def changedom_sids(file):
if verbose:
self.outf.write("file: %s\n" % file)
try:
acl = getntacl(lp,
file,
system_session_unix(),
xattr_backend,
eadb_file,
direct_db_access=use_ntvfs,
service=service)
except Exception as e:
raise CommandError("Could not get acl for %s: %s" % (file, e))
orig_sddl = acl.as_sddl(domain_sid)
if verbose:
self.outf.write("before:\n%s\n" % orig_sddl)
def replace_domain_sid(sid):
(dom, rid) = sid.split()
if dom == old_domain_sid:
return security.dom_sid("%s-%i" % (new_domain_sid, rid))
return sid
acl.owner_sid = replace_domain_sid(acl.owner_sid)
acl.group_sid = replace_domain_sid(acl.group_sid)
if acl.sacl:
for ace in acl.sacl.aces:
ace.trustee = replace_domain_sid(ace.trustee)
if acl.dacl:
for ace in acl.dacl.aces:
ace.trustee = replace_domain_sid(ace.trustee)
new_sddl = acl.as_sddl(domain_sid)
if verbose:
self.outf.write("after:\n%s\n" % new_sddl)
if orig_sddl == new_sddl:
if verbose:
self.outf.write("nothing to do\n")
return True
try:
setntacl(lp,
file,
acl,
new_domain_sid,
system_session_unix(),
xattr_backend,
eadb_file,
use_ntvfs=use_ntvfs,
service=service)
except Exception as e:
raise CommandError("Could not set acl for %s: %s" % (file, e))
def run(self,
file,
use_ntvfs=False,
use_s3fs=False,
as_sddl=False,
xattr_backend=None,
eadb_file=None,
credopts=None,
sambaopts=None,
versionopts=None,
service=None):
lp = sambaopts.get_loadparm()
domain_sid = get_local_domain_sid(lp)
if not use_ntvfs and not use_s3fs:
use_ntvfs = "smb" in lp.get("server services")
elif use_s3fs:
use_ntvfs = False
acl = getntacl(lp,
file,
system_session_unix(),
xattr_backend,
eadb_file,
direct_db_access=use_ntvfs,
service=service)
if as_sddl:
self.outf.write(acl.as_sddl(domain_sid) + "\n")
else:
self.outf.write(ndr_print(acl))
def run(self,
acl,
file,
use_ntvfs=False,
use_s3fs=False,
quiet=False,
xattr_backend=None,
eadb_file=None,
credopts=None,
sambaopts=None,
versionopts=None,
service=None):
logger = self.get_logger()
lp = sambaopts.get_loadparm()
domain_sid = get_local_domain_sid(lp)
if not use_ntvfs and not use_s3fs:
use_ntvfs = "smb" in lp.get("server services")
elif use_s3fs:
use_ntvfs = False
setntacl(lp,
file,
acl,
str(domain_sid),
system_session_unix(),
xattr_backend,
eadb_file,
use_ntvfs=use_ntvfs,
service=service)
if use_ntvfs:
logger.warning(
"Please note that POSIX permissions have NOT been changed, only the stored NT ACL"
)
def test_smbd_create_file(self):
"""
A smoke test for smbd.create_file and smbd.unlink API
"""
filepath = os.path.join(self.service_root, 'a-file')
smbd.create_file(filepath, system_session_unix(), self.service)
self.assertTrue(os.path.isfile(filepath))
mode = os.stat(filepath).st_mode
# This works in conjunction with the TEST_UMASK in smbd_base
# to ensure that permissions are not related to the umask
# but instead the smb.conf settings
self.assertEqual(mode & 0o777, 0o644)
# As well as checking that unlink works, this removes the
# fake xattrs from the dev/inode based DB
smbd.unlink(filepath, system_session_unix(), self.service)
self.assertFalse(os.path.isfile(filepath))
def backup_offline(src_service_path, dest_tarfile_path, samdb_conn,
smb_conf_path):
"""
Backup files and ntacls to a tarfile for a service
"""
service = src_service_path.rstrip('/').rsplit('/', 1)[-1]
tempdir = tempfile.mkdtemp()
session_info = system_session_unix()
dom_sid_str = samdb_conn.get_domain_sid()
dom_sid = security.dom_sid(dom_sid_str)
ntacls_helper = NtaclsHelper(service, smb_conf_path, dom_sid)
for dirpath, dirnames, filenames in os.walk(src_service_path):
# each dir only cares about its direct children
rel_dirpath = os.path.relpath(dirpath, start=src_service_path)
dst_dirpath = os.path.join(tempdir, rel_dirpath)
# create sub dirs and NTACL file
for dirname in dirnames:
src = os.path.join(dirpath, dirname)
dst = os.path.join(dst_dirpath, dirname)
# mkdir with metadata
smbd.mkdir(dst, session_info, service)
ntacl_sddl_str = ntacls_helper.getntacl(src,
session_info,
as_sddl=True)
_create_ntacl_file(dst, ntacl_sddl_str)
# create files and NTACL file, then copy data
for filename in filenames:
src = os.path.join(dirpath, filename)
dst = os.path.join(dst_dirpath, filename)
# create an empty file with metadata
smbd.create_file(dst, session_info, service)
ntacl_sddl_str = ntacls_helper.getntacl(src,
session_info,
as_sddl=True)
_create_ntacl_file(dst, ntacl_sddl_str)
# now put data in
with open(src, 'rb') as src_file:
data = src_file.read()
with open(dst, 'wb') as dst_file:
dst_file.write(data)
# add all files in tempdir to tarfile without a top folder
with tarfile.open(name=dest_tarfile_path, mode='w:gz') as tar:
for name in os.listdir(tempdir):
path = os.path.join(tempdir, name)
tar.add(path, arcname=name)
shutil.rmtree(tempdir)
def test_compare_getntacl(self):
"""
Ntacls get from different ways should be the same
"""
file_name = 'file0.txt'
file_path = os.path.join(self.service_root, file_name)
sd0 = self.smb_helper.get_acl(file_name, as_sddl=True)
sd1 = self.ntacls_helper.getntacl(file_path,
system_session_unix(),
as_sddl=True,
direct_db_access=False)
sd2 = self.ntacls_helper.getntacl(file_path,
system_session_unix(),
as_sddl=True,
direct_db_access=True)
self.assertEqual(sd0, sd1)
self.assertEqual(sd1, sd2)
def test_smbd_mkdir(self):
"""
A smoke test for smbd.mkdir API
"""
dirpath = os.path.join(self.service_root, 'a-dir')
smbd.mkdir(dirpath, system_session_unix(), self.service)
mode = os.stat(dirpath).st_mode
# This works in conjunction with the TEST_UMASK in smbd_base
# to ensure that permissions are not related to the umask
# but instead the smb.conf settings
self.assertEqual(mode & 0o777, 0o755)
self.assertTrue(os.path.isdir(dirpath))
def get_session_info(self, domsid=DOM_SID):
"""
Get session_info for setntacl.
"""
return system_session_unix()
def setUp(self):
super(NtaclsTests, self).setUp()
self.tempf = os.path.join(self.tempdir, "test")
open(self.tempf, 'w').write("empty")
self.session_info = system_session_unix()
def backup_restore(src_tarfile_path, dst_service_path, samdb_conn,
smb_conf_path):
"""
Restore files and ntacls from a tarfile to a service
"""
logger = get_samba_logger()
service = dst_service_path.rstrip('/').rsplit('/', 1)[-1]
tempdir = tempfile.mkdtemp() # src files
dom_sid_str = samdb_conn.get_domain_sid()
dom_sid = security.dom_sid(dom_sid_str)
ntacls_helper = NtaclsHelper(service, smb_conf_path, dom_sid)
session_info = system_session_unix()
with tarfile.open(src_tarfile_path) as f:
f.extractall(path=tempdir)
# e.g.: /tmp/tmpRNystY/{dir1,dir1.NTACL,...file1,file1.NTACL}
for dirpath, dirnames, filenames in os.walk(tempdir):
rel_dirpath = os.path.relpath(dirpath, start=tempdir)
dst_dirpath = os.path.normpath(
os.path.join(dst_service_path, rel_dirpath))
for dirname in dirnames:
if not dirname.endswith('.NTACL'):
src = os.path.join(dirpath, dirname)
dst = os.path.join(dst_dirpath, dirname)
if not os.path.isdir(dst):
# dst must be absolute path for smbd API
smbd.mkdir(dst, session_info, service)
ntacl_sddl_str = _read_ntacl_file(src)
if ntacl_sddl_str:
ntacls_helper.setntacl(dst, ntacl_sddl_str, session_info)
else:
logger.warning(
'Failed to restore ntacl for directory %s.' % dst +
' Please check the permissions are correct')
for filename in filenames:
if not filename.endswith('.NTACL'):
src = os.path.join(dirpath, filename)
dst = os.path.join(dst_dirpath, filename)
if not os.path.isfile(dst):
# dst must be absolute path for smbd API
smbd.create_file(dst, session_info, service)
ntacl_sddl_str = _read_ntacl_file(src)
if ntacl_sddl_str:
ntacls_helper.setntacl(dst, ntacl_sddl_str, session_info)
else:
logger.warning('Failed to restore ntacl for file %s.' %
dst +
' Please check the permissions are correct')
# now put data in
with open(src, 'rb') as src_file:
data = src_file.read()
with open(dst, 'wb') as dst_file:
dst_file.write(data)
shutil.rmtree(tempdir)
