sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-04 08:22:08 +03:00
Code Activity

s4-samba-tool: fixed the gpo command to use the right DN for access checks

Browse Source
This commit is contained in:
Andrew Tridgell
2011-01-13 15:09:03 +11:00
parent a38854f74b
commit a0bc538a8f
1 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
source4/scripting/python/samba/netcmd/gpo.py
View File

@ -180,7 +180,6 @@ class cmd_list(Command):
session = samba.auth.user_session(self.samdb, lp_ctx=self.lp, dn=user_dn, session = samba.auth.user_session(self.samdb, lp_ctx=self.lp, dn=user_dn,
session_info_flags=session_info_flags) session_info_flags=session_info_flags)
print dir(session)
token = session.security_token token = session.security_token
gpos = [] gpos = []
@ -188,7 +187,7 @@ class cmd_list(Command):
inherit = True inherit = True
dn = ldb.Dn(self.samdb, str(user_dn)).parent() dn = ldb.Dn(self.samdb, str(user_dn)).parent()
while True: while True:
msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions', 'ntSecurityDescriptor'])[0] msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions'])[0]
if 'gPLink' in msg: if 'gPLink' in msg:
glist = parse_gplink(msg['gPLink'][0]) glist = parse_gplink(msg['gPLink'][0])
for g in glist: for g in glist:
@ -197,17 +196,27 @@ class cmd_list(Command):
if g['options'] & dsdb.GPLINK_OPT_DISABLE: if g['options'] & dsdb.GPLINK_OPT_DISABLE:
continue continue
secdesc_ndr = msg['ntSecurityDescriptor'][0] try:
gmsg = self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE,
attrs=['flags', 'ntSecurityDescriptor'])
except Exception:
print "Failed to fetch gpo object %s" % g['dn']
continue
secdesc_ndr = gmsg[0]['ntSecurityDescriptor'][0]
secdesc = ndr_unpack(dcerpc.security.descriptor, secdesc_ndr) secdesc = ndr_unpack(dcerpc.security.descriptor, secdesc_ndr)
try: try:
samba.security.access_check(secdesc, token, dcerpc.security.SEC_RIGHTS_FILE_READ) samba.security.access_check(secdesc, token,
dcerpc.security.SEC_STD_READ_CONTROL |
dcerpc.security.SEC_ADS_LIST |
dcerpc.security.SEC_ADS_READ_PROP)
except RuntimeError: except RuntimeError:
print "Failed access check on %s" % msg.dn print "Failed access check on %s" % msg.dn
continue continue
# check the flags on the GPO # check the flags on the GPO
flags = int(attr_default(self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE, attrs=['flags'])[0], 'flags', 0)) flags = int(attr_default(gmsg[0], 'flags', 0))
if is_computer and (flags & dsdb.GPO_FLAG_MACHINE_DISABLE): if is_computer and (flags & dsdb.GPO_FLAG_MACHINE_DISABLE):
continue continue
if not is_computer and (flags & dsdb.GPO_FLAG_USER_DISABLE): if not is_computer and (flags & dsdb.GPO_FLAG_USER_DISABLE):