Example #1
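 def _set_smb_permissions(self, conn, duri, sddl):
     """Apply a directory-service SDDL string to an SMB path.

     The DS-style SDDL is converted to its file-system equivalent with
     dsacl2fsacl(), parsed into a security descriptor, and written to
     *duri* over *conn*. Both conversion steps are given the domain SID
     so domain-relative SDDL aliases can be resolved.

     Args:
         conn: open SMB connection providing set_acl().
         duri: path on the share whose ACL is replaced.
         sddl: DS SDDL string describing the desired ACL.
     """
     # Lazy %-args: the message is only formatted if DEBUG is enabled.
     logging.debug('Setting CIFs permissions for %s', duri)
     dom_sid = self.get_domain_sid()
     # Generate the file-system security descriptor from the DS SDDL.
     fsacl = dsacl2fsacl(sddl, dom_sid)
     fssd = security.descriptor.from_sddl(fsacl, dom_sid)
     # Owner, group and DACL are all replaced; PROTECTED_DACL marks the
     # DACL as protected from inheritance, so the parent's inheritable
     # ACEs are not merged back in.
     sio = (security.SECINFO_OWNER | security.SECINFO_GROUP
            | security.SECINFO_DACL | security.SECINFO_PROTECTED_DACL)
     conn.set_acl(duri, fssd, sio)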
Example #2
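 def _set_smb_permissions(self, conn, duri, sddl):
     """Write a DS-style SDDL onto the SMB path *duri*.

     dsacl2fsacl() rewrites the SDDL into its file-system form, which is
     then parsed into a security descriptor and pushed over *conn*. The
     domain SID is passed to both steps so SDDL domain-relative aliases
     can be resolved.

     Args:
         conn: connected SMB client providing set_acl().
         duri: path on the share to update.
         sddl: directory-service SDDL string to apply.
     """
     # Defer formatting to the logging module (lazy %-args).
     logging.debug('Setting CIFs permissions for %s', duri)
     domain_sid = self.get_domain_sid()
     fs_sddl = dsacl2fsacl(sddl, domain_sid)
     fs_descriptor = security.descriptor.from_sddl(fs_sddl, domain_sid)
     # Replace owner, group and DACL, and flag the DACL as protected so
     # inheritable ACEs from the parent directory are not merged in.
     sec_info = (security.SECINFO_OWNER |
                 security.SECINFO_GROUP |
                 security.SECINFO_DACL |
                 security.SECINFO_PROTECTED_DACL)
     conn.set_acl(duri, fs_descriptor, sec_info)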
Example #3
File: gpo.py Project: lausser/samba
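    def run(self, H=None, sambaopts=None, credopts=None, versionopts=None):
        """Check that each GPO's SYSVOL ACL matches its AD security descriptor.

        For every GPO returned by get_gpo_info() the nTSecurityDescriptor
        is translated to the expected file-system SDDL with dsacl2fsacl()
        and compared with the ACL actually read from the share over SMB.

        Args:
            H: optional LDAP URL of the DC; an 'ldap://' URL also selects
                the host used for the SMB connection.
            sambaopts, credopts, versionopts: standard netcmd option groups.

        Raises:
            CommandError: on a malformed gPCFileSysPath, an SMB connection
                failure, or the first GPO whose file-system ACL differs
                from the expected one.
        """
        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        # We need to know a writable DC to set up the SMB connection, so
        # self.url is derived from that choice in both branches below
        # (an up-front dc_url(..., H) call would only be overwritten).
        if H and H.startswith('ldap://'):
            dc_hostname = H[len('ldap://'):]
            self.url = H
        else:
            dc_hostname = netcmd_finddc(self.lp, self.creds)
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        # Loop invariants: the domain SID and the SECINFO mask are the
        # same for every GPO.
        domain_sid = security.dom_sid(self.samdb.get_domain_sid())
        fs_sec_info = (security.SECINFO_OWNER | security.SECINFO_GROUP
                       | security.SECINFO_DACL)

        for m in get_gpo_info(self.samdb, None):
            # verify UNC path
            unc = m['gPCFileSysPath'][0]
            try:
                _dom_name, service, sharepath = parse_unc(unc)
            except ValueError:
                raise CommandError("Invalid GPO path (%s)" % unc)

            # SMB connect to DC; keep the cause, as the create command does.
            try:
                conn = smb.SMB(dc_hostname,
                               service,
                               lp=self.lp,
                               creds=self.creds)
            except Exception as e:
                raise CommandError("Error connecting to '%s' using SMB" %
                                   dc_hostname, e)

            fs_sd = conn.get_acl(sharepath, fs_sec_info,
                                 security.SEC_FLAG_MAXIMUM_ALLOWED)

            ds_sd_ndr = m['nTSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Expected file-system ACL derived from the DS descriptor,
            # and the one actually present on the share.
            expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
            actual_fs_sddl = fs_sd.as_sddl(domain_sid)

            if actual_fs_sddl != expected_fs_sddl:
                raise CommandError(
                    "Invalid GPO ACL %s on path (%s), should be %s" %
                    (actual_fs_sddl, sharepath, expected_fs_sddl))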
Example #4
File: gpo.py Project: sYnfo/samba
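    def run(self, H=None, sambaopts=None, credopts=None, versionopts=None):
        """Verify the SYSVOL ACL of every GPO against its AD descriptor.

        Each GPO's nTSecurityDescriptor is unpacked, converted with
        dsacl2fsacl() into the SDDL expected on the file system, and
        compared with the ACL read from the share over SMB. The first
        mismatch aborts the command.

        Args:
            H: optional LDAP URL; an 'ldap://' URL also names the DC used
                for SMB.
            sambaopts, credopts, versionopts: standard netcmd option groups.

        Raises:
            CommandError: malformed gPCFileSysPath, SMB connection failure,
                or an ACL that does not match the expected SDDL.
        """
        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        # A concrete writable DC hostname is required for the SMB
        # connection; self.url follows from it in either branch, so it is
        # not computed separately beforehand.
        if H and H.startswith('ldap://'):
            dc_hostname = H[len('ldap://'):]
            self.url = H
        else:
            dc_hostname = netcmd_finddc(self.lp, self.creds)
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        # Hoisted out of the loop: neither value depends on the GPO.
        sid = security.dom_sid(self.samdb.get_domain_sid())
        sec_info = security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL

        for gpo_entry in get_gpo_info(self.samdb, None):
            # verify UNC path
            unc = gpo_entry['gPCFileSysPath'][0]
            try:
                _, service, sharepath = parse_unc(unc)
            except ValueError:
                raise CommandError("Invalid GPO path (%s)" % unc)

            # SMB connect to DC, passing the original error on as the cause.
            try:
                conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
            except Exception as e:
                raise CommandError("Error connecting to '%s' using SMB" % dc_hostname, e)

            fs_sd = conn.get_acl(sharepath, sec_info, security.SEC_FLAG_MAXIMUM_ALLOWED)
            actual = fs_sd.as_sddl(sid)

            ds_sddl = ndr_unpack(security.descriptor, gpo_entry['nTSecurityDescriptor'][0]).as_sddl()

            # The file-system SDDL the share should carry for this GPO.
            expected = dsacl2fsacl(ds_sddl, sid)

            if actual != expected:
                raise CommandError("Invalid GPO ACL %s on path (%s), should be %s" % (actual, sharepath, expected))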
Example #5
File: gpo.py Project: lausser/samba
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD,
                                          "objectClass")
            self.samdb.add(m)

            # Get new security descriptor
            ds_sd_flags = (security.SECINFO_OWNER | security.SECINFO_GROUP
                           | security.SECINFO_DACL)
            msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0]
            ds_sd_ndr = msg['nTSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Create a file system security descriptor
            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
            sddl = dsacl2fsacl(ds_sd, domain_sid)
            fs_sd = security.descriptor.from_sddl(sddl, domain_sid)

            # Copy GPO directory
            create_directory_hier(conn, sharepath)

            # Set ACL
            sio = (security.SECINFO_OWNER | security.SECINFO_GROUP
                   | security.SECINFO_DACL | security.SECINFO_PROTECTED_DACL)
            conn.set_acl(sharepath, fs_sd, sio)

            # Copy GPO files over SMB
            copy_directory_local_to_remote(conn, gpodir, sharepath)

            m = ldb.Message()
            m.dn = gpo_dn
Example #6
            m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
            m['a02'] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_ADD, "showInAdvancedViewOnly")
            self.samdb.add(m)

            # Copy GPO files over SMB
            create_directory_hier(conn, sharepath)
            copy_directory_local_to_remote(conn, gpodir, sharepath)

            # Get new security descriptor
            msg = get_gpo_info(self.samdb, gpo=gpo)[0]
            ds_sd_ndr = msg['ntSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Create a file system security descriptor
            fs_sd = security.descriptor(dsacl2fsacl(ds_sd, self.samdb.get_domain_sid()))

            # Set ACL
            conn.set_acl(sharepath, fs_sd)
        except:
            self.samdb.transaction_cancel()
            raise
        else:
            self.samdb.transaction_commit()

        self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))


class cmd_gpo(SuperCommand):
    """Group Policy Object (GPO) management"""
Example #7
File: gpo.py Project: sYnfo/samba
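    def run(self, displayname, H=None, tmpdir=None, sambaopts=None, credopts=None,
            versionopts=None):
        """Create a new, empty GPO named *displayname* in AD and on SYSVOL.

        In order: locate a writable DC, check the name is unused, allocate
        a GUID, build the GPT skeleton locally under *tmpdir*, then within
        one samdb transaction add the GPO container objects, create and
        ACL the SYSVOL directory over SMB, copy the skeleton into it and
        fill in the container attributes.

        Args:
            displayname: human-readable GPO name; must not already exist.
            H: optional LDAP URL; an 'ldap://' URL also selects the DC used
                for the SMB connection.
            tmpdir: parent of the local 'policy' staging directory;
                defaults to /tmp.
            sambaopts, credopts, versionopts: standard netcmd option groups.

        Raises:
            CommandError: name already in use, staging-directory problems,
                or SMB connection failure. Any error inside the samdb
                transaction is re-raised after the transaction is cancelled.
        """
        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        net = Net(creds=self.creds, lp=self.lp)

        # We need to know writable DC to setup SMB connection; the CLDAP
        # flags are the same whether we ask a named host or the realm.
        flags = (nbt.NBT_SERVER_LDAP |
                 nbt.NBT_SERVER_DS |
                 nbt.NBT_SERVER_WRITABLE)
        if H and H.startswith('ldap://'):
            dc_hostname = H[len('ldap://'):]
            self.url = H
            cldap_ret = net.finddc(address=dc_hostname, flags=flags)
        else:
            cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags)
            dc_hostname = cldap_ret.pdc_dns_name
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        msg = get_gpo_info(self.samdb, displayname=displayname)
        if msg.count > 0:
            raise CommandError("A GPO already existing with name '%s'" % displayname)

        # Create new GUID
        guid = str(uuid.uuid4())
        gpo = "{%s}" % guid.upper()
        realm = cldap_ret.dns_domain
        unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)

        # Create GPT
        # NOTE(review): the default staging parent is a shared directory,
        # an existing 'policy' subdirectory is reused as found, and the
        # staging tree is not removed after the upload.
        if tmpdir is None:
            tmpdir = "/tmp"
        if not os.path.isdir(tmpdir):
            raise CommandError("Temporary directory '%s' does not exist" % tmpdir)

        localdir = os.path.join(tmpdir, "policy")
        if not os.path.isdir(localdir):
            os.mkdir(localdir)

        gpodir = os.path.join(localdir, gpo)
        if os.path.isdir(gpodir):
            raise CommandError("GPO directory '%s' already exists, refusing to overwrite" % gpodir)

        try:
            os.mkdir(gpodir)
            os.mkdir(os.path.join(gpodir, "Machine"))
            os.mkdir(os.path.join(gpodir, "User"))
            gpt_contents = "[General]\r\nVersion=0\r\n"
            # Close (and flush) GPT.INI deterministically before it is
            # copied to the share, instead of relying on the file object
            # being collected.
            with open(os.path.join(gpodir, "GPT.INI"), "w") as gpt_ini:
                gpt_ini.write(gpt_contents)
        except Exception as e:
            raise CommandError("Error Creating GPO files", e)

        # Connect to DC over SMB
        [dom_name, service, sharepath] = parse_unc(unc_path)
        try:
            conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
        except Exception as e:
            raise CommandError("Error connecting to '%s' using SMB" % dc_hostname, e)

        # One samdb transaction covers the AD side; the SMB writes below
        # are not transactional, so a rollback leaves SYSVOL untouched by
        # the cancel and any directory already created on the share stays.
        self.samdb.transaction_start()
        try:
            # Add cn=<guid>
            gpo_dn = get_gpo_dn(self.samdb, gpo)

            m = ldb.Message()
            m.dn = gpo_dn
            m['a01'] = ldb.MessageElement("groupPolicyContainer", ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Add cn=User,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Add cn=Machine,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Get new security descriptor: read back the descriptor the
            # directory assigned to the freshly added container.
            ds_sd_flags = ( security.SECINFO_OWNER |
                            security.SECINFO_GROUP |
                            security.SECINFO_DACL )
            msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0]
            ds_sd_ndr = msg['nTSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Create a file system security descriptor
            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
            sddl = dsacl2fsacl(ds_sd, domain_sid)
            fs_sd = security.descriptor.from_sddl(sddl, domain_sid)

            # Copy GPO directory
            create_directory_hier(conn, sharepath)

            # Set ACL on the directory before any files are copied into it;
            # PROTECTED_DACL marks the DACL as protected from inheritance.
            sio = ( security.SECINFO_OWNER |
                    security.SECINFO_GROUP |
                    security.SECINFO_DACL |
                    security.SECINFO_PROTECTED_DACL )
            conn.set_acl(sharepath, fs_sd, sio)

            # Copy GPO files over SMB
            copy_directory_local_to_remote(conn, gpodir, sharepath)

            m = ldb.Message()
            m.dn = gpo_dn
            m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_REPLACE, "displayName")
            m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_REPLACE, "gPCFileSysPath")
            m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "versionNumber")
            m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_REPLACE, "gpcFunctionalityVersion")
            m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "flags")
            controls = ["permissive_modify:0"]
            self.samdb.modify(m, controls=controls)
        except Exception:
            self.samdb.transaction_cancel()
            raise
        else:
            self.samdb.transaction_commit()

        self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))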
Example #8
File: gpo.py Project: runt18/samba
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=Machine,{0!s}".format(str(gpo_dn)))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Get new security descriptor
            ds_sd_flags = ( security.SECINFO_OWNER |
                            security.SECINFO_GROUP |
                            security.SECINFO_DACL )
            msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0]
            ds_sd_ndr = msg['nTSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Create a file system security descriptor
            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
            sddl = dsacl2fsacl(ds_sd, domain_sid)
            fs_sd = security.descriptor.from_sddl(sddl, domain_sid)

            # Copy GPO directory
            create_directory_hier(conn, sharepath)

            # Set ACL
            sio = ( security.SECINFO_OWNER |
                    security.SECINFO_GROUP |
                    security.SECINFO_DACL |
                    security.SECINFO_PROTECTED_DACL )
            conn.set_acl(sharepath, fs_sd, sio)

            # Copy GPO files over SMB
            copy_directory_local_to_remote(conn, gpodir, sharepath)
Example #9
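    def run(self,
            displayname,
            H=None,
            tmpdir=None,
            sambaopts=None,
            credopts=None,
            versionopts=None):
        """Create an empty GPO called *displayname* in AD and on SYSVOL.

        The command finds a writable DC, refuses duplicate names, allocates
        a GUID, stages the GPT skeleton under *tmpdir*, and then, inside a
        single samdb transaction, adds the container objects, creates and
        ACLs the SYSVOL directory over SMB, uploads the skeleton and sets
        the container attributes.

        Args:
            displayname: human-readable GPO name; must be unused.
            H: optional LDAP URL; an 'ldap://' URL also picks the SMB host.
            tmpdir: parent of the local 'policy' staging directory
                (default /tmp).
            sambaopts, credopts, versionopts: standard netcmd option groups.

        Raises:
            CommandError: duplicate name, staging-directory problems or SMB
                connection failure. Errors inside the transaction are
                re-raised after transaction_cancel().
        """
        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        net = Net(creds=self.creds, lp=self.lp)

        # We need to know writable DC to setup SMB connection. The same
        # CLDAP flags apply whether a host or the realm is queried.
        dc_flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
                    | nbt.NBT_SERVER_WRITABLE)
        if H and H.startswith('ldap://'):
            dc_hostname = H[len('ldap://'):]
            self.url = H
            cldap_ret = net.finddc(address=dc_hostname, flags=dc_flags)
        else:
            cldap_ret = net.finddc(domain=self.lp.get('realm'),
                                   flags=dc_flags)
            dc_hostname = cldap_ret.pdc_dns_name
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        existing = get_gpo_info(self.samdb, displayname=displayname)
        if existing.count > 0:
            raise CommandError("A GPO already existing with name '%s'" %
                               displayname)

        # Create new GUID
        guid = str(uuid.uuid4())
        gpo = "{%s}" % guid.upper()
        realm = cldap_ret.dns_domain
        unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)

        # Create GPT
        # NOTE(review): /tmp is a shared directory, a pre-existing 'policy'
        # subdirectory is reused as found, and the staging tree is left
        # behind after the upload.
        if tmpdir is None:
            tmpdir = "/tmp"
        if not os.path.isdir(tmpdir):
            raise CommandError("Temporary directory '%s' does not exist" %
                               tmpdir)

        localdir = os.path.join(tmpdir, "policy")
        if not os.path.isdir(localdir):
            os.mkdir(localdir)

        gpodir = os.path.join(localdir, gpo)
        if os.path.isdir(gpodir):
            raise CommandError(
                "GPO directory '%s' already exists, refusing to overwrite" %
                gpodir)

        try:
            os.mkdir(gpodir)
            os.mkdir(os.path.join(gpodir, "Machine"))
            os.mkdir(os.path.join(gpodir, "User"))
            gpt_contents = "[General]\r\nVersion=0\r\n"
            # The context manager closes and flushes GPT.INI before the
            # SMB copy reads it, rather than leaving that to finalisation.
            with open(os.path.join(gpodir, "GPT.INI"), "w") as gpt_ini:
                gpt_ini.write(gpt_contents)
        except Exception as e:
            raise CommandError("Error Creating GPO files", e)

        # Connect to DC over SMB
        [dom_name, service, sharepath] = parse_unc(unc_path)
        try:
            conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
        except Exception as e:
            raise CommandError(
                "Error connecting to '%s' using SMB" % dc_hostname, e)

        # The transaction only covers the AD writes; the SMB operations
        # inside it are not rolled back by transaction_cancel().
        self.samdb.transaction_start()
        try:
            # Add cn=<guid>
            gpo_dn = get_gpo_dn(self.samdb, gpo)

            m = ldb.Message()
            m.dn = gpo_dn
            m['a01'] = ldb.MessageElement("groupPolicyContainer",
                                          ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Add cn=User,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD,
                                          "objectClass")
            self.samdb.add(m)

            # Add cn=Machine,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD,
                                          "objectClass")
            self.samdb.add(m)

            # Get new security descriptor, i.e. the one the directory gave
            # the container we just added.
            ds_sd_flags = (security.SECINFO_OWNER | security.SECINFO_GROUP
                           | security.SECINFO_DACL)
            msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0]
            ds_sd_ndr = msg['nTSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Create a file system security descriptor
            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
            sddl = dsacl2fsacl(ds_sd, domain_sid)
            fs_sd = security.descriptor.from_sddl(sddl, domain_sid)

            # Copy GPO directory
            create_directory_hier(conn, sharepath)

            # Set ACL before the files are uploaded; PROTECTED_DACL marks
            # the DACL as protected from inheritance.
            sio = (security.SECINFO_OWNER | security.SECINFO_GROUP
                   | security.SECINFO_DACL | security.SECINFO_PROTECTED_DACL)
            conn.set_acl(sharepath, fs_sd, sio)

            # Copy GPO files over SMB
            copy_directory_local_to_remote(conn, gpodir, sharepath)

            m = ldb.Message()
            m.dn = gpo_dn
            m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_REPLACE,
                                          "displayName")
            m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_REPLACE,
                                          "gPCFileSysPath")
            m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE,
                                          "versionNumber")
            m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_REPLACE,
                                          "gpcFunctionalityVersion")
            m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "flags")
            controls = ["permissive_modify:0"]
            self.samdb.modify(m, controls=controls)
        except Exception:
            self.samdb.transaction_cancel()
            raise
        else:
            self.samdb.transaction_commit()

        self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))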
Example #10
            m['a02'] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_ADD,
                                          "showInAdvancedViewOnly")
            self.samdb.add(m)

            # Copy GPO files over SMB
            create_directory_hier(conn, sharepath)
            copy_directory_local_to_remote(conn, gpodir, sharepath)

            # Get new security descriptor
            msg = get_gpo_info(self.samdb, gpo=gpo)[0]
            ds_sd_ndr = msg['ntSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Create a file system security descriptor
            fs_sd = security.descriptor(
                dsacl2fsacl(ds_sd, self.samdb.get_domain_sid()))

            # Set ACL
            conn.set_acl(sharepath, fs_sd)

            self.samdb.transaction_commit()
        except Exception, e:
            self.samdb.transaction_cancel()
            raise RuntimeError("Error adding GPO to AD", e)

        self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))


class cmd_gpo(SuperCommand):
    """Group Policy Object (GPO) management"""