sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-03 04:22:09 +03:00
Code Activity

samba_upgradeprovision: Remove inherited ACEs before comparing the SDs

Browse Source 
This avoids changing an SD when it is not really required.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett
2013-02-17 22:44:56 +11:00
committed by Stefan Metzmacher
parent 5074b98714
commit 9b8d5bba50
2 changed files with 65 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
python/samba/upgradehelpers.py
View File

@ -33,7 +33,7 @@ from samba.provision import (provision_paths_from_lp,
getpolicypath, set_gpos_acl, create_gpo_struct,
FILL_FULL, provision, ProvisioningError,
setsysvolacl, secretsdb_self_join)
from samba.dcerpc import xattr, drsblobs
from samba.dcerpc import xattr, drsblobs, security
from samba.dcerpc.misc import SEC_CHAN_BDC
from samba.ndr import ndr_unpack
from samba.samdb import SamDB
@ -346,6 +346,46 @@ def chunck_sddl(sddl):
return hash
def get_clean_sd(sd):
"""Get the SD without difference between 2 sddl
This function split the textual representation of ACL into smaller
chunck in order to not to report a simple permutation as a difference
:param refsddl: First sddl to compare
:param cursddl: Second sddl to compare
:param checkSacl: If false we skip the sacl checks
:return: A string that explain difference between sddls
"""
sd_clean = security.descriptor()
sd_clean.owner_sid = sd.owner_sid
sd_clean.group_sid = sd.group_sid
sd_clean.type = sd.type
sd_clean.revision = sd.revision
aces = []
if sd.sacl is not None:
aces = sd.sacl.aces
for i in range(0, len(aces)):
ace = aces[i]
if not ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
sd_clean.sacl_add(ace)
continue
aces = []
if sd.dacl is not None:
aces = sd.dacl.aces
for i in range(0, len(aces)):
ace = aces[i]
if not ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
sd_clean.dacl_add(ace)
continue
return sd_clean
def get_diff_sds(refsd, cursd, domainsid, checkSacl = True):
"""Get the difference between 2 sd
@ -358,8 +398,8 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl = True):
:return: A string that explain difference between sddls
"""
cursddl = cursd.as_sddl(domainsid)
refsddl = refsd.as_sddl(domainsid)
cursddl = get_clean_sd(cursd).as_sddl(domainsid)
refsddl = get_clean_sd(refsd).as_sddl(domainsid)
txt = ""
hash_cur = chunck_sddl(cursddl)