Univention Bugzilla – Attachment 7890 Details for
Bug 39633
ProvisioningError with 'samba-tool ntacl sysvolcheck'
[patch]
Provisional fix for Provisioningerror of samba-tool ntacl sysvolcheck
bug39633.patch (text/plain), 4.81 KB, created by
Julian Hupertz
on 2016-08-17 18:37:13 CEST
Description:
Provisional fix for Provisioningerror of samba-tool ntacl sysvolcheck
Filename:
MIME Type:
Creator:
Julian Hupertz
Created:
2016-08-17 18:37:13 CEST
Size:
4.81 KB
>--- samba/provision/__init__.py.orig 2016-08-17 11:34:20.843860051 +0200
>+++ samba/provision/__init__.py 2016-08-17 18:23:58.998801706 +0200
>@@ -1484,12 +1484,17 @@ POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001
> SYSVOL_SERVICE="sysvol"
>
> def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE):
>+ #print path
>+ #print acl
>+ #print use_ntvfs
> setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
> for root, dirs, files in os.walk(path, topdown=False):
> for name in files:
> setntacl(lp, os.path.join(root, name), acl, domsid,
> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
> for name in dirs:
>+ #print os.path.join(root, name)
>+ #print acl
> setntacl(lp, os.path.join(root, name), acl, domsid,
> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
>
>@@ -1627,8 +1632,23 @@ def acl_type(direct_db_access):
> def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
> fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> fsacl_sddl = fsacl.as_sddl(domainsid)
>- if fsacl_sddl != acl:
>- raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>+
>+ #Main fix starts here / 17-08-2016 / hupertz@univention.de
>+ """changed acl in if-statements to acl_sddl"""
>+ if isinstance(domainsid, str):
>+ sid = security.dom_sid(domainsid)
>+ elif isinstance(domainsid, security.dom_sid):
>+ sid = domainsid
>+ domainsid = str(sid)
>+
>+ sd = security.descriptor.from_sddl(acl, sid)
>+ if sd.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)):
>+ sd.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR))
>+ acl_sddl = sd.as_sddl(sid)
>+ #Main fix ends here
>+
>+ if fsacl_sddl != acl_sddl:
>+ raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl_sddl))
>
> for root, dirs, files in os.walk(path, topdown=False):
> for name in files:
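Review bot: `sid` is assigned only when `domainsid` is a `str` or a `security.dom_sid`, so any other type (a `unicode` value under Python 2, for instance) reaches `security.descriptor.from_sddl(acl, sid)` with `sid` unbound and fails with a NameError instead of a ProvisioningError. Either add an `else:` branch that raises ProvisioningError or normalise unconditionally with `sid = security.dom_sid(str(domainsid))`. The bare string `"""changed acl in if-statements to acl_sddl"""` is an expression statement, not a comment, and should become a `#` comment. The owner rewrite from `DOMAIN_RID_ADMINS` to `DOMAIN_RID_ADMINISTRATOR` is unconditional, so a directory whose on-disk owner really is Domain Admins would presumably now be reported as a mismatch; a comment stating when the substitution is expected would make this verification logic reviewable. Indentation is not recoverable from this page, so whether `domainsid = str(sid)` sits inside the `elif` cannot be judged here.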
>@@ -1636,19 +1656,20 @@ def check_dir_acl(path, acl, lp, domains
> direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> if fsacl is None:
> raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
>- fsacl_sddl = fsacl.as_sddl(domainsid)
>- if fsacl_sddl != acl:
>- raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
>-
>+ fsacl_sddl = fsacl.as_sddl(sid)
>+
>+ if fsacl_sddl != acl_sddl:
>+ raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl))
>+
> for name in dirs:
> fsacl = getntacl(lp, os.path.join(root, name),
> direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> if fsacl is None:
> raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
>- fsacl_sddl = fsacl.as_sddl(domainsid)
>- if fsacl_sddl != acl:
>- raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
>+ fsacl_sddl = fsacl.as_sddl(sid)
>
>+ if fsacl_sddl != acl_sddl:
>+ raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl))
>
> def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> direct_db_access):
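Review bot: Both `not found!` messages in this hunk have three `%s` placeholders but only two arguments (`acl_type(direct_db_access)` and the joined path), so when `getntacl` returns None the `%` formatting raises TypeError instead of the intended ProvisioningError. These are unchanged context lines, but the patch rewrites the lines right after them; drop the extra placeholder, e.g. `'%s ACL on GPO file %s not found!'`. Separately, the per-file and per-directory checks now call `fsacl.as_sddl(sid)` while the top-level check in the previous hunk still calls `fsacl.as_sddl(domainsid)` before `domainsid` is normalised. Moving the normalisation to the top of `check_dir_acl` and using `sid` in all three places would keep the three comparisons consistent.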
>@@ -1680,8 +1701,12 @@ def check_gpos_acl(sysvol, dnsdomain, do
> acl = ndr_unpack(security.descriptor,
> str(policy["nTSecurityDescriptor"])).as_sddl()
> policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
>- check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>+ try:
>+ check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
> domainsid, direct_db_access)
>+ except Exception as e:
>+ print e
>+ continue
>
>
> def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,
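Review bot: The new `except Exception as e:` / `print e` / `continue` around `check_dir_acl` turns every ACL mismatch into a printed line, so `check_gpos_acl` appears to return normally even when GPO directories carry the wrong permissions, and anything that relies on the check failing loses that signal. It also hides unrelated failures (I/O errors, or the TypeError from the mis-formatted `not found!` messages) behind the same output. Catch only `ProvisioningError`, keep checking the remaining policies, and raise once after the loop with the collected messages. The loop header and the start of `check_gpos_acl` are outside the hunk, so the list initialisation has to be placed before the loop there.

```python
# before the policy loop (outside this hunk): mismatches = []
        # … unchanged: acl unpack and policy_path lookup …
        try:
            check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
                          domainsid, direct_db_access)
        except ProvisioningError as e:
            # record the mismatch and keep checking the other policies
            mismatches.append(str(e))
    # after the loop: fail once, reporting every mismatching GPO
    if mismatches:
        raise ProvisioningError("\n".join(mismatches))
```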