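#!/usr/bin/python
"""Reset the NT ACLs on the sysvol share from the GPO ACLs stored in AD.

Loads the local smb.conf, opens the SAM database, forces the samba_dsdb
passdb backend, verifies that the two well-known SIDs the ACLs depend on
have POSIX id mappings, and then calls provision.set_gpos_acl() on the
configured sysvol path.
"""
from samba.param import LoadParm
from samba.dcerpc import security, idmap
from samba.auth import system_session
from samba.samdb import SamDB
from samba.samba3 import param as s3param, passdb
from samba import provision


class CommandError(Exception):
    """Raised when a SID required for the sysvol ACLs has no POSIX id mapping."""


def sysvol_dsacl_to_ntacl(smb_conf='/etc/samba/smb.conf'):
    """Rewrite the NT ACLs of the GPOs under sysvol from the AD database.

    Args:
        smb_conf: path of the smb.conf to load (default: the system-wide file).

    Raises:
        CommandError: the Domain Administrator SID is not mapped to a UID, or
            the BUILTIN\\Administrators SID is not mapped to a GID.
        Exception: whatever SamDB raised when the database could not be
            opened; the error is printed and then re-raised unchanged.
    """
    lp = LoadParm()
    lp.load(smb_conf)
    sysvol = lp.get("path", "sysvol")

    try:
        samdb = SamDB(session_info=system_session(), lp=lp)
    except Exception as e:
        print("Unable to open samdb: %s" % (e,))
        # Re-raise the real exception; a string can not be raised.
        raise

    # Which file server handles sysvol decides how the ACLs are written.
    use_ntvfs = "smb" in lp.get("server services")
    domain_sid = security.dom_sid(samdb.domain_sid)

    s3conf = s3param.get_context()
    s3conf.load(lp.configfile)
    # ensure we are using the right samba_dsdb passdb backend, no matter what
    s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)

    LA_sid = security.dom_sid(str(domain_sid) + "-" +
                              str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)

    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

    # These assertions correct for current plugin_s4_dc selftest
    # configuration.  When other environments have a broad range of
    # groups mapped via passdb, we can relax some of these checks
    (_, LA_type) = s4_passdb.sid_to_id(LA_sid)
    if LA_type not in (idmap.ID_TYPE_UID, idmap.ID_TYPE_BOTH):
        raise CommandError("SID %s is not mapped to a UID" % LA_sid)
    (_, BA_type) = s4_passdb.sid_to_id(BA_sid)
    if BA_type not in (idmap.ID_TYPE_GID, idmap.ID_TYPE_BOTH):
        raise CommandError("SID %s is not mapped to a GID" % BA_sid)

    # The "passdb backend" override set above is still in effect on the
    # shared context, so the configuration is not reloaded here.
    passdb.reload_static_pdb()

    # ensure that we init the samba_dsdb backend, so the domain sid is
    # marked in secrets.tdb
    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

    provision.set_gpos_acl(sysvol, lp.get("realm").lower(), domain_sid,
                           samdb.domain_dn(), samdb, lp,
                           use_ntvfs=use_ntvfs, passdb=s4_passdb)


if __name__ == '__main__':
    sysvol_dsacl_to_ntacl()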