def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
- fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
+ session_info = system_session_unix()
+ fsacl = getntacl(lp, path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
fsacl_sddl = fsacl.as_sddl(domainsid)
if fsacl_sddl != acl:
raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
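Review bot: The result of `getntacl()` for the GPO directory itself is dereferenced on the context line `fsacl_sddl = fsacl.as_sddl(domainsid)` without the `if fsacl is None` guard that the per-file and per-directory loops further down in check_dir_acl apply. If the ACL is absent on the top-level path, the check would presumably fail with an AttributeError instead of a ProvisioningError naming the path, which makes a missing SYSVOL ACL harder to diagnose. Since this call is being touched anyway, add `if fsacl is None: raise ProvisioningError('%s ACL on GPO directory %s not found!' % (acl_type(direct_db_access), path))` before the `as_sddl` call. The rest of check_dir_acl lies outside this hunk.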
for root, dirs, files in os.walk(path, topdown=False):
for name in files:
- fsacl = getntacl(lp, os.path.join(root, name),
+ fsacl = getntacl(lp, os.path.join(root, name), session_info,
direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
if fsacl is None:
raise ProvisioningError('%s ACL on GPO file %s not found!' %
raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
for name in dirs:
- fsacl = getntacl(lp, os.path.join(root, name),
+ fsacl = getntacl(lp, os.path.join(root, name), session_info,
direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
if fsacl is None:
raise ProvisioningError('%s ACL on GPO directory %s not found!'
# Set ACL for GPO root folder
root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")
- fsacl = getntacl(lp, root_policy_path,
+ session_info = system_session_unix()
+ fsacl = getntacl(lp, root_policy_path, session_info,
direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
if fsacl is None:
raise ProvisioningError('DB ACL on policy root %s %s not found!' % (acl_type(direct_db_access), root_policy_path))
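Review bot: `system_session_unix()` is now constructed separately here, at the top of check_dir_acl, and before the `for direct_db_access in [True, False]` loop, so the privileged identity used for the ACL reads is chosen in three places rather than one. If these helpers call one another, as their shared `lp`/`domainsid`/`direct_db_access` arguments suggest, it would be easier to audit if the outermost caller created the session and passed it down, for example through a trailing `session_info=None` parameter with `if session_info is None: session_info = system_session_unix()`. A short comment saying why the system session, rather than the invoking user's, is used for these reads would also help. The enclosing function starts and ends outside this hunk.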
raise ProvisioningError('Realm as seen by pdb_samba_dsdb [%s] does not match Realm as seen by the provision script [%s]!' % (domain_info["dns_domain"].upper(), dnsdomain.upper()))
# Ensure we can read this directly, and via the smbd VFS
+ session_info = system_session_unix()
for direct_db_access in [True, False]:
# Check the SYSVOL_ACL on the sysvol folder and subfolder (first level)
for dir_path in [os.path.join(sysvol, dnsdomain), netlogon]:
- fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
+ fsacl = getntacl(lp, dir_path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
if fsacl is None:
raise ProvisioningError('%s ACL on sysvol directory %s not found!' % (acl_type(direct_db_access), dir_path))
fsacl_sddl = fsacl.as_sddl(domainsid)
acl = ACL
setntacl(self.lp, self.tempf, acl, DOM_SID,
self.get_session_info(), use_ntvfs=True)
- facl = getntacl(self.lp, self.tempf, direct_db_access=True)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=True)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(anysid), acl)
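Review bot: `self.get_session_info()` is called once for `setntacl` and again for `getntacl`, whereas the later tests on this page bind `session_info = self.get_session_info(domsid)` once and pass the same object to both calls. Binding it once with `session_info = self.get_session_info()` and reusing it makes it explicit that the ACL is written and read back under the same identity. The same pattern recurs in the other set-then-get tests that pass `self.get_session_info()` twice. The test method starts outside this hunk.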
# However, this only asks the xattr
self.assertRaises(
- TypeError, getntacl, self.lp, self.tempf, direct_db_access=True)
+ TypeError, getntacl, self.lp, self.tempf, self.get_session_info(), direct_db_access=True)
def test_setntacl_invalidate_getntacl(self):
acl = ACL
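Review bot: `assertRaises(TypeError, getntacl, ...)` passes for any TypeError, including the one Python raises when a call does not match the function's signature, so this assertion cannot tell "no NT ACL xattr present" apart from a mis-specified argument list, which is the kind of mistake a signature change like this one can introduce. The same applies to the `assertRaises(TypeError, getntacl, self.lp, self.tempf, self.get_session_info())` line in test_setposixacl_getntacl. At minimum add a comment such as `# TypeError is also raised for a bad argument list; keep this call in step with getntacl()'s signature`, and consider `assertRaisesRegex` once the expected message text is confirmed. The test method starts outside this hunk.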
self.tempf, "system.fake_access_acl", b"")
# however, as this is direct DB access, we do not notice it
- facl = getntacl(self.lp, self.tempf, direct_db_access=True)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=True)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(acl, facl.as_sddl(anysid))
self.tempf, "system.fake_access_acl", b"")
# the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
- facl = getntacl(self.lp, self.tempf)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info())
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(acl, facl.as_sddl(anysid))
self.tempf, "system.fake_access_acl", b"")
# the hash will break, and we return an ACL based only on the mode
- facl = getntacl(self.lp, self.tempf, direct_db_access=False)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
acl = ACL
setntacl(self.lp, self.tempf, acl, DOM_SID,
self.get_session_info(), use_ntvfs=True)
- facl = getntacl(self.lp, self.tempf, direct_db_access=False)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(anysid), acl)
acl = ACL
setntacl(self.lp, self.tempf, acl, DOM_SID,
self.get_session_info(), use_ntvfs=False)
- facl = getntacl(self.lp, self.tempf, direct_db_access=False)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(anysid), acl)
self.get_session_info(), use_ntvfs=False)
# This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info())
- facl = getntacl(self.lp, self.tempf, direct_db_access=False)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info(), BA_gid)
# This should re-calculate an ACL based on the posix details
- facl = getntacl(self.lp, self.tempf, direct_db_access=False)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
setntacl(self.lp, self.tempf, acl, DOM_SID,
self.get_session_info(), use_ntvfs=False)
- facl = getntacl(self.lp, self.tempf, direct_db_access=False)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
domsid = security.dom_sid(DOM_SID)
self.assertEquals(facl.as_sddl(domsid), acl)
acl = ACL
setntacl(self.lp, self.tempf, acl, DOM_SID,
self.get_session_info(), use_ntvfs=False)
- facl = getntacl(self.lp, self.tempf)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info())
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(anysid), acl)
posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
def test_setposixacl_getntacl(self):
smbd.set_simple_acl(self.tempf, 0o750, self.get_session_info())
# We don't expect the xattr to be filled in in this case
- self.assertRaises(TypeError, getntacl, self.lp, self.tempf)
+ self.assertRaises(TypeError, getntacl, self.lp, self.tempf, self.get_session_info())
def test_setposixacl_getntacl_smbd(self):
s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info())
- facl = getntacl(self.lp, self.tempf, direct_db_access=False)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(acl, facl.as_sddl(anysid))
self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
smbd.chown(self.tempdir, BA_id, SO_id, self.get_session_info())
smbd.set_simple_acl(self.tempdir, 0o750, self.get_session_info())
- facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
+ facl = getntacl(self.lp, self.tempdir, self.get_session_info(), direct_db_access=False)
acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"
anysid = security.dom_sid(security.SID_NT_SELF)
user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info(), BA_gid)
- facl = getntacl(self.lp, self.tempf, direct_db_access=False)
+ facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
domsid = passdb.get_global_sam_sid()
acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
anysid = security.dom_sid(security.SID_NT_SELF)
session_info = self.get_session_info(domsid)
setntacl(self.lp, self.tempf, acl, str(domsid),
session_info, use_ntvfs=False)
- facl = getntacl(self.lp, self.tempf)
+ facl = getntacl(self.lp, self.tempf, session_info)
self.assertEquals(facl.as_sddl(domsid), acl)
posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
session_info = self.get_session_info(domsid)
setntacl(self.lp, self.tempdir, acl, str(domsid),
session_info, use_ntvfs=False)
- facl = getntacl(self.lp, self.tempdir)
+ facl = getntacl(self.lp, self.tempdir, session_info)
self.assertEquals(facl.as_sddl(domsid), acl)
posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
session_info = self.get_session_info(domsid)
setntacl(self.lp, self.tempdir, acl, str(domsid),
session_info, use_ntvfs=False)
- facl = getntacl(self.lp, self.tempdir)
+ facl = getntacl(self.lp, self.tempdir, session_info)
self.assertEquals(facl.as_sddl(domsid), acl)
posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
session_info = self.get_session_info(domsid)
setntacl(self.lp, self.tempf, acl, str(domsid),
session_info, use_ntvfs=False)
- facl = getntacl(self.lp, self.tempf)
+ facl = getntacl(self.lp, self.tempf, session_info)
self.assertEquals(facl.as_sddl(domsid), acl)
posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)