def _check_metadata(self, metadata, expected):
repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob, metadata[0])
repl_array = []
for o in repl.ctr.array:
repl_array.append((o.attid, o.version))
repl_set = set(repl_array)
expected_set = set(expected)
self.assertEqual(len(repl_set), len(expected),
"Unexpected metadata, missing from expected (%s), extra (%s)), repl: \n%s" % (
str(expected_set.difference(repl_set)),
str(repl_set.difference(expected_set)),
ndr_print(repl)))
i = 0
for o in repl.ctr.array:
e = expected[i]
(attid, version) = e
self.assertEqual(attid, o.attid,
"(LDAP) Wrong attid "
"for expected value %d, wanted 0x%08x got 0x%08x, "
"repl: \n%s"
% (i, attid, o.attid, ndr_print(repl)))
# Allow version to be skipped when it does not matter
if version is not None:
self.assertEqual(o.version, version,
"(LDAP) Wrong version for expected value %d, "
"attid 0x%08x, "
"wanted %d got %d, repl: \n%s"
% (i, o.attid,
version, o.version, ndr_print(repl)))
i = i + 1
def _check_metadata(self, metadata, expected):
repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob, str(metadata[0]))
repl_array = []
for o in repl.ctr.array:
repl_array.append((o.attid, o.version))
repl_set = set(repl_array)
expected_set = set(expected)
self.assertEqual(len(repl_set), len(expected),
"Unexpected metadata, missing from expected (%s), extra (%s)), repl: \n%s" % (
str(expected_set.difference(repl_set)),
str(repl_set.difference(expected_set)),
ndr_print(repl)))
i = 0
for o in repl.ctr.array:
e = expected[i]
(attid, version) = e
self.assertEquals(attid, o.attid,
"(LDAP) Wrong attid "
"for expected value %d, wanted 0x%08x got 0x%08x, "
"repl: \n%s"
% (i, attid, o.attid, ndr_print(repl)))
# Allow version to be skipped when it does not matter
if version is not None:
self.assertEquals(o.version, version,
"(LDAP) Wrong version for expected value %d, "
"attid 0x%08x, "
"wanted %d got %d, repl: \n%s"
% (i, o.attid,
version, o.version, ndr_print(repl)))
i = i + 1
def test_add_remove_name(self):
x = self.get_context()
name = "samba.messaging test-%d" % random.randint(1, 1000000)
x.irpc_add_name(name)
name_list = x.irpc_servers_byname(name)
self.assertEqual(len(name_list), 1)
self.assertEqual(ndr_print(x.server_id), ndr_print(name_list[0]))
x.irpc_remove_name(name)
self.assertRaises(KeyError, x.irpc_servers_byname, name)
def test_add_remove_name(self):
x = self.get_context()
name = "samba.messaging test-%d" % random.randint(1, 1000000)
x.irpc_add_name(name)
name_list = x.irpc_servers_byname(name)
self.assertEqual(len(name_list), 1)
self.assertEqual(ndr_print(x.server_id),
ndr_print(name_list[0]))
x.irpc_remove_name(name)
self.assertRaises(KeyError,
x.irpc_servers_byname, name)
def run(self, file, use_ntvfs=False, use_s3fs=False,
as_sddl=False, xattr_backend=None, eadb_file=None,
credopts=None, sambaopts=None, versionopts=None,
service=None):
lp = sambaopts.get_loadparm()
try:
samdb = SamDB(session_info=system_session(),
lp=lp)
except Exception as e:
raise CommandError("Unable to open samdb:", e)
if not use_ntvfs and not use_s3fs:
use_ntvfs = "smb" in lp.get("server services")
elif use_s3fs:
use_ntvfs = False
s3conf = s3param.get_context()
s3conf.load(lp.configfile)
# ensure we are using the right samba_dsdb passdb backend, no matter what
s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
acl = getntacl(lp, file, xattr_backend, eadb_file, direct_db_access=use_ntvfs, service=service)
if as_sddl:
try:
domain_sid = security.dom_sid(samdb.domain_sid)
except:
raise CommandError("Unable to read domain SID from configuration files")
self.outf.write(acl.as_sddl(domain_sid)+"\n")
else:
self.outf.write(ndr_print(acl))
def run(self,
file,
use_ntvfs=False,
use_s3fs=False,
as_sddl=False,
xattr_backend=None,
eadb_file=None,
credopts=None,
sambaopts=None,
versionopts=None,
service=None):
lp = sambaopts.get_loadparm()
domain_sid = get_local_domain_sid(lp)
if not use_ntvfs and not use_s3fs:
use_ntvfs = "smb" in lp.get("server services")
elif use_s3fs:
use_ntvfs = False
acl = getntacl(lp,
file,
system_session_unix(),
xattr_backend,
eadb_file,
direct_db_access=use_ntvfs,
service=service)
if as_sddl:
self.outf.write(acl.as_sddl(domain_sid) + "\n")
else:
self.outf.write(ndr_print(acl))
def run(self, file, credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
s3conf = s3param.get_context()
s3conf.load(lp.configfile)
dosinfo = getdosinfo(lp, file)
if dosinfo:
self.outf.write(ndr_print(dosinfo))
def run(self, file, credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
s3conf = s3param.get_context()
s3conf.load(lp.configfile)
dosinfo = getdosinfo(lp, file)
if dosinfo:
self.outf.write(ndr_print(dosinfo))
def run(self,
file,
use_ntvfs=False,
use_s3fs=False,
as_sddl=False,
xattr_backend=None,
eadb_file=None,
credopts=None,
sambaopts=None,
versionopts=None,
service=None):
lp = sambaopts.get_loadparm()
is_ad_dc = False
server_role = lp.server_role()
if server_role == "ROLE_ACTIVE_DIRECTORY_DC":
is_ad_dc = True
if not use_ntvfs and not use_s3fs:
use_ntvfs = "smb" in lp.get("server services")
elif use_s3fs:
use_ntvfs = False
s3conf = s3param.get_context()
s3conf.load(lp.configfile)
if is_ad_dc:
try:
samdb = SamDB(session_info=system_session(), lp=lp)
except Exception as e:
raise CommandError("Unable to open samdb:", e)
# ensure we are using the right samba_dsdb passdb backend, no
# matter what
s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
acl = getntacl(lp,
file,
xattr_backend,
eadb_file,
direct_db_access=use_ntvfs,
service=service,
session_info=system_session_unix())
if as_sddl:
try:
if is_ad_dc:
domain_sid = security.dom_sid(samdb.domain_sid)
else:
domain_sid = passdb.get_domain_sid()
except:
raise CommandError("Unable to read domain SID from "
"configuration files")
self.outf.write(acl.as_sddl(domain_sid) + "\n")
else:
self.outf.write(ndr_print(acl))
class cmd_ntacl_get(Command):
"""Get ACLs of a file."""
synopsis = "%prog <file> [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
}
takes_options = [
Option("--as-sddl", help="Output ACL in the SDDL format", action="store_true"),
Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
choices=["native","tdb"]),
Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
Option("--use-ntvfs", help="Get the ACLs directly from the TDB or xattr used with the ntvfs file server", action="store_true"),
Option("--use-s3fs", help="Get the ACLs for use via the VFS layer used by the default s3fs file server", action="store_true")
]
takes_args = ["file"]
def run(self, file, use_ntvfs=False, use_s3fs=False,
as_sddl=False, xattr_backend=None, eadb_file=None,
credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
try:
samdb = SamDB(session_info=system_session(),
lp=lp)
except Exception, e:
raise CommandError("Unable to open samdb:", e)
if not use_ntvfs and not use_s3fs:
use_ntvfs = "smb" in lp.get("server services")
elif use_s3fs:
use_ntvfs = False
s3conf = s3param.get_context()
s3conf.load(lp.configfile)
# ensure we are using the right samba_dsdb passdb backend, no matter what
s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
acl = getntacl(lp, file, xattr_backend, eadb_file, direct_db_access=use_ntvfs)
if as_sddl:
try:
domain_sid = security.dom_sid(samdb.domain_sid)
except:
raise CommandError("Unable to read domain SID from configuration files")
self.outf.write(acl.as_sddl(domain_sid)+"\n")
else:
self.outf.write(ndr_print(acl))
def update_ftinfo(self, another_domain):
"""
Updates forest trust information in this forest corresponding
to the another domain's information.
"""
try:
if another_domain.ftinfo_records:
ftinfo = self.generate_ftinfo(another_domain)
# Set forest trust information -- we do it only against AD DC as
# smbd already has the information about itself
ldname = lsa.StringLarge()
ldname.string = another_domain.info['dns_domain']
collision_info = self._pipe.lsaRSetForestTrustInformation(self._policy_handle,
ldname,
lsa.LSA_FOREST_TRUST_DOMAIN_INFO,
ftinfo, 0)
if collision_info:
root_logger.error("When setting forest trust information, got collision info back:\n%s" % (ndr_print(collision_info)))
except RuntimeError, e:
# We can ignore the error here -- setting up name suffix routes may fail
pass
def calculate_supplementalCredentials(ucs_krb5key, old_supplementalCredentials):
old_krb = {}
if old_supplementalCredentials:
sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, old_supplementalCredentials)
for p in sc.sub.packages:
ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: parsing %s blob" % p.name)
if p.name == "Primary:Kerberos":
krb_blob = binascii.unhexlify(p.data)
try:
krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob)
assert krb.version == 3
old_krb['ctr3'] = krb.ctr
for k in krb.ctr.keys:
ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: ctr3.key.keytype: %s" % k.keytype)
except:
ud.debug(ud.LDAP, ud.ERROR, "calculate_supplementalCredentials: ndr_unpack of S4 Primary:Kerberos blob failed. Traceback:")
traceback.print_exc()
ud.debug(ud.LDAP, ud.ERROR, "calculate_supplementalCredentials: Continuing anyway, Primary:Kerberos (DES keys) blob will be missing in supplementalCredentials ctr3.old_keys.")
elif p.name == "Primary:Kerberos-Newer-Keys":
krb_blob = binascii.unhexlify(p.data)
try:
krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob)
assert krb.version == 4
old_krb['ctr4'] = krb.ctr
for k in krb.ctr.keys:
ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: ctr4.key.keytype: %s" % k.keytype)
except:
ud.debug(ud.LDAP, ud.ERROR, "calculate_supplementalCredentials: ndr_unpack of S4 Primary:Kerberos-Newer-Keys blob failed. Traceback:")
traceback.print_exc()
ud.debug(ud.LDAP, ud.ERROR, "calculate_supplementalCredentials: Continuing anyway, Primary:Kerberos-Newer-Keys (AES and DES keys) blob will be missing in supplementalCredentials ctr4.old_keys.")
krb5_aes256 = ''
krb5_aes128 = ''
krb5_des_md5 = ''
krb5_des_crc = ''
krb_ctr3_salt = ''
krb_ctr4_salt = ''
for k in ucs_krb5key:
(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
key_data = keyblock.keyvalue()
saltstring = salt.saltvalue()
enctype = keyblock.keytype()
enctype_id = enctype.toint()
if enctype_id not in krb5_context.etype_ids:
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ignoring unsupported krb5_keytype: (%d)" % (enctype_id,))
continue
ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))
if enctype_id == 18:
krb5_aes256 = key_data
if not krb_ctr4_salt:
krb_ctr4_salt = saltstring
elif enctype_id == 17:
krb5_aes128 = key_data
if not krb_ctr4_salt:
krb_ctr4_salt = saltstring
elif enctype_id == 3:
krb5_des_md5 = key_data
if not krb_ctr3_salt:
krb_ctr3_salt = saltstring
elif enctype_id == 1:
krb5_des_crc = key_data
if not krb_ctr3_salt:
krb_ctr3_salt = saltstring
# build new drsblobs.supplementalCredentialsBlob
sc_blob = None
cred_List = []
package_names = []
# Primary:Kerberos-Newer-Keys : AES keys
if krb5_aes256 or krb5_aes128:
ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: building Primary:Kerberos-Newer-Keys blob")
kerberosKey4list = []
if krb5_aes256:
assert len(krb5_aes256) == 32
next_key = drsblobs.package_PrimaryKerberosKey4()
next_key.keytype = 18
next_key.value = krb5_aes256
next_key.value_len = len(krb5_aes256)
kerberosKey4list.append(next_key)
if krb5_aes128:
assert len(krb5_aes128) == 16
next_key = drsblobs.package_PrimaryKerberosKey4()
next_key.keytype = 17
next_key.value = krb5_aes128
next_key.value_len = len(krb5_aes128)
kerberosKey4list.append(next_key)
if krb5_des_md5:
assert len(krb5_des_md5) == 8
next_key = drsblobs.package_PrimaryKerberosKey4()
next_key.keytype = 3
next_key.value = krb5_des_md5
next_key.value_len = len(krb5_des_md5)
kerberosKey4list.append(next_key)
if krb5_des_crc:
assert len(krb5_des_crc) == 8
next_key = drsblobs.package_PrimaryKerberosKey4()
next_key.keytype = 1
next_key.value = krb5_des_crc
next_key.value_len = len(krb5_des_crc)
kerberosKey4list.append(next_key)
salt4 = drsblobs.package_PrimaryKerberosString()
salt4.string = krb_ctr4_salt
ctr4 = drsblobs.package_PrimaryKerberosCtr4()
ctr4.salt = salt4
ctr4.num_keys = len(kerberosKey4list)
ctr4.keys = kerberosKey4list
if old_krb.get('ctr4'):
# Backup old_keys to s4_old_keys
s4_num_old_keys = old_krb['ctr4'].num_old_keys
s4_old_keys = []
for key in old_krb['ctr4'].old_keys:
s4_old_keys.append(key)
# keys -> old_keys
if len(old_krb['ctr4'].keys) != ctr4.num_keys:
cleaned_old_keys = []
for key in old_krb['ctr4'].keys:
if key.keytype == 4294967156: # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) to include the arc4 hash
ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: Primary:Kerberos-Newer-Keys filtering keytype %s from old_keys" % key.keytype)
continue
else: # TODO: can we do something better at this point to make old_keys == num_keys ?
cleaned_old_keys.append(key)
ctr4.old_keys = cleaned_old_keys
ctr4.num_old_keys = len(cleaned_old_keys)
else:
ctr4.old_keys = old_krb['ctr4'].keys
ctr4.num_old_keys = old_krb['ctr4'].num_keys
# s4_old_keys -> older_keys
if ctr4.num_old_keys != ctr4.num_older_keys:
cleaned_older_keys = []
for key in s4_old_keys:
if key.keytype == 4294967156: # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) to include the arc4 hash
ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: Primary:Kerberos-Newer-Keys filtering keytype %s from older_keys" % key.keytype)
continue
else: # TODO: can we do something better at this point to make old_keys == num_keys ?
cleaned_older_keys.append(key)
ctr4.older_keys = cleaned_older_keys
ctr4.num_older_keys = len(cleaned_older_keys)
else:
ctr4.older_keys = s4_old_keys
ctr4.num_older_keys = s4_num_old_keys
if ctr4.num_old_keys != 0 and ctr4.num_old_keys != ctr4.num_keys:
# TODO: Recommended policy is to fill up old_keys to match num_keys, this will result in a traceback, can we do something better?
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: Primary:Kerberos-Newer-Keys num_keys = %s" % ctr4.num_keys)
for k in ctr4.keys:
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ctr4.key.keytype: %s" % k.keytype)
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: Primary:Kerberos-Newer-Keys num_old_keys = %s" % ctr4.num_old_keys)
for k in ctr4.old_keys:
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ctr4.old_key.keytype: %s" % k.keytype)
if ctr4.num_older_keys != 0 and ctr4.num_older_keys != ctr4.num_old_keys:
# TODO: Recommended policy is to fill up old_keys to match num_keys, this will result in a traceback, can we do something better?
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: Primary:Kerberos-Newer-Keys num_old_keys = %s" % ctr4.num_old_keys)
for k in ctr4.old_keys:
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ctr4.old_key.keytype: %s" % k.keytype)
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: Primary:Kerberos-Newer-Keys num_older_keys = %s" % ctr4.num_older_keys)
for k in ctr4.older_keys:
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ctr4.older_key.keytype: %s" % k.keytype)
krb_Primary_Kerberos_Newer = drsblobs.package_PrimaryKerberosBlob()
krb_Primary_Kerberos_Newer.version = 4
krb_Primary_Kerberos_Newer.ctr = ctr4
krb_blob_Primary_Kerberos_Newer = ndr_pack(krb_Primary_Kerberos_Newer)
creddata_Primary_Kerberos_Newer = binascii.hexlify(krb_blob_Primary_Kerberos_Newer)
credname_Primary_Kerberos_Newer = "Primary:Kerberos-Newer-Keys"
cred_Primary_Kerberos_Newer = drsblobs.supplementalCredentialsPackage()
cred_Primary_Kerberos_Newer.name = credname_Primary_Kerberos_Newer
cred_Primary_Kerberos_Newer.name_len = len(credname_Primary_Kerberos_Newer)
cred_Primary_Kerberos_Newer.data = creddata_Primary_Kerberos_Newer
cred_Primary_Kerberos_Newer.data_len = len(creddata_Primary_Kerberos_Newer)
cred_Primary_Kerberos_Newer.reserved = 1
cred_List.append(cred_Primary_Kerberos_Newer)
package_names.append('Kerberos-Newer-Keys')
# Primary:Kerberos : MD5 and CRC keys
if krb5_des_md5 or krb5_des_crc:
ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: building Primary:Kerberos blob")
kerberosKey3list = []
if krb5_des_md5:
next_key = drsblobs.package_PrimaryKerberosKey3()
next_key.keytype = 3
next_key.value = krb5_des_md5
next_key.value_len = len(krb5_des_md5)
kerberosKey3list.append(next_key)
if krb5_des_crc:
next_key = drsblobs.package_PrimaryKerberosKey3()
next_key.keytype = 1
next_key.value = krb5_des_crc
next_key.value_len = len(krb5_des_crc)
kerberosKey3list.append(next_key)
salt = drsblobs.package_PrimaryKerberosString()
salt.string = krb_ctr3_salt
ctr3 = drsblobs.package_PrimaryKerberosCtr3()
ctr3.salt = salt
ctr3.num_keys = len(kerberosKey3list)
ctr3.keys = kerberosKey3list
if old_krb.get('ctr3'):
# keys -> old_keys
if len(old_krb['ctr3'].keys) != ctr3.num_keys:
cleaned_ctr3_old_keys = []
for key in old_krb['ctr3'].keys:
if key.keytype == 4294967156: # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) to include the arc4 hash
ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: Primary:Kerberos filtering keytype %s from old_keys" % key.keytype)
continue
else: # TODO: can we do something better at this point to make old_keys == num_keys ?
cleaned_ctr3_old_keys.append(key)
ctr3.old_keys = cleaned_ctr3_old_keys
ctr3.num_old_keys = len(cleaned_ctr3_old_keys)
else:
ctr3.old_keys = old_krb['ctr3'].keys
ctr3.num_old_keys = old_krb['ctr3'].num_keys
if ctr3.num_old_keys != 0 and ctr3.num_old_keys != ctr3.num_keys:
# TODO: Recommended policy is to fill up old_keys to match num_keys, this will result in a traceback, can we do something better?
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: Primary:Kerberos num_keys = %s" % ctr3.num_keys)
for k in ctr3.keys:
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ctr3.key.keytype: %s" % k.keytype)
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: Primary:Kerberos num_old_keys = %s" % ctr3.num_old_keys)
for k in ctr3.old_keys:
ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ctr3.old_key.keytype: %s" % k.keytype)
krb = drsblobs.package_PrimaryKerberosBlob()
krb.version = 3
krb.ctr = ctr3
krb3_blob = ndr_pack(krb)
creddata_Primary_Kerberos = binascii.hexlify(krb3_blob)
credname_Primary_Kerberos = "Primary:Kerberos"
cred_Primary_Kerberos = drsblobs.supplementalCredentialsPackage()
cred_Primary_Kerberos.name = credname_Primary_Kerberos
cred_Primary_Kerberos.name_len = len(credname_Primary_Kerberos)
cred_Primary_Kerberos.data = creddata_Primary_Kerberos
cred_Primary_Kerberos.data_len = len(creddata_Primary_Kerberos)
cred_Primary_Kerberos.reserved = 1
cred_List.append(cred_Primary_Kerberos)
package_names.append('Kerberos')
if package_names:
krb_blob_Packages = '\0'.join(package_names).encode('utf-16le')
cred_PackagesBlob_data = binascii.hexlify(krb_blob_Packages).upper()
cred_PackagesBlob_name = "Packages"
cred_PackagesBlob = drsblobs.supplementalCredentialsPackage()
cred_PackagesBlob.name = cred_PackagesBlob_name
cred_PackagesBlob.name_len = len(cred_PackagesBlob_name)
cred_PackagesBlob.data = cred_PackagesBlob_data
cred_PackagesBlob.data_len = len(cred_PackagesBlob_data)
cred_PackagesBlob.reserved = 2
cred_List.insert(-1, cred_PackagesBlob)
sub = drsblobs.supplementalCredentialsSubBlob()
sub.num_packages = len(cred_List)
sub.packages = cred_List
sub.signature = drsblobs.SUPPLEMENTAL_CREDENTIALS_SIGNATURE
sub.prefix = drsblobs.SUPPLEMENTAL_CREDENTIALS_PREFIX
sc = drsblobs.supplementalCredentialsBlob()
sc.sub = sub
sc_blob = ndr_pack(sc)
ud.debug(ud.LDAP, ud.ALL, "calculate_supplementalCredentials: sc:\n%s" % ndr_print(sc))
return sc_blob
