1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-21 18:04:06 +03:00
Rob van der Linde 3eccaf5d1e s4/dsdb: fix unnecessary backslash
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 04:58:30 +00:00

399 lines
15 KiB
Python

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This tests the restrictions on userAccountControl that apply even if write access is permitted
#
# Copyright Samuel Cabrero 2014 <samuelcabrero@kernevil.me>
# Copyright Andrew Bartlett 2014 <abartlet@samba.org>
#
# Licenced under the GPLv3
#
import optparse
import sys
import unittest
import samba
import samba.getopt as options
import samba.tests
import ldb
import base64
sys.path.insert(0, "bin/python")
from samba.tests.subunitrun import TestProgram, SubunitOptions
from samba.tests import DynamicTestCase
from samba.subunit.run import SubunitTestRunner
from samba.auth import system_session
from samba.samdb import SamDB
from samba.dcerpc import samr, security, lsa
from samba.credentials import Credentials
from samba.ndr import ndr_unpack, ndr_pack
from samba.tests import delete_force
from samba import gensec, sd_utils
from samba.credentials import DONT_USE_KERBEROS
from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError
from ldb import Message, MessageElement, Dn
from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
from samba.dsdb import UF_SCRIPT, UF_ACCOUNTDISABLE, UF_00000004, UF_HOMEDIR_REQUIRED, \
UF_LOCKOUT, UF_PASSWD_NOTREQD, UF_PASSWD_CANT_CHANGE, UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED,\
UF_TEMP_DUPLICATE_ACCOUNT, UF_NORMAL_ACCOUNT, UF_00000400, UF_INTERDOMAIN_TRUST_ACCOUNT, \
UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT, UF_00004000, \
UF_00008000, UF_DONT_EXPIRE_PASSWD, UF_MNS_LOGON_ACCOUNT, UF_SMARTCARD_REQUIRED, \
UF_TRUSTED_FOR_DELEGATION, UF_NOT_DELEGATED, UF_USE_DES_KEY_ONLY, UF_DONT_REQUIRE_PREAUTH, \
UF_PASSWORD_EXPIRED, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, UF_NO_AUTH_DATA_REQUIRED, \
UF_PARTIAL_SECRETS_ACCOUNT, UF_USE_AES_KEYS
parser = optparse.OptionParser("user_account_control.py [options] <host>")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
# use command line creds if available
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
opts, args = parser.parse_args()
if len(args) < 1:
parser.print_usage()
sys.exit(1)
host = args[0]
if "://" not in host:
ldaphost = "ldap://%s" % host
else:
ldaphost = host
start = host.rindex("://")
host = host.lstrip(start + 3)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
"""
Check the combinations of:
rodc kdc
a2d2
useraccountcontrol (trusted for delegation)
sidHistory
x
add
modify(replace)
modify(add)
x
sd WP on add
cc default perms
admin created, WP to user
x
computer
user
"""
attrs = {"sidHistory":
{"value": ndr_pack(security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)),
"priv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
"unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS},
"msDS-AllowedToDelegateTo":
{"value": f"host/{host}",
"unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS},
"userAccountControl-a2d-user":
{"attr": "userAccountControl",
"value": str(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION|UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD),
"unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS},
"userAccountControl-a2d-computer":
{"attr": "userAccountControl",
"value": str(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION|UF_WORKSTATION_TRUST_ACCOUNT),
"unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
"only-1": "computer"},
# This flag makes many legitimate authenticated clients
# send a forwardable ticket-granting-ticket to the server
"userAccountControl-t4d-user":
{"attr": "userAccountControl",
"value": str(UF_TRUSTED_FOR_DELEGATION|UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD),
"unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS},
"userAccountControl-t4d-computer":
{"attr": "userAccountControl",
"value": str(UF_TRUSTED_FOR_DELEGATION|UF_WORKSTATION_TRUST_ACCOUNT),
"unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
"only-1": "computer"},
"userAccountControl-DC":
{"attr": "userAccountControl",
"value": str(UF_SERVER_TRUST_ACCOUNT),
"unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
"only-2": "computer"},
"userAccountControl-RODC":
{"attr": "userAccountControl",
"value": str(UF_PARTIAL_SECRETS_ACCOUNT|UF_WORKSTATION_TRUST_ACCOUNT),
"unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
"only-1": "computer"},
"msDS-SecondaryKrbTgtNumber":
{"value": "65536",
"unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS},
"primaryGroupID":
{"value": str(security.DOMAIN_RID_ADMINS),
"priv-error": ldb.ERR_UNWILLING_TO_PERFORM,
"unpriv-add-error": ldb.ERR_UNWILLING_TO_PERFORM,
"unpriv-error": ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS}
}
@DynamicTestCase
class PrivAttrsTests(samba.tests.TestCase):
def get_creds(self, target_username, target_password):
creds_tmp = Credentials()
creds_tmp.set_username(target_username)
creds_tmp.set_password(target_password)
creds_tmp.set_domain(creds.get_domain())
creds_tmp.set_realm(creds.get_realm())
creds_tmp.set_workstation(creds.get_workstation())
creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
| gensec.FEATURE_SEAL)
creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
return creds_tmp
def assertGotLdbError(self, wanted, got):
if not self.strict_checking:
self.assertNotEqual(got, ldb.SUCCESS)
else:
self.assertEqual(got, wanted)
def setUp(self):
super().setUp()
strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True)
if strict_checking is None:
strict_checking = '1'
self.strict_checking = bool(int(strict_checking))
self.admin_creds = creds
self.admin_samdb = SamDB(url=ldaphost, credentials=self.admin_creds, lp=lp)
self.domain_sid = security.dom_sid(self.admin_samdb.get_domain_sid())
self.base_dn = self.admin_samdb.domain_dn()
self.unpriv_user = "testuser1"
self.unpriv_user_pw = "samba123@"
self.unpriv_creds = self.get_creds(self.unpriv_user, self.unpriv_user_pw)
self.admin_sd_utils = sd_utils.SDUtils(self.admin_samdb)
self.test_ou_name = "OU=test_priv_attrs"
self.test_ou = self.test_ou_name + "," + self.base_dn
delete_force(self.admin_samdb, self.test_ou, controls=["tree_delete:0"])
self.admin_samdb.create_ou(self.test_ou)
expected_user_dn = f"CN={self.unpriv_user},{self.test_ou_name},{self.base_dn}"
self.admin_samdb.newuser(self.unpriv_user, self.unpriv_user_pw, userou=self.test_ou_name)
res = self.admin_samdb.search(expected_user_dn,
scope=SCOPE_BASE,
attrs=["objectSid"])
self.assertEqual(1, len(res))
self.unpriv_user_dn = res[0].dn
self.addCleanup(delete_force, self.admin_samdb, self.unpriv_user_dn, controls=["tree_delete:0"])
self.unpriv_user_sid = self.admin_sd_utils.get_object_sid(self.unpriv_user_dn)
self.unpriv_samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
@classmethod
def setUpDynamicTestCases(cls):
for test_name in attrs.keys():
for add_or_mod in ["add", "mod-del-add", "mod-replace"]:
for permission in ["admin-add", "CC"]:
for sd in ["default", "WP"]:
for objectclass in ["computer", "user"]:
tname = f"{test_name}_{add_or_mod}_{permission}_{sd}_{objectclass}"
targs = (test_name,
add_or_mod,
permission,
sd,
objectclass)
cls.generate_dynamic_test("test_priv_attr",
tname,
*targs)
def add_computer_ldap(self, computername, others=None, samdb=None):
dn = "CN=%s,%s" % (computername, self.test_ou)
domainname = ldb.Dn(samdb, samdb.domain_dn()).canonical_str().replace("/", "")
samaccountname = "%s$" % computername
dnshostname = "%s.%s" % (computername, domainname)
msg_dict = {
"dn": dn,
"objectclass": "computer"}
if others is not None:
msg_dict = dict(list(msg_dict.items()) + list(others.items()))
msg = ldb.Message.from_dict(samdb, msg_dict)
msg["sAMAccountName"] = samaccountname
print("Adding computer account %s" % computername)
try:
samdb.add(msg)
except ldb.LdbError:
print(msg)
raise
return msg.dn
def add_user_ldap(self, username, others=None, samdb=None):
dn = "CN=%s,%s" % (username, self.test_ou)
domainname = ldb.Dn(samdb, samdb.domain_dn()).canonical_str().replace("/", "")
samaccountname = "%s$" % username
msg_dict = {
"dn": dn,
"objectclass": "user"}
if others is not None:
msg_dict = dict(list(msg_dict.items()) + list(others.items()))
msg = ldb.Message.from_dict(samdb, msg_dict)
msg["sAMAccountName"] = samaccountname
print("Adding user account %s" % username)
try:
samdb.add(msg)
except ldb.LdbError:
print(msg)
raise
return msg.dn
def add_thing_ldap(self, user, others, samdb, objectclass):
if objectclass == "user":
dn = self.add_user_ldap(user, others, samdb=samdb)
elif objectclass == "computer":
dn = self.add_computer_ldap(user, others, samdb=samdb)
return dn
def _test_priv_attr_with_args(self, test_name, add_or_mod, permission, sd, objectclass):
user="privattrs"
if "attr" in attrs[test_name]:
attr = attrs[test_name]["attr"]
else:
attr = test_name
if add_or_mod == "add":
others = {attr: attrs[test_name]["value"]}
else:
others = {}
if permission == "CC":
samdb = self.unpriv_samdb
# Set CC on container to allow user add
mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.unpriv_user_sid)
self.admin_sd_utils.dacl_add_ace(self.test_ou, mod)
mod = "(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.unpriv_user_sid)
self.admin_sd_utils.dacl_add_ace(self.test_ou, mod)
else:
samdb = self.admin_samdb
if sd == "WP":
# Set SD to WP to the target user as part of add
sd = "O:%sG:DUD:(OA;CIID;RPWP;;;%s)(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;%s)" % (self.unpriv_user_sid, self.unpriv_user_sid, self.unpriv_user_sid)
tmp_desc = security.descriptor.from_sddl(sd, self.domain_sid)
others["ntSecurityDescriptor"] = ndr_pack(tmp_desc)
if add_or_mod == "add":
# only-1 and only-2 are due to windows behaviour
if "only-1" in attrs[test_name] and \
attrs[test_name]["only-1"] != objectclass:
try:
dn = self.add_thing_ldap(user, others, samdb, objectclass)
self.fail(f"{test_name}: Unexpectedly able to set {attr} on new {objectclass} as ADMIN (should fail LDAP_OBJECT_CLASS_VIOLATION)")
except LdbError as e5:
(enum, estr) = e5.args
self.assertGotLdbError(ldb.ERR_OBJECT_CLASS_VIOLATION, enum)
elif permission == "CC":
try:
dn = self.add_thing_ldap(user, others, samdb, objectclass)
self.fail(f"{test_name}: Unexpectedly able to set {attr} on new {objectclass}")
except LdbError as e5:
(enum, estr) = e5.args
if "unpriv-add-error" in attrs[test_name]:
self.assertGotLdbError(attrs[test_name]["unpriv-add-error"],
enum)
else:
self.assertGotLdbError(attrs[test_name]["unpriv-error"],
enum)
elif "only-2" in attrs[test_name] and \
attrs[test_name]["only-2"] != objectclass:
try:
dn = self.add_thing_ldap(user, others, samdb, objectclass)
self.fail(f"{test_name}: Unexpectedly able to set {attr} on new {objectclass} as ADMIN (should fail LDAP_OBJECT_CLASS_VIOLATION)")
except LdbError as e5:
(enum, estr) = e5.args
self.assertGotLdbError(ldb.ERR_OBJECT_CLASS_VIOLATION, enum)
elif "priv-error" in attrs[test_name]:
try:
dn = self.add_thing_ldap(user, others, samdb, objectclass)
self.fail(f"{test_name}: Unexpectedly able to set {attr} on new {objectclass} as ADMIN")
except LdbError as e5:
(enum, estr) = e5.args
self.assertGotLdbError(attrs[test_name]["priv-error"], enum)
else:
try:
dn = self.add_thing_ldap(user, others, samdb, objectclass)
except LdbError as e5:
(enum, estr) = e5.args
self.fail(f"Failed to add account {user} as objectclass {objectclass}")
else:
try:
dn = self.add_thing_ldap(user, others, samdb, objectclass)
except LdbError as e5:
(enum, estr) = e5.args
self.fail(f"Failed to add account {user} as objectclass {objectclass}")
if add_or_mod == "add":
return
m = ldb.Message()
m.dn = dn
# Do modify
if add_or_mod == "mod-del-add":
m["0"] = ldb.MessageElement([],
ldb.FLAG_MOD_DELETE,
attr)
m["1"] = ldb.MessageElement(attrs[test_name]["value"],
ldb.FLAG_MOD_ADD,
attr)
else:
m["0"] = ldb.MessageElement(attrs[test_name]["value"],
ldb.FLAG_MOD_REPLACE,
attr)
try:
self.unpriv_samdb.modify(m)
self.fail(f"{test_name}: Unexpectedly able to set {attr} on {m.dn}")
except LdbError as e5:
(enum, estr) = e5.args
self.assertGotLdbError(attrs[test_name]["unpriv-error"], enum)
runner = SubunitTestRunner()
rc = 0
if not runner.run(unittest.makeSuite(PrivAttrsTests)).wasSuccessful():
rc = 1
sys.exit(rc)