from samba.common import get_string
try:
from ldb import LdbError
+ from samba import Ldb
from samba.samdb import SamDB
except ImportError:
pass
"""
def load_ldb(self):
+ private_dir = self.lp.get("private dir")
+ privilege_ldb_path = os.path.join(private_dir, "privilege.ldb")
+ print("privilege_ldb_path[%s]" % privilege_ldb_path)
try:
- private_dir = lp.get("private dir")
- privilege_ldb_path = os.path.join(paths.private_dir, "privilege.ldb")
self.privileges_ldb = Ldb(privilege_ldb_path,
session_info=system_session(),
lp=self.lp)
except (NameError, LdbError):
raise Exception('Failed to load SamDB for assigning Group Policy')
- apply_map = { 'MinimumPasswordAge': 'minPwdAge',
- 'MaximumPasswordAge': 'maxPwdAge',
- 'MinimumPasswordLength': 'minPwdLength',
- 'PasswordComplexity': 'pwdProperties' }
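Review bot: The new `private_dir = self.lp.get("private dir")` and the `os.path.join` on the next line sit outside the `try`, so a missing or unset "private dir" fails with a `TypeError` that the `except (NameError, LdbError)` below does not cover, and the message it would otherwise raise still says "Failed to load SamDB" although this block now opens privilege.ldb; `raise Exception('Failed to load privilege.ldb for assigning Group Policy')` would describe the failure. Catching `NameError` here hides an import failure of `Ldb`/`system_session` (the import block at the top swallows `ImportError`), which is worth a comment such as `# NameError: the samba/ldb imports above are optional and may have failed`. The `print("privilege_ldb_path[%s]" ...)` looks like leftover debugging; the module appears to have a `log` object (the removed setters call `log.info`), so `log.debug` or dropping the line is preferable to writing the on-disk path to stdout. `os` is not visible in the shown import block, so confirm it is imported elsewhere in the file.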
def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
if self.lp.get('server role') != 'active directory domain controller':
return
self.load_ldb()
inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
+ print("process_group_policy(%s)" % str(self))
for guid, settings in deleted_gpo_list:
+ print("deleted_gpo_list: guid[%s]"% guid)
self.gp_db.set_guid(guid)
for section in settings.keys():
+ print("deleted_gpo_list: section[%s]"% section)
if section == str(self):
for att, value in settings[section].items():
- update_samba, _ = self.mapper().get(att)
- update_samba(att, value)
+ print("DELETE: att[%s] value[%s]" % (att, value))
self.gp_db.delete(section, att)
self.gp_db.commit()
+ sid_rights = {}
for gpo in changed_gpo_list:
+ print("changed_gpo_list: gpo.name[%s] gpo.file_sys_path[%s]" % (
+ gpo.name, gpo.file_sys_path))
if gpo.file_sys_path:
self.gp_db.set_guid(gpo.name)
path = os.path.join(gpo.file_sys_path, inf_file)
+ print("path[%s]" % path)
inf_conf = self.parse(path)
+ print("inf_conf[%s]" % inf_conf)
if not inf_conf:
continue
for section in inf_conf.sections():
+ print("changed: section[%s]"% section)
if section == str(self):
for key, value in inf_conf.items(section):
- if key not in gp_access_ext.apply_map:
- continue
- att = gp_access_ext.apply_map[key]
- (update_samba, value_func) = self.mapper().get(att)
- update_samba(att, value_func(value))
- self.gp_db.commit()
-
- def ch_minPwdAge(self, attribute, val):
- old_val = self.ldb.get_minPwdAge()
- log.info('KDC Minimum Password age was changed from %s to %s'
- % (old_val, val))
- self.gp_db.store(str(self), attribute, str(old_val))
- self.ldb.set_minPwdAge(val)
-
- def ch_maxPwdAge(self, attribute, val):
- old_val = self.ldb.get_maxPwdAge()
- log.info('KDC Maximum Password age was changed from %s to %s'
- % (old_val, val))
- self.gp_db.store(str(self), attribute, str(old_val))
- self.ldb.set_maxPwdAge(val)
-
- def ch_minPwdLength(self, attribute, val):
- old_val = self.ldb.get_minPwdLength()
- log.info('KDC Minimum Password length was changed from %s to %s'
- % (old_val, val))
- self.gp_db.store(str(self), attribute, str(old_val))
- self.ldb.set_minPwdLength(val)
-
- def ch_pwdProperties(self, attribute, val):
- old_val = self.ldb.get_pwdProperties()
- log.info('KDC Password Properties were changed from %s to %s'
- % (old_val, val))
- self.gp_db.store(str(self), attribute, str(old_val))
- self.ldb.set_pwdProperties(val)
-
- def mapper(self):
- """ldap value : samba setter"""
- return {"minPwdAge": (self.ch_minPwdAge, days2rel_nttime),
- "maxPwdAge": (self.ch_maxPwdAge, days2rel_nttime),
- # Could be none, but I like the method assignment in
- # update_samba
- "minPwdLength": (self.ch_minPwdLength, lambda val: val),
- "pwdProperties": (self.ch_pwdProperties, lambda val: val),
-
- }
+ print("PARSE: key[%s] value[%s]" % (key, value))
+ sids = value.split(',')
+ for _sid in sids:
+ print("_sid[%s]" % (_sid))
+ sid = _sid.split('*')
+ sid = sid[1]
+ print("sid[%s] => %s" % (sid, key))
+ if sid not in sid_rights:
+ sid_rights[sid] = {}
+ sid_rights[sid][key] = True
+
+ for sid in sid_rights.keys():
+ print("sid[%s] => %s" % (sid, sid_rights[sid].keys()))
+ add_ldif = """dn: sid=%s
+changetype: add
+objectClass: privilege
+objectSid: %s
+""" % (sid, sid)
+ modify_ldif = """dn: sid=%s
+changetype: modify
+replace: gpoPrivilege
+""" % (sid)
+ for right in sid_rights[sid].keys():
+ add_ldif += "gpoPrivilege: %s\n" % right
+ modify_ldif += "gpoPrivilege: %s\n" % right
+
+ try:
+ print("modify_ldif: %s" % modify_ldif)
+ self.privileges_ldb.modify_ldif(modify_ldif)
+ except LdbError as e:
+ print("LdbError[%s]" % e)
+ print("add_ldif: %s" % add_ldif)
+ self.privileges_ldb.modify_ldif(add_ldif)
+
+ self.gp_db.commit()
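Review bot: The SID taken from the policy file at `sid = _sid.split('*')` / `sid = sid[1]` is never validated before it is interpolated into `dn: sid=%s` and `objectSid: %s`, so an entry without a `*` raises `IndexError` and any entry carrying a newline or LDIF syntax is written straight into privilege.ldb as extra attributes; the value should be checked against a strict SID pattern before it reaches the LDIF text (sketch below, assuming `re` is imported and the module-level `log` used by the removed setters still exists). The `except LdbError` at the modify call treats every ldb failure as "record missing" and then issues the add, which masks real errors such as a permission or corruption problem; it should only fall through on `ERR_NO_SUCH_OBJECT` (`from ldb import ERR_NO_SUCH_OBJECT`) and re-raise otherwise. With the `update_samba` calls removed from the deleted-GPO loop, the delete branch now only updates `gp_db` and nothing removes the corresponding `gpoPrivilege` values from privilege.ldb, so rights granted by a deleted GPO appear to persist — if that is intended it deserves a comment, otherwise the deletion needs a matching `modify_ldif` with a `delete: gpoPrivilege` change. The many `print(...)` lines in this hunk look like debugging output and should go through `log.debug` or be dropped before merge. The enclosing method continues past the hunk's end only via `def __str__`, so the points above are confined to the shown lines.
```python
# … unchanged: section / key loop …
for entry in value.split(','):
    entry = entry.strip()
    # the existing parsing assumes a leading '*'; skip anything else rather than index past it
    if not entry.startswith('*'):
        log.warning('Skipping unrecognised privilege entry %s for %s', entry, key)
        continue
    sid = entry[1:]
    # only a syntactically valid SID may be interpolated into the LDIF below
    if not re.fullmatch(r'S-1-\d+(-\d+)+', sid):
        log.warning('Skipping malformed SID %s for %s', sid, key)
        continue
    sid_rights.setdefault(sid, {})[key] = True
# … unchanged: add_ldif / modify_ldif assembly …
try:
    self.privileges_ldb.modify_ldif(modify_ldif)
except LdbError as e:
    # only a missing record means "create it"; anything else is a real failure
    if e.args[0] != ERR_NO_SUCH_OBJECT:
        raise
    self.privileges_ldb.modify_ldif(add_ldif)
```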
def __str__(self):
return 'Privilege Rights'
if str(self) in inf_conf.sections():
section = str(self)
output[section] = {k: v for k, v in inf_conf.items(section)
- if gp_access_ext.apply_map.get(k)}
+ if True}
return output
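Review bot: The replacement filter `if True}` is a no-op that leaves a dead condition in the comprehension; since every key in the section is now reported, `output[section] = dict(inf_conf.items(section))` states that directly. If the intent was to keep a hook for future filtering, a short comment saying so would be clearer than a constant condition.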