1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

5077 Commits

Author SHA1 Message Date
Jo Sutton
1f4e1c026d tests/krb5: Remove unused variable
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-16 03:58:31 +00:00
Jo Sutton
586c4ec718 tests/krb5: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-16 03:58:31 +00:00
Jo Sutton
5656fd2ff2 tests/krb5: Remove unused import
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-16 03:58:31 +00:00
Jo Sutton
4b6f65a4a2 python:tests: Fix typo
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-16 03:58:31 +00:00
Jo Sutton
5379956bd4 python:tests: Reformat code
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-16 03:58:31 +00:00
Jo Sutton
ae39a15b51 python:tests: Fix set declaration
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-16 03:58:31 +00:00
Jo Sutton
ea83bb84b9 python:tests: Replace deprecated method assertRaisesRegexp()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-16 03:58:31 +00:00
Andrew Bartlett
c9370d3ced selftest: Move some KDS root key tests around to prepare for gMSA server side
Once we have a gMSA server side the impact of deleting root keys becomes real
and so we must do this in a quiet place where it can not impact on other things.

Likewise, we want the samba.tests.dsdb_quiet_provision_tests tests to run
somewhere that is not doing other things, so we can see what a bare provision
will do.  We must not allow test ordering inside the file to cause tests that
create root keys to run before checking if provision created a usable root key.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-04-16 03:58:31 +00:00
Andrew Bartlett
bda4e1233a ldb: Add more segfault tests DN handling
- from_dict DN use-after-free
- check for the same directly creating the ldb.Message

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-04-10 05:13:32 +00:00
Douglas Bagnall
d38a9e93cf python:upgrade/upgradeprovision: use dn.copy to align ldbs
We need to do this when the dn is on a message from another ldb.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-10 05:13:32 +00:00
Douglas Bagnall
8bb6287c3b pytest:segfault: some more ldb crashes
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-10 05:13:32 +00:00
Andrew Bartlett
0bf80c10ca samba-tool domain backup: Use new ldb.disconnect() method to force-close files during backup
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-04-10 05:13:32 +00:00
Andrew Bartlett
ffbe623963 selftest: Add tests that demonstrate the issues with ldb use after free
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-04-10 05:13:32 +00:00
Douglas Bagnall
3ffc6c139b pytest:krb5/lockout: associate user DN with the ldb it is used with
LDB is soon going to object strongly to Python DNs that don't come from
the ldb that they are being used with, for memory safety reasons.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-10 05:13:32 +00:00
Andrew Bartlett
dbba6c22a4 auth/credentials: Read managed_password.passwords.query_interval only after parsing
The code previously read the uninitialised stack not the parsed
structure, and so could segfault if the stack was not zero.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr  9 23:59:54 UTC 2024 on atb-devel-224
2024-04-09 23:59:54 +00:00
Andrew Bartlett
005ce15aab python/samba/tests: Fix gMSA blackbox test to expect failure to get password after membership change
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-04-09 22:52:38 +00:00
Andreas Schneider
2d60d1b96a python: Use OpenPolicyFallback() in trust.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
859e7f8c5f python: Implement CreateTrustedDomainFallback()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:37 +00:00
Andreas Schneider
812d4e0d6c python: Add aead_aes_256_cbc_hmac_sha512()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:37 +00:00
Andreas Schneider
23e61d2ceb python: Use secrets.token_bytes instead of random
random should not be used to create secure random numbers for tokens.
The secrets module is exactly for this.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:37 +00:00
Andreas Schneider
decacb0e7e python: Set parameter types for CreateTrustedDomainRelax()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:37 +00:00
Andreas Schneider
9e5fc81564 python:tests: Clean lsa_utils.py code according to Python standards
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:37 +00:00
Andreas Schneider
e32be2ade4 python:tests: Rename createtrustrelax.py to lsa_utils.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:37 +00:00
Andreas Schneider
00ed209e48 python: Implement OpenPolicyFallback()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:37 +00:00
Andreas Schneider
85d0ab38f7 python:samba: Rename trust_utils.py to lsa_utils.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:37 +00:00
Rob van der Linde
be2ade2d88 netcmd: fix broken shell command missing Model
This is already in MODELS which is populated in ModelMeta

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr  8 04:07:22 UTC 2024 on atb-devel-224
2024-04-08 04:07:22 +00:00
Rob van der Linde
bcae4c2dbe python: lint: fix pylint R1720 unnecessary "raise" after "else"
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-08 03:00:39 +00:00
Rob van der Linde
3dd49b9f56 python: lint: remove unused imports in claims and gmsa commands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-08 03:00:39 +00:00
Rob van der Linde
8f7ff1c7ef python: tests: type check should always use "is" or "is not"
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-08 03:00:39 +00:00
Rob van der Linde
e388bf4b4a python: tests: fix closing quote in docstring example
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-08 03:00:39 +00:00
Noel Power
93709d3159 selftest: Add new test for testing non-chunk transfer encoding
And add a known fail because there is a bug :-(

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-08 03:00:39 +00:00
Noel Power
efdbf0511e selftest: fix potential reference before assigned error
This would only happen if the test failed (but the message would be
incorrect as 'e' the exception to be stringified doesn't exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-08 03:00:39 +00:00
Andreas Schneider
2ecb69d9b7 python:tests: Improve keytab comparison of dckeytab
This will give better output on failure as it compares strings instead
of bytes.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-08 03:00:39 +00:00
Andrew Bartlett
06c589aaa1 python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED
This in particular tests the returned NTLM password buffers as well as
the password rotation on expired accounts described at
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 28 02:53:53 UTC 2024 on atb-devel-224
2024-03-28 02:53:53 +00:00
Andrew Bartlett
f29693d131 python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash
We want to use the PAC returned NT hash in the UF_SMARTCARD_REQUIRED case
as it will usually be random bytes so we can not just assert on the
value any more.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-28 01:50:41 +00:00
Andrew Bartlett
2fd5166a8c python/tests/krb5: Allow getting a TGT in pkinit tests
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-28 01:50:41 +00:00
Andrew Bartlett
b2fe1ea1c6 python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-28 01:50:41 +00:00
Jo Sutton
7cc8f45519 tests/krb5: Fix PK-INIT test framework to allow expired password keys
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Andrew Bartlett
46263c5c20 python/samba/krb5: Allow client address (caddr) to be missing or empty
Currently (as of 2024-02) windows 21H2 returns this as [].

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-28 01:50:41 +00:00
Rob van der Linde
6e02c97193 netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
dcb6a14fa2 netcmd: auth policy: add service-allowed-to-authenticate-from subcommands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
97c2ff19da netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
e88be1aed9 netcmd: auth policy: add user-allowed-to-authenticate-from subcommands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
2cbacad82d netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
316a84a597 netcmd: auth policy: add service-allowed-to-authenticate-to subcommands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
5db2a1581d netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
4ba087f818 netcmd: auth policy: add user-allowed-to-authenticate-to subcommands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
49c3bca803 netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
86d3706bd2 netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
96f00738ce netcmd: auth policy: extract policy base commands into policy.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
c0e748f011 netcmd: auth policy: turn policy.py into module
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
13d53ee3e2 netcmd: auth silo: extract silo base commands into silo.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
a2e9529ee6 netcmd: auth silo: move silo_member.py into silo module
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
4d2c8ea957 netcmd: auth silo: turn silo.py into module
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
cf60e3cad6 netcmd: gmsa: improve descriptions of --dns-host-name and match docs
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
828420b4f0 python: domain: models: add OrganizationalUnit container model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
5ac4b6969b python: domain: models: move OrganizationalPerson to org.py
There are other models like OrganizationalUnit which can go in org.py better if this is done first

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
3c0833ead5 python: domain: models: move MODELS to registry.py because it's not really a constant
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
bfd1f8cd46 python: domain: models: MODELS lookup does need to include base Model for shell command
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
0c5d09ae14 python: domain: models: add children method to return a models direct children
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
cca0cfe421 python: tests: write a test for the Model.as_dict method
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
917e2a7353 python: tests: computer model tests should clean up
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Rob van der Linde
ed07dee864 python: domain: models: as_dict() should also exclude empty list fields
Empty list fields happen if many=True is used on the field. This means that the field is automatically initialised as an empty list, so this can only ever be sa list or None.

The side-effect of this was that it appears in as_dict() when it shouldn't, because the field isn't populated. This fixes it.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-28 01:50:41 +00:00
Andrew Bartlett
06912de3b2 dsdb: Add API tests for new_gkdi_root_key()
These show that the new root key should be based on the server
configuration object, not just hardcoded defaults.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-28 01:50:41 +00:00
Noel Power
03240c91fb libcli/http: Handle http chunked transfer encoding
Also removes the knownfail for the chunked transfer test

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
2024-03-27 01:14:31 +00:00
Noel Power
30acd609f5 tests: add test for chunked encoding with http cli library
Adds http test client to excercise the http client library
and a blackbox test to run the client. This client is built
only with selftest

also adds a knownfail for the test

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
2024-03-27 01:14:31 +00:00
Noel Power
74cdebeae3 selftest: Add basic content-lenght http tests
very simple test of basic http request/response plus some checks to
ensure http response doesn't exceed the response max length set by
the client call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-27 01:14:31 +00:00
Jo Sutton
4f0ed9b003 tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15607

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 21 04:19:18 UTC 2024 on atb-devel-224
2024-03-21 04:19:18 +00:00
Jo Sutton
67457394e4 tests/krb5: Allow specifying SamDB to use when creating an account
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
0bc8d1469b python:tests: Do not have current_time() and current_nt_time() implicitly include clock skew
This is just too error‐prone.

current_gkid() will still continue to return the next GKID if it’s
within clock skew.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
96ac8144b4 python: Correct time conversion function name
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
d8fa0dd62e python: Type ‘format’ parameter as optional
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
cd7b0720de python: Correctly qualify strptime()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
ed5f8af329 python:tests: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
398a555fc2 python:tests: Simplify expression
‘not keytab_bytes’ is shorter and equivalent.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
86db305617 python:tests: Use Managed Service Accounts well‐known GUID
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Douglas Bagnall
c17ff0a335 pytest:segfault: do not assume PLEASE_NO_GDB_BACKTRACE var is unset
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 23:42:34 +00:00
Douglas Bagnall
5ceecd3f73 pytest:segfault: prevent @no_gdb_backtrace smearing on exception
It is OK for one of these tests to raise an exception -- that is often
the only reasonable thing to do when you'd otherwise crash -- but the
@no_gdb_backtrace decorator would not clean up in that case, leading to
no gdb backtraces for all subsequent tests.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 23:42:34 +00:00
Douglas Bagnall
c04ac95ce4 py:samdb: make SamDB.__str__ show the URL and ID
Getting the right samdb is going to matter more, so it is useful for
debugging to see which is which.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 23:42:34 +00:00
Rob van der Linde
da500249fc tests: gmsa blackbox tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 20 04:53:57 UTC 2024 on atb-devel-224
2024-03-20 04:53:57 +00:00
Rob van der Linde
7dcc06fa88 tests: models: test additional Computer constructor cases
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
c004fdd0f3 tests: models: fix username should be account_name
The reason this didn't fail, is because it doesn't save the Computers.

This gets fixed in the next commit.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
87cf1a2937 tests: user: create gmsa with models
It was fetching the GMSA with the models straight after creating it anyway.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
ea3838b6bc tests: user: fix PEP8 spacing around operator
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
878abe023e tests: user: gmsa dNSHostName is a required field
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
40e0cb2cca tests: samdb: Make use of the domain_sid property
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
3c022f444a python: fix json encoder should handle Exception
This happens if --json is used and a CommandError is raised, so will affect other commands too where --json is used.

This happens in the print_json_status method.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
52165b8ead python: models: add Container model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
bda232944c python: models: add kwargs to __json__ and as_dict methods
Allows passing arguments through

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
7fafb268bf python: pep8: fix import sorting after move
Only touch files where samba.domain.models import was moved

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
f739ef813c python: move models out of the netcmd package
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
1f511acc13 python: create domain module to move models into
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
e25c487203 netcmd: gmsa: show viewers also works if SID is not found
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
12adbfc6ab netcmd: gmsa: add and remove don't fetch trustee if it is a SID
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
87d00915e9 netcmd: gmsa: add_trustee and remove_trustee change argument to sid
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
48c0ed76e0 netcmd: gmsa: fix typo if trustee is not found
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
a6e79982c9 netcmd: gmsa: create should allow custom SDDL
gMSA update already supported it but not create

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:35 +00:00
Rob van der Linde
200948c172 netcmd: models: improve Computer constructor adding "$" handling
In some cases the previous code would end up creating computers where the account name ended on double "$"

Rewrote constructor to handle more cases, for example only an account name is provided, only a name is provided, or both.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:34 +00:00
Rob van der Linde
bd79c074e2 netcmd: models: allow scope to be overridden in query
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:34 +00:00
Rob van der Linde
3e22f8f303 netcmd: models: add User.get_sid_for_principal helper
Unlike User.find, this will not fetch the User if an SID is provided.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:34 +00:00
Rob van der Linde
12f3db0109 netcmd: models: User.find also tries object_sid
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:34 +00:00
Rob van der Linde
4f97df7056 python: samdb: Make connecting_user_sid a property
This is following the same design as other similar properties like samdb.domain_sid, only it doesn't need a setter.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:34 +00:00
Rob van der Linde
c221f7080c python: samdb: Move get_connecting_user_sid to samdb
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-20 03:49:34 +00:00
Andrew Bartlett
3bb215d194 selftest: Add tests of samba-tool domain export-keytab --keep-stale-entries behaviour
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
f81d7047b6 selftest: Add tests for "samba-tool domain exportkeytab" with existing files"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
b2dff17366 samba-tool domain exportkeytab: Raise a proper CommandError
This avoids giving just a backtrace for things like exporting a keytab
to an existing file.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
0cb1e4dbf8 samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab"
This will keep stale keys in the keytab, which may be useful for wireshark
but is not correct if the keytab is used for accepting Kerberos tickets,
as tickets encrypted with old passwords would still be accepted.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
43ce741d1f python/tests: Add test that gMSA keytab export works and matches direct keytab export
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
b8308f3fe0 auth/credentials: Make cli_credentials_get_aes256_key into generic key access
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
9fc11e329c auth/credentials: Use salt on credentials object for Creds.get_aes256_key()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
9246ee4804 samba-tool domain exportkeytab: Add support for -H to point to a different sam.ldb
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
7a8c091698 python: Explain strange enable_net_export_keytab() behaviour is no longer due Heimdal
This code is now common between Heimdal and MIT Kerberos, but can still be missing
for builds of "samba-tool" that do not include the whole AD DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Jule Anger
0e40506d21 selftest: add tests for "samba-tool user list --locked-only"
Signed-off-by: Jule Anger <janger@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Tue Mar 12 10:54:49 UTC 2024 on atb-devel-224
2024-03-12 10:54:49 +00:00
Jule Anger
055b4cd50f samba-tool: add "samba-tool user list --locked-only"
Signed-off-by: Jule Anger <janger@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-12 09:49:31 +00:00
Andrew Bartlett
d73c92a35d dsdb: Remove calls to ldb.set_opaque_integer()
This routine will shortly be removed, it is now replaced by an
improved ldb.set_opaque()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-05 02:54:36 +00:00
Andrew Bartlett
b42043897a python/samba/provision: Ensure KDS root key is usable as soon as provision is complete
We do this by setting the start time to being 10 hours 5min earlier
than now.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-05 02:54:36 +00:00
Andrew Bartlett
fb219d545b selftest: Assert that the provision KDS root key is already valid for use
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-05 02:54:36 +00:00
Douglas Bagnall
9b0330ea3f pytest:samba-tool domain kds root-key: test with normal user
It would be bad if samba-tool let ordinary users read root-key secrets.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar  4 03:20:46 UTC 2024 on atb-devel-224
2024-03-04 03:20:46 +00:00
Douglas Bagnall
ccfa16e2ec samba-tool: tidy up uncaught insufficient rights LdbError
It is likely that many sub-commands will produce a traceback when people
go `-H ldap://server -Ubob` when they needed to go `-UAdministrator`.

We can catch these and show only the core message.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-04 02:16:33 +00:00
Andrew Bartlett
757036cefe pyldb: Remove unused and broken Python access to LDB module API
These exposed the private LDB modules API to python, and was
untested and broken since LDB was made async internally as
it never called ldb_wait() on the result.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-03 22:33:35 +00:00
Rob van der Linde
cabe817f63 netcmd: models: Create ClaimType in the model layer instead
Having it inside a command isn't very re-usable.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar  1 05:52:53 UTC 2024 on atb-devel-224
2024-03-01 05:52:53 +00:00
Rob van der Linde
09aa259788 netcmd: models: ClaimType: move all dunder methods to the top for consistency
It's nice to consistently list the __str__ method first and all the dunder methods, then the static methods, then the rest.

At least for the models.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
2d7cbba23e netcmd: claims: tidy up, avoid setting enabled twice
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
0509844347 netcmd: models: rename lookup methods to find for consistency
There are a mixture of methods called either 'lookup' or 'find'.

This dates back to when they raised LookupError, but these now raise NotFound.

They should be all called 'find' for consistency.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
076bc6ee1d netcmd: models: Rename username to account_name for consistency
When creating the User model initially, "username" was the only field that was inconsistently named, it maps to "sAMAccountName".

It should really have been account "account_name".

There is also a field "account_type" and should be similarly named to "account_name".

Basically the naming of fields should always be consistent, breaking the rule for one field only was a mistake.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
e70b875139 netcmd: models: Add optional base_dn argument to Model.query method
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
d961aacdf2 netcmd: models: Add Person and OrganizationalPerson
Move only those fields over that we already had on User that actually belong on Person and OrganizationalPerson

There are more fields to add later.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
7a4dc03521 netcmd: models: Add a repr method to Query for help in the shell
This means in the shell you can just do User.query(samdb) without having to wrap it in list() all the time.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
3d36707908 netcmd: models: Rename method to Query._from_message for consistency
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
a1345442cc netcmd: models: Model.from_message should be internal
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
993b6da2db netcmd: silos: silo and auth policy commands use Query class better
Since the introduction of the Query class these can be written to be a lot clearer using models.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
9238afc16c netcmd: silos: silo and auth policy commands use print
This adds more consistency with newer code added after these commands.

But also print seems more flexible and requires no newline characters added constantly which ends up being a bit cleaner.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
983f04e1aa netcmd: models: move remove trustee code to the GMSA model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
2456fa71bd netcmd: models: move add trustee code to the GMSA model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
85ca9e7cba netcmd: tests: add tests for service-account commands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
a7a35ae5e3 netcmd: gmsa: cli commands for managing group msa membership
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
7b1b7d130b netcmd: gmsa: base cli commands for group managed service accounts
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
14a4f642b4 python: models: Computer constructor automatically adds "$" to account name
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
87c8e578de selftest: aces: fix mutable default args in assemble_ace
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
1093f4b6b1 selftest: aces: use constant from samba.security
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
62e11cfa8a python: sd_utils: pep8 import sorting
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
0127ddd7e2 python: sd_utils: remove redundant brackets around simple assert statements
Ideally these should be exceptions not asserts

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
1afb6465b8 python: sd_utils: pep8 fix spacing around
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
63d9b27908 netcmd: properly show command name in show help
This comes up if a user ends up typing something wrong, and it incorrectly showed only part of the command under Usage:

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
120bf34c69 netcmd: add newline before epilog so there is a space between
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
982ebebfbe netcmd: models: model __json__ method should call as_dict instead
The comment about RelatedField is not really relevant so removed that part, RelatedField isn't used at this point.

The idea with RelatedField is that it fetches the object (vs DnField which just returns a Dn).

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
181764a5d6 netcmd: models: setting kwarg to None should use field default
This comes up when trying to create a GroupManagedServiceAccount and setting the value of managed_password_interval to None.

We still want it to pick up the field default of 30 in this case.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
ca973caa28 netcmd: models: Model.query adds optional polymorphic flag for returning specific class types
This defaults to False, query the User class returns only User instances.

    User.query(samdb)

When set to True, query the User class can return User, Computer, ManagedServiceAccount instances.

    User.query(samdb, polymorphic=True)

If polymorphic is False the same records are still returned but records will always be interpreted as the model that is being queried only, rather than a more specific model that matches that object class.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
ccce7e7c03 netcmd: models: ModelMeta needs to also set fields and meta if class is Model
This is needed for polymorphic query, if querying from the Base model, which was not previously a feature.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
5870035486 netcmd: models: move object_sid field from User to base Model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
f54cfbea90 netcmd: models: bring Model class forward into module
This is important for polymorphic query support

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
f8b5f7f592 netcmd: models: ModelMeta no longer needs to inherit from ABCMeta
There are no more abstract methods since the previous commit, so ABCMeta is no longer needed.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
f90e09a285 netcmd: models: Model.get_object_class returns top instead of None
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
b3cc3ade43 netcmd: models: Query.first and Query.last should use count from instance
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
e41114ad5b netcmd: models: set the default for managed password interval on the model
This is to avoid having to provide a default in multiple places

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
611403d401 netcmd: models: move group msa membership default to constants
This means the constant can be imported and used by the tests

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
dccafff1b3 netcmd: shell: show Models subheading
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
14285db482 netcmd: models: make MODELS constant keyed by object class instead
This helps with polymorphic querying, mapping object class name to model class.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
1d0084673e netcmd: models: move MODELS constant to constants.py to avoid import loop
query.py and models.py otherwise cause an import loop, query.py needs to import MODELS

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
a547062352 netcmd: models: update docstring of Computer.find method
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
6834a1bdc9 netcmd: models: gmsa move find method to Computer model
The find method is the same as the find method from the User model, with the exception of adding "$".

This means it is actually logic that belongs in the parent class of GroupManagedServiceAccount, which is Computer.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
e1d61746c3 netcmd: models: gmsa GroupManagedServiceAccount inherits from Computer
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
1cd7cf6680 netcmd: models: gmsa move GroupManagedServiceAccount model to gmsa.py
It needs to inherit from the Computer model, the Computer model also inherits from User.

First, moving it to its own file from user.py to gmsa.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
84c721ec4a netcmd: models: gmsa trustees update docstring and incorrect return type
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
c8857abb74 netcmd: models: gmsa trustees property only looks at allowed aces
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
f5c6a42d97 netcmd: models: make GroupManagedServiceAccount.trustees a property
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
cd395558b0 netcmd: models: avoid fetching each user in trustees method
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
cf110742af netcmd: models: Remove unused groups_sddl method from User model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Rob van der Linde
4e31942d1f netcmd: models: add default SDDL to group_msa_membership
LA can be used for the administrator and Windows will expand that on save, making the group_sddl method redundant.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Douglas Bagnall
d6bfd26049 pytests: samba-tool domain kds root_key
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar  1 01:27:30 UTC 2024 on atb-devel-224
2024-03-01 01:27:30 +00:00
Douglas Bagnall
d0234391a8 samba-tool: add samba-tool domain kds root_key delete
For deleting root keys.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
710093dc27 samba-tool: add samba-tool domain kds root_key create
For making new root keys.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
ee1e9f1fb2 samba-tool: add samba-tool domain kds root_key view
This is for looking at one root key. There isn't much to know.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
a92699cda0 samba-tool: add samba-tool domain kds root_key list
This lists root keys, in descending chronological order according to the
use_start_toime attribute. That's becuase you usually only care about
the newest one.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
884d40ca16 samba-tool: don't error if there are no sub-commands
This is useful when you commit samba-tool tests before you commit the
samba-tool code, and you want the tests to fail rather than error.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
79342a8411 provision: add a default root key
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
53bf56c62b pytest:dsdb: check that there is a gkdi root key
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
c6208a3b0e pytest:gkdi: shift create_root_key into a function
This is so the samba-tool domain kds root_key tests can use it as a
function.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
e1ab10b1fc pytest:samba-tool: add a flag to print more in runcmd
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
ae0f38c319 samba-tool user delete: use account type constant
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
e5efa21746 samba-tool domain: add LDB Result to json encoders
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
17dbaf4d33 python:samdb: wrapper for _dsdb_create_gkdi_root_key()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
214ac139d8 samba-tool domain kds root_key
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
327f5dc4e5 samba-tool domain kds: add root key sub-command
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
fbd9740272 samba-tool domain: add kds sub-branch
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Andrew Bartlett
02f18a88da selftest: Ignore msKds-DomainID in ldapcmp_restoredc.sh and samba.tests.domain_backup_offline
Like serverReferenceBL etc, this will point to a DC that created the object, and
as part of the backup and restore, this DC will be deleted.  It is just for
tracking the object creation, so this is fine.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 00:19:45 +00:00
Andrew Bartlett
0c1ac19776 samba-tool user getpassword: Clarify success wording
It may be the case that there was no password, or read access to the
password was not permitted.  The structure of the code and the pattern
in LDIF that missing information is simply returned as missing
attributes makes it hard to detect and communicate a clear
error here, particularly as an error may not be wanted if
(say) pwdLastSet is queried on a gMSA that we can not read.

So we just make the string to indicate, as I think it was meant,
that the tool ran to compleation.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Feb 29 05:07:45 UTC 2024 on atb-devel-224
2024-02-29 05:07:45 +00:00
Douglas Bagnall
00daa520ce python/nt_time: have a go at using 1_000_000 number separators.
I noticed these are available in Python 3.6+, which is what we support,
and they're arguably nicer than using exponentiation.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
d3d87aee2a python:nt_time: add a nt_now() function
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
33a8ae1748 python:nt_time: add string_from_nt_time
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
60022ed55f py:nt_time: add nt_time_from_string()
This is for samba-tool, which could do with a common understanding of
time strings across various sub-tools.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
8cf9d4cae1 pytest:audit_log_base: use string_is_guid()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
6d087d1d29 pytest:auth_log_base: use string_is_guid()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
0fe263a56d pylibs: add string_is_guid() helper.
In various places we use regular expressions to check for GUID-ness,
though typically we don't match GUIDs with uppercase hex digits when
we really should.

If we centralise the check, we have more chance of getting it right.

Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Feb 29 02:38:07 UTC 2024 on atb-devel-224
2024-02-29 02:38:06 +00:00
Douglas Bagnall
7b089e1206 samba-tool: with --json, error messages are in JSON
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Douglas Bagnall
1f128fee27 samba-tool: instances remember whether --json was requested
All our subcommands are going to learn --json eventually, and they
shouldn't all have to do this individually.

The next commit uses this to automatically format CommandErrors as JSON.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Douglas Bagnall
542ba5cbd5 samba-tool: add self.print_json_status() helper
This is a helper to return JSON for simple messages.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Douglas Bagnall
742fc4d841 samba-tool: avoid mutable Command class values
These values are shared across all instances of the class,
which makes no difference in samba-tool itself, because there
is one instance per process. But in tests we can have many
Command classes at once (due to runcmd()), and if any of them
happened to append to takes_args or takes_options rather than
replacing it, well, the effect would be subtle.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Douglas Bagnall
29abab6a46 samba-tool domain level: avoid using assert
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Douglas Bagnall
8650ba0a18 samba-tool domain claim: use secrets module for token
`binascii.hexlify(os.urandom(8)).decode()` was fine, but `os.urandom`
is OS specific and can theoretically block (says the documentation).

We will let Python's secrets module worry about such details.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Andrew Bartlett
2908a6d67b samba-tool user getpassword: Also return the time a GMSA password is valid until
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-02-29 01:31:31 +00:00
Andrew Bartlett
71f7c4a3c5 samba-tool: Allow ;format=UnixTime etc to operate on virtual attributes
To convert a virtual attribute we must understand that it has
been put into "obj" under the name including the ;format= part
and so we must look it back up with that name when looking to
covert it from (say) NTTIME to a unix time.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-02-29 01:31:31 +00:00
Andrew Bartlett
dfe71c4235 python/samba/tests: Include more detail on invoication in test of "samba-tool user show"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-02-29 01:31:31 +00:00
Andrew Bartlett
380c80b4d6 samba-tool user getpassword: Do not show preview of gMSA password
The AD server will send a preview of the next gMSA password, 5mins before
it is expected to be active.

This is useful in a keytab, which needs to be in place before a ticket
could possibly be issued, but is not helpful for authentication, as
the server also accepts passwords for 5mins after the change.

This avoids needing teach all users of this tool how to fall back to
the previous password for a 5min period every 30 days, by default.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-02-29 01:31:31 +00:00
Andrew Bartlett
009a4706d2 python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-28 03:44:37 +00:00
Jo Sutton
4b0f3f3d10 python: Fail the test if we don’t receive an NTSTATUSError
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Jo Sutton
3e342e2d37 tests/krb5: Move assertLocalSamDB() into RawKerberosTest
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Jo Sutton
df475fbc2f tests/krb5: type hinting
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
69c3044a72 python/tests: Use TestCaseInTempDir rather than "private dir" for exported keytab
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
a1d7af2485 python/tests: Convert dckeytab test to use new NDR keytab parser
This is much nicer than reading strings out of the binary file.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
2e230f728e python/tests: Add test for new krb5 keytab parser
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
9a5cc12042 python/samba/samdb: Only do caching of well known DNs in dbcheck
The fact that get_wellknown_dn() returned a cached DN that could
not be modified safely was unexpected, particularly given that
other similar routines did not do that.

The use case given at the time this was written by
Matthieu Patou in 6122acad0f
was dbcheck, so move the cache there, and name it clearly.

dbcheck is the only case that uses this rotuine in an inner
loop.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andreas Schneider
e4c3c61302 python:gp: Implement client site lookup in site_dn_for_machine()
This is [MS-GPOL] 3.2.5.1.4 Site Search.

The netr_DsRGetSiteName() needs to run over local rpc, however we do not
have the call implemented in our rpc_server. What netr_DsRGetSiteName()
actually does is an ldap query to get the sitename, we can just do the
same.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 26 08:06:08 UTC 2024 on atb-devel-224
2024-02-26 08:06:08 +00:00
Jo Sutton
8fe5765822 python:tests: Remove unused imports
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
2748466ec6 python: Reformat nt_time.py
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
22c6629e16 samba-tool: Display friendlier error message if no password is available
‘samba-tool user get-kerberos-ticket’ is supposed to display an error
message if no password is available. However, the conditions for which
the message is displayed are impossible to be met. If ‘utf16_pw’ is not
None, the message is not displayed; if ‘utf16_pw’ *is* None, ‘nt_pass’
is assigned with a samr.Password object, which is not None — and so the
message is still not displayed.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
75ca027f61 python:tests: Pass correct arguments to set_named_ccache()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
678ed54e78 python:tests: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
b2215aaee0 python:tests: Produce more helpful error message for future GKIDs
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Rob van der Linde
b401502c55 netcmd: models: add GroupManagedServiceAccount model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
5e52e211a9 netcmd: models: add missing fields to User model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
b31cdb0398 netcmd: models: add missing enum fields to Group model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
16e1ea9bf5 netcmd: models: make Group.system_flags a flags based EnumField
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
5165d54da4 netcmd: models: add Computer model subclass of User
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
128a5cf087 netcmd: models: stop using LookupError exception and change it to NotFound
LookupError is a base class for IndexError and KeyError and isn't really the appropriate exception.

NotFound inherits from ModelError just like the other model exceptions.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
0a3da8dccd netcmd: models: rename DoesNotExist exception to NotFound
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
73c44e96dd netcmd: models: SDDLField move line down where it gets used
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
63064d4c9f netcmd: models: SDDLField parses to object instead of string
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
9ca05ec28c netcmd: delegation: don't use assert but raise CommandError
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
6d7ad27865 netcmd: delegation: initial value not required because of raise below
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
ec6fb98b4a netcmd: delegation: move line down where it gets used
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
1608dde944 netcmd: delegation: pep8 fix blank lines
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
68092f85fa netcmd: bugfix: json encoder failed to call super method
This lead to a strange recursion error when a field came up that the JSONEncoder couldn't encode.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
ea63b058fc netcmd: json encoder supports security descriptor objects
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
de8b61cbbe netcmd: support hyphens in top-level commands and convert to underscore
Hyphens in python modules are invalid and makes them only importable by importlib, which makes them harder to import in tests.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-16 02:41:36 +00:00
Rob van der Linde
a3641b323b netcmd: models: mark some hidden fields on the base Model as readonly
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
dcb3dd5914 netcmd: models: tests: add tests for NtTimeField
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
37855511f6 netcmd: models: add new NtTimeField model field
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
4c08b420dd netcmd: models: model field DateTimeField returns datetime in UTC
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
10ef49b049 netcmd: models: move enum import to correct place
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
21667b9b51 netcmd: models: fix build_expression on SIDField handles security.dom_sid
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
cbcc8039d1 netcmd: models: fix build_expression did not work with EnumField
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
9bd7a56364 netcmd: models: fix BooleanField filtering didn't work on FALSE value
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
e11aa29ef8 netcmd: models: move expression code to Field class
This is necessary to deal with edge cases for specific fields.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
d8251cc0ea netcmd: models: add AccountType enum to User model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
884b24dc6d netcmd: models: add AccountType IntFlag field
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
4595a1dae3 netcmd: models: EnumField now also supports IntFlag
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
3c8d449ad3 netcmd: models: check for None in build_expression instead
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
c2b63fe85e netcmd: models: change import style to use brackets
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Rob van der Linde
d046f71878 netcmd: models: enums and constants also brought forward
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00