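def add_group_from_mapping_entry(samdb, groupmap, logger):
    """Add or modify group from group mapping entry

    param samdb: Samba4 SAM database
    param groupmap: Groupmap entry (Samba3 group mapping; the fields read
                    here are sid, nt_name, sid_name_use and comment)
    param logger: Logger object

    A group whose SID already exists in the SAM is left untouched and a
    warning is logged.  Entries flagged SID_NAME_WKN_GRP are imported only
    when their SID is in the BUILTIN domain, and then as domain-local
    (alias) groups.  Failure to add the group is logged, not raised.
    """

    # First try to see if we already have this entry.  Look up by SID rather
    # than by name so a renamed group is still detected.
    try:
        msg = samdb.search(base='<SID=%s>' % str(groupmap.sid),
                           scope=ldb.SCOPE_BASE)
        found = True
    except ldb.LdbError as e1:
        (ecode, emsg) = e1.args
        if ecode == ldb.ERR_NO_SUCH_OBJECT:
            found = False
        else:
            # Bare re-raise keeps the original traceback; building a fresh
            # LdbError(ecode, emsg) would have discarded it.
            raise

    if found:
        # Logger.warn() is a deprecated alias of warning() (removed in 3.13).
        logger.warning(
            'Group already exists sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
            str(groupmap.sid), groupmap.nt_name, msg[0]['sAMAccountName'][0])
        return

    if groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
        # In a lot of Samba3 databases, aliases are marked as well known
        # groups.  Only those living in the BUILTIN domain are imported
        # (as aliases, see the groupType fix-up below); anything else is
        # dropped silently.
        (group_dom_sid, rid) = groupmap.sid.split()
        if group_dom_sid != security.dom_sid(security.SID_BUILTIN):
            return

    m = ldb.Message()
    # Build the DN with set_component() instead of a format string: the CN
    # value (nt_name) comes from the Samba3 database, and this way it does
    # not need to be escaped by hand for DN syntax.
    m.dn = ldb.Dn(samdb, "CN=X,CN=Users")
    m.dn.set_component(0, "CN", groupmap.nt_name)
    m.dn.add_base(samdb.get_default_basedn())

    m['objectClass'] = ldb.MessageElement('group', ldb.FLAG_MOD_ADD,
                                          'objectClass')
    # objectSid is supplied explicitly (NDR-packed) so the Samba3 SID is
    # preserved; this is why the relax control is needed on add() below.
    m['objectSid'] = ldb.MessageElement(ndr_pack(groupmap.sid),
                                        ldb.FLAG_MOD_ADD, 'objectSid')
    m['sAMAccountName'] = ldb.MessageElement(groupmap.nt_name,
                                             ldb.FLAG_MOD_ADD,
                                             'sAMAccountName')

    if groupmap.comment:
        m['description'] = ldb.MessageElement(groupmap.comment,
                                              ldb.FLAG_MOD_ADD,
                                              'description')

    # Fix up incorrect 'well known' groups that are actually builtin (per the
    # test above) to be aliases, i.e. domain-local security groups.
    if groupmap.sid_name_use in (lsa.SID_NAME_ALIAS, lsa.SID_NAME_WKN_GRP):
        m['groupType'] = ldb.MessageElement(
            str(dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP), ldb.FLAG_MOD_ADD,
            'groupType')

    try:
        # relax:0 lets us set server-controlled attributes (objectSid) on add.
        samdb.add(m, controls=["relax:0"])
    except ldb.LdbError as e:
        # Best effort: one bad mapping entry must not abort the whole import.
        logger.warning('Could not add group name=%s (%s)', groupmap.nt_name,
                       str(e))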
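    def search_samdb(self, s4_dns=None, ldapfilter=None):
        """Return (dn, objectGUID, uSNChanged) for objects in the SAM database.

        :param s4_dns: optional list or tuple of DNs; each one is searched
                       individually with SCOPE_BASE.  When omitted, a single
                       search with *ldapfilter* over the default base is run.
        :param ldapfilter: LDAP filter expression, passed to the server as-is
                           (any caller-interpolated values must already be
                           escaped for filter syntax).  Defaults to
                           '(objectClass=*)' when s4_dns is given.
        :return: list of (dn, misc.GUID, uSNChanged) tuples; dn is the
                 requested DN in the s4_dns case, else str(msg.dn)
        :raises ValueError: s4_dns is neither a list nor a tuple
        :raises ldb.LdbError: code 1; args[1] is a list of (dn, message) for
            every DN whose search failed, args[2] the DNs found so far
        :raises GuidNotFound: code 1 with the DNs that matched nothing
            (s4_dns case), or code 2 when the filter search matched nothing
        """

        def decode(dn, msg):
            # objectGuid is stored as an NDR blob; uSNChanged is returned as-is.
            guid_blob = msg.get("objectGuid", idx=0)
            guid = ndr_unpack(misc.GUID, guid_blob)
            usn = msg.get("uSNChanged", idx=0)
            return (dn, guid, usn)

        search_result = []
        if s4_dns:
            # isinstance() also accepts list/tuple subclasses, which the
            # former exact type() comparison rejected.
            if not isinstance(s4_dns, (list, tuple)):
                raise ValueError(
                    "'s4_dns' is of type %s, must be list or tuple" %
                    type(s4_dns))
            if not ldapfilter:
                ldapfilter = '(objectClass=*)'

            error_dns = []
            missing_dns = []
            for targetdn in s4_dns:
                guid = None
                try:
                    res = self.samdb.search(targetdn,
                                            scope=ldb.SCOPE_BASE,
                                            expression=ldapfilter,
                                            attrs=["objectGuid", "uSNChanged"])
                    for msg in res:
                        entry = decode(targetdn, msg)
                        guid = entry[1]
                        search_result.append(entry)
                    # guid stays None when the base search returned no entry
                    # (e.g. the filter did not match the object).
                    if not guid:
                        missing_dns.append(targetdn)
                except ldb.LdbError as ex:
                    error_dns.append((targetdn, ex.args[1]))
            # Errors take precedence over missing entries; both carry the
            # successfully found DNs so the caller can tell what did work.
            if error_dns:
                raise ldb.LdbError(1, error_dns, [r[0] for r in search_result])
            if missing_dns:
                raise GuidNotFound(1, missing_dns,
                                   [r[0] for r in search_result])
        else:
            guid = None
            res = self.samdb.search(expression=ldapfilter,
                                    attrs=["objectGuid", "uSNChanged"])

            for msg in res:
                entry = decode(str(msg.dn), msg)
                guid = entry[1]
                search_result.append(entry)

            # No iteration happened (or last GUID was falsy): nothing matched.
            if not guid:
                raise GuidNotFound(2, "No match")

        return search_result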
def add_group_from_mapping_entry(samdb, groupmap, logger):
    """Add or modify group from group mapping entry

    param samdb: Samba4 SAM database
    param groupmap: Groupmap entry
    param logger: Logger object
    """

    # First try to see if we already have this entry
    try:
        msg = samdb.search(base='<SID=%s>' % str(groupmap.sid),
                           scope=ldb.SCOPE_BASE)
        found = True
    except ldb.LdbError, (ecode, emsg):
        if ecode == ldb.ERR_NO_SUCH_OBJECT:
            found = False
        else:
            raise ldb.LdbError(ecode, emsg)