sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Code
c9902b0574
samba-mirror/python/samba/netcmd/dsacl.py

284 lines
11 KiB
Python
Raw Normal View History

Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
# Manipulate ACLs on directory objects
#
# Copyright (C) Nadezhda Ivanova <nivanova@samba.org> 2010
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import samba.getopt as options
from samba.dcerpc import security
from samba.samdb import SamDB
from samba.ndr import ndr_unpack, ndr_pack
s4-python: Remove duplicate definition of GUID_DRS_* constants.
2010-04-04 01:18:23 +04:00
from samba.dcerpc.security import (
GUID_DRS_ALLOCATE_RIDS, GUID_DRS_CHANGE_DOMAIN_MASTER,
GUID_DRS_CHANGE_INFR_MASTER, GUID_DRS_CHANGE_PDC,
GUID_DRS_CHANGE_RID_MASTER, GUID_DRS_CHANGE_SCHEMA_MASTER,
GUID_DRS_GET_CHANGES, GUID_DRS_GET_ALL_CHANGES,
GUID_DRS_GET_FILTERED_ATTRIBUTES, GUID_DRS_MANAGE_TOPOLOGY,
GUID_DRS_MONITOR_TOPOLOGY, GUID_DRS_REPL_SYNCRONIZE,
GUID_DRS_RO_REPL_SECRET_SYNC)
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
import ldb
s4-python: Remove duplicate definition of GUID_DRS_* constants.
2010-04-04 01:18:23 +04:00
from ldb import SCOPE_BASE
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
import re
from samba.auth import system_session
from samba.netcmd import (
Command,
CommandError,
SuperCommand,
Option,
PEP8: fix E123: closing bracket does not match indentation of opening bracket's line Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-07-30 09:14:37 +03:00
)
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
samba-tool dsacl: Create helper functions to remove code duplication Make multiple methods of dsacl command classes separate helper functions to avoid code duplication. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-15 11:08:47 +03:00
def find_trustee_sid(samdb, trusteedn):
res = samdb.search(base=trusteedn, expression="(objectClass=*)",
scope=SCOPE_BASE)
assert(len(res) == 1)
return ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
def modify_descriptor(samdb, object_dn, desc, controls=None):
assert(isinstance(desc, security.descriptor))
m = ldb.Message()
m.dn = ldb.Dn(samdb, object_dn)
m["nTSecurityDescriptor"] = ldb.MessageElement(
(ndr_pack(desc)), ldb.FLAG_MOD_REPLACE,
"nTSecurityDescriptor")
samdb.modify(m)
def read_descriptor(samdb, object_dn):
res = samdb.search(base=object_dn, scope=SCOPE_BASE,
attrs=["nTSecurityDescriptor"])
# we should theoretically always have an SD
assert(len(res) == 1)
desc = res[0]["nTSecurityDescriptor"][0]
return ndr_unpack(security.descriptor, desc)
def get_domain_sid(samdb):
res = samdb.search(base=samdb.domain_dn(),
expression="(objectClass=*)", scope=SCOPE_BASE)
return ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
samba-tool: Added "dsacl" command Added "dsacl" command to substitute "acl ds" Signed-off-by: Amitay Isaacs <amitay@gmail.com> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-31 01:09:53 +04:00
class cmd_dsacl_set(Command):
samba-tool: Unify usage messages. Karolin Autobuild-User(master): Karolin Seeger <kseeger@samba.org> Autobuild-Date(master): Mon Oct 8 14:26:52 CEST 2012 on sn-devel-104
2012-10-08 14:32:58 +04:00
"""Modify access list on a directory object."""
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
samba-tool: Don't require full prog line to be in synopsis.
2011-10-14 01:27:22 +04:00
synopsis = "%prog [options]"
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
car_help = """ The access control right to allow or deny """
Revert "samba-tool: moved takes_optiongroups definition to Command base class" This reverts commit f6fa8684896b8f3f9f8b7bd3742c99906973274c. This keeps the main command class fairly slim, and makes it a bit more obvious where the arguments to run() are coming from. Conflicts: source4/scripting/python/samba/netcmd/__init__.py source4/scripting/python/samba/netcmd/domain.py source4/scripting/python/samba/netcmd/gpo.py source4/scripting/python/samba/netcmd/newuser.py source4/scripting/python/samba/netcmd/testparm.py source4/scripting/python/samba/netcmd/user.py source4/scripting/python/samba/tests/samba_tool/__init__.py
2012-02-06 19:33:38 +04:00
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
PEP8: fix E123: closing bracket does not match indentation of opening bracket's line Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-07-30 09:14:37 +03:00
}
Revert "samba-tool: moved takes_optiongroups definition to Command base class" This reverts commit f6fa8684896b8f3f9f8b7bd3742c99906973274c. This keeps the main command class fairly slim, and makes it a bit more obvious where the arguments to run() are coming from. Conflicts: source4/scripting/python/samba/netcmd/__init__.py source4/scripting/python/samba/netcmd/domain.py source4/scripting/python/samba/netcmd/gpo.py source4/scripting/python/samba/netcmd/newuser.py source4/scripting/python/samba/netcmd/testparm.py source4/scripting/python/samba/netcmd/user.py source4/scripting/python/samba/tests/samba_tool/__init__.py
2012-02-06 19:33:38 +04:00
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
takes_options = [
samba-tool: add -H or --URL where necessary To improve consistency, I've made sure all the commands take either a -H or --URL when specifying a URL Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-25 19:56:10 +04:00
Option("-H", "--URL", help="LDB URL for database or target server",
type=str, metavar="URL", dest="H"),
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
Option("--car", type="choice", choices=["change-rid",
"change-pdc",
"change-infrastructure",
"change-schema",
"change-naming",
"allocate_rids",
"get-changes",
"get-changes-all",
"get-changes-filtered",
"topology-manage",
"topology-monitor",
"repl-sync",
"ro-repl-secret-sync"],
help=car_help),
Option("--action", type="choice", choices=["allow", "deny"],
PEP8: fix E127: continuation line over-indented for visual indent Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-07-30 09:15:34 +03:00
help="""Deny or allow access"""),
s4-python: Simplify code, improve formatting.
2010-04-08 20:57:09 +04:00
Option("--objectdn", help="DN of the object whose SD to modify",
PEP8: fix E128: continuation line under-indented for visual indent Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-07-30 09:16:12 +03:00
type="string"),
s4-python: Simplify code, improve formatting.
2010-04-08 20:57:09 +04:00
Option("--trusteedn", help="DN of the entity that gets access",
PEP8: fix E128: continuation line under-indented for visual indent Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-07-30 09:16:12 +03:00
type="string"),
s4-tools: Added --sddl option, which allows the user to add an ACE to an object's security descriptor in SDDL format Useful for testing purposes. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Thu Feb 10 15:28:04 CET 2011 on sn-devel-104
2011-02-10 16:04:23 +03:00
Option("--sddl", help="An ACE or group of ACEs to be added on the object",
PEP8: fix E128: continuation line under-indented for visual indent Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-07-30 09:16:12 +03:00
type="string"),
PEP8: fix E123: closing bracket does not match indentation of opening bracket's line Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-07-30 09:14:37 +03:00
]
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
def add_ace(self, samdb, object_dn, new_ace):
s4-python: Simplify code, improve formatting.
2010-04-08 20:57:09 +04:00
"""Add new ace explicitly."""
samba-tool dsacl: Create helper functions to remove code duplication Make multiple methods of dsacl command classes separate helper functions to avoid code duplication. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-15 11:08:47 +03:00
desc = read_descriptor(samdb, object_dn)
new_ace = security.descriptor.from_sddl("D:" + new_ace, get_domain_sid(samdb))
python: use raw string for regex with escape Python regards 'GPT\.INI$' as a string containing an invalid escape sequence '\.', which is ignored (i.e. treated as the literal sequence of those 2 characters), but only after Python has grumbled to itself, and to you if you enabled DeprecationWarnings. The proper thing to do here is use r-strings, like r'GPT\.INI$', which tell Python that all backslashes are literal. Alternatively (as we do once in this patch), the backslash can itself be escaped ('\\'). There are more problems of this nature in the build scripts. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Noel Power <npower@samba.org>
2020-02-07 01:25:27 +03:00
new_ace_list = re.findall(r"\(.*?\)",new_ace.as_sddl())
Update dsacl.py - add_ace to handle/verify sddl parameter correct Test for samba-tool dsacl set --sddl parmeter Update tests.py - add dsacl (dsacl.py / samba-tool dsacl set) test Signed-off-by: <Martin Krämer mk.maddin@gmail.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-01-26 12:17:25 +03:00
for new_ace in new_ace_list:
samba-tool dsacl: Create helper functions to remove code duplication Make multiple methods of dsacl command classes separate helper functions to avoid code duplication. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-15 11:08:47 +03:00
desc_sddl = desc.as_sddl(get_domain_sid(samdb))
Update dsacl.py - add_ace to handle/verify sddl parameter correct Test for samba-tool dsacl set --sddl parmeter Update tests.py - add dsacl (dsacl.py / samba-tool dsacl set) test Signed-off-by: <Martin Krämer mk.maddin@gmail.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-01-26 12:17:25 +03:00
# TODO add bindings for descriptor manipulation and get rid of this
python: use raw string for regex with escape Python regards 'GPT\.INI$' as a string containing an invalid escape sequence '\.', which is ignored (i.e. treated as the literal sequence of those 2 characters), but only after Python has grumbled to itself, and to you if you enabled DeprecationWarnings. The proper thing to do here is use r-strings, like r'GPT\.INI$', which tell Python that all backslashes are literal. Alternatively (as we do once in this patch), the backslash can itself be escaped ('\\'). There are more problems of this nature in the build scripts. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Noel Power <npower@samba.org>
2020-02-07 01:25:27 +03:00
desc_aces = re.findall(r"\(.*?\)", desc_sddl)
Update dsacl.py - add_ace to handle/verify sddl parameter correct Test for samba-tool dsacl set --sddl parmeter Update tests.py - add dsacl (dsacl.py / samba-tool dsacl set) test Signed-off-by: <Martin Krämer mk.maddin@gmail.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-01-26 12:17:25 +03:00
for ace in desc_aces:
if ("ID" in ace):
desc_sddl = desc_sddl.replace(ace, "")
if new_ace in desc_sddl:
continue
if desc_sddl.find("(") >= 0:
desc_sddl = desc_sddl[:desc_sddl.index("(")] + new_ace + desc_sddl[desc_sddl.index("("):]
else:
desc_sddl = desc_sddl + new_ace
samba-tool dsacl: Create helper functions to remove code duplication Make multiple methods of dsacl command classes separate helper functions to avoid code duplication. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-15 11:08:47 +03:00
desc = security.descriptor.from_sddl(desc_sddl, get_domain_sid(samdb))
modify_descriptor(samdb, object_dn, desc)
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
samba-tool dsacl: Mark old and new descriptor output correctly Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-02-21 05:33:01 +03:00
def print_acl(self, samdb, object_dn, new=False):
samba-tool dsacl: Create helper functions to remove code duplication Make multiple methods of dsacl command classes separate helper functions to avoid code duplication. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-15 11:08:47 +03:00
desc = read_descriptor(samdb, object_dn)
desc_sddl = desc.as_sddl(get_domain_sid(samdb))
samba-tool dsacl: Mark old and new descriptor output correctly Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-02-21 05:33:01 +03:00
if new:
self.outf.write("new descriptor for %s:\n" % object_dn)
else:
self.outf.write("old descriptor for %s:\n" % object_dn)
samba-tool: Use self.outf in a few more places. Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Thu Oct 13 05:06:52 CEST 2011 on sn-devel-104
2011-10-13 02:36:44 +04:00
self.outf.write(desc_sddl + "\n")
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
s4-tools: Added --sddl option, which allows the user to add an ACE to an object's security descriptor in SDDL format Useful for testing purposes. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Thu Feb 10 15:28:04 CET 2011 on sn-devel-104
2011-02-10 16:04:23 +03:00
def run(self, car, action, objectdn, trusteedn, sddl,
samba-tool: add -H or --URL where necessary To improve consistency, I've made sure all the commands take either a -H or --URL when specifying a URL Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-25 19:56:10 +04:00
H=None, credopts=None, sambaopts=None, versionopts=None):
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
s4-tools: Added --sddl option, which allows the user to add an ACE to an object's security descriptor in SDDL format Useful for testing purposes. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Thu Feb 10 15:28:04 CET 2011 on sn-devel-104
2011-02-10 16:04:23 +03:00
if sddl is None and (car is None or action is None
or objectdn is None or trusteedn is None):
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
return self.usage()
samba-tool: add -H or --URL where necessary To improve consistency, I've made sure all the commands take either a -H or --URL when specifying a URL Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-25 19:56:10 +04:00
samdb = SamDB(url=H, session_info=system_session(),
PEP8: fix E128: continuation line under-indented for visual indent Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-07-30 09:16:12 +03:00
credentials=creds, lp=lp)
PEP8: fix E203: whitespace before ':' Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-07-30 09:17:14 +03:00
cars = {'change-rid': GUID_DRS_CHANGE_RID_MASTER,
'change-pdc': GUID_DRS_CHANGE_PDC,
'change-infrastructure': GUID_DRS_CHANGE_INFR_MASTER,
'change-schema': GUID_DRS_CHANGE_SCHEMA_MASTER,
'change-naming': GUID_DRS_CHANGE_DOMAIN_MASTER,
'allocate_rids': GUID_DRS_ALLOCATE_RIDS,
'get-changes': GUID_DRS_GET_CHANGES,
'get-changes-all': GUID_DRS_GET_ALL_CHANGES,
'get-changes-filtered': GUID_DRS_GET_FILTERED_ATTRIBUTES,
'topology-manage': GUID_DRS_MANAGE_TOPOLOGY,
'topology-monitor': GUID_DRS_MONITOR_TOPOLOGY,
'repl-sync': GUID_DRS_REPL_SYNCRONIZE,
'ro-repl-secret-sync': GUID_DRS_RO_REPL_SECRET_SYNC,
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
}
samba-tool dsacl: Create helper functions to remove code duplication Make multiple methods of dsacl command classes separate helper functions to avoid code duplication. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-15 11:08:47 +03:00
sid = find_trustee_sid(samdb, trusteedn)
s4-tools: Added --sddl option, which allows the user to add an ACE to an object's security descriptor in SDDL format Useful for testing purposes. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Thu Feb 10 15:28:04 CET 2011 on sn-devel-104
2011-02-10 16:04:23 +03:00
if sddl:
new_ace = sddl
elif action == "allow":
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
new_ace = "(OA;;CR;%s;;%s)" % (cars[car], str(sid))
elif action == "deny":
new_ace = "(OD;;CR;%s;;%s)" % (cars[car], str(sid))
else:
raise CommandError("Wrong argument '%s'!" % action)
samba-tool dsacl: Mark old and new descriptor output correctly Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-02-21 05:33:01 +03:00
self.print_acl(samdb, objectdn)
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
self.add_ace(samdb, objectdn, new_ace)
samba-tool dsacl: Mark old and new descriptor output correctly Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-02-21 05:33:01 +03:00
self.print_acl(samdb, objectdn, new=True)
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
s4-python: Simplify code, improve formatting.
2010-04-08 20:57:09 +04:00
Add command "samba-tool dsacl get" This code is very equal to "samba-tool dsacl set", except it only prints out the current sddl of an object. Signed-off-by: Martin Krämer <mk.maddin@gmail.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-01-09 18:13:58 +03:00
class cmd_dsacl_get(Command):
"""Print access list on a directory object."""
synopsis = "%prog [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
}
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server",
type=str, metavar="URL", dest="H"),
Option("--objectdn", help="DN of the object whose SD to modify",
type="string"),
]
def print_acl(self, samdb, object_dn):
samba-tool dsacl: Create helper functions to remove code duplication Make multiple methods of dsacl command classes separate helper functions to avoid code duplication. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-15 11:08:47 +03:00
desc = read_descriptor(samdb, object_dn)
desc_sddl = desc.as_sddl(get_domain_sid(samdb))
Add command "samba-tool dsacl get" This code is very equal to "samba-tool dsacl set", except it only prints out the current sddl of an object. Signed-off-by: Martin Krämer <mk.maddin@gmail.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-01-09 18:13:58 +03:00
self.outf.write("descriptor for %s:\n" % object_dn)
self.outf.write(desc_sddl + "\n")
def run(self, objectdn,
H=None, credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
self.print_acl(samdb, objectdn)
samba-tool dsacl: Add subcommand to delete ACEs A new subcommand has been added to samba-tool dsacl to delete one or multiple ACEs from the security descriptor of an object. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-14 02:29:34 +03:00
class cmd_dsacl_delete(Command):
"""Delete an access list entry on a directory object."""
synopsis = "%prog [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
}
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server",
type=str, metavar="URL", dest="H"),
Option("--objectdn", help="DN of the object whose SD to modify",
type="string"),
Option("--sddl", help="An ACE or group of ACEs to be deleted from the object",
type="string"),
]
def print_acl(self, samdb, object_dn, new=False):
samba-tool dsacl: Create helper functions to remove code duplication Make multiple methods of dsacl command classes separate helper functions to avoid code duplication. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-15 11:08:47 +03:00
desc = read_descriptor(samdb, object_dn)
desc_sddl = desc.as_sddl(get_domain_sid(samdb))
samba-tool dsacl: Add subcommand to delete ACEs A new subcommand has been added to samba-tool dsacl to delete one or multiple ACEs from the security descriptor of an object. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-14 02:29:34 +03:00
if new:
self.outf.write("new descriptor for %s:\n" % object_dn)
else:
self.outf.write("old descriptor for %s:\n" % object_dn)
self.outf.write(desc_sddl + "\n")
def run(self, objectdn, sddl, H=None, credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
if sddl is None or objectdn is None:
return self.usage()
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
self.print_acl(samdb, objectdn)
self.delete_ace(samdb, objectdn, sddl)
self.print_acl(samdb, objectdn, new=True)
def delete_ace(self, samdb, object_dn, delete_aces):
"""Delete ace explicitly."""
desc = read_descriptor(samdb, object_dn)
domsid = get_domain_sid(samdb)
delete_aces = security.descriptor.from_sddl("D:" + delete_aces, domsid).dacl.aces
for ace in delete_aces:
if ace in desc.dacl.aces:
desc.dacl_del_ace(ace)
else:
sddl = ace.as_sddl(domsid)
self.outf.write("WARNING: (%s) was not found in the current security descriptor.\n" % sddl)
modify_descriptor(samdb, object_dn, desc)
samba-tool: Added "dsacl" command Added "dsacl" command to substitute "acl ds" Signed-off-by: Amitay Isaacs <amitay@gmail.com> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-31 01:09:53 +04:00
class cmd_dsacl(SuperCommand):
samba-tool: Some more unifications... in the usage message. Karolin
2012-10-09 13:53:21 +04:00
"""DS ACLs manipulation."""
Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed to this, which is "net acl ds" ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --help show this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos
2010-03-16 14:06:08 +03:00
subcommands = {}
samba-tool: Added "dsacl" command Added "dsacl" command to substitute "acl ds" Signed-off-by: Amitay Isaacs <amitay@gmail.com> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-31 01:09:53 +04:00
subcommands["set"] = cmd_dsacl_set()
Add command "samba-tool dsacl get" This code is very equal to "samba-tool dsacl set", except it only prints out the current sddl of an object. Signed-off-by: Martin Krämer <mk.maddin@gmail.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-01-09 18:13:58 +03:00
subcommands["get"] = cmd_dsacl_get()
samba-tool dsacl: Add subcommand to delete ACEs A new subcommand has been added to samba-tool dsacl to delete one or multiple ACEs from the security descriptor of an object. Signed-off-by: Christian Merten <christian@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-14 02:29:34 +03:00
subcommands["delete"] = cmd_dsacl_delete()
Copy Permalink