Ejemplo n.º 1
def packet_cldap_3(packet, conversation, context):
    """Replay a CLDAP searchRequest: locate a writable, LDAP-capable DC.

    `packet` and `conversation` belong to the handler signature but are not
    consulted; the realm is read from `context.lp` and the credentials from
    `context.creds`.  The CLDAP reply itself is discarded.

    Returns:
        True once the DC lookup has returned.
    """
    # searchRequest
    wanted = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE
    lookup = Net(creds=context.creds, lp=context.lp)
    lookup.finddc(domain=context.lp.get('realm'), flags=wanted)
    return True
Ejemplo n.º 2
def packet_cldap_3(packet, conversation, context):
    """Replay a CLDAP searchRequest against a DC of the configured realm.

    The lookup asks for a server advertising LDAP, DS and WRITABLE; its
    answer is not used.  `packet` and `conversation` are unused here.

    Returns:
        True, unconditionally, after the lookup.
    """
    # searchRequest
    realm = context.lp.get('realm')
    Net(creds=context.creds, lp=context.lp).finddc(
        domain=realm,
        flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
    return True
Ejemplo n.º 3
Archivo: gpo.py Proyecto: runt18/samba
    def run(self, displayname, H=None, tmpdir=None, sambaopts=None, credopts=None,
            versionopts=None):
        """Create a new GPO called `displayname` (Python 2 version).

        This listing stops after the local GPT skeleton has been staged; the
        SMB upload and the directory objects are created later in the full
        method, which is not shown here.

        Args:
            displayname: Display name of the GPO to create.
            H: Optional ldap:// URL of the DC to use; otherwise a writable DC
               is discovered via CLDAP for the realm in smb.conf.
            tmpdir: Directory for the local staging copy; "/tmp" when None.
            sambaopts, credopts, versionopts: samba-tool option groups.

        Raises:
            CommandError: duplicate display name, missing temp directory,
                pre-existing staging directory, or file creation failure.
        """

        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        net = Net(creds=self.creds, lp=self.lp)

        # We need to know writable DC to setup SMB connection
        if H and H.startswith('ldap://'):
            # Host is taken verbatim from the URL; the CLDAP reply is still
            # needed for the dns_domain used in the UNC path below.
            dc_hostname = H[7:]
            self.url = H
            flags = (nbt.NBT_SERVER_LDAP |
                     nbt.NBT_SERVER_DS |
                     nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(address=dc_hostname, flags=flags)
        else:
            flags = (nbt.NBT_SERVER_LDAP |
                     nbt.NBT_SERVER_DS |
                     nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags)
            dc_hostname = cldap_ret.pdc_dns_name
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        msg = get_gpo_info(self.samdb, displayname=displayname)
        if msg.count > 0:
            raise CommandError("A GPO already existing with name '{0!s}'".format(displayname))

        # Create new GUID; the GPO is named by the upper-cased GUID in braces
        guid  = str(uuid.uuid4())
        gpo = "{{{0!s}}}".format(guid.upper())
        realm = cldap_ret.dns_domain
        unc_path = "\\\\{0!s}\\sysvol\\{1!s}\\Policies\\{2!s}".format(realm, realm, gpo)

        # Create GPT
        if tmpdir is None:
            tmpdir = "/tmp"
        if not os.path.isdir(tmpdir):
            raise CommandError("Temporary directory '{0!s}' does not exist".format(tmpdir))

        # NOTE(review): the staging path is predictable and, with the default
        # tmpdir, lives in a shared location; an existing "policy" directory
        # is reused without checking who owns it.
        localdir = os.path.join(tmpdir, "policy")
        if not os.path.isdir(localdir):
            os.mkdir(localdir)

        gpodir = os.path.join(localdir, gpo)
        if os.path.isdir(gpodir):
            raise CommandError("GPO directory '{0!s}' already exists, refusing to overwrite".format(gpodir))

        try:
            os.mkdir(gpodir)
            os.mkdir(os.path.join(gpodir, "Machine"))
            os.mkdir(os.path.join(gpodir, "User"))
            gpt_contents = "[General]\r\nVersion=0\r\n"
            # Python 2 `file` builtin; the handle is never closed explicitly,
            # so the write is flushed only when the object is collected.
            file(os.path.join(gpodir, "GPT.INI"), "w").write(gpt_contents)
        except Exception, e:
            raise CommandError("Error Creating GPO files", e)
Ejemplo n.º 4
def netcmd_get_domain_infos_via_cldap(lp, creds, address=None):
    """Return the CLDAP record of the LDAP-capable DC at `address`.

    Only LDAP and DS are requested, so a read-only DC qualifies.  `address`
    is handed to `Net.finddc` unchanged, including when it is None.
    """
    wanted = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
    return Net(creds=creds, lp=lp).finddc(address=address, flags=wanted)
Ejemplo n.º 5
def netcmd_finddc(lp, creds):
    """Return the DNS name of a writable, LDAP-capable DC for the realm in `lp`.

    The arguments to `Net.finddc` are passed positionally (domain, then
    flags), exactly as before.
    """
    wanted = (nbt.NBT_SERVER_LDAP
              | nbt.NBT_SERVER_DS
              | nbt.NBT_SERVER_WRITABLE)
    response = Net(creds=creds, lp=lp).finddc(lp.get('realm'), wanted)
    return response.pdc_dns_name
Ejemplo n.º 6
def netcmd_get_domain_infos_via_cldap(lp, creds, address=None):
    """Look up the DC at `address` over CLDAP and return its record.

    The server only has to advertise LDAP and DS; writability is not
    required.  Whatever `address` is (None included) goes straight to
    `Net.finddc`.
    """
    net = Net(creds=creds, lp=lp)
    record = net.finddc(address=address,
                        flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
    return record
Ejemplo n.º 7
def get_ldb_url(lp, creds, names):
    """Return the LDB URL appropriate for the server role in `names`.

    For a "member server" a DC advertising LDAP for `names.dnsdomain` is found
    via CLDAP and an ldap:// URL to its PDC DNS name is returned.  Every other
    role gets `lp.samdb_url()`.  NOTE(review): the ldap:// scheme carries no
    transport protection by itself; what protects the session depends on how
    the caller binds.
    """
    if names.serverrole != "member server":
        return lp.samdb_url()
    dc = Net(creds, lp).finddc(domain=names.dnsdomain, flags=nbt.NBT_SERVER_LDAP)
    return "ldap://" + dc.pdc_dns_name
Ejemplo n.º 8
def netcmd_finddc(lp, creds, realm=None):
    """Return the DNS name of a writable, LDAP-capable DC.

    The lookup targets `realm` when given, otherwise the "realm" parameter
    from smb.conf.
    """
    domain = lp.get("realm") if realm is None else realm
    wanted = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE
    return Net(creds=creds, lp=lp).finddc(domain=domain, flags=wanted).pdc_dns_name
Ejemplo n.º 9
def get_ldb_url(lp, creds, names):
    """Pick the LDB URL for `names.serverrole`.

    A member server has no local sam.ldb URL from `lp`, so an LDAP-capable DC
    for `names.dnsdomain` is located over CLDAP and addressed by its PDC DNS
    name; any other role uses `lp.samdb_url()`.
    """
    is_member = names.serverrole == "member server"
    if is_member:
        located = Net(creds, lp).finddc(domain=names.dnsdomain,
                                        flags=nbt.NBT_SERVER_LDAP)
        return "ldap://" + located.pdc_dns_name
    return lp.samdb_url()
Ejemplo n.º 10
def netcmd_finddc(lp, creds, realm=None):
    """Return the DNS name of a writable, LDAP-capable DC for `realm`.

    When `realm` is None the 'realm' parameter from smb.conf is used instead.
    """
    net = Net(creds=creds, lp=lp)
    if realm is None:
        realm = lp.get('realm')
    wanted = (nbt.NBT_SERVER_LDAP
              | nbt.NBT_SERVER_DS
              | nbt.NBT_SERVER_WRITABLE)
    located = net.finddc(domain=realm, flags=wanted)
    return located.pdc_dns_name
Ejemplo n.º 11
    def finddc(self, realm=None, flags=None):
        """Return the PDC DNS name of a DC for `realm` matching `flags`.

        Empty/None `realm` falls back to `self.realm`; empty/None `flags`
        falls back to LDAP | DS | WRITABLE.  Because the fallback is a
        truthiness test, passing `flags=0` also selects the default set.
        """
        domain = realm or self.realm
        wanted = flags or (nbt.NBT_SERVER_LDAP
                           | nbt.NBT_SERVER_DS
                           | nbt.NBT_SERVER_WRITABLE)
        located = Net(creds=self.creds, lp=self.lp).finddc(domain=domain, flags=wanted)
        return located.pdc_dns_name
Ejemplo n.º 12
 def __init__(self, lp, creds):
     """Locate a DC for the configured realm and bind an LDAP connection to it.

     GSSAPI (Kerberos) is preferred when `self.__kinit_for_gssapi()` succeeds.
     Otherwise a simple bind is done with the username from `creds`, suffixed
     with "@<realm>" unless the realm already appears in it.
     NOTE(review): that fallback sends the password in a simple bind over a
     plain ldap:// URL; nothing here negotiates TLS first, so confirm the
     deployment protects that exchange (e.g. StartTLS) before relying on it.
     """
     self.lp = lp
     self.creds = creds
     self.realm = lp.get('realm')
     located = Net(creds=creds, lp=lp).finddc(
         domain=self.realm, flags=(nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS))
     self.l = ldap.initialize('ldap://%s' % located.pdc_dns_name)
     if self.__kinit_for_gssapi():
         self.l.sasl_interactive_bind_s('', ldap.sasl.gssapi(''))
         return
     username = creds.get_username()
     if self.realm not in username:
         username = '%s@%s' % (username, self.realm)
     self.l.bind_s(username, creds.get_password())
Ejemplo n.º 13
def __domain_name(server):
    """Return the DNS domain advertised by `server`, or `server` itself.

    The last CLDAP answer is cached in the module globals `cldap_ret` and
    `cldap_server`.  A new lookup happens when nothing is cached or when
    `strcasecmp(server, cldap_server)` is falsy.  NOTE(review): with C-style
    semantics (0 means equal) that refreshes on a *match* and reuses the
    cache across different servers -- confirm what this project's
    `strcasecmp` returns.  A failed lookup is logged through
    `ycpbuiltins.y2error` and whatever was cached before (possibly for
    another server) is still returned.
    """
    global cldap_ret, cldap_server
    needs_lookup = not cldap_ret or not strcasecmp(server, cldap_server)
    if needs_lookup:
        try:
            cldap_ret = Net(Credentials()).finddc(
                address=server,
                flags=(nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS))
        except NTSTATUSError as e:
            ycpbuiltins.y2error(str(e))
        else:
            cldap_server = server
    if cldap_ret:
        return cldap_ret.dns_domain
    return server
Ejemplo n.º 14
def net_lookup(domain):
    """Query CLDAP for an LDAP-capable DC of `domain` and cache the reply.

    The reply is stored in the module global `cldap_ret`; nothing is
    returned.  The lookup uses a default-constructed `Credentials()`.
    """
    global cldap_ret
    wanted = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
    cldap_ret = Net(Credentials()).finddc(domain=domain, flags=wanted)
Ejemplo n.º 15
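    def run(self,
            displayname,
            H=None,
            tmpdir=None,
            sambaopts=None,
            credopts=None,
            versionopts=None):
        """Create a new Group Policy Object called `displayname`.

        Order of operations:

        1. Pick a writable, LDAP-capable DC -- the host named in `H` when it
           is an ldap:// URL, otherwise one found over CLDAP for the realm in
           smb.conf -- and open sam.ldb on it.
        2. Refuse to continue when a GPO with that display name exists.
        3. Stage the GPT skeleton (Machine/, User/, GPT.INI) locally under
           `<tmpdir>/policy/{GUID}`.
        4. In one sam.ldb transaction: add the groupPolicyContainer and its
           User/Machine children, derive a file-system ACL from the
           container's security descriptor, create the SYSVOL directory over
           SMB, apply that ACL, upload the staged files and fill in the
           container's attributes.  Any exception cancels the transaction
           and is re-raised.

        Args:
            displayname: Display name for the new GPO.
            H: Optional ldap:// URL of the DC to use.
            tmpdir: Directory for local staging; "/tmp" when None.  The
                staged directory is left in place after the run.
            sambaopts, credopts, versionopts: samba-tool option groups.

        Raises:
            CommandError: duplicate display name, unusable temp directory,
                failure to create the staged files, or SMB connection
                failure.
        """
        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        net = Net(creds=self.creds, lp=self.lp)

        # We need to know writable DC to setup SMB connection; the flag set
        # is the same whichever way the DC is chosen.
        flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
                 | nbt.NBT_SERVER_WRITABLE)
        if H and H.startswith('ldap://'):
            dc_hostname = H[len('ldap://'):]
            self.url = H
            cldap_ret = net.finddc(address=dc_hostname, flags=flags)
        else:
            cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags)
            dc_hostname = cldap_ret.pdc_dns_name
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        msg = get_gpo_info(self.samdb, displayname=displayname)
        if msg.count > 0:
            raise CommandError("A GPO already existing with name '%s'" %
                               displayname)

        # Create new GUID; on SYSVOL and in the directory the GPO is named
        # by the upper-cased GUID in braces.
        guid = str(uuid.uuid4())
        gpo = "{%s}" % guid.upper()
        realm = cldap_ret.dns_domain
        unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)

        # Create GPT
        if tmpdir is None:
            tmpdir = "/tmp"
        if not os.path.isdir(tmpdir):
            raise CommandError("Temporary directory '%s' does not exist" %
                               tmpdir)

        # The staging path is predictable and, with the default tmpdir, sits
        # in a shared location.  What is staged here is what gets uploaded
        # to SYSVOL, so a newly created staging directory is made private
        # to the current user; an existing one is reused unchanged.
        localdir = os.path.join(tmpdir, "policy")
        if not os.path.isdir(localdir):
            os.mkdir(localdir, 0o700)

        gpodir = os.path.join(localdir, gpo)
        if os.path.isdir(gpodir):
            raise CommandError(
                "GPO directory '%s' already exists, refusing to overwrite" %
                gpodir)

        try:
            os.mkdir(gpodir)
            os.mkdir(os.path.join(gpodir, "Machine"))
            os.mkdir(os.path.join(gpodir, "User"))
            gpt_contents = "[General]\r\nVersion=0\r\n"
            # Close the handle before the directory is copied to the DC so
            # the contents are flushed to disk first.
            with open(os.path.join(gpodir, "GPT.INI"), "w") as gpt_ini:
                gpt_ini.write(gpt_contents)
        except Exception as e:
            raise CommandError("Error Creating GPO files", e)

        # Connect to DC over SMB; share and path come from the UNC path.
        [dom_name, service, sharepath] = parse_unc(unc_path)
        try:
            conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
        except Exception as e:
            raise CommandError(
                "Error connecting to '%s' using SMB" % dc_hostname, e)

        # All sam.ldb writes happen inside one transaction.  The SMB side
        # effects (directory, ACL, files) are not rolled back on failure.
        self.samdb.transaction_start()
        try:
            # Add cn=<guid>
            gpo_dn = get_gpo_dn(self.samdb, gpo)

            # On an ldb.Message the dict key is only a slot name; the
            # attribute written is the MessageElement's last argument.
            m = ldb.Message()
            m.dn = gpo_dn
            m['a01'] = ldb.MessageElement("groupPolicyContainer",
                                          ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Add cn=User,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD,
                                          "objectClass")
            self.samdb.add(m)

            # Add cn=Machine,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD,
                                          "objectClass")
            self.samdb.add(m)

            # Get new security descriptor (owner, group and DACL only) of
            # the container just created, as SDDL.
            ds_sd_flags = (security.SECINFO_OWNER | security.SECINFO_GROUP
                           | security.SECINFO_DACL)
            msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0]
            ds_sd_ndr = msg['nTSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Create a file system security descriptor by translating the
            # directory ACL into its file-system equivalent for this domain.
            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
            sddl = dsacl2fsacl(ds_sd, domain_sid)
            fs_sd = security.descriptor.from_sddl(sddl, domain_sid)

            # Copy GPO directory
            create_directory_hier(conn, sharepath)

            # Set ACL.  PROTECTED_DACL is included so the parent's DACL is
            # not inherited on top of the one derived above.
            sio = (security.SECINFO_OWNER | security.SECINFO_GROUP
                   | security.SECINFO_DACL | security.SECINFO_PROTECTED_DACL)
            conn.set_acl(sharepath, fs_sd, sio)

            # Copy GPO files over SMB
            copy_directory_local_to_remote(conn, gpodir, sharepath)

            # Fill in the container attributes: display name, SYSVOL path,
            # initial version numbers and flags.
            m = ldb.Message()
            m.dn = gpo_dn
            m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_REPLACE,
                                          "displayName")
            m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_REPLACE,
                                          "gPCFileSysPath")
            m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE,
                                          "versionNumber")
            m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_REPLACE,
                                          "gpcFunctionalityVersion")
            m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "flags")
            # Non-critical permissive-modify control: replacing attributes
            # that are not yet set is not treated as an error.
            controls = ["permissive_modify:0"]
            self.samdb.modify(m, controls=controls)
        except Exception:
            self.samdb.transaction_cancel()
            raise
        else:
            self.samdb.transaction_commit()

        self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))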
Ejemplo n.º 16
def get_dc_hostname(creds, lp):
    """Return the PDC DNS name of an LDAP-capable DC for the realm in `lp`.

    Only LDAP and DS are requested, so the answer need not be writable.
    """
    wanted = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
    located = Net(creds=creds, lp=lp).finddc(domain=lp.get('realm'), flags=wanted)
    return located.pdc_dns_name
Ejemplo n.º 17
Archivo: gpo.py Proyecto: sYnfo/samba
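    def run(self, displayname, H=None, tmpdir=None, sambaopts=None, credopts=None,
            versionopts=None):
        """Create a new GPO named `displayname`.

        Locates a writable DC (from `H` when it is an ldap:// URL, otherwise
        via CLDAP for the smb.conf realm), rejects duplicate display names,
        stages the GPT skeleton under `<tmpdir>/policy/{GUID}`, then in one
        sam.ldb transaction creates the groupPolicyContainer with its
        User/Machine children, derives a file-system ACL from the container's
        security descriptor, creates and ACLs the SYSVOL directory over SMB,
        uploads the staged files and sets the container attributes.  A
        failure inside the transaction cancels it and propagates.

        Args:
            displayname: Display name for the new GPO.
            H: Optional ldap:// URL of the DC to use.
            tmpdir: Local staging directory; "/tmp" when None.  The staged
                files are not removed afterwards.
            sambaopts, credopts, versionopts: samba-tool option groups.

        Raises:
            CommandError: duplicate name, unusable temp directory, local file
                creation failure or SMB connection failure.
        """

        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        net = Net(creds=self.creds, lp=self.lp)

        # We need to know writable DC to setup SMB connection. Same flag set
        # for both lookups.
        flags = (nbt.NBT_SERVER_LDAP |
                 nbt.NBT_SERVER_DS |
                 nbt.NBT_SERVER_WRITABLE)
        if H and H.startswith('ldap://'):
            dc_hostname = H[len('ldap://'):]
            self.url = H
            cldap_ret = net.finddc(address=dc_hostname, flags=flags)
        else:
            cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags)
            dc_hostname = cldap_ret.pdc_dns_name
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        msg = get_gpo_info(self.samdb, displayname=displayname)
        if msg.count > 0:
            raise CommandError("A GPO already existing with name '%s'" % displayname)

        # Create new GUID; the GPO is named by the upper-cased GUID in braces
        guid = str(uuid.uuid4())
        gpo = "{%s}" % guid.upper()
        realm = cldap_ret.dns_domain
        unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)

        # Create GPT
        if tmpdir is None:
            tmpdir = "/tmp"
        if not os.path.isdir(tmpdir):
            raise CommandError("Temporary directory '%s' does not exist" % tmpdir)

        # The staging path is predictable and by default lives in a shared
        # location; its contents are what gets uploaded to SYSVOL, so a
        # freshly created staging directory is private to the current user.
        # An existing directory is reused as-is.
        localdir = os.path.join(tmpdir, "policy")
        if not os.path.isdir(localdir):
            os.mkdir(localdir, 0o700)

        gpodir = os.path.join(localdir, gpo)
        if os.path.isdir(gpodir):
            raise CommandError("GPO directory '%s' already exists, refusing to overwrite" % gpodir)

        try:
            os.mkdir(gpodir)
            os.mkdir(os.path.join(gpodir, "Machine"))
            os.mkdir(os.path.join(gpodir, "User"))
            gpt_contents = "[General]\r\nVersion=0\r\n"
            # Close before the upload below so the content is flushed.
            with open(os.path.join(gpodir, "GPT.INI"), "w") as gpt_ini:
                gpt_ini.write(gpt_contents)
        except Exception as e:
            raise CommandError("Error Creating GPO files", e)

        # Connect to DC over SMB (share and path taken from the UNC path)
        [dom_name, service, sharepath] = parse_unc(unc_path)
        try:
            conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
        except Exception as e:
            raise CommandError("Error connecting to '%s' using SMB" % dc_hostname, e)

        # sam.ldb writes are transactional; the SMB side effects are not
        # rolled back if something fails after them.
        self.samdb.transaction_start()
        try:
            # Add cn=<guid>
            gpo_dn = get_gpo_dn(self.samdb, gpo)

            # The dict key on an ldb.Message is just a slot name; the
            # attribute actually written is the MessageElement's last argument.
            m = ldb.Message()
            m.dn = gpo_dn
            m['a01'] = ldb.MessageElement("groupPolicyContainer", ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Add cn=User,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Add cn=Machine,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Get new security descriptor (owner, group, DACL) of the
            # container just created, as SDDL
            ds_sd_flags = ( security.SECINFO_OWNER |
                            security.SECINFO_GROUP |
                            security.SECINFO_DACL )
            msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0]
            ds_sd_ndr = msg['nTSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Create a file system security descriptor by translating the
            # directory ACL into its file-system equivalent
            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
            sddl = dsacl2fsacl(ds_sd, domain_sid)
            fs_sd = security.descriptor.from_sddl(sddl, domain_sid)

            # Copy GPO directory
            create_directory_hier(conn, sharepath)

            # Set ACL; PROTECTED_DACL keeps the parent's DACL from being
            # inherited on top of the derived one
            sio = ( security.SECINFO_OWNER |
                    security.SECINFO_GROUP |
                    security.SECINFO_DACL |
                    security.SECINFO_PROTECTED_DACL )
            conn.set_acl(sharepath, fs_sd, sio)

            # Copy GPO files over SMB
            copy_directory_local_to_remote(conn, gpodir, sharepath)

            # Container attributes: display name, SYSVOL path, initial
            # version numbers and flags
            m = ldb.Message()
            m.dn = gpo_dn
            m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_REPLACE, "displayName")
            m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_REPLACE, "gPCFileSysPath")
            m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "versionNumber")
            m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_REPLACE, "gpcFunctionalityVersion")
            m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "flags")
            # Non-critical permissive-modify control
            controls = ["permissive_modify:0"]
            self.samdb.modify(m, controls=controls)
        except Exception:
            self.samdb.transaction_cancel()
            raise
        else:
            self.samdb.transaction_commit()

        self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))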
                      action='store',
                      dest='name',
                      help='The sAMAccountName of the object to manipulate')

    (opts, args) = parser.parse_args()

    # `opts` is an optparse Values object, so this is the same as `opts.name`.
    if opts.__dict__['name'] is None:
        parser.error('Parameter --sAMAccountName is required')

    lp = sambaopts.get_loadparm()
    creds = credopts.get_credentials(lp)
    realm = lp.get('realm')

    # No loadparm is passed to Net here, unlike most other call sites.
    net = Net(creds)
    # Find a writable, LDAP-capable DC for the realm; its PDC DNS name is
    # used for both the LDAP and the SAMR connection below.
    cldap_ret = net.finddc(domain=realm,
                           flags=(nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
                                  | nbt.NBT_SERVER_WRITABLE))
    host = cldap_ret.pdc_dns_name

    # NOTE(review): the local name `ldb` shadows the ldb module if this
    # script imports it -- presumably deliberate, but easy to trip over.
    ldb = samdb.SamDB(url='ldap://%s' % host,
                      lp=lp,
                      credentials=creds,
                      session_info=system_session())

    domain_sid = security.dom_sid(ldb.get_domain_sid())
    # "[seal]" asks for privacy (encryption) on the DCE/RPC binding.
    s = samr.samr("ncacn_ip_tcp:%s[seal]" % host, lp, creds)
    # MAXIMUM_ALLOWED requests whatever access the caller is granted rather
    # than a specific access mask.
    samr_handle = s.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
    samr_domain = s.OpenDomain(samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED,
                               domain_sid)

    try:
Ejemplo n.º 19
Archivo: gpo.py Proyecto: lausser/samba
    def run(self,
            displayname,
            H=None,
            tmpdir=None,
            sambaopts=None,
            credopts=None,
            versionopts=None):
        """Create a new GPO called `displayname` (Python 2 version).

        The listing ends after the local GPT skeleton has been staged; the
        SMB upload and the directory objects are handled later in the full
        method, which is not shown here.

        Args:
            displayname: Display name of the GPO to create.
            H: Optional ldap:// URL of the DC to use; otherwise a writable DC
               is discovered over CLDAP for the realm in smb.conf.
            tmpdir: Local staging directory; "/tmp" when None.
            sambaopts, credopts, versionopts: samba-tool option groups.

        Raises:
            CommandError: duplicate display name, missing temp directory,
                pre-existing staging directory, or file creation failure.
        """

        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        net = Net(creds=self.creds, lp=self.lp)

        # We need to know writable DC to setup SMB connection
        if H and H.startswith('ldap://'):
            # Host taken verbatim from the URL; the CLDAP reply is still
            # needed for the dns_domain used in the UNC path below.
            dc_hostname = H[7:]
            self.url = H
            flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
                     | nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(address=dc_hostname, flags=flags)
        else:
            flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
                     | nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags)
            dc_hostname = cldap_ret.pdc_dns_name
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        msg = get_gpo_info(self.samdb, displayname=displayname)
        if msg.count > 0:
            raise CommandError("A GPO already existing with name '%s'" %
                               displayname)

        # Create new GUID; the GPO is named by the upper-cased GUID in braces
        guid = str(uuid.uuid4())
        gpo = "{%s}" % guid.upper()
        realm = cldap_ret.dns_domain
        unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)

        # Create GPT
        if tmpdir is None:
            tmpdir = "/tmp"
        if not os.path.isdir(tmpdir):
            raise CommandError("Temporary directory '%s' does not exist" %
                               tmpdir)

        # NOTE(review): predictable staging path that, with the default
        # tmpdir, lives in a shared location; an existing "policy" directory
        # is reused without checking its owner or permissions.
        localdir = os.path.join(tmpdir, "policy")
        if not os.path.isdir(localdir):
            os.mkdir(localdir)

        gpodir = os.path.join(localdir, gpo)
        if os.path.isdir(gpodir):
            raise CommandError(
                "GPO directory '%s' already exists, refusing to overwrite" %
                gpodir)

        try:
            os.mkdir(gpodir)
            os.mkdir(os.path.join(gpodir, "Machine"))
            os.mkdir(os.path.join(gpodir, "User"))
            gpt_contents = "[General]\r\nVersion=0\r\n"
            # Python 2 `file` builtin; the handle is not closed explicitly,
            # so the write is flushed only when the object is collected.
            file(os.path.join(gpodir, "GPT.INI"), "w").write(gpt_contents)
        except Exception, e:
            raise CommandError("Error Creating GPO files", e)