def changedom_sids(file): if verbose: self.outf.write("file: %s\n" % file) try: acl = getntacl(lp, file, system_session_unix(), xattr_backend, eadb_file, direct_db_access=use_ntvfs, service=service) except Exception as e: raise CommandError("Could not get acl for %s: %s" % (file, e)) orig_sddl = acl.as_sddl(domain_sid) if verbose: self.outf.write("before:\n%s\n" % orig_sddl) def replace_domain_sid(sid): (dom, rid) = sid.split() if dom == old_domain_sid: return security.dom_sid("%s-%i" % (new_domain_sid, rid)) return sid acl.owner_sid = replace_domain_sid(acl.owner_sid) acl.group_sid = replace_domain_sid(acl.group_sid) if acl.sacl: for ace in acl.sacl.aces: ace.trustee = replace_domain_sid(ace.trustee) if acl.dacl: for ace in acl.dacl.aces: ace.trustee = replace_domain_sid(ace.trustee) new_sddl = acl.as_sddl(domain_sid) if verbose: self.outf.write("after:\n%s\n" % new_sddl) if orig_sddl == new_sddl: if verbose: self.outf.write("nothing to do\n") return True try: setntacl(lp, file, acl, new_domain_sid, system_session_unix(), xattr_backend, eadb_file, use_ntvfs=use_ntvfs, service=service) except Exception as e: raise CommandError("Could not set acl for %s: %s" % (file, e))
def run(self, file, use_ntvfs=False, use_s3fs=False, as_sddl=False, xattr_backend=None, eadb_file=None, credopts=None, sambaopts=None, versionopts=None, service=None): lp = sambaopts.get_loadparm() domain_sid = get_local_domain_sid(lp) if not use_ntvfs and not use_s3fs: use_ntvfs = "smb" in lp.get("server services") elif use_s3fs: use_ntvfs = False acl = getntacl(lp, file, system_session_unix(), xattr_backend, eadb_file, direct_db_access=use_ntvfs, service=service) if as_sddl: self.outf.write(acl.as_sddl(domain_sid) + "\n") else: self.outf.write(ndr_print(acl))
def run(self, acl, file, use_ntvfs=False, use_s3fs=False, quiet=False, xattr_backend=None, eadb_file=None, credopts=None, sambaopts=None, versionopts=None, service=None): logger = self.get_logger() lp = sambaopts.get_loadparm() domain_sid = get_local_domain_sid(lp) if not use_ntvfs and not use_s3fs: use_ntvfs = "smb" in lp.get("server services") elif use_s3fs: use_ntvfs = False setntacl(lp, file, acl, str(domain_sid), system_session_unix(), xattr_backend, eadb_file, use_ntvfs=use_ntvfs, service=service) if use_ntvfs: logger.warning( "Please note that POSIX permissions have NOT been changed, only the stored NT ACL" )
def test_smbd_create_file(self): """ A smoke test for smbd.create_file and smbd.unlink API """ filepath = os.path.join(self.service_root, 'a-file') smbd.create_file(filepath, system_session_unix(), self.service) self.assertTrue(os.path.isfile(filepath)) mode = os.stat(filepath).st_mode # This works in conjunction with the TEST_UMASK in smbd_base # to ensure that permissions are not related to the umask # but instead the smb.conf settings self.assertEqual(mode & 0o777, 0o644) # As well as checking that unlink works, this removes the # fake xattrs from the dev/inode based DB smbd.unlink(filepath, system_session_unix(), self.service) self.assertFalse(os.path.isfile(filepath))
def backup_offline(src_service_path, dest_tarfile_path, samdb_conn, smb_conf_path): """ Backup files and ntacls to a tarfile for a service """ service = src_service_path.rstrip('/').rsplit('/', 1)[-1] tempdir = tempfile.mkdtemp() session_info = system_session_unix() dom_sid_str = samdb_conn.get_domain_sid() dom_sid = security.dom_sid(dom_sid_str) ntacls_helper = NtaclsHelper(service, smb_conf_path, dom_sid) for dirpath, dirnames, filenames in os.walk(src_service_path): # each dir only cares about its direct children rel_dirpath = os.path.relpath(dirpath, start=src_service_path) dst_dirpath = os.path.join(tempdir, rel_dirpath) # create sub dirs and NTACL file for dirname in dirnames: src = os.path.join(dirpath, dirname) dst = os.path.join(dst_dirpath, dirname) # mkdir with metadata smbd.mkdir(dst, session_info, service) ntacl_sddl_str = ntacls_helper.getntacl(src, session_info, as_sddl=True) _create_ntacl_file(dst, ntacl_sddl_str) # create files and NTACL file, then copy data for filename in filenames: src = os.path.join(dirpath, filename) dst = os.path.join(dst_dirpath, filename) # create an empty file with metadata smbd.create_file(dst, session_info, service) ntacl_sddl_str = ntacls_helper.getntacl(src, session_info, as_sddl=True) _create_ntacl_file(dst, ntacl_sddl_str) # now put data in with open(src, 'rb') as src_file: data = src_file.read() with open(dst, 'wb') as dst_file: dst_file.write(data) # add all files in tempdir to tarfile without a top folder with tarfile.open(name=dest_tarfile_path, mode='w:gz') as tar: for name in os.listdir(tempdir): path = os.path.join(tempdir, name) tar.add(path, arcname=name) shutil.rmtree(tempdir)
def test_compare_getntacl(self): """ Ntacls get from different ways should be the same """ file_name = 'file0.txt' file_path = os.path.join(self.service_root, file_name) sd0 = self.smb_helper.get_acl(file_name, as_sddl=True) sd1 = self.ntacls_helper.getntacl(file_path, system_session_unix(), as_sddl=True, direct_db_access=False) sd2 = self.ntacls_helper.getntacl(file_path, system_session_unix(), as_sddl=True, direct_db_access=True) self.assertEqual(sd0, sd1) self.assertEqual(sd1, sd2)
def test_smbd_mkdir(self): """ A smoke test for smbd.mkdir API """ dirpath = os.path.join(self.service_root, 'a-dir') smbd.mkdir(dirpath, system_session_unix(), self.service) mode = os.stat(dirpath).st_mode # This works in conjunction with the TEST_UMASK in smbd_base # to ensure that permissions are not related to the umask # but instead the smb.conf settings self.assertEqual(mode & 0o777, 0o755) self.assertTrue(os.path.isdir(dirpath))
def get_session_info(self, domsid=DOM_SID): """ Get session_info for setntacl. """ return system_session_unix()
def setUp(self): super(NtaclsTests, self).setUp() self.tempf = os.path.join(self.tempdir, "test") open(self.tempf, 'w').write("empty") self.session_info = system_session_unix()
def backup_restore(src_tarfile_path, dst_service_path, samdb_conn, smb_conf_path): """ Restore files and ntacls from a tarfile to a service """ logger = get_samba_logger() service = dst_service_path.rstrip('/').rsplit('/', 1)[-1] tempdir = tempfile.mkdtemp() # src files dom_sid_str = samdb_conn.get_domain_sid() dom_sid = security.dom_sid(dom_sid_str) ntacls_helper = NtaclsHelper(service, smb_conf_path, dom_sid) session_info = system_session_unix() with tarfile.open(src_tarfile_path) as f: f.extractall(path=tempdir) # e.g.: /tmp/tmpRNystY/{dir1,dir1.NTACL,...file1,file1.NTACL} for dirpath, dirnames, filenames in os.walk(tempdir): rel_dirpath = os.path.relpath(dirpath, start=tempdir) dst_dirpath = os.path.normpath( os.path.join(dst_service_path, rel_dirpath)) for dirname in dirnames: if not dirname.endswith('.NTACL'): src = os.path.join(dirpath, dirname) dst = os.path.join(dst_dirpath, dirname) if not os.path.isdir(dst): # dst must be absolute path for smbd API smbd.mkdir(dst, session_info, service) ntacl_sddl_str = _read_ntacl_file(src) if ntacl_sddl_str: ntacls_helper.setntacl(dst, ntacl_sddl_str, session_info) else: logger.warning( 'Failed to restore ntacl for directory %s.' % dst + ' Please check the permissions are correct') for filename in filenames: if not filename.endswith('.NTACL'): src = os.path.join(dirpath, filename) dst = os.path.join(dst_dirpath, filename) if not os.path.isfile(dst): # dst must be absolute path for smbd API smbd.create_file(dst, session_info, service) ntacl_sddl_str = _read_ntacl_file(src) if ntacl_sddl_str: ntacls_helper.setntacl(dst, ntacl_sddl_str, session_info) else: logger.warning('Failed to restore ntacl for file %s.' % dst + ' Please check the permissions are correct') # now put data in with open(src, 'rb') as src_file: data = src_file.read() with open(dst, 'wb') as dst_file: dst_file.write(data) shutil.rmtree(tempdir)