From ad98c0e1755e3fdc6efd8551590c1781b318a04f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 10 Dec 2014 15:54:11 +1300
Subject: [PATCH] dsdb-tests: Show that we can not change the primaryGroupID of a DC
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
Signed-off-by: Garming Sam
Pair-programmed-with: Garming Sam
Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
---
 .../dsdb/tests/python/user_account_control.py | 110 ++++++++++++++++++
 1 file changed, 110 insertions(+)
diff --git a/source4/dsdb/tests/python/user_account_control.py b/source4/dsdb/tests/python/user_account_control.py
index 69108835096..be50385f703 100644
--- a/source4/dsdb/tests/python/user_account_control.py
+++ b/source4/dsdb/tests/python/user_account_control.py
@@ -520,6 +520,116 @@ class UserAccountControlTests(samba.tests.TestCase):
 else:
 self.fail("Unable to set userAccountControl bit 0x%08X on %s: %s" % (bit, computername, estr))
+ def test_primarygroupID_cc_add(self):
+ computername=self.computernames[0]
+
+ user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
+ mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
+
+ old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)
+
+ self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)
+ try:
+ # When creating a new object, you can not ever set the primaryGroupID
+ self.add_computer_ldap(computername, others={"primaryGroupID": [str(security.DOMAIN_RID_ADMINS)]})
+ self.fail("Unexpectedly able to set primaryGruopID to be an admin on %s" % computername)
+ except LdbError, (enum, estr):
+ self.assertEqual(enum, ldb.ERR_UNWILLING_TO_PERFORM)
+
+
+ def test_primarygroupID_priv_DC_modify(self):
+ computername=self.computernames[0]
+
+ self.add_computer_ldap(computername,
+ others={"userAccountControl": [str(UF_SERVER_TRUST_ACCOUNT)]},
+ samdb=self.admin_samdb)
+ res = self.admin_samdb.search("%s" % self.base_dn,
+ expression="(&(objectClass=computer)(samAccountName=%s$))" % computername,
+ scope=SCOPE_SUBTREE,
+ attrs=[""])
+
+
+ m = ldb.Message()
+ m.dn = ldb.Dn(self.admin_samdb, "" % (str(self.domain_sid),
+ security.DOMAIN_RID_USERS))
+ m["member"]= ldb.MessageElement(
+ [str(res[0].dn)], ldb.FLAG_MOD_ADD,
+ "member")
+ self.admin_samdb.modify(m)
+
+ m = ldb.Message()
+ m.dn = res[0].dn
+ m["primaryGroupID"]= ldb.MessageElement(
+ [str(security.DOMAIN_RID_USERS)], ldb.FLAG_MOD_REPLACE,
+ "primaryGroupID")
+ try:
+ self.admin_samdb.modify(m)
+
+ # When creating a new object, you can not ever set the primaryGroupID
+ self.fail("Unexpectedly able to set primaryGroupID to be other than DCS on %s" % computername)
+ except LdbError, (enum, estr):
+ self.assertEqual(enum, ldb.ERR_UNWILLING_TO_PERFORM)
+
+ def test_primarygroupID_priv_member_modify(self):
+ computername=self.computernames[0]
+
+ self.add_computer_ldap(computername,
+ others={"userAccountControl": [str(UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT)]},
+ samdb=self.admin_samdb)
+ res = self.admin_samdb.search("%s" % self.base_dn,
+ expression="(&(objectClass=computer)(samAccountName=%s$))" % computername,
+ scope=SCOPE_SUBTREE,
+ attrs=[""])
+
+
+ m = ldb.Message()
+ m.dn = ldb.Dn(self.admin_samdb, "" % (str(self.domain_sid),
+ security.DOMAIN_RID_USERS))
+ m["member"]= ldb.MessageElement(
+ [str(res[0].dn)], ldb.FLAG_MOD_ADD,
+ "member")
+ self.admin_samdb.modify(m)
+
+ m = ldb.Message()
+ m.dn = res[0].dn
+ m["primaryGroupID"]= ldb.MessageElement(
+ [str(security.DOMAIN_RID_USERS)], ldb.FLAG_MOD_REPLACE,
+ "primaryGroupID")
+ try:
+ self.admin_samdb.modify(m)
+
+ # When creating a new object, you can not ever set the primaryGroupID
+ self.fail("Unexpectedly able to set primaryGroupID to be other than DCS on %s" % computername)
+ except LdbError, (enum, estr):
+ self.assertEqual(enum, ldb.ERR_UNWILLING_TO_PERFORM)
+
+
+ def test_primarygroupID_priv_user_modify(self):
+ computername=self.computernames[0]
+
+ self.add_computer_ldap(computername,
+ others={"userAccountControl": [str(UF_WORKSTATION_TRUST_ACCOUNT)]},
+ samdb=self.admin_samdb)
+ res = self.admin_samdb.search("%s" % self.base_dn,
+ expression="(&(objectClass=computer)(samAccountName=%s$))" % computername,
+ scope=SCOPE_SUBTREE,
+ attrs=[""])
+
+
+ m = ldb.Message()
+ m.dn = ldb.Dn(self.admin_samdb, "" % (str(self.domain_sid),
+ security.DOMAIN_RID_ADMINS))
+ m["member"]= ldb.MessageElement(
+ [str(res[0].dn)], ldb.FLAG_MOD_ADD,
+ "member")
+ self.admin_samdb.modify(m)
+
+ m = ldb.Message()
+ m.dn = res[0].dn
+ m["primaryGroupID"]= ldb.MessageElement(
+ [str(security.DOMAIN_RID_ADMINS)], ldb.FLAG_MOD_REPLACE,
+ "primaryGroupID")
+ self.admin_samdb.modify(m)
 runner = SubunitTestRunner()
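Review bot: test_primarygroupID_priv_user_modify ends at its final `self.admin_samdb.modify(m)` without checking the outcome, so it only shows the write did not raise; re-read the object and pin the value the test name promises, e.g. `res = self.admin_samdb.search(res[0].dn, scope=SCOPE_SUBTREE, attrs=["primaryGroupID"])` followed by `self.assertEqual(str(res[0]["primaryGroupID"][0]), str(security.DOMAIN_RID_ADMINS))`. In test_primarygroupID_cc_add the `old_sd` read from OU=test_computer_ou1 is never used and the CC ACE granted to the unprivileged user is not removed, so unless tearDown resets that OU the grant persists into later tests — wrap the add attempt in `try/finally` and write the saved descriptor back. The comment `# When creating a new object, you can not ever set the primaryGroupID` and the failure text "other than DCS" were carried from the add and DC cases into test_primarygroupID_priv_DC_modify and test_primarygroupID_priv_member_modify, where the object already exists and, in the member case, is a workstation account with UF_PARTIAL_SECRETS_ACCOUNT rather than a DC; reword both to describe the modify being rejected, and fix `primaryGruopID` in the add test's fail message. The `ldb.Dn(self.admin_samdb, "" % (str(self.domain_sid), ...))` calls would raise TypeError as printed here (two arguments for an empty format string); this looks like an extended-DN template of the `<SID=...>` form lost when the patch was rendered, so confirm against the real source rather than this page.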