2014-01-31 13:27:05 +13:00
# Reads important GPO parameters and updates Samba
# Copyright (C) Luke Morrison <luc785@.hotmail.com> 2013
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys
2020-08-28 08:38:41 -06:00
import os , shutil
2018-01-08 07:17:29 -07:00
import errno
2017-05-25 07:27:27 -06:00
import tdb
2014-01-31 13:27:05 +13:00
sys . path . insert ( 0 , " bin/python " )
from samba import NTSTATUSError
2020-08-20 15:51:47 -06:00
from configparser import ConfigParser
2020-07-04 13:53:34 +12:00
from io import StringIO
2020-09-11 14:29:46 -06:00
from samba . common import get_bytes
2017-02-24 14:19:48 -07:00
from abc import ABCMeta , abstractmethod
2017-06-08 11:47:57 -06:00
import xml . etree . ElementTree as etree
2017-11-21 03:44:12 -07:00
import re
2018-03-29 08:32:02 -06:00
from samba . net import Net
from samba . dcerpc import nbt
2018-12-14 10:37:11 +13:00
from samba . samba3 import libsmb_samba_internal as libsmb
from samba . samba3 import param as s3param
2018-03-29 08:32:02 -06:00
import samba . gpo as gpo
2018-06-13 14:45:09 -06:00
from samba . param import LoadParm
from uuid import UUID
2018-01-08 07:17:29 -07:00
from tempfile import NamedTemporaryFile
2018-08-09 09:47:38 -06:00
from samba . dcerpc import preg
from samba . dcerpc import misc
from samba . ndr import ndr_pack , ndr_unpack
2020-06-03 14:02:37 +02:00
from samba . credentials import SMB_SIGNING_REQUIRED
2017-06-08 11:47:57 -06:00
2017-06-12 16:00:38 -06:00
try :
from enum import Enum
GPOSTATE = Enum ( ' GPOSTATE ' , ' APPLY ENFORCE UNAPPLY ' )
except ImportError :
class GPOSTATE :
APPLY = 1
ENFORCE = 2
UNAPPLY = 3
2018-07-30 18:20:39 +12:00
2017-06-08 11:47:57 -06:00
class gp_log :
''' Log settings overwritten by gpo apply
2017-11-20 10:28:33 +13:00
The gp_log is an xml file that stores a history of gpo changes ( and the
original setting value ) .
2017-06-08 11:47:57 -06:00
The log is organized like so :
< gp >
< user name = " KDC-1$ " >
< applylog >
< guid count = " 0 " value = " { 31B2F340-016D-11D2-945F-00C04FB984F9} " / >
< / applylog >
< guid value = " { 31B2F340-016D-11D2-945F-00C04FB984F9} " >
< gp_ext name = " System Access " >
< attribute name = " minPwdAge " > - 864000000000 < / attribute >
< attribute name = " maxPwdAge " > - 36288000000000 < / attribute >
< attribute name = " minPwdLength " > 7 < / attribute >
< attribute name = " pwdProperties " > 1 < / attribute >
< / gp_ext >
< gp_ext name = " Kerberos Policy " >
< attribute name = " ticket_lifetime " > 1 d < / attribute >
< attribute name = " renew_lifetime " / >
< attribute name = " clockskew " > 300 < / attribute >
< / gp_ext >
< / guid >
< / user >
< / gp >
2017-11-20 10:28:33 +13:00
Each guid value contains a list of extensions , which contain a list of
attributes . The guid value represents a GPO . The attributes are the values
of those settings prior to the application of the GPO .
The list of guids is enclosed within a user name , which represents the user
the settings were applied to . This user may be the samaccountname of the
local computer , which implies that these are machine policies .
The applylog keeps track of the order in which the GPOs were applied , so
that they can be rolled back in reverse , returning the machine to the state
prior to policy application .
2017-06-08 11:47:57 -06:00
'''
def __init__ ( self , user , gpostore , db_log = None ) :
''' Initialize the gp_log
2017-11-20 10:28:33 +13:00
param user - the username ( or machine name ) that policies are
being applied to
param gpostore - the GPOStorage obj which references the tdb which
contains gp_logs
2017-06-08 11:47:57 -06:00
param db_log - ( optional ) a string to initialize the gp_log
'''
2017-06-12 16:00:38 -06:00
self . _state = GPOSTATE . APPLY
2017-06-08 11:47:57 -06:00
self . gpostore = gpostore
self . username = user
if db_log :
self . gpdb = etree . fromstring ( db_log )
else :
self . gpdb = etree . Element ( ' gp ' )
2017-11-20 06:41:19 -07:00
self . user = user
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % user )
if user_obj is None :
user_obj = etree . SubElement ( self . gpdb , ' user ' )
user_obj . attrib [ ' name ' ] = user
2017-06-08 11:47:57 -06:00
2017-06-12 16:00:38 -06:00
def state ( self , value ) :
''' Policy application state
param value - APPLY , ENFORCE , or UNAPPLY
2017-11-20 10:28:33 +13:00
The behavior of the gp_log depends on whether we are applying policy ,
enforcing policy , or unapplying policy . During an apply , old settings
are recorded in the log . During an enforce , settings are being applied
but the gp_log does not change . During an unapply , additions to the log
should be ignored ( since function calls to apply settings are actually
2017-06-12 16:00:38 -06:00
reverting policy ) , but removals from the log are allowed .
'''
# If we're enforcing, but we've unapplied, apply instead
if value == GPOSTATE . ENFORCE :
2017-11-20 06:41:19 -07:00
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
apply_log = user_obj . find ( ' applylog ' )
2017-06-12 16:00:38 -06:00
if apply_log is None or len ( apply_log ) == 0 :
self . _state = GPOSTATE . APPLY
else :
self . _state = value
else :
self . _state = value
2017-06-08 11:47:57 -06:00
def set_guid ( self , guid ) :
''' Log to a different GPO guid
2017-11-20 10:28:33 +13:00
param guid - guid value of the GPO from which we ' re applying
policy
2017-06-08 11:47:57 -06:00
'''
2017-11-20 06:41:19 -07:00
self . guid = guid
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
obj = user_obj . find ( ' guid[@value= " %s " ] ' % guid )
if obj is None :
obj = etree . SubElement ( user_obj , ' guid ' )
obj . attrib [ ' value ' ] = guid
2017-06-12 16:00:38 -06:00
if self . _state == GPOSTATE . APPLY :
2017-11-20 06:41:19 -07:00
apply_log = user_obj . find ( ' applylog ' )
2017-06-12 16:00:38 -06:00
if apply_log is None :
2017-11-20 06:41:19 -07:00
apply_log = etree . SubElement ( user_obj , ' applylog ' )
2018-05-15 08:37:08 -06:00
prev = apply_log . find ( ' guid[@value= " %s " ] ' % guid )
if prev is None :
item = etree . SubElement ( apply_log , ' guid ' )
2018-07-30 18:18:25 +12:00
item . attrib [ ' count ' ] = ' %d ' % ( len ( apply_log ) - 1 )
2018-05-15 08:37:08 -06:00
item . attrib [ ' value ' ] = guid
2017-06-08 11:47:57 -06:00
def store ( self , gp_ext_name , attribute , old_val ) :
''' Store an attribute in the gp_log
param gp_ext_name - Name of the extension applying policy
param attribute - The attribute being modified
2017-11-20 10:28:33 +13:00
param old_val - The value of the attribute prior to policy
application
2017-06-08 11:47:57 -06:00
'''
2017-06-12 16:00:38 -06:00
if self . _state == GPOSTATE . UNAPPLY or self . _state == GPOSTATE . ENFORCE :
return None
2017-11-20 06:41:19 -07:00
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
guid_obj = user_obj . find ( ' guid[@value= " %s " ] ' % self . guid )
assert guid_obj is not None , " gpo guid was not set "
ext = guid_obj . find ( ' gp_ext[@name= " %s " ] ' % gp_ext_name )
2017-06-08 11:47:57 -06:00
if ext is None :
2017-11-20 06:41:19 -07:00
ext = etree . SubElement ( guid_obj , ' gp_ext ' )
2017-06-08 11:47:57 -06:00
ext . attrib [ ' name ' ] = gp_ext_name
attr = ext . find ( ' attribute[@name= " %s " ] ' % attribute )
if attr is None :
attr = etree . SubElement ( ext , ' attribute ' )
attr . attrib [ ' name ' ] = attribute
2017-12-01 11:18:55 -07:00
attr . text = old_val
2017-06-08 11:47:57 -06:00
def retrieve ( self , gp_ext_name , attribute ) :
''' Retrieve a stored attribute from the gp_log
param gp_ext_name - Name of the extension which applied policy
param attribute - The attribute being retrieved
2017-11-20 10:28:33 +13:00
return - The value of the attribute prior to policy
application
2017-06-08 11:47:57 -06:00
'''
2017-11-20 06:41:19 -07:00
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
guid_obj = user_obj . find ( ' guid[@value= " %s " ] ' % self . guid )
assert guid_obj is not None , " gpo guid was not set "
ext = guid_obj . find ( ' gp_ext[@name= " %s " ] ' % gp_ext_name )
2017-06-08 11:47:57 -06:00
if ext is not None :
attr = ext . find ( ' attribute[@name= " %s " ] ' % attribute )
if attr is not None :
return attr . text
return None
2018-05-17 15:56:15 -06:00
def get_applied_guids ( self ) :
''' Return a list of applied ext guids
return - List of guids for gpos that have applied settings
to the system .
'''
guids = [ ]
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
if user_obj is not None :
apply_log = user_obj . find ( ' applylog ' )
2018-08-29 16:39:51 +12:00
if apply_log is not None :
guid_objs = apply_log . findall ( ' guid[@count] ' )
guids_by_count = [ ( g . get ( ' count ' ) , g . get ( ' value ' ) )
for g in guid_objs ]
guids_by_count . sort ( reverse = True )
guids . extend ( guid for count , guid in guids_by_count )
2018-05-17 15:56:15 -06:00
return guids
def get_applied_settings ( self , guids ) :
''' Return a list of applied ext guids
return - List of tuples containing the guid of a gpo , then
a dictionary of policies and their values prior
policy application . These are sorted so that the
most recently applied settings are removed first .
'''
ret = [ ]
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
for guid in guids :
guid_settings = user_obj . find ( ' guid[@value= " %s " ] ' % guid )
exts = guid_settings . findall ( ' gp_ext ' )
settings = { }
for ext in exts :
attr_dict = { }
attrs = ext . findall ( ' attribute ' )
for attr in attrs :
attr_dict [ attr . attrib [ ' name ' ] ] = attr . text
settings [ ext . attrib [ ' name ' ] ] = attr_dict
ret . append ( ( guid , settings ) )
return ret
2017-06-08 11:47:57 -06:00
def delete ( self , gp_ext_name , attribute ) :
''' Remove an attribute from the gp_log
2017-11-20 10:28:33 +13:00
param gp_ext_name - name of extension from which to remove the
attribute
2017-06-08 11:47:57 -06:00
param attribute - attribute to remove
'''
2017-11-20 06:41:19 -07:00
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
guid_obj = user_obj . find ( ' guid[@value= " %s " ] ' % self . guid )
assert guid_obj is not None , " gpo guid was not set "
ext = guid_obj . find ( ' gp_ext[@name= " %s " ] ' % gp_ext_name )
2017-06-08 11:47:57 -06:00
if ext is not None :
attr = ext . find ( ' attribute[@name= " %s " ] ' % attribute )
if attr is not None :
ext . remove ( attr )
if len ( ext ) == 0 :
2017-11-20 06:41:19 -07:00
guid_obj . remove ( ext )
2017-06-08 11:47:57 -06:00
def commit ( self ) :
''' Write gp_log changes to disk '''
self . gpostore . store ( self . username , etree . tostring ( self . gpdb , ' utf-8 ' ) )
2018-07-30 18:20:39 +12:00
2017-06-08 11:47:57 -06:00
class GPOStorage :
def __init__ ( self , log_file ) :
if os . path . isfile ( log_file ) :
self . log = tdb . open ( log_file )
2017-05-25 07:27:27 -06:00
else :
2018-08-29 13:30:59 +12:00
self . log = tdb . Tdb ( log_file , 0 , tdb . DEFAULT , os . O_CREAT | os . O_RDWR )
2017-05-25 07:27:27 -06:00
2017-06-08 11:47:57 -06:00
def start ( self ) :
self . log . transaction_start ( )
def get_int ( self , key ) :
2017-05-25 07:27:27 -06:00
try :
2018-11-06 19:55:22 +00:00
return int ( self . log . get ( get_bytes ( key ) ) )
2017-05-25 07:27:27 -06:00
except TypeError :
2017-06-08 11:47:57 -06:00
return None
def get ( self , key ) :
2018-11-06 19:55:22 +00:00
return self . log . get ( get_bytes ( key ) )
2017-06-08 11:47:57 -06:00
def get_gplog ( self , user ) :
2018-11-06 19:55:22 +00:00
return gp_log ( user , self , self . log . get ( get_bytes ( user ) ) )
2017-06-08 11:47:57 -06:00
def store ( self , key , val ) :
2018-11-06 19:55:22 +00:00
self . log . store ( get_bytes ( key ) , get_bytes ( val ) )
2017-06-08 11:47:57 -06:00
def cancel ( self ) :
self . log . transaction_cancel ( )
2017-05-25 07:27:27 -06:00
2017-06-08 11:47:57 -06:00
def delete ( self , key ) :
2018-11-06 19:55:22 +00:00
self . log . delete ( get_bytes ( key ) )
2017-05-25 07:27:27 -06:00
def commit ( self ) :
2017-06-08 11:47:57 -06:00
self . log . transaction_commit ( )
2017-05-25 07:27:27 -06:00
def __del__ ( self ) :
2017-06-08 11:47:57 -06:00
self . log . close ( )
2017-05-25 07:27:27 -06:00
2018-07-30 18:20:39 +12:00
2014-01-31 13:27:05 +13:00
class gp_ext ( object ) :
2017-02-24 14:19:48 -07:00
__metaclass__ = ABCMeta
2018-05-16 10:58:29 -06:00
def __init__ ( self , logger , lp , creds , store ) :
2018-03-29 09:07:53 -06:00
self . logger = logger
2018-05-16 10:58:29 -06:00
self . lp = lp
self . creds = creds
self . gp_db = store . get_gplog ( creds . get_username ( ) )
2018-03-29 09:07:53 -06:00
2018-05-09 13:16:38 -06:00
@abstractmethod
def process_group_policy ( self , deleted_gpo_list , changed_gpo_list ) :
pass
2017-02-24 14:19:48 -07:00
@abstractmethod
2018-03-29 08:05:21 -06:00
def read ( self , policy ) :
2017-02-24 14:19:48 -07:00
pass
2014-01-31 13:27:05 +13:00
2018-05-16 10:58:29 -06:00
def parse ( self , afile ) :
2018-05-16 10:37:09 -06:00
local_path = self . lp . cache_path ( ' gpo_cache ' )
data_file = os . path . join ( local_path , check_safe_path ( afile ) . upper ( ) )
if os . path . exists ( data_file ) :
2018-08-09 09:47:38 -06:00
return self . read ( data_file )
2018-05-16 10:37:09 -06:00
return None
2018-03-29 08:05:21 -06:00
2017-06-08 11:47:57 -06:00
@abstractmethod
def __str__ ( self ) :
pass
2014-01-31 13:27:05 +13:00
2020-07-06 08:25:23 -06:00
@abstractmethod
def rsop ( self , gpo ) :
return { }
2018-07-30 18:20:39 +12:00
2018-03-29 08:25:05 -06:00
class gp_inf_ext ( gp_ext ) :
2018-08-09 09:47:38 -06:00
def read ( self , data_file ) :
2020-07-06 08:13:57 -06:00
policy = open ( data_file , ' rb ' ) . read ( )
2020-08-20 15:51:47 -06:00
inf_conf = ConfigParser ( interpolation = None )
2018-07-30 18:18:03 +12:00
inf_conf . optionxform = str
2018-03-29 08:25:05 -06:00
try :
2020-07-06 08:13:57 -06:00
inf_conf . readfp ( StringIO ( policy . decode ( ) ) )
except UnicodeDecodeError :
2018-03-29 08:25:05 -06:00
inf_conf . readfp ( StringIO ( policy . decode ( ' utf-16 ' ) ) )
2018-05-17 16:23:51 -06:00
return inf_conf
2018-03-29 08:25:05 -06:00
2018-07-30 18:21:29 +12:00
2018-08-09 09:47:38 -06:00
class gp_pol_ext ( gp_ext ) :
def read ( self , data_file ) :
raw = open ( data_file , ' rb ' ) . read ( )
return ndr_unpack ( preg . file , raw )
2020-11-03 10:44:27 -07:00
class gp_xml_ext ( gp_ext ) :
def read ( self , data_file ) :
raw = open ( data_file , ' rb ' ) . read ( )
try :
return etree . fromstring ( raw . decode ( ) )
except UnicodeDecodeError :
return etree . fromstring ( raw . decode ( ' utf-16 ' ) )
2018-03-29 08:32:02 -06:00
''' Fetch the hostname of a writable DC '''
2018-07-30 18:20:39 +12:00
2018-03-29 08:32:02 -06:00
def get_dc_hostname ( creds , lp ) :
net = Net ( creds = creds , lp = lp )
cldap_ret = net . finddc ( domain = lp . get ( ' realm ' ) , flags = ( nbt . NBT_SERVER_LDAP |
2018-07-30 18:16:12 +12:00
nbt . NBT_SERVER_DS ) )
2018-03-29 08:32:02 -06:00
return cldap_ret . pdc_dns_name
2018-07-30 18:21:29 +12:00
2018-03-29 08:32:02 -06:00
''' Fetch a list of GUIDs for applicable GPOs '''
2018-07-30 18:20:39 +12:00
2018-03-29 08:32:02 -06:00
def get_gpo_list ( dc_hostname , creds , lp ) :
gpos = [ ]
ads = gpo . ADS_STRUCT ( dc_hostname , lp , creds )
if ads . connect ( ) :
gpos = ads . get_gpo_list ( creds . get_username ( ) )
return gpos
2018-01-08 07:17:29 -07:00
def cache_gpo_dir ( conn , cache , sub_dir ) :
loc_sub_dir = sub_dir . upper ( )
local_dir = os . path . join ( cache , loc_sub_dir )
try :
os . makedirs ( local_dir , mode = 0o755 )
except OSError as e :
if e . errno != errno . EEXIST :
raise
for fdata in conn . list ( sub_dir ) :
2018-12-14 10:37:11 +13:00
if fdata [ ' attrib ' ] & libsmb . FILE_ATTRIBUTE_DIRECTORY :
2018-01-08 07:17:29 -07:00
cache_gpo_dir ( conn , cache , os . path . join ( sub_dir , fdata [ ' name ' ] ) )
else :
local_name = fdata [ ' name ' ] . upper ( )
f = NamedTemporaryFile ( delete = False , dir = local_dir )
fname = os . path . join ( sub_dir , fdata [ ' name ' ] ) . replace ( ' / ' , ' \\ ' )
f . write ( conn . loadfile ( fname ) )
f . close ( )
os . rename ( f . name , os . path . join ( local_dir , local_name ) )
def check_safe_path ( path ) :
dirs = re . split ( ' /| \\ \\ ' , path )
2021-03-09 11:13:40 -07:00
if ' sysvol ' in path . lower ( ) :
ldirs = re . split ( ' /| \\ \\ ' , path . lower ( ) )
dirs = dirs [ ldirs . index ( ' sysvol ' ) + 1 : ]
2018-07-30 18:22:34 +12:00
if ' .. ' not in dirs :
2018-01-08 07:17:29 -07:00
return os . path . join ( * dirs )
raise OSError ( path )
2018-07-30 18:20:39 +12:00
2018-01-08 07:17:29 -07:00
def check_refresh_gpo_list ( dc_hostname , lp , creds , gpos ) :
2018-12-14 10:37:11 +13:00
# the SMB bindings rely on having a s3 loadparm
s3_lp = s3param . get_context ( )
s3_lp . load ( lp . configfile )
2020-06-03 14:02:37 +02:00
# Force signing for the connection
saved_signing_state = creds . get_smb_signing ( )
creds . set_smb_signing ( SMB_SIGNING_REQUIRED )
2020-05-28 18:11:31 +02:00
conn = libsmb . Conn ( dc_hostname , ' sysvol ' , lp = s3_lp , creds = creds )
2020-06-03 14:02:37 +02:00
# Reset signing state
creds . set_smb_signing ( saved_signing_state )
2018-01-08 07:17:29 -07:00
cache_path = lp . cache_path ( ' gpo_cache ' )
for gpo in gpos :
if not gpo . file_sys_path :
continue
cache_gpo_dir ( conn , cache_path , check_safe_path ( gpo . file_sys_path ) )
2018-07-30 18:20:39 +12:00
2018-05-15 14:00:07 -06:00
def get_deleted_gpos_list ( gp_db , gpos ) :
applied_gpos = gp_db . get_applied_guids ( )
current_guids = set ( [ p . name for p in gpos ] )
deleted_gpos = [ guid for guid in applied_gpos if guid not in current_guids ]
return gp_db . get_applied_settings ( deleted_gpos )
2018-01-08 07:17:29 -07:00
def gpo_version ( lp , path ) :
# gpo.gpo_get_sysvol_gpt_version() reads the GPT.INI from a local file,
# read from the gpo client cache.
gpt_path = lp . cache_path ( os . path . join ( ' gpo_cache ' , path ) )
return int ( gpo . gpo_get_sysvol_gpt_version ( gpt_path ) [ 1 ] )
2018-07-30 18:20:39 +12:00
2018-05-16 09:54:38 -06:00
def apply_gp ( lp , creds , logger , store , gp_extensions , force = False ) :
2018-03-29 08:32:02 -06:00
gp_db = store . get_gplog ( creds . get_username ( ) )
dc_hostname = get_dc_hostname ( creds , lp )
gpos = get_gpo_list ( dc_hostname , creds , lp )
2018-05-15 14:00:07 -06:00
del_gpos = get_deleted_gpos_list ( gp_db , gpos )
2018-01-08 07:17:29 -07:00
try :
check_refresh_gpo_list ( dc_hostname , lp , creds , gpos )
except :
2018-07-30 18:22:01 +12:00
logger . error ( ' Failed downloading gpt cache from \' %s \' using SMB '
2018-07-30 18:16:12 +12:00
% dc_hostname )
2018-01-08 07:17:29 -07:00
return
2018-03-29 08:32:02 -06:00
2018-05-16 09:54:38 -06:00
if force :
changed_gpos = gpos
gp_db . state ( GPOSTATE . ENFORCE )
else :
changed_gpos = [ ]
for gpo_obj in gpos :
if not gpo_obj . file_sys_path :
continue
guid = gpo_obj . name
path = check_safe_path ( gpo_obj . file_sys_path ) . upper ( )
version = gpo_version ( lp , path )
if version != store . get_int ( guid ) :
logger . info ( ' GPO %s has changed ' % guid )
changed_gpos . append ( gpo_obj )
gp_db . state ( GPOSTATE . APPLY )
2018-05-09 13:16:38 -06:00
store . start ( )
for ext in gp_extensions :
try :
2020-08-06 17:25:47 -06:00
ext = ext ( logger , lp , creds , store )
2018-05-15 14:00:07 -06:00
ext . process_group_policy ( del_gpos , changed_gpos )
2018-05-09 13:16:38 -06:00
except Exception as e :
logger . error ( ' Failed to apply extension %s ' % str ( ext ) )
logger . error ( ' Message was: ' + str ( e ) )
continue
for gpo_obj in gpos :
if not gpo_obj . file_sys_path :
continue
guid = gpo_obj . name
path = check_safe_path ( gpo_obj . file_sys_path ) . upper ( )
version = gpo_version ( lp , path )
2018-03-29 08:32:02 -06:00
store . store ( guid , ' %i ' % version )
2018-05-09 13:16:38 -06:00
store . commit ( )
2018-03-29 08:32:02 -06:00
2018-07-30 18:20:39 +12:00
2018-07-13 14:45:06 -06:00
def unapply_gp ( lp , creds , logger , store , gp_extensions ) :
2018-03-29 08:32:02 -06:00
gp_db = store . get_gplog ( creds . get_username ( ) )
gp_db . state ( GPOSTATE . UNAPPLY )
2018-05-17 16:48:47 -06:00
# Treat all applied gpos as deleted
del_gpos = gp_db . get_applied_settings ( gp_db . get_applied_guids ( ) )
store . start ( )
for ext in gp_extensions :
try :
2020-08-06 17:25:47 -06:00
ext = ext ( logger , lp , creds , store )
2018-05-17 16:48:47 -06:00
ext . process_group_policy ( del_gpos , [ ] )
except Exception as e :
logger . error ( ' Failed to unapply extension %s ' % str ( ext ) )
logger . error ( ' Message was: ' + str ( e ) )
continue
store . commit ( )
2018-03-29 08:32:02 -06:00
2018-07-30 18:20:39 +12:00
2020-07-06 08:25:23 -06:00
def __rsop_vals ( vals , level = 4 ) :
if type ( vals ) == dict :
ret = [ ' ' * level + ' [ %s ] = %s ' % ( k , __rsop_vals ( v , level + 2 ) )
for k , v in vals . items ( ) ]
return ' \n ' . join ( ret )
elif type ( vals ) == list :
ret = [ ' ' * level + ' [ %s ] ' % __rsop_vals ( v , level + 2 ) for v in vals ]
return ' \n ' . join ( ret )
else :
return vals
gpo: Pass necessary parameters to rsop
These parameters were missed by mistake when exts
were modified to be initialized within the rsop
command. Fixes an exception thrown when executing
samba-gpupdate --rsop:
Traceback (most recent call last):
File "/usr/sbin/samba-gpupdate", line 99, in <module>
rsop(lp, creds, gp_extensions, opts.target)
File "/usr/lib64/python3.8/site-packages/samba/gpclass.py", line 512, in rsop
ext = ext(logger, lp, creds, store)
NameError: name 'logger' is not defined
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 13:25:44 -06:00
def rsop ( lp , creds , logger , store , gp_extensions , target ) :
2020-07-06 08:25:23 -06:00
dc_hostname = get_dc_hostname ( creds , lp )
gpos = get_gpo_list ( dc_hostname , creds , lp )
check_refresh_gpo_list ( dc_hostname , lp , creds , gpos )
print ( ' Resultant Set of Policy ' )
print ( ' %s Policy \n ' % target )
2020-08-28 08:38:41 -06:00
term_width = shutil . get_terminal_size ( fallback = ( 120 , 50 ) ) [ 0 ]
2020-07-06 08:25:23 -06:00
for gpo in gpos :
2021-02-26 09:43:30 -07:00
if gpo . display_name . strip ( ) == ' Local Policy ' :
continue # We never apply local policy
2020-07-06 08:25:23 -06:00
print ( ' GPO: %s ' % gpo . display_name )
print ( ' = ' * term_width )
for ext in gp_extensions :
2020-08-06 17:25:47 -06:00
ext = ext ( logger , lp , creds , store )
2021-02-26 09:43:30 -07:00
cse_name_m = re . findall ( " ' ([ \ w \ .]+) ' " , str ( type ( ext ) ) )
if len ( cse_name_m ) > 0 :
cse_name = cse_name_m [ - 1 ] . split ( ' . ' ) [ - 1 ]
else :
cse_name = ext . __module__ . split ( ' . ' ) [ - 1 ]
print ( ' CSE: %s ' % cse_name )
2020-07-06 08:25:23 -06:00
print ( ' ' + ( ' - ' * int ( term_width / 2 ) ) )
for section , settings in ext . rsop ( gpo ) . items ( ) :
print ( ' Policy Type: %s ' % section )
print ( ' ' + ( ' - ' * int ( term_width / 2 ) ) )
print ( __rsop_vals ( settings ) )
print ( ' ' + ( ' - ' * int ( term_width / 2 ) ) )
print ( ' ' + ( ' - ' * int ( term_width / 2 ) ) )
print ( ' %s \n ' % ( ' = ' * term_width ) )
2018-06-13 14:45:09 -06:00
def parse_gpext_conf ( smb_conf ) :
lp = LoadParm ( )
if smb_conf is not None :
lp . load ( smb_conf )
else :
lp . load_default ( )
ext_conf = lp . state_path ( ' gpext.conf ' )
2020-08-20 15:51:47 -06:00
parser = ConfigParser ( interpolation = None )
2018-06-13 14:45:09 -06:00
parser . read ( ext_conf )
return lp , parser
2018-07-30 18:20:39 +12:00
2018-06-13 14:45:09 -06:00
def atomic_write_conf ( lp , parser ) :
ext_conf = lp . state_path ( ' gpext.conf ' )
2018-11-06 19:55:22 +00:00
with NamedTemporaryFile ( mode = " w+ " , delete = False , dir = os . path . dirname ( ext_conf ) ) as f :
2018-06-13 14:45:09 -06:00
parser . write ( f )
os . rename ( f . name , ext_conf )
2018-07-30 18:20:39 +12:00
2018-06-13 14:45:09 -06:00
def check_guid ( guid ) :
# Check for valid guid with curly braces
if guid [ 0 ] != ' { ' or guid [ - 1 ] != ' } ' or len ( guid ) != 38 :
return False
try :
UUID ( guid , version = 4 )
except ValueError :
return False
return True
2018-07-30 18:20:39 +12:00
2018-06-13 14:45:09 -06:00
def register_gp_extension ( guid , name , path ,
smb_conf = None , machine = True , user = True ) :
# Check that the module exists
if not os . path . exists ( path ) :
return False
if not check_guid ( guid ) :
return False
lp , parser = parse_gpext_conf ( smb_conf )
2018-07-30 18:22:34 +12:00
if guid not in parser . sections ( ) :
2018-06-13 14:45:09 -06:00
parser . add_section ( guid )
parser . set ( guid , ' DllName ' , path )
parser . set ( guid , ' ProcessGroupPolicy ' , name )
2018-11-06 19:55:22 +00:00
parser . set ( guid , ' NoMachinePolicy ' , " 0 " if machine else " 1 " )
parser . set ( guid , ' NoUserPolicy ' , " 0 " if user else " 1 " )
2018-06-13 14:45:09 -06:00
atomic_write_conf ( lp , parser )
return True
2018-06-13 14:46:05 -06:00
2018-07-30 18:20:39 +12:00
2018-06-13 14:46:30 -06:00
def list_gp_extensions ( smb_conf = None ) :
_ , parser = parse_gpext_conf ( smb_conf )
results = { }
for guid in parser . sections ( ) :
results [ guid ] = { }
results [ guid ] [ ' DllName ' ] = parser . get ( guid , ' DllName ' )
results [ guid ] [ ' ProcessGroupPolicy ' ] = \
parser . get ( guid , ' ProcessGroupPolicy ' )
results [ guid ] [ ' MachinePolicy ' ] = \
not int ( parser . get ( guid , ' NoMachinePolicy ' ) )
results [ guid ] [ ' UserPolicy ' ] = not int ( parser . get ( guid , ' NoUserPolicy ' ) )
return results
2018-07-30 18:20:39 +12:00
2018-06-13 14:46:05 -06:00
def unregister_gp_extension ( guid , smb_conf = None ) :
if not check_guid ( guid ) :
return False
lp , parser = parse_gpext_conf ( smb_conf )
if guid in parser . sections ( ) :
parser . remove_section ( guid )
atomic_write_conf ( lp , parser )
return True