Esempio n. 1
0
def update_gpo(paths, samdb, names, lp, message, force=0):
    """Create missing GPO file object if needed

    Set ACL correctly also.
    Check ACLs for sysvol/netlogon dirs also
    """
    resetacls = False
    try:
        ntacls.checkset_backend(lp, None, None)
        eadbname = lp.get("posix:eadb")
        if eadbname is not None and eadbname != "":
            try:
                attribute = samba.xattr_tdb.wrap_getxattr(
                    eadbname, paths.sysvol, xattr.XATTR_NTACL_NAME)
            except Exception:
                attribute = samba.xattr_native.wrap_getxattr(
                    paths.sysvol, xattr.XATTR_NTACL_NAME)
        else:
            attribute = samba.xattr_native.wrap_getxattr(
                paths.sysvol, xattr.XATTR_NTACL_NAME)
    except Exception:
        resetacls = True

    if force:
        resetacls = True

    dir = getpolicypath(paths.sysvol, names.dnsdomain, names.policyid)
    if not os.path.isdir(dir):
        create_gpo_struct(dir)

    if names.policyid_dc is None:
        raise ProvisioningError("Policy ID for Domain controller is missing")
    dir = getpolicypath(paths.sysvol, names.dnsdomain, names.policyid_dc)
    if not os.path.isdir(dir):
        create_gpo_struct(dir)

    def acl_error(e):
        if os.geteuid() == 0:
            message(ERROR,
                    "Unable to set ACLs on policies related objects: %s" % e)
        else:
            message(
                ERROR, "Unable to set ACLs on policies related objects. "
                "ACLs must be set as root if file system ACLs "
                "(rather than posix:eadb) are used.")

    # We always reinforce acls on GPO folder because they have to be in sync
    # with the one in DS
    try:
        set_gpos_acl(paths.sysvol, names.dnsdomain, names.domainsid,
                     names.domaindn, samdb, lp)
    except TypeError, e:
        acl_error(e)
Esempio n. 2
0
def update_gpo(paths, samdb, names, lp, message, force=0):
    """Create missing GPO file object if needed

    Set ACL correctly also.
    Check ACLs for sysvol/netlogon dirs also
    """
    resetacls = False
    try:
        ntacls.checkset_backend(lp, None, None)
        eadbname = lp.get("posix:eadb")
        if eadbname is not None and eadbname != "":
            try:
                attribute = samba.xattr_tdb.wrap_getxattr(eadbname,
                                paths.sysvol, xattr.XATTR_NTACL_NAME)
            except Exception:
                attribute = samba.xattr_native.wrap_getxattr(paths.sysvol,
                                xattr.XATTR_NTACL_NAME)
        else:
            attribute = samba.xattr_native.wrap_getxattr(paths.sysvol,
                                xattr.XATTR_NTACL_NAME)
    except Exception:
       resetacls = True

    if force:
        resetacls = True

    dir = getpolicypath(paths.sysvol, names.dnsdomain, names.policyid)
    if not os.path.isdir(dir):
        create_gpo_struct(dir)

    if names.policyid_dc is None:
        raise ProvisioningError("Policy ID for Domain controller is missing")
    dir = getpolicypath(paths.sysvol, names.dnsdomain, names.policyid_dc)
    if not os.path.isdir(dir):
        create_gpo_struct(dir)

    def acl_error(e):
        if os.geteuid() == 0:
            message(ERROR, "Unable to set ACLs on policies related objects: %s" % e)
        else:
            message(ERROR, "Unable to set ACLs on policies related objects. "
                    "ACLs must be set as root if file system ACLs "
                    "(rather than posix:eadb) are used.")

    # We always reinforce acls on GPO folder because they have to be in sync
    # with the one in DS
    try:
        set_gpos_acl(paths.sysvol, names.dnsdomain, names.domainsid,
            names.domaindn, samdb, lp)
    except TypeError, e:
        acl_error(e)
Esempio n. 3
0
    def test_setntacl_invalidate_getntacl_smbd(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

        # the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
        facl = getntacl(self.lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Esempio n. 4
0
    def test_setntacl_invalidate_getntacl(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

        # however, as this is direct DB access, we do not notice it
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Esempio n. 5
0
    def test_setntacl_invalidate_getntacl_smbd(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", "")

        #the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
        facl = getntacl(self.lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Esempio n. 6
0
    def test_setntacl_invalidate_getntacl(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", "")

        #however, as this is direct DB access, we do not notice it
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Esempio n. 7
0
    def test_setntacl_invalidate_getntacl(self):
        acl = ACL
        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
                 session_info=self.get_session_info())

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", b"")

        #however, as this is direct DB access, we do not notice it
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Esempio n. 8
0
    def test_setntacl_invalidate_getntacl_smbd(self):
        acl = ACL
        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
                 session_info=self.get_session_info())

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", b"")

        #the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
        facl = getntacl(self.lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Esempio n. 9
0
    def test_setntacl_smbd_invalidate_getntacl_smbd(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        os.chmod(self.tempf, 0o750)
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

        # the hash will break, and we return an ACL based only on the mode
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
Esempio n. 10
0
    def test_setntacl_smbd_invalidate_getntacl_smbd(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        os.chmod(self.tempf, 0750)
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", "")

        #the hash will break, and we return an ACL based only on the mode
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))