From 735605a6b0ad3ed98d46d1df920e64879a8c69cc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 10 Dec 2014 14:15:54 +1300 Subject: dsdb: Improve userAccountControl handling We now always check the ACL and invarient rules using the same function The change to libds is because UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type This list should only be of the account exclusive account type bits. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Pair-programmed-with: Garming Sam Signed-off-by: Garming Sam Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- source4/dsdb/tests/python/user_account_control.py | 24 +++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) (limited to 'source4/dsdb/tests/python/user_account_control.py') diff --git a/source4/dsdb/tests/python/user_account_control.py b/source4/dsdb/tests/python/user_account_control.py index 00501bbc337..69108835096 100644 --- a/source4/dsdb/tests/python/user_account_control.py +++ b/source4/dsdb/tests/python/user_account_control.py @@ -317,6 +317,16 @@ class UserAccountControlTests(samba.tests.TestCase): self.assertEqual(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD) + m = ldb.Message() + m.dn = res[0].dn + m["userAccountControl"] = ldb.MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT|UF_TRUSTED_FOR_DELEGATION), + ldb.FLAG_MOD_REPLACE, "userAccountControl") + try: + self.admin_samdb.modify(m) + self.fail("Unexpectedly able to set userAccountControl to UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT|UF_TRUSTED_FOR_DELEGATION on %s" % m.dn) + except LdbError, (enum, estr): + self.assertEqual(ldb.ERR_OTHER, enum) + m = ldb.Message() m.dn = res[0].dn m["userAccountControl"] = ldb.MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT), @@ -340,7 +350,7 @@ class UserAccountControlTests(samba.tests.TestCase): scope=SCOPE_SUBTREE, attrs=["userAccountControl"]) - self.assertEqual(int(res[0]["userAccountControl"][0]), UF_WORKSTATION_TRUST_ACCOUNT| UF_ACCOUNTDISABLE) + self.assertEqual(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT| UF_ACCOUNTDISABLE) def test_uac_bits_set(self): @@ -372,10 +382,9 @@ class UserAccountControlTests(samba.tests.TestCase): # These bits really are privileged priv_bits = set([UF_INTERDOMAIN_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT, - UF_TRUSTED_FOR_DELEGATION, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, - UF_PARTIAL_SECRETS_ACCOUNT]) + UF_TRUSTED_FOR_DELEGATION, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION]) - invalid_bits = set([UF_TEMP_DUPLICATE_ACCOUNT]) + invalid_bits = set([UF_TEMP_DUPLICATE_ACCOUNT, UF_PARTIAL_SECRETS_ACCOUNT]) for bit in bits: m = ldb.Message() @@ -420,7 +429,7 @@ class UserAccountControlTests(samba.tests.TestCase): "description") self.samdb.modify(m) - invalid_bits = set([UF_TEMP_DUPLICATE_ACCOUNT]) + invalid_bits = set([UF_TEMP_DUPLICATE_ACCOUNT, UF_PARTIAL_SECRETS_ACCOUNT]) super_priv_bits = set([UF_INTERDOMAIN_TRUST_ACCOUNT]) @@ -483,7 +492,7 @@ class UserAccountControlTests(samba.tests.TestCase): self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod) - invalid_bits = set([UF_TEMP_DUPLICATE_ACCOUNT]) + invalid_bits = set([UF_TEMP_DUPLICATE_ACCOUNT, UF_PARTIAL_SECRETS_ACCOUNT]) # These bits are privileged, but authenticated users have that CAR by default, so this is a pain to test priv_to_auth_users_bits = set([UF_PASSWD_NOTREQD, UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED, @@ -491,8 +500,7 @@ class UserAccountControlTests(samba.tests.TestCase): # These bits really are privileged priv_bits = set([UF_INTERDOMAIN_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT, - UF_TRUSTED_FOR_DELEGATION, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, - UF_PARTIAL_SECRETS_ACCOUNT]) + UF_TRUSTED_FOR_DELEGATION, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION]) for bit in bits: try: -- cgit v1.2.1