sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-03 01:18:10 +03:00
Code

netcmd:domain:policy: Fix missing conversion from tgt_lifetime minutes to 10^(-7) seconds

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15692
Signed-off-by: Andréas Leroux <aleroux@tranquil.it>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Oct  4 04:01:22 UTC 2024 on atb-devel-224
This commit is contained in:
Andréas Leroux 2024-09-25 14:42:25 +02:00 committed by Douglas Bagnall
parent dea292c2fd
commit 3766b6a126
2 changed files with 25 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
python/samba/netcmd/domain/auth/policy/policy.py
View File

@ -26,7 +26,13 @@ from samba.domain.models import (MAX_TGT_LIFETIME, MIN_TGT_LIFETIME,
from samba.domain.models.exceptions import ModelError from samba.domain.models.exceptions import ModelError
from samba.netcmd import Command, CommandError, Option from samba.netcmd import Command, CommandError, Option
from samba.netcmd.validators import Range from samba.netcmd.validators import Range
from samba.nt_time import NT_TICKS_PER_SEC
def mins_to_tgt_lifetime(minutes):
"""Convert minutes to the tgt_lifetime attributes unit which is 10^-7 seconds"""
if minutes is not None:
return minutes * 60 * NT_TICKS_PER_SEC
return minutes
class UserOptions(options.OptionGroup): class UserOptions(options.OptionGroup):
"""User options used by policy create and policy modify commands.""" """User options used by policy create and policy modify commands."""
@ -238,14 +244,14 @@ class cmd_domain_auth_policy_create(Command):
description=description, description=description,
strong_ntlm_policy=StrongNTLMPolicy[strong_ntlm_policy.upper()], strong_ntlm_policy=StrongNTLMPolicy[strong_ntlm_policy.upper()],
user_allow_ntlm_auth=useropts.allow_ntlm_auth, user_allow_ntlm_auth=useropts.allow_ntlm_auth,
user_tgt_lifetime=useropts.tgt_lifetime, user_tgt_lifetime=mins_to_tgt_lifetime(useropts.tgt_lifetime),
user_allowed_to_authenticate_from=useropts.allowed_to_authenticate_from, user_allowed_to_authenticate_from=useropts.allowed_to_authenticate_from,
user_allowed_to_authenticate_to=useropts.allowed_to_authenticate_to, user_allowed_to_authenticate_to=useropts.allowed_to_authenticate_to,
service_allow_ntlm_auth=serviceopts.allow_ntlm_auth, service_allow_ntlm_auth=serviceopts.allow_ntlm_auth,
service_tgt_lifetime=serviceopts.tgt_lifetime, service_tgt_lifetime=mins_to_tgt_lifetime(serviceopts.tgt_lifetime),
service_allowed_to_authenticate_from=serviceopts.allowed_to_authenticate_from, service_allowed_to_authenticate_from=serviceopts.allowed_to_authenticate_from,
service_allowed_to_authenticate_to=serviceopts.allowed_to_authenticate_to, service_allowed_to_authenticate_to=serviceopts.allowed_to_authenticate_to,
computer_tgt_lifetime=computeropts.tgt_lifetime, computer_tgt_lifetime=mins_to_tgt_lifetime(computeropts.tgt_lifetime),
computer_allowed_to_authenticate_to=computeropts.allowed_to_authenticate_to, computer_allowed_to_authenticate_to=computeropts.allowed_to_authenticate_to,
) )
@ -346,7 +352,7 @@ class cmd_domain_auth_policy_modify(Command):
StrongNTLMPolicy[strong_ntlm_policy.upper()] StrongNTLMPolicy[strong_ntlm_policy.upper()]
if useropts.tgt_lifetime is not None: if useropts.tgt_lifetime is not None:
policy.user_tgt_lifetime = useropts.tgt_lifetime policy.user_tgt_lifetime = mins_to_tgt_lifetime(useropts.tgt_lifetime)
if useropts.allowed_to_authenticate_from is not None: if useropts.allowed_to_authenticate_from is not None:
policy.user_allowed_to_authenticate_from = \ policy.user_allowed_to_authenticate_from = \
@ -360,7 +366,7 @@ class cmd_domain_auth_policy_modify(Command):
################## ##################
if serviceopts.tgt_lifetime is not None: if serviceopts.tgt_lifetime is not None:
policy.service_tgt_lifetime = serviceopts.tgt_lifetime policy.service_tgt_lifetime = mins_to_tgt_lifetime(serviceopts.tgt_lifetime)
if serviceopts.allowed_to_authenticate_from is not None: if serviceopts.allowed_to_authenticate_from is not None:
policy.service_allowed_to_authenticate_from = \ policy.service_allowed_to_authenticate_from = \
@ -374,7 +380,7 @@ class cmd_domain_auth_policy_modify(Command):
########### ###########
if computeropts.tgt_lifetime is not None: if computeropts.tgt_lifetime is not None:
policy.computer_tgt_lifetime = computeropts.tgt_lifetime policy.computer_tgt_lifetime = mins_to_tgt_lifetime(computeropts.tgt_lifetime)
if computeropts.allowed_to_authenticate_to is not None: if computeropts.allowed_to_authenticate_to is not None:
policy.computer_allowed_to_authenticate_to = \ policy.computer_allowed_to_authenticate_to = \

19
python/samba/tests/samba_tool/domain_auth_policy.py
View File

@ -27,12 +27,19 @@ from unittest.mock import patch
from samba.dcerpc import security from samba.dcerpc import security
from samba.domain.models.exceptions import ModelError from samba.domain.models.exceptions import ModelError
from samba.ndr import ndr_pack, ndr_unpack from samba.ndr import ndr_pack, ndr_unpack
from samba.nt_time import NT_TICKS_PER_SEC
from samba.samdb import SamDB from samba.samdb import SamDB
from samba.sd_utils import SDUtils from samba.sd_utils import SDUtils
from .silo_base import SiloTest from .silo_base import SiloTest
def mins_to_tgt_lifetime(minutes):
"""Convert minutes to the tgt_lifetime attributes unit which is 10^-7 seconds"""
if minutes is not None:
return minutes * 60 * NT_TICKS_PER_SEC
return minutes
class AuthPolicyCmdTestCase(SiloTest): class AuthPolicyCmdTestCase(SiloTest):
def test_list(self): def test_list(self):
@ -135,7 +142,7 @@ class AuthPolicyCmdTestCase(SiloTest):
# Check policy fields. # Check policy fields.
policy = self.get_authentication_policy(name) policy = self.get_authentication_policy(name)
self.assertEqual(str(policy["cn"]), name) self.assertEqual(str(policy["cn"]), name)
self.assertEqual(str(policy["msDS-UserTGTLifetime"]), "60") self.assertEqual(str(policy["msDS-UserTGTLifetime"]), str(mins_to_tgt_lifetime(60)))
# check lower bounds (45) # check lower bounds (45)
result, out, err = self.runcmd("domain", "auth", "policy", "create", result, out, err = self.runcmd("domain", "auth", "policy", "create",
@ -169,7 +176,7 @@ class AuthPolicyCmdTestCase(SiloTest):
# Check policy fields. # Check policy fields.
policy = self.get_authentication_policy(name) policy = self.get_authentication_policy(name)
self.assertEqual(str(policy["cn"]), name) self.assertEqual(str(policy["cn"]), name)
self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), "60") self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), str(mins_to_tgt_lifetime(60)))
# check lower bounds (45) # check lower bounds (45)
result, out, err = self.runcmd("domain", "auth", "policy", "create", result, out, err = self.runcmd("domain", "auth", "policy", "create",
@ -203,7 +210,7 @@ class AuthPolicyCmdTestCase(SiloTest):
# Check policy fields. # Check policy fields.
policy = self.get_authentication_policy(name) policy = self.get_authentication_policy(name)
self.assertEqual(str(policy["cn"]), name) self.assertEqual(str(policy["cn"]), name)
self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), "60") self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), str(mins_to_tgt_lifetime(60)))
# check lower bounds (45) # check lower bounds (45)
result, out, err = self.runcmd("domain", "auth", "policy", "create", result, out, err = self.runcmd("domain", "auth", "policy", "create",
@ -644,7 +651,7 @@ class AuthPolicyCmdTestCase(SiloTest):
# Verify field was changed. # Verify field was changed.
policy = self.get_authentication_policy(name) policy = self.get_authentication_policy(name)
self.assertEqual(str(policy["msDS-UserTGTLifetime"]), "120") self.assertEqual(str(policy["msDS-UserTGTLifetime"]), str(mins_to_tgt_lifetime(120)))
# check lower bounds (45) # check lower bounds (45)
result, out, err = self.runcmd("domain", "auth", "policy", "modify", result, out, err = self.runcmd("domain", "auth", "policy", "modify",
@ -680,7 +687,7 @@ class AuthPolicyCmdTestCase(SiloTest):
# Verify field was changed. # Verify field was changed.
policy = self.get_authentication_policy(name) policy = self.get_authentication_policy(name)
self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), "120") self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), str(mins_to_tgt_lifetime(120)))
# check lower bounds (45) # check lower bounds (45)
result, out, err = self.runcmd("domain", "auth", "policy", "modify", result, out, err = self.runcmd("domain", "auth", "policy", "modify",
@ -716,7 +723,7 @@ class AuthPolicyCmdTestCase(SiloTest):
# Verify field was changed. # Verify field was changed.
policy = self.get_authentication_policy(name) policy = self.get_authentication_policy(name)
self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), "120") self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), str(mins_to_tgt_lifetime(120)))
# check lower bounds (45) # check lower bounds (45)
result, out, err = self.runcmd("domain", "auth", "policy", "modify", result, out, err = self.runcmd("domain", "auth", "policy", "modify",