mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
tests: user: create gmsa with models
It was fetching the GMSA with the models straight after creating it anyway. Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
ea3838b6bc
commit
87cf1a2937
@ -33,12 +33,10 @@ from ldb import SCOPE_BASE
|
||||
|
||||
from samba.credentials import MUST_USE_KERBEROS
|
||||
from samba.dcerpc import samr, security
|
||||
from samba.domain.models import User
|
||||
from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT
|
||||
from samba.ndr import ndr_pack, ndr_unpack
|
||||
from samba.domain.models import GroupManagedServiceAccount, User
|
||||
from samba.ndr import ndr_unpack
|
||||
from samba.nt_time import nt_time_from_datetime
|
||||
from samba.tests import (BlackboxTestCase, connect_samdb, connect_samdb_env,
|
||||
delete_force)
|
||||
from samba.tests import BlackboxTestCase, connect_samdb
|
||||
|
||||
DC_SERVER = os.environ["SERVER"]
|
||||
SERVER = os.environ["SERVER"]
|
||||
@ -65,34 +63,18 @@ class GMSAPasswordTest(BlackboxTestCase):
|
||||
|
||||
@classmethod
|
||||
def setUpTestData(cls):
|
||||
cls.username = "GMSA_Test_User$"
|
||||
cls.base_dn = f"CN=Managed Service Accounts,{cls.samdb.domain_dn()}"
|
||||
cls.user_dn = f"CN={cls.username},{cls.base_dn}"
|
||||
cls.gmsa = GroupManagedServiceAccount.create(
|
||||
cls.samdb,
|
||||
name="GMSA_Test_User",
|
||||
dns_host_name="samba.example.com",
|
||||
managed_password_interval=1,
|
||||
group_msa_membership=f"O:SYD:(A;;RP;;;{cls.samdb.connecting_user_sid})")
|
||||
|
||||
connecting_user_sid = cls.samdb.connecting_user_sid
|
||||
|
||||
domain_sid = security.dom_sid(cls.samdb.domain_sid)
|
||||
allow_sddl = f"O:SYD:(A;;RP;;;{connecting_user_sid})"
|
||||
allow_sd = ndr_pack(security.descriptor.from_sddl(allow_sddl, domain_sid))
|
||||
|
||||
details = {
|
||||
"dn": str(cls.user_dn),
|
||||
"objectClass": "msDS-GroupManagedServiceAccount",
|
||||
"dNSHostName": "samba.example.com",
|
||||
"msDS-ManagedPasswordInterval": "1",
|
||||
"msDS-GroupMSAMembership": allow_sd,
|
||||
"sAMAccountName": cls.username,
|
||||
"userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT),
|
||||
}
|
||||
|
||||
cls.samdb.add(details)
|
||||
cls.addClassCleanup(delete_force, cls.samdb, cls.user_dn)
|
||||
|
||||
cls.user = User.get(cls.samdb, account_name=cls.username)
|
||||
cls.addClassCleanup(cls.gmsa.delete, cls.samdb)
|
||||
|
||||
def getpassword(self, attrs):
|
||||
shattrs = shlex.quote(attrs)
|
||||
cmd = f"user getpassword --attributes={shattrs} {self.username}"
|
||||
cmd = f"user getpassword --attributes={shattrs} {self.gmsa.account_name}"
|
||||
|
||||
ldif = self.check_output(cmd).decode()
|
||||
res = self.samdb.parse_ldif(ldif)
|
||||
@ -114,14 +96,14 @@ class GMSAPasswordTest(BlackboxTestCase):
|
||||
password = user_msg["virtualClearTextUTF16"][0]
|
||||
|
||||
creds = self.insta_creds(template=self.env_creds)
|
||||
creds.set_username(self.username)
|
||||
creds.set_username(self.gmsa.account_name)
|
||||
creds.set_utf16_password(password)
|
||||
db = connect_samdb(HOST, credentials=creds, lp=self.lp)
|
||||
|
||||
msg = db.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0]
|
||||
connecting_user_sid = str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
|
||||
|
||||
self.assertEqual(self.user.object_sid, connecting_user_sid)
|
||||
self.assertEqual(self.gmsa.object_sid, connecting_user_sid)
|
||||
|
||||
def test_utf8_password(self):
|
||||
user_msg = self.getpassword("virtualClearTextUTF8")
|
||||
@ -132,20 +114,20 @@ class GMSAPasswordTest(BlackboxTestCase):
|
||||
# the nthash is no longer valid. We need to use AES kerberos ciphers
|
||||
# for this to work.
|
||||
creds.set_kerberos_state(MUST_USE_KERBEROS)
|
||||
creds.set_username(self.username)
|
||||
creds.set_username(self.gmsa.account_name)
|
||||
creds.set_password(password)
|
||||
db = connect_samdb(HOST, credentials=creds, lp=self.lp)
|
||||
|
||||
msg = db.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0]
|
||||
connecting_user_sid = str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
|
||||
|
||||
self.assertEqual(self.user.object_sid, connecting_user_sid)
|
||||
self.assertEqual(self.gmsa.object_sid, connecting_user_sid)
|
||||
|
||||
def test_unicode_pwd(self):
|
||||
user_msg = self.getpassword("unicodePwd")
|
||||
|
||||
creds = self.insta_creds(template=self.env_creds)
|
||||
creds.set_username(self.username)
|
||||
creds.set_username(self.gmsa.account_name)
|
||||
nt_pass = samr.Password()
|
||||
nt_pass.hash = list(user_msg["unicodePwd"][0])
|
||||
creds.set_nt_hash(nt_pass)
|
||||
@ -154,7 +136,7 @@ class GMSAPasswordTest(BlackboxTestCase):
|
||||
msg = db.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0]
|
||||
connecting_user_sid = str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
|
||||
|
||||
self.assertEqual(self.user.object_sid, connecting_user_sid)
|
||||
self.assertEqual(self.gmsa.object_sid, connecting_user_sid)
|
||||
|
||||
def test_querytime(self):
|
||||
user_msg = self.getpassword("virtualManagedPasswordQueryTime")
|
||||
|
Loading…
Reference in New Issue
Block a user