sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-07-30 19:42:05 +03:00
Code Activity

s4: Set acls correctly on all sysvol and scripts shares

Browse Source
This commit is contained in:
Matthieu Patou
2009-11-22 20:50:30 +03:00
committed by Andrew Bartlett
parent 9b70979bc9
commit e78626dc2e
2 changed files with 51 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
source4/scripting/python/samba/provision.py
View File

@ -828,16 +828,8 @@ def setup_self_join(samdb, names,
"DNSPASS_B64": b64encode(dnspass), "DNSPASS_B64": b64encode(dnspass),
}) })
def set_gpo_acl(path,acl,setfileacl):
if setfileacl:
setntacl(path,acl)
for root, dirs, files in os.walk(path, topdown=False):
for name in files:
setntacl(os.path.join(root, name),acl)
for name in dirs:
setntacl(os.path.join(root, name),acl)
def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid,setfileacl): def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid):
policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies", policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
"{" + policyguid + "}") "{" + policyguid + "}")
os.makedirs(policy_path, 0755) os.makedirs(policy_path, 0755)
@ -853,20 +845,6 @@ def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid,setfileacl):
"[General]\r\nVersion=2") "[General]\r\nVersion=2")
os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755) os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755)
os.makedirs(os.path.join(policy_path_dc, "USER"), 0755) os.makedirs(os.path.join(policy_path_dc, "USER"), 0755)
# call setntacl ...
res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s"%(policyguid,names.domaindn),
attrs=["nTSecurityDescriptor"],
expression="", scope=SCOPE_BASE)
assert(len(res) > 0)
acl = ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
set_gpo_acl(policy_path_dc,dsacl2fsacl(acl),setfileacl)
res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s"%(policyguid_dc,names.domaindn),
attrs=["nTSecurityDescriptor"],
expression="", scope=SCOPE_BASE)
assert(len(res) > 0)
acl = ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
set_gpo_acl(policy_path,dsacl2fsacl(acl),setfileacl)
def setup_samdb(path, setup_path, session_info, provision_backend, lp, def setup_samdb(path, setup_path, session_info, provision_backend, lp,
@ -1075,6 +1053,43 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
FILL_FULL = "FULL" FILL_FULL = "FULL"
FILL_NT4SYNC = "NT4SYNC" FILL_NT4SYNC = "NT4SYNC"
FILL_DRS = "DRS" FILL_DRS = "DRS"
SYSVOL_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
POLICIES_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;${DOMAINSID}-520)"
def set_gpo_acl(path,acl):
setntacl(path,acl)
for root, dirs, files in os.walk(path, topdown=False):
for name in files:
setntacl(os.path.join(root, name),acl)
for name in dirs:
setntacl(os.path.join(root, name),acl)
def setdiracl(samdb,names,netlogon,sysvol,gid,domainsid):
acl = SYSVOL_ACL.replace("${DOMAINSID}",str(domainsid))
os.chown(sysvol,-1,gid)
setntacl(sysvol,acl)
for root, dirs, files in os.walk(sysvol, topdown=False):
for name in files:
os.chown(os.path.join(root, name),-1,gid)
setntacl(os.path.join(root, name),acl)
for name in dirs:
os.chown(os.path.join(root, name),-1,gid)
setntacl(os.path.join(root, name),acl)
# Set ACL for GPO
policy_path = os.path.join(sysvol, names.dnsdomain, "Policies")
acl = POLICIES_ACL.replace("${DOMAINSID}",str(domainsid))
set_gpo_acl(policy_path,dsacl2fsacl(acl))
res = samdb.search(base="CN=Policies,CN=System,%s"%(names.domaindn),
attrs=["cn","nTSecurityDescriptor"],
expression="", scope=SCOPE_ONELEVEL)
security.dom_sid("S-1-5-21-1")
for policy in res:
acl = ndr_unpack(security.descriptor,str(policy["nTSecurityDescriptor"])).as_sddl()
policy_path = os.path.join(sysvol, names.dnsdomain, "Policies",
str(policy["cn"]))
set_gpo_acl(policy_path,dsacl2fsacl(acl))
def provision(setup_dir, message, session_info, def provision(setup_dir, message, session_info,
@ -1292,8 +1307,6 @@ def provision(setup_dir, message, session_info,
(paths.smbconf, setup_path("provision.smb.conf.dc"))) (paths.smbconf, setup_path("provision.smb.conf.dc")))
assert(paths.sysvol is not None) assert(paths.sysvol is not None)
# Set up group policies (domain policy and domain controller policy)
setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid,setfileacl)
if not os.path.isdir(paths.netlogon): if not os.path.isdir(paths.netlogon):
os.makedirs(paths.netlogon, 0755) os.makedirs(paths.netlogon, 0755)
@ -1303,6 +1316,12 @@ def provision(setup_dir, message, session_info,
root_uid=root_uid, nobody_uid=nobody_uid, root_uid=root_uid, nobody_uid=nobody_uid,
users_gid=users_gid, wheel_gid=wheel_gid) users_gid=users_gid, wheel_gid=wheel_gid)
setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid)
if setfileacl:
setdiracl(samdb,names,paths.netlogon,paths.sysvol,wheel_gid,domainsid)
# Set up group policies (domain policy and domain controller policy)
message("Setting up sam.ldb rootDSE marking as synchronized") message("Setting up sam.ldb rootDSE marking as synchronized")
setup_modify_ldif(samdb, setup_path("provision_rootdse_modify.ldif")) setup_modify_ldif(samdb, setup_path("provision_rootdse_modify.ldif"))

9
source4/setup/provision
View File

@ -110,7 +110,7 @@ parser.add_option("--slapd-path", type="string", metavar="SLAPD-PATH",
parser.add_option("--setup-ds-path", type="string", metavar="SETUP_DS-PATH", parser.add_option("--setup-ds-path", type="string", metavar="SETUP_DS-PATH",
help="Path to setup-ds.pl script for Fedora DS LDAP backend [e.g.:'/usr/sbin/setup-ds.pl']. Required for Setup with Fedora DS backend.") help="Path to setup-ds.pl script for Fedora DS LDAP backend [e.g.:'/usr/sbin/setup-ds.pl']. Required for Setup with Fedora DS backend.")
parser.add_option("--nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true") parser.add_option("--nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true")
parser.add_option("--setfileacl", help="Set NT ACL on files", action="store_true") parser.add_option("--nosetfileacl", help="Do not set NT ACL on files (set by default)", action="store_true")
parser.add_option("--ldap-dryrun-mode", help="Configure LDAP backend, but do not run any binaries and exit early. Used only for the test environment. DO NOT USE", action="store_true") parser.add_option("--ldap-dryrun-mode", help="Configure LDAP backend, but do not run any binaries and exit early. Used only for the test environment. DO NOT USE", action="store_true")
opts = parser.parse_args()[0] opts = parser.parse_args()[0]
@ -202,6 +202,11 @@ if opts.blank:
elif opts.partitions_only: elif opts.partitions_only:
samdb_fill = FILL_DRS samdb_fill = FILL_DRS
setfileacl = True
if opts.nosetfileacl:
setfileacl = False
session = system_session() session = system_session()
provision(setup_dir, message, provision(setup_dir, message,
session, creds, smbconf=smbconf, targetdir=opts.targetdir, session, creds, smbconf=smbconf, targetdir=opts.targetdir,
@ -220,4 +225,4 @@ provision(setup_dir, message,
backend_type=opts.ldap_backend_type, backend_type=opts.ldap_backend_type,
ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls, ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path, slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path,
nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode,setfileacl=opts.setfileacl) nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode,setfileacl=setfileacl)