Univention Bugzilla – Attachment 7237 Details for
Bug 39674
Inconsistent sysvol ACLs
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
reset-sysvol-acls.py
reset-sysvol-acls.py (text/plain), 4.27 KB, created by
Stefan Gohmann
on 2015-10-31 07:48 CET
(
hide
)
Description:
reset-sysvol-acls.py
Filename:
MIME Type:
Creator:
Stefan Gohmann
Created:
2015-10-31 07:48 CET
Size:
4.27 KB
patch
obsolete
>#!/usr/bin/python ># ># Listener module to set reset the sysvol ACLs for a specified GPO ># ># Copyright 2015 Univention GmbH ># ># http://www.univention.de/ ># ># All rights reserved. ># ># The source code of this program is made available ># under the terms of the GNU Affero General Public License version 3 ># (GNU AGPL V3) as published by the Free Software Foundation. ># ># Binary versions of this program provided by Univention to you as ># well as other copyrighted, protected or trademarked materials like ># Logos, graphics, fonts, specific documentations and configurations, ># cryptographic keys etc. are subject to a license agreement between ># you and Univention and not subject to the GNU AGPL V3. ># ># In the case you use this program under the terms of the GNU AGPL V3, ># the program is provided in the hope that it will be useful, ># but WITHOUT ANY WARRANTY; without even the implied warranty of ># MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ># GNU Affero General Public License for more details. ># ># You should have received a copy of the GNU Affero General Public ># License with the Debian GNU/Linux or Univention distribution in file ># /usr/share/common-licenses/AGPL-3; if not, see ># <http://www.gnu.org/licenses/>. ># -*- coding: utf-8 -*- > >__package__ = '' # workaround for PEP 366 > >import listener > >from samba.param import LoadParm >from samba.dcerpc import security, idmap >from samba.ntacls import setntacl, dsacl2fsacl >from samba.samdb import SamDB >from samba.samba3 import param as s3param, passdb >from samba.ndr import ndr_pack, ndr_unpack >from samba import provision >import ldb >import univention.debug as ud > >import os >import sys > >from samba.auth import system_session >import samba >import optparse >import os.path > >name = 'reset-sysvol-acls' >description = 'Reset the sysvol ACLs for a changed GPO' >filter = '(objectClass=msGPOContainer)' > >def reset_sysvol_acl(gpo): > lp = LoadParm() > path = lp.private_path("secrets.ldb") > sysvol = '/var/lib/samba/sysvol' > samdb = SamDB(session_info=system_session(), lp=lp) > > domain_sid = security.dom_sid(samdb.domain_sid) > > s3conf = s3param.get_context() > s3conf.load(lp.configfile) > s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url) > > s4_passdb = passdb.PDB(s3conf.get("passdb backend")) > > if gpo[0] != '{' and gpo[-1] != '}': > gpo = '{%s}' % gpo > policy_path = os.path.join(sysvol, lp.get("realm").lower(), 'Policies', gpo) > if not os.path.exists(policy_path): > ud.debug(ud.LISTENER, ud.WARN, 'Policy not found: %s' % policy_path) > return > > res = samdb.search(base="CN=Policies,CN=System,%s"%(samdb.domain_dn()), > attrs=["cn", "nTSecurityDescriptor"], > expression="cn=%s" % (gpo), scope=ldb.SCOPE_ONELEVEL) > > for policy in res: > acl = ndr_unpack(security.descriptor, > str(policy["nTSecurityDescriptor"])).as_sddl() > ud.debug(ud.LISTENER, ud.PROCESS, 'Resetting ACLs for: %s' % policy_path) > acls = dsacl2fsacl(acl, domain_sid) > setntacl(lp, policy_path, acls, str(domain_sid), > use_ntvfs=False, skip_invalid_chown=True, > passdb=s4_passdb, service=provision.SYSVOL_SERVICE) > for root, dirs, files in os.walk(policy_path, topdown=False): > for name in files: > ud.debug(ud.LISTENER, ud.PROCESS, 'Resetting ACLs for: %s' % os.path.join(root, name)) > setntacl(lp, os.path.join(root, name), acls, str(domain_sid), > use_ntvfs=False, skip_invalid_chown=True, > passdb=s4_passdb, service=provision.SYSVOL_SERVICE) > for name in dirs: > ud.debug(ud.LISTENER, ud.PROCESS, 'Resetting ACLs for: %s' % os.path.join(root, name)) > setntacl(lp, os.path.join(root, name), acls, str(domain_sid), > use_ntvfs=False, skip_invalid_chown=True, > passdb=s4_passdb, service=provision.SYSVOL_SERVICE) > >def handler(dn, new, old): > # TODO: We could check if the nTSecurityDescriptor value has been changed > # but currently it is not synchronized in every environment > if new and new.get('cn'): > listener.setuid(0) > try: > reset_sysvol_acl(new.get('cn')[0]) > finally: > listener.unsetuid() > >if __name__ == '__main__': > parser = optparse.OptionParser("$prog [options] <host>") > parser.add_option("-g", "--gpo", dest="gpo") > opts, args = parser.parse_args() > ud.init('stdout', ud.NO_FLUSH, ud.NO_FUNCTION) > ud.set_level(ud.LISTENER, ud.PROCESS) > if not opts.gpo: > print >> sys.stderr, "Option -g or --gpo needed" > sys.exit(1) > > reset_sysvol_acl(opts.gpo)
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=7237">View the attachment on a separate page</a>.</b>
Actions:
View
Attachments on
bug 39674
: 7237 |
7238