path: root/python
Commit message | Author | Age | Files | Lines
* tests/krb5: Add tests for authentication policies
  Author: Joseph Sutton | Age: 2023-05-18 | Files: 3 | Lines: -0/+6591
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow specifying whether PA-DATA types are to be checked
  Author: Joseph Sutton | Age: 2023-05-18 | Files: 2 | Lines: -50/+61
  Not all tests are intended to test that the correct PA-DATA types are returned. This parameter allows us to skip checking for cases where we don’t care.
  View with ‘git show -b’.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow server and workstation accounts to perform a SamLogon
  Author: Joseph Sutton | Age: 2023-05-18 | Files: 1 | Lines: -0/+3
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow specifying machine credentials to _test_samlogon()
  Author: Joseph Sutton | Age: 2023-05-18 | Files: 1 | Lines: -9/+11
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Rename ‘server’ to ‘dc_server’
  Author: Joseph Sutton | Age: 2023-05-18 | Files: 1 | Lines: -3/+3
  This makes it more clear that this is in fact the DC.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data
  Author: Joseph Sutton | Age: 2023-05-18 | Files: 1 | Lines: -24/+81
  Certain clients rely on this behaviour.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Improve edata checking
  Author: Joseph Sutton | Age: 2023-05-18 | Files: 3 | Lines: -24/+71
  Instead of guessing based on a heuristic whether we have KERB_ERROR_DATA or METHOD_DATA in the ‘e-data’ field, decode it first as KERB_ERROR_DATA and fall back to METHOD_DATA if that fails.
  The environment variable EXPECT_NT_STATUS indicates that the KDC supports returning a status code in the e-data field.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove unused import
  Author: Joseph Sutton | Age: 2023-05-18 | Files: 1 | Lines: -1/+0
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool domain: Clean up code
  Author: Joseph Sutton | Age: 2023-05-18 | Files: 2 | Lines: -3/+3
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool domain: Remove unused variables
  Author: Joseph Sutton | Age: 2023-05-18 | Files: 4 | Lines: -33/+24
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool domain: Run in interactive mode if no args are supplied
  Author: Joseph Sutton | Age: 2023-05-16 | Files: 1 | Lines: -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15363
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python:tests: Remove unused variables
  Author: Joseph Sutton | Age: 2023-05-16 | Files: 1 | Lines: -6/+6
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool domain: Remove unnecessary variable
  Author: Joseph Sutton | Age: 2023-05-16 | Files: 1 | Lines: -9/+9
  It is conciser to use ‘r’ to refer to update_forest_info.entries[i].
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool domain: Use result of setup_local_server() instead of object field
  Author: Joseph Sutton | Age: 2023-05-16 | Files: 1 | Lines: -4/+4
  The code is clearer if we consistently refer to the same variables.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* pyglue: use Py_ssize_t in random data generation functions
  Author: Dmitry Antipov | Age: 2023-05-16 | Files: 1 | Lines: -21/+22
  Prefer 'Py_ssize_t' over 'int' in random data generation functions to match both Python and (internally used through the library layer) GnuTLS APIs, and use PyUnicode_FromStringAndSize() where the data size is known.
  Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  [abartlet@samba.org Fixed comments to correctly match the new check for just negative numbers]
* samba-tool domain join: Allow "ad dc functional level" to change which
  Author: Andrew Bartlett | Age: 2023-05-16 | Files: 1 | Lines: -2/+7
  level we claim to be during an AD join
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* samba-tool domain provision: Use "ad dc functional level" to control max functional level
  Author: Joseph Sutton | Age: 2023-05-16 | Files: 2 | Lines: -5/+7
  This allows the DC to self-declare a higher level and so allow a 2016 domain to be created, for testing and controlled implementation purposes.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* python: Add function to get the functional level as a python integer from smb.conf
  Author: Andrew Bartlett | Age: 2023-05-16 | Files: 1 | Lines: -0/+21
  The lp.get() returns the normalised string from the enum handler
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* samba-tool domain provision: Use common functional_level.string_to_level()
  Author: Andrew Bartlett | Age: 2023-05-16 | Files: 1 | Lines: -8/+5
  This is instead of manually parsing the functional level strings.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* python: Move helper functions for functional levels into a new file
  Author: Andrew Bartlett | Age: 2023-05-16 | Files: 5 | Lines: -55/+78
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* gp: get_gpo() should re-raise the Exception, not return
  Author: David Mulder | Age: 2023-05-09 | Files: 1 | Lines: -1/+1
  If we return from this failure, then `new_gpo` is set to `None` and we will fail in some obscure way within a CSE later (since we append `None` to the GPO list). Instead, re-raise the Exception so we see that an error happened when fetching the GPO.
  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Improve _test_samr_change_password() method
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 2 | Lines: -17/+116
  Instead of using anonymous credentials, we now connect using the passed-in credentials. We now correctly construct nt_password and nt_verifier so as to successfully change the password, instead of having to distinguish between a WRONG_PASSWORD error and an error caused by the password change being disallowed.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Don’t delete silo until all tests have finished
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -2/+2
  It’s possible that we reuse the same silo across multiple tests. In that case, we should not delete it until we are sure we have finished with it.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Add remove_attribute() helper function
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -0/+8
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Have set_forced_key() also set the NT hash
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -1/+9
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Make _tgs_req() more configurable
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -8/+19
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Make use of check_tgs_reply()
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -1/+1
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow specifying an encoded security descriptor
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -3/+4
  If we get a string, we’ll still assume it’s a DN and create a security descriptor using it.
  This is useful in cases where we don’t have a DN (e.g., the account is not created yet).
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Rename ‘objectclass’ to use correct case
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -1/+1
  This means that tests can now specify values for ‘objectClass’ in additional_details which override the default value.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Rename ‘auth_silo’ to ‘authn_silo’
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 2 | Lines: -16/+16
  Make it clear that this relates to authentication, not authorization.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Create account cache key only if needed
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -2/+1
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Delete non-reusable accounts as soon as possible
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -6/+21
  This helps to mitigate Samba’s slow account deletion.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Refactor _test_samlogon()
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -21/+24
  Move logic specific to the Network logon into that branch, so it’s easier to see what’s going on.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python/samba: Fix invalid escape sequence
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -1/+1
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow setting a servicePrincipalName on a user account
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -1/+0
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Fix parameter default
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -1/+1
  Now that add_dollar is honoured for all account types, we don’t want to pass add_dollar=True for user accounts.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove unused parameter
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -1/+0
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Test that the salt for a managed service account is computed correctly
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -0/+142
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow creating managed service accounts
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -0/+8
  These will be useful for testing authentication policies.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Always heed the add_dollar parameter
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -3/+6
  Not just if the account to be created is a computer. This allows us to create other types of accounts with a trailing dollar.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove unused import
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -1/+0
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove unneeded assertions
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -5/+5
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow creating an account with an assigned policy or silo
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -1/+11
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Add method to create an authentication policy
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -0/+103
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Generify protected users test methods
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 3 | Lines: -49/+56
  We can reuse them to test accounts restricted authentication in some form or another.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Handle NT hashes being disabled
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 7 | Lines: -34/+65
  If NT hashes are disabled, we should not expect the RC4 enctype to be available for non-computer accounts.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Pass client credentials down into kdc_exchange_dict
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 12 | Lines: -160/+198
  These are useful inside the test infrastructure.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove test for OemChangePasswordUser2()
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 1 | Lines: -20/+1
  We don’t implement this anymore (since commit 0f53bfe7230c5e76f7ceb8baf98a9ef38a35356f).
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Split out functions for testing logons and password changes
  Author: Joseph Sutton | Age: 2023-05-05 | Files: 2 | Lines: -103/+102
  This allows their use for testing other forms of restricted accounts.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python:descriptor: add missing schema 2019 aces in builtin and dns partition
  Author: Stefan Metzmacher | Age: 2023-05-05 | Files: 1 | Lines: -0/+8
  Note 'samba-tool domain functionalprep' won't fix them in the database, while a fresh provision will add these.
  This is needed in order that 'samba-tool dbcheck --reset-well-known-acls' won't reset them after a modern provision and will fix them on an old domain.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>