本文整理汇总了Python中samba.dcerpc.security.dom_sid函数的典型用法代码示例。如果您正苦于以下问题:Python dom_sid函数的具体用法?Python dom_sid怎么用?Python dom_sid使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了dom_sid函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: test_from_sddl
def test_from_sddl(self):
desc = security.descriptor.from_sddl("O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)", security.dom_sid("S-2-0-0"))
self.assertEquals(desc.group_sid, security.dom_sid('S-2-0-0-512'))
self.assertEquals(desc.owner_sid, security.dom_sid('S-1-5-32-548'))
self.assertEquals(desc.revision, 1)
self.assertEquals(desc.sacl, None)
self.assertEquals(desc.type, 0x8004)示例2: is_sid_valid
def is_sid_valid(sid):
try:
security.dom_sid(sid)
except TypeError:
return False
else:
return True示例3: test_getuser
def test_getuser(self):
user = self.pdb.getsampwnam("root")
self.assertEquals(16, user.acct_ctrl)
self.assertEquals("", user.acct_desc)
self.assertEquals(0, user.bad_password_count)
self.assertEquals(0, user.bad_password_time)
self.assertEquals(0, user.code_page)
self.assertEquals(0, user.country_code)
self.assertEquals("", user.dir_drive)
self.assertEquals("BEDWYR", user.domain)
self.assertEquals("root", user.full_name)
self.assertEquals(dom_sid('S-1-5-21-2470180966-3899876309-2637894779-513'), user.group_sid)
self.assertEquals("\\\\BEDWYR\\root", user.home_dir)
self.assertEquals([-1 for i in range(21)], user.hours)
self.assertEquals(21, user.hours_len)
self.assertEquals(9223372036854775807, user.kickoff_time)
self.assertEquals(None, user.lanman_passwd)
self.assertEquals(9223372036854775807, user.logoff_time)
self.assertEquals(0, user.logon_count)
self.assertEquals(168, user.logon_divs)
self.assertEquals("", user.logon_script)
self.assertEquals(0, user.logon_time)
self.assertEquals("", user.munged_dial)
self.assertEquals('\x87\x8d\x80\x14`l\xda)gzD\xef\xa15?\xc7', user.nt_passwd)
self.assertEquals("", user.nt_username)
self.assertEquals(1125418267, user.pass_can_change_time)
self.assertEquals(1125418267, user.pass_last_set_time)
self.assertEquals(2125418266, user.pass_must_change_time)
self.assertEquals(None, user.plaintext_passwd)
self.assertEquals("\\\\BEDWYR\\root\\profile", user.profile_path)
self.assertEquals(None, user.pw_history)
self.assertEquals(dom_sid("S-1-5-21-2470180966-3899876309-2637894779-1000"), user.user_sid)
self.assertEquals("root", user.username)
self.assertEquals("", user.workstations)示例4: test_setposixacl_group_getntacl_smbd
def test_setposixacl_group_getntacl_smbd(self):
BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
(BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
smbd.set_simple_acl(self.tempf, 0640, BA_gid)
facl = getntacl(self.lp, self.tempf, direct_db_access=False)
domsid = passdb.get_global_sam_sid()
acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(acl, facl.as_sddl(anysid))示例5: run
def run(self, use_ntvfs=False, use_s3fs=False,
credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
path = lp.private_path("secrets.ldb")
creds = credopts.get_credentials(lp)
creds.set_kerberos_state(DONT_USE_KERBEROS)
logger = self.get_logger()
netlogon = lp.get("path", "netlogon")
sysvol = lp.get("path", "sysvol")
try:
samdb = SamDB(session_info=system_session(),
lp=lp)
except Exception as e:
raise CommandError("Unable to open samdb:", e)
if not use_ntvfs and not use_s3fs:
use_ntvfs = "smb" in lp.get("server services")
elif use_s3fs:
use_ntvfs = False
domain_sid = security.dom_sid(samdb.domain_sid)
s3conf = s3param.get_context()
s3conf.load(lp.configfile)
# ensure we are using the right samba_dsdb passdb backend, no matter what
s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
LA_sid = security.dom_sid(str(domain_sid)
+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
# These assertions correct for current ad_dc selftest
# configuration. When other environments have a broad range of
# groups mapped via passdb, we can relax some of these checks
(LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
if (LA_type != idmap.ID_TYPE_UID and LA_type != idmap.ID_TYPE_BOTH):
raise CommandError("SID %s is not mapped to a UID" % LA_sid)
(BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
if (BA_type != idmap.ID_TYPE_GID and BA_type != idmap.ID_TYPE_BOTH):
raise CommandError("SID %s is not mapped to a GID" % BA_sid)
if use_ntvfs:
logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")
provision.setsysvolacl(samdb, netlogon, sysvol,
LA_uid, BA_gid, domain_sid,
lp.get("realm").lower(), samdb.domain_dn(),
lp, use_ntvfs=use_ntvfs)示例6: test_setntacl_smbd_setposixacl_group_getntacl_smbd
def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
# This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
(BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
smbd.set_simple_acl(self.tempf, 0640, BA_gid)
# This should re-calculate an ACL based on the posix details
facl = getntacl(self.lp,self.tempf, direct_db_access=False)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))示例7: __init__
def __init__(self, samdb, fix=False,
add_update_container=True):
"""
:param samdb: LDB database
:param fix: Apply the update if the container is missing
:param add_update_container: Add the container at the end of the change
:raise DomainUpdateException:
"""
self.samdb = samdb
self.fix = fix
self.add_update_container = add_update_container
# TODO: In future we should check for inconsistencies when it claims it has been done
self.check_update_applied = False
self.config_dn = self.samdb.get_config_basedn()
self.domain_dn = self.samdb.domain_dn()
self.schema_dn = self.samdb.get_schema_basedn()
self.sd_utils = sd_utils.SDUtils(samdb)
self.domain_sid = security.dom_sid(samdb.get_domain_sid())
self.domainupdate_container = self.samdb.get_root_basedn()
if not self.domainupdate_container.add_child("CN=Operations,CN=DomainUpdates,CN=System"):
raise DomainUpdateException("Failed to add domain update container child")
self.revision_object = self.samdb.get_root_basedn()
if not self.revision_object.add_child("CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System"):
raise DomainUpdateException("Failed to add revision object child")示例8: setUp
def setUp(self):
super(UserAccountControlTests, self).setUp()
self.admin_creds = creds
self.admin_samdb = SamDB(url=ldaphost,
session_info=system_session(),
credentials=self.admin_creds, lp=lp)
self.domain_sid = security.dom_sid(self.admin_samdb.get_domain_sid())
self.base_dn = self.admin_samdb.domain_dn()
self.unpriv_user = "testuser1"
self.unpriv_user_pw = "[email protected]"
self.unpriv_creds = self.get_creds(self.unpriv_user, self.unpriv_user_pw)
delete_force(self.admin_samdb, "CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
delete_force(self.admin_samdb, "OU=test_computer_ou1,%s" % (self.base_dn))
delete_force(self.admin_samdb, "CN=%s,CN=Users,%s" % (self.unpriv_user, self.base_dn))
self.admin_samdb.newuser(self.unpriv_user, self.unpriv_user_pw)
res = self.admin_samdb.search("CN=%s,CN=Users,%s" % (self.unpriv_user, self.admin_samdb.domain_dn()),
scope=SCOPE_BASE,
attrs=["objectSid"])
self.assertEqual(1, len(res))
self.unpriv_user_sid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
self.unpriv_user_dn = res[0].dn
self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % host, lp, self.unpriv_creds)
self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)
self.sd_utils = sd_utils.SDUtils(self.admin_samdb)
self.admin_samdb.create_ou("OU=test_computer_ou1," + self.base_dn)
self.unpriv_user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.unpriv_user_sid)
old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)
self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)
self.add_computer_ldap("testcomputer-t")
self.sd_utils.modify_sd_on_dn("OU=test_computer_ou1," + self.base_dn, old_sd)
self.computernames = ["testcomputer-0"]
# Get the SD of the template account, then force it to match
# what we expect for SeMachineAccountPrivilege accounts, so we
# can confirm we created the accounts correctly
self.sd_reference_cc = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
self.sd_reference_modify = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
for ace in self.sd_reference_modify.dacl.aces:
if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and ace.trustee == self.unpriv_user_sid:
ace.access_mask = ace.access_mask | security.SEC_ADS_SELF_WRITE | security.SEC_ADS_WRITE_PROP
# Now reconnect without domain admin rights
self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)示例9: establish_trust
def establish_trust(self, another_domain, trustdom_secret):
"""
Establishes trust between our and another domain
Input: another_domain -- instance of TrustDomainInstance, initialized with #retrieve call
trustdom_secret -- shared secred used for the trust
"""
if self.info['name'] == another_domain.info['name']:
# Check that NetBIOS names do not clash
raise errors.ValidationError(name=u'AD Trust Setup',
error=_('the IPA server and the remote domain cannot share the same '
'NetBIOS name: %s') % self.info['name'])
self.generate_auth(trustdom_secret)
info = lsa.TrustDomainInfoInfoEx()
info.domain_name.string = another_domain.info['dns_domain']
info.netbios_name.string = another_domain.info['name']
info.sid = security.dom_sid(another_domain.info['sid'])
info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
try:
dname = lsa.String()
dname.string = another_domain.info['dns_domain']
res = self._pipe.QueryTrustedDomainInfoByName(self._policy_handle, dname, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
except RuntimeError, e:
pass示例10: get_trusted_domain_object_sid
def get_trusted_domain_object_sid(self, object_name):
result = pysss_nss_idmap.getsidbyname(object_name)
if object_name in result and (pysss_nss_idmap.SID_KEY in result[object_name]):
object_sid = result[object_name][pysss_nss_idmap.SID_KEY]
return object_sid
# Else, we are going to contact AD DC LDAP
components = normalize_name(object_name)
if not ('domain' in components or 'flatname' in components):
# No domain or realm specified, ambiguous search
raise errors.ValidationError(name=_('trusted domain object'),
error= _('Ambiguous search, user domain was not specified'))
attrs = ['objectSid']
filter = '(&(sAMAccountName=%(name)s)(|(objectClass=user)(objectClass=group)))' \
% dict(name=components['name'])
scope = _ldap.SCOPE_SUBTREE
entries = self.get_trusted_domain_objects(components.get('domain'),
components.get('flatname'), filter, attrs, scope)
if len(entries) > 1:
# Treat non-unique entries as invalid
raise errors.ValidationError(name=_('trusted domain object'),
error= _('Trusted domain did not return a unique object'))
sid = self.__sid_to_str(entries[0][1]['objectSid'][0])
try:
test_sid = security.dom_sid(sid)
return unicode(test_sid)
except TypeError, e:
raise errors.ValidationError(name=_('trusted domain object'),
error= _('Trusted domain did not return a valid SID for the object'))示例11: get_sid_trusted_domain_object
def get_sid_trusted_domain_object(self, object_name):
"""Returns SID for the trusted domain object (user or group only)"""
if not self.domain:
# our domain is not configured or self.is_configured() never run
return None
if not self._domains:
self._domains = self.get_trusted_domains()
if len(self._domains) == 0:
# Our domain is configured but no trusted domains are configured
return None
components = normalize_name(object_name)
if not ('domain' in components or 'flatname' in components):
# No domain or realm specified, ambiguous search
return False
entry = None
if 'domain' in components and components['domain'] in self._domains:
# Now we have a name to check against our list of trusted domains
entry = self.resolve_against_gc(components['domain'], components['name'])
elif 'flatname' in components:
# Flatname was specified, traverse through the list of trusted
# domains first to find the proper one
for domain in self._domains:
if self._domains[domain][0] == components['flatname']:
entry = self.resolve_against_gc(domain, components['name'])
if entry:
break
if entry:
try:
test_sid = security.dom_sid(entry)
return unicode(test_sid)
except TypeError, e:
return False示例12: setUp
def setUp(self):
super(SitesBaseTests, self).setUp()
self.ldb = SamDB(ldaphost, credentials=creds,
session_info=system_session(lp), lp=lp)
self.base_dn = self.ldb.domain_dn()
self.domain_sid = security.dom_sid(self.ldb.get_domain_sid())
self.configuration_dn = self.ldb.get_config_basedn().get_linearized()示例13: test_duplicate_objectSIDs_not_allowed_on_local_objects
def test_duplicate_objectSIDs_not_allowed_on_local_objects(self):
dom_sid = self.samdb.get_domain_sid()
rid = self.allocate_rid()
sid_str = str(dom_sid) + "-" + rid
sid = ndr_pack(security.dom_sid(sid_str))
basedn = self.samdb.get_default_basedn()
cn = "dsdb_test_01"
dn = "cn=%s,cn=Users,%s" % (cn, basedn)
self.samdb.add({
"dn": dn,
"objectClass": "user",
"objectSID": sid})
self.samdb.delete(dn)
try:
self.samdb.add({
"dn": dn,
"objectClass": "user",
"objectSID": sid})
self.fail("No exception should get LDB_ERR_CONSTRAINT_VIOLATION")
except ldb.LdbError as e:
(code, msg) = e.args
if code != ldb.ERR_CONSTRAINT_VIOLATION:
self.fail("Got %d - %s should have got "
"LDB_ERR_CONSTRAINT_VIOLATION"
% (code, msg))示例14: setUp
def setUp(self):
super(SpeedTest, self).setUp()
self.ldb_admin = ldb
self.base_dn = ldb.domain_dn()
self.domain_sid = security.dom_sid(ldb.get_domain_sid())
self.user_pass = "[email protected]"
print "baseDN: %s" % self.base_dn示例15: dsacl2fsacl
def dsacl2fsacl(dssddl, domsid):
"""
This function takes an the SDDL representation of a DS
ACL and return the SDDL representation of this ACL adapted
for files. It's used for Policy object provision
"""
sid = security.dom_sid(domsid)
ref = security.descriptor.from_sddl(dssddl, sid)
fdescr = security.descriptor()
fdescr.owner_sid = ref.owner_sid
fdescr.group_sid = ref.group_sid
fdescr.type = ref.type
fdescr.revision = ref.revision
fdescr.sacl = ref.sacl
aces = ref.dacl.aces
for i in range(0, len(aces)):
ace = aces[i]
if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
# if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT
if str(ace.trustee) == security.SID_CREATOR_OWNER:
# For Creator/Owner the IO flag is set as this ACE has only a sense for child objects
ace.flags = ace.flags | security.SEC_ACE_FLAG_INHERIT_ONLY
ace.access_mask = ldapmask2filemask(ace.access_mask)
fdescr.dacl_add(ace)
return fdescr.as_sddl(sid)