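def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None):
    """Resolve a DC, bind to it over LDAP and open the GPO's SYSVOL share over SMB.

    This listing ends right after the SMB connection is established; the
    work done with ``conn`` presumably follows in code not shown here.

    Args:
        gpo: GPO name/GUID as accepted by get_gpo_info().
        H: optional LDAP URL.  Only an ``ldap://`` URL is used as given (its
            host part doubles as the SMB server); anything else is ignored
            and a DC is discovered with netcmd_finddc() instead.
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` are dereferenced here, so they
            must be supplied.

    Raises:
        CommandError: if the GPO does not exist, its gPCFileSysPath is not a
            valid UNC path, or the SMB connection fails.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

    # We need to know a writable DC to set up the SMB connection, hence the
    # host name is taken from the ldap:// URL or from DC discovery.
    if H and H.startswith('ldap://'):
        dc_hostname = H[len('ldap://'):]
        self.url = H
    else:
        dc_hostname = netcmd_finddc(self.lp, self.creds)
        self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
    samdb_connect(self)

    # Check if valid GPO.  Any failure here (a lookup error as much as an
    # empty result) is reported as a missing GPO.
    try:
        msg = get_gpo_info(self.samdb, gpo=gpo)[0]
        unc_path = msg['gPCFileSysPath'][0]
    except Exception:
        raise CommandError("GPO '{0!s}' does not exist".format(gpo))

    # Connect to DC over SMB.  parse_unc() raises ValueError on a malformed
    # path; report it as a CommandError (as the fetch command does) rather
    # than letting a traceback escape.
    try:
        [dom_name, service, sharepath] = parse_unc(unc_path)
    except ValueError:
        raise CommandError("Invalid GPO path ({0!s})".format(unc_path))
    try:
        conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
    except Exception as e:
        # "except X as e" replaces the Python 2 only "except X, e" form.
        raise CommandError("Error connecting to '{0!s}' using SMB".format(dc_hostname), e)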
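def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None):
    """Resolve a DC, bind to it over LDAP and open the GPO's SYSVOL share over SMB.

    This listing ends right after the SMB connection is established; the
    work done with ``conn`` presumably follows in code not shown here.

    Args:
        gpo: GPO name/GUID as accepted by get_gpo_info().
        H: optional LDAP URL.  Only an ``ldap://`` URL is used as given (its
            host part doubles as the SMB server); anything else is ignored
            and a DC is discovered with netcmd_finddc() instead.
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` are dereferenced here, so they
            must be supplied.

    Raises:
        CommandError: if the GPO does not exist, its gPCFileSysPath is not a
            valid UNC path, or the SMB connection fails.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

    # We need to know a writable DC to set up the SMB connection, hence the
    # host name is taken from the ldap:// URL or from DC discovery.
    if H and H.startswith('ldap://'):
        dc_hostname = H[len('ldap://'):]
        self.url = H
    else:
        dc_hostname = netcmd_finddc(self.lp, self.creds)
        self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
    samdb_connect(self)

    # Check if valid GPO.  Any failure here (a lookup error as much as an
    # empty result) is reported as a missing GPO.
    try:
        msg = get_gpo_info(self.samdb, gpo=gpo)[0]
        unc_path = msg['gPCFileSysPath'][0]
    except Exception:
        raise CommandError("GPO '%s' does not exist" % gpo)

    # Connect to DC over SMB.  parse_unc() raises ValueError on a malformed
    # path; report it as a CommandError (as the fetch command does) rather
    # than letting a traceback escape.
    try:
        [dom_name, service, sharepath] = parse_unc(unc_path)
    except ValueError:
        raise CommandError("Invalid GPO path (%s)" % unc_path)
    try:
        conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
    except Exception as e:
        # "except X as e" replaces the Python 2 only "except X, e" form.
        raise CommandError(
            "Error connecting to '%s' using SMB" % dc_hostname, e)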
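def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None):
    """Delete a GPO: unlink it from every container, remove its directory
    objects and delete its GPT directory from SYSVOL.

    Args:
        gpo: GPO name/GUID as accepted by get_gpo_info(), get_gpo_containers(),
            get_gpo_dn() and del_gpo_link().
        H: optional LDAP URL.  Only an ``ldap://`` URL is used as given (its
            host part doubles as the SMB server); anything else is ignored
            and a DC is discovered with netcmd_finddc() instead.
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` are dereferenced here, so they
            must be supplied.

    Raises:
        CommandError: if the GPO does not exist, its gPCFileSysPath is not a
            valid UNC path, or the SMB connection fails.  Errors during the
            deletion itself propagate unchanged after the LDAP transaction
            has been cancelled.

    The LDAP changes run inside one samdb transaction; the SMB deltree is
    not transactional, so a commit failure after it has run leaves the
    directory objects in place while the files are already gone.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

    # We need to know a writable DC to set up the SMB connection, hence the
    # host name is taken from the ldap:// URL or from DC discovery.
    if H and H.startswith('ldap://'):
        dc_hostname = H[len('ldap://'):]
        self.url = H
    else:
        dc_hostname = netcmd_finddc(self.lp, self.creds)
        self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
    samdb_connect(self)

    # Check if valid GPO.  Any failure here (a lookup error as much as an
    # empty result) is reported as a missing GPO.
    try:
        msg = get_gpo_info(self.samdb, gpo=gpo)[0]
        unc_path = msg['gPCFileSysPath'][0]
    except Exception:
        raise CommandError("GPO '%s' does not exist" % gpo)

    # Connect to DC over SMB.  parse_unc() raises ValueError on a malformed
    # path; report it as a CommandError (as the fetch command does) rather
    # than letting a traceback escape.
    try:
        [dom_name, service, sharepath] = parse_unc(unc_path)
    except ValueError:
        raise CommandError("Invalid GPO path (%s)" % unc_path)
    try:
        conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
    except Exception as e:
        raise CommandError("Error connecting to '%s' using SMB" % dc_hostname, e)

    self.samdb.transaction_start()
    try:
        # Check for existing links and remove them before the object itself
        msg = get_gpo_containers(self.samdb, gpo)
        if len(msg):
            self.outf.write("GPO %s is linked to containers\n" % gpo)
            for m in msg:
                del_gpo_link(self.samdb, m['dn'], gpo)
                self.outf.write(" Removed link from %s.\n" % m['dn'])

        # Remove LDAP entries: the two sub-containers first, then the GPO
        gpo_dn = get_gpo_dn(self.samdb, gpo)
        self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))
        self.samdb.delete(ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn)))
        self.samdb.delete(gpo_dn)

        # Remove GPO files (not covered by the LDAP transaction)
        conn.deltree(sharepath)
    except Exception:
        self.samdb.transaction_cancel()
        raise
    else:
        self.samdb.transaction_commit()

    self.outf.write("GPO %s deleted.\n" % gpo)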
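def dc_url(lp, creds, url=None, dc=None):
    '''Return an LDAP URL for a DC.

    If *url* is given it is returned unchanged.  Otherwise an ``ldap://``
    URL is built from *dc*; when *dc* is None as well, a DC is discovered
    with netcmd_finddc() first.  Callers on this page assign the result to
    ``self.url``, which is why the URL is returned here.

    Args:
        lp: loadparm context, passed through to netcmd_finddc().
        creds: credentials, passed through to netcmd_finddc().
        url: an explicit LDAP URL that short-circuits everything else.
        dc: DC host name to build the URL from when *url* is None.

    Raises:
        RuntimeError: if no DC could be found for the domain.
    '''
    if url is None:
        if dc is None:
            try:
                dc = netcmd_finddc(lp, creds)
            except Exception as e:
                # "except X as e" replaces the Python 2 only form; the
                # original raised the undefined name "RunTimeError", which
                # would have turned a discovery failure into a NameError.
                raise RuntimeError("Could not find a DC for domain", e)
        url = 'ldap://' + dc
    return url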
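def dc_url(lp, creds, url=None, dc=None):
    '''Return an LDAP URL for a DC.

    If *url* is given it is returned unchanged.  Otherwise an ``ldap://``
    URL is built from *dc*; when *dc* is None as well, a DC is discovered
    with netcmd_finddc() first.  Callers on this page assign the result to
    ``self.url``, which is why the URL is returned here.

    Args:
        lp: loadparm context, passed through to netcmd_finddc().
        creds: credentials, passed through to netcmd_finddc().
        url: an explicit LDAP URL that short-circuits everything else.
        dc: DC host name to build the URL from when *url* is None.

    Raises:
        RuntimeError: if no DC could be found for the domain.
    '''
    if url is None:
        if dc is None:
            try:
                dc = netcmd_finddc(lp, creds)
            except Exception as e:
                # "except X as e" replaces the Python 2 only "except X, e" form.
                raise RuntimeError("Could not find a DC for domain", e)
        url = 'ldap://' + dc
    return url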
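def run(self, gpo, H=None, tmpdir=None, sambaopts=None, credopts=None, versionopts=None):
    """Copy a GPO's GPT directory from SYSVOL to <tmpdir>/policy/<gpo>.

    Args:
        gpo: GPO name/GUID as accepted by get_gpo_info(); also the name of
            the local directory the files are copied into.
        H: optional LDAP URL.  Only an ``ldap://`` URL is used as given (its
            host part doubles as the SMB server); anything else is ignored
            and a DC is discovered with netcmd_finddc() instead.
        tmpdir: parent of the local "policy" tree; defaults to "/tmp".
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` must be supplied.

    Raises:
        CommandError: if the GPO does not exist, its gPCFileSysPath is
            malformed, the SMB connection fails, tmpdir does not exist, the
            target directory already exists, or the copy fails.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

    # We need to know a writable DC to set up the SMB connection
    if H and H.startswith('ldap://'):
        dc_hostname = H[len('ldap://'):]
        self.url = H
    else:
        dc_hostname = netcmd_finddc(self.lp, self.creds)
        self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
    samdb_connect(self)

    # Any lookup failure, not only an empty result, is reported as a missing GPO
    try:
        msg = get_gpo_info(self.samdb, gpo)[0]
    except Exception:
        raise CommandError("GPO '%s' does not exist" % gpo)

    # verify UNC path
    unc = msg['gPCFileSysPath'][0]
    try:
        [dom_name, service, sharepath] = parse_unc(unc)
    except ValueError:
        raise CommandError("Invalid GPO path (%s)" % unc)

    # SMB connect to DC
    try:
        conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
    except Exception:
        raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)

    # Copy GPT
    if tmpdir is None:
        tmpdir = "/tmp"
    if not os.path.isdir(tmpdir):
        # spelling fixed ("Temoprary"), now identical to the create command
        raise CommandError("Temporary directory '%s' does not exist" % tmpdir)

    # The default places a predictably named "policy" directory inside a
    # shared temp directory: refuse to follow a pre-existing symlink there
    # and keep what we create readable only by the invoking user.
    localdir = os.path.join(tmpdir, "policy")
    if os.path.islink(localdir):
        raise CommandError("'%s' is a symbolic link, refusing to use it" % localdir)
    if not os.path.isdir(localdir):
        os.mkdir(localdir, 0o700)

    gpodir = os.path.join(localdir, gpo)
    if os.path.isdir(gpodir):
        raise CommandError("GPO directory '%s' already exists, refusing to overwrite" % gpodir)

    try:
        os.mkdir(gpodir, 0o700)
        copy_directory_remote_to_local(conn, sharepath, gpodir)
    except Exception as e:
        # FIXME: Catch more specific exception
        raise CommandError("Error copying GPO from DC", e)

    self.outf.write('GPO copied to %s\n' % gpodir)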
def run(self, H=None, sambaopts=None, credopts=None, versionopts=None):
    """Verify that each GPO's SYSVOL directory ACL matches its directory ACL.

    For every GPO returned by get_gpo_info(samdb, None) the file system
    security descriptor of the GPT directory is read over SMB and its SDDL
    compared with the one derived from the object's nTSecurityDescriptor
    through dsacl2fsacl().  The first mismatch aborts the whole check.

    Args:
        H: optional LDAP URL.  Only an ``ldap://`` URL is used as given (its
            host part is also the SMB server); any other value is replaced
            by DC discovery below.
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` must be supplied.

    Raises:
        CommandError: on a malformed gPCFileSysPath, a failed SMB connection,
            or the first GPO whose file system ACL differs from the expected one.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
    self.url = dc_url(self.lp, self.creds, H)

    # We need to know a writable DC to set up the SMB connection.
    # NOTE(review): both branches overwrite self.url again, so an H that is
    # not an ldap:// URL is effectively discarded here.
    ldap_prefix = 'ldap://'
    if H and H.startswith(ldap_prefix):
        dc_hostname = H[len(ldap_prefix):]
        self.url = H
    else:
        dc_hostname = netcmd_finddc(self.lp, self.creds)
        self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
    samdb_connect(self)

    wanted_secinfo = (security.SECINFO_OWNER
                      | security.SECINFO_GROUP
                      | security.SECINFO_DACL)

    for gpo_entry in get_gpo_info(self.samdb, None):
        # verify UNC path
        unc = gpo_entry['gPCFileSysPath'][0]
        try:
            dom_name, service, sharepath = parse_unc(unc)
        except ValueError:
            raise CommandError("Invalid GPO path (%s)" % unc)

        # SMB connect to DC (one connection per GPO, as before)
        try:
            conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
        except Exception:
            raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)

        fs_sd = conn.get_acl(sharepath, wanted_secinfo,
                             security.SEC_FLAG_MAXIMUM_ALLOWED)

        # Derive the expected file system descriptor from the directory one
        ds_sd_ndr = gpo_entry['nTSecurityDescriptor'][0]
        ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
        domain_sid = security.dom_sid(self.samdb.get_domain_sid())
        expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
        actual_fs_sddl = fs_sd.as_sddl(domain_sid)

        if actual_fs_sddl != expected_fs_sddl:
            raise CommandError(
                "Invalid GPO ACL %s on path (%s), should be %s"
                % (actual_fs_sddl, sharepath, expected_fs_sddl))
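def run(self, displayname, H=None, tmpdir=None, sambaopts=None, credopts=None, versionopts=None):
    """Create a new GPO under a fresh GUID.

    This listing ends once the local GPT skeleton (<tmpdir>/policy/<gpo>
    with Machine/, User/ and GPT.INI) has been written; ``unc_path`` and
    ``dc_hostname`` are computed for the steps that presumably follow.

    Args:
        displayname: display name of the new GPO; must not be in use yet.
        H: optional LDAP URL, passed to dc_url() as given.
        tmpdir: parent of the local "policy" tree; defaults to "/tmp".
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` must be supplied.

    Raises:
        CommandError: if a GPO with that display name exists, tmpdir does
            not exist, the GPO directory already exists, or writing the
            local files fails.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
    self.url = dc_url(self.lp, self.creds, url=H)
    dc_hostname = netcmd_finddc(self.lp, self.creds)
    samdb_connect(self)

    msg = get_gpo_info(self.samdb, displayname=displayname)
    # len() instead of ``msg.count > 0``: ``count`` is a method of the
    # result sequence, so that comparison never looked at the match count.
    if len(msg) > 0:
        raise CommandError("A GPO already existing with name '%s'" % displayname)

    # Create new GUID
    guid = str(uuid.uuid4())
    gpo = "{%s}" % guid.upper()
    realm = self.lp.get('realm')
    unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)

    # Create GPT
    if tmpdir is None:
        tmpdir = "/tmp"
    if not os.path.isdir(tmpdir):
        raise CommandError("Temporary directory '%s' does not exist" % tmpdir)

    # The default places a predictably named "policy" directory inside a
    # shared temp directory: refuse to follow a pre-existing symlink there
    # and keep what we create readable only by the invoking user.
    localdir = os.path.join(tmpdir, "policy")
    if os.path.islink(localdir):
        raise CommandError("'%s' is a symbolic link, refusing to use it" % localdir)
    if not os.path.isdir(localdir):
        os.mkdir(localdir, 0o700)

    gpodir = os.path.join(localdir, gpo)
    if os.path.isdir(gpodir):
        raise CommandError(
            "GPO directory '%s' already exists, refusing to overwrite" % gpodir)

    try:
        os.mkdir(gpodir, 0o700)
        os.mkdir(os.path.join(gpodir, "Machine"))
        os.mkdir(os.path.join(gpodir, "User"))
        gpt_contents = "[General]\r\nVersion=0\r\n"
        # ``with open`` replaces the Python 2 only ``file()`` builtin and
        # closes the handle instead of leaving it to the garbage collector.
        with open(os.path.join(gpodir, "GPT.INI"), "w") as gpt_ini:
            gpt_ini.write(gpt_contents)
    except Exception as e:
        raise CommandError("Error Creating GPO files", e)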
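def run(self, gpo, H=None, tmpdir=None, sambaopts=None, credopts=None, versionopts=None):
    """Bind to a DC and look up a GPO.

    This listing ends after the lookup; ``msg`` and ``tmpdir`` are unused
    here and are presumably consumed by code that follows.

    Args:
        gpo: GPO name/GUID as accepted by get_gpo_info().
        H: optional LDAP URL, passed to dc_url(); a DC is discovered with
            netcmd_finddc() regardless, and used when H is None.
        tmpdir: not used in this listing.
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` must be supplied.

    Raises:
        CommandError: if the GPO lookup fails for any reason.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
    dc_hostname = netcmd_finddc(self.lp, self.creds)
    self.url = dc_url(self.lp, self.creds, H, dc=dc_hostname)
    samdb_connect(self)

    # Any lookup failure, not only an empty result, is reported as a
    # missing GPO.  The Python 2 only "except X, e" form is gone; the
    # exception object was never used anyway.
    try:
        msg = get_gpo_info(self.samdb, gpo)[0]
    except Exception:
        raise CommandError("GPO %s does not exist" % gpo)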
def run(self, H=None, sambaopts=None, credopts=None, versionopts=None):
    """Verify that each GPO's SYSVOL directory ACL matches its directory ACL.

    For every GPO returned by get_gpo_info(samdb, None) the file system
    security descriptor of the GPT directory is read over SMB and its SDDL
    compared with the one derived from the object's nTSecurityDescriptor
    through dsacl2fsacl().  The first mismatch aborts the whole check.

    Args:
        H: optional LDAP URL.  Only an ``ldap://`` URL is used as given (its
            host part is also the SMB server); any other value is replaced
            by DC discovery below.
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` must be supplied.

    Raises:
        CommandError: on a malformed gPCFileSysPath, a failed SMB connection,
            or the first GPO whose file system ACL differs from the expected one.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
    self.url = dc_url(self.lp, self.creds, H)

    # We need to know a writable DC to set up the SMB connection.
    # NOTE(review): both branches overwrite self.url again, so an H that is
    # not an ldap:// URL is effectively discarded here.
    ldap_prefix = 'ldap://'
    if H and H.startswith(ldap_prefix):
        dc_hostname = H[len(ldap_prefix):]
        self.url = H
    else:
        dc_hostname = netcmd_finddc(self.lp, self.creds)
        self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
    samdb_connect(self)

    wanted_secinfo = (security.SECINFO_OWNER
                      | security.SECINFO_GROUP
                      | security.SECINFO_DACL)

    for gpo_entry in get_gpo_info(self.samdb, None):
        # verify UNC path
        unc = gpo_entry['gPCFileSysPath'][0]
        try:
            dom_name, service, sharepath = parse_unc(unc)
        except ValueError:
            raise CommandError("Invalid GPO path (%s)" % unc)

        # SMB connect to DC (one connection per GPO, as before)
        try:
            conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
        except Exception:
            raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)

        fs_sd = conn.get_acl(sharepath, wanted_secinfo,
                             security.SEC_FLAG_MAXIMUM_ALLOWED)

        # Derive the expected file system descriptor from the directory one
        ds_sd_ndr = gpo_entry['nTSecurityDescriptor'][0]
        ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
        domain_sid = security.dom_sid(self.samdb.get_domain_sid())
        expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
        actual_fs_sddl = fs_sd.as_sddl(domain_sid)

        if actual_fs_sddl != expected_fs_sddl:
            raise CommandError("Invalid GPO ACL %s on path (%s), should be %s" %
                               (actual_fs_sddl, sharepath, expected_fs_sddl))
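def run(self, displayname, H=None, tmpdir=None, sambaopts=None, credopts=None, versionopts=None):
    """Create a new GPO under a fresh GUID.

    This listing ends once the local GPT skeleton (<tmpdir>/policy/<gpo>
    with Machine/, User/ and GPT.INI) has been written; ``unc_path`` and
    ``dc_hostname`` are computed for the steps that presumably follow.

    Args:
        displayname: display name of the new GPO; must not be in use yet.
        H: optional LDAP URL, passed to dc_url() as given.
        tmpdir: parent of the local "policy" tree; defaults to "/tmp".
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` must be supplied.

    Raises:
        CommandError: if a GPO with that display name exists, tmpdir does
            not exist, the GPO directory already exists, or writing the
            local files fails.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
    self.url = dc_url(self.lp, self.creds, H)
    dc_hostname = netcmd_finddc(self.lp, self.creds)
    samdb_connect(self)

    msg = get_gpo_info(self.samdb, displayname=displayname)
    # len() instead of ``msg.count > 0``: ``count`` is a method of the
    # result sequence, so that comparison never looked at the match count.
    if len(msg) > 0:
        raise CommandError("A GPO already existing with name '%s'" % displayname)

    # Create new GUID
    guid = str(uuid.uuid4())
    gpo = "{%s}" % guid.upper()
    realm = self.lp.get('realm')
    unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)

    # Create GPT
    if tmpdir is None:
        tmpdir = "/tmp"
    if not os.path.isdir(tmpdir):
        raise CommandError("Temporary directory '%s' does not exist" % tmpdir)

    # The default places a predictably named "policy" directory inside a
    # shared temp directory: refuse to follow a pre-existing symlink there
    # and keep what we create readable only by the invoking user.
    localdir = os.path.join(tmpdir, "policy")
    if os.path.islink(localdir):
        raise CommandError("'%s' is a symbolic link, refusing to use it" % localdir)
    if not os.path.isdir(localdir):
        os.mkdir(localdir, 0o700)

    gpodir = os.path.join(localdir, gpo)
    if os.path.isdir(gpodir):
        raise CommandError("GPO directory '%s' already exists, refusing to overwrite" % gpodir)

    try:
        os.mkdir(gpodir, 0o700)
        os.mkdir(os.path.join(gpodir, "Machine"))
        os.mkdir(os.path.join(gpodir, "User"))
        gpt_contents = "[General]\r\nVersion=0\r\n"
        # ``with open`` replaces the Python 2 only ``file()`` builtin and
        # closes the handle instead of leaving it to the garbage collector.
        with open(os.path.join(gpodir, "GPT.INI"), "w") as gpt_ini:
            gpt_ini.write(gpt_contents)
    except Exception as e:
        raise CommandError("Error Creating GPO files", e)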
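def run(self, gpo, H=None, tmpdir=None, sambaopts=None, credopts=None, versionopts=None):
    """Copy a GPO's GPT directory from SYSVOL to <tmpdir>/policy/<gpo>.

    Args:
        gpo: GPO name/GUID as accepted by get_gpo_info(); also the name of
            the local directory the files are copied into.
        H: optional LDAP URL.  Only an ``ldap://`` URL is used as given (its
            host part doubles as the SMB server); anything else is ignored
            and a DC is discovered with netcmd_finddc() instead.
        tmpdir: parent of the local "policy" tree; defaults to "/tmp".
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` must be supplied.

    Raises:
        CommandError: if the GPO does not exist, its gPCFileSysPath is
            malformed, the SMB connection fails, tmpdir does not exist, the
            target directory already exists, or the copy fails.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

    # We need to know a writable DC to set up the SMB connection
    if H and H.startswith('ldap://'):
        dc_hostname = H[len('ldap://'):]
        self.url = H
    else:
        dc_hostname = netcmd_finddc(self.lp, self.creds)
        self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
    samdb_connect(self)

    # Any lookup failure, not only an empty result, is reported as a missing GPO
    try:
        msg = get_gpo_info(self.samdb, gpo)[0]
    except Exception:
        raise CommandError("GPO '%s' does not exist" % gpo)

    # verify UNC path
    unc = msg['gPCFileSysPath'][0]
    try:
        [dom_name, service, sharepath] = parse_unc(unc)
    except ValueError:
        raise CommandError("Invalid GPO path (%s)" % unc)

    # SMB connect to DC
    try:
        conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
    except Exception:
        raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)

    # Copy GPT
    if tmpdir is None:
        tmpdir = "/tmp"
    if not os.path.isdir(tmpdir):
        # spelling fixed ("Temoprary"), now identical to the create command
        raise CommandError("Temporary directory '%s' does not exist" % tmpdir)

    # The default places a predictably named "policy" directory inside a
    # shared temp directory: refuse to follow a pre-existing symlink there
    # and keep what we create readable only by the invoking user.
    localdir = os.path.join(tmpdir, "policy")
    if os.path.islink(localdir):
        raise CommandError("'%s' is a symbolic link, refusing to use it" % localdir)
    if not os.path.isdir(localdir):
        os.mkdir(localdir, 0o700)

    gpodir = os.path.join(localdir, gpo)
    if os.path.isdir(gpodir):
        raise CommandError(
            "GPO directory '%s' already exists, refusing to overwrite" % gpodir)

    try:
        os.mkdir(gpodir, 0o700)
        copy_directory_remote_to_local(conn, sharepath, gpodir)
    except Exception as e:
        # "except X as e" replaces the Python 2 only "except X, e" form.
        # FIXME: Catch more specific exception
        raise CommandError("Error copying GPO from DC", e)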
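def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None):
    """Delete a GPO: unlink it from every container, remove its directory
    objects and delete its GPT directory from SYSVOL.

    Args:
        gpo: GPO name/GUID as accepted by get_gpo_info(), get_gpo_containers(),
            get_gpo_dn() and del_gpo_link().
        H: optional LDAP URL.  Only an ``ldap://`` URL is used as given (its
            host part doubles as the SMB server); anything else is ignored
            and a DC is discovered with netcmd_finddc() instead.
        sambaopts, credopts, versionopts: standard netcmd option groups.
            ``sambaopts`` and ``credopts`` are dereferenced here, so they
            must be supplied.

    Raises:
        CommandError: if the GPO does not exist, its gPCFileSysPath is not a
            valid UNC path, or the SMB connection fails.  Errors during the
            deletion itself propagate unchanged after the LDAP transaction
            has been cancelled.

    The LDAP changes run inside one samdb transaction; the SMB deltree is
    not transactional, so a commit failure after it has run leaves the
    directory objects in place while the files are already gone.
    """
    self.lp = sambaopts.get_loadparm()
    self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

    # We need to know a writable DC to set up the SMB connection, hence the
    # host name is taken from the ldap:// URL or from DC discovery.
    if H and H.startswith('ldap://'):
        dc_hostname = H[len('ldap://'):]
        self.url = H
    else:
        dc_hostname = netcmd_finddc(self.lp, self.creds)
        self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
    samdb_connect(self)

    # Check if valid GPO.  Any failure here (a lookup error as much as an
    # empty result) is reported as a missing GPO.
    try:
        msg = get_gpo_info(self.samdb, gpo=gpo)[0]
        unc_path = msg['gPCFileSysPath'][0]
    except Exception:
        raise CommandError("GPO '%s' does not exist" % gpo)

    # Connect to DC over SMB.  parse_unc() raises ValueError on a malformed
    # path; report it as a CommandError (as the fetch command does) rather
    # than letting a traceback escape.
    try:
        [dom_name, service, sharepath] = parse_unc(unc_path)
    except ValueError:
        raise CommandError("Invalid GPO path (%s)" % unc_path)
    try:
        conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
    except Exception as e:
        raise CommandError(
            "Error connecting to '%s' using SMB" % dc_hostname, e)

    self.samdb.transaction_start()
    try:
        # Check for existing links and remove them before the object itself
        msg = get_gpo_containers(self.samdb, gpo)
        if len(msg):
            self.outf.write("GPO %s is linked to containers\n" % gpo)
            for m in msg:
                del_gpo_link(self.samdb, m['dn'], gpo)
                self.outf.write(" Removed link from %s.\n" % m['dn'])

        # Remove LDAP entries: the two sub-containers first, then the GPO
        gpo_dn = get_gpo_dn(self.samdb, gpo)
        self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))
        self.samdb.delete(ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn)))
        self.samdb.delete(gpo_dn)

        # Remove GPO files (not covered by the LDAP transaction)
        conn.deltree(sharepath)
    except Exception:
        self.samdb.transaction_cancel()
        raise
    else:
        self.samdb.transaction_commit()

    self.outf.write("GPO %s deleted.\n" % gpo)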