sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-20 22:50:26 +03:00
Code

s4-tests: Modified create_ou to only accept security.descriptor type for sd to avoid confusion

Browse Source 
It used to work with sddl as well, but this is confusing and could lead to errors. It also caused a message about tallocing a security descriptor to appear.

Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Thu Nov 25 19:46:42 CET 2010 on sn-devel-104
This commit is contained in:
Nadezhda Ivanova 2010-11-25 19:57:51 +02:00
parent db403ac35d
commit 1e9a7882be
2 changed files with 31 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
source4/dsdb/tests/python/acl.py
View File

@ -736,16 +736,13 @@ class AclSearchTests(AclTests):
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;;LC;;;%s)(A;;LC;;;%s)" % (str(self.user_sid), str(self.group_sid))
self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
self.ldb_admin.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
self.ldb_admin.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
self.ldb_admin.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
self.ldb_admin.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_admin.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_admin.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_admin.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_admin.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
#regular users must see only ou1 and ou2
res = self.ldb_user3.search("OU=ou1," + self.base_dn, expression="(objectClass=*)",
@ -807,16 +804,13 @@ class AclSearchTests(AclTests):
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;CI;LC;;;%s)(A;CI;LC;;;%s)" % (str(self.user_sid), str(self.group_sid))
self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
self.ldb_admin.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
self.ldb_admin.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
self.ldb_admin.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
self.ldb_admin.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_admin.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_admin.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_admin.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_admin.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
print "Testing correct behavior on nonaccessible search base"
try:
@ -861,16 +855,13 @@ class AclSearchTests(AclTests):
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;CI;CC;;;%s)" % (str(self.user_sid))
self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
self.ldb_user.create_ou("OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
self.ldb_user.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
self.ldb_user.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
self.ldb_user.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
self.ldb_user.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
self.ldb_user.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_user.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_user.create_ou("OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_user.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_user.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
ok_list = [Dn(self.ldb_admin, "OU=ou2,OU=ou1," + self.base_dn),
Dn(self.ldb_admin, "OU=ou1," + self.base_dn)]
@ -891,8 +882,9 @@ class AclSearchTests(AclTests):
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;CI;LC;;;%s)" % (str(self.user_sid))
self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
# assert user can only see dn
res = self.ldb_user.search("OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)",
scope=SCOPE_SUBTREE)
@ -935,10 +927,10 @@ class AclSearchTests(AclTests):
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;CI;LCCC;;;%s)" % (str(self.user_sid))
self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod)
self.ldb_user.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn,
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
self.ldb_user.create_ou("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
res = self.ldb_user.search("OU=ou1," + self.base_dn, expression="(ou=ou3)",
scope=SCOPE_SUBTREE)

12
source4/scripting/python/samba/samdb.py
View File

@ -663,16 +663,10 @@ accountExpires: %u
"objectClass": "organizationalUnit"}
if description:
m["description"] = description
m["description"] = description
if name:
m["name"] = name
m["name"] = name
if sd:
assert(isinstance(sd, str) or isinstance(sd, security.descriptor))
if isinstance(sd, str):
sid = security.dom_sid(self.get_domain_sid())
tmp_desc = security.descriptor.from_sddl(sd, sid)
m["nTSecurityDescriptor"] = ndr_pack(tmp_desc)
elif isinstance(sd, security.descriptor):
m["nTSecurityDescriptor"] = ndr_pack(sd)
m["nTSecurityDescriptor"] = ndr_pack(sd)
self.add(m)