Attachment #9933 for bug #46643




    ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
    if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
        fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))

    LA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR))
    DA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
    CO = security.dom_sid(security.SID_CREATOR_OWNER)

    PAI_filter = False
    PAI = (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)

    if fsacl.type & PAI == PAI:
        PAI_filter = True

        sd = security.descriptor.from_sddl(acl, domainsid)
        sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED
        acl = sd.as_sddl(domainsid) 

        sd3 = security.descriptor()
        sd3.owner_sid = sd.owner_sid
        sd3.group_sid = sd.group_sid
        sd3.type = sd.type
        sd3.type &= ~ security.SEC_DESC_DACL_PROTECTED
        sd3.revision = sd.revision

        sd2 = security.descriptor()
        sd2.owner_sid = sd.owner_sid
        sd2.group_sid = sd.group_sid
        sd2.type = sd.type
        sd2.type &= ~ security.SEC_DESC_DACL_PROTECTED
        sd2.revision = sd.revision
        skip_other_da_aces = False
        for i in range(0, len(sd.dacl.aces)):
            if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA):
                continue
            if sd.dacl.aces[i].trustee == DA:
                skip_other_da_aces = True
            if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER:
                continue
            #sd.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE
            sd3.dacl_add(sd.dacl.aces[i])
            sd.dacl.aces[i].flags |= security.SEC_ACE_FLAG_INHERITED_ACE
            sd.dacl.aces[i].flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT)
            sd2.dacl_add(sd.dacl.aces[i])
        acl2 = sd2.as_sddl(domainsid) 
        acl3 = sd3.as_sddl(domainsid) 
        #print "ACL1: %s" % acl
        #print "ACL2: %s" % acl2
        #print "ACL3: %s" % acl3
    else:
        sd = security.descriptor.from_sddl(acl, domainsid)

        sd3 = security.descriptor()
        sd3.owner_sid = sd.owner_sid
        sd3.group_sid = sd.group_sid
        sd3.type = sd.type
        sd3.revision = sd.revision

        skip_other_da_aces = False
        for i in range(0, len(sd.dacl.aces)):
            if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA):
                continue
            if sd.dacl.aces[i].trustee == DA:
                skip_other_da_aces = True
            if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER:
                continue
            sd3.dacl_add(sd.dacl.aces[i])
        acl3 = sd3.as_sddl(domainsid) 
        acl2 = acl3
        #print "ACL1: %s" % acl
        #print "ACL3: %s" % acl3
    fsacl_sddl_mapped = fsacl.as_sddl(domainsid) 


    if fsacl_sddl_mapped != acl:
        raise ProvisioningError('%s NTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl))

    for root, dirs, files in os.walk(path, topdown=False):
        for name in files:

            ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
            if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
                fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
            fsacl_sddl_mapped = fsacl.as_sddl(domainsid) 

            fsacl2 = security.descriptor()
            fsacl2.owner_sid = fsacl.owner_sid
            fsacl2.group_sid = fsacl.group_sid
            fsacl2.type = fsacl.type
            fsacl2.revision = fsacl.revision
            skip_other_da_aces = False
            for i in range(0, len(fsacl.dacl.aces)):
                if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA):
                    continue
                if fsacl.dacl.aces[i].trustee == DA:
                    skip_other_da_aces = True
                fsacl2.dacl_add(fsacl.dacl.aces[i])
            try:
                fsacl2.dacl_del(CO)
            except:
                pass

            fsacl_sddl_mapped = fsacl2.as_sddl(domainsid) 

            if fsacl_sddl_mapped != acl2:
                raise ProvisioningError('%s NTACL of GPO file %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl2))

        for name in dirs:
            fsacl = getntacl(lp, os.path.join(root, name),

            ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
            if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
                fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
            fsacl_sddl_mapped = fsacl.as_sddl(domainsid) 

            fsacl2 = security.descriptor()
            fsacl2.owner_sid = fsacl.owner_sid
            fsacl2.group_sid = fsacl.group_sid
            fsacl2.type = fsacl.type
            fsacl2.revision = fsacl.revision
            skip_other_da_aces = False
            for i in range(0, len(fsacl.dacl.aces)):
                if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA):
                    continue
                fsacl.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE
                if fsacl.dacl.aces[i].trustee == DA:
                    skip_other_da_aces = True
                fsacl2.dacl_add(fsacl.dacl.aces[i])
            try:
                fsacl2.dacl_del(CO)
            except:
                pass

            fsacl_sddl_mapped = fsacl2.as_sddl(domainsid) 

            if fsacl_sddl_mapped != acl3:
                raise ProvisioningError('%s XNTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl3))

def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
        direct_db_access):
- 

Return to bug 46643

Lines 1691-1701 def check_dir_acl(path, acl, lp, domainsid, direct_db_access): Link Here

(-)a/__init__.py (-8 / +112 lines)
1691	## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)	1691	## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
1692	if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):	1692	if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
1693	fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))	1693	fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
		1694
		1695	LA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR))
		1696	DA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
		1697	CO = security.dom_sid(security.SID_CREATOR_OWNER)
		1698
		1699	PAI_filter = False
		1700	PAI = (security.SEC_DESC_DACL_AUTO_INHERITED \| security.SEC_DESC_DACL_PROTECTED)
		1701
		1702	if fsacl.type & PAI == PAI:
		1703	PAI_filter = True
		1704
		1705	sd = security.descriptor.from_sddl(acl, domainsid)
		1706	sd.type \|= security.SEC_DESC_DACL_AUTO_INHERITED
		1707	acl = sd.as_sddl(domainsid)
		1708
		1709	sd3 = security.descriptor()
		1710	sd3.owner_sid = sd.owner_sid
		1711	sd3.group_sid = sd.group_sid
		1712	sd3.type = sd.type
		1713	sd3.type &= ~ security.SEC_DESC_DACL_PROTECTED
		1714	sd3.revision = sd.revision
		1715
		1716	sd2 = security.descriptor()
		1717	sd2.owner_sid = sd.owner_sid
		1718	sd2.group_sid = sd.group_sid
		1719	sd2.type = sd.type
		1720	sd2.type &= ~ security.SEC_DESC_DACL_PROTECTED
		1721	sd2.revision = sd.revision
		1722	skip_other_da_aces = False
		1723	for i in range(0, len(sd.dacl.aces)):
		1724	if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA):
		1725	continue
		1726	if sd.dacl.aces[i].trustee == DA:
		1727	skip_other_da_aces = True
		1728	if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER:
		1729	continue
		1730	#sd.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE
		1731	sd3.dacl_add(sd.dacl.aces[i])
		1732	sd.dacl.aces[i].flags \|= security.SEC_ACE_FLAG_INHERITED_ACE
		1733	sd.dacl.aces[i].flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT \| security.SEC_ACE_FLAG_CONTAINER_INHERIT)
		1734	sd2.dacl_add(sd.dacl.aces[i])
		1735	acl2 = sd2.as_sddl(domainsid)
		1736	acl3 = sd3.as_sddl(domainsid)
		1737	#print "ACL1: %s" % acl
		1738	#print "ACL2: %s" % acl2
		1739	#print "ACL3: %s" % acl3
		1740	else:
		1741	sd = security.descriptor.from_sddl(acl, domainsid)
		1742
		1743	sd3 = security.descriptor()
		1744	sd3.owner_sid = sd.owner_sid
		1745	sd3.group_sid = sd.group_sid
		1746	sd3.type = sd.type
		1747	sd3.revision = sd.revision
		1748
		1749	skip_other_da_aces = False
		1750	for i in range(0, len(sd.dacl.aces)):
		1751	if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA):
		1752	continue
		1753	if sd.dacl.aces[i].trustee == DA:
		1754	skip_other_da_aces = True
		1755	if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER:
		1756	continue
		1757	sd3.dacl_add(sd.dacl.aces[i])
1758	acl3 = sd3.as_sddl(domainsid)
1759	acl2 = acl3
1760	#print "ACL1: %s" % acl
1761	#print "ACL3: %s" % acl3
1694	fsacl_sddl_mapped = fsacl.as_sddl(domainsid)	1762	fsacl_sddl_mapped = fsacl.as_sddl(domainsid)
1695		1763
1696		1764
1697	if fsacl_sddl_mapped != acl:	1765	if fsacl_sddl_mapped != acl:
1698	raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl))	1766	raise ProvisioningError('%s NTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl))
1699		1767
1700	for root, dirs, files in os.walk(path, topdown=False):	1768	for root, dirs, files in os.walk(path, topdown=False):
1701	for name in files:	1769	for name in files:
Lines 1708-1717 def check_dir_acl(path, acl, lp, domainsid, direct_db_access): Link Here
1708	## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)	1776	## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
1709	if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):	1777	if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
1710	fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))	1778	fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
1711	fsacl_sddl_mapped = fsacl.as_sddl(domainsid)
1712		1779
1713	if fsacl_sddl_mapped != acl:	1780	fsacl2 = security.descriptor()
1714	raise ProvisioningError('%s NTACL of GPO file %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl))	1781	fsacl2.owner_sid = fsacl.owner_sid
		1782	fsacl2.group_sid = fsacl.group_sid
		1783	fsacl2.type = fsacl.type
		1784	fsacl2.revision = fsacl.revision
		1785	skip_other_da_aces = False
		1786	for i in range(0, len(fsacl.dacl.aces)):
		1787	if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA):
		1788	continue
		1789	if fsacl.dacl.aces[i].trustee == DA:
		1790	skip_other_da_aces = True
		1791	fsacl2.dacl_add(fsacl.dacl.aces[i])
		1792	try:
		1793	fsacl2.dacl_del(CO)
		1794	except:
		1795	pass
		1796
		1797	fsacl_sddl_mapped = fsacl2.as_sddl(domainsid)
		1798
		1799	if fsacl_sddl_mapped != acl2:
		1800	raise ProvisioningError('%s NTACL of GPO file %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl2))
1715		1801
1716	for name in dirs:	1802	for name in dirs:
1717	fsacl = getntacl(lp, os.path.join(root, name),	1803	fsacl = getntacl(lp, os.path.join(root, name),
Lines 1723-1732 def check_dir_acl(path, acl, lp, domainsid, direct_db_access): Link Here
1723	## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)	1809	## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
1724	if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):	1810	if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
1725	fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))	1811	fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
1726	fsacl_sddl_mapped = fsacl.as_sddl(domainsid)
1727		1812
1728	if fsacl_sddl_mapped != acl:	1813	fsacl2 = security.descriptor()
1729	raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl))	1814	fsacl2.owner_sid = fsacl.owner_sid
		1815	fsacl2.group_sid = fsacl.group_sid
		1816	fsacl2.type = fsacl.type
		1817	fsacl2.revision = fsacl.revision
		1818	skip_other_da_aces = False
		1819	for i in range(0, len(fsacl.dacl.aces)):
		1820	if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA):
		1821	continue
		1822	fsacl.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE
		1823	if fsacl.dacl.aces[i].trustee == DA:
		1824	skip_other_da_aces = True
		1825	fsacl2.dacl_add(fsacl.dacl.aces[i])
		1826	try:
		1827	fsacl2.dacl_del(CO)
		1828	except:
		1829	pass
		1830
		1831	fsacl_sddl_mapped = fsacl2.as_sddl(domainsid)
		1832
		1833	if fsacl_sddl_mapped != acl3:
		1834	raise ProvisioningError('%s XNTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl3))
1730		1835
1731	def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,	1836	def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
1732	direct_db_access):	1837	direct_db_access):
1733	-