bÈ`ddlZddlZddlZddlZddlmZddlmZddlZddl m Z ddl m Z m Z ddlmZddlmZmZddlmZmZdd lmZddlmZddlZdd lmZmZmZdd lm Z m!Z!d Z"hd Z#dZ$dZ%dZ&ej'Z(ej)Z*ej+Z,ej-Z.ej/Z0ej1Z2ej3Z4 e5n#e6$rdZ5YnwxYwdZ7e7d dZ8d dZ9 d!dZ:GddeZ;eGdde;ZdZ?e?dS)"N)SamDB)system_session)SDUtils)DONT_USE_KERBEROS Credentials) FEATURE_SEAL)SubunitOptions TestProgram)TestCaseldb_err)DynamicTestCase)c_REDc_GREEN c_DARK_YELLOW)UF_SERVER_TRUST_ACCOUNTUF_TRUSTED_FOR_DELEGATIONz$f3a64788-5306-11d1-a9c5-0000f80367c1>dn dNSHostNamesAMAccountNameservicePrincipalNameTFreportc6ddl}|dS)Nr)pdb set_trace)rs 6/usr/lib/python3/dist-packages/samba/tests/ldap_spn.py breakpointrAs  ctjd}tj|}||tj|}||t |a|t|dddtj |dd| \}}t|d kr(|tjd |a|t"a|d at&a|ja|jadS) Nz&python3 ldap_spn.py [options]z--colour store_truezuse colour text)actionhelpdefaultz--filterz"only run tests matching this regex)r!r)optparse OptionParseroptions SambaOptionsadd_option_groupCredentialsOptionsr subunitopts add_optionsysstdoutisatty parse_argslen print_usageexit get_loadparmLPget_credentialsCREDSSERVER get_realmREALMcolour COLOUR_TEXTfilterFILTER)parser sambaoptscredoptsoptsargss rinitrCFsf  "022F$V,,I I&&&)&11H H%%% ((K K((( j,!j//11333 j'KLLL""$$JD$ 4yyA~~     ! !B  $ $R ( (E !WF OO  E+K [FFFrcts|S|dkrt|S|dkrt|St|S)Nerrorpass)r;rrr)xstates r colour_textrIlsH  Qxx qzz   rcv|t}t}nd}tdtt||S)Nzldap://)urllp session_info credentials)r6rrr7r4)credssessions r get_samdbrQwsI } "" 'v''%" $ $ $$r samba123@cPt}|||||t|t|t | t tz| td|d|}|ddd}|||||rMt#|}||} |D]&} dt&d| d} || | 't+| } | S) NCN=,r#r)userouz (OA;CI;WP;z;;))rO)r set_username set_password set_domainr6 get_domain set_realmr8set_workstationget_workstationset_gensec_featuresget_gensec_featuresrset_kerberos_statersplitnewuserrget_object_sidSPN_GUID dacl_add_acerQ) samdbouusernamewriteable_objectspasswordrOdnstrshort_ousd_utilssidobjmod unpriv_samdbs radd_unpriv_userrss MME x    x    U%%''((( OOEOO%%&&& %//11222 e7799LHIII ./// !( ! !R ! !ExxQ"H MM(HXM666,5>>%%e,,$ , ,C555c555C  ! !#s + + + +5)))L rcLeZdZdZedZdZdZdZdZ dZ dZ d S) LdapSpnTestBaseFct|ddrdS|jD]T^}}trtjt|s&tjdd|}|d|||UdS)N _disabledFz\W+_test_spn)getattrcasesr=researchsubgenerate_dynamic_test)clsdocrowsnames rsetUpDynamicTestCasesz%LdapSpnTestBase.setUpDynamicTestCasess 3 U + +  F) C CJC$ y--6&#s++D  % %j$c B B B B  C Crctd|D}|D]>}d|vr|dd\}}nd}t|d||?dS)Nc3&K|] }|dV dS)rN.0rs r z0LdapSpnTestBase.setup_objects..s&))qad))))))r:r#dcadd_)setrbrz)selfrobjectsrobjtypes r setup_objectszLdapSpnTestBase.setup_objectss))D))))) 2 2Dd{{ $ 3 2 2  +GD*** + +D 1 1 1 1  2 2rc@dji_td|D}|D]r}|dkr |dkrd}d}n:d|ddz}fd|dD}t jj||j|<sdS) N*c3&K|] }|dV dS)Nrrs rrz.LdapSpnTestBase.setup_users..s&--1!A$------rnobodywrites_rUrxc6g|]}j|dS)r)r)rrGrs r z/LdapSpnTestBase.setup_users..s$$N$N$NAT\!_Q%7$N$N$Nr)rguserdbsrreplacerbrsrh)rr permissionspuserrjs` r setup_userszLdapSpnTestBase.setup_userss   -------  A AACxxBww$(!! 199S##6#66$N$N$N$N$N$N$N!-dj$'4.?AADLOO A Arcx t|}t|d}t|d}tr^tjt dt dd|dtjt|_ |j |_ | ddddd |_i|_d |jd |j |_||j j|jd g|j |j||||t-|D]\}}t/|d kr |\}} } } } n|\}} } } t0j} |j| } d|vr|dd\}}nd}|j|\}}d|i}t9| t:r|| n| |d<t?| }|!tDstGd|tDz ddD]}t9|$|tJr(||&dtN||<Rt9|$|tPrd||D||<t0j)*| || }| tVur | ,|nF#t0j-$r4}t d|dzd|dt]|dYd}~ d}~wwxYw|/d|dzd| dtaj1|d|d|d|d T| tdur | ,|u#t0j-$rW}|/d|dzd |d!t]|d"| dtaj1|d|d|Yd}~d}~wwxYw| tfur |j ,|t d|dzd|d#td$dd"taj1|d| E#t0j-$r\}t d|dzd|d#td%dd&t]|d"taj1|d| Yd}~d}~wwxYw| thurl ti| ,|#t0j-$r4}t d|dzd|d't]|dYd}~ d}~wwxYw | ,|n#t0j-$r}}|j5d(| krYd}~e|/d|dzd|d)t]| d*t]|d"| dtaj1|d|d|Yd}~nd}~wwxYw|/d|dzd|d)t]| d"| dtaj1|d|d|dS)+NrErF z ##########u starting «u» .r#?zOU=rUz tree_delete:1rrrrzunexpected attr z. Casefold typo?)rrx.dnsnamecJg|] }|dt!S)rr)formatr9)rrGs rrz7LdapSpnTestBase._test_spn_with_args..s,IIIqAHH\%\\H::IIIrzrow z of 'z' failed as expected with z:  z on z should fail (rWz of z failed with z: z' SUCCEEDEDFAILEDz with z' FAILED with rz' should have failed with z: not )6rIr;r,stderrflushprintrr-rQrgget_default_basednbase_dnidrsplitshort_idrrh addCleanupdelete create_ourr enumerater0ldbFLAG_MOD_REPLACErrb isinstancedictupdaterkeysissubsetRELEVANT_ATTRS ValueErrorgetstrrr9listMessage from_dictbadmodifyLdbErrorr failpprintpformatokrrrB)rrrcdocedocpdocirowrpdatarightsexpectedoprgrrrmrkmsges r_test_spn_with_argsz#LdapSpnTestBase._test_spn_with_argss2 33((3''   J      $ h//1It1I1I1I J J J J     [[ z4466  ((a003CRC8  :::4<::  )47_4EFFF TW%%% 4    ooV NV NFAs3xx1}}25/T68RR.1+T68)L(Eczz"yya00 ,s+KBr A$%% 1,0()qvvxx==D==00 3 "2D>4I"2"2"2333= J JaeeAhh,,JQ4;;|E||;<>WWY),Y$AY$$Y)cBd|d|j}|dt}|j|dt t tz||d| |j |||f|j |<dS)NrTz,OU=Domain Controllers,rcomputer)r objectclassuserAccountControl dnsHostName carLicense) rr9lowerrgaddrrrrr remove_objectrrrrrs radd_dczLdapSpnTestBase.add_dcFs >4 > > > >##E##))++ %"%&=&?'@#A#A"''))       *D111 '] Trcd|d|j}|j|||d|d||j||df|j|<dS)NrTrUr)rrsamAccountNamerr)rhrgrrrrr)rrrs radd_userzLdapSpnTestBase.add_userTs #4 # #$' # # "!''))       *D111 $Z Trct|j|\}}|j|dSN)rpoprgrrs rrzLdapSpnTestBase.remove_object`s7l&&t,, G "rN) __name__ __module__ __qualname__rw classmethodrrrrrrrrrrrurusICC[C222AAABkNkNkNZ + + + ( ( (rruc V eZdZdZgddddeffddddeffddddeffd dddefdd deffd dddefdd deffd dddefdd deffd dddefdd deeffddddefdd deeffddddefdd deeffddddefdddeeffddddefdddeeffddddefdddeeffddddefdddeffddddefdddeffddddefdddefdddeffddddefdddefdddeffddddefdddefdddeffd dddefdddefddd!effd"dddefddd#efddd#effd$dddefdddefdddeffd%dddefdd&defdddeffd'dddefdd&defddd#effd(dddefdd&defdddeffd)dddefdddeffd*dddefdddeffd+dddefdddeeffd,dddefdddeeffd-dddefdddeeffd.dddefdddeeffd/d0ddefdddeffd1d0ddefdddeffd2d0ddefddd3effd4d0ddefd5d&deffd6d0ddefd5d&deffd7d0ddefd5d&d8effd9d0ddefd5d&deffd:dddefddd#effd;dddefd5ddeffddd?defdd@deffdAdd?defdd@deffdBdd?defdd@deffdCddDdefddEdeffdFd0dEdefd5dDdeffdGddHdIidefddJdefddJdefddHdKidefddJdefddLdeffdMddHdNidefddOdefddOdefddHdPidefddOdefddQdefddRdeffdSddIdefddTdefddUdefddVdefd0dWdeffgdXddYdefddZdefdd[defdd\defdd]defdd^deefdd_deefdd`defddadefddbdefddcdefddddeefddedeefddfdefddgdefddhdefddidefddjdefddkdefddldefddmdefd0dndefd0dodefddodefddpdefddqdefddrdefddsdefddtdefddudefddvdefddwdeefddxdefddydefddydefddzdefdd{defdd|deefdd}deefdd~defdddefdddefdddefdddefdddefdddefdddefdddefdddefRddddefdddefdddefdddeffddddefddHdKidefdddefdddefdddeffddddefdddeffddddefdddeffddddefdddeffddddefddHdKidefdddefdddefdddeffdddHdIidefdddefddHdKidefdddefdddefdddeffZ dS) LdapSpnTestuMake sure we can't add clashing servicePrincipalNames. This would be possible using sPNMappings aliases — for example, if the mapping maps host/ to cifs/, we should not be able to add different addresses for each. zadd one as adminAhost/{dnsname}rzadd one as rightful userzattempt to add one as nobodyrzadd and replace as adminzhost/x.{dnsname}zreplace as rightful userz attempt to replace one as nobodyzadd second as adminzadd second as rightful userzattempt to add second as nobodyz.add the same one twice, simple duplicate errorz)simple duplicate attributes, as non-adminz+add the same one twice, identical duplicatez%add a conflict, host first, as nobodyhost/z.{dnsname}Bcifs/z.{dnsname}z(add a conflict, service first, as nobodycifs/{dnsname}z(three way conflict, host first, as adminCwww/z.{dnsname}z6three way conflict, host first, with sufficient rightszB,AC,Az0three way conflict, host first, adding duplicatez=three way conflict, host first, adding duplicate, full rightszC,B,Az7three way conflict, host first, with other write rightsA,Bz)three way conflict, host first, as nobodyz,three way conflict, services first, as admin www/{dnsname}z=three way conflict, services first, with service write rightsz,three way conflict, service first, as nobodyzreplace host before specificz&replace host after specific, as nobodyz!non-conflict host before specificz non-conflict host after specificz,non-conflict host before specific, non-adminz+non-conflict host after specific, as nobodyz,add a conflict, host first on user, as adminuser:Cz/add a conflict, host first on user, host rightsz/add a conflict, host first on user, both rightsB,Cz'add a conflict, host first both on useruser:Dz4add a conflict, host first both on user, host rightsz4add a conflict, host first both on user, both rightszC,Dz2add a conflict, host first both on user, as nobodyz2add a conflict, host first, with both write rightsz4add a conflict, host first, second on user, as adminz7add a conflict, host first, second on user, with rightszA,Dznonsense SPNs, part 1, as adminza-b-c/{dnsname}zrrrrrrrrrrrrr /{dnsname}znonsense SPNs, part 1, as userz nonsense SPNs, part 1, as nobodyzadd a conflict, using portz dns/{dnsname}zdns/{dnsname}:53z&add a conflict, using port, port firstzthree part spnsr {dnsname}'cifs/{dnsname}/DomainDNSZones.{dnsname} y.{dnsname})cifs/y.{dnsname}/DomainDNSZones.{dnsname}zthree part nonsense spnsbeanzcifs/bean/DomainDNSZones.beanzy.beanzcifs/y.bean/DomainDNSZones.beanzhost/bean/beanzone part spns (no slashes)cifszcifs/rhostz dodgy spnsz \/{dnsname}zcifs/\\{dnsname}zcifs/\\\{dnsname}zcifs/\\\{dnsname}/ucīfs/\\\{dnsname}/u cifs/sficucifs/\\\{dnsname}rz / z / / z / / / z /* and so on */ u ¯\_(ツ)_/¯u ¯\_(つ)_/¯u ¯\_(㋡)_/¯z//z //z/host/{dnsname}z /host/x.y.zz/ /x.y.zz / / shost/z /hostu /HōSTu /ħØştz /H0STu /НoSTz /hostu /hostu 2/HōST/⌷[ ][]¨(z (//)z ///z /\//z\//z\\/\\/z|//|z\/\/\\rz:/:z:/:80u:/:( ツz:/:/:scifs/\example.coms:/s :/b/b/b/bs a@b/a@b/a@bs a/a@b/a@bz%empty part spns (consecutive slashes)zcifs//{dnsname}zcifs/zzzy.{dnsname}/z/host/zzzy.{dnsname}ztoo many spn partsz"cifs/{dnsname}/{dnsname}/{dnsname}zcifs/{dnsname}/{dnsname}/zcifs/y.{dnsname}/{dnsname}/toopzhost/{dnsname}/a/b/cz$add a conflict, host first, as adminz2add a conflict, host first, with host write rightsz8add a conflict, service first, with service write rightsz5adding dNSHostName after cifs with no old dNSHostNamecifs/y.{dnsname}host/y.{dnsname}zchanging dNSHostName after cifsN) rrr__doc__rdeniedrr constraintr{rrrrres$F   b ) F  $ b ) F  ( V , F  $ b ) !3 + F  $ b ) !3 + F & , b ) !2v . 'F 0  b ) !3C 0 1F 8 ' b ) !3C 0 9F @ + b ) !2vs 3 AF J : b ) c3 / KF R 5 b ) c3 / SF \ 7 b ) c3 / ]F f 1 !3 + !2v . gF p 4 b ) V , qF | 4 !3 + !3 +  #r * }F F B !3 + !5" -  % , GF P < !3 + !5" - !5# . QF Z I !3 + !5" - !7C 0 [F f C !3 + !5" - !5# . gF r 5 !3 + !3 +  "f - sF ~ 8 b ) R ( j 1 F H I b ) R (  , IF T 8 b ) R ( V , UF ^ ( b ) b ) _F f 2 b ) V , gF p - b ) b# . qF x , b ) b# . yF @ 8 b ) b# . AF H 7 b ) VS 1 IF R 8 $c2 . b ) SF Z ; $c2 . f - [F b ; $c2 .  + cF j 3 $c2 . OS" - kF r @ $c2 . OS& 1 sF z @ $c2 . OUB / {F B > $c2 . OR 0 CF J > !3 + !5" - KF T @ b ) $c2 . UF \ C b ) $eR 0 ]F f +  #r * )3 3 gF n *  #r * )3 3 oF v ,  "f - )2v 6 wF @ & R ( !3 + AF H 2 &R 0 OS" - IF P  {+S" 5 8#r B 8#z J }-sB 7 8#r B :C L  QF ` $ v&R 0 .R 8 .Z @ x(#r 2 .R 8 0#z B b ) aF t & {C , vsJ ' wR sC $ FC ,  uF D; ; ~sB ' ; #S" - ;  #S" -;  $c2 .;  %sJ 7;  }c:s 3;  %sJ <;  tS* %;  wR ; z3 #!; " }c: .#; $ "CS 1%; & b# .'; , j 1-; . j 1/; 0 tS* %1; 2 uc2 3; 4  #r *5; 6 }c2 &7; 8 z3 #9; : wR ;; < Hc2 &=; > Hc2 &?; @ xj )A; B y#z *C; D {C ,E; F xb !G; H y#r "I; J y#r "K; L }c2 &M; N %sB /O; P wR %Q; R vsJ 'S; T xj )U; V xj )W; X vsB Y; Z y#r "[; \ vsB $]; ^ y#r3 '_; b sC $c; d uc2 e; f wR g; h z3 #i; j wR k; l 4c2 >m; n $c2 .o; p b )q; r ~sB 's; t |S" %u; ; EF | 1  #r *  #s + %sB / %sB /  }F H  3S# > }-sB 7 *C 5 0#s ; %sC 0  I F V 0 !3 + !3 + W F ^ > !3 + !3 / _ F f D b ) f - g F n A b ) }-sB 7 j 1 !3 + !3 +  o F | + {+S" 5 b ) }-sB 7 b ) !3 , !3 ,  } F EEErrc'eZdZdejvZddddefdddeffddd defdd deffd dd defdd deffd dd defdd d effddd defdddeffddd defdddefddd gdeffddddidefdd defdddidefdd defddde fddde ffddddefdddeffddddefdddeffddd defdd defdd deffd dd defdd defdd deffd!dd defdd defdd dee fdd dee ffd"dd#defdd defdd defdd deffd$dd#defdd defdd d%efdd d%effd&dd defdd dee fdddee fdd'dee fdd(dee fdddee fdd dee fdd dee fdddee fdd(dee ff d)dd defdd dee fdddee fdd'dee fdd(dee fdddee fdd dee fdd dee fdddee fdd(dee ff d*dddefdddefd+d,d+effd-dddefddde fd+d,d.effd/dd defdd d efdd defdd defd+dd0efd+dd1efdd d efdd2defd+dd+efdd defdd de fdd d0e fd+dd+ee fdd dee fdd defd+dd1ee fdd d effd3dd defddd0efd+d d0e ffd4dd defdddefd+d d0e ffd5dd defdddefd+d d+e ffd6dd defdd dee fddd0efdd d e fdddee fdd d efd+d d+e fd+d d1eff d7dd d8efdddefd+d d8e ffgZ d9S):LdapSpnSambaOnlyTestSAMBA_SELFTESTz5add a conflict, host first, with service write rightsrrrrrz5add a conflict, service first, with host write rightsrrz'add a conflict, service first, as adminz5add a conflict, service first, with both write rightsrz7add a conflict, host first both on user, service rightsrrrDz)add a conflict, along with a re-added SPNzcifs/heeble.example.netzchanging dNSHostName after hostrrrr r z!mystery dnsname clash, host firstzhost/heeble.example.netzwww/heeble.example.netz mystery dnsname clash, www firstzreplace as adminz replace as non-admin with rightsz,replace vial delete as non-admin with rightsz#replace as non-admin without rightszcifs/bzreplace as nobodyrzaccumulate and delete as adminzwww/...zhost/...z&accumulate and delete with user rightsz9three way conflict, host first, with partial write rightsrrz;three way conflict, host first, with partial write rights 2rz.three way conflict sandwich, sufficient rightszA,B,Crzldap/{dnsname}z8three way conflict, service first, with all write rightsz9three way conflict, service first, just sufficient rightsz9three way conflict, service first, with host write rightsz9three way conflict, service first, with both write rightsz7three way conflict, services first, with partial rightszA,CN) rrrosenvironrwrrrrrrr{rrrrrs! 2I @ !3 + !3 /  A b ) j 1  3 b ) j 1  A b )  3  C $c2 . OS& 1  5 b ) (#r 2 )+; b ) c3 /   !: / 4 s-022368N P %s+S" 5 +S13 C +S13 C %s+S" 5  , {+S" 5 8#r B }-sB 7 8#r B :C L -sJ ? +S* = 5# EEErrc<tttdS)N)modulerA)r rr*rrrmainrsxk222222rr)NrR)@r,rrr| samba.samdbr samba.authrrsamba.sd_utilsrsamba.credentialsrr samba.gensecrsamba.tests.subunitrunr r samba.testsr r r samba.getoptgetoptr&r$ samba.colourrrr samba.dsdbrrrerrrrERR_OPERATIONS_ERRORoperrERR_INSUFFICIENT_ACCESS_RIGHTSrERR_CONSTRAINT_VIOLATIONrERR_ENTRY_ALREADY_EXISTSexists FLAG_MOD_ADDrrrFLAG_MOD_DELETErr NameErrorrCrIrQrsrurrrrrrrr0sA& %%%%%% """"""<<<<<<<<%%%%%%>>>>>>>>))))))))''''''6666666666 2       +  ) %   JJ   F $ $ $ $'+(:AAAAAhAAAHYYYYY/YYYx jjjjj?jjjZ%%%%%?%%%P333s%B((B32B3