sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-05 12:22:11 +03:00
Code Activity

samba-tool: Replace gpo command for removing Sudoers Group Policy

Browse Source 
Replace it with the VGP command for removing
sudoers entries from an xml file.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Feb 14 00:53:41 UTC 2021 on sn-devel-184
This commit is contained in:
David Mulder
2020-12-23 08:09:32 -07:00
committed by Jeremy Allison
parent 430e065fa9
commit 09a8f409e5
3 changed files with 73 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs-xml/manpages/samba-tool.8.xml
View File

@ -934,6 +934,11 @@
<para>List Samba Sudoers Group Policy from the sysvol.</para>
</refsect3>
<refsect3>
<title>gpo manage sudoers remove</title>
<para>Removes a Samba Sudoers Group Policy from the sysvol.</para>
</refsect3>
<refsect2>
<title>group</title>
<para>Manage groups.</para>

69
python/samba/netcmd/gpo.py
View File

@ -1888,7 +1888,74 @@ samba-tool gpo manage sudoers remove {31B2F340-016D-11D2-945F-00C04FB984F9} 'fak
takes_args = ["gpo", "entry"]
def run(self, gpo, entry, H=None, sambaopts=None, credopts=None, versionopts=None):
pass
self.lp = sambaopts.get_loadparm()
self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
# We need to know writable DC to setup SMB connection
if H and H.startswith('ldap://'):
dc_hostname = H[7:]
self.url = H
else:
dc_hostname = netcmd_finddc(self.lp, self.creds)
self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
# SMB connect to DC
conn = smb_connection(dc_hostname,
'sysvol',
lp=self.lp,
creds=self.creds)
realm = self.lp.get('realm')
vgp_dir = '\\'.join([realm.lower(), 'Policies', gpo,
'MACHINE\\VGP\\VTLA\\Sudo',
'SudoersConfiguration'])
vgp_xml = '\\'.join([vgp_dir, 'manifest.xml'])
try:
xml_data = ET.ElementTree(ET.fromstring(conn.loadfile(vgp_xml)))
policysetting = xml_data.getroot().find('policysetting')
data = policysetting.find('data')
except NTSTATUSError as e:
# STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND,
# STATUS_OBJECT_PATH_NOT_FOUND
if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]:
raise CommandError("The specified entry does not exist")
elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
raise CommandError("The authenticated user does "
"not have sufficient privileges")
raise
entries = {}
for e in data.findall('sudoers_entry'):
command = e.find('command').text
user = e.find('user').text
principals = e.find('listelement').findall('principal')
if len(principals) > 0:
uname = ','.join([u.text if u.attrib['type'] == 'user' \
else '%s%%' % u.text for u in principals])
else:
uname = 'ALL'
nopassword = e.find('password') == None
np_entry = ' NOPASSWD:' if nopassword else ''
p = '%s ALL=(%s)%s %s' % (uname, user, np_entry, command)
entries[p] = e
if entry not in entries.keys():
raise CommandError("Cannot remove '%s' because it does not exist" %
entry)
data.remove(entries[entry])
out = BytesIO()
xml_data.write(out, encoding='UTF-8', xml_declaration=True)
out.seek(0)
try:
create_directory_hier(conn, vgp_dir)
conn.savefile(vgp_xml, out.read())
except NTSTATUSError as e:
if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
raise CommandError("The authenticated user does "
"not have sufficient privileges")
raise
class cmd_sudoers(SuperCommand):
"""Manage Sudoers Group Policy Objects"""

1
selftest/knownfail.d/gpo
View File

@ -1 +0,0 @@
samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_vgp_sudoers_add