Skip to content

netcmd: redo the samba-tool auth policy and silo commands to use sub-commands

Rob van der Linderequested to merge
samba-team/devel/samba:robcat/redo-claims-commands into master

Redo the samba-tool auth policy and silo commands to use sub-commands instead, just like the service-account group-msa-membership sub-commands.

Rationale: After having done the samba-tool commands for group managed service accounts, we used subcommands instead for adding/removing/viewing the group-msa-membership fields, this turned out to be a lot better, and the base command could still be used to set the SDDL. It would be nice if we did the claims commands like this.

When we added the special helpers for "by group", "by silo", "device group" and "device silo" for generating SDDL for the fields user-allowed-to-authenticate-to, computer-allowed-to-authenticate-to, service-allowed-to-authenticate-from, etc. it quickly made the commands for managing authentication policies quite complex/convoluted and more difficult to maintain and extend later. Also, the logic was repeated in the create and update commands adding to the complexity.

By turning them into subcommands instead, it moves that functionality to individual commands, making the base commands tidy again. It makes the code a lot easier to read, and extend as well if we wanted to add more than just those.

The mutally exclusisve or "similar" args check just becomes a check between two arguments now. Either --by-group or --by-silo but not both, etc.

New command structure:

samba-tool domain auth policy computer-allowed-to-authenticate-to set --name=<policy> --by-group=<group>
samba-tool domain auth policy computer-allowed-to-authenticate-to set --name=<policy> --by-silo=<silo>
samba-tool domain auth policy service-allowed-to-authenticate-to set --name=<policy> --by-group=<group>
samba-tool domain auth policy service-allowed-to-authenticate-to set --name=<policy> --by-silo=<silo>
samba-tool domain auth policy user-allowed-to-authenticate-to set --name=<policy> --by-group=<group>
samba-tool domain auth policy user-allowed-to-authenticate-to set --name=<policy> --by-silo=<silo>
samba-tool domain auth policy service-allowed-to-authenticate-from set --name=<policy> --device-group=<group>
samba-tool domain auth policy service-allowed-to-authenticate-from set --name=<policy> --device-silo=<silo>
samba-tool domain auth policy user-allowed-to-authenticate-from set --name=<policy> --device-group=<group>
samba-tool domain auth policy user-allowed-to-authenticate-from set --name=<policy> --device-silo=<silo>

The new design also allows for a show command later alongside set.

The base command can be continued to be used to set raw SDDL:

samba-tool domain auth policy modify --name=<policy> --computer-allowed-to-authenticate-to=<SDDL>
samba-tool domain auth policy modify --name=<policy> --service-allowed-to-authenticate-to=<SDDL>
samba-tool domain auth policy modify --name=<policy> --user-allowed-to-authenticate-to=<SDDL>
samba-tool domain auth policy modify --name=<policy> --service-allowed-to-authenticate-from=<SDDL>
samba-tool domain auth policy modify --name=<policy> --user-allowed-to-authenticate-from=<SDDL>

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by Rob van der Linde

Merge request reports