mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
tests/krb5: Allow replicating accounts to the created RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
parent
ef5666bc51
commit
35292bd322
@ -378,6 +378,16 @@ class KDCBaseTest(RawKerberosTest):
|
||||
exop=drsuapi.DRSUAPI_EXOP_REPL_SECRET,
|
||||
rodc=True)
|
||||
|
||||
def reveal_account_to_mock_rodc(self, dn):
|
||||
samdb = self.get_samdb()
|
||||
rodc_ctx = self.get_mock_rodc_ctx()
|
||||
|
||||
self.get_secrets(
|
||||
samdb,
|
||||
dn,
|
||||
destination_dsa_guid=rodc_ctx.ntds_guid,
|
||||
source_dsa_invocation_id=misc.GUID(samdb.invocation_id))
|
||||
|
||||
def check_revealed(self, dn, rodc_dn, revealed=True):
|
||||
samdb = self.get_samdb()
|
||||
|
||||
@ -555,8 +565,11 @@ class KDCBaseTest(RawKerberosTest):
|
||||
|
||||
opts_default = {
|
||||
'allowed_replication': False,
|
||||
'allowed_replication_mock': False,
|
||||
'denied_replication': False,
|
||||
'denied_replication_mock': False,
|
||||
'revealed_to_rodc': False,
|
||||
'revealed_to_mock_rodc': False,
|
||||
'no_auth_data_required': False,
|
||||
'supported_enctypes': None,
|
||||
'not_delegated': False,
|
||||
@ -583,8 +596,11 @@ class KDCBaseTest(RawKerberosTest):
|
||||
def create_account_opts(self, *,
|
||||
machine_account,
|
||||
allowed_replication,
|
||||
allowed_replication_mock,
|
||||
denied_replication,
|
||||
denied_replication_mock,
|
||||
revealed_to_rodc,
|
||||
revealed_to_mock_rodc,
|
||||
no_auth_data_required,
|
||||
supported_enctypes,
|
||||
not_delegated,
|
||||
@ -682,6 +698,40 @@ class KDCBaseTest(RawKerberosTest):
|
||||
# Deny replicating this account's secrets to the RODC.
|
||||
self.add_to_group(dn, rodc_dn, 'msDS-NeverRevealGroup')
|
||||
|
||||
# Handle secret replication to the mock RODC.
|
||||
|
||||
if allowed_replication_mock or revealed_to_mock_rodc:
|
||||
# Allow replicating this account's secrets if requested, or allow
|
||||
# it only temporarily if we want to add the account to the mock
|
||||
# RODC's msDS-RevealedUsers.
|
||||
rodc_ctx = self.get_mock_rodc_ctx()
|
||||
mock_rodc_dn = ldb.Dn(samdb, rodc_ctx.acct_dn)
|
||||
|
||||
allowed_mock_cleanup = self.add_to_group(
|
||||
dn, mock_rodc_dn,
|
||||
'msDS-RevealOnDemandGroup')
|
||||
|
||||
if revealed_to_mock_rodc:
|
||||
# Request replicating this account's secrets to the mock RODC,
|
||||
# which updates msDS-RevealedUsers.
|
||||
self.reveal_account_to_mock_rodc(dn)
|
||||
|
||||
if not allowed_replication_mock:
|
||||
# If we don't want replicating secrets to be allowed for this
|
||||
# account, disable it again.
|
||||
samdb.modify(allowed_mock_cleanup)
|
||||
|
||||
self.check_revealed(dn,
|
||||
mock_rodc_dn,
|
||||
revealed=revealed_to_mock_rodc)
|
||||
|
||||
if denied_replication_mock:
|
||||
# Deny replicating this account's secrets to the mock RODC.
|
||||
rodc_ctx = self.get_mock_rodc_ctx()
|
||||
mock_rodc_dn = ldb.Dn(samdb, rodc_ctx.acct_dn)
|
||||
|
||||
self.add_to_group(dn, mock_rodc_dn, 'msDS-NeverRevealGroup')
|
||||
|
||||
return creds
|
||||
|
||||
def get_client_creds(self,
|
||||
|
Loading…
Reference in New Issue
Block a user