From 35380fa6a5bcf84827a007332f83ac7f84ffacbb Mon Sep 17 00:00:00 2001
From: David Mulder
Date: Thu, 16 Mar 2023 15:31:33 -0600
Subject: [PATCH] gpupdate: Use winbind separator in PAM Access Policies

Signed-off-by: David Mulder
Reviewed-by: Andrew Bartlett
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Mon Mar 20 20:20:41 UTC 2023 on atb-devel-224
---
 python/samba/gp/vgp_access_ext.py | 18 ++++++++++++++----
 selftest/knownfail.d/gpo | 1 -
 2 files changed, 14 insertions(+), 5 deletions(-)
 delete mode 100644 selftest/knownfail.d/gpo
diff --git a/python/samba/gp/vgp_access_ext.py b/python/samba/gp/vgp_access_ext.py
index c41bc6781760..4748352d14a5 100644
--- a/python/samba/gp/vgp_access_ext.py
+++ b/python/samba/gp/vgp_access_ext.py
@@ -82,6 +82,7 @@ def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
 deny_conf = self.parse(path)
 entries = []
 policy_files = []
+ winbind_sep = self.lp.get('winbind separator')
 if allow_conf:
 policy = allow_conf.find('policysetting')
 data = policy.find('data')
@@ -90,7 +91,9 @@ def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
 adobject = listelement.find('adobject')
 name = adobject.find('name').text
 domain = adobject.find('domain').text
- entries.append('+:%s\\%s:ALL' % (domain, name))
+ entries.append('+:%s%s%s:ALL' % (domain,
+ winbind_sep,
+ name))
 if len(allow_listelements) > 0:
 log.info('Adding an implicit deny ALL because an allow'
 ' entry is present')
@@ -102,7 +105,9 @@ def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
 adobject = listelement.find('adobject')
 name = adobject.find('name').text
 domain = adobject.find('domain').text
- entries.append('-:%s\\%s:ALL' % (domain, name))
+ entries.append('-:%s%s%s:ALL' % (domain,
+ winbind_sep,
+ name))
 if len(allow_listelements) > 0:
 log.warn("Deny entry '%s' is meaningless with "
 "allow present" % entries[-1])
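Review bot: In the allow hunk (`@@ -90,7 +91,9 @@`) and again in the deny hunk (`@@ -102,7 +105,9 @@`), `domain` and `name` are formatted into the access rule without any check of their content. pam_access separates rule fields with `:` and, by default, splits the user/group field on whitespace, so a GPO value containing a colon, a space or a line break yields a rule that is parsed differently from what the policy author intended; AD group names with spaces such as "Domain Admins" are common. Nothing in these hunks shows the values being validated earlier, so I would log and skip such entries before appending, e.g. `if any(c in ':\n' for c in domain + name): continue`, and add a comment stating whether names with spaces are expected to work (pam_access has a `listsep` option for that case). Both loops begin outside the hunks, so the exact placement of the check is inferred.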
@@ -143,6 +148,7 @@ def rsop(self, gpo):
 path = os.path.join(gpo.file_sys_path, deny)
 deny_conf = self.parse(path)
 entries = []
+ winbind_sep = self.lp.get('winbind separator')
 if allow_conf:
 policy = allow_conf.find('policysetting')
 data = policy.find('data')
@@ -153,7 +159,9 @@ def rsop(self, gpo):
 domain = adobject.find('domain').text
 if str(self) not in output.keys():
 output[str(self)] = []
- output[str(self)].append('+:%s\\%s:ALL' % (name, domain))
+ output[str(self)].append('+:%s%s%s:ALL' % (name,
+ winbind_sep,
+ domain))
 if len(allow_listelements) > 0:
 output[str(self)].append('-:ALL:ALL')
 if deny_conf:
@@ -165,5 +173,7 @@ def rsop(self, gpo):
 domain = adobject.find('domain').text
 if str(self) not in output.keys():
 output[str(self)] = []
- output[str(self)].append('-:%s\\%s:ALL' % (name, domain))
+ output[str(self)].append('-:%s%s%s:ALL' % (name,
+ winbind_sep,
+ domain))
 return output
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
deleted file mode 100644
index 1ad05a14aa47..000000000000
--- a/selftest/knownfail.d/gpo
+++ /dev/null
@@ -1 +0,0 @@
-samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access
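Review bot: The rsop() lines added in `@@ -153,7 +159,9 @@` and `@@ -165,5 +173,7 @@` pass `(name, winbind_sep, domain)` to the format string, whereas process_group_policy() in the same patch builds its entry as `(domain, winbind_sep, name)`. The order was already reversed on the removed lines, so this commit carries it forward: the RSoP report shows `name<sep>domain` and does not match the entry process_group_policy() builds, which makes the report misleading when auditing who is allowed or denied. Suggest `output[str(self)].append('+:%s%s%s:ALL' % (domain, winbind_sep, name))` and the same argument order for the `-:` entry. The rest of rsop() is outside the hunks, so whether anything downstream depends on the current order cannot be confirmed from here.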