sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-03 04:22:09 +03:00
Code Activity

provision: No longer use the wheel group in new AD Domains

Browse Source 
The issue here is that if we set S-1-5-32-544 (administrators) to a
GID only, then users cannot force a mandetory profile to be owned by
administrators (which is a requirement).

There is no particularly useful reason for us to enforce this matching
a system group.

Andrew Bartlett
This commit is contained in:
Andrew Bartlett
2012-10-16 13:08:22 +11:00
parent b557f34c80
commit 9eb022c8c6
6 changed files with 29 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
source4/scripting/python/samba/netcmd/domain.py
View File

@ -186,8 +186,6 @@ class cmd_domain_provision(Command):
help="choose 'root' unix username"),
Option("--nobody", type="string", metavar="USERNAME",
help="choose 'nobody' user"),
Option("--wheel", type="string", metavar="GROUPNAME",
help="choose 'wheel' privileged group"),
Option("--users", type="string", metavar="GROUPNAME",
help="choose 'users' group"),
Option("--quiet", help="Be quiet", action="store_true"),
@ -237,7 +235,6 @@ class cmd_domain_provision(Command):
ldapadminpass=None,
root=None,
nobody=None,
wheel=None,
users=None,
quiet=None,
blank=None,
@ -393,7 +390,7 @@ class cmd_domain_provision(Command):
krbtgtpass=krbtgtpass, machinepass=machinepass,
dns_backend=dns_backend, dns_forwarder=dns_forwarder,
dnspass=dnspass, root=root, nobody=nobody,
wheel=wheel, users=users,
users=users,
serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
backend_type=ldap_backend_type,
ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls,

39
source4/scripting/python/samba/provision/__init__.py
View File

@ -240,12 +240,16 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
else:
names.policyid_dc = None
res9 = idmapdb.search(expression="(cn=%s)" %
(security.SID_BUILTIN_ADMINISTRATORS),
attrs=["xidNumber"])
res9 = idmapdb.search(expression="(cn=%s-%s)" %
(str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR),
attrs=["xidNumber", "type"])
if len(res9) != 1:
raise ProvisioningError("Unable to find uid/gid for Domain Admins rid")
names.wheel_gid = res9[0]["xidNumber"]
raise ProvisioningError("Unable to find uid/gid for Domain Admins rid (%s-%s" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))
if res9[0]["type"][0] == "ID_TYPE_BOTH":
names.root_gid = res9[0]["xidNumber"][0]
else:
names.root_gid = pwd.getpwuid(int(res9[0]["xidNumber"][0])).pw_gid
return names
@ -683,7 +687,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
users_gid, wheel_gid):
users_gid, root_gid):
"""setup reasonable name mappings for sam names to unix names.
:param samdb: SamDB object.
@ -693,10 +697,9 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
:param root_uid: uid of the UNIX root user.
:param nobody_uid: uid of the UNIX nobody user.
:param users_gid: gid of the UNIX users group.
:param wheel_gid: gid of the UNIX wheel group.
:param root_gid: gid of the UNIX root group.
"""
idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
idmap.setup_name_mapping("S-1-5-32-544", idmap.TYPE_GID, wheel_gid)
idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
@ -1640,7 +1643,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
policyguid_dc)
if not skip_sysvolacl:
setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
paths.wheel_gid, domainsid, names.dnsdomain,
paths.root_gid, domainsid, names.dnsdomain,
names.domaindn, lp, use_ntvfs)
else:
logger.info("Setting acl on sysvol skipped")
@ -1772,7 +1775,7 @@ def provision(logger, session_info, credentials, smbconf=None,
krbtgtpass=None, domainguid=None, policyguid=None, policyguid_dc=None,
dns_backend=None, dns_forwarder=None, dnspass=None,
invocationid=None, machinepass=None, ntdsguid=None,
root=None, nobody=None, users=None, wheel=None, backup=None, aci=None,
root=None, nobody=None, users=None, backup=None, aci=None,
serverrole=None, dom_for_fun_level=None, backend_type=None,
sitename=None, ol_mmr_urls=None, ol_olc=None, slapd_path="/bin/false",
useeadb=False, am_rodc=False, lp=None, use_ntvfs=False,
@ -1802,10 +1805,8 @@ def provision(logger, session_info, credentials, smbconf=None,
root_uid = findnss_uid([root or "root"])
nobody_uid = findnss_uid([nobody or "nobody"])
users_gid = findnss_gid([users or "users", 'users', 'other', 'staff'])
if wheel is None:
wheel_gid = findnss_gid(["wheel", "adm"])
else:
wheel_gid = findnss_gid([wheel])
root_gid = pwd.getpwuid(root_uid).pw_gid
try:
bind_gid = findnss_gid(["bind", "named"])
except KeyError:
@ -1868,7 +1869,7 @@ def provision(logger, session_info, credentials, smbconf=None,
paths.bind_gid = bind_gid
paths.root_uid = root_uid;
paths.wheel_gid = wheel_gid
paths.root_gid = root_gid
if hostip is None:
logger.info("Looking up IPv4 addresses")
@ -1919,7 +1920,7 @@ def provision(logger, session_info, credentials, smbconf=None,
file = tempfile.NamedTemporaryFile(dir=os.path.abspath(paths.sysvol))
try:
try:
smbd.set_simple_acl(file.name, 0755, wheel_gid)
smbd.set_simple_acl(file.name, 0755, root_gid)
except Exception:
if not smbd.have_posix_acls():
# This clue is only strictly correct for RPM and
@ -1929,7 +1930,7 @@ def provision(logger, session_info, credentials, smbconf=None,
raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.")
try:
smbd.chown(file.name, root_uid, wheel_gid)
smbd.chown(file.name, root_uid, root_gid)
except Exception:
raise ProvisioningError("Unable to chown a file on your filesystem. You may not be running provision as root.")
finally:
@ -1993,7 +1994,7 @@ def provision(logger, session_info, credentials, smbconf=None,
setup_name_mappings(idmap, sid=str(domainsid),
root_uid=root_uid, nobody_uid=nobody_uid,
users_gid=users_gid, wheel_gid=wheel_gid)
users_gid=users_gid, root_gid=root_gid)
logger.info("Setting up SAM db")
samdb = setup_samdb(paths.samdb, session_info,
@ -2093,7 +2094,7 @@ def provision_become_dc(smbconf=None, targetdir=None,
serverdn=None, domain=None, hostname=None, domainsid=None,
adminpass=None, krbtgtpass=None, domainguid=None, policyguid=None,
policyguid_dc=None, invocationid=None, machinepass=None, dnspass=None,
dns_backend=None, root=None, nobody=None, users=None, wheel=None,
dns_backend=None, root=None, nobody=None, users=None,
backup=None, serverrole=None, ldap_backend=None,
ldap_backend_type=None, sitename=None, debuglevel=1, use_ntvfs=False):

8
source4/scripting/python/samba/tests/posixacl.py
View File

@ -147,7 +147,7 @@ class PosixAclMappingTests(TestCase):
(LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
self.assertEquals(LA_type, idmap.ID_TYPE_UID)
(BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
self.assertEquals(BA_type, idmap.ID_TYPE_GID)
self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
(SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
(SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
@ -194,7 +194,7 @@ class PosixAclMappingTests(TestCase):
# user::rwx
# user:root:rwx (selftest user actually)
# group::rwx
# group:wheel:rwx
# group:Local Admins:rwx
# group:3000000:r-x
# group:3000001:rwx
# group:3000002:r-x
@ -274,7 +274,7 @@ class PosixAclMappingTests(TestCase):
(LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
self.assertEquals(LA_type, idmap.ID_TYPE_UID)
(BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
self.assertEquals(BA_type, idmap.ID_TYPE_GID)
self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
(SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
(SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
@ -327,7 +327,7 @@ class PosixAclMappingTests(TestCase):
# user::rwx
# user:root:rwx (selftest user actually)
# group::rwx
# group:wheel:rwx
# group:Local Admins:rwx
# group:3000000:r-x
# group:3000001:rwx
# group:3000002:r-x

2
source4/scripting/python/samba/upgrade.py
View File

@ -908,7 +908,7 @@ Please fix this account before attempting to upgrade again
if result.server_role == "active directory domain controller":
setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol,
result.paths.root_uid, result.paths.wheel_gid,
result.paths.root_uid, result.paths.root_gid,
security.dom_sid(result.domainsid), result.names.dnsdomain,
result.names.domaindn, result.lp, use_ntvfs)

4
source4/scripting/python/samba/upgradehelpers.py
View File

@ -251,7 +251,7 @@ def newprovision(names, creds, session, smbconf, provdir, logger):
hostname=names.netbiosname.lower(), hostip=None, hostip6=None,
invocationid=names.invocation, adminpass=names.adminpass,
krbtgtpass=None, machinepass=None, dnspass=None, root=None,
nobody=None, wheel=None, users=None,
nobody=None, users=None,
serverrole="domain controller",
backend_type=None, ldapadminpass=None, ol_mmr_urls=None,
slapd_path=None,
@ -615,7 +615,7 @@ def update_gpo(paths, samdb, names, lp, message, force=0):
if resetacls:
try:
setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.wheel_gid,
setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.root_gid,
names.domainsid, names.dnsdomain, names.domaindn, lp)
except TypeError, e:
acl_error(e)