Univention Bugzilla – Attachment 5930 Details for
Bug 33751
sysvol-sync: GPO ACL changes on the master can be overwritten
test_gpo_acls.sh
test_gpo_acls.sh (text/plain), 4.73 KB, created by
Arvid Requate
on 2014-05-28 20:28:54 CEST
(
hide
)
Description:
test_gpo_acls.sh
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2014-05-28 20:28:54 CEST
Size:
4.73 KB
patch
obsolete
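#!/bin/bash
##
## Regression test for Bug 33751: ACL changes made to a GPO directory in the
## local sysvol must survive a subsequent run of sysvol-sync.sh, which pulls
## the sysvol from the samba4/sysvol/sync/host.
##
## Flow:
##   1. stop the regular sync cron job and the ssh (rsync) logins of the
##      computer groups, so nothing syncs behind the test's back;
##   2. create a GPO on the sync host, pull it once, then add a test file to
##      it on the sync host;
##   3. add an ACE to the NTACL of the local GPO copy via SMB and record
##      NTACL / POSIX ACL / xattrs;
##   4. pull again and verify the test file arrived while the ACLs/xattrs
##      recorded in step 3 are untouched.
## Exit status 1 on any failed check.
##
## Needs root on a UCS DC with Samba 4 (ucr set, mount, writes below
## /var/lib/samba) and the ucs-test helper library.

. /usr/share/ucs-test/lib/random.sh

eval "$(ucr shell)"
tests_domainadmin_account="uid=Administrator,cn=users,$ldap_base"
# Prefer the password configured for ucs-test (tests/domainadmin/pwd, exported
# by "ucr shell" above); the literal is only a fallback for a fresh test VM.
tests_domainadmin_pwd="${tests_domainadmin_pwd:-univention}"

# NOTE(review): "-U user%password" puts the domain admin password into the
# argument list of every samba-tool/smbclient/smbcacls call below, readable by
# any local user via ps. Acceptable on a throw-away test host only; the Samba
# tools can also take the password from the PASSWD environment variable
# (verify for samba-tool before switching).
ADMINISTRATOR_NAME=$(univention-ldapsearch -b "$tests_domainadmin_account" uid | ldapsearch-wrapper | grep uid | sed -ne 's/^uid: //p')

gpo_name=$(random_string)

### Temporarily disable rsync login for the samba4/sysvol/sync/host
### And temporarily disable regular sysvol sync on this host.
### The pre-test values are recorded so the EXIT trap restores exactly the
### previous configuration. Unconditionally setting the three ssh groups to
### "yes" afterwards would silently widen ssh access on a host where an
### administrator had disabled one of them, and the cron schedule may be
### customised.
orig_sysvol_sync_cron=$(ucr get samba4/sysvol/sync/cron)
orig_sshd_group_backup=$(ucr get 'auth/sshd/group/DC Backup Hosts')
orig_sshd_group_slave=$(ucr get 'auth/sshd/group/DC Slave Hosts')
orig_sshd_group_computers=$(ucr get 'auth/sshd/group/Computers')

# Put one UCR key back to its recorded value; a key that was unset stays unset.
restore_ucr_key() {
	local key=$1 value=$2
	if [ -n "$value" ]; then
		ucr set "$key=$value"
	else
		ucr unset "$key"
	fi
}
deny_ssh_access_for_computers() {
	ucr set 'auth/sshd/group/DC Backup Hosts'=no \
		'auth/sshd/group/DC Slave Hosts'=no \
		'auth/sshd/group/Computers'=no
}
# Restores the ssh group settings recorded before the test (not a blanket "yes").
allow_ssh_access_for_computers() {
	restore_ucr_key 'auth/sshd/group/DC Backup Hosts' "$orig_sshd_group_backup"
	restore_ucr_key 'auth/sshd/group/DC Slave Hosts' "$orig_sshd_group_slave"
	restore_ucr_key 'auth/sshd/group/Computers' "$orig_sshd_group_computers"
}
disable_sysvol_sync() {
	# A leading '#' turns the cron line into a comment, i.e. no scheduled sync.
	ucr set samba4/sysvol/sync/cron="# */5 * * * *"
	deny_ssh_access_for_computers
}
enable_sysvol_sync() {
	restore_ucr_key samba4/sysvol/sync/cron "$orig_sysvol_sync_cron"
	allow_ssh_access_for_computers
}
# Runs on every exit path, including the "exit 1" of a failed check below.
trap enable_sysvol_sync EXIT
disable_sysvol_sync


### create a new GPO remotely on the samba4/sysvol/sync/host:
test_output=$(samba-tool gpo create "$gpo_name" -U "$ADMINISTRATOR_NAME%$tests_domainadmin_pwd" -H "ldap://$samba4_sysvol_sync_host")
gpo_cn=$(sed -n "s/GPO '$gpo_name' created as \(.*\)$/\1/p" <<<"$test_output")
# Every path below, including the final "rm -rf", is built from $gpo_cn. With
# an empty value gpo_path would be the whole Policies directory, so stop here.
if [ -z "$gpo_cn" ]; then
	echo "GPO creation on $samba4_sysvol_sync_host failed: $test_output"
	exit 1
fi
echo "Test GPO created: $gpo_cn"


### Replicate the new GPO to the local system
/usr/share/univention-samba4/scripts/sysvol-sync.sh

### for additional fun add an additional test file to the GPO dir on the samba4/sysvol/sync/host:
### (its arrival after the second sync proves the sync actually ran)
smbclient "//$samba4_sysvol_sync_host/sysvol" \
	-U "$ADMINISTRATOR_NAME%$tests_domainadmin_pwd" \
	-c "put /etc/hosts $domainname/Policies/$gpo_cn/testfile1"


### Now modify the ACLs on the local GPO copy
gpo_path="/var/lib/samba/sysvol/$domainname/Policies/$gpo_cn"
# Baseline before the modification: POSIX ACL, extended attributes and the
# NTACL stored by Samba.
gpo_facl=$(getfacl "$gpo_path")
gpo_fattr=$(getfattr -d -m - "$gpo_path")
gpo_ntacl=$(samba-tool ntacl get --as-sddl "$gpo_path")


test_account=join-backup
test_account_sid=$(univention-s4search samaccountname="$test_account" objectSid | ldapsearch-wrapper | sed -n 's/^objectSid: //p')
# Without a SID the ACE below would be malformed and smbcacls would fail.
if [ -z "$test_account_sid" ]; then
	echo "Could not determine the objectSid of $test_account"
	exit 1
fi

### Update the NTACLs on the local SYSVOL share via SMB
# Append one ACE: allow, inherited by subdirectories and files (OICI),
# 0x001200a9 = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, for the test account.
new_gpo_ntacl="${gpo_ntacl}(A;OICI;0x001200a9;;;$test_account_sid)"
smbcacls //localhost/sysvol "$domainname/Policies/$gpo_cn" -U "$ADMINISTRATOR_NAME%$tests_domainadmin_pwd" -S "$new_gpo_ntacl" --sddl

new_gpo_modification_time=$(stat --printf '%y' "$gpo_path")
new_gpo_metadata_change_time=$(stat --printf '%z' "$gpo_path")
new_gpo_ntacl=$(samba-tool ntacl get --as-sddl "$gpo_path") ## get in canonical order
new_gpo_facl=$(getfacl "$gpo_path")
new_gpo_fattr=$(getfattr -d -m - "$gpo_path")

# If the re-read NTACL still equals the baseline the SMB write had no effect.
if [ "$new_gpo_ntacl" = "$gpo_ntacl" ]; then
	echo "NTACL set via SMB failed"
	exit 1
fi

### Updating the DS ACLs is a bit useless here, but this is how we could do it
### (disabled and untested; the here-strings need "<<<", not "<<"):
# test_output=$(univention-s4search "(&(objectClass=groupPolicyContainer)(cn=$gpo_cn))" nTSecurityDescriptor | ldapsearch-wrapper)
# gpo_dn=$(sed -n "s/^dn: //p" <<<"$test_output")
# gpo_sd=$(sed -n "s/^nTSecurityDescriptor: //p" <<<"$test_output")
# new_gpo_sd="${gpo_sd}(A;CI;RPLCRC;;;$test_account_sid)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;$test_account_sid)"
# ldbmodify -H /var/lib/samba/private/sam.ldb "(&(objectClass=groupPolicyContainer)(cn=$gpo_cn))" <<%EOF
# dn: $gpo_dn
# changetype: modify
# nTSecurityDescriptor: $new_gpo_sd
# %EOF

### Now replicate the GPO again to the local system
/usr/share/univention-samba4/scripts/sysvol-sync.sh

## verify that the testfile1 has been copied to the local system:
if ! [ -f "$gpo_path/testfile1" ]; then
	echo "The GPO has not been copied to the local server"
	exit 1
fi

test_gpo_modification_time=$(stat --printf '%y' "$gpo_path")
test_gpo_metadata_change_time=$(stat --printf '%z' "$gpo_path")
test_gpo_ntacl=$(samba-tool ntacl get --as-sddl "$gpo_path")
test_gpo_facl=$(getfacl "$gpo_path")
test_gpo_fattr=$(getfattr -d -m - "$gpo_path")
# Timestamps are informational only; the checks below compare the ACLs/xattrs.
echo "Old GPO modification time: $new_gpo_modification_time"
echo "New GPO modification time: $test_gpo_modification_time"
echo "Old GPO metadata time: $new_gpo_metadata_change_time"
echo "New GPO metadata time: $test_gpo_metadata_change_time"

# The bug under test: the sync must not revert what was set locally.
if [ "$test_gpo_ntacl" != "$new_gpo_ntacl" ]; then
	echo "The GPO NTACL has been modified"
	exit 1
fi
if [ "$test_gpo_facl" != "$new_gpo_facl" ]; then
	echo "The GPO fACL has been modified"
	exit 1
fi
if [ "$test_gpo_fattr" != "$new_gpo_fattr" ]; then
	echo "The GPO fattrs have been modified"
	exit 1
fi

## Cleanup
## Reached only when every check passed; after a failed check the test GPO is
## left in place and only the EXIT trap (UCR restore) runs.
samba-tool gpo del "$gpo_name" -U "$ADMINISTRATOR_NAME%$tests_domainadmin_pwd"
# ${var:?} aborts instead of expanding to an empty path component.
rm -rf -- "${gpo_path:?}"
# "gpo del" removes the directory object; the sysvol directory on the sync
# host has to be removed by hand over SMB.
univention-install cifs-utils
tmp_dir=$(mktemp -d)
# Keep the admin password out of the mount argument list: mount.cifs reads it
# from a credentials file, which mktemp creates mode 0600.
cred_file=$(mktemp)
printf 'username=%s\npassword=%s\n' "$ADMINISTRATOR_NAME" "$tests_domainadmin_pwd" >"$cred_file"
if mount -t cifs -o credentials="$cred_file" "//$samba4_sysvol_sync_host/sysvol" "$tmp_dir"; then
	rm -rf -- "$tmp_dir/$domainname/Policies/${gpo_cn:?}"
	umount "$tmp_dir"
else
	echo "Could not mount //$samba4_sysvol_sync_host/sysvol, GPO directory $gpo_cn left on the sync host"
fi
rm -f -- "$cred_file"
rmdir "$tmp_dir"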