sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-07-29 15:42:04 +03:00
Code Activity

Fix formating of sources to be less than 80 lines

Browse Source 
Signed-off-by: David Mulder <dmulder@suse.com>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Tue Nov 21 01:51:59 CET 2017 on sn-devel-144
This commit is contained in:
Garming Sam
2017-11-20 10:28:33 +13:00
committed by Garming Sam
parent 644bbf083b
commit 6e7d037ace
4 changed files with 190 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
libgpo/pygpo.c
View File

@ -50,13 +50,18 @@ GPO_getter(user_extensions)
GPO_getter(machine_extensions)
static PyGetSetDef GPO_setters[] = {
{discard_const_p(char, "ds_path"), (getter)GPO_get_ds_path, NULL, NULL, NULL},
{discard_const_p(char, "file_sys_path"), (getter)GPO_get_file_sys_path, NULL, NULL, NULL},
{discard_const_p(char, "display_name"), (getter)GPO_get_display_name, NULL, NULL, NULL},
{discard_const_p(char, "ds_path"), (getter)GPO_get_ds_path, NULL, NULL,
NULL},
{discard_const_p(char, "file_sys_path"), (getter)GPO_get_file_sys_path,
NULL, NULL, NULL},
{discard_const_p(char, "display_name"), (getter)GPO_get_display_name, NULL,
NULL, NULL},
{discard_const_p(char, "name"), (getter)GPO_get_name, NULL, NULL, NULL},
{discard_const_p(char, "link"), (getter)GPO_get_link, NULL, NULL, NULL},
{discard_const_p(char, "user_extensions"), (getter)GPO_get_user_extensions, NULL, NULL, NULL},
{discard_const_p(char, "machine_extensions"), (getter)GPO_get_machine_extensions, NULL, NULL, NULL},
{discard_const_p(char, "user_extensions"), (getter)GPO_get_user_extensions,
NULL, NULL, NULL},
{discard_const_p(char, "machine_extensions"),
(getter)GPO_get_machine_extensions, NULL, NULL, NULL},
{NULL}
};
@ -72,15 +77,19 @@ static PyObject *py_gpo_get_unix_path(PyObject *self, PyObject *args,
struct GROUP_POLICY_OBJECT *gpo_ptr \
= (struct GROUP_POLICY_OBJECT *)pytalloc_get_ptr(self);
if (!PyArg_ParseTupleAndKeywords(args, kwds, "|s", discard_const_p(char *, kwlist), &cache_dir)) {
PyErr_SetString(PyExc_SystemError, "Failed to parse arguments to gpo_get_unix_path()");
if (!PyArg_ParseTupleAndKeywords(args, kwds, "|s",
discard_const_p(char *, kwlist),
&cache_dir)) {
PyErr_SetString(PyExc_SystemError,
"Failed to parse arguments to gpo_get_unix_path()");
goto out;
}
if (!cache_dir) {
cache_dir = cache_path(GPO_CACHE_DIR);
if (!cache_dir) {
PyErr_SetString(PyExc_MemoryError, "Failed to determine gpo cache dir");
PyErr_SetString(PyExc_MemoryError,
"Failed to determine gpo cache dir");
goto out;
}
}
@ -92,7 +101,8 @@ static PyObject *py_gpo_get_unix_path(PyObject *self, PyObject *args,
TALLOC_FREE(frame);
if (!NT_STATUS_IS_OK(status)) {
PyErr_SetString(PyExc_SystemError, "Failed to determine gpo unix path");
PyErr_SetString(PyExc_SystemError,
"Failed to determine gpo unix path");
goto out;
}
@ -145,8 +155,11 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds)
PyObject *lp_obj = NULL;
struct loadparm_context *lp_ctx = NULL;
static const char *kwlist[] = {"ldap_server", "loadparm_context", "credentials", NULL};
if (!PyArg_ParseTupleAndKeywords(args, kwds, "sO|O", discard_const_p(char *, kwlist), &ldap_server, &lp_obj, &py_creds))
static const char *kwlist[] = {"ldap_server", "loadparm_context",
"credentials", NULL};
if (!PyArg_ParseTupleAndKeywords(args, kwds, "sO|O",
discard_const_p(char *, kwlist),
&ldap_server, &lp_obj, &py_creds))
return -1;
if (py_creds) {
@ -189,10 +202,13 @@ static PyObject* py_ads_connect(ADS *self)
ADS_STATUS status;
TALLOC_CTX *frame = talloc_stackframe();
if (self->cli_creds) {
self->ads_ptr->auth.user_name = SMB_STRDUP(cli_credentials_get_username(self->cli_creds));
self->ads_ptr->auth.user_name =
SMB_STRDUP(cli_credentials_get_username(self->cli_creds));
self->ads_ptr->auth.flags |= ADS_AUTH_USER_CREDS;
self->ads_ptr->auth.password = SMB_STRDUP(cli_credentials_get_password(self->cli_creds));
self->ads_ptr->auth.realm = SMB_STRDUP(cli_credentials_get_realm(self->cli_creds));
self->ads_ptr->auth.password =
SMB_STRDUP(cli_credentials_get_password(self->cli_creds));
self->ads_ptr->auth.realm =
SMB_STRDUP(cli_credentials_get_realm(self->cli_creds));
status = ads_connect_user_creds(self->ads_ptr);
if (!ADS_ERR_OK(status)) {
@ -203,7 +219,8 @@ self->ads_ptr->auth.flags |= ADS_AUTH_USER_CREDS;
} else {
char *passwd;
if (asprintf(&(self->ads_ptr->auth.user_name), "%s$", lp_netbios_name()) == -1) {
if (asprintf(&(self->ads_ptr->auth.user_name), "%s$",
lp_netbios_name()) == -1) {
PyErr_SetString(PyExc_SystemError, "Failed to asprintf");
TALLOC_FREE(frame);
Py_RETURN_FALSE;
@ -214,9 +231,11 @@ self->ads_ptr->auth.flags |= ADS_AUTH_USER_CREDS;
TALLOC_FREE(frame);
Py_RETURN_FALSE;
}
if (!(passwd = secrets_fetch_machine_password(self->ads_ptr->server.workgroup, NULL, NULL))) {
PyErr_SetString(PyExc_SystemError, "Failed to fetch the machine account password");
if (!(passwd =
secrets_fetch_machine_password(self->ads_ptr->server.workgroup,
NULL, NULL))) {
PyErr_SetString(PyExc_SystemError,
"Failed to fetch the machine account password");
TALLOC_FREE(frame);
Py_RETURN_FALSE;
}
@ -244,7 +263,8 @@ self->ads_ptr->auth.flags |= ADS_AUTH_USER_CREDS;
void initgpo(void);
/* Global methods aka do not need a special pyobject type */
static PyObject *py_gpo_get_sysvol_gpt_version(PyObject * self, PyObject * args)
static PyObject *py_gpo_get_sysvol_gpt_version(PyObject * self,
PyObject * args)
{
TALLOC_CTX *tmp_ctx = NULL;
char *unix_path;
@ -272,7 +292,9 @@ static PyObject *py_gpo_get_sysvol_gpt_version(PyObject * self, PyObject * args)
return result;
}
static ADS_STATUS find_samaccount(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *samaccountname, uint32_t *uac_ret, const char **dn_ret)
static ADS_STATUS find_samaccount(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
const char *samaccountname,
uint32_t *uac_ret, const char **dn_ret)
{
ADS_STATUS status;
const char *attrs[] = { "userAccountControl", NULL };
@ -287,7 +309,8 @@ static ADS_STATUS find_samaccount(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const ch
goto out;
}
status = ads_do_search_all(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE, filter, attrs, &res);
status = ads_do_search_all(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
filter, attrs, &res);
if (!ADS_ERR_OK(status)) {
goto out;
@ -343,8 +366,11 @@ static PyObject *py_ads_get_gpo_list(ADS *self, PyObject *args, PyObject *kwds)
size_t i;
static const char *kwlist[] = {"samaccountname", NULL};
if (!PyArg_ParseTupleAndKeywords(args, kwds, "s", discard_const_p(char *, kwlist), &samaccountname)) {
PyErr_SetString(PyExc_SystemError, "Failed to parse arguments to py_ads_get_gpo_list()");
if (!PyArg_ParseTupleAndKeywords(args, kwds, "s",
discard_const_p(char *, kwlist),
&samaccountname)) {
PyErr_SetString(PyExc_SystemError,
"Failed to parse arguments to py_ads_get_gpo_list()");
goto out;
}
@ -370,7 +396,8 @@ static PyObject *py_ads_get_gpo_list(ADS *self, PyObject *args, PyObject *kwds)
}
gpo_ctx = talloc_new(frame);
status = ads_get_gpo_list(self->ads_ptr, gpo_ctx, dn, flags, token, &gpo_list);
status = ads_get_gpo_list(self->ads_ptr, gpo_ctx, dn, flags, token,
&gpo_list);
if (!ADS_ERR_OK(status)) {
TALLOC_FREE(frame);
PyErr_SetString(PyExc_SystemError, "Failed to fetch GPO list");
@ -409,7 +436,8 @@ out:
}
static PyMethodDef ADS_methods[] = {
{ "connect", (PyCFunction)py_ads_connect, METH_NOARGS, "Connect to the LDAP server" },
{ "connect", (PyCFunction)py_ads_connect, METH_NOARGS,
"Connect to the LDAP server" },
{ "get_gpo_list", (PyCFunction)py_ads_get_gpo_list, METH_KEYWORDS, NULL },
{ NULL }
};
@ -426,7 +454,8 @@ static PyTypeObject ads_ADSType = {
};
static PyMethodDef py_gpo_methods[] = {
{"gpo_get_sysvol_gpt_version", (PyCFunction) py_gpo_get_sysvol_gpt_version, METH_VARARGS, NULL},
{"gpo_get_sysvol_gpt_version", (PyCFunction) py_gpo_get_sysvol_gpt_version,
METH_VARARGS, NULL},
{NULL}
};
@ -439,7 +468,8 @@ void initgpo(void)
/* Instantiate the types */
m = Py_InitModule3("gpo", py_gpo_methods, "libgpo python bindings");
if (m == NULL) return;
PyModule_AddObject(m, "version", PyString_FromString(SAMBA_VERSION_STRING));
PyModule_AddObject(m, "version",
PyString_FromString(SAMBA_VERSION_STRING));
if (PyType_Ready(&ads_ADSType) < 0)
return;

135
python/samba/gpclass.py
View File

@ -44,7 +44,8 @@ except ImportError:
class gp_log:
''' Log settings overwritten by gpo apply
The gp_log is an xml file that stores a history of gpo changes (and the original setting value).
The gp_log is an xml file that stores a history of gpo changes (and the
original setting value).
The log is organized like so:
@ -69,19 +70,22 @@ class gp_log:
</user>
</gp>
Each guid value contains a list of extensions, which contain a list of attributes. The guid value
represents a GPO. The attributes are the values of those settings prior to the application of
the GPO.
The list of guids is enclosed within a user name, which represents the user the settings were
applied to. This user may be the samaccountname of the local computer, which implies that these
are machine policies.
The applylog keeps track of the order in which the GPOs were applied, so that they can be rolled
back in reverse, returning the machine to the state prior to policy application.
Each guid value contains a list of extensions, which contain a list of
attributes. The guid value represents a GPO. The attributes are the values
of those settings prior to the application of the GPO.
The list of guids is enclosed within a user name, which represents the user
the settings were applied to. This user may be the samaccountname of the
local computer, which implies that these are machine policies.
The applylog keeps track of the order in which the GPOs were applied, so
that they can be rolled back in reverse, returning the machine to the state
prior to policy application.
'''
def __init__(self, user, gpostore, db_log=None):
''' Initialize the gp_log
param user - the username (or machine name) that policies are being applied to
param gpostore - the GPOStorage obj which references the tdb which contains gp_logs
param user - the username (or machine name) that policies are
being applied to
param gpostore - the GPOStorage obj which references the tdb which
contains gp_logs
param db_log - (optional) a string to initialize the gp_log
'''
self._state = GPOSTATE.APPLY
@ -100,10 +104,11 @@ class gp_log:
''' Policy application state
param value - APPLY, ENFORCE, or UNAPPLY
The behavior of the gp_log depends on whether we are applying policy, enforcing policy,
or unapplying policy. During an apply, old settings are recorded in the log. During an
enforce, settings are being applied but the gp_log does not change. During an unapply,
additions to the log should be ignored (since function calls to apply settings are actually
The behavior of the gp_log depends on whether we are applying policy,
enforcing policy, or unapplying policy. During an apply, old settings
are recorded in the log. During an enforce, settings are being applied
but the gp_log does not change. During an unapply, additions to the log
should be ignored (since function calls to apply settings are actually
reverting policy), but removals from the log are allowed.
'''
# If we're enforcing, but we've unapplied, apply instead
@ -118,7 +123,8 @@ class gp_log:
def set_guid(self, guid):
''' Log to a different GPO guid
param guid - guid value of the GPO from which we're applying policy
param guid - guid value of the GPO from which we're applying
policy
'''
self.guid = self.user.find('guid[@value="%s"]' % guid)
if self.guid is None:
@ -136,7 +142,8 @@ class gp_log:
''' Pop a GPO guid from the applylog
return - last applied GPO guid
Removes the GPO guid last added to the list, which is the most recently applied GPO.
Removes the GPO guid last added to the list, which is the most recently
applied GPO.
'''
apply_log = self.user.find('applylog')
if apply_log is not None:
@ -152,7 +159,8 @@ class gp_log:
''' Store an attribute in the gp_log
param gp_ext_name - Name of the extension applying policy
param attribute - The attribute being modified
param old_val - The value of the attribute prior to policy application
param old_val - The value of the attribute prior to policy
application
'''
if self._state == GPOSTATE.UNAPPLY or self._state == GPOSTATE.ENFORCE:
return None
@ -171,7 +179,8 @@ class gp_log:
''' Retrieve a stored attribute from the gp_log
param gp_ext_name - Name of the extension which applied policy
param attribute - The attribute being retrieved
return - The value of the attribute prior to policy application
return - The value of the attribute prior to policy
application
'''
assert self.guid is not None, "gpo guid was not set"
ext = self.guid.find('gp_ext[@name="%s"]' % gp_ext_name)
@ -182,9 +191,12 @@ class gp_log:
return None
def list(self, gp_extensions):
''' Return a list of attributes, their previous values, and functions to set them
param gp_extensions - list of extension objects, for retrieving attr to func mappings
return - list of (attr, value, apply_func) tuples for unapplying policy
''' Return a list of attributes, their previous values, and functions
to set them
param gp_extensions - list of extension objects, for retrieving attr to
func mappings
return - list of (attr, value, apply_func) tuples for
unapplying policy
'''
assert self.guid is not None, "gpo guid was not set"
ret = []
@ -194,15 +206,18 @@ class gp_log:
exts = self.guid.findall('gp_ext')
if exts is not None:
for ext in exts:
ext_map = {val[0]: val[1] for (key, val) in data_maps[ext.attrib['name']].items()}
ext_map = {val[0]: val[1] for (key, val) in \
data_maps[ext.attrib['name']].items()}
attrs = ext.findall('attribute')
for attr in attrs:
ret.append((attr.attrib['name'], attr.text, ext_map[attr.attrib['name']]))
ret.append((attr.attrib['name'], attr.text,
ext_map[attr.attrib['name']]))
return ret
def delete(self, gp_ext_name, attribute):
''' Remove an attribute from the gp_log
param gp_ext_name - name of extension from which to remove the attribute
param gp_ext_name - name of extension from which to remove the
attribute
param attribute - attribute to remove
'''
assert self.guid is not None, "gpo guid was not set"
@ -313,7 +328,8 @@ class inf_to_kdc_tdb(inf_to):
def set_kdc_tdb(self, val):
old_val = self.gp_db.gpostore.get(self.attribute)
self.logger.info('%s was changed from %s to %s' % (self.attribute, old_val, val))
self.logger.info('%s was changed from %s to %s' % (self.attribute,
old_val, val))
if val is not None:
self.gp_db.gpostore.store(self.attribute, val)
self.gp_db.store(str(self), self.attribute, old_val)
@ -323,40 +339,47 @@ class inf_to_kdc_tdb(inf_to):
def mapper(self):
return { 'kdc:user_ticket_lifetime': (self.set_kdc_tdb, self.explicit),
'kdc:service_ticket_lifetime': (self.set_kdc_tdb, self.mins_to_hours),
'kdc:renewal_lifetime': (self.set_kdc_tdb, self.days_to_hours),
'kdc:service_ticket_lifetime': (self.set_kdc_tdb,
self.mins_to_hours),
'kdc:renewal_lifetime': (self.set_kdc_tdb,
self.days_to_hours),
}
def __str__(self):
return 'Kerberos Policy'
class inf_to_ldb(inf_to):
'''This class takes the .inf file parameter (essentially a GPO file mapped to a GUID),
hashmaps it to the Samba parameter, which then uses an ldb object to update the
parameter to Samba4. Not registry oriented whatsoever.
'''This class takes the .inf file parameter (essentially a GPO file mapped
to a GUID), hashmaps it to the Samba parameter, which then uses an ldb
object to update the parameter to Samba4. Not registry oriented whatsoever.
'''
def ch_minPwdAge(self, val):
old_val = self.ldb.get_minPwdAge()
self.logger.info('KDC Minimum Password age was changed from %s to %s' % (old_val, val))
self.logger.info('KDC Minimum Password age was changed from %s to %s' \
% (old_val, val))
self.gp_db.store(str(self), self.attribute, old_val)
self.ldb.set_minPwdAge(val)
def ch_maxPwdAge(self, val):
old_val = self.ldb.get_maxPwdAge()
self.logger.info('KDC Maximum Password age was changed from %s to %s' % (old_val, val))
self.logger.info('KDC Maximum Password age was changed from %s to %s' \
% (old_val, val))
self.gp_db.store(str(self), self.attribute, old_val)
self.ldb.set_maxPwdAge(val)
def ch_minPwdLength(self, val):
old_val = self.ldb.get_minPwdLength()
self.logger.info('KDC Minimum Password length was changed from %s to %s' % (old_val, val))
self.logger.info(
'KDC Minimum Password length was changed from %s to %s' \
% (old_val, val))
self.gp_db.store(str(self), self.attribute, old_val)
self.ldb.set_minPwdLength(val)
def ch_pwdProperties(self, val):
old_val = self.ldb.get_pwdProperties()
self.logger.info('KDC Password Properties were changed from %s to %s' % (old_val, val))
self.logger.info('KDC Password Properties were changed from %s to %s' \
% (old_val, val))
self.gp_db.store(str(self), self.attribute, old_val)
self.ldb.set_pwdProperties(val)
@ -373,7 +396,8 @@ class inf_to_ldb(inf_to):
'''ldap value : samba setter'''
return { "minPwdAge" : (self.ch_minPwdAge, self.days2rel_nttime),
"maxPwdAge" : (self.ch_maxPwdAge, self.days2rel_nttime),
# Could be none, but I like the method assignment in update_samba
# Could be none, but I like the method assignment in
# update_samba
"minPwdLength" : (self.ch_minPwdLength, self.explicit),
"pwdProperties" : (self.ch_pwdProperties, self.explicit),
@ -398,7 +422,8 @@ class gp_sec_ext(gp_ext):
return "Security GPO extension"
def list(self, rootpath):
return os.path.join(rootpath, "MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf")
return os.path.join(rootpath,
"MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf")
def listmachpol(self, rootpath):
return os.path.join(rootpath, "Machine/Registry.pol")
@ -407,14 +432,27 @@ class gp_sec_ext(gp_ext):
return os.path.join(rootpath, "User/Registry.pol")
def apply_map(self):
return {"System Access": {"MinimumPasswordAge": ("minPwdAge", inf_to_ldb),
"MaximumPasswordAge": ("maxPwdAge", inf_to_ldb),
"MinimumPasswordLength": ("minPwdLength", inf_to_ldb),
"PasswordComplexity": ("pwdProperties", inf_to_ldb),
return {"System Access": {"MinimumPasswordAge": ("minPwdAge",
inf_to_ldb),
"MaximumPasswordAge": ("maxPwdAge",
inf_to_ldb),
"MinimumPasswordLength": ("minPwdLength",
inf_to_ldb),
"PasswordComplexity": ("pwdProperties",
inf_to_ldb),
},
"Kerberos Policy": {"MaxTicketAge": ("kdc:user_ticket_lifetime", inf_to_kdc_tdb),
"MaxServiceAge": ("kdc:service_ticket_lifetime", inf_to_kdc_tdb),
"MaxRenewAge": ("kdc:renewal_lifetime", inf_to_kdc_tdb),
"Kerberos Policy": {"MaxTicketAge": (
"kdc:user_ticket_lifetime",
inf_to_kdc_tdb
),
"MaxServiceAge": (
"kdc:service_ticket_lifetime",
inf_to_kdc_tdb
),
"MaxRenewAge": (
"kdc:renewal_lifetime",
inf_to_kdc_tdb
),
}
}
@ -447,7 +485,8 @@ class gp_sec_ext(gp_ext):
(att, setter) = current_section.get(key)
value = value.encode('ascii', 'ignore')
ret = True
setter(self.logger, self.ldb, self.gp_db, self.lp, att, value).update_samba()
setter(self.logger, self.ldb, self.gp_db, self.lp, att,
value).update_samba()
self.gp_db.commit()
return ret
@ -461,8 +500,10 @@ class gp_sec_ext(gp_ext):
try:
blist = afile.split('/')
idx = afile.lower().split('/').index('machine')
for case in [blist[idx].upper(), blist[idx].capitalize(), blist[idx].lower()]:
bfile = '/'.join(blist[:idx]) + '/' + case + '/' + '/'.join(blist[idx+1:])
for case in [blist[idx].upper(), blist[idx].capitalize(),
blist[idx].lower()]:
bfile = '/'.join(blist[:idx]) + '/' + case + '/' + \
'/'.join(blist[idx+1:])
try:
return self.read_inf(bfile, conn)
except NTSTATUSError:

10
source4/scripting/bin/samba_gpoupdate
View File

@ -64,8 +64,9 @@ def apply_gp(lp, creds, test_ldb, logger, store, gp_extensions):
guid = gpo_obj.name
if guid == 'Local Policy':
continue
local_path = os.path.join(lp.get('realm').lower(), 'Policies', guid)
version = int(gpo.gpo_get_sysvol_gpt_version(os.path.join(lp.get("path", "sysvol"), local_path))[1])
path = os.path.join(lp.get('realm').lower(), 'Policies', guid)
local_path = os.path.join(lp.get("path", "sysvol"), path)
version = int(gpo.gpo_get_sysvol_gpt_version(local_path)[1])
if version != store.get_int(guid):
logger.info('GPO %s has changed' % guid)
gp_db.state(GPOSTATE.APPLY)
@ -75,7 +76,7 @@ def apply_gp(lp, creds, test_ldb, logger, store, gp_extensions):
store.start()
try:
for ext in gp_extensions:
ext.parse(ext.list(local_path), test_ldb, conn, gp_db, lp)
ext.parse(ext.list(path), test_ldb, conn, gp_db, lp)
except:
logger.error('Failed to parse gpo %s' % guid)
store.cancel()
@ -112,7 +113,8 @@ if __name__ == "__main__":
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option('-H', '--url', dest='url', help='URL for the samdb')
parser.add_option('-X', '--unapply', help='Unapply Group Policy', action='store_true')
parser.add_option('-X', '--unapply', help='Unapply Group Policy',
action='store_true')
parser.add_option_group(credopts)
# Set the options and the arguments

56
source4/torture/gpo/apply.c
View File

@ -32,7 +32,8 @@ struct torture_suite *gpo_apply_suite(TALLOC_CTX *ctx)
{
struct torture_suite *suite = torture_suite_create(ctx, "apply");
torture_suite_add_simple_test(suite, "gpo_param_from_gpo", torture_gpo_system_access_policies);
torture_suite_add_simple_test(suite, "gpo_param_from_gpo",
torture_gpo_system_access_policies);
suite->description = talloc_strdup(suite, "Group Policy apply tests");
@ -64,7 +65,9 @@ static int unix2nttime(char *sval)
return (strtoll(sval, NULL, 10) * -1 / 60 / 60 / 24 / 10000000);
}
#define GPODIR "addom.samba.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit"
#define GPODIR "addom.samba.example.com/Policies/"\
"{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/"\
"Windows NT/SecEdit"
#define GPOFILE "GptTmpl.inf"
#define GPTTMPL "[System Access]\n\
MinimumPasswordAge = %d\n\
@ -72,12 +75,14 @@ MaximumPasswordAge = %d\n\
MinimumPasswordLength = %d\n\
PasswordComplexity = %d\n\
"
#define GPTINI "addom.samba.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI"
#define GPTINI "addom.samba.example.com/Policies/"\
"{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI"
bool torture_gpo_system_access_policies(struct torture_context *tctx)
{
int ret, vers = 0, i;
const char *sysvol_path = NULL, *gpo_dir = NULL, *gpo_file = NULL, *gpt_file = NULL;
const char *sysvol_path = NULL, *gpo_dir = NULL;
const char *gpo_file = NULL, *gpt_file = NULL;
struct ldb_context *samdb = NULL;
struct ldb_result *result;
const char *attrs[] = {
@ -96,7 +101,8 @@ bool torture_gpo_system_access_policies(struct torture_context *tctx)
int pwdpropcases[] = { 0, 1, 1 };
struct ldb_message *old_message = NULL;
sysvol_path = lpcfg_path(lpcfg_service(tctx->lp_ctx, "sysvol"), lpcfg_default_service(tctx->lp_ctx), tctx);
sysvol_path = lpcfg_path(lpcfg_service(tctx->lp_ctx, "sysvol"),
lpcfg_default_service(tctx->lp_ctx), tctx);
torture_assert(tctx, sysvol_path, "Failed to fetch the sysvol path");
/* Ensure the sysvol path exists */
@ -106,21 +112,27 @@ bool torture_gpo_system_access_policies(struct torture_context *tctx)
/* Get the gpo update command */
gpo_update_cmd = lpcfg_gpo_update_command(tctx->lp_ctx);
torture_assert(tctx, gpo_update_cmd && gpo_update_cmd[0], "Failed to fetch the gpo update command");
torture_assert(tctx, gpo_update_cmd && gpo_update_cmd[0],
"Failed to fetch the gpo update command");
/* Open and read the samba db and store the initial password settings */
samdb = samdb_connect(tctx, tctx->ev, tctx->lp_ctx, system_session(tctx->lp_ctx), 0);
samdb = samdb_connect(tctx, tctx->ev, tctx->lp_ctx,
system_session(tctx->lp_ctx), 0);
torture_assert(tctx, samdb, "Failed to connect to the samdb");
ret = ldb_search(samdb, tctx, &result, ldb_get_default_basedn(samdb), LDB_SCOPE_BASE, attrs, NULL);
torture_assert(tctx, ret == LDB_SUCCESS && result->count == 1, "Searching the samdb failed");
ret = ldb_search(samdb, tctx, &result, ldb_get_default_basedn(samdb),
LDB_SCOPE_BASE, attrs, NULL);
torture_assert(tctx, ret == LDB_SUCCESS && result->count == 1,
"Searching the samdb failed");
old_message = result->msgs[0];
for (i = 0; i < 3; i++) {
/* Write out the sysvol */
if ( (fp = fopen(gpo_file, "w")) ) {
fputs(talloc_asprintf(tctx, GPTTMPL, minpwdcases[i], maxpwdcases[i], pwdlencases[i], pwdpropcases[i]), fp);
fputs(talloc_asprintf(tctx, GPTTMPL, minpwdcases[i],
maxpwdcases[i], pwdlencases[i],
pwdpropcases[i]), fp);
fclose(fp);
}
@ -137,33 +149,41 @@ bool torture_gpo_system_access_policies(struct torture_context *tctx)
fclose(fp);
}
if ( (fp = fopen(gpt_file, "w")) ) {
char *data = talloc_asprintf(tctx, "[General]\nVersion=%d\n", ++vers);
char *data = talloc_asprintf(tctx, "[General]\nVersion=%d\n",
++vers);
fputs(data, fp);
fclose(fp);
}
/* Run the gpo update command */
ret = exec_wait(gpo_update_cmd);
torture_assert(tctx, ret == 0, "Failed to execute the gpo update command");
torture_assert(tctx, ret == 0,
"Failed to execute the gpo update command");
ret = ldb_search(samdb, tctx, &result, ldb_get_default_basedn(samdb), LDB_SCOPE_BASE, attrs, NULL);
torture_assert(tctx, ret == LDB_SUCCESS && result->count == 1, "Searching the samdb failed");
ret = ldb_search(samdb, tctx, &result, ldb_get_default_basedn(samdb),
LDB_SCOPE_BASE, attrs, NULL);
torture_assert(tctx, ret == LDB_SUCCESS && result->count == 1,
"Searching the samdb failed");
/* minPwdAge */
val = ldb_msg_find_ldb_val(result->msgs[0], attrs[0]);
torture_assert(tctx, unix2nttime((char*)val->data) == minpwdcases[i], "The minPwdAge was not applied");
torture_assert(tctx, unix2nttime((char*)val->data) == minpwdcases[i],
"The minPwdAge was not applied");
/* maxPwdAge */
val = ldb_msg_find_ldb_val(result->msgs[0], attrs[1]);
torture_assert(tctx, unix2nttime((char*)val->data) == maxpwdcases[i], "The maxPwdAge was not applied");
torture_assert(tctx, unix2nttime((char*)val->data) == maxpwdcases[i],
"The maxPwdAge was not applied");
/* minPwdLength */
val = ldb_msg_find_ldb_val(result->msgs[0], attrs[2]);
torture_assert(tctx, atoi((char*)val->data) == pwdlencases[i], "The minPwdLength was not applied");
torture_assert(tctx, atoi((char*)val->data) == pwdlencases[i],
"The minPwdLength was not applied");
/* pwdProperties */
val = ldb_msg_find_ldb_val(result->msgs[0], attrs[3]);
torture_assert(tctx, atoi((char*)val->data) == pwdpropcases[i], "The pwdProperties were not applied");
torture_assert(tctx, atoi((char*)val->data) == pwdpropcases[i],
"The pwdProperties were not applied");
}
for (i = 0; i < old_message->num_elements; i++) {