Univention Bugzilla – Attachment 9972 Details for
Bug 49293
sysvolcheck ProvisioningError after modifying / creating GPOs in UCS@school 4.3
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
1.diff
1.diff (text/plain), 9.71 KB, created by
Arvid Requate
on 2019-04-15 14:35:04 CEST
(
hide
)
Description:
1.diff
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2019-04-15 14:35:04 CEST
Size:
9.71 KB
patch
obsolete
>--- /usr/lib/python2.7/dist-packages/samba/provision/__init__.py 2019-04-02 10:32:20.000000000 +0200 >+++ __init__.py.patched 2019-04-15 14:29:01.750639642 +0200 >@@ -1672,7 +1672,184 @@ > return True > return False > >-def check_dir_acl(path, acl, lp, domainsid, direct_db_access): >+def check_dir_acl(path, acl_expected_for_gpo, lp, domainsid, direct_db_access): >+ try: >+ fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE) >+ fsacl_sddl = fsacl.as_sddl(domainsid) >+ except TypeError as error: >+ return >+ except NTSTATUSError as error: >+ if check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND): >+ print "ERROR: File not found", path >+ return >+ else: >+ raise >+ >+ ## Sanitize "domainsid" to be a security.dom_sid >+ if isinstance(domainsid, str): >+ domainsid = security.dom_sid(domainsid) >+ >+ LA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)) >+ DA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) >+ CO = security.dom_sid(security.SID_CREATOR_OWNER) >+ >+ ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) >+ if fsacl.owner_sid == LA: >+ fsacl.owner_sid = DA >+ >+ """ >+ MS doc about SE_DACL_AUTO_INHERITED of SECURITY_DESCRIPTOR_CONTROL: >+ For Windows 2000 ACLs that support auto-inheritance, this bit is always set. >+ """ >+ ## The default {31B2F340-016D-11D2-945F-00C04FB984F9} and {6AC1786C-016F-11D2-945F-00C04FB984F9} don't have this in Samba >+ ## so mask this difference here to avoid false positives >+ ## >+ ## sysvolreset removes the AI as well, so we always mask this: >+ fsacl.type |= security.SEC_DESC_DACL_AUTO_INHERITED >+ fix_P_to_AI = True ## also below in the subdir and file checks >+ >+ fsacl_sddl_mapped = fsacl.as_sddl(domainsid) >+ >+ ## at least in UCS, all base GPO directories have AI set, so expect that >+ sd = security.descriptor.from_sddl(acl_expected_for_gpo, domainsid) >+ sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED >+ acl_expected_for_gpo = sd.as_sddl(domainsid) >+ >+ if fsacl_sddl_mapped != acl_expected_for_gpo: >+ raise ProvisioningError('%s NTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl_expected_for_gpo)) >+ >+ ### After the base GPO directory has passed, now fix the FSACLs calculated by dsacl2fsacl to work for the subdirs and files >+ ## copy the security descriptor structure, we have to filter out a few ACEs >+ sd_masked = security.descriptor() >+ sd_masked.owner_sid = sd.owner_sid >+ sd_masked.group_sid = sd.group_sid >+ sd_masked.type = sd.type >+ sd_masked.revision = sd.revision >+ >+ ## the subdirs and files are AI and not P >+ sd_masked.type |= security.SEC_DESC_DACL_AUTO_INHERITED >+ sd_masked.type &= ~security.SEC_DESC_DACL_PROTECTED >+ >+ skip_other_da_aces = False >+ for i in range(0, len(sd.dacl.aces)): >+ if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA): >+ ## filter out additional ACEs for DA and LA, there is some duplication and ordering issue >+ continue >+ elif sd.dacl.aces[i].trustee in (DA, LA): >+ ## flag first occurrence of DA >+ skip_other_da_aces = True >+ if sd.dacl.aces[i].flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT: >+ ## If GPO says CI then the subobjects must show the inherited flag >+ ## Note: dsacl2fsacl currently always fakes security.SEC_ACE_FLAG_CONTAINER_INHERIT >+ sd.dacl.aces[i].flags |= security.SEC_ACE_FLAG_INHERITED_ACE >+ >+ sd_masked.dacl_add(sd.dacl.aces[i]) >+ acl_expected_for_subdir = sd_masked.as_sddl(domainsid) >+ >+ ## Additionally for files MS AD and GPMC don't set the CI and OI flags >+ for i in range(0, len(sd_masked.dacl.aces)): >+ sd_masked.dacl.aces[i].flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT) >+ try: >+ ## also filter out ACE for CO, not present for GPT.INI of new GPOs created via GPMC >+ sd_masked.dacl_del(CO) >+ except: >+ pass >+ acl_expected_for_file = sd_masked.as_sddl(domainsid) >+ sd_masked.type &= ~security.SEC_DESC_DACL_AUTO_INHERIT_REQ >+ acl_expected_for_registry_pol = sd_masked.as_sddl(domainsid) >+ >+ #print "ACL GPO: %s" % acl_expected_for_gpo >+ #print "ACL DIR: %s" % acl_expected_for_subdir >+ #print "ACL FILE: %s" % acl_expected_for_file >+ >+ for root, dirs, files in os.walk(path, topdown=False): >+ for name in files: >+ fsacl = getntacl(lp, os.path.join(root, name), >+ direct_db_access=direct_db_access, service=SYSVOL_SERVICE) >+ if fsacl is None: >+ raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) >+ >+ ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) >+ if fsacl.owner_sid == LA: >+ fsacl.owner_sid = DA >+ >+ ## Mask current differences between Samba and MS AD & GPMC >+ fsacl_masked = security.descriptor() >+ fsacl_masked.owner_sid = fsacl.owner_sid >+ fsacl_masked.group_sid = fsacl.group_sid >+ fsacl_masked.type = fsacl.type >+ fsacl_masked.revision = fsacl.revision >+ >+ if fix_P_to_AI: >+ fsacl_masked.type &= ~security.SEC_DESC_DACL_PROTECTED >+ fsacl_masked.type |= security.SEC_DESC_DACL_AUTO_INHERITED >+ >+ skip_other_da_aces = False >+ for i in range(0, len(fsacl.dacl.aces)): >+ if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA): >+ ## filter out additional ACEs for DA and LA, there is some duplication and ordering issue >+ continue >+ elif fsacl.dacl.aces[i].trustee in (DA, LA): >+ ## flag first occurrence of DA >+ skip_other_da_aces = True >+ if str(fsacl.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER: >+ ## filter out ACE for CO, not present for GPT.INI of new GPOs created via GPMC >+ continue >+ if fix_P_to_AI: >+ fsacl.dacl.aces[i].flags |= security.SEC_ACE_FLAG_INHERITED_ACE >+ ## The OI and CI flags don't make sense for files and are neither set by MS AD nor MS GPMC >+ fsacl.dacl.aces[i].flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT) >+ fsacl_masked.dacl_add(fsacl.dacl.aces[i]) >+ >+ fsacl_sddl_mapped = fsacl_masked.as_sddl(domainsid) >+ >+ if name in ("GPT.INI", "GptTmpl.inf", "comment.cmtx"): >+ if fsacl_sddl_mapped != acl_expected_for_file: >+ raise ProvisioningError('%s NTACL of GPO file %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl_expected_for_file)) >+ else: >+ if fsacl_sddl_mapped != acl_expected_for_registry_pol: >+ raise ProvisioningError('%s NTACL of GPO file %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl_expected_for_registry_pol)) >+ >+ for name in dirs: >+ fsacl = getntacl(lp, os.path.join(root, name), >+ direct_db_access=direct_db_access, service=SYSVOL_SERVICE) >+ if fsacl is None: >+ raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) >+ >+ ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) >+ if fsacl.owner_sid == LA: >+ fsacl.owner_sid = DA >+ >+ ## Mask current differences between Samba and MS AD & GPMC >+ fsacl_masked = security.descriptor() >+ fsacl_masked.owner_sid = fsacl.owner_sid >+ fsacl_masked.group_sid = fsacl.group_sid >+ fsacl_masked.type = fsacl.type >+ fsacl_masked.revision = fsacl.revision >+ >+ if fix_P_to_AI: >+ fsacl_masked.type &= ~security.SEC_DESC_DACL_PROTECTED >+ fsacl_masked.type |= security.SEC_DESC_DACL_AUTO_INHERITED >+ >+ skip_other_da_aces = False >+ for i in range(0, len(fsacl.dacl.aces)): >+ if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA): >+ ## filter out additional ACEs for DA and LA, there is some duplication and ordering issue >+ continue >+ elif fsacl.dacl.aces[i].trustee == DA: >+ ## flag first occurrence of DA >+ skip_other_da_aces = True >+ if fix_P_to_AI: >+ fsacl.dacl.aces[i].flags |= security.SEC_ACE_FLAG_INHERITED_ACE >+ fsacl_masked.dacl_add(fsacl.dacl.aces[i]) >+ >+ fsacl_sddl_mapped = fsacl_masked.as_sddl(domainsid) >+ >+ if fsacl_sddl_mapped != acl_expected_for_subdir: >+ raise ProvisioningError('%s NTACL of GPO subdirectory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl_expected_for_subdir)) >+ >+ >+def check_dir_acl_orig(path, acl, lp, domainsid, direct_db_access): > try: > fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE) > fsacl_sddl = fsacl.as_sddl(domainsid)
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=9972">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 49293
: 9972 |
10103
|
10145