1 # implement samba_tool gpo commands
3 # Copyright Andrew Tridgell 2010
4 # Copyright Amitay Isaacs 2011-2012 <amitay@gmail.com>
6 # based on C implementation by Guenther Deschner and Wilco Baan Hofman
8 # This program is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # This program is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 import samba.getopt as options
26 import xml.etree.ElementTree as ET
29 from samba.auth import system_session
30 from samba.netcmd import (
36 from samba.samdb import SamDB
37 from samba import dsdb
38 from samba.dcerpc import security
39 from samba.ndr import ndr_unpack
42 from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
43 from samba.netcmd.common import netcmd_finddc
44 from samba import policy
46 from samba import NTSTATUSError
48 from samba.ntacls import dsacl2fsacl
49 from samba.dcerpc import nbt
50 from samba.net import Net
51 from samba.gp_parse import GPParser, GPNoParserException
52 from samba.gp_parse.gp_pol import GPPolParser
53 from samba.gp_parse.gp_ini import (
59 from samba.gp_parse.gp_csv import GPAuditCsvParser
60 from samba.gp_parse.gp_inf import GptTmplInfParser
61 from samba.gp_parse.gp_aas import GPAasParser
64 def samdb_connect(ctx):
65 '''make a ldap connection to the server'''
67 ctx.samdb = SamDB(url=ctx.url,
68 session_info=system_session(),
69 credentials=ctx.creds, lp=ctx.lp)
70 except Exception as e:
71 raise CommandError("LDAP connection to %s failed " % ctx.url, e)
74 def attr_default(msg, attrname, default):
75 '''get an attribute from a ldap msg with a default'''
77 return msg[attrname][0]
81 def gpo_flags_string(value):
82 '''return gpo flags string'''
83 flags = policy.get_gpo_flags(value)
91 def gplink_options_string(value):
92 '''return gplink options string'''
93 options = policy.get_gplink_options(value)
97 ret = ' '.join(options)
101 def parse_gplink(gplink):
102 '''parse a gPLink into an array of dn and options'''
104 a = gplink.split(']')
109 if len(d) != 2 or not d[0].startswith("[LDAP://"):
110 raise RuntimeError("Badly formed gPLink '%s'" % g)
111 ret.append({ 'dn' : d[0][8:], 'options' : int(d[1])})
115 def encode_gplink(gplist):
116 '''Encode an array of dn and options into gPLink string'''
119 ret += "[LDAP://%s;%d]" % (g['dn'], g['options'])
123 def dc_url(lp, creds, url=None, dc=None):
124 '''If URL is not specified, return URL for writable DC.
125 If dc is provided, use that to construct ldap URL'''
130 dc = netcmd_finddc(lp, creds)
131 except Exception as e:
132 raise RuntimeError("Could not find a DC for domain", e)
137 def get_gpo_dn(samdb, gpo):
138 '''Construct the DN for gpo'''
140 dn = samdb.get_default_basedn()
141 dn.add_child(ldb.Dn(samdb, "CN=Policies,CN=System"))
142 dn.add_child(ldb.Dn(samdb, "CN=%s" % gpo))
146 def get_gpo_info(samdb, gpo=None, displayname=None, dn=None,
147 sd_flags=security.SECINFO_OWNER|security.SECINFO_GROUP|security.SECINFO_DACL|security.SECINFO_SACL):
148 '''Get GPO information using gpo, displayname or dn'''
150 policies_dn = samdb.get_default_basedn()
151 policies_dn.add_child(ldb.Dn(samdb, "CN=Policies,CN=System"))
153 base_dn = policies_dn
154 search_expr = "(objectClass=groupPolicyContainer)"
155 search_scope = ldb.SCOPE_ONELEVEL
158 search_expr = "(&(objectClass=groupPolicyContainer)(name=%s))" % ldb.binary_encode(gpo)
160 if displayname is not None:
161 search_expr = "(&(objectClass=groupPolicyContainer)(displayname=%s))" % ldb.binary_encode(displayname)
165 search_scope = ldb.SCOPE_BASE
168 msg = samdb.search(base=base_dn, scope=search_scope,
169 expression=search_expr,
170 attrs=['nTSecurityDescriptor',
176 controls=['sd_flags:1:%d' % sd_flags])
177 except Exception as e:
179 mesg = "Cannot get information for GPO %s" % gpo
181 mesg = "Cannot get information for GPOs"
182 raise CommandError(mesg, e)
187 def get_gpo_containers(samdb, gpo):
188 '''lists dn of containers for a GPO'''
190 search_expr = "(&(objectClass=*)(gPLink=*%s*))" % gpo
192 msg = samdb.search(expression=search_expr, attrs=['gPLink'])
193 except Exception as e:
194 raise CommandError("Could not find container(s) with GPO %s" % gpo, e)
199 def del_gpo_link(samdb, container_dn, gpo):
200 '''delete GPO link for the container'''
201 # Check if valid Container DN and get existing GPlinks
203 msg = samdb.search(base=container_dn, scope=ldb.SCOPE_BASE,
204 expression="(objectClass=*)",
206 except Exception as e:
207 raise CommandError("Container '%s' does not exist" % container_dn, e)
210 gpo_dn = str(get_gpo_dn(samdb, gpo))
212 gplist = parse_gplink(msg['gPLink'][0])
214 if g['dn'].lower() == gpo_dn.lower():
219 raise CommandError("No GPO(s) linked to this container")
222 raise CommandError("GPO '%s' not linked to this container" % gpo)
227 gplink_str = encode_gplink(gplist)
228 m['r0'] = ldb.MessageElement(gplink_str, ldb.FLAG_MOD_REPLACE, 'gPLink')
230 m['d0'] = ldb.MessageElement(msg['gPLink'][0], ldb.FLAG_MOD_DELETE, 'gPLink')
233 except Exception as e:
234 raise CommandError("Error removing GPO from container", e)
238 '''Parse UNC string into a hostname, a service, and a filepath'''
239 if unc.startswith('\\\\') and unc.startswith('//'):
240 raise ValueError("UNC doesn't start with \\\\ or //")
241 tmp = unc[2:].split('/', 2)
244 tmp = unc[2:].split('\\', 2)
247 raise ValueError("Invalid UNC string: %s" % unc)
250 def find_parser(name, flags=re.IGNORECASE):
251 if re.match('fdeploy1\.ini$', name, flags=flags):
252 return GPFDeploy1IniParser()
253 if re.match('audit\.csv$', name, flags=flags):
254 return GPAuditCsvParser()
255 if re.match('GptTmpl\.inf$', name, flags=flags):
256 return GptTmplInfParser()
257 if re.match('GPT\.INI$', name, flags=flags):
258 return GPTIniParser()
259 if re.match('scripts.ini$', name, flags=flags):
260 return GPScriptsIniParser()
261 if re.match('psscripts.ini$', name, flags=flags):
262 return GPScriptsIniParser()
263 if re.match('.*\.ini$', name, flags=flags):
265 if re.match('.*\.pol$', name, flags=flags):
267 if re.match('.*\.aas$', name, flags=flags):
273 def backup_directory_remote_to_local(conn, remotedir, localdir):
274 SUFFIX = '.SAMBABACKUP'
275 if not os.path.isdir(localdir):
277 r_dirs = [ remotedir ]
278 l_dirs = [ localdir ]
283 dirlist = conn.list(r_dir, attribs=attr_flags)
286 r_name = r_dir + '\\' + e['name']
287 l_name = os.path.join(l_dir, e['name'])
289 if e['attrib'] & smb.FILE_ATTRIBUTE_DIRECTORY:
290 r_dirs.append(r_name)
291 l_dirs.append(l_name)
294 data = conn.loadfile(r_name)
295 with file(l_name + SUFFIX, 'w') as f:
298 parser = find_parser(e['name'])
300 parser.write_xml(l_name + '.xml')
303 attr_flags = smb.FILE_ATTRIBUTE_SYSTEM | \
304 smb.FILE_ATTRIBUTE_DIRECTORY | \
305 smb.FILE_ATTRIBUTE_ARCHIVE | \
306 smb.FILE_ATTRIBUTE_HIDDEN
308 def copy_directory_remote_to_local(conn, remotedir, localdir):
309 if not os.path.isdir(localdir):
311 r_dirs = [ remotedir ]
312 l_dirs = [ localdir ]
317 dirlist = conn.list(r_dir, attribs=attr_flags)
320 r_name = r_dir + '\\' + e['name']
321 l_name = os.path.join(l_dir, e['name'])
323 if e['attrib'] & smb.FILE_ATTRIBUTE_DIRECTORY:
324 r_dirs.append(r_name)
325 l_dirs.append(l_name)
328 data = conn.loadfile(r_name)
329 open(l_name, 'w').write(data)
332 def copy_directory_local_to_remote(conn, localdir, remotedir,
333 ignore_existing=False):
334 if not conn.chkpath(remotedir):
335 conn.mkdir(remotedir)
336 l_dirs = [ localdir ]
337 r_dirs = [ remotedir ]
342 dirlist = os.listdir(l_dir)
345 l_name = os.path.join(l_dir, e)
346 r_name = r_dir + '\\' + e
348 if os.path.isdir(l_name):
349 l_dirs.append(l_name)
350 r_dirs.append(r_name)
353 except NTSTATUSError:
354 if not ignore_existing:
357 data = open(l_name, 'r').read()
358 conn.savefile(r_name, data)
361 def create_directory_hier(conn, remotedir):
362 elems = remotedir.replace('/', '\\').split('\\')
365 path = path + '\\' + e
366 if not conn.chkpath(path):
370 class cmd_listall(Command):
373 synopsis = "%prog [options]"
375 takes_optiongroups = {
376 "sambaopts": options.SambaOptions,
377 "versionopts": options.VersionOptions,
378 "credopts": options.CredentialsOptions,
382 Option("-H", "--URL", help="LDB URL for database or target server", type=str,
383 metavar="URL", dest="H")
386 def run(self, H=None, sambaopts=None, credopts=None, versionopts=None):
388 self.lp = sambaopts.get_loadparm()
389 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
391 self.url = dc_url(self.lp, self.creds, H)
395 msg = get_gpo_info(self.samdb, None)
398 self.outf.write("GPO : %s\n" % m['name'][0])
399 self.outf.write("display name : %s\n" % m['displayName'][0])
400 self.outf.write("path : %s\n" % m['gPCFileSysPath'][0])
401 self.outf.write("dn : %s\n" % m.dn)
402 self.outf.write("version : %s\n" % attr_default(m, 'versionNumber', '0'))
403 self.outf.write("flags : %s\n" % gpo_flags_string(int(attr_default(m, 'flags', 0))))
404 self.outf.write("\n")
407 class cmd_list(Command):
408 """List GPOs for an account."""
410 synopsis = "%prog <username> [options]"
412 takes_args = ['username']
413 takes_optiongroups = {
414 "sambaopts": options.SambaOptions,
415 "versionopts": options.VersionOptions,
416 "credopts": options.CredentialsOptions,
420 Option("-H", "--URL", help="LDB URL for database or target server",
421 type=str, metavar="URL", dest="H")
424 def run(self, username, H=None, sambaopts=None, credopts=None, versionopts=None):
426 self.lp = sambaopts.get_loadparm()
427 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
429 self.url = dc_url(self.lp, self.creds, H)
434 msg = self.samdb.search(expression='(&(|(samAccountName=%s)(samAccountName=%s$))(objectClass=User))' %
435 (ldb.binary_encode(username),ldb.binary_encode(username)))
438 raise CommandError("Failed to find account %s" % username)
440 # check if its a computer account
442 msg = self.samdb.search(base=user_dn, scope=ldb.SCOPE_BASE, attrs=['objectClass'])[0]
443 is_computer = 'computer' in msg['objectClass']
445 raise CommandError("Failed to find objectClass for user %s" % username)
447 session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
448 AUTH_SESSION_INFO_AUTHENTICATED )
450 # When connecting to a remote server, don't look up the local privilege DB
451 if self.url is not None and self.url.startswith('ldap'):
452 session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
454 session = samba.auth.user_session(self.samdb, lp_ctx=self.lp, dn=user_dn,
455 session_info_flags=session_info_flags)
457 token = session.security_token
462 dn = ldb.Dn(self.samdb, str(user_dn)).parent()
464 msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions'])[0]
466 glist = parse_gplink(msg['gPLink'][0])
468 if not inherit and not (g['options'] & dsdb.GPLINK_OPT_ENFORCE):
470 if g['options'] & dsdb.GPLINK_OPT_DISABLE:
474 sd_flags=security.SECINFO_OWNER|security.SECINFO_GROUP|security.SECINFO_DACL
475 gmsg = self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE,
476 attrs=['name', 'displayName', 'flags',
477 'nTSecurityDescriptor'],
478 controls=['sd_flags:1:%d' % sd_flags])
479 secdesc_ndr = gmsg[0]['nTSecurityDescriptor'][0]
480 secdesc = ndr_unpack(security.descriptor, secdesc_ndr)
482 self.outf.write("Failed to fetch gpo object with nTSecurityDescriptor %s\n" %
487 samba.security.access_check(secdesc, token,
488 security.SEC_STD_READ_CONTROL |
489 security.SEC_ADS_LIST |
490 security.SEC_ADS_READ_PROP)
492 self.outf.write("Failed access check on %s\n" % msg.dn)
495 # check the flags on the GPO
496 flags = int(attr_default(gmsg[0], 'flags', 0))
497 if is_computer and (flags & dsdb.GPO_FLAG_MACHINE_DISABLE):
499 if not is_computer and (flags & dsdb.GPO_FLAG_USER_DISABLE):
501 gpos.append((gmsg[0]['displayName'][0], gmsg[0]['name'][0]))
503 # check if this blocks inheritance
504 gpoptions = int(attr_default(msg, 'gPOptions', 0))
505 if gpoptions & dsdb.GPO_BLOCK_INHERITANCE:
508 if dn == self.samdb.get_default_basedn():
517 self.outf.write("GPOs for %s %s\n" % (msg_str, username))
519 self.outf.write(" %s %s\n" % (g[0], g[1]))
522 class cmd_show(Command):
523 """Show information for a GPO."""
525 synopsis = "%prog <gpo> [options]"
527 takes_optiongroups = {
528 "sambaopts": options.SambaOptions,
529 "versionopts": options.VersionOptions,
530 "credopts": options.CredentialsOptions,
536 Option("-H", help="LDB URL for database or target server", type=str)
539 def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None):
541 self.lp = sambaopts.get_loadparm()
542 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
544 self.url = dc_url(self.lp, self.creds, H)
549 msg = get_gpo_info(self.samdb, gpo)[0]
551 raise CommandError("GPO '%s' does not exist" % gpo)
554 secdesc_ndr = msg['nTSecurityDescriptor'][0]
555 secdesc = ndr_unpack(security.descriptor, secdesc_ndr)
556 secdesc_sddl = secdesc.as_sddl()
558 secdesc_sddl = "<hidden>"
560 self.outf.write("GPO : %s\n" % msg['name'][0])
561 self.outf.write("display name : %s\n" % msg['displayName'][0])
562 self.outf.write("path : %s\n" % msg['gPCFileSysPath'][0])
563 self.outf.write("dn : %s\n" % msg.dn)
564 self.outf.write("version : %s\n" % attr_default(msg, 'versionNumber', '0'))
565 self.outf.write("flags : %s\n" % gpo_flags_string(int(attr_default(msg, 'flags', 0))))
566 self.outf.write("ACL : %s\n" % secdesc_sddl)
567 self.outf.write("\n")
570 class cmd_getlink(Command):
571 """List GPO Links for a container."""
573 synopsis = "%prog <container_dn> [options]"
575 takes_optiongroups = {
576 "sambaopts": options.SambaOptions,
577 "versionopts": options.VersionOptions,
578 "credopts": options.CredentialsOptions,
581 takes_args = ['container_dn']
584 Option("-H", help="LDB URL for database or target server", type=str)
587 def run(self, container_dn, H=None, sambaopts=None, credopts=None,
590 self.lp = sambaopts.get_loadparm()
591 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
593 self.url = dc_url(self.lp, self.creds, H)
598 msg = self.samdb.search(base=container_dn, scope=ldb.SCOPE_BASE,
599 expression="(objectClass=*)",
602 raise CommandError("Container '%s' does not exist" % container_dn)
605 self.outf.write("GPO(s) linked to DN %s\n" % container_dn)
606 gplist = parse_gplink(msg['gPLink'][0])
608 msg = get_gpo_info(self.samdb, dn=g['dn'])
609 self.outf.write(" GPO : %s\n" % msg[0]['name'][0])
610 self.outf.write(" Name : %s\n" % msg[0]['displayName'][0])
611 self.outf.write(" Options : %s\n" % gplink_options_string(g['options']))
612 self.outf.write("\n")
614 self.outf.write("No GPO(s) linked to DN=%s\n" % container_dn)
617 class cmd_setlink(Command):
618 """Add or update a GPO link to a container."""
620 synopsis = "%prog <container_dn> <gpo> [options]"
622 takes_optiongroups = {
623 "sambaopts": options.SambaOptions,
624 "versionopts": options.VersionOptions,
625 "credopts": options.CredentialsOptions,
628 takes_args = ['container_dn', 'gpo']
631 Option("-H", help="LDB URL for database or target server", type=str),
632 Option("--disable", dest="disabled", default=False, action='store_true',
633 help="Disable policy"),
634 Option("--enforce", dest="enforced", default=False, action='store_true',
635 help="Enforce policy")
638 def run(self, container_dn, gpo, H=None, disabled=False, enforced=False,
639 sambaopts=None, credopts=None, versionopts=None):
641 self.lp = sambaopts.get_loadparm()
642 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
644 self.url = dc_url(self.lp, self.creds, H)
650 gplink_options |= dsdb.GPLINK_OPT_DISABLE
652 gplink_options |= dsdb.GPLINK_OPT_ENFORCE
654 # Check if valid GPO DN
656 msg = get_gpo_info(self.samdb, gpo=gpo)[0]
658 raise CommandError("GPO '%s' does not exist" % gpo)
659 gpo_dn = str(get_gpo_dn(self.samdb, gpo))
661 # Check if valid Container DN
663 msg = self.samdb.search(base=container_dn, scope=ldb.SCOPE_BASE,
664 expression="(objectClass=*)",
667 raise CommandError("Container '%s' does not exist" % container_dn)
669 # Update existing GPlinks or Add new one
670 existing_gplink = False
672 gplist = parse_gplink(msg['gPLink'][0])
673 existing_gplink = True
676 if g['dn'].lower() == gpo_dn.lower():
677 g['options'] = gplink_options
681 raise CommandError("GPO '%s' already linked to this container" % gpo)
683 gplist.insert(0, { 'dn' : gpo_dn, 'options' : gplink_options })
686 gplist.append({ 'dn' : gpo_dn, 'options' : gplink_options })
688 gplink_str = encode_gplink(gplist)
691 m.dn = ldb.Dn(self.samdb, container_dn)
694 m['new_value'] = ldb.MessageElement(gplink_str, ldb.FLAG_MOD_REPLACE, 'gPLink')
696 m['new_value'] = ldb.MessageElement(gplink_str, ldb.FLAG_MOD_ADD, 'gPLink')
700 except Exception as e:
701 raise CommandError("Error adding GPO Link", e)
703 self.outf.write("Added/Updated GPO link\n")
704 cmd_getlink().run(container_dn, H, sambaopts, credopts, versionopts)
707 class cmd_dellink(Command):
708 """Delete GPO link from a container."""
710 synopsis = "%prog <container_dn> <gpo> [options]"
712 takes_optiongroups = {
713 "sambaopts": options.SambaOptions,
714 "versionopts": options.VersionOptions,
715 "credopts": options.CredentialsOptions,
718 takes_args = ['container', 'gpo']
721 Option("-H", help="LDB URL for database or target server", type=str),
724 def run(self, container, gpo, H=None, sambaopts=None, credopts=None,
727 self.lp = sambaopts.get_loadparm()
728 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
730 self.url = dc_url(self.lp, self.creds, H)
736 get_gpo_info(self.samdb, gpo=gpo)[0]
738 raise CommandError("GPO '%s' does not exist" % gpo)
740 container_dn = ldb.Dn(self.samdb, container)
741 del_gpo_link(self.samdb, container_dn, gpo)
742 self.outf.write("Deleted GPO link.\n")
743 cmd_getlink().run(container_dn, H, sambaopts, credopts, versionopts)
746 class cmd_listcontainers(Command):
747 """List all linked containers for a GPO."""
749 synopsis = "%prog <gpo> [options]"
751 takes_optiongroups = {
752 "sambaopts": options.SambaOptions,
753 "versionopts": options.VersionOptions,
754 "credopts": options.CredentialsOptions,
760 Option("-H", help="LDB URL for database or target server", type=str)
763 def run(self, gpo, H=None, sambaopts=None, credopts=None,
766 self.lp = sambaopts.get_loadparm()
767 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
769 self.url = dc_url(self.lp, self.creds, H)
773 msg = get_gpo_containers(self.samdb, gpo)
775 self.outf.write("Container(s) using GPO %s\n" % gpo)
777 self.outf.write(" DN: %s\n" % m['dn'])
779 self.outf.write("No Containers using GPO %s\n" % gpo)
782 class cmd_getinheritance(Command):
783 """Get inheritance flag for a container."""
785 synopsis = "%prog <container_dn> [options]"
787 takes_optiongroups = {
788 "sambaopts": options.SambaOptions,
789 "versionopts": options.VersionOptions,
790 "credopts": options.CredentialsOptions,
793 takes_args = ['container_dn']
796 Option("-H", help="LDB URL for database or target server", type=str)
799 def run(self, container_dn, H=None, sambaopts=None, credopts=None,
802 self.lp = sambaopts.get_loadparm()
803 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
805 self.url = dc_url(self.lp, self.creds, H)
810 msg = self.samdb.search(base=container_dn, scope=ldb.SCOPE_BASE,
811 expression="(objectClass=*)",
812 attrs=['gPOptions'])[0]
814 raise CommandError("Container '%s' does not exist" % container_dn)
817 if 'gPOptions' in msg:
818 inheritance = int(msg['gPOptions'][0])
820 if inheritance == dsdb.GPO_BLOCK_INHERITANCE:
821 self.outf.write("Container has GPO_BLOCK_INHERITANCE\n")
823 self.outf.write("Container has GPO_INHERIT\n")
826 class cmd_setinheritance(Command):
827 """Set inheritance flag on a container."""
829 synopsis = "%prog <container_dn> <block|inherit> [options]"
831 takes_optiongroups = {
832 "sambaopts": options.SambaOptions,
833 "versionopts": options.VersionOptions,
834 "credopts": options.CredentialsOptions,
837 takes_args = [ 'container_dn', 'inherit_state' ]
840 Option("-H", help="LDB URL for database or target server", type=str)
843 def run(self, container_dn, inherit_state, H=None, sambaopts=None, credopts=None,
846 if inherit_state.lower() == 'block':
847 inheritance = dsdb.GPO_BLOCK_INHERITANCE
848 elif inherit_state.lower() == 'inherit':
849 inheritance = dsdb.GPO_INHERIT
851 raise CommandError("Unknown inheritance state (%s)" % inherit_state)
853 self.lp = sambaopts.get_loadparm()
854 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
856 self.url = dc_url(self.lp, self.creds, H)
860 msg = self.samdb.search(base=container_dn, scope=ldb.SCOPE_BASE,
861 expression="(objectClass=*)",
862 attrs=['gPOptions'])[0]
864 raise CommandError("Container '%s' does not exist" % container_dn)
867 m.dn = ldb.Dn(self.samdb, container_dn)
869 if 'gPOptions' in msg:
870 m['new_value'] = ldb.MessageElement(str(inheritance), ldb.FLAG_MOD_REPLACE, 'gPOptions')
872 m['new_value'] = ldb.MessageElement(str(inheritance), ldb.FLAG_MOD_ADD, 'gPOptions')
876 except Exception as e:
877 raise CommandError("Error setting inheritance state %s" % inherit_state, e)
880 class cmd_fetch(Command):
881 """Download a GPO."""
883 synopsis = "%prog <gpo> [options]"
885 takes_optiongroups = {
886 "sambaopts": options.SambaOptions,
887 "versionopts": options.VersionOptions,
888 "credopts": options.CredentialsOptions,
894 Option("-H", help="LDB URL for database or target server", type=str),
895 Option("--tmpdir", help="Temporary directory for copying policy files", type=str)
898 def run(self, gpo, H=None, tmpdir=None, sambaopts=None, credopts=None, versionopts=None):
900 self.lp = sambaopts.get_loadparm()
901 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
903 # We need to know writable DC to setup SMB connection
904 if H and H.startswith('ldap://'):
908 dc_hostname = netcmd_finddc(self.lp, self.creds)
909 self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
913 msg = get_gpo_info(self.samdb, gpo)[0]
915 raise CommandError("GPO '%s' does not exist" % gpo)
918 unc = msg['gPCFileSysPath'][0]
920 [dom_name, service, sharepath] = parse_unc(unc)
922 raise CommandError("Invalid GPO path (%s)" % unc)
926 conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
928 raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)
933 if not os.path.isdir(tmpdir):
934 raise CommandError("Temoprary directory '%s' does not exist" % tmpdir)
936 localdir = os.path.join(tmpdir, "policy")
937 if not os.path.isdir(localdir):
940 gpodir = os.path.join(localdir, gpo)
941 if os.path.isdir(gpodir):
942 raise CommandError("GPO directory '%s' already exists, refusing to overwrite" % gpodir)
946 copy_directory_remote_to_local(conn, sharepath, gpodir)
947 except Exception as e:
948 # FIXME: Catch more specific exception
949 raise CommandError("Error copying GPO from DC", e)
950 self.outf.write('GPO copied to %s\n' % gpodir)
953 class cmd_backup(Command):
956 synopsis = "%prog <gpo> [options]"
958 takes_optiongroups = {
959 "sambaopts": options.SambaOptions,
960 "versionopts": options.VersionOptions,
961 "credopts": options.CredentialsOptions,
967 Option("-H", help="LDB URL for database or target server", type=str),
968 Option("--tmpdir", help="Temporary directory for copying policy files", type=str)
971 def run(self, gpo, H=None, tmpdir=None, sambaopts=None, credopts=None, versionopts=None):
973 self.lp = sambaopts.get_loadparm()
974 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
976 # We need to know writable DC to setup SMB connection
977 if H and H.startswith('ldap://'):
981 dc_hostname = netcmd_finddc(self.lp, self.creds)
982 self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
986 msg = get_gpo_info(self.samdb, gpo)[0]
988 raise CommandError("GPO '%s' does not exist" % gpo)
991 unc = msg['gPCFileSysPath'][0]
993 [dom_name, service, sharepath] = parse_unc(unc)
995 raise CommandError("Invalid GPO path (%s)" % unc)
999 conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
1001 raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)
1006 if not os.path.isdir(tmpdir):
1007 raise CommandError("Temoprary directory '%s' does not exist" % tmpdir)
1009 localdir = os.path.join(tmpdir, "policy")
1010 if not os.path.isdir(localdir):
1013 gpodir = os.path.join(localdir, gpo)
1014 if os.path.isdir(gpodir):
1015 raise CommandError("GPO directory '%s' already exists, refusing to overwrite" % gpodir)
1019 backup_directory_remote_to_local(conn, sharepath, gpodir)
1020 except Exception as e:
1021 # FIXME: Catch more specific exception
1022 raise CommandError("Error copying GPO from DC", e)
1023 self.outf.write('GPO copied to %s\n' % gpodir)
1026 class cmd_create(Command):
1027 """Create an empty GPO."""
1029 synopsis = "%prog <displayname> [options]"
1031 takes_optiongroups = {
1032 "sambaopts": options.SambaOptions,
1033 "versionopts": options.VersionOptions,
1034 "credopts": options.CredentialsOptions,
1037 takes_args = ['displayname']
1040 Option("-H", help="LDB URL for database or target server", type=str),
1041 Option("--tmpdir", help="Temporary directory for copying policy files", type=str)
1044 def run(self, displayname, H=None, tmpdir=None, sambaopts=None, credopts=None,
1047 self.lp = sambaopts.get_loadparm()
1048 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
1050 net = Net(creds=self.creds, lp=self.lp)
1052 # We need to know writable DC to setup SMB connection
1053 if H and H.startswith('ldap://'):
1056 flags = (nbt.NBT_SERVER_LDAP |
1058 nbt.NBT_SERVER_WRITABLE)
1059 cldap_ret = net.finddc(address=dc_hostname, flags=flags)
1061 flags = (nbt.NBT_SERVER_LDAP |
1063 nbt.NBT_SERVER_WRITABLE)
1064 cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags)
1065 dc_hostname = cldap_ret.pdc_dns_name
1066 self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
1070 msg = get_gpo_info(self.samdb, displayname=displayname)
1072 raise CommandError("A GPO already existing with name '%s'" % displayname)
1075 guid = str(uuid.uuid4())
1076 gpo = "{%s}" % guid.upper()
1080 realm = cldap_ret.dns_domain
1081 unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)
1086 if not os.path.isdir(tmpdir):
1087 raise CommandError("Temporary directory '%s' does not exist" % tmpdir)
1088 self.tmpdir = tmpdir
1090 localdir = os.path.join(tmpdir, "policy")
1091 if not os.path.isdir(localdir):
1094 gpodir = os.path.join(localdir, gpo)
1095 self.gpodir = gpodir
1096 if os.path.isdir(gpodir):
1097 raise CommandError("GPO directory '%s' already exists, refusing to overwrite" % gpodir)
1101 os.mkdir(os.path.join(gpodir, "Machine"))
1102 os.mkdir(os.path.join(gpodir, "User"))
1103 gpt_contents = "[General]\r\nVersion=0\r\n"
1104 open(os.path.join(gpodir, "GPT.INI"), "w").write(gpt_contents)
1105 except Exception as e:
1106 raise CommandError("Error Creating GPO files", e)
1108 # Connect to DC over SMB
1109 [dom_name, service, sharepath] = parse_unc(unc_path)
1110 self.sharepath = sharepath
1112 conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
1113 except Exception as e:
1114 raise CommandError("Error connecting to '%s' using SMB" % dc_hostname, e)
1118 self.samdb.transaction_start()
1121 gpo_dn = get_gpo_dn(self.samdb, gpo)
1125 m['a01'] = ldb.MessageElement("groupPolicyContainer", ldb.FLAG_MOD_ADD, "objectClass")
1128 # Add cn=User,cn=<guid>
1130 m.dn = ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn))
1131 m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
1134 # Add cn=Machine,cn=<guid>
1136 m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn))
1137 m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
1140 # Get new security descriptor
1141 ds_sd_flags = ( security.SECINFO_OWNER |
1142 security.SECINFO_GROUP |
1143 security.SECINFO_DACL )
1144 msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0]
1145 ds_sd_ndr = msg['nTSecurityDescriptor'][0]
1146 ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
1148 # Create a file system security descriptor
1149 domain_sid = security.dom_sid(self.samdb.get_domain_sid())
1150 sddl = dsacl2fsacl(ds_sd, domain_sid)
1151 fs_sd = security.descriptor.from_sddl(sddl, domain_sid)
1153 # Copy GPO directory
1154 create_directory_hier(conn, sharepath)
1157 sio = ( security.SECINFO_OWNER |
1158 security.SECINFO_GROUP |
1159 security.SECINFO_DACL |
1160 security.SECINFO_PROTECTED_DACL )
1161 conn.set_acl(sharepath, fs_sd, sio)
1163 # Copy GPO files over SMB
1164 copy_directory_local_to_remote(conn, gpodir, sharepath)
1168 m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_REPLACE, "displayName")
1169 m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_REPLACE, "gPCFileSysPath")
1170 m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "versionNumber")
1171 m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_REPLACE, "gpcFunctionalityVersion")
1172 m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "flags")
1173 controls=["permissive_modify:0"]
1174 self.samdb.modify(m, controls=controls)
1176 self.samdb.transaction_cancel()
1179 self.samdb.transaction_commit()
1181 self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))
1184 class cmd_restore(cmd_create):
1185 """Restore a GPO to a new container."""
1187 synopsis = "%prog <displayname> <backup location> [options]"
1189 takes_optiongroups = {
1190 "sambaopts": options.SambaOptions,
1191 "versionopts": options.VersionOptions,
1192 "credopts": options.CredentialsOptions,
1195 takes_args = ['displayname', 'backup']
1198 Option("-H", help="LDB URL for database or target server", type=str),
1199 Option("--tmpdir", help="Temporary directory for copying policy files", type=str),
1200 Option("--entities", help="File defining XML entities to insert into DOCTYPE header", type=str)
1203 def restore_from_backup_to_local_dir(self, sourcedir, targetdir, dtd_header=''):
1204 SUFFIX = '.SAMBABACKUP'
1206 if not os.path.exists(targetdir):
1209 l_dirs = [ sourcedir ]
1210 r_dirs = [ targetdir ]
1212 l_dir = l_dirs.pop()
1213 r_dir = r_dirs.pop()
1215 dirlist = os.listdir(l_dir)
1217 l_name = os.path.join(l_dir, e)
1218 r_name = os.path.join(r_dir, e)
1220 if os.path.isdir(l_name):
1221 l_dirs.append(l_name)
1222 r_dirs.append(r_name)
1223 if not os.path.exists(r_name):
1226 if l_name.endswith('.xml'):
1227 # Restore the xml file if possible
1229 # Get the filename to find the parser
1230 to_parse = os.path.basename(l_name)[:-4]
1232 parser = find_parser(to_parse)
1234 with open(l_name, 'r') as ltemp:
1236 # Load the XML file with the DTD (entity) header
1237 parser.load_xml(ET.fromstring(dtd_header + data))
1239 # Write out the substituted files in the output
1240 # location, ready to copy over.
1241 parser.write_binary(r_name[:-4])
1243 except GPNoParserException:
1244 # In the failure case, we fallback
1245 original_file = l_name[:-4] + SUFFIX
1246 shutil.copy2(original_file, r_name[:-4])
1248 self.outf.write('WARNING: No such parser for %s\n' % to_parse)
1249 self.outf.write('WARNING: Falling back to simple copy-restore.\n')
1252 traceback.print_exc()
1254 # In the failure case, we fallback
1255 original_file = l_name[:-4] + SUFFIX
1256 shutil.copy2(original_file, r_name[:-4])
1258 self.outf.write('WARNING: Error during parsing for %s\n' % l_name)
1259 self.outf.write('WARNING: Falling back to simple copy-restore.\n')
1261 def run(self, displayname, backup, H=None, tmpdir=None, entities=None, sambaopts=None, credopts=None,
1266 if not os.path.exists(backup):
1267 raise CommandError("Backup directory does not exist %s" % backup)
1269 if entities is not None:
1270 # DOCTYPE name is meant to match root element, but ElementTree does
1271 # not seem to care, so this seems to be enough.
1273 dtd_header = '<!DOCTYPE foobar [\n'
1275 if not os.path.exists(entities):
1276 raise CommandError("Entities file does not exist %s" %
1278 with open(entities, 'r') as entities_file:
1279 entities_content = entities_file.read()
1281 # Do a basic regex test of the entities file format
1282 if re.match('(\s*<!ENTITY\s*[a-zA-Z0-9_]+\s*.*?>)+\s*\Z',
1283 entities_content, flags=re.MULTILINE) is None:
1284 raise CommandError("Entities file does not appear to "
1285 "conform to format\n"
1286 'e.g. <!ENTITY entity "value">')
1287 dtd_header += entities_content.strip()
1289 dtd_header += '\n]>\n'
1291 super(cmd_restore, self).run(displayname, H, tmpdir, sambaopts,
1292 credopts, versionopts)
1295 # Iterate over backup files and restore with DTD
1296 self.restore_from_backup_to_local_dir(backup, self.gpodir,
1299 # Copy GPO files over SMB
1300 copy_directory_local_to_remote(self.conn, self.gpodir,
1302 ignore_existing=True)
1304 except Exception as e:
1306 traceback.print_exc()
1307 self.outf.write(str(e) + '\n')
1309 self.outf.write("Failed to restore GPO -- deleting...\n")
1311 cmd.run(self.gpo_name, H, sambaopts, credopts, versionopts)
1313 raise CommandError("Failed to restore: %s" % e)
1316 class cmd_del(Command):
1319 synopsis = "%prog <gpo> [options]"
1321 takes_optiongroups = {
1322 "sambaopts": options.SambaOptions,
1323 "versionopts": options.VersionOptions,
1324 "credopts": options.CredentialsOptions,
1327 takes_args = ['gpo']
1330 Option("-H", help="LDB URL for database or target server", type=str),
1333 def run(self, gpo, H=None, sambaopts=None, credopts=None,
1336 self.lp = sambaopts.get_loadparm()
1337 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
1339 # We need to know writable DC to setup SMB connection
1340 if H and H.startswith('ldap://'):
1344 dc_hostname = netcmd_finddc(self.lp, self.creds)
1345 self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
1349 # Check if valid GPO
1351 msg = get_gpo_info(self.samdb, gpo=gpo)[0]
1352 unc_path = msg['gPCFileSysPath'][0]
1354 raise CommandError("GPO '%s' does not exist" % gpo)
1356 # Connect to DC over SMB
1357 [dom_name, service, sharepath] = parse_unc(unc_path)
1359 conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
1360 except Exception as e:
1361 raise CommandError("Error connecting to '%s' using SMB" % dc_hostname, e)
1363 self.samdb.transaction_start()
1365 # Check for existing links
1366 msg = get_gpo_containers(self.samdb, gpo)
1369 self.outf.write("GPO %s is linked to containers\n" % gpo)
1371 del_gpo_link(self.samdb, m['dn'], gpo)
1372 self.outf.write(" Removed link from %s.\n" % m['dn'])
1374 # Remove LDAP entries
1375 gpo_dn = get_gpo_dn(self.samdb, gpo)
1376 self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))
1377 self.samdb.delete(ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn)))
1378 self.samdb.delete(gpo_dn)
1381 conn.deltree(sharepath)
1384 self.samdb.transaction_cancel()
1387 self.samdb.transaction_commit()
1389 self.outf.write("GPO %s deleted.\n" % gpo)
1392 class cmd_aclcheck(Command):
1393 """Check all GPOs have matching LDAP and DS ACLs."""
1395 synopsis = "%prog [options]"
1397 takes_optiongroups = {
1398 "sambaopts": options.SambaOptions,
1399 "versionopts": options.VersionOptions,
1400 "credopts": options.CredentialsOptions,
1404 Option("-H", "--URL", help="LDB URL for database or target server", type=str,
1405 metavar="URL", dest="H")
1408 def run(self, H=None, sambaopts=None, credopts=None, versionopts=None):
1410 self.lp = sambaopts.get_loadparm()
1411 self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
1413 self.url = dc_url(self.lp, self.creds, H)
1415 # We need to know writable DC to setup SMB connection
1416 if H and H.startswith('ldap://'):
1420 dc_hostname = netcmd_finddc(self.lp, self.creds)
1421 self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
1425 msg = get_gpo_info(self.samdb, None)
1429 unc = m['gPCFileSysPath'][0]
1431 [dom_name, service, sharepath] = parse_unc(unc)
1433 raise CommandError("Invalid GPO path (%s)" % unc)
1437 conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
1439 raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)
1441 fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
1443 ds_sd_ndr = m['nTSecurityDescriptor'][0]
1444 ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
1446 # Create a file system security descriptor
1447 domain_sid = security.dom_sid(self.samdb.get_domain_sid())
1448 expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
1450 if (fs_sd.as_sddl(domain_sid) != expected_fs_sddl):
1451 raise CommandError("Invalid GPO ACL %s on path (%s), should be %s" % (fs_sd.as_sddl(domain_sid), sharepath, expected_fs_sddl))
1454 class cmd_gpo(SuperCommand):
1455 """Group Policy Object (GPO) management."""
1458 subcommands["listall"] = cmd_listall()
1459 subcommands["list"] = cmd_list()
1460 subcommands["show"] = cmd_show()
1461 subcommands["getlink"] = cmd_getlink()
1462 subcommands["setlink"] = cmd_setlink()
1463 subcommands["dellink"] = cmd_dellink()
1464 subcommands["listcontainers"] = cmd_listcontainers()
1465 subcommands["getinheritance"] = cmd_getinheritance()
1466 subcommands["setinheritance"] = cmd_setinheritance()
1467 subcommands["fetch"] = cmd_fetch()
1468 subcommands["create"] = cmd_create()
1469 subcommands["del"] = cmd_del()
1470 subcommands["aclcheck"] = cmd_aclcheck()
1471 subcommands["backup"] = cmd_backup()
1472 subcommands["restore"] = cmd_restore()