from samba import param
from samba import glue
from samba.misc import messageEltFlagToString
-from samba.provision import find_setup_dir, get_domain_descriptor, get_config_descriptor, secretsdb_self_join,set_gpo_acl,getpolicypath,create_gpo_struct
+from samba.provision import find_setup_dir, get_domain_descriptor, get_config_descriptor, secretsdb_self_join,set_gpo_acl,getpolicypath,create_gpo_struct
from samba.provisionexceptions import ProvisioningError
from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
from samba.dcerpc import security
def update_gpo(paths,creds,session,names):
- """Create missing GPO file object if needed
+ """Create missing GPO file object if needed
- Set ACL correctly also.
- """
- dir = getpolicypath(paths.sysvol,names.dnsdomain,names.policyid)
- if not os.path.isdir(dir):
- create_gpo_struct(dir)
-
- dir = getpolicypath(paths.sysvol,names.dnsdomain,names.policyid_dc)
- if not os.path.isdir(dir):
- create_gpo_struct(dir)
- samdb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
- set_gpo_acl(path.sysvol,names.dnsdomain,names.domainsid,names.domaindn,samdb,lp)
-
-def updateOEMInfo(paths,creds,session,names):
- sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
+ Set ACL correctly also.
+ """
+ dir = getpolicypath(paths.sysvol,names.dnsdomain,names.policyid)
+ if not os.path.isdir(dir):
+ create_gpo_struct(dir)
+
+ dir = getpolicypath(paths.sysvol,names.dnsdomain,names.policyid_dc)
+ if not os.path.isdir(dir):
+ create_gpo_struct(dir)
+ samdb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
+ set_gpo_acl(paths.sysvol, names.dnsdomain, names.domainsid,
+ names.domaindn, samdb, lp)
+
+def updateOEMInfo(paths, creds, session,names):
+ sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds, lp=lp,
+ options=["modules:samba_dsdb"])
res = sam_ldb.search(expression="(objectClass=*)",base=str(names.rootdn),
scope=SCOPE_BASE, attrs=["dn","oEMInformation"])
if len(res) > 0:
delta = Message()
delta.dn = Dn(sam_ldb,str(res[0]["dn"]))
descr = get_schema_descriptor(names.domainsid)
- delta["oEMInformation"] = MessageElement(info, FLAG_MOD_REPLACE, "oEMInformation" )
+ delta["oEMInformation"] = MessageElement(info, FLAG_MOD_REPLACE,
+ "oEMInformation" )
sam_ldb.modify(delta)
import registry
import urllib
import shutil
-import string
import ldb
"SIDGENERATOR_LINE": sid_generator_line,
"PRIVATEDIR_LINE": privatedir_line,
"LOCKDIR_LINE": lockdir_line,
- "POSIXEADB_LINE": posixeadb_line
+ "POSIXEADB_LINE": posixeadb_line
})
"NTDSGUID": names.ntdsguid,
"DNSPASS_B64": b64encode(dnspass),
})
-def getpolicypath(sysvolpath,dnsdomain,guid):
- if string.find(guid,"{",0,1) == -1:
- guid = "{%s}"%guid
- policy_path = os.path.join(sysvolpath, dnsdomain, "Policies", guid )
+
+def getpolicypath(sysvolpath, dnsdomain, guid):
+ if guid[0] != "{":
+ guid = "{%s}" % guid
+ policy_path = os.path.join(sysvolpath, dnsdomain, "Policies", guid)
return policy_path
def create_gpo_struct(policy_path):
os.makedirs(os.path.join(policy_path, "MACHINE"), 0755)
os.makedirs(os.path.join(policy_path, "USER"), 0755)
-def setup_gpo(sysvolpath,dnsdomain,policyguid,policyguid_dc):
-
+def setup_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
policy_path = getpolicypath(sysvolpath,dnsdomain,policyguid)
create_gpo_struct(policy_path)
SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
-def set_dir_acl(path,acl,lp,domsid):
- setntacl(lp,path,acl,domsid)
- for root, dirs, files in os.walk(path, topdown=False):
- for name in files:
- setntacl(lp,os.path.join(root, name),acl,domsid)
- for name in dirs:
- setntacl(lp,os.path.join(root, name),acl,domsid)
-
-def set_gpo_acl(sysvol,dnsdomain,domainsid,domaindn,samdb,lp):
- # Set ACL for GPO
- policy_path = os.path.join(sysvol, dnsdomain, "Policies")
- set_dir_acl(policy_path,dsacl2fsacl(POLICIES_ACL,str(domainsid)),lp,str(domainsid))
- res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),
- attrs=["cn","nTSecurityDescriptor"],
- expression="", scope=ldb.SCOPE_ONELEVEL)
- for policy in res:
- acl = ndr_unpack(security.descriptor,str(policy["nTSecurityDescriptor"])).as_sddl()
- policy_path = getpolicypath(sysvol,dnsdomain,str(policy["cn"]))
- set_dir_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid))
-
-def setsysvolacl(samdb,netlogon,sysvol,gid,domainsid,dnsdomain,domaindn,lp):
- canchown = 1
- try:
- os.chown(sysvol,-1,gid)
- except:
- canchown = 0
-
- setntacl(lp,sysvol,SYSVOL_ACL,str(domainsid))
- for root, dirs, files in os.walk(sysvol, topdown=False):
- for name in files:
- if canchown:
- os.chown(os.path.join(root, name),-1,gid)
- setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
- for name in dirs:
- if canchown:
- os.chown(os.path.join(root, name),-1,gid)
- setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
- set_gpo_acl(sysvol,dnsdomain,domainsid,domaindn,samdb,lp)
-
-
+def set_dir_acl(path, acl, lp, domsid):
+ setntacl(lp, path, acl, domsid)
+ for root, dirs, files in os.walk(path, topdown=False):
+ for name in files:
+ setntacl(lp, os.path.join(root, name), acl, domsid)
+ for name in dirs:
+ setntacl(lp, os.path.join(root, name), acl, domsid)
+
+
+def set_gpo_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp):
+ # Set ACL for GPO
+ policy_path = os.path.join(sysvol, dnsdomain, "Policies")
+ set_dir_acl(policy_path,dsacl2fsacl(POLICIES_ACL, str(domainsid)),
+ lp, str(domainsid))
+ res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),
+ attrs=["cn","nTSecurityDescriptor"],
+ expression="", scope=ldb.SCOPE_ONELEVEL)
+ for policy in res:
+ acl = ndr_unpack(security.descriptor,str(policy["nTSecurityDescriptor"])).as_sddl()
+ policy_path = getpolicypath(sysvol,dnsdomain,str(policy["cn"]))
+ set_dir_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid))
+
+def setsysvolacl(samdb, netlogon, sysvol, gid, domainsid, dnsdomain, domaindn,
+ lp):
+ try:
+ os.chown(sysvol,-1,gid)
+ except:
+ canchown = False
+ else:
+ canchown = True
+
+ setntacl(lp,sysvol,SYSVOL_ACL,str(domainsid))
+ for root, dirs, files in os.walk(sysvol, topdown=False):
+ for name in files:
+ if canchown:
+ os.chown(os.path.join(root, name),-1,gid)
+ setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
+ for name in dirs:
+ if canchown:
+ os.chown(os.path.join(root, name),-1,gid)
+ setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
+ set_gpo_acl(sysvol,dnsdomain,domainsid,domaindn,samdb,lp)
def provision(setup_dir, message, session_info,