Attachment #9820 for bug #46643

View | Details | Raw Unified | Return to bug 46643 | Differences between
Collapse All | Expand All




def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
    fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
    fsacl_sddl = fsacl.as_sddl(domainsid)
    
    ## Sanitize "domainsid" to be a security.dom_sid
    if isinstance(domainsid, str):
        domainsid = security.dom_sid(domainsid)
    sd = security.descriptor.from_sddl(acl, domainsid)
    ## Mask AI and P in DACL flags for comparison
    sd.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
    acl_sddl_masked = sd.as_sddl(domainsid)
    
    ## Mask AI and P in DACL flags for comparison
    fsacl_inheritance_flags = fsacl.type & (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
    ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
    if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
        fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))

    ## Mask AI and P in DACL flags for comparison
    fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
    fsacl_sddl_mapped_and_masked = fsacl.as_sddl(domainsid) 


    if fsacl_sddl_mapped_and_masked != acl_sddl_masked:
        raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

    for root, dirs, files in os.walk(path, topdown=False):
        for name in files:

            if fsacl is None:
                raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
            fsacl_sddl = fsacl.as_sddl(domainsid)
            if fsacl_sddl != acl:
                raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

            ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
            if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
                fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))

            ## Mask AI and P in DACL flags for comparison
            fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
            fsacl_sddl_mapped_and_masked = fsacl.as_sddl(domainsid) 

            print "%s" % fsacl_sddl_mapped_and_masked
            print "%s" % acl_sddl_masked

            if fsacl_sddl_mapped_and_masked != acl_sddl_masked:
                raise ProvisioningError('%s NTACL of GPO file %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
            
        for name in dirs:
            fsacl = getntacl(lp, os.path.join(root, name),
                             direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
            if fsacl is None:
                raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
            fsacl_sddl = fsacl.as_sddl(domainsid)
            if fsacl_sddl != acl:
                raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

            ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
            if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
                fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))

            ## Mask AI and P in DACL flags for comparison
            fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
            fsacl_sddl_mapped_and_masked = fsacl.as_sddl(domainsid) 

            if fsacl_sddl_mapped_and_masked != acl_sddl_masked:
                raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
        direct_db_access):

        acl = ndr_unpack(security.descriptor,
                         str(policy["nTSecurityDescriptor"])).as_sddl()
        policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
        try:
            check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
                      domainsid, direct_db_access)
        except Exception as e:
            print e
            continue


def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,

Return to bug 46643