#!/usr/bin/python # # Unix SMB/CIFS implementation. # A script to compare differences of security descriotors between # a remote host and the local Ldb # Needs the local domain, the remote domain, IP of the remote host # Username and password for the remote domain, must be at least # Domain Administrator # # Copyright (C) Jelmer Vernooij 2007-2008 # Copyright (C) Nadezhda Ivanova 2009 # # Based on the original in EJS: # Copyright (C) Andrew Tridgell 2005 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # import getopt import optparse import sys import os import base64 import re sys.path.insert(0, "bin/python") import samba from samba.auth import system_session import samba.getopt as options from samba import param from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security from samba import Ldb from samba.samdb import SamDB from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError parser = optparse.OptionParser("get-descriptor [options]") sambaopts = options.SambaOptions(parser) credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) parser.add_option("--local-domain", type="string", metavar="LOCALDOMAIN", help="set local domain") parser.add_option("--remote-domain", type="string", metavar="REMOTEDOMAIN", help="set remote domain") parser.add_option("--host", type="string", metavar="HOST", help="Ip of the remote host used for comparison") parser.add_option("--as-ldif", help="Output in LDIF format", action="store_true") lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) opts = parser.parse_args()[0] class DescrGetter: def __init__(self, localdomain, remotedomain): self.samdb = SamDB(session_info=system_session(), lp=lp, options=["modules:paged_searches"]) self.remote_ldb= Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp, options=["modules:paged_searches"]) self.local_domain = localdomain.replace(".", ",DC=") self.local_domain = "DC=" + self.local_domain self.remote_domain = remotedomain.replace(".", ",DC=") self.remote_domain = "DC=" + self.remote_domain self.local_map = {} self.remote_map = {} def get_domain_local_sid(self): res = self.samdb.search(base=self.local_domain,expression="(objectClass=*)", scope=SCOPE_BASE) self.local_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) def get_domain_remote_sid(self): res = self.remote_ldb.search(base=self.remote_domain, expression="(objectClass=*)", scope=SCOPE_BASE) self.remote_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) def add_to_ldif(self, dn, descr): ldif_entry = ["dn: " + dn, "changetype: modify", "replace: nTSecurityDescriptor", "nTSecurityDescriptor:: " + base64.b64encode(ndr_pack(descr))] for line in ldif_entry: length = 79 if len(line) <= length + 1: print line else: for i in range(len(line) / length + 1): if i == 0: l = line[i * length:((i + 1) * length)] else: l = " " + line[(i * length):((i + 1) * length)] print l print "\n" def write_as_sddl(self, dn, descr): print dn print descr + "\n" def read_descr_by_base(self, search_base): res = self.samdb.search(base=search_base + self.local_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"]) for entry in res: dn = entry["dn"].__str__().replace(self.local_domain, "") if "nTSecurityDescriptor" in entry: desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0]) self.local_map[dn] = desc_obj res = self.remote_ldb.search(base=search_base + self.remote_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"]) for entry in res: dn = entry["dn"].__str__().replace(self.remote_domain, "") if "nTSecurityDescriptor" in entry: desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0]) self.remote_map[dn] = desc_obj def read_desc(self): self.read_descr_by_base("CN=Schema,CN=Configuration,") self.read_descr_by_base("CN=Configuration,") self.read_descr_by_base("") def write_desc_to_ldif(self): key_list_local = self.local_map.keys() key_list_remote = self.remote_map.keys() for key in key_list_remote: if key in key_list_local: sddl = self.remote_map[key].as_sddl(self.remote_sid) sddl_local = self.local_map[key].as_sddl(self.local_sid) if sddl != sddl_local: descr = security.descriptor.from_sddl(sddl, self.local_sid) if opts.as_ldif: self.add_to_ldif(key + self.local_domain, descr) else: self.write_as_sddl(key, descr.as_sddl(self.local_sid)) def run(self): self.get_domain_local_sid() self.get_domain_remote_sid() self.read_desc() self.write_desc_to_ldif() desc = DescrGetter(opts.local_domain, opts.remote_domain) desc.run()