samba-tool: Add a gpo command for adding VGP Files Group Policy

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index faefa55037d920f1c4ebacae2dbc346e23d3d071..343acbc34a901e74e79b38d76ee25e7ead47d5f9 100644 (file)
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -904,6 +904,11 @@
        <para>List VGP Files Group Policy from the sysvol</para>
 </refsect3>
 
+<refsect3>
+       <title>gpo manage files add</title>
+       <para>Add VGP Files Group Policy to the sysvol</para>
+</refsect3>
+
 <refsect2>
        <title>group</title>
        <para>Manage groups.</para>

diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
index 198ffe351efc8bd3c9388a38dbe3bd0fe1debe23..81676971f0e590943d68e11070a26a0c8db54733 100644 (file)
--- a/python/samba/netcmd/gpo.py
+++ b/python/samba/netcmd/gpo.py
@@ -2585,7 +2585,88 @@ samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.
 
     def run(self, gpo, source, target, user, group, mode, H=None,
             sambaopts=None, credopts=None, versionopts=None):
-        pass
+        self.lp = sambaopts.get_loadparm()
+        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
+
+        if not os.path.exists(source):
+            raise CommandError("Source '%s' does not exist" % source)
+
+        # We need to know writable DC to setup SMB connection
+        if H and H.startswith('ldap://'):
+            dc_hostname = H[7:]
+            self.url = H
+        else:
+            dc_hostname = netcmd_finddc(self.lp, self.creds)
+            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
+
+        # SMB connect to DC
+        conn = smb_connection(dc_hostname,
+                              'sysvol',
+                              lp=self.lp,
+                              creds=self.creds)
+
+        realm = self.lp.get('realm')
+        vgp_dir = '\\'.join([realm.lower(), 'Policies', gpo,
+                             'MACHINE\\VGP\\VTLA\\Unix\\Files'])
+        vgp_xml = '\\'.join([vgp_dir, 'manifest.xml'])
+        try:
+            xml_data = ET.ElementTree(ET.fromstring(conn.loadfile(vgp_xml)))
+            policy = xml_data.getroot().find('policysetting')
+            data = policy.find('data')
+        except NTSTATUSError as e:
+            # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND,
+            # STATUS_OBJECT_PATH_NOT_FOUND
+            if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]:
+                # The file doesn't exist, so create the xml structure
+                xml_data = ET.ElementTree(ET.Element('vgppolicy'))
+                policysetting = ET.SubElement(xml_data.getroot(),
+                                              'policysetting')
+                pv = ET.SubElement(policysetting, 'version')
+                pv.text = '1'
+                name = ET.SubElement(policysetting, 'name')
+                name.text = 'Files'
+                description = ET.SubElement(policysetting, 'description')
+                description.text = 'Represents file data to set/copy on clients'
+                data = ET.SubElement(policysetting, 'data')
+            elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+                raise CommandError("The authenticated user does "
+                                   "not have sufficient privileges")
+            else:
+                raise
+
+        file_properties = ET.SubElement(data, 'file_properties')
+        source_elm = ET.SubElement(file_properties, 'source')
+        source_elm.text = os.path.basename(source)
+        target_elm = ET.SubElement(file_properties, 'target')
+        target_elm.text = target
+        user_elm = ET.SubElement(file_properties, 'user')
+        user_elm.text = user
+        group_elm = ET.SubElement(file_properties, 'group')
+        group_elm.text = group
+        for ptype, shift in [('user', 6), ('group', 3), ('other', 0)]:
+            permissions = ET.SubElement(file_properties, 'permissions')
+            permissions.set('type', ptype)
+            if int(mode, 8) & (0o4 << shift):
+                ET.SubElement(permissions, 'read')
+            if int(mode, 8) & (0o2 << shift):
+                ET.SubElement(permissions, 'write')
+            if int(mode, 8) & (0o1 << shift):
+                ET.SubElement(permissions, 'execute')
+
+        out = BytesIO()
+        xml_data.write(out, encoding='UTF-8', xml_declaration=True)
+        out.seek(0)
+        source_data = open(source, 'rb').read()
+        sysvol_source = '\\'.join([vgp_dir, os.path.basename(source)])
+        try:
+            create_directory_hier(conn, vgp_dir)
+            conn.savefile(vgp_xml, out.read())
+            conn.savefile(sysvol_source, source_data)
+        except NTSTATUSError as e:
+            if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+                raise CommandError("The authenticated user does "
+                                   "not have sufficient privileges")
+            raise
 
 class cmd_files(SuperCommand):
     """Manage Files Group Policy Objects"""

diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
deleted file mode 100644 (file)
index 960b8e5..0000000
--- a/selftest/knownfail.d/gpo
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_files_add