sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-12-20 16:23:51 +03:00
Code Activity

samba-tool: Replace gpo command for adding Sudoers Group Policy

Browse Source 
Replace it with the VGP command for adding
sudoers entries in an xml file.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
David Mulder
2020-12-22 13:34:19 -07:00
committed by Jeremy Allison
parent 7f3c2b69be
commit 30e0ba2ed8
3 changed files with 85 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
python/samba/netcmd/gpo.py
View File

@@ -1708,7 +1708,86 @@ fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL
def run(self, gpo, command, user, users, groups=None, passwd=None,
H=None, sambaopts=None, credopts=None, versionopts=None):
pass
self.lp = sambaopts.get_loadparm()
self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
# We need to know writable DC to setup SMB connection
if H and H.startswith('ldap://'):
dc_hostname = H[7:]
self.url = H
else:
dc_hostname = netcmd_finddc(self.lp, self.creds)
self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
# SMB connect to DC
conn = smb_connection(dc_hostname,
'sysvol',
lp=self.lp,
creds=self.creds)
realm = self.lp.get('realm')
vgp_dir = '\\'.join([realm.lower(), 'Policies', gpo,
'MACHINE\\VGP\\VTLA\\Sudo',
'SudoersConfiguration'])
vgp_xml = '\\'.join([vgp_dir, 'manifest.xml'])
try:
xml_data = ET.ElementTree(ET.fromstring(conn.loadfile(vgp_xml)))
policysetting = xml_data.getroot().find('policysetting')
data = policysetting.find('data')
except NTSTATUSError as e:
# STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND,
# STATUS_OBJECT_PATH_NOT_FOUND
if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]:
# The file doesn't exist, so create the xml structure
xml_data = ET.ElementTree(ET.Element('vgppolicy'))
policysetting = ET.SubElement(xml_data.getroot(),
'policysetting')
pv = ET.SubElement(policysetting, 'version')
pv.text = '1'
name = ET.SubElement(policysetting, 'name')
name.text = 'Sudo Policy'
description = ET.SubElement(policysetting, 'description')
description.text = 'Sudoers File Configuration Policy'
apply_mode = ET.SubElement(policysetting, 'apply_mode')
apply_mode.text = 'merge'
data = ET.SubElement(policysetting, 'data')
load_plugin = ET.SubElement(data, 'load_plugin')
load_plugin.text = 'true'
elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
raise CommandError("The authenticated user does "
"not have sufficient privileges")
else:
raise
sudoers_entry = ET.SubElement(data, 'sudoers_entry')
if passwd:
ET.SubElement(sudoers_entry, 'password')
command_elm = ET.SubElement(sudoers_entry, 'command')
command_elm.text = command
user_elm = ET.SubElement(sudoers_entry, 'user')
user_elm.text = user
listelement = ET.SubElement(sudoers_entry, 'listelement')
for u in users.split(','):
principal = ET.SubElement(listelement, 'principal')
principal.text = u
principal.attrib['type'] = 'user'
if groups is not None:
for g in groups.split():
principal = ET.SubElement(listelement, 'principal')
principal.text = g
principal.attrib['type'] = 'group'
out = BytesIO()
xml_data.write(out, encoding='UTF-8', xml_declaration=True)
out.seek(0)
try:
create_directory_hier(conn, vgp_dir)
conn.savefile(vgp_xml, out.read())
except NTSTATUSError as e:
if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
raise CommandError("The authenticated user does "
"not have sufficient privileges")
raise
class cmd_list_sudoers(Command):
"""List Samba Sudoers Group Policy from the sysvol