netcmd:domain:policy: Fix missing conversion from tgt_lifetime minutes to 10^(-7) seconds

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15692
Signed-off-by: Andréas Leroux <aleroux@tranquil.it>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Oct  4 04:01:22 UTC 2024 on atb-devel-224

(backported from commit 3766b6a126f659a43e2e36c66689c136fc22dbc4
 requiring manual merge in the test file imports)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Oct  7 09:45:40 UTC 2024 on atb-devel-224

python/samba/netcmd/domain/auth/policy.py

@@ -28,7 +28,13 @@ from samba.netcmd.domain.models.auth_policy import MIN_TGT_LIFETIME,\
     MAX_TGT_LIFETIME, StrongNTLMPolicy
 from samba.netcmd.domain.models.exceptions import ModelError
 from samba.netcmd.validators import Range
+from samba.nt_time import NT_TICKS_PER_SEC
 
+def mins_to_tgt_lifetime(minutes):
+    """Convert minutes to the tgt_lifetime attributes unit which is 10^-7 seconds"""
+    if minutes is not None:
+        return minutes * 60 * NT_TICKS_PER_SEC
+    return minutes
 
 def check_similar_args(option, args):
     """Helper method for checking similar mutually exclusive args.
@@ -385,14 +391,14 @@ class cmd_domain_auth_policy_create(Command):
             description=description,
             strong_ntlm_policy=StrongNTLMPolicy[strong_ntlm_policy.upper()],
             user_allow_ntlm_auth=useropts.allow_ntlm_auth,
-            user_tgt_lifetime=useropts.tgt_lifetime,
+            user_tgt_lifetime=mins_to_tgt_lifetime(useropts.tgt_lifetime),
             user_allowed_to_authenticate_from=useropts.allowed_to_authenticate_from,
             user_allowed_to_authenticate_to=useropts.allowed_to_authenticate_to,
             service_allow_ntlm_auth=serviceopts.allow_ntlm_auth,
-            service_tgt_lifetime=serviceopts.tgt_lifetime,
+            service_tgt_lifetime=mins_to_tgt_lifetime(serviceopts.tgt_lifetime),
             service_allowed_to_authenticate_from=serviceopts.allowed_to_authenticate_from,
             service_allowed_to_authenticate_to=serviceopts.allowed_to_authenticate_to,
-            computer_tgt_lifetime=computeropts.tgt_lifetime,
+            computer_tgt_lifetime=mins_to_tgt_lifetime(computeropts.tgt_lifetime),
             computer_allowed_to_authenticate_to=computeropts.allowed_to_authenticate_to,
         )
 
@@ -575,7 +581,7 @@ class cmd_domain_auth_policy_modify(Command):
                 StrongNTLMPolicy[strong_ntlm_policy.upper()]
 
         if useropts.tgt_lifetime is not None:
-            policy.user_tgt_lifetime = useropts.tgt_lifetime
+            policy.user_tgt_lifetime = mins_to_tgt_lifetime(useropts.tgt_lifetime)
 
         if useropts.allowed_to_authenticate_from is not None:
             policy.user_allowed_to_authenticate_from = \
@@ -589,7 +595,7 @@ class cmd_domain_auth_policy_modify(Command):
         ##################
 
         if serviceopts.tgt_lifetime is not None:
-            policy.service_tgt_lifetime = serviceopts.tgt_lifetime
+            policy.service_tgt_lifetime = mins_to_tgt_lifetime(serviceopts.tgt_lifetime)
 
         if serviceopts.allowed_to_authenticate_from is not None:
             policy.service_allowed_to_authenticate_from = \
@@ -603,7 +609,7 @@ class cmd_domain_auth_policy_modify(Command):
         ###########
 
         if computeropts.tgt_lifetime is not None:
-            policy.computer_tgt_lifetime = computeropts.tgt_lifetime
+            policy.computer_tgt_lifetime = mins_to_tgt_lifetime(computeropts.tgt_lifetime)
 
         if computeropts.allowed_to_authenticate_to is not None:
             policy.computer_allowed_to_authenticate_to = \

python/samba/tests/samba_tool/domain_auth_policy.py

@@ -27,12 +27,19 @@ from unittest.mock import patch
 from samba.dcerpc import security
 from samba.ndr import ndr_pack, ndr_unpack
 from samba.netcmd.domain.models.exceptions import ModelError
+from samba.nt_time import NT_TICKS_PER_SEC
 from samba.samdb import SamDB
 from samba.sd_utils import SDUtils
 
 from .silo_base import SiloTest
 
 
+def mins_to_tgt_lifetime(minutes):
+    """Convert minutes to the tgt_lifetime attributes unit which is 10^-7 seconds"""
+    if minutes is not None:
+        return minutes * 60 * NT_TICKS_PER_SEC
+    return minutes
+
 class AuthPolicyCmdTestCase(SiloTest):
 
     def test_list(self):
@@ -135,7 +142,7 @@ class AuthPolicyCmdTestCase(SiloTest):
         # Check policy fields.
         policy = self.get_authentication_policy(name)
         self.assertEqual(str(policy["cn"]), name)
-        self.assertEqual(str(policy["msDS-UserTGTLifetime"]), "60")
+        self.assertEqual(str(policy["msDS-UserTGTLifetime"]), str(mins_to_tgt_lifetime(60)))
 
         # check lower bounds (45)
         result, out, err = self.runcmd("domain", "auth", "policy", "create",
@@ -254,7 +261,7 @@ class AuthPolicyCmdTestCase(SiloTest):
         # Check policy fields.
         policy = self.get_authentication_policy(name)
         self.assertEqual(str(policy["cn"]), name)
-        self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), "60")
+        self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), str(mins_to_tgt_lifetime(60)))
 
         # check lower bounds (45)
         result, out, err = self.runcmd("domain", "auth", "policy", "create",
@@ -373,7 +380,7 @@ class AuthPolicyCmdTestCase(SiloTest):
         # Check policy fields.
         policy = self.get_authentication_policy(name)
         self.assertEqual(str(policy["cn"]), name)
-        self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), "60")
+        self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), str(mins_to_tgt_lifetime(60)))
 
         # check lower bounds (45)
         result, out, err = self.runcmd("domain", "auth", "policy", "create",
@@ -840,7 +847,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 
         # Verify field was changed.
         policy = self.get_authentication_policy(name)
-        self.assertEqual(str(policy["msDS-UserTGTLifetime"]), "120")
+        self.assertEqual(str(policy["msDS-UserTGTLifetime"]), str(mins_to_tgt_lifetime(120)))
 
         # check lower bounds (45)
         result, out, err = self.runcmd("domain", "auth", "policy", "modify",
@@ -876,7 +883,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 
         # Verify field was changed.
         policy = self.get_authentication_policy(name)
-        self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), "120")
+        self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), str(mins_to_tgt_lifetime(120)))
 
         # check lower bounds (45)
         result, out, err = self.runcmd("domain", "auth", "policy", "modify",
@@ -912,7 +919,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 
         # Verify field was changed.
         policy = self.get_authentication_policy(name)
-        self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), "120")
+        self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), str(mins_to_tgt_lifetime(120)))
 
         # check lower bounds (45)
         result, out, err = self.runcmd("domain", "auth", "policy", "modify",