From aca7b7b44b7d19ea9b0508cdbd0d4e16cb538899 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9as=20Leroux?=
Date: Wed, 25 Sep 2024 14:42:25 +0200
Subject: [PATCH] netcmd:domain:policy: Fix missing conversion from tgt_lifetime minutes to 10^(-7) seconds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15692
Signed-off-by: Andréas Leroux
Reviewed-by: Douglas Bagnall
Reviewed-by: Jennifer Sutton
Autobuild-User(master): Douglas Bagnall
Autobuild-Date(master): Fri Oct 4 04:01:22 UTC 2024 on atb-devel-224
(cherry picked from commit 3766b6a126f659a43e2e36c66689c136fc22dbc4)
---
 .../samba/netcmd/domain/auth/policy/policy.py | 18 ++++++++++++------
 .../tests/samba_tool/domain_auth_policy.py | 19 +++++++++++++------
 2 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/python/samba/netcmd/domain/auth/policy/policy.py b/python/samba/netcmd/domain/auth/policy/policy.py
index 207aa33c8d3..a1552c20fc5 100644
--- a/python/samba/netcmd/domain/auth/policy/policy.py
+++ b/python/samba/netcmd/domain/auth/policy/policy.py
@@ -26,7 +26,13 @@ from samba.domain.models import (MAX_TGT_LIFETIME, MIN_TGT_LIFETIME,
 from samba.domain.models.exceptions import ModelError
 from samba.netcmd import Command, CommandError, Option
 from samba.netcmd.validators import Range
+from samba.nt_time import NT_TICKS_PER_SEC
+def mins_to_tgt_lifetime(minutes):
+ """Convert minutes to the tgt_lifetime attributes unit which is 10^-7 seconds"""
+ if minutes is not None:
+ return minutes * 60 * NT_TICKS_PER_SEC
+ return minutes
 class UserOptions(options.OptionGroup):
 """User options used by policy create and policy modify commands."""
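Review bot: `mins_to_tgt_lifetime` multiplies its argument by `60 * NT_TICKS_PER_SEC` with no check that the product still fits the attribute it is written to. The `Range` validator imported just above presumably bounds the option in minutes via `MIN_TGT_LIFETIME`/`MAX_TGT_LIFETIME`, but their values and the option definitions are outside this hunk, so it is worth confirming that `MAX_TGT_LIFETIME * 60 * NT_TICKS_PER_SEC` stays inside the signed 64-bit range of the large-integer msDS-*TGTLifetime attributes. The docstring could also name the unit and the pass-through case, e.g. `"""Convert minutes to the tgt_lifetime attribute unit of 100 ns ticks (10^-7 seconds); None is returned unchanged."""`.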
@@ -238,14 +244,14 @@ class cmd_domain_auth_policy_create(Command):
 description=description,
 strong_ntlm_policy=StrongNTLMPolicy[strong_ntlm_policy.upper()],
 user_allow_ntlm_auth=useropts.allow_ntlm_auth,
- user_tgt_lifetime=useropts.tgt_lifetime,
+ user_tgt_lifetime=mins_to_tgt_lifetime(useropts.tgt_lifetime),
 user_allowed_to_authenticate_from=useropts.allowed_to_authenticate_from,
 user_allowed_to_authenticate_to=useropts.allowed_to_authenticate_to,
 service_allow_ntlm_auth=serviceopts.allow_ntlm_auth,
- service_tgt_lifetime=serviceopts.tgt_lifetime,
+ service_tgt_lifetime=mins_to_tgt_lifetime(serviceopts.tgt_lifetime),
 service_allowed_to_authenticate_from=serviceopts.allowed_to_authenticate_from,
 service_allowed_to_authenticate_to=serviceopts.allowed_to_authenticate_to,
- computer_tgt_lifetime=computeropts.tgt_lifetime,
+ computer_tgt_lifetime=mins_to_tgt_lifetime(computeropts.tgt_lifetime),
 computer_allowed_to_authenticate_to=computeropts.allowed_to_authenticate_to,
 )
@@ -346,7 +352,7 @@ class cmd_domain_auth_policy_modify(Command):
 StrongNTLMPolicy[strong_ntlm_policy.upper()]
 if useropts.tgt_lifetime is not None:
- policy.user_tgt_lifetime = useropts.tgt_lifetime
+ policy.user_tgt_lifetime = mins_to_tgt_lifetime(useropts.tgt_lifetime)
 if useropts.allowed_to_authenticate_from is not None:
 policy.user_allowed_to_authenticate_from = \
@@ -360,7 +366,7 @@ class cmd_domain_auth_policy_modify(Command):
 ##################
 if serviceopts.tgt_lifetime is not None:
- policy.service_tgt_lifetime = serviceopts.tgt_lifetime
+ policy.service_tgt_lifetime = mins_to_tgt_lifetime(serviceopts.tgt_lifetime)
 if serviceopts.allowed_to_authenticate_from is not None:
 policy.service_allowed_to_authenticate_from = \
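Review bot: Policies written by the previous code keep their unconverted value, and nothing in the create or modify paths detects or repairs them. The removed lines in this hunk stored `useropts.tgt_lifetime` (minutes) directly in `user_tgt_lifetime`, `service_tgt_lifetime` and `computer_tgt_lifetime`, so a policy created earlier with 60 still holds 60, which any consumer reading the attribute in 10^-7 second units would treat as a far shorter ticket lifetime than the administrator intended. The modify hunks at -346, -360 and -374 rewrite a field only when the option is passed again, so the fix should come with a release note telling administrators to re-apply their TGT lifetimes, or at least a comment near these assignments such as `# stored in 100 ns ticks; values written before bug 15692 were raw minutes`. Whether the view/list output converts the stored value back to minutes cannot be seen from this diff.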
@@ -374,7 +380,7 @@ class cmd_domain_auth_policy_modify(Command):
 ###########
 if computeropts.tgt_lifetime is not None:
- policy.computer_tgt_lifetime = computeropts.tgt_lifetime
+ policy.computer_tgt_lifetime = mins_to_tgt_lifetime(computeropts.tgt_lifetime)
 if computeropts.allowed_to_authenticate_to is not None:
 policy.computer_allowed_to_authenticate_to = \
diff --git a/python/samba/tests/samba_tool/domain_auth_policy.py b/python/samba/tests/samba_tool/domain_auth_policy.py
index 864979608ea..d5fa295ecd1 100644
--- a/python/samba/tests/samba_tool/domain_auth_policy.py
+++ b/python/samba/tests/samba_tool/domain_auth_policy.py
@@ -27,12 +27,19 @@ from unittest.mock import patch
 from samba.dcerpc import security
 from samba.domain.models.exceptions import ModelError
 from samba.ndr import ndr_pack, ndr_unpack
+from samba.nt_time import NT_TICKS_PER_SEC
 from samba.samdb import SamDB
 from samba.sd_utils import SDUtils
 from .silo_base import SiloTest
+def mins_to_tgt_lifetime(minutes):
+ """Convert minutes to the tgt_lifetime attributes unit which is 10^-7 seconds"""
+ if minutes is not None:
+ return minutes * 60 * NT_TICKS_PER_SEC
+ return minutes
+
 class AuthPolicyCmdTestCase(SiloTest):
 def test_list(self):
@@ -135,7 +142,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 # Check policy fields.
 policy = self.get_authentication_policy(name)
 self.assertEqual(str(policy["cn"]), name)
- self.assertEqual(str(policy["msDS-UserTGTLifetime"]), "60")
+ self.assertEqual(str(policy["msDS-UserTGTLifetime"]), str(mins_to_tgt_lifetime(60)))
 # check lower bounds (45)
 result, out, err = self.runcmd("domain", "auth", "policy", "create",
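Review bot: The test module defines its own copy of `mins_to_tgt_lifetime`, so the updated assertions compute the expected value with the same formula as the code under test and would still pass if the factor were wrong in both places. Pinning the stored value as a literal makes the unit explicit, e.g. `self.assertEqual(str(policy["msDS-UserTGTLifetime"]), "36000000000")` for 60 minutes (60 × 60 × 10^7) and `"72000000000"` for 120 minutes. The same applies to the assertions in the hunks at -169, -203, -644, -680 and -716. If a helper is kept for readability, importing it from `samba.netcmd.domain.auth.policy.policy` would at least stop the two definitions drifting apart.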
@@ -169,7 +176,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 # Check policy fields.
 policy = self.get_authentication_policy(name)
 self.assertEqual(str(policy["cn"]), name)
- self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), "60")
+ self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), str(mins_to_tgt_lifetime(60)))
 # check lower bounds (45)
 result, out, err = self.runcmd("domain", "auth", "policy", "create",
@@ -203,7 +210,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 # Check policy fields.
 policy = self.get_authentication_policy(name)
 self.assertEqual(str(policy["cn"]), name)
- self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), "60")
+ self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), str(mins_to_tgt_lifetime(60)))
 # check lower bounds (45)
 result, out, err = self.runcmd("domain", "auth", "policy", "create",
@@ -644,7 +651,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 # Verify field was changed.
 policy = self.get_authentication_policy(name)
- self.assertEqual(str(policy["msDS-UserTGTLifetime"]), "120")
+ self.assertEqual(str(policy["msDS-UserTGTLifetime"]), str(mins_to_tgt_lifetime(120)))
 # check lower bounds (45)
 result, out, err = self.runcmd("domain", "auth", "policy", "modify",
@@ -680,7 +687,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 # Verify field was changed.
 policy = self.get_authentication_policy(name)
- self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), "120")
+ self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), str(mins_to_tgt_lifetime(120)))
 # check lower bounds (45)
 result, out, err = self.runcmd("domain", "auth", "policy", "modify",
@@ -716,7 +723,7 @@ class AuthPolicyCmdTestCase(SiloTest):
 # Verify field was changed.
 policy = self.get_authentication_policy(name)
- self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), "120")
+ self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), str(mins_to_tgt_lifetime(120)))
 # check lower bounds (45)
 result, out, err = self.runcmd("domain", "auth", "policy", "modify",