s4: utils recreate in python setntacl and getntacl

setntacl is able to set NTACL attribute from command line
  getntacl now use getopt for parsing command line option and is also able to
  dump the acl in the SDDL format.

source4/scripting/python/samba/netcmd/__init__.py

@@ -143,3 +143,5 @@ from samba.netcmd.enableaccount import cmd_enableaccount
 commands["enableaccount"] = cmd_enableaccount()
 from samba.netcmd.newuser import cmd_newuser
 commands["newuser"] = cmd_newuser()
+from samba.netcmd.ntacl import cmd_acl
+commands["acl"] = cmd_acl()

source4/scripting/python/samba/netcmd/ntacl.py

@@ -0,0 +1,119 @@
+#!/usr/bin/python
+#
+# Manipulate file NT ACLs
+#
+# Copyright Matthieu Patou 2010 <mat@matws.net>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from samba.credentials import DONT_USE_KERBEROS
+import samba.getopt as options
+from samba.dcerpc import security
+from samba.ntacls import setntacl, getntacl
+from samba import Ldb
+from samba.ndr import ndr_unpack
+
+from ldb import SCOPE_BASE
+import ldb
+import os
+import sys
+
+from samba.auth import system_session
+from samba.netcmd import (
+    Command,
+	SuperCommand,
+    CommandError,
+    Option,
+    )
+
+class cmd_acl_set(Command):
+    """Set ACLs on a file"""
+    synopsis = "%prog set <acl> <file> [--xattr-backend=native|tdb] [--eadb-file=file] [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "credopts": options.CredentialsOptions,
+        "versionopts": options.VersionOptions,
+        }
+
+    takes_options = [
+        Option("--quiet", help="Be quiet", action="store_true"),
+        Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
+               choices=["native","tdb"]),
+        Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
+		]
+
+    takes_args = ["acl","file"]
+
+    def run(self, acl, file, quiet=False,xattr_backend=None,eadb_file=None,
+            credopts=None, sambaopts=None, versionopts=None):
+		lp = sambaopts.get_loadparm()
+		creds = credopts.get_credentials(lp)
+		path = os.path.join(lp.get("private dir"), lp.get("sam database") or "samdb.ldb")
+		creds = credopts.get_credentials(lp)
+		creds.set_kerberos_state(DONT_USE_KERBEROS)
+		try:
+			ldb = Ldb(path, session_info=system_session(), credentials=creds,lp=lp)
+		except:
+			print "Unable to read domain SID from configuration files"
+			sys.exit(1)
+		attrs = ["objectSid"]
+		print lp.get("realm")
+		res = ldb.search(expression="(objectClass=*)",base="DC=%s"%lp.get("realm").lower().replace(".",",DC="), scope=SCOPE_BASE, attrs=attrs)
+		if len(res) !=0:
+			domainsid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+			setntacl(lp,file,acl,str(domainsid),xattr_backend,eadb_file)
+		else:
+			print "Unable to read domain SID from configuration files"
+			sys.exit(1)
+
+class cmd_acl_get(Command):
+    """Set ACLs on a file"""
+    synopsis = "%prog get <file> [--as-sddl] [--xattr-backend=native|tdb] [--eadb-file=file] [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "credopts": options.CredentialsOptions,
+        "versionopts": options.VersionOptions,
+        }
+
+    takes_options = [
+        Option("--as-sddl", help="Output ACL in the SDDL format", action="store_true"),
+        Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
+               choices=["native","tdb"]),
+        Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
+        ]
+
+    takes_args = ["file"]
+
+    def run(self, file, as_sddl=False,xattr_backend=None,eadb_file=None,
+            credopts=None, sambaopts=None, versionopts=None):
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp)
+	acl = getntacl(lp,file,xattr_backend,eadb_file)
+        if as_sddl:
+            anysid=security.dom_sid(security.SID_NT_SELF)
+            print acl.info.as_sddl(anysid)
+        else:
+            acl.dump()
+
+
+class cmd_acl(SuperCommand):
+    """NT ACLs manipulation"""
+
+    subcommands = {}
+    subcommands["set"] = cmd_acl_set()
+    subcommands["get"] = cmd_acl_get()
+

source4/scripting/python/samba/ntacls.py

@@ -63,8 +63,8 @@ def setntacl(lp,file,sddl,domsid,backend=None,eadbfile=None):
 		raise
 	ntacl=xattr.NTACL()
 	ntacl.version = 1
-	anysid=security.dom_sid(domsid)
-	sd = security.descriptor.from_sddl(sddl, anysid)
+	sid=security.dom_sid(domsid)
+	sd = security.descriptor.from_sddl(sddl, sid)
 	ntacl.info = sd
 	eadbname = lp.get("posix:eadb")
 	if eadbname != None  and eadbname != "":
@@ -135,8 +135,8 @@ def ldapmask2filemask(ldm):
 # for files. It's used for Policy object provision
 
 def dsacl2fsacl(dssddl,domsid):
-	anysid = security.dom_sid(domsid)
-	ref = security.descriptor.from_sddl(dssddl,anysid)
+	sid = security.dom_sid(domsid)
+	ref = security.descriptor.from_sddl(dssddl,sid)
 	fdescr = security.descriptor()
 	fdescr.owner_sid = ref.owner_sid
 	fdescr.group_sid = ref.group_sid
@@ -155,4 +155,4 @@ def dsacl2fsacl(dssddl,domsid):
 			ace.access_mask =  ldapmask2filemask(ace.access_mask)
 			fdescr.dacl_add(ace)
 
-	return fdescr.as_sddl(anysid)
+	return fdescr.as_sddl(sid)