from samba.upgrade import upgrade_from_samba3
from samba.drs_utils import drsuapi_connect
from samba import remove_dc, arcfour_encrypt, string_to_byte_array
+from samba.auth_util import system_session_unix
from samba.dsdb import (
DS_DOMAIN_FUNCTION_2000,
try:
try:
samba.ntacls.setntacl(lp, file.name,
- "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
+ "O:S-1-5-32G:S-1-5-32",
+ "S-1-5-32",
+ system_session_unix(),
+ "native")
eadb = False
except Exception:
self.logger.info("You are not root or your system does not support xattr, using tdb backend for attributes. ")
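Review bot: The `except Exception:` after the probe now also swallows failures raised inside the widened `samba.ntacls.setntacl(...)` call, including the `system_session_unix()` construction and the binding's check on the new mandatory session argument, and reports all of them as "not root / no xattr" before silently switching ACL storage to the tdb backend. Since that message is what an operator will act on, I would at least bind and surface the cause: `except Exception as e:` and `self.logger.info("You are not root or your system does not support xattr, using tdb backend for attributes: %s", e)`. The same pattern is in the following hunk (the `tmpfile.name` probe), which already carries a FIXME about catching all exceptions. The enclosing function starts outside the hunk.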
try:
try:
samba.ntacls.setntacl(lp, tmpfile.name,
- "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
+ "O:S-1-5-32G:S-1-5-32",
+ "S-1-5-32",
+ system_session_unix(),
+ "native")
eadb = False
except Exception:
# FIXME: Don't catch all exceptions here
file,
acl,
str(domain_sid),
+ system_session_unix(),
xattr_backend,
eadb_file,
use_ntvfs=use_ntvfs,
- service=service,
- session_info=system_session_unix())
+ service=service)
if use_ntvfs:
logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")
file,
acl,
new_domain_sid,
+ system_session_unix(),
xattr_backend,
eadb_file,
use_ntvfs=use_ntvfs,
- service=service,
- session_info=system_session_unix())
+ service=service)
except Exception as e:
raise CommandError("Could not set acl for %s: %s" % (file, e))
from samba.samba3 import libsmb_samba_internal as libsmb
from samba.logger import get_samba_logger
from samba import NTSTATUSError
+from samba.auth_util import system_session_unix
# don't include volumes
SMB_FILE_ATTRIBUTE_FLAGS = libsmb.FILE_ATTRIBUTE_SYSTEM | \
session_info=session_info)
-def setntacl(lp, file, sddl, domsid,
+def setntacl(lp, file, sddl, domsid, session_info,
backend=None, eadbfile=None,
use_ntvfs=True, skip_invalid_chown=False,
- passdb=None, service=None, session_info=None):
+ passdb=None, service=None):
"""
A wrapper for smbd set_nt_acl api.
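Review bot: The docstring that opens with `A wrapper for smbd set_nt_acl api.` does not mention the new mandatory `session_info` parameter, nor that it is inserted before `backend` and `eadbfile`, so any caller that passed those two positionally (as the `"tdb"` test call in this commit did) now hands its backend name to the session argument; the function body continues past the hunk. I would add to the docstring: `:param session_info: auth session_info the ACL is set under; the callers in this change pass system_session_unix(). Required and positional, ahead of backend/eadbfile.` The same undocumented parameter is added to `NtaclsHelper.setntacl` in the later hunk, which has only the `# ntacl_sd can be obj or str` comment and would benefit from a one-line docstring naming `session_info`.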
smbd.set_nt_acl(
file, SECURITY_SECINFO_FLAGS, sd2,
- service=service, session_info=session_info)
+ session_info,
+ service=service)
# and then set an NTVFS ACL (which does not set the posix ACL) to pretend the owner really was set
use_ntvfs = True
security.SECINFO_GROUP |
security.SECINFO_DACL |
security.SECINFO_SACL,
- sd, service=service, session_info=session_info)
+ sd,
+ session_info,
+ service=service)
if use_ntvfs:
(backend_obj, dbname) = checkset_backend(lp, backend, eadbfile)
return ntacl_sd.as_sddl(self.dom_sid) if as_sddl else ntacl_sd
- def setntacl(self, path, ntacl_sd):
+ def setntacl(self, path, ntacl_sd, session_info):
# ntacl_sd can be obj or str
- return setntacl(self.lp, path, ntacl_sd, self.dom_sid,
+ return setntacl(self.lp, path, ntacl_sd, self.dom_sid, session_info,
use_ntvfs=self.use_ntvfs)
"""
service = src_service_path.rstrip('/').rsplit('/', 1)[-1]
tempdir = tempfile.mkdtemp()
+ session_info = system_session_unix()
dom_sid_str = samdb_conn.get_domain_sid()
dom_sid = security.dom_sid(dom_sid_str)
dom_sid = security.dom_sid(dom_sid_str)
ntacls_helper = NtaclsHelper(service, smb_conf_path, dom_sid)
+ session_info = system_session_unix()
with tarfile.open(src_tarfile_path) as f:
f.extractall(path=tempdir)
ntacl_sddl_str = _read_ntacl_file(src)
if ntacl_sddl_str:
- ntacls_helper.setntacl(dst, ntacl_sddl_str)
+ ntacls_helper.setntacl(dst, ntacl_sddl_str, session_info)
else:
logger.warning(
'Failed to restore ntacl for directory %s.' % dst
ntacl_sddl_str = _read_ntacl_file(src)
if ntacl_sddl_str:
- ntacls_helper.setntacl(dst, ntacl_sddl_str)
+ ntacls_helper.setntacl(dst, ntacl_sddl_str, session_info)
else:
logger.warning('Failed to restore ntacl for file %s.' % dst
+ ' Please check the permissions are correct')
def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE):
- setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
+ session_info = system_session_unix()
+ setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
for root, dirs, files in os.walk(path, topdown=False):
for name in files:
- setntacl(lp, os.path.join(root, name), acl, domsid,
+ setntacl(lp, os.path.join(root, name), acl, domsid, session_info,
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
for name in dirs:
- setntacl(lp, os.path.join(root, name), acl, domsid,
+ setntacl(lp, os.path.join(root, name), acl, domsid, session_info,
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
# Set ACL for GPO root folder
root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")
- setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid),
+ session_info = system_session_unix()
+
+ setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
res = samdb.search(base="CN=Policies,CN=System,%s" %(domaindn),
def _setntacl(path):
"""A helper to reuse args"""
return setntacl(
- lp, path, SYSVOL_ACL, str(domainsid),
+ lp, path, SYSVOL_ACL, str(domainsid), session_info,
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb,
- service=SYSVOL_SERVICE, session_info=session_info)
+ service=SYSVOL_SERVICE)
# Set the SYSVOL_ACL on the sysvol folder and subfolder (first level)
_setntacl(sysvol)
from samba.param import LoadParm
from samba.dcerpc import security
from samba.tests import TestCaseInTempDir, SkipTest
+from samba.auth_util import system_session_unix
NTACL_SDDL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
DOMAIN_SID = "S-1-5-21-2212615479-2695158682-2101375467"
super(NtaclsTests, self).setUp()
self.tempf = os.path.join(self.tempdir, "test")
open(self.tempf, 'w').write("empty")
+ self.session_info = system_session_unix()
def tearDown(self):
os.unlink(self.tempf)
lp = LoadParm()
open(self.tempf, 'w').write("empty")
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
- setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID)
+ setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID, self.session_info)
os.unlink(os.path.join(self.tempdir, "eadbtest.tdb"))
def test_setntacl_getntacl(self):
lp = LoadParm()
open(self.tempf, 'w').write("empty")
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
- setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID)
+ setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID, self.session_info)
facl = getntacl(lp, self.tempf)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(anysid), NTACL_SDDL)
def test_setntacl_getntacl_param(self):
lp = LoadParm()
open(self.tempf, 'w').write("empty")
- setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID, "tdb",
+ setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID, self.session_info, "tdb",
os.path.join(self.tempdir, "eadbtest.tdb"))
facl = getntacl(lp, self.tempf, "tdb", os.path.join(
self.tempdir, "eadbtest.tdb"))
lp = LoadParm()
open(self.tempf, 'w').write("empty")
self.assertRaises(XattrBackendError, setntacl, lp, self.tempf,
- NTACL_SDDL, DOMAIN_SID, "ttdb",
+ NTACL_SDDL, DOMAIN_SID, self.session_info, "ttdb",
os.path.join(self.tempdir, "eadbtest.tdb"))
def test_setntacl_forcenative(self):
open(self.tempf, 'w').write("empty")
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
self.assertRaises(Exception, setntacl, lp, self.tempf, NTACL_SDDL,
- DOMAIN_SID, "native")
+ DOMAIN_SID, self.session_info, "native")
def test_setntacl(self):
acl = ACL
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=False)
def test_setntacl_smbd_getntacl(self):
acl = ACL
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=True)
facl = getntacl(self.lp, self.tempf, direct_db_access=True)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(anysid), acl)
def test_setntacl_smbd_setposixacl_getntacl(self):
acl = ACL
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=True)
# This will invalidate the ACL, as we have a hook!
smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info())
def test_setntacl_invalidate_getntacl(self):
acl = ACL
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=True)
# This should invalidate the ACL, as we include the posix ACL in the hash
(backend_obj, dbname) = checkset_backend(self.lp, None, None)
def test_setntacl_invalidate_getntacl_smbd(self):
acl = ACL
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=False)
# This should invalidate the ACL, as we include the posix ACL in the hash
(backend_obj, dbname) = checkset_backend(self.lp, None, None)
acl = ACL
simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
os.chmod(self.tempf, 0o750)
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=False)
# This should invalidate the ACL, as we include the posix ACL in the hash
(backend_obj, dbname) = checkset_backend(self.lp, None, None)
def test_setntacl_getntacl_smbd(self):
acl = ACL
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=True)
facl = getntacl(self.lp, self.tempf, direct_db_access=False)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(anysid), acl)
def test_setntacl_smbd_getntacl_smbd(self):
acl = ACL
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=False)
facl = getntacl(self.lp, self.tempf, direct_db_access=False)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(anysid), acl)
def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
acl = ACL
simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=False)
# This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info())
facl = getntacl(self.lp, self.tempf, direct_db_access=False)
acl = ACL
BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=False)
# This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
(BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
def test_setntacl_smbd_getntacl_smbd_gpo(self):
acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=False)
facl = getntacl(self.lp, self.tempf, direct_db_access=False)
domsid = security.dom_sid(DOM_SID)
self.assertEquals(facl.as_sddl(domsid), acl)
def test_setntacl_getposixacl(self):
acl = ACL
- setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
- session_info=self.get_session_info())
+ setntacl(self.lp, self.tempf, acl, DOM_SID,
+ self.get_session_info(), use_ntvfs=False)
facl = getntacl(self.lp, self.tempf)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(anysid), acl)
acl = provision.SYSVOL_ACL
domsid = passdb.get_global_sam_sid()
session_info = self.get_session_info(domsid)
- setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
- session_info=session_info)
+ setntacl(self.lp, self.tempf, acl, str(domsid),
+ session_info, use_ntvfs=False)
facl = getntacl(self.lp, self.tempf)
self.assertEquals(facl.as_sddl(domsid), acl)
posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
acl = provision.SYSVOL_ACL
domsid = passdb.get_global_sam_sid()
session_info = self.get_session_info(domsid)
- setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
- session_info=session_info)
+ setntacl(self.lp, self.tempdir, acl, str(domsid),
+ session_info, use_ntvfs=False)
facl = getntacl(self.lp, self.tempdir)
self.assertEquals(facl.as_sddl(domsid), acl)
posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
acl = provision.POLICIES_ACL
domsid = passdb.get_global_sam_sid()
session_info = self.get_session_info(domsid)
- setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
- session_info=session_info)
+ setntacl(self.lp, self.tempdir, acl, str(domsid),
+ session_info, use_ntvfs=False)
facl = getntacl(self.lp, self.tempdir)
self.assertEquals(facl.as_sddl(domsid), acl)
posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
domsid = passdb.get_global_sam_sid()
session_info = self.get_session_info(domsid)
- setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
- session_info=session_info)
+ setntacl(self.lp, self.tempf, acl, str(domsid),
+ session_info, use_ntvfs=False)
facl = getntacl(self.lp, self.tempf)
self.assertEquals(facl.as_sddl(domsid), acl)
posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
"fname",
"security_info_sent",
"sd",
- "service",
"session_info",
+ "service",
NULL
};
frame = talloc_stackframe();
- if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|zO",
+ if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siOO|z",
discard_const_p(char *, kwnames),
&fname,
&security_info_sent,
&py_sd,
- &service,
- &py_session)) {
+ &py_session,
+ &service)) {
TALLOC_FREE(frame);
return NULL;
}
return NULL;
}
- if (py_session != Py_None) {
- if (!py_check_dcerpc_type(py_session,
- "samba.dcerpc.auth",
- "session_info")) {
- TALLOC_FREE(frame);
- return NULL;
- }
- session_info = pytalloc_get_type(py_session,
- struct auth_session_info);
- if (!session_info) {
- PyErr_Format(PyExc_TypeError,
- "Expected auth_session_info for session_info argument got %s",
- pytalloc_get_name(py_session));
- return NULL;
- }
+ if (!py_check_dcerpc_type(py_session,
+ "samba.dcerpc.auth",
+ "session_info")) {
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+ session_info = pytalloc_get_type(py_session,
+ struct auth_session_info);
+ if (session_info == NULL) {
+ PyErr_Format(PyExc_TypeError,
+ "Expected auth_session_info for session_info argument got %s",
+ pytalloc_get_name(py_session));
+ return NULL;
}
conn = get_conn_tos(service, session_info);
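Review bot: The `session_info == NULL` branch returns NULL without `TALLOC_FREE(frame)`, unlike the `py_check_dcerpc_type` failure directly above it, which frees the frame allocated at `frame = talloc_stackframe();` before returning; the rewritten lines keep this omission from the removed code. I would make the branch end with `TALLOC_FREE(frame); return NULL;` after the `PyErr_Format` call. Dropping the `py_session != Py_None` guard means a None session now reaches `py_check_dcerpc_type` instead of being accepted, which is consistent with the `"siOO|z"` format making the argument mandatory, though that presumes the type check rejects None. The function continues past the hunk.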