def _set_smb_permissions(self, conn, duri, sddl): logging.debug('Setting CIFs permissions for %s' % duri) # Generate secuity descriptor from SDDL dom_sid = self.get_domain_sid() fsacl = dsacl2fsacl(sddl, dom_sid) fssd = security.descriptor.from_sddl(fsacl, dom_sid) # Set ACL sio = (security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_PROTECTED_DACL) conn.set_acl(duri, fssd, sio)
def run(self, H=None, sambaopts=None, credopts=None, versionopts=None): self.lp = sambaopts.get_loadparm() self.creds = credopts.get_credentials(self.lp, fallback_machine=True) self.url = dc_url(self.lp, self.creds, H) # We need to know writable DC to setup SMB connection if H and H.startswith('ldap://'): dc_hostname = H[7:] self.url = H else: dc_hostname = netcmd_finddc(self.lp, self.creds) self.url = dc_url(self.lp, self.creds, dc=dc_hostname) samdb_connect(self) msg = get_gpo_info(self.samdb, None) for m in msg: # verify UNC path unc = m['gPCFileSysPath'][0] try: [dom_name, service, sharepath] = parse_unc(unc) except ValueError: raise CommandError("Invalid GPO path (%s)" % unc) # SMB connect to DC try: conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds) except Exception: raise CommandError("Error connecting to '%s' using SMB" % dc_hostname) fs_sd = conn.get_acl( sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED) ds_sd_ndr = m['nTSecurityDescriptor'][0] ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl() # Create a file system security descriptor domain_sid = security.dom_sid(self.samdb.get_domain_sid()) expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid) if (fs_sd.as_sddl(domain_sid) != expected_fs_sddl): raise CommandError( "Invalid GPO ACL %s on path (%s), should be %s" % (fs_sd.as_sddl(domain_sid), sharepath, expected_fs_sddl))
def run(self, H=None, sambaopts=None, credopts=None, versionopts=None): self.lp = sambaopts.get_loadparm() self.creds = credopts.get_credentials(self.lp, fallback_machine=True) self.url = dc_url(self.lp, self.creds, H) # We need to know writable DC to setup SMB connection if H and H.startswith('ldap://'): dc_hostname = H[7:] self.url = H else: dc_hostname = netcmd_finddc(self.lp, self.creds) self.url = dc_url(self.lp, self.creds, dc=dc_hostname) samdb_connect(self) msg = get_gpo_info(self.samdb, None) for m in msg: # verify UNC path unc = m['gPCFileSysPath'][0] try: [dom_name, service, sharepath] = parse_unc(unc) except ValueError: raise CommandError("Invalid GPO path (%s)" % unc) # SMB connect to DC try: conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds) except Exception: raise CommandError("Error connecting to '%s' using SMB" % dc_hostname) fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED) ds_sd_ndr = m['nTSecurityDescriptor'][0] ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl() # Create a file system security descriptor domain_sid = security.dom_sid(self.samdb.get_domain_sid()) expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid) if (fs_sd.as_sddl(domain_sid) != expected_fs_sddl): raise CommandError("Invalid GPO ACL %s on path (%s), should be %s" % (fs_sd.as_sddl(domain_sid), sharepath, expected_fs_sddl))
m = ldb.Message() m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn)) m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass") self.samdb.add(m) # Get new security descriptor ds_sd_flags = (security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL) msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0] ds_sd_ndr = msg['nTSecurityDescriptor'][0] ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl() # Create a file system security descriptor domain_sid = security.dom_sid(self.samdb.get_domain_sid()) sddl = dsacl2fsacl(ds_sd, domain_sid) fs_sd = security.descriptor.from_sddl(sddl, domain_sid) # Copy GPO directory create_directory_hier(conn, sharepath) # Set ACL sio = (security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_PROTECTED_DACL) conn.set_acl(sharepath, fs_sd, sio) # Copy GPO files over SMB copy_directory_local_to_remote(conn, gpodir, sharepath) m = ldb.Message() m.dn = gpo_dn
m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn)) m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass") m['a02'] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_ADD, "showInAdvancedViewOnly") self.samdb.add(m) # Copy GPO files over SMB create_directory_hier(conn, sharepath) copy_directory_local_to_remote(conn, gpodir, sharepath) # Get new security descriptor msg = get_gpo_info(self.samdb, gpo=gpo)[0] ds_sd_ndr = msg['ntSecurityDescriptor'][0] ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl() # Create a file system security descriptor fs_sd = security.descriptor(dsacl2fsacl(ds_sd, self.samdb.get_domain_sid())) # Set ACL conn.set_acl(sharepath, fs_sd) except: self.samdb.transaction_cancel() raise else: self.samdb.transaction_commit() self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo)) class cmd_gpo(SuperCommand): """Group Policy Object (GPO) management"""
def run(self, displayname, H=None, tmpdir=None, sambaopts=None, credopts=None, versionopts=None): self.lp = sambaopts.get_loadparm() self.creds = credopts.get_credentials(self.lp, fallback_machine=True) net = Net(creds=self.creds, lp=self.lp) # We need to know writable DC to setup SMB connection if H and H.startswith('ldap://'): dc_hostname = H[7:] self.url = H flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE) cldap_ret = net.finddc(address=dc_hostname, flags=flags) else: flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE) cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags) dc_hostname = cldap_ret.pdc_dns_name self.url = dc_url(self.lp, self.creds, dc=dc_hostname) samdb_connect(self) msg = get_gpo_info(self.samdb, displayname=displayname) if msg.count > 0: raise CommandError("A GPO already existing with name '%s'" % displayname) # Create new GUID guid = str(uuid.uuid4()) gpo = "{%s}" % guid.upper() realm = cldap_ret.dns_domain unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo) # Create GPT if tmpdir is None: tmpdir = "/tmp" if not os.path.isdir(tmpdir): raise CommandError("Temporary directory '%s' does not exist" % tmpdir) localdir = os.path.join(tmpdir, "policy") if not os.path.isdir(localdir): os.mkdir(localdir) gpodir = os.path.join(localdir, gpo) if os.path.isdir(gpodir): raise CommandError("GPO directory '%s' already exists, refusing to overwrite" % gpodir) try: os.mkdir(gpodir) os.mkdir(os.path.join(gpodir, "Machine")) os.mkdir(os.path.join(gpodir, "User")) gpt_contents = "[General]\r\nVersion=0\r\n" open(os.path.join(gpodir, "GPT.INI"), "w").write(gpt_contents) except Exception as e: raise CommandError("Error Creating GPO files", e) # Connect to DC over SMB [dom_name, service, sharepath] = parse_unc(unc_path) try: conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds) except Exception as e: raise CommandError("Error connecting to '%s' using SMB" % dc_hostname, e) self.samdb.transaction_start() try: # Add cn=<guid> gpo_dn = get_gpo_dn(self.samdb, gpo) m = ldb.Message() m.dn = gpo_dn m['a01'] = ldb.MessageElement("groupPolicyContainer", ldb.FLAG_MOD_ADD, "objectClass") self.samdb.add(m) # Add cn=User,cn=<guid> m = ldb.Message() m.dn = ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)) m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass") self.samdb.add(m) # Add cn=Machine,cn=<guid> m = ldb.Message() m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn)) m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass") self.samdb.add(m) # Get new security descriptor ds_sd_flags = ( security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL ) msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0] ds_sd_ndr = msg['nTSecurityDescriptor'][0] ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl() # Create a file system security descriptor domain_sid = security.dom_sid(self.samdb.get_domain_sid()) sddl = dsacl2fsacl(ds_sd, domain_sid) fs_sd = security.descriptor.from_sddl(sddl, domain_sid) # Copy GPO directory create_directory_hier(conn, sharepath) # Set ACL sio = ( security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_PROTECTED_DACL ) conn.set_acl(sharepath, fs_sd, sio) # Copy GPO files over SMB copy_directory_local_to_remote(conn, gpodir, sharepath) m = ldb.Message() m.dn = gpo_dn m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_REPLACE, "displayName") m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_REPLACE, "gPCFileSysPath") m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "versionNumber") m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_REPLACE, "gpcFunctionalityVersion") m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "flags") controls=["permissive_modify:0"] self.samdb.modify(m, controls=controls) except Exception: self.samdb.transaction_cancel() raise else: self.samdb.transaction_commit() self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))
m = ldb.Message() m.dn = ldb.Dn(self.samdb, "CN=Machine,{0!s}".format(str(gpo_dn))) m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass") self.samdb.add(m) # Get new security descriptor ds_sd_flags = ( security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL ) msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0] ds_sd_ndr = msg['nTSecurityDescriptor'][0] ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl() # Create a file system security descriptor domain_sid = security.dom_sid(self.samdb.get_domain_sid()) sddl = dsacl2fsacl(ds_sd, domain_sid) fs_sd = security.descriptor.from_sddl(sddl, domain_sid) # Copy GPO directory create_directory_hier(conn, sharepath) # Set ACL sio = ( security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_PROTECTED_DACL ) conn.set_acl(sharepath, fs_sd, sio) # Copy GPO files over SMB copy_directory_local_to_remote(conn, gpodir, sharepath)
def run(self, displayname, H=None, tmpdir=None, sambaopts=None, credopts=None, versionopts=None): self.lp = sambaopts.get_loadparm() self.creds = credopts.get_credentials(self.lp, fallback_machine=True) net = Net(creds=self.creds, lp=self.lp) # We need to know writable DC to setup SMB connection if H and H.startswith('ldap://'): dc_hostname = H[7:] self.url = H flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE) cldap_ret = net.finddc(address=dc_hostname, flags=flags) else: flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE) cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags) dc_hostname = cldap_ret.pdc_dns_name self.url = dc_url(self.lp, self.creds, dc=dc_hostname) samdb_connect(self) msg = get_gpo_info(self.samdb, displayname=displayname) if msg.count > 0: raise CommandError("A GPO already existing with name '%s'" % displayname) # Create new GUID guid = str(uuid.uuid4()) gpo = "{%s}" % guid.upper() realm = cldap_ret.dns_domain unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo) # Create GPT if tmpdir is None: tmpdir = "/tmp" if not os.path.isdir(tmpdir): raise CommandError("Temporary directory '%s' does not exist" % tmpdir) localdir = os.path.join(tmpdir, "policy") if not os.path.isdir(localdir): os.mkdir(localdir) gpodir = os.path.join(localdir, gpo) if os.path.isdir(gpodir): raise CommandError( "GPO directory '%s' already exists, refusing to overwrite" % gpodir) try: os.mkdir(gpodir) os.mkdir(os.path.join(gpodir, "Machine")) os.mkdir(os.path.join(gpodir, "User")) gpt_contents = "[General]\r\nVersion=0\r\n" open(os.path.join(gpodir, "GPT.INI"), "w").write(gpt_contents) except Exception as e: raise CommandError("Error Creating GPO files", e) # Connect to DC over SMB [dom_name, service, sharepath] = parse_unc(unc_path) try: conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds) except Exception as e: raise CommandError( "Error connecting to '%s' using SMB" % dc_hostname, e) self.samdb.transaction_start() try: # Add cn=<guid> gpo_dn = get_gpo_dn(self.samdb, gpo) m = ldb.Message() m.dn = gpo_dn m['a01'] = ldb.MessageElement("groupPolicyContainer", ldb.FLAG_MOD_ADD, "objectClass") self.samdb.add(m) # Add cn=User,cn=<guid> m = ldb.Message() m.dn = ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)) m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass") self.samdb.add(m) # Add cn=Machine,cn=<guid> m = ldb.Message() m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn)) m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass") self.samdb.add(m) # Get new security descriptor ds_sd_flags = (security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL) msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0] ds_sd_ndr = msg['nTSecurityDescriptor'][0] ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl() # Create a file system security descriptor domain_sid = security.dom_sid(self.samdb.get_domain_sid()) sddl = dsacl2fsacl(ds_sd, domain_sid) fs_sd = security.descriptor.from_sddl(sddl, domain_sid) # Copy GPO directory create_directory_hier(conn, sharepath) # Set ACL sio = (security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_PROTECTED_DACL) conn.set_acl(sharepath, fs_sd, sio) # Copy GPO files over SMB copy_directory_local_to_remote(conn, gpodir, sharepath) m = ldb.Message() m.dn = gpo_dn m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_REPLACE, "displayName") m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_REPLACE, "gPCFileSysPath") m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "versionNumber") m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_REPLACE, "gpcFunctionalityVersion") m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "flags") controls = ["permissive_modify:0"] self.samdb.modify(m, controls=controls) except Exception: self.samdb.transaction_cancel() raise else: self.samdb.transaction_commit() self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))
m['a02'] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_ADD, "showInAdvancedViewOnly") self.samdb.add(m) # Copy GPO files over SMB create_directory_hier(conn, sharepath) copy_directory_local_to_remote(conn, gpodir, sharepath) # Get new security descriptor msg = get_gpo_info(self.samdb, gpo=gpo)[0] ds_sd_ndr = msg['ntSecurityDescriptor'][0] ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl() # Create a file system security descriptor fs_sd = security.descriptor( dsacl2fsacl(ds_sd, self.samdb.get_domain_sid())) # Set ACL conn.set_acl(sharepath, fs_sd) self.samdb.transaction_commit() except Exception, e: self.samdb.transaction_cancel() raise RuntimeError("Error adding GPO to AD", e) self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo)) class cmd_gpo(SuperCommand): """Group Policy Object (GPO) management"""