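#!/bin/bash
#
# ucs-test: check that sysvol-sync.sh replicates a GPO from the
# samba4/sysvol/sync/host to this system WITHOUT overwriting the NTACL,
# POSIX ACL and extended attributes that were changed on the local copy.
#
# Steps:
#   1. disable the regular sysvol sync cron job and the ssh login of the
#      domain computer accounts (the rsync transport) so nothing syncs
#      concurrently with the manual runs below;
#   2. create a GPO on $samba4_sysvol_sync_host and sync it to this host;
#   3. add an extra file to the GPO directory on the remote host;
#   4. change the NTACL of the local GPO copy via SMB;
#   5. sync again: the extra file must arrive, the local ACLs/xattrs must
#      stay exactly as they were after step 4;
#   6. delete the GPO on both sides.
#
# Exit status: 0 on success, 1 when a step or a check fails.
# Requires (via "ucr shell"): ldap_base, domainname, samba4/sysvol/sync/host.

. /usr/share/ucs-test/lib/random.sh
eval "$(ucr shell)"

# NOTE(review): the domain admin password is hard-coded for the ucs-test
# environment. samba-tool/smbclient/smbcacls below take it as
# "-U user%password" on the command line, i.e. it is visible in the
# process list while those tools run.
tests_domainadmin_account="uid=Administrator,cn=users,$ldap_base"
tests_domainadmin_pwd=univention

ADMINISTRATOR_NAME=$(univention-ldapsearch -b "$tests_domainadmin_account" uid \
  | ldapsearch-wrapper | sed -ne 's/^uid: //p')
gpo_name=$(random_string)

# Fail early instead of running the remote operations against "" hosts/paths.
if [ -z "$samba4_sysvol_sync_host" ] || [ -z "$domainname" ] || [ -z "$ADMINISTRATOR_NAME" ]; then
  echo "samba4/sysvol/sync/host, domainname or the Administrator uid could not be determined" >&2
  exit 1
fi

### Temporarily disable rsync login for the samba4/sysvol/sync/host
### And temporarily disable regular sysvol sync on this host
deny_ssh_access_for_computers() {
  ucr set 'auth/sshd/group/DC Backup Hosts'=no \
    'auth/sshd/group/DC Slave Hosts'=no \
    'auth/sshd/group/Computers'=no
}

allow_ssh_access_for_computers() {
  ucr set 'auth/sshd/group/DC Backup Hosts'=yes \
    'auth/sshd/group/DC Slave Hosts'=yes \
    'auth/sshd/group/Computers'=yes
}

disable_sysvol_sync() {
  ucr set samba4/sysvol/sync/cron="# */5 * * * *"
  deny_ssh_access_for_computers
}

enable_sysvol_sync() {
  # Re-enables the stock schedule; this assumes the host used the default
  # "*/5 * * * *" before the test (the previous value is not saved).
  ucr set samba4/sysvol/sync/cron="*/5 * * * *"
  allow_ssh_access_for_computers
}

# Set by the cleanup section at the end; the EXIT trap unmounts/removes
# them so a failed check never leaves a mounted share or a credentials file.
tmp_dir=
cifs_credentials=

cleanup() {
  if [ -n "$tmp_dir" ]; then
    mountpoint -q "$tmp_dir" && umount "$tmp_dir"
    rmdir "$tmp_dir" 2>/dev/null
  fi
  [ -n "$cifs_credentials" ] && rm -f -- "$cifs_credentials"
  enable_sysvol_sync
}
trap cleanup EXIT
disable_sysvol_sync

### create a new GPO remotely on the samba4/sysvol/sync/host:
test_output=$(samba-tool gpo create "$gpo_name" \
  -U "$ADMINISTRATOR_NAME%$tests_domainadmin_pwd" \
  -H "ldap://$samba4_sysvol_sync_host")
gpo_cn=$(sed -n "s/GPO '$gpo_name' created as \(.*\)$/\1/p" <<<"$test_output")
# Every path below is built from $gpo_cn and is finally removed with
# "rm -rf"; an empty value would turn that into the whole Policies tree.
if [ -z "$gpo_cn" ]; then
  echo "samba-tool gpo create failed or printed no GPO cn: $test_output" >&2
  exit 1
fi
echo "Test GPO created: $gpo_cn"

### Replicate the new GPO to the local system
/usr/share/univention-samba4/scripts/sysvol-sync.sh

### for additional fun add an additional test file to the GPO dir on the samba4/sysvol/sync/host:
smbclient "//$samba4_sysvol_sync_host/sysvol" \
  -U "$ADMINISTRATOR_NAME%$tests_domainadmin_pwd" \
  -c "put /etc/hosts $domainname/Policies/$gpo_cn/testfile1"

### Now modify the ACLs on the local GPO copy
gpo_path="/var/lib/samba/sysvol/$domainname/Policies/$gpo_cn"
# Snapshot of the local copy before the SMB change, only kept for reference.
gpo_facl=$(getfacl "$gpo_path")
gpo_fattr=$(getfattr -d -m - "$gpo_path")
gpo_ntacl=$(samba-tool ntacl get --as-sddl "$gpo_path")

test_account=join-backup
test_account_sid=$(univention-s4search samaccountname="$test_account" objectSid \
  | ldapsearch-wrapper | sed -n 's/^objectSid: //p')
if [ -z "$test_account_sid" ]; then
  echo "Could not determine the objectSid of $test_account" >&2
  exit 1
fi

### Update the NTACLs on the local SYSVOL share via SMB
# Append an allow ACE (object+container inherit, generic read/execute
# rights 0x001200a9) for the test account to the existing SDDL string.
new_gpo_ntacl="${gpo_ntacl}(A;OICI;0x001200a9;;;$test_account_sid)"
smbcacls //localhost/sysvol "$domainname/Policies/$gpo_cn" \
  -U "$ADMINISTRATOR_NAME%$tests_domainadmin_pwd" \
  -S "$new_gpo_ntacl" --sddl

new_gpo_modification_time=$(stat --printf '%y' "$gpo_path")
new_gpo_metadata_change_time=$(stat --printf '%z' "$gpo_path")
new_gpo_ntacl=$(samba-tool ntacl get --as-sddl "$gpo_path")  ## get in canonical order
new_gpo_facl=$(getfacl "$gpo_path")
new_gpo_fattr=$(getfattr -d -m - "$gpo_path")

if [ "$new_gpo_ntacl" = "$gpo_ntacl" ]; then
  echo "NTACL set via SMB failed"
  exit 1
fi

### Updating the DS ACLs is a bit useless here, but this is how we could do it:
# test_output=$(univention-s4search "(&(objectClass=groupPolicyContainer)(cn=$gpo_cn))" nTSecurityDescriptor | ldapsearch-wrapper)
# gpo_dn=$(sed -n "s/^dn: //p" <<<"$test_output")
# gpo_sd=$(sed -n "s/^nTSecurityDescriptor: //p" <<<"$test_output")
# new_gpo_sd="${gpo_sd}(A;CI;RPLCRC;;;$test_account_sid)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;$test_account_sid)"
# ldbmodify -H /var/lib/samba/private/sam.ldb "(&(objectClass=groupPolicyContainer)(cn=$gpo_cn))" <<%EOF
# dn: $gpo_dn
# changetype: modify
# nTSecurityDescriptor: $new_gpo_sd
# %EOF

### Now replicate the GPO again to the local system
/usr/share/univention-samba4/scripts/sysvol-sync.sh

## verify that the testfile1 has been copied to the local system:
if ! [ -f "$gpo_path/testfile1" ]; then
  echo "The GPO has not been copied to the local server"
  exit 1
fi

test_gpo_modification_time=$(stat --printf '%y' "$gpo_path")
test_gpo_metadata_change_time=$(stat --printf '%z' "$gpo_path")
test_gpo_ntacl=$(samba-tool ntacl get --as-sddl "$gpo_path")
test_gpo_facl=$(getfacl "$gpo_path")
test_gpo_fattr=$(getfattr -d -m - "$gpo_path")

# Timestamps are informational only; the checks below are on ACLs/xattrs.
echo "Old GPO modification time: $new_gpo_modification_time"
echo "New GPO modification time: $test_gpo_modification_time"
echo "Old GPO metadata time: $new_gpo_metadata_change_time"
echo "New GPO metadata time: $test_gpo_metadata_change_time"

## the sync must keep the locally modified NTACL, POSIX ACL and xattrs
if ! [ "$test_gpo_ntacl" = "$new_gpo_ntacl" ]; then
  echo "The GPO NTACL has been modified"
  exit 1
fi
if ! [ "$test_gpo_facl" = "$new_gpo_facl" ]; then
  echo "The GPO fACL has been modified"
  exit 1
fi
if ! [ "$test_gpo_fattr" = "$new_gpo_fattr" ]; then
  echo "The GPO fattrs have been modified"
  exit 1
fi

## Cleanup
samba-tool gpo del "$gpo_name" -U "$ADMINISTRATOR_NAME%$tests_domainadmin_pwd"
rm -rf -- "/var/lib/samba/sysvol/$domainname/Policies/${gpo_cn:?}"

# Remove the GPO directory on the remote sysvol too. The password goes into
# a 0600 credentials file instead of "-o password=..." so it does not show
# up in the mount command line.
univention-install cifs-utils
tmp_dir=$(mktemp -d)
cifs_credentials=$(mktemp)
chmod 600 "$cifs_credentials"
printf 'username=%s\npassword=%s\n' "$ADMINISTRATOR_NAME" "$tests_domainadmin_pwd" >"$cifs_credentials"
if ! mount -t cifs -o credentials="$cifs_credentials" "//$samba4_sysvol_sync_host/sysvol" "$tmp_dir"; then
  echo "Could not mount //$samba4_sysvol_sync_host/sysvol to remove the remote GPO directory" >&2
  exit 1
fi
rm -rf -- "$tmp_dir/$domainname/Policies/${gpo_cn:?}"
umount "$tmp_dir"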