mirror of
https://github.com/samba-team/samba.git
synced 2025-06-21 03:17:08 +03:00
8f909199c4
This will reset the NT ACL on the sysvol share to the default from provision, with GPO objects matching the LDAP ACL (as required). Andrew Bartlett
191 lines
7.0 KiB
Python
191 lines
7.0 KiB
Python
# Manipulate file NT ACLs
|
|
#
|
|
# Copyright Matthieu Patou 2010 <mat@matws.net>
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
from samba.credentials import DONT_USE_KERBEROS
|
|
import samba.getopt as options
|
|
from samba.dcerpc import security, idmap
|
|
from samba.ntacls import setntacl, getntacl
|
|
from samba import Ldb
|
|
from samba.ndr import ndr_unpack
|
|
from samba.samdb import SamDB
|
|
from samba.samba3 import param as s3param, passdb, smbd
|
|
from samba import provision
|
|
|
|
from ldb import SCOPE_BASE
|
|
import os
|
|
|
|
from samba.auth import system_session
|
|
from samba.netcmd import (
|
|
Command,
|
|
CommandError,
|
|
SuperCommand,
|
|
Option,
|
|
)
|
|
|
|
|
|
|
|
class cmd_ntacl_set(Command):
|
|
"""Set ACLs on a file"""
|
|
|
|
synopsis = "%prog <acl> <file> [options]"
|
|
|
|
takes_optiongroups = {
|
|
"sambaopts": options.SambaOptions,
|
|
"credopts": options.CredentialsOptions,
|
|
"versionopts": options.VersionOptions,
|
|
}
|
|
|
|
takes_options = [
|
|
Option("--quiet", help="Be quiet", action="store_true"),
|
|
Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
|
|
choices=["native","tdb"]),
|
|
Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
|
|
]
|
|
|
|
takes_args = ["acl","file"]
|
|
|
|
def run(self, acl, file, quiet=False,xattr_backend=None,eadb_file=None,
|
|
credopts=None, sambaopts=None, versionopts=None):
|
|
lp = sambaopts.get_loadparm()
|
|
path = lp.private_path("secrets.ldb")
|
|
creds = credopts.get_credentials(lp)
|
|
creds.set_kerberos_state(DONT_USE_KERBEROS)
|
|
try:
|
|
ldb = Ldb(path, session_info=system_session(), credentials=creds,
|
|
lp=lp)
|
|
except Exception, e:
|
|
raise CommandError("Unable to read domain SID from configuration files", e)
|
|
attrs = ["objectSid"]
|
|
res = ldb.search(expression="(objectClass=*)",
|
|
base="flatname=%s,cn=Primary Domains" % lp.get("workgroup"),
|
|
scope=SCOPE_BASE, attrs=attrs)
|
|
if len(res) !=0:
|
|
domainsid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
|
|
setntacl(lp, file, acl, str(domainsid), xattr_backend, eadb_file)
|
|
else:
|
|
raise CommandError("Unable to read domain SID from configuration files")
|
|
|
|
|
|
|
|
class cmd_ntacl_get(Command):
|
|
"""Set ACLs on a file"""
|
|
synopsis = "%prog <file> [options]"
|
|
|
|
takes_optiongroups = {
|
|
"sambaopts": options.SambaOptions,
|
|
"credopts": options.CredentialsOptions,
|
|
"versionopts": options.VersionOptions,
|
|
}
|
|
|
|
takes_options = [
|
|
Option("--as-sddl", help="Output ACL in the SDDL format", action="store_true"),
|
|
Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
|
|
choices=["native","tdb"]),
|
|
Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
|
|
]
|
|
|
|
takes_args = ["file"]
|
|
|
|
def run(self, file, as_sddl=False, xattr_backend=None, eadb_file=None,
|
|
credopts=None, sambaopts=None, versionopts=None):
|
|
lp = sambaopts.get_loadparm()
|
|
acl = getntacl(lp, file, xattr_backend, eadb_file)
|
|
if as_sddl:
|
|
anysid = security.dom_sid(security.SID_NT_SELF)
|
|
self.outf.write(acl.info.as_sddl(anysid)+"\n")
|
|
else:
|
|
acl.dump()
|
|
|
|
|
|
class cmd_ntacl_sysvolreset(Command):
|
|
"""Reset sysvol ACLs to defaults (including correct ACLs on GPOs)"""
|
|
synopsis = "%prog <file> [options]"
|
|
|
|
takes_optiongroups = {
|
|
"sambaopts": options.SambaOptions,
|
|
"credopts": options.CredentialsOptions,
|
|
"versionopts": options.VersionOptions,
|
|
}
|
|
|
|
takes_options = [
|
|
Option("--use-ntvfs", help="Set the ACLs for use with the ntvfs file server", action="store_true"),
|
|
Option("--use-s3fs", help="Set the ACLs for use with the default s3fs file server", action="store_true")
|
|
]
|
|
|
|
def run(self, use_ntvfs=False, use_s3fs=False,
|
|
credopts=None, sambaopts=None, versionopts=None):
|
|
lp = sambaopts.get_loadparm()
|
|
path = lp.private_path("secrets.ldb")
|
|
creds = credopts.get_credentials(lp)
|
|
creds.set_kerberos_state(DONT_USE_KERBEROS)
|
|
logger = self.get_logger()
|
|
|
|
netlogon = lp.get("path", "netlogon")
|
|
sysvol = lp.get("path", "sysvol")
|
|
try:
|
|
samdb = SamDB(session_info=system_session(),
|
|
lp=lp)
|
|
except Exception, e:
|
|
raise CommandError("Unable to open samdb:", e)
|
|
|
|
if not use_ntvfs and not use_s3fs:
|
|
use_ntvfs = "smb" in lp.get("server services")
|
|
elif use_s3fs:
|
|
use_ntvfs = False
|
|
|
|
domain_sid = security.dom_sid(samdb.domain_sid)
|
|
|
|
s3conf = s3param.get_context()
|
|
s3conf.load(lp.configfile)
|
|
# ensure we are using the right samba4 passdb backend, no matter what
|
|
s3conf.set("passdb backend", "samba4:%s" % samdb.url)
|
|
|
|
LA_sid = security.dom_sid(str(domain_sid)
|
|
+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
|
|
BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
|
|
|
|
s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
|
|
|
|
# These assertions correct for current plugin_s4_dc selftest
|
|
# configuration. When other environments have a broad range of
|
|
# groups mapped via passdb, we can relax some of these checks
|
|
(LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
|
|
if (LA_type != idmap.ID_TYPE_UID and LA_type != idmap.ID_TYPE_BOTH):
|
|
raise CommandError("SID %s is not mapped to a UID" % LA_sid)
|
|
(BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
|
|
if (BA_type != idmap.ID_TYPE_GID and BA_type != idmap.ID_TYPE_BOTH):
|
|
raise CommandError("SID %s is not mapped to a GID" % BA_sid)
|
|
|
|
if use_ntvfs:
|
|
logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")
|
|
|
|
provision.setsysvolacl(samdb, netlogon, sysvol,
|
|
LA_uid, BA_gid, domain_sid,
|
|
lp.get("realm").lower(), samdb.domain_dn(),
|
|
lp, use_ntvfs=use_ntvfs)
|
|
|
|
|
|
class cmd_ntacl(SuperCommand):
|
|
"""NT ACLs manipulation"""
|
|
|
|
subcommands = {}
|
|
subcommands["set"] = cmd_ntacl_set()
|
|
subcommands["get"] = cmd_ntacl_get()
|
|
subcommands["sysvolreset"] = cmd_ntacl_sysvolreset()
|
|
|