The branch, master has been updated
       via  c91af5f1a8b tests/krb5: Simplify logic
       via  a9025b68b24 tests/krb5: Improve mock RODC creation
       via  e729606631b selftest: Simplify krb5 test environments
       via  80b22a7869f python: Restore SDDL abbreviations for SIDs
       via  1137ebc654e sddl: Remove SDDL SID strings unsupported by Windows
       via  732d17a129a sddl: Add new SDDL SID strings
       via  e61fa573fe1 sddl: Fix incorrect SDDL SID strings
       via  9b913fcb0f4 s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation
       via  d55b717fd62 python: Use explicit SIDs instead of SDDL abbreviations
       via  c26ee3ba966 python:tests: Add tests for SDDL SID strings
      from  ef1dbcdc6cb torture: Allow Samba as an AD DC to use zeros for LM key
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c91af5f1a8b666cdd305165937bf28c551b88134
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 7 17:07:48 2022 +1300

    tests/krb5: Simplify logic

    This code can be made part of the previous 'else' branch.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Joseph Sutton <jsut...@samba.org>
    Autobuild-Date(master): Fri Mar 18 00:11:25 UTC 2022 on sn-devel-184

commit a9025b68b24956bf543ef85c96a7a8fe91784630
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 7 17:01:40 2022 +1300

    tests/krb5: Improve mock RODC creation

    Use a unique name for the mock RODC.

    Don't assign to _rodc_ctx until the RODC has been created, so we don't
    try to use a mock RODC that failed to create.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit e729606631b5bfaf7c4ad8c1e70697adf8274777
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 4 16:57:27 2022 +1300

    selftest: Simplify krb5 test environments

    It's not necessary to repeat the required environment variables for
    every test.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 80b22a7869f4ec8320a634810a10d3f058526aa7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 15 10:20:59 2022 +1300

    python: Restore SDDL abbreviations for SIDs

    This time we use the correct values.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 1137ebc654e4dfd91601abd20262024063a495c8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 14 18:18:39 2022 +1300

    sddl: Remove SDDL SID strings unsupported by Windows

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 732d17a129ab0f48d0025f5992af38d442b1fc6a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 14 18:18:09 2022 +1300

    sddl: Add new SDDL SID strings

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e61fa573fe1a911460cfb3b64ba05b031d124256
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 14 18:14:15 2022 +1300

    sddl: Fix incorrect SDDL SID strings

    Change the values to match those used by Windows.

    Verified with PowerShell commands of the form:

    New-Object Security.Principal.SecurityIdentifier ER

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9b913fcb0f4e69b9fd7db1c974d7534ef356a318
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 14 19:40:45 2022 +1300

    s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation

    This is to prepare for the SDDL string being removed.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d55b717fd62a17b424400af0de2bac41c3ae80f5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 14 19:40:16 2022 +1300

    python: Use explicit SIDs instead of SDDL abbreviations

    This is to prepare for changing the SDDL string values.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c26ee3ba9662d03f0c32ee518d7a0a69d3bc8401
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 15 19:24:38 2022 +1300

    python:tests: Add tests for SDDL SID strings

    We get the server to decode the SDDL by putting the SID strings in the
    defaultSecurityDescriptor of a new class and making an object of that
    class. We then check that the resulting SID is what we expect.
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: libcli/security/sddl.c | 43 +++++- librpc/idl/security.idl | 30 ++++ python/samba/descriptor.py | 16 +- python/samba/schema.py | 6 +- python/samba/tests/krb5/kdc_base_test.py | 20 +-- python/samba/tests/krb5/raw_testcase.py | 10 +- python/samba/tests/sid_strings.py | 235 ++++++++++++++++++++++++++++++ selftest/knownfail.d/sid-strings | 3 + source4/rpc_server/lsa/lsa_init.c | 2 +- source4/selftest/tests.py | 241 +++++-------------------------- 10 files changed, 373 insertions(+), 233 deletions(-) create mode 100644 python/samba/tests/sid_strings.py create mode 100644 selftest/knownfail.d/sid-strings Changeset truncated at 500 lines: diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c index 26049ec458a..5bb65ddfd6b 100644 --- a/libcli/security/sddl.c +++ b/libcli/security/sddl.c @@ -92,6 +92,7 @@ static const struct { { .code = "CO", .sid = SID_CREATOR_OWNER }, { .code = "CG", .sid = SID_CREATOR_GROUP }, + { .code = "OW", .sid = SID_OWNER_RIGHTS }, { .code = "NU", .sid = SID_NT_NETWORK }, { .code = "IU", .sid = SID_NT_INTERACTIVE }, @@ -104,7 +105,7 @@ static const struct { { .code = "SY", .sid = SID_NT_SYSTEM }, { .code = "LS", .sid = SID_NT_LOCAL_SERVICE }, { .code = "NS", .sid = SID_NT_NETWORK_SERVICE }, - { .code = "IS", .sid = SID_NT_IUSR }, + { .code = "WR", .sid = SID_SECURITY_RESTRICTED_CODE }, { .code = "BA", .sid = SID_BUILTIN_ADMINISTRATORS }, { .code = "BU", .sid = SID_BUILTIN_USERS }, 
@@ -115,17 +116,41 @@ static const struct { { .code = "PO", .sid = SID_BUILTIN_PRINT_OPERATORS }, { .code = "BO", .sid = SID_BUILTIN_BACKUP_OPERATORS }, { .code = "RE", .sid = SID_BUILTIN_REPLICATOR }, - { .code = "BR", .sid = SID_BUILTIN_RAS_SERVERS }, { .code = "RU", .sid = SID_BUILTIN_PREW2K }, { .code = "RD", .sid = SID_BUILTIN_REMOTE_DESKTOP_USERS }, { .code = "NO", .sid = SID_BUILTIN_NETWORK_CONF_OPERATORS }, - { .code = "IF", .sid = SID_BUILTIN_INCOMING_FOREST_TRUST }, + + { .code = "MU", .sid = SID_BUILTIN_PERFMON_USERS }, + { .code = "LU", .sid = SID_BUILTIN_PERFLOG_USERS }, + { .code = "IS", .sid = SID_BUILTIN_IUSERS }, + { .code = "CY", .sid = SID_BUILTIN_CRYPTO_OPERATORS }, + { .code = "ER", .sid = SID_BUILTIN_EVENT_LOG_READERS }, + { .code = "CD", .sid = SID_BUILTIN_CERT_SERV_DCOM_ACCESS }, + { .code = "RA", .sid = SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS }, + { .code = "ES", .sid = SID_BUILTIN_RDS_ENDPOINT_SERVERS }, + { .code = "MS", .sid = SID_BUILTIN_RDS_MANAGEMENT_SERVERS }, + { .code = "HA", .sid = SID_BUILTIN_HYPER_V_ADMINS }, + { .code = "AA", .sid = SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS }, + { .code = "RM", .sid = SID_BUILTIN_REMOTE_MANAGEMENT_USERS }, + + { .code = "UD", .sid = SID_USER_MODE_DRIVERS }, + + { .code = "AC", .sid = SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE }, + + { .code = "LW", .sid = SID_SECURITY_MANDATORY_LOW }, + { .code = "ME", .sid = SID_SECURITY_MANDATORY_MEDIUM }, + { .code = "MP", .sid = SID_SECURITY_MANDATORY_MEDIUM_PLUS }, + { .code = "HI", .sid = SID_SECURITY_MANDATORY_HIGH }, + { .code = "SI", .sid = SID_SECURITY_MANDATORY_SYSTEM }, + + { .code = "AS", .sid = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY }, + { .code = "SS", .sid = SID_SERVICE_ASSERTED_IDENTITY }, + + { .code = "RO", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS }, { .code = "LA", .sid = NULL, .rid = DOMAIN_RID_ADMINISTRATOR }, { .code = "LG", .sid = NULL, .rid = DOMAIN_RID_GUEST }, - { .code = "LK", .sid = NULL, .rid = DOMAIN_RID_KRBTGT 
}, - { .code = "ER", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS }, { .code = "DA", .sid = NULL, .rid = DOMAIN_RID_ADMINS }, { .code = "DU", .sid = NULL, .rid = DOMAIN_RID_USERS }, { .code = "DG", .sid = NULL, .rid = DOMAIN_RID_GUESTS }, @@ -135,7 +160,13 @@ static const struct { { .code = "SA", .sid = NULL, .rid = DOMAIN_RID_SCHEMA_ADMINS }, { .code = "EA", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_ADMINS }, { .code = "PA", .sid = NULL, .rid = DOMAIN_RID_POLICY_ADMINS }, - { .code = "RO", .sid = NULL, .rid = DOMAIN_RID_READONLY_DCS }, + + { .code = "CN", .sid = NULL, .rid = DOMAIN_RID_CLONEABLE_CONTROLLERS }, + + { .code = "AP", .sid = NULL, .rid = DOMAIN_RID_PROTECTED_USERS }, + { .code = "KA", .sid = NULL, .rid = DOMAIN_RID_KEY_ADMINS }, + { .code = "EK", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_KEY_ADMINS }, + { .code = "RS", .sid = NULL, .rid = DOMAIN_RID_RAS_SERVERS } }; diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 9845becd826..6b867595a28 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl 
@@ -274,9 +274,18 @@ interface security const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560"; const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561"; const string SID_BUILTIN_DISTRIBUTED_COM_USERS = "S-1-5-32-562"; + const string SID_BUILTIN_IUSERS = "S-1-5-32-568"; const string SID_BUILTIN_CRYPTO_OPERATORS = "S-1-5-32-569"; const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573"; const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574"; + const string SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS = "S-1-5-32-575"; + const string SID_BUILTIN_RDS_ENDPOINT_SERVERS = "S-1-5-32-576"; + const string SID_BUILTIN_RDS_MANAGEMENT_SERVERS = "S-1-5-32-577"; + const string SID_BUILTIN_HYPER_V_ADMINS = "S-1-5-32-578"; + const string SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS = "S-1-5-32-579"; + const string SID_BUILTIN_REMOTE_MANAGEMENT_USERS = "S-1-5-32-580"; + + const string SID_SECURITY_RESTRICTED_CODE = "S-1-5-33"; /* UID/GID mapping Samba style */ const string SID_SAMBA_UNIX_USER_OWNER = "S-1-22-1"; @@ -295,6 +304,16 @@ interface security const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496"; const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497"; + const string SID_USER_MODE_DRIVERS = "S-1-5-84-0-0-0-0-0"; + + const string SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = "S-1-15-2-1"; + + const string SID_SECURITY_MANDATORY_LOW = "S-1-16-4096"; + const string SID_SECURITY_MANDATORY_MEDIUM = "S-1-16-8192"; + const string SID_SECURITY_MANDATORY_MEDIUM_PLUS = "S-1-16-8448"; + const string SID_SECURITY_MANDATORY_HIGH = "S-1-16-12288"; + const string SID_SECURITY_MANDATORY_SYSTEM = "S-1-16-16384"; + /* * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx */ 
@@ -320,6 +339,10 @@ interface security const int DOMAIN_RID_ENTERPRISE_ADMINS = 519; const int DOMAIN_RID_POLICY_ADMINS = 520; const int DOMAIN_RID_READONLY_DCS = 521; + const int DOMAIN_RID_CLONEABLE_CONTROLLERS = 522; + const int DOMAIN_RID_PROTECTED_USERS = 525; + const int DOMAIN_RID_KEY_ADMINS = 526; + const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS = 527; const int DOMAIN_RID_RAS_SERVERS = 553; const int DOMAIN_RID_RODC_ALLOW = 571; const int DOMAIN_RID_RODC_DENY = 572; @@ -344,9 +367,16 @@ interface security const int BUILTIN_RID_AUTH_ACCESS = 560; const int BUILTIN_RID_TS_LICENSE_SERVERS = 561; const int BUILTIN_RID_DISTRIBUTED_COM_USERS = 562; + const int BUILTIN_RID_IUSERS = 568; const int BUILTIN_RID_CRYPTO_OPERATORS = 569; const int BUILTIN_RID_EVENT_LOG_READERS = 573; const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS = 574; + const int BUILTIN_RID_RDS_REMOTE_ACCESS_SERVERS = 575; + const int BUILTIN_RID_RDS_ENDPOINT_SERVERS = 576; + const int BUILTIN_RID_RDS_MANAGEMENT_SERVERS = 577; + const int BUILTIN_RID_HYPER_V_ADMINS = 578; + const int BUILTIN_RID_ACCESS_CONTROL_ASSISTANCE_OPS = 579; + const int BUILTIN_RID_REMOTE_MANAGEMENT_USERS = 580; /******************************************************************** This is a list of privileges reported by a WIndows 2008 R2 DC diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py index 09983481992..ac4c7e3273d 100644 --- a/python/samba/descriptor.py +++ b/python/samba/descriptor.py @@ -65,7 +65,7 @@ def get_config_descriptor(domain_sid, name_map={}): "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \ "S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)" \ "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)" return sddl2binary(sddl, domain_sid, name_map) 
@@ -92,7 +92,7 @@ def get_config_partitions_descriptor(domain_sid, name_map={}): def get_config_sites_descriptor(domain_sid, name_map={}): sddl = "D:" \ "(A;;RPLCLORC;;;AU)" \ - "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)" \ + "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;RO)" \ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ "S:" \ @@ -147,7 +147,7 @@ def get_domain_descriptor(domain_sid, name_map={}): "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ @@ -158,7 +158,7 @@ def get_domain_descriptor(domain_sid, name_map={}): "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ + "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)" \ "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ 
@@ -211,7 +211,7 @@ def get_domain_builtin_descriptor(domain_sid, name_map={}): "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ @@ -222,7 +222,7 @@ def get_domain_builtin_descriptor(domain_sid, name_map={}): "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ + "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)" \ "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ 
@@ -335,7 +335,7 @@ def get_dns_partition_descriptor(domain_sid, name_map={}): "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ @@ -345,7 +345,7 @@ def get_dns_partition_descriptor(domain_sid, name_map={}): "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ + "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)" \ "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ diff --git a/python/samba/schema.py b/python/samba/schema.py index a3adc162fa3..54ed616a557 100644 --- a/python/samba/schema.py +++ b/python/samba/schema.py 
@@ -48,9 +48,9 @@ def get_schema_descriptor(domain_sid, name_map={}): "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ - "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ - "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ER)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;RO)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;RO)" \ "S:(AU;SA;WPCCDCWOWDSDDTSW;;;WD)" \ "(AU;CISA;WP;;;WD)" \ "(AU;SA;CR;;;BA)" \ diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 9c79411d487..4fa9384cba9 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -198,17 +198,19 @@ class KDCBaseTest(RawKerberosTest): admin_creds = self.get_admin_creds() lp = self.get_lp() - rodc_name = 'KRB5RODC' + rodc_name = self.get_new_username() site_name = 'Default-First-Site-Name' - type(self)._rodc_ctx = DCJoinContext(server=self.dc_host, - creds=admin_creds, - lp=lp, - site=site_name, - netbios_name=rodc_name, - targetdir=None, - domain=None) - self.create_rodc(self._rodc_ctx) + rodc_ctx = DCJoinContext(server=self.dc_host, + creds=admin_creds, + lp=lp, + site=site_name, + netbios_name=rodc_name, + targetdir=None, + domain=None) + self.create_rodc(rodc_ctx) + + type(self)._rodc_ctx = rodc_ctx return self._rodc_ctx diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 69c52b25761..bb3b7280515 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py 
@@ -2756,11 +2756,11 @@ class RawKerberosTest(TestCaseInTempDir): expect_pac_attrs_pac_request = kdc_exchange_dict[ 'pac_request'] - if expect_pac_attrs is None: - if self.expect_extra_pac_buffers: - expect_pac_attrs = expect_extra_pac_buffers - else: - require_strict.add(krb5pac.PAC_TYPE_ATTRIBUTES_INFO) + if expect_pac_attrs is None: + if self.expect_extra_pac_buffers: + expect_pac_attrs = expect_extra_pac_buffers + else: + require_strict.add(krb5pac.PAC_TYPE_ATTRIBUTES_INFO) if expect_pac_attrs: expected_types.append(krb5pac.PAC_TYPE_ATTRIBUTES_INFO) diff --git a/python/samba/tests/sid_strings.py b/python/samba/tests/sid_strings.py new file mode 100644 index 00000000000..ece35c12bfc --- /dev/null +++ b/python/samba/tests/sid_strings.py 
@@ -0,0 +1,235 @@ +# Unix SMB/CIFS implementation. +# Copyright (C) Catalyst.NET Ltd 2022 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import os +import random +import string +import sys +import time + +import ldb + +from samba import param + +from samba.auth import system_session +from samba.credentials import Credentials +from samba.dcerpc import security +from samba.ndr import ndr_unpack +from samba.samdb import SamDB +from samba.tests import ( + DynamicTestCase, + TestCase, + delete_force, + env_get_var_value, +) + +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' + + +@DynamicTestCase +class SidStringTests(TestCase): + @classmethod + def setUpDynamicTestCases(cls): + if env_get_var_value('CHECK_ALL_COMBINATIONS', + allow_missing=True): + for x in string.ascii_uppercase: + for y in string.ascii_uppercase: + code = x + y + if code not in cls.cases: + cls.cases[code] = None + + for code, expected_sid in cls.cases.items(): + name = code + + cls.generate_dynamic_test('test_sid_string', name, + code, expected_sid) + + @classmethod + def setUpClass(cls): + super().setUpClass() + + server = os.environ['DC_SERVER'] + host = f'ldap://{server}' + + lp = param.LoadParm() + lp.load(os.environ['SMB_CONF_PATH']) + + creds = Credentials() + creds.guess(lp) + creds.set_username(env_get_var_value('DC_USERNAME')) + 
creds.set_password(env_get_var_value('DC_PASSWORD')) + + cls.ldb = SamDB(host, credentials=creds, + session_info=system_session(lp), lp=lp) + cls.base_dn = cls.ldb.domain_dn() + cls.schema_dn = cls.ldb.get_schema_basedn().get_linearized() + + def _test_sid_string_with_args(self, code, expected_sid): + random_suffix = random.randint(0, 100000) + timestamp = time.strftime('%s', time.gmtime()) + + class_name = f'my-Sid-String-Class{timestamp}{random_suffix}' + class_ldap_display_name = class_name.replace('-', '') + + class_dn = f'CN={class_name},{self.schema_dn}' + + ldif = f''' +dn: {class_dn} +objectClass: classSchema +cn: {class_name} +governsId: 1.3.6.1.4.1.7165.4.6.2.6.3.{random_suffix} +subClassOf: top +possSuperiors: domainDNS +defaultSecurityDescriptor: O:{code} +''' + try: + self.ldb.add_ldif(ldif) + except ldb.LdbError as err: + num, _ = err.args + self.assertEqual(num, ldb.ERR_UNWILLING_TO_PERFORM) + self.assertIsNone(expected_sid) + return + + # Search for created objectclass + res = self.ldb.search(class_dn, scope=ldb.SCOPE_BASE, + attrs=['defaultSecurityDescriptor']) + self.assertEqual(1, len(res)) + self.assertEqual(res[0].get('defaultSecurityDescriptor', idx=0), + f'O:{code}'.encode('utf-8')) + + ldif = ''' +dn: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +''' + self.ldb.modify_ldif(ldif) + + object_name = f'sddl_{timestamp}_{random_suffix}' + object_dn = f'CN={object_name},{self.base_dn}' + + ldif = f''' +dn: {object_dn} +objectClass: {class_ldap_display_name} +cn: {object_name} +''' + self.ldb.add_ldif(ldif) + + # Search for created object + res = self.ldb.search(object_dn, scope=ldb.SCOPE_BASE, + attrs=['nTSecurityDescriptor']) + self.assertEqual(1, len(res)) + + # Delete the object + delete_force(self.ldb, object_dn) + + data = res[0].get('nTSecurityDescriptor', idx=0) + descriptor = ndr_unpack(security.descriptor, data) + + domain_sid = self.ldb.get_domain_sid() + + if expected_sid is None: + expected_sid = 
f'{domain_sid}-{security.DOMAIN_RID_ADMINS}' + else: + expected_sid = expected_sid.format(domain_sid=domain_sid) + + owner_sid = str(descriptor.owner_sid) + + self.assertEqual(expected_sid, owner_sid) + + cases = { + 'AA': 'S-1-5-32-579', + 'AC': 'S-1-15-2-1', + 'AN': 'S-1-5-7', + 'AO': 'S-1-5-32-548', + 'AP': '{domain_sid}-525', + 'AS': 'S-1-18-1', + 'AU': 'S-1-5-11', + 'BA': 'S-1-5-32-544', + 'BG': 'S-1-5-32-546', + 'BO': 'S-1-5-32-551', + 'BU': 'S-1-5-32-545', + 'CA': '{domain_sid}-517', + 'CD': 'S-1-5-32-574', + 'CG': 'S-1-3-1', + 'CN': '{domain_sid}-522', + 'CO': 'S-1-3-0', + 'CY': 'S-1-5-32-569', + 'DC': '{domain_sid}-515', + 'DD': '{domain_sid}-516', + 'DG': '{domain_sid}-514', + 'DU': '{domain_sid}-513', + 'EA': '{domain_sid}-519', + 'ED': 'S-1-5-9', + 'EK': '{domain_sid}-527', + 'ER': 'S-1-5-32-573', + 'ES': 'S-1-5-32-576', + 'HA': 'S-1-5-32-578', + 'HI': 'S-1-16-12288', + 'IS': 'S-1-5-32-568', + 'IU': 'S-1-5-4', + 'KA': '{domain_sid}-526', + 'LA': '{domain_sid}-500', + 'LG': '{domain_sid}-501', + 'LS': 'S-1-5-19', + 'LU': 'S-1-5-32-559', + 'LW': 'S-1-16-4096', + 'ME': 'S-1-16-8192', + 'MP': 'S-1-16-8448', + 'MS': 'S-1-5-32-577', + 'MU': 'S-1-5-32-558', + 'NO': 'S-1-5-32-556', + 'NS': 'S-1-5-20', -- Samba Shared Repository
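Review bot: the libcli/security/sddl.c table hunks silently change the principal that three already-accepted codes resolve to: "ER" moves from DOMAIN_RID_ENTERPRISE_READONLY_DCS to SID_BUILTIN_EVENT_LOG_READERS, "RO" from DOMAIN_RID_READONLY_DCS to DOMAIN_RID_ENTERPRISE_READONLY_DCS, and "IS" from SID_NT_IUSR to SID_BUILTIN_IUSERS. The removed Samba-only codes ("BR", "IF", "LK") at least fail to parse, but an SDDL string from an external script or provisioning template that used "ER" or "RO" still parses and now grants rights to a different group. This needs a release note listing the six affected codes and the literal-SID form to use instead (as the descriptor.py hunks do with S-1-5-32-557), and the body of commit 1137ebc654e, which is empty apart from its subject, would be the natural place to record which codes were dropped and why.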
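Review bot: in the librpc/idl/security.idl hunk the name SID_SECURITY_RESTRICTED_CODE for "S-1-5-33" invites confusion with the well-known restricted-code SID S-1-5-12; Windows calls S-1-5-33 the write-restricted code SID, and the SDDL code the sddl.c hunk pairs it with is "WR". Suggest SID_SECURITY_WRITE_RESTRICTED_CODE, or at least a comment on the constant. Separately, the constant is placed directly under the SID_BUILTIN_* block although it is not a BUILTIN (S-1-5-32-*) SID; moving it next to the other S-1-5-<n> well-known SIDs keeps the grouping consistent.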
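Review bot: the three python/samba/descriptor.py hunks that replace ";;IF)" with ";;S-1-5-32-557)" leave a bare numeric SID in the middle of a long ACE string with nothing saying which group it is. Since the removed sddl.c table row shows the IDL constant SID_BUILTIN_INCOMING_FOREST_TRUST for that value, either format the constant into the string or add a short comment naming the group, so the next person editing these descriptors does not have to look it up.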
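Review bot: in the python/samba/tests/krb5/kdc_base_test.py hunk the value of self.get_new_username() is passed as netbios_name; NetBIOS names are limited to 15 characters, so please confirm the generated names fit (or truncate/derive a dedicated DC name), otherwise the join will fail for reasons unrelated to what the test exercises. Assigning _rodc_ctx only after create_rodc() succeeds is the right fix for the stale-context problem described in the commit message.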
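Review bot: in the new python/samba/tests/sid_strings.py, time.strftime('%s', time.gmtime()) relies on the glibc-only %s directive and, applied to a gmtime() tuple, is interpreted as local time; int(time.time()) is portable and serves the same uniqueness purpose. More importantly, every test case adds a classSchema object (governsId 1.3.6.1.4.1.7165.4.6.2.6.3.{random_suffix}, with random_suffix drawn from 0..100000) that is never removed: only the instance is cleaned up via delete_force, and with CHECK_ALL_COMBINATIONS that is 676 extra classes per run. A collision on the governsId or class name with a class left behind by an earlier run would surface as a different LdbError, which the except branch then reports as a failed assertEqual on ERR_UNWILLING_TO_PERFORM rather than as what it is. Consider a wider or uuid-based suffix, and a comment explaining why the expected_sid-is-None case accepts either an unwilling-to-perform error or an owner of Domain Admins.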
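The SDDL abbreviation changes above matter to anyone carrying SDDL strings outside the Samba tree (provisioning scripts, GPO templates, `samba-tool` input), because a code such as "ER" keeps parsing but now names a different group. As an added example, not Samba's code and not the test the patch adds, the following Python resolves an SDDL trustee the way the patched sddl.c table does and audits a whole descriptor string for codes whose meaning the patch changed or removed. It carries the full Windows abbreviation table (the page shows only the rows Samba changed), the domain SID and the sample descriptor are constructed for the example, and the old value of "IS" (S-1-5-17 for SID_NT_IUSR) is taken from Samba's security.idl rather than from this page, so treat that one entry as an assumption.

```python
"""Audit SDDL strings for SID abbreviations whose meaning changed.

Added example, not Samba code. The table below is the Windows SDDL SID-string
table that the patched libcli/security/sddl.c now follows; bare ints are RIDs
relative to the domain SID, strings are absolute SIDs.
"""
import re

DOMAIN_SID = "S-1-5-21-1234567890-987654321-111111111"  # constructed sample

WINDOWS_CODES = {
    "AA": "S-1-5-32-579", "AC": "S-1-15-2-1", "AN": "S-1-5-7",
    "AO": "S-1-5-32-548", "AP": 525, "AS": "S-1-18-1", "AU": "S-1-5-11",
    "BA": "S-1-5-32-544", "BG": "S-1-5-32-546", "BO": "S-1-5-32-551",
    "BU": "S-1-5-32-545", "CA": 517, "CD": "S-1-5-32-574", "CG": "S-1-3-1",
    "CN": 522, "CO": "S-1-3-0", "CY": "S-1-5-32-569", "DA": 512, "DC": 515,
    "DD": 516, "DG": 514, "DU": 513, "EA": 519, "ED": "S-1-5-9", "EK": 527,
    "ER": "S-1-5-32-573", "ES": "S-1-5-32-576", "HA": "S-1-5-32-578",
    "HI": "S-1-16-12288", "IS": "S-1-5-32-568", "IU": "S-1-5-4", "KA": 526,
    "LA": 500, "LG": 501, "LS": "S-1-5-19", "LU": "S-1-5-32-559",
    "LW": "S-1-16-4096", "ME": "S-1-16-8192", "MP": "S-1-16-8448",
    "MS": "S-1-5-32-577", "MU": "S-1-5-32-558", "NO": "S-1-5-32-556",
    "NS": "S-1-5-20", "NU": "S-1-5-2", "OW": "S-1-3-4", "PA": 520,
    "PO": "S-1-5-32-550", "PS": "S-1-5-10", "PU": "S-1-5-32-547",
    "RA": "S-1-5-32-575", "RC": "S-1-5-12", "RD": "S-1-5-32-555",
    "RE": "S-1-5-32-552", "RM": "S-1-5-32-580", "RO": 498, "RS": 553,
    "RU": "S-1-5-32-554", "SA": 518, "SI": "S-1-16-16384",
    "SO": "S-1-5-32-549", "SS": "S-1-18-2", "SU": "S-1-5-6", "SY": "S-1-5-18",
    "UD": "S-1-5-84-0-0-0-0-0", "WD": "S-1-1-0", "WR": "S-1-5-33",
}

# What these codes meant in Samba before the patch (old sddl.c rows).
# "IS" mapped to SID_NT_IUSR; S-1-5-17 is its value in security.idl,
# which the page does not show (assumption).
SAMBA_OLD_MEANING = {"ER": 498, "RO": 521, "IS": "S-1-5-17"}
# Samba-only codes the patch deleted; Windows has no abbreviation for them.
SAMBA_REMOVED = {"BR": "S-1-5-32-553", "IF": "S-1-5-32-557", "LK": 502}

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
ACE_RE = re.compile(r"\(([^)]*)\)")


def resolve(code, domain_sid, table=WINDOWS_CODES):
    """Turn an SDDL trustee (two-letter code or literal SID) into a SID string."""
    if SID_RE.match(code):
        return code
    if code not in table:
        raise ValueError(f"unknown SDDL SID string {code!r}")
    value = table[code]
    return f"{domain_sid}-{value}" if isinstance(value, int) else value


def trustees(sddl):
    """Yield (location, trustee) for the owner, group and every ACE in sddl.

    Section markers O:/G:/D:/S: never occur inside an ACE, whose fields are
    ';'-separated, so splitting on them is safe.
    """
    out = []
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if not part:
            continue
        kind, body = part[0], part[2:]
        if kind in "OG":
            out.append(("owner" if kind == "O" else "group", body))
            continue
        acl = "dacl" if kind == "D" else "sacl"
        for i, ace in enumerate(ACE_RE.findall(body)):  # skips P/AI/AR flags
            fields = ace.split(";")
            if len(fields) < 6:
                raise ValueError(f"malformed ACE {ace!r}")
            out.append((f"{acl}[{i}]", fields[5]))
    return out


def audit(sddl, domain_sid):
    """Report trustees whose code the patch changed or removed, with the SID
    they resolved to before and resolve to after. Unknown codes raise."""
    findings = []
    for where, code in trustees(sddl):
        if code in SAMBA_REMOVED:
            before = resolve(code, domain_sid, SAMBA_REMOVED)
            findings.append({"where": where, "code": code, "status": "removed",
                             "before": before, "after": None,
                             "fix": f"write {before} literally"})
        elif code in SAMBA_OLD_MEANING:
            before = resolve(code, domain_sid, SAMBA_OLD_MEANING)
            findings.append({"where": where, "code": code, "status": "changed",
                             "before": before, "after": resolve(code, domain_sid),
                             "fix": f"write {before} literally if that principal was intended"})
        else:
            resolve(code, domain_sid)  # raises for codes no table ever had
    return findings


# Constructed sample: a pre-patch Samba-style descriptor using "ER" and "IF".
SAMPLE_SDDL = ("O:DAG:DAD:(A;;RPLCLORC;;;AU)"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)"
               "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)"
               "S:(AU;SA;CR;;;BA)")

if __name__ == "__main__":
    for finding in audit(SAMPLE_SDDL, DOMAIN_SID):
        print(finding)
```

Run against the sample, the audit reports that the "ER" ACE used to grant the control-access right to Enterprise Read-only Domain Controllers (RID 498) and would now grant it to BUILTIN\Event Log Readers, and that the "IF" ACE no longer parses and must be written as S-1-5-32-557, which is exactly the substitution the descriptor.py hunks make.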