1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

tests: user: create gmsa with models

It was fetching the GMSA with the models straight after creating it anyway.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Rob van der Linde 2024-03-05 16:39:33 +13:00 committed by Andrew Bartlett
parent ea3838b6bc
commit 87cf1a2937

View File

@ -33,12 +33,10 @@ from ldb import SCOPE_BASE
from samba.credentials import MUST_USE_KERBEROS
from samba.dcerpc import samr, security
from samba.domain.models import User
from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT
from samba.ndr import ndr_pack, ndr_unpack
from samba.domain.models import GroupManagedServiceAccount, User
from samba.ndr import ndr_unpack
from samba.nt_time import nt_time_from_datetime
from samba.tests import (BlackboxTestCase, connect_samdb, connect_samdb_env,
delete_force)
from samba.tests import BlackboxTestCase, connect_samdb
DC_SERVER = os.environ["SERVER"]
SERVER = os.environ["SERVER"]
@ -65,34 +63,18 @@ class GMSAPasswordTest(BlackboxTestCase):
@classmethod
def setUpTestData(cls):
cls.username = "GMSA_Test_User$"
cls.base_dn = f"CN=Managed Service Accounts,{cls.samdb.domain_dn()}"
cls.user_dn = f"CN={cls.username},{cls.base_dn}"
cls.gmsa = GroupManagedServiceAccount.create(
cls.samdb,
name="GMSA_Test_User",
dns_host_name="samba.example.com",
managed_password_interval=1,
group_msa_membership=f"O:SYD:(A;;RP;;;{cls.samdb.connecting_user_sid})")
connecting_user_sid = cls.samdb.connecting_user_sid
domain_sid = security.dom_sid(cls.samdb.domain_sid)
allow_sddl = f"O:SYD:(A;;RP;;;{connecting_user_sid})"
allow_sd = ndr_pack(security.descriptor.from_sddl(allow_sddl, domain_sid))
details = {
"dn": str(cls.user_dn),
"objectClass": "msDS-GroupManagedServiceAccount",
"dNSHostName": "samba.example.com",
"msDS-ManagedPasswordInterval": "1",
"msDS-GroupMSAMembership": allow_sd,
"sAMAccountName": cls.username,
"userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT),
}
cls.samdb.add(details)
cls.addClassCleanup(delete_force, cls.samdb, cls.user_dn)
cls.user = User.get(cls.samdb, account_name=cls.username)
cls.addClassCleanup(cls.gmsa.delete, cls.samdb)
def getpassword(self, attrs):
shattrs = shlex.quote(attrs)
cmd = f"user getpassword --attributes={shattrs} {self.username}"
cmd = f"user getpassword --attributes={shattrs} {self.gmsa.account_name}"
ldif = self.check_output(cmd).decode()
res = self.samdb.parse_ldif(ldif)
@ -114,14 +96,14 @@ class GMSAPasswordTest(BlackboxTestCase):
password = user_msg["virtualClearTextUTF16"][0]
creds = self.insta_creds(template=self.env_creds)
creds.set_username(self.username)
creds.set_username(self.gmsa.account_name)
creds.set_utf16_password(password)
db = connect_samdb(HOST, credentials=creds, lp=self.lp)
msg = db.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0]
connecting_user_sid = str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
self.assertEqual(self.user.object_sid, connecting_user_sid)
self.assertEqual(self.gmsa.object_sid, connecting_user_sid)
def test_utf8_password(self):
user_msg = self.getpassword("virtualClearTextUTF8")
@ -132,20 +114,20 @@ class GMSAPasswordTest(BlackboxTestCase):
# the nthash is no longer valid. We need to use AES kerberos ciphers
# for this to work.
creds.set_kerberos_state(MUST_USE_KERBEROS)
creds.set_username(self.username)
creds.set_username(self.gmsa.account_name)
creds.set_password(password)
db = connect_samdb(HOST, credentials=creds, lp=self.lp)
msg = db.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0]
connecting_user_sid = str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
self.assertEqual(self.user.object_sid, connecting_user_sid)
self.assertEqual(self.gmsa.object_sid, connecting_user_sid)
def test_unicode_pwd(self):
user_msg = self.getpassword("unicodePwd")
creds = self.insta_creds(template=self.env_creds)
creds.set_username(self.username)
creds.set_username(self.gmsa.account_name)
nt_pass = samr.Password()
nt_pass.hash = list(user_msg["unicodePwd"][0])
creds.set_nt_hash(nt_pass)
@ -154,7 +136,7 @@ class GMSAPasswordTest(BlackboxTestCase):
msg = db.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0]
connecting_user_sid = str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
self.assertEqual(self.user.object_sid, connecting_user_sid)
self.assertEqual(self.gmsa.object_sid, connecting_user_sid)
def test_querytime(self):
user_msg = self.getpassword("virtualManagedPasswordQueryTime")