mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
b59fc43523
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
155 lines
6.1 KiB
Python
Executable File
155 lines
6.1 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
#
|
|
# Unix SMB/CIFS implementation.
|
|
# A script to compare differences of security descriotors between
|
|
# a remote host and the local Ldb
|
|
# Needs the local domain, the remote domain, IP of the remote host
|
|
# Username and password for the remote domain, must be at least
|
|
# Domain Administrator
|
|
#
|
|
# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
|
|
# Copyright (C) Nadezhda Ivanova <nadezhda.ivanova@postpath.com> 2009
|
|
#
|
|
# Based on the original in EJS:
|
|
# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
import optparse
|
|
import sys
|
|
import base64
|
|
|
|
sys.path.insert(0, "bin/python")
|
|
|
|
import samba
|
|
from samba.auth import system_session
|
|
import samba.getopt as options
|
|
from samba.ndr import ndr_pack, ndr_unpack
|
|
from samba.dcerpc import security
|
|
from samba import Ldb
|
|
from samba.samdb import SamDB
|
|
from ldb import SCOPE_SUBTREE, SCOPE_BASE
|
|
|
|
parser = optparse.OptionParser("get-descriptors [options]")
|
|
sambaopts = options.SambaOptions(parser)
|
|
credopts = options.CredentialsOptions(parser)
|
|
parser.add_option_group(credopts)
|
|
|
|
parser.add_option("--local-domain", type="string", metavar="LOCALDOMAIN",
|
|
help="set local domain")
|
|
parser.add_option("--remote-domain", type="string", metavar="REMOTEDOMAIN",
|
|
help="set remote domain")
|
|
parser.add_option("--host", type="string", metavar="HOST",
|
|
help="Ip of the remote host used for comparison")
|
|
parser.add_option("--as-ldif", help="Output in LDIF format", action="store_true")
|
|
|
|
lp = sambaopts.get_loadparm()
|
|
creds = credopts.get_credentials(lp)
|
|
|
|
opts = parser.parse_args()[0]
|
|
|
|
if not opts.host or not opts.localdomain or not opts.remote_domain:
|
|
parser.print_usage()
|
|
sys.exit(1)
|
|
|
|
class DescrGetter:
|
|
|
|
def __init__(self, localdomain, remotedomain):
|
|
self.samdb = SamDB(session_info=system_session(), lp=lp, options=["modules:paged_searches"])
|
|
self.remote_ldb= Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp,
|
|
options=["modules:paged_searches"])
|
|
self.local_domain = localdomain.replace(".", ",DC=")
|
|
self.local_domain = "DC=" + self.local_domain
|
|
self.remote_domain = remotedomain.replace(".", ",DC=")
|
|
self.remote_domain = "DC=" + self.remote_domain
|
|
self.local_map = {}
|
|
self.remote_map = {}
|
|
|
|
def get_domain_local_sid(self):
|
|
res = self.samdb.search(base=self.local_domain,expression="(objectClass=*)", scope=SCOPE_BASE)
|
|
self.local_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
|
|
|
|
def get_domain_remote_sid(self):
|
|
res = self.remote_ldb.search(base=self.remote_domain, expression="(objectClass=*)", scope=SCOPE_BASE)
|
|
self.remote_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
|
|
|
|
def add_to_ldif(self, dn, descr):
|
|
ldif_entry = ["dn: " + dn,
|
|
"changetype: modify",
|
|
"replace: nTSecurityDescriptor",
|
|
"nTSecurityDescriptor:: " + base64.b64encode(ndr_pack(descr)).decode('utf8')]
|
|
|
|
for line in ldif_entry:
|
|
length = 79
|
|
if len(line) <= length + 1:
|
|
print(line)
|
|
else:
|
|
for i in range(len(line) / length + 1):
|
|
if i == 0:
|
|
l = line[i * length:((i + 1) * length)]
|
|
else:
|
|
l = " " + line[(i * length):((i + 1) * length)]
|
|
print(l)
|
|
print("\n")
|
|
|
|
def write_as_sddl(self, dn, descr):
|
|
print(dn)
|
|
print(descr + "\n")
|
|
|
|
def read_descr_by_base(self, search_base):
|
|
res = self.samdb.search(base=search_base + self.local_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
|
|
for entry in res:
|
|
dn = entry["dn"].__str__().replace(self.local_domain, "")
|
|
|
|
if "nTSecurityDescriptor" in entry:
|
|
desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
|
|
self.local_map[dn] = desc_obj
|
|
|
|
res = self.remote_ldb.search(base=search_base + self.remote_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
|
|
for entry in res:
|
|
dn = entry["dn"].__str__().replace(self.remote_domain, "")
|
|
|
|
if "nTSecurityDescriptor" in entry:
|
|
desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
|
|
self.remote_map[dn] = desc_obj
|
|
|
|
def read_desc(self):
|
|
self.read_descr_by_base("CN=Schema,CN=Configuration,")
|
|
self.read_descr_by_base("CN=Configuration,")
|
|
self.read_descr_by_base("")
|
|
|
|
def write_desc_to_ldif(self):
|
|
key_list_local = self.local_map.keys()
|
|
key_list_remote = self.remote_map.keys()
|
|
for key in key_list_remote:
|
|
if key in key_list_local:
|
|
sddl = self.remote_map[key].as_sddl(self.remote_sid)
|
|
sddl_local = self.local_map[key].as_sddl(self.local_sid)
|
|
if sddl != sddl_local:
|
|
descr = security.descriptor.from_sddl(sddl, self.local_sid)
|
|
if opts.as_ldif:
|
|
self.add_to_ldif(key + self.local_domain, descr)
|
|
else:
|
|
self.write_as_sddl(key, descr.as_sddl(self.local_sid))
|
|
|
|
def run(self):
|
|
self.get_domain_local_sid()
|
|
self.get_domain_remote_sid()
|
|
self.read_desc()
|
|
self.write_desc_to_ldif()
|
|
|
|
desc = DescrGetter(opts.local_domain, opts.remote_domain)
|
|
desc.run()
|