mirror of
https://github.com/samba-team/samba.git
synced 2024-12-28 07:21:54 +03:00
e9caf7d063
This script walks the schema, configuration and domain partitions of the locally installed Ldb and a remote hosts and compares the descriptors disregarding the difference in domain SID. The goal is to make sure a freshly provisioned Samba has the correct descriptors so ACLs work correctly. It outputs the descriptors in short SDDL, where the correct SIDs are to be replaced during provisioning. Optionally it can be output as an LDIF file with the current local domain and domain SIDs.
154 lines
6.0 KiB
Python
Executable File
154 lines
6.0 KiB
Python
Executable File
#!/usr/bin/python
|
|
#
|
|
# Unix SMB/CIFS implementation.
|
|
# A script to compare differences of security descriotors between
|
|
# a remote host and the local Ldb
|
|
# Needs the local domain, the remote domain, IP of the remote host
|
|
# Username and password for the remote domain, must be at least
|
|
# Domain Administrator
|
|
#
|
|
# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
|
|
# Copyright (C) Nadezhda Ivanova <nadezhda.ivanova@postpath.com> 2009
|
|
#
|
|
# Based on the original in EJS:
|
|
# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
import getopt
|
|
import optparse
|
|
import sys
|
|
import os
|
|
import base64
|
|
import re
|
|
|
|
sys.path.insert(0, "bin/python")
|
|
|
|
import samba
|
|
from samba.auth import system_session
|
|
import samba.getopt as options
|
|
from samba import param
|
|
from samba.ndr import ndr_pack, ndr_unpack
|
|
from samba.dcerpc import security
|
|
from samba import Ldb
|
|
from samba.samdb import SamDB
|
|
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
|
|
|
|
parser = optparse.OptionParser("get-descriptor [options]")
|
|
sambaopts = options.SambaOptions(parser)
|
|
credopts = options.CredentialsOptions(parser)
|
|
parser.add_option_group(credopts)
|
|
|
|
parser.add_option("--local-domain", type="string", metavar="LOCALDOMAIN",
|
|
help="set local domain")
|
|
parser.add_option("--remote-domain", type="string", metavar="REMOTEDOMAIN",
|
|
help="set remote domain")
|
|
parser.add_option("--host", type="string", metavar="HOST",
|
|
help="Ip of the remote host used for comparison")
|
|
parser.add_option("--as-ldif", help="Output in LDIF format", action="store_true")
|
|
|
|
lp = sambaopts.get_loadparm()
|
|
creds = credopts.get_credentials(lp)
|
|
|
|
opts = parser.parse_args()[0]
|
|
|
|
class DescrGetter:
|
|
def __init__(self, localdomain, remotedomain):
|
|
self.samdb = SamDB(session_info=system_session(), lp=lp, options=["modules:paged_searches"])
|
|
self.remote_ldb= Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp,
|
|
options=["modules:paged_searches"])
|
|
self.local_domain = localdomain.replace(".", ",DC=")
|
|
self.local_domain = "DC=" + self.local_domain
|
|
self.remote_domain = remotedomain.replace(".", ",DC=")
|
|
self.remote_domain = "DC=" + self.remote_domain
|
|
self.local_map = {}
|
|
self.remote_map = {}
|
|
|
|
def get_domain_local_sid(self):
|
|
res = self.samdb.search(base=self.local_domain,expression="(objectClass=*)", scope=SCOPE_BASE)
|
|
self.local_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
|
|
|
|
def get_domain_remote_sid(self):
|
|
res = self.remote_ldb.search(base=self.remote_domain, expression="(objectClass=*)", scope=SCOPE_BASE)
|
|
self.remote_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
|
|
|
|
def add_to_ldif(self, dn, descr):
|
|
ldif_entry = ["dn: " + dn,
|
|
"changetype: modify",
|
|
"replace: nTSecurityDescriptor",
|
|
"nTSecurityDescriptor:: " + base64.b64encode(ndr_pack(descr))]
|
|
|
|
for line in ldif_entry:
|
|
length = 79
|
|
if len(line) <= length + 1:
|
|
print line
|
|
else:
|
|
for i in range(len(line) / length + 1):
|
|
if i == 0:
|
|
l = line[i * length:((i + 1) * length)]
|
|
else:
|
|
l = " " + line[(i * length):((i + 1) * length)]
|
|
print l
|
|
print "\n"
|
|
|
|
def write_as_sddl(self, dn, descr):
|
|
print dn
|
|
print descr + "\n"
|
|
|
|
def read_descr_by_base(self, search_base):
|
|
res = self.samdb.search(base=search_base + self.local_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
|
|
for entry in res:
|
|
dn = entry["dn"].__str__().replace(self.local_domain, "")
|
|
|
|
if "nTSecurityDescriptor" in entry:
|
|
desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
|
|
self.local_map[dn] = desc_obj
|
|
|
|
res = self.remote_ldb.search(base=search_base + self.remote_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
|
|
for entry in res:
|
|
dn = entry["dn"].__str__().replace(self.remote_domain, "")
|
|
|
|
if "nTSecurityDescriptor" in entry:
|
|
desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
|
|
self.remote_map[dn] = desc_obj
|
|
|
|
def read_desc(self):
|
|
self.read_descr_by_base("CN=Schema,CN=Configuration,")
|
|
self.read_descr_by_base("CN=Configuration,")
|
|
self.read_descr_by_base("")
|
|
|
|
def write_desc_to_ldif(self):
|
|
key_list_local = self.local_map.keys()
|
|
key_list_remote = self.remote_map.keys()
|
|
for key in key_list_remote:
|
|
if key in key_list_local:
|
|
sddl = self.remote_map[key].as_sddl(self.remote_sid)
|
|
sddl_local = self.local_map[key].as_sddl(self.local_sid)
|
|
if sddl != sddl_local:
|
|
descr = security.descriptor.from_sddl(sddl, self.local_sid)
|
|
if opts.as_ldif:
|
|
self.add_to_ldif(key + self.local_domain, descr)
|
|
else:
|
|
self.write_as_sddl(key, descr.as_sddl(self.local_sid))
|
|
|
|
def run(self):
|
|
self.get_domain_local_sid()
|
|
self.get_domain_remote_sid()
|
|
self.read_desc()
|
|
self.write_desc_to_ldif()
|
|
|
|
desc = DescrGetter(opts.local_domain, opts.remote_domain)
|
|
desc.run()
|