = "testuser6" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_domain_group(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) def test_114(self): """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN """ user_name = "testuser7" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_domain_group(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) def test_115(self): """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN """ user_name = "testuser8" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_domain_group(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) def test_999(self): user_name = "Administrator" object_dn = "OU=test_domain_ou1," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_ou(self.ldb_admin, object_dn) user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(D;CI;WP;;;S-1-3-0)" #mod = "" self.dacl_add_ace(object_dn, mod) desc_sddl = self.get_desc_sddl(object_dn) # Create additional object into the first one object_dn = "OU=test_domain_ou2," + object_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_ou(self.ldb_admin, object_dn) desc_sddl = self.get_desc_sddl(object_dn) ## Tests for SCHEMA # Defalt descriptor tests ################################################################## def test_130(self): user_name = "testuser1" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(A;;WDCC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, class_dn) def test_131(self): user_name = "testuser2" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;CI;WDCC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, class_dn) def test_132(self): user_name = "testuser3" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;CI;WDCC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) #self.check_modify_inheritance(_ldb, class_dn) def test_133(self): user_name = "testuser4" self.check_user_belongs(self.get_users_domain_dn(user_name), []) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") #Change Schema partition descriptor user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(A;CI;WDCC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) #self.check_modify_inheritance(_ldb, class_dn) def test_134(self): user_name = "testuser5" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") #Change Schema partition descriptor mod = "(A;CI;WDCC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, class_dn) def test_135(self): user_name = "testuser6" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;CI;WDCC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, class_dn) def test_136(self): user_name = "testuser7" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;CI;WDCC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, class_dn) def test_137(self): user_name = "testuser8" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;CI;WDCC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, class_dn) # Custom descriptor tests ################################################################## def test_138(self): user_name = "testuser1" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;;CC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn, desc_sddl) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) def test_139(self): user_name = "testuser2" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;;CC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn, desc_sddl) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) def test_140(self): user_name = "testuser3" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create a custom security descriptor # NB! Problematic owner part won't accept DA only !!! user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn, desc_sddl) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) def test_141(self): user_name = "testuser4" self.check_user_belongs(self.get_users_domain_dn(user_name), []) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create a custom security descriptor # NB! Problematic owner part won't accept DA only !!! user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn, desc_sddl) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) def test_142(self): user_name = "testuser5" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;;CC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn, desc_sddl) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) def test_143(self): user_name = "testuser6" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;;CC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn, desc_sddl) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) def test_144(self): user_name = "testuser7" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;;CC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn, desc_sddl) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) def test_145(self): user_name = "testuser8" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Change Schema partition descriptor mod = "(A;;CC;;;AU)" self.dacl_add_ace(self.schema_dn, mod) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" # Create example Schema class class_name = self.get_unique_schema_class_name() class_dn = "CN=%s,%s" % (class_name, self.schema_dn) self.create_schema_class(_ldb, class_dn, desc_sddl) desc_sddl = self.get_desc_sddl(class_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) ## Tests for CONFIGURATION # Defalt descriptor tests ################################################################## def test_160(self): user_name = "testuser1" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) self.create_configuration_container(_ldb, object_dn, ) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) def test_161(self): user_name = "testuser2" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) self.create_configuration_container(_ldb, object_dn, ) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) def test_162(self): user_name = "testuser3" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn self.delete_force(self.ldb_admin, object_dn) self.create_configuration_container(self.ldb_admin, object_dn, ) user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(A;;WDCC;;;AU)" self.dacl_add_ace(object_dn, mod) # Create child object with user's credentials object_dn = "CN=test-specifier1," + object_dn self.delete_force(self.ldb_admin, object_dn) self.create_configuration_specifier(_ldb, object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) #self.check_modify_inheritance(_ldb, object_dn) def test_163(self): user_name = "testuser4" self.check_user_belongs(self.get_users_domain_dn(user_name), []) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn self.delete_force(self.ldb_admin, object_dn) self.create_configuration_container(self.ldb_admin, object_dn, ) user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(A;CI;WDCC;;;AU)" self.dacl_add_ace(object_dn, mod) # Create child object with user's credentials object_dn = "CN=test-specifier1," + object_dn self.delete_force(self.ldb_admin, object_dn) self.create_configuration_specifier(_ldb, object_dn) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) #self.check_modify_inheritance(_ldb, object_dn) def test_164(self): user_name = "testuser5" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) self.create_configuration_container(_ldb, object_dn, ) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) def test_165(self): user_name = "testuser6" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) self.create_configuration_container(_ldb, object_dn, ) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) def test_166(self): user_name = "testuser7" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) self.create_configuration_container(_ldb, object_dn, ) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) def test_167(self): user_name = "testuser8" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) self.create_configuration_container(_ldb, object_dn, ) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) self.check_modify_inheritance(_ldb, object_dn) # Custom descriptor tests ################################################################## def test_168(self): user_name = "testuser1" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_configuration_container(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) def test_169(self): user_name = "testuser2" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_configuration_container(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) def test_170(self): user_name = "testuser3" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn self.delete_force(self.ldb_admin, object_dn) self.create_configuration_container(self.ldb_admin, object_dn, ) user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(A;;CC;;;AU)" self.dacl_add_ace(object_dn, mod) # Create child object with user's credentials object_dn = "CN=test-specifier1," + object_dn self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor # NB! Problematic owner part won't accept DA only !!! desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) self.create_configuration_specifier(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) def test_171(self): user_name = "testuser4" self.check_user_belongs(self.get_users_domain_dn(user_name), []) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn self.delete_force(self.ldb_admin, object_dn) self.create_configuration_container(self.ldb_admin, object_dn, ) user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) mod = "(A;;CC;;;AU)" self.dacl_add_ace(object_dn, mod) # Create child object with user's credentials object_dn = "CN=test-specifier1," + object_dn self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor # NB! Problematic owner part won't accept DA only !!! desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) self.create_configuration_specifier(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) def test_172(self): user_name = "testuser5" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_configuration_container(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) def test_173(self): user_name = "testuser6" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_configuration_container(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) def test_174(self): user_name = "testuser7" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_configuration_container(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) def test_175(self): user_name = "testuser8" self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) # Open Ldb connection with the tested user _ldb = self.get_ldb_connection(user_name, "samba123@") # Create example Configuration container container_name = "test-container1" object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) self.delete_force(self.ldb_admin, object_dn) # Create a custom security descriptor desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" self.create_configuration_container(_ldb, object_dn, desc_sddl) desc_sddl = self.get_desc_sddl(object_dn) res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) self.assertEqual("O:DAG:DA", res) ######################################################################################## # Inharitance tests for DACL class DaclDescriptorTests(DescriptorTests): def deleteAll(self): self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn) self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn) def setUp(self): DescriptorTests.setUp(self) self.deleteAll() def tearDown(self): self.deleteAll() def create_clean_ou(self, object_dn): """ Base repeating setup for unittests to follow """ res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \ expression="distinguishedName=%s" % object_dn) # Make sure top testing OU has been deleted before starting the test self.assertEqual(res, []) self.create_domain_ou(self.ldb_admin, object_dn) desc_sddl = self.get_desc_sddl(object_dn) # Make sure there are inheritable ACEs initially self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl) # Find and remove all inherit ACEs res = re.findall("\(.*?\)", desc_sddl) res = [x for x in res if ("CI" in x) or ("OI" in x)] for x in res: desc_sddl = desc_sddl.replace(x, "") # Add flag 'protected' in both DACL and SACL so no inherit ACEs # can propagate from above # remove SACL, we are not interested desc_sddl = desc_sddl.replace(":AI", ":AIP") self.modify_desc(self.ldb_admin, object_dn, desc_sddl) # Verify all inheritable ACEs are gone desc_sddl = self.get_desc_sddl(object_dn) self.assertFalse("CI" in desc_sddl) self.assertFalse("OI" in desc_sddl) def test_200(self): """ OU with protected flag and child group. See if the group has inherit ACEs. """ ou_dn = "OU=test_inherit_ou," + self.base_dn group_dn = "CN=test_inherit_group," + ou_dn # Create inheritable-free OU self.create_clean_ou(ou_dn) # Create group child object self.create_domain_group(self.ldb_admin, group_dn) # Make sure created group object contains NO inherit ACEs desc_sddl = self.get_desc_sddl(group_dn) self.assertFalse("ID" in desc_sddl) def test_201(self): """ OU with protected flag and no inherit ACEs, child group with custom descriptor. Verify group has custom and default ACEs only. """ ou_dn = "OU=test_inherit_ou," + self.base_dn group_dn = "CN=test_inherit_group," + ou_dn # Create inheritable-free OU self.create_clean_ou(ou_dn) # Create group child object using custom security descriptor sddl = "O:AUG:AUD:AI(D;;WP;;;DU)" self.create_domain_group(self.ldb_admin, group_dn, sddl) # Make sure created group descriptor has NO additional ACEs desc_sddl = self.get_desc_sddl(group_dn) self.assertEqual(desc_sddl, sddl) sddl = "O:AUG:AUD:AI(D;;CC;;;LG)" self.modify_desc(self.ldb_admin, group_dn, sddl) desc_sddl = self.get_desc_sddl(group_dn) self.assertEqual(desc_sddl, sddl) def test_202(self): """ OU with protected flag and add couple non-inheritable ACEs, child group. See if the group has any of the added ACEs. """ ou_dn = "OU=test_inherit_ou," + self.base_dn group_dn = "CN=test_inherit_group," + ou_dn # Create inheritable-free OU self.create_clean_ou(ou_dn) # Add some custom non-inheritable ACEs mod = "(D;;WP;;;DU)(A;;RP;;;DU)" moded = "(D;;CC;;;LG)" self.dacl_add_ace(ou_dn, mod) # Verify all inheritable ACEs are gone desc_sddl = self.get_desc_sddl(ou_dn) # Create group child object self.create_domain_group(self.ldb_admin, group_dn) # Make sure created group object contains NO inherit ACEs # also make sure the added above non-inheritable ACEs are absent too desc_sddl = self.get_desc_sddl(group_dn) self.assertFalse("ID" in desc_sddl) for x in re.findall("\(.*?\)", mod): self.assertFalse(x in desc_sddl) self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) desc_sddl = self.get_desc_sddl(group_dn) self.assertFalse("ID" in desc_sddl) for x in re.findall("\(.*?\)", mod): self.assertFalse(x in desc_sddl) def test_203(self): """ OU with protected flag and add 'CI' ACE, child group. See if the group has the added inherited ACE. """ ou_dn = "OU=test_inherit_ou," + self.base_dn group_dn = "CN=test_inherit_group," + ou_dn # Create inheritable-free OU self.create_clean_ou(ou_dn) # Add some custom 'CI' ACE mod = "(D;CI;WP;;;DU)" moded = "(D;;CC;;;LG)" self.dacl_add_ace(ou_dn, mod) desc_sddl = self.get_desc_sddl(ou_dn) # Create group child object self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") # Make sure created group object contains only the above inherited ACE # that we've added manually desc_sddl = self.get_desc_sddl(group_dn) mod = mod.replace(";CI;", ";CIID;") self.assertTrue(mod in desc_sddl) self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) desc_sddl = self.get_desc_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) def test_204(self): """ OU with protected flag and add 'OI' ACE, child group. See if the group has the added inherited ACE. """ ou_dn = "OU=test_inherit_ou," + self.base_dn group_dn = "CN=test_inherit_group," + ou_dn # Create inheritable-free OU self.create_clean_ou(ou_dn) # Add some custom 'CI' ACE mod = "(D;OI;WP;;;DU)" moded = "(D;;CC;;;LG)" self.dacl_add_ace(ou_dn, mod) desc_sddl = self.get_desc_sddl(ou_dn) # Create group child object self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") # Make sure created group object contains only the above inherited ACE # that we've added manually desc_sddl = self.get_desc_sddl(group_dn) mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like self.assertTrue(mod in desc_sddl) self.modify_desc(self.ldb_admin, group_dn, "D:" +moded) desc_sddl = self.get_desc_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) def test_205(self): """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group. See if the group has the added inherited ACE. """ ou_dn = "OU=test_inherit_ou," + self.base_dn group_dn = "CN=test_inherit_group," + ou_dn # Create inheritable-free OU self.create_clean_ou(ou_dn) # Add some custom 'OA' for 'name' attribute & 'CI' ACE mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" moded = "(D;;CC;;;LG)" self.dacl_add_ace(ou_dn, mod) desc_sddl = self.get_desc_sddl(ou_dn) # Create group child object self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") # Make sure created group object contains only the above inherited ACE # that we've added manually desc_sddl = self.get_desc_sddl(group_dn) mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like self.assertTrue(mod in desc_sddl) self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) desc_sddl = self.get_desc_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) def test_206(self): """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group. See if the group has the added inherited ACE. """ ou_dn = "OU=test_inherit_ou," + self.base_dn group_dn = "CN=test_inherit_group," + ou_dn # Create inheritable-free OU self.create_clean_ou(ou_dn) # Add some custom 'OA' for 'name' attribute & 'OI' ACE mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" moded = "(D;;CC;;;LG)" self.dacl_add_ace(ou_dn, mod) desc_sddl = self.get_desc_sddl(ou_dn) # Create group child object self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") # Make sure created group object contains only the above inherited ACE # that we've added manually desc_sddl = self.get_desc_sddl(group_dn) mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like self.assertTrue(mod in desc_sddl) self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) desc_sddl = self.get_desc_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) def test_207(self): """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group. See if the group has the added inherited ACE. """ ou_dn = "OU=test_inherit_ou," + self.base_dn group_dn = "CN=test_inherit_group," + ou_dn # Create inheritable-free OU self.create_clean_ou(ou_dn) # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" moded = "(D;;CC;;;LG)" self.dacl_add_ace(ou_dn, mod) desc_sddl = self.get_desc_sddl(ou_dn) # Create group child object self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") # Make sure created group object contains only the above inherited ACE # that we've added manually desc_sddl = self.get_desc_sddl(group_dn) mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like self.assertTrue(mod in desc_sddl) self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) desc_sddl = self.get_desc_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) def test_208(self): """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group. See if the group has the added inherited ACE. """ ou_dn = "OU=test_inherit_ou," + self.base_dn group_dn = "CN=test_inherit_group," + ou_dn # Create inheritable-free OU self.create_clean_ou(ou_dn) # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" moded = "(D;;CC;;;LG)" self.dacl_add_ace(ou_dn, mod) desc_sddl = self.get_desc_sddl(ou_dn) # Create group child object self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") # Make sure created group object contains only the above inherited ACE # that we've added manually desc_sddl = self.get_desc_sddl(group_dn) mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like self.assertTrue(mod in desc_sddl) self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded) desc_sddl = self.get_desc_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) def test_209(self): """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group. See if the group has the added inherited ACE. """ ou_dn = "OU=test_inherit_ou," + self.base_dn group_dn = "CN=test_inherit_group," + ou_dn # Create inheritable-free OU self.create_clean_ou(ou_dn) # Add some custom 'CI' ACE mod = "(D;CI;WP;;;CO)" moded = "(D;;CC;;;LG)" self.dacl_add_ace(ou_dn, mod) desc_sddl = self.get_desc_sddl(ou_dn) # Create group child object self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") # Make sure created group object contains only the above inherited ACE(s) # that we've added manually desc_sddl = self.get_desc_sddl(group_dn) self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl) self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) desc_sddl = self.get_desc_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl) self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) ######################################################################################## class SdFlagsDescriptorTests(DescriptorTests): def deleteAll(self): self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn) def setUp(self): DescriptorTests.setUp(self) self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)" self.deleteAll() def tearDown(self): self.deleteAll() def test_301(self): """ Modify a descriptor with OWNER_SECURITY_INFORMATION set. See that only the owner has been changed. """ ou_dn = "OU=test_sdflags_ou," + self.base_dn self.create_domain_ou(self.ldb_admin, ou_dn) self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)]) desc_sddl = self.get_desc_sddl(ou_dn) # make sure we have modified the owner self.assertTrue("O:AU" in desc_sddl) # make sure nothing else has been modified self.assertFalse("G:AU" in desc_sddl) self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl) self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) def test_302(self): """ Modify a descriptor with GROUP_SECURITY_INFORMATION set. See that only the owner has been changed. """ ou_dn = "OU=test_sdflags_ou," + self.base_dn self.create_domain_ou(self.ldb_admin, ou_dn) self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)]) desc_sddl = self.get_desc_sddl(ou_dn) # make sure we have modified the group self.assertTrue("G:AU" in desc_sddl) # make sure nothing else has been modified self.assertFalse("O:AU" in desc_sddl) self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl) self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) def test_303(self): """ Modify a descriptor with SACL_SECURITY_INFORMATION set. See that only the owner has been changed. """ ou_dn = "OU=test_sdflags_ou," + self.base_dn self.create_domain_ou(self.ldb_admin, ou_dn) self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)]) desc_sddl = self.get_desc_sddl(ou_dn) # make sure we have modified the DACL self.assertTrue("(D;;CC;;;LG)" in desc_sddl) # make sure nothing else has been modified self.assertFalse("O:AU" in desc_sddl) self.assertFalse("G:AU" in desc_sddl) self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) def test_304(self): """ Modify a descriptor with SACL_SECURITY_INFORMATION set. See that only the owner has been changed. """ ou_dn = "OU=test_sdflags_ou," + self.base_dn self.create_domain_ou(self.ldb_admin, ou_dn) self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)]) desc_sddl = self.get_desc_sddl(ou_dn) # make sure we have modified the DACL self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) # make sure nothing else has been modified self.assertFalse("O:AU" in desc_sddl) self.assertFalse("G:AU" in desc_sddl) self.assertFalse("(D;;CC;;;LG)" in desc_sddl) def test_305(self): """ Modify a descriptor with 0x0 set. Contrary to logic this is interpreted as no control, which is the same as 0xF """ ou_dn = "OU=test_sdflags_ou," + self.base_dn self.create_domain_ou(self.ldb_admin, ou_dn) self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"]) desc_sddl = self.get_desc_sddl(ou_dn) # make sure we have modified the DACL self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) # make sure nothing else has been modified self.assertTrue("O:AU" in desc_sddl) self.assertTrue("G:AU" in desc_sddl) self.assertTrue("(D;;CC;;;LG)" in desc_sddl) def test_306(self): """ Modify a descriptor with 0xF set. """ ou_dn = "OU=test_sdflags_ou," + self.base_dn self.create_domain_ou(self.ldb_admin, ou_dn) self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"]) desc_sddl = self.get_desc_sddl(ou_dn) # make sure we have modified the DACL self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) # make sure nothing else has been modified self.assertTrue("O:AU" in desc_sddl) self.assertTrue("G:AU" in desc_sddl) self.assertTrue("(D;;CC;;;LG)" in desc_sddl) def test_307(self): """ Read a descriptor with OWNER_SECURITY_INFORMATION Only the owner part should be returned. """ ou_dn = "OU=test_sdflags_ou," + self.base_dn self.create_domain_ou(self.ldb_admin, ou_dn) desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)]) # make sure we have read the owner self.assertTrue("O:" in desc_sddl) # make sure we have read nothing else self.assertFalse("G:" in desc_sddl) self.assertFalse("D:" in desc_sddl) self.assertFalse("S:" in desc_sddl) def test_308(self): """ Read a descriptor with GROUP_SECURITY_INFORMATION Only the group part should be returned. """ ou_dn = "OU=test_sdflags_ou," + self.base_dn self.create_domain_ou(self.ldb_admin, ou_dn) desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)]) # make sure we have read the owner self.assertTrue("G:" in desc_sddl) # make sure we have read nothing else self.assertFalse("O:" in desc_sddl) self.assertFalse("D:" in desc_sddl) self.assertFalse("S:" in desc_sddl) def test_309(self): """ Read a descriptor with SACL_SECURITY_INFORMATION Only the sacl part should be returned. """ ou_dn = "OU=test_sdflags_ou," + self.base_dn self.create_domain_ou(self.ldb_admin, ou_dn) desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)]) # make sure we have read the owner self.assertTrue("S:" in desc_sddl) # make sure we have read nothing else self.assertFalse("O:" in desc_sddl) self.assertFalse("D:" in desc_sddl) self.assertFalse("G:" in desc_sddl) def test_310(self): """ Read a descriptor with DACL_SECURITY_INFORMATION Only the dacl part should be returned. """ ou_dn = "OU=test_sdflags_ou," + self.base_dn self.create_domain_ou(self.ldb_admin, ou_dn) desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)]) # make sure we have read the owner self.assertTrue("D:" in desc_sddl) # make sure we have read nothing else self.assertFalse("O:" in desc_sddl) self.assertFalse("S:" in desc_sddl) self.assertFalse("G:" in desc_sddl) class RightsAttributesTests(DescriptorTests): def deleteAll(self): if self.SAMBA: self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr")) self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2")) self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) def setUp(self): DescriptorTests.setUp(self) self.deleteAll() if self.SAMBA: ### Create users # User 1 user_dn = self.get_users_domain_dn("testuser_attr") self.create_domain_user(self.ldb_admin, user_dn) self.enable_account(user_dn) # User 2, Domain Admins user_dn = self.get_users_domain_dn("testuser_attr2") self.create_domain_user(self.ldb_admin, user_dn) self.enable_account(user_dn) ldif = """ dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ changetype: modify add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) def tearDown(self): self.deleteAll() def test_sDRightsEffective(self): object_dn = "OU=test_domain_ou1," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_ou(self.ldb_admin, object_dn) print self.get_users_domain_dn("testuser_attr") user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr")) #give testuser1 read access so attributes can be retrieved mod = "(A;CI;RP;;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod) _ldb = self.get_ldb_connection("testuser_attr", "samba123@") res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, attrs=["sDRightsEffective"]) #user whould have no rights at all self.assertEquals(len(res), 1) self.assertEquals(res[0]["sDRightsEffective"][0], "0") #give the user Write DACL and see what happens mod = "(A;CI;WD;;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod) res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, attrs=["sDRightsEffective"]) #user whould have DACL_SECURITY_INFORMATION self.assertEquals(len(res), 1) self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL) #give the user Write Owners and see what happens mod = "(A;CI;WO;;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod) res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, attrs=["sDRightsEffective"]) #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION self.assertEquals(len(res), 1) self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER)) #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins _ldb = self.get_ldb_connection("testuser_attr2", "samba123@") res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, attrs=["sDRightsEffective"]) #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION self.assertEquals(len(res), 1) self.assertEquals(res[0]["sDRightsEffective"][0], \ ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL)) def test_allowedChildClassesEffective(self): object_dn = "OU=test_domain_ou1," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_ou(self.ldb_admin, object_dn) user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr")) #give testuser1 read access so attributes can be retrieved mod = "(A;CI;RP;;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod) _ldb = self.get_ldb_connection("testuser_attr", "samba123@") res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, attrs=["allowedChildClassesEffective"]) #there should be no allowed child classes self.assertEquals(len(res), 1) self.assertFalse("allowedChildClassesEffective" in res[0].keys()) #give the user the right to create children of type user mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod) res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, attrs=["allowedChildClassesEffective"]) # allowedChildClassesEffective should only have one value, user self.assertEquals(len(res), 1) self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1) self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user") def test_allowedAttributesEffective(self): object_dn = "OU=test_domain_ou1," + self.base_dn self.delete_force(self.ldb_admin, object_dn) self.create_domain_ou(self.ldb_admin, object_dn) user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr")) #give testuser1 read access so attributes can be retrieved mod = "(A;CI;RP;;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod) _ldb = self.get_ldb_connection("testuser_attr", "samba123@") #res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, # attrs=["allowedAttributes"]) #print res res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, attrs=["allowedAttributesEffective"]) #there should be no allowed attributes self.assertEquals(len(res), 1) self.assertFalse("allowedAttributesEffective" in res[0].keys()) #give the user the right to write displayName and managedBy mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid) # also rights to modify an read only attribute, fromEntry mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid) self.dacl_add_ace(object_dn, mod + mod2 + mod3) res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, attrs=["allowedAttributesEffective"]) # value should only contain user and managedBy print res self.assertEquals(len(res), 1) self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2) self.assertTrue("displayName" in res[0]["allowedAttributesEffective"]) self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"]) if not "://" in host: if os.path.isfile(host): host = "tdb://%s" % host else: host = "ldap://%s" % host ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"]) runner = SubunitTestRunner() rc = 0 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful(): rc = 1 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful(): rc = 1 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful(): rc = 1 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful(): rc = 1 sys.exit(rc)