|
1662 |
def check_dir_acl(path, acl, lp, domainsid, direct_db_access): |
1662 |
def check_dir_acl(path, acl, lp, domainsid, direct_db_access): |
1663 |
fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE) |
1663 |
fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE) |
1664 |
fsacl_sddl = fsacl.as_sddl(domainsid) |
1664 |
fsacl_sddl = fsacl.as_sddl(domainsid) |
1665 |
if fsacl_sddl != acl: |
1665 |
|
1666 |
raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)) |
1666 |
## Sanitize "domainsid" to be a security.dom_sid |
|
|
1667 |
if isinstance(domainsid, str): |
1668 |
domainsid = security.dom_sid(domainsid) |
1669 |
sd = security.descriptor.from_sddl(acl, domainsid) |
1670 |
## Mask AI and P in DACL flags for comparison |
1671 |
sd.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) |
1672 |
acl_sddl_masked = sd.as_sddl(domainsid) |
1673 |
|
1674 |
## Mask AI and P in DACL flags for comparison |
1675 |
fsacl_inheritance_flags = fsacl.type & (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) |
1676 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
1677 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
1678 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
1679 |
|
1680 |
## Mask AI and P in DACL flags for comparison |
1681 |
fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) |
1682 |
fsacl_sddl_mapped_and_masked = fsacl.as_sddl(domainsid) |
1683 |
|
1684 |
|
1685 |
if fsacl_sddl_mapped_and_masked != acl_sddl_masked: |
1686 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)) |
1667 |
|
1687 |
|
1668 |
for root, dirs, files in os.walk(path, topdown=False): |
1688 |
for root, dirs, files in os.walk(path, topdown=False): |
1669 |
for name in files: |
1689 |
for name in files: |
|
1672 |
if fsacl is None: |
1692 |
if fsacl is None: |
1673 |
raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) |
1693 |
raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) |
1674 |
fsacl_sddl = fsacl.as_sddl(domainsid) |
1694 |
fsacl_sddl = fsacl.as_sddl(domainsid) |
1675 |
if fsacl_sddl != acl: |
|
|
1676 |
raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl)) |
1677 |
|
1695 |
|
|
|
1696 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
1697 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
1698 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
1699 |
|
1700 |
## Mask AI and P in DACL flags for comparison |
1701 |
fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) |
1702 |
fsacl_sddl_mapped_and_masked = fsacl.as_sddl(domainsid) |
1703 |
|
1704 |
print "%s" % fsacl_sddl_mapped_and_masked |
1705 |
print "%s" % acl_sddl_masked |
1706 |
|
1707 |
if fsacl_sddl_mapped_and_masked != acl_sddl_masked: |
1708 |
raise ProvisioningError('%s NTACL of GPO file %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl)) |
1709 |
|
1678 |
for name in dirs: |
1710 |
for name in dirs: |
1679 |
fsacl = getntacl(lp, os.path.join(root, name), |
1711 |
fsacl = getntacl(lp, os.path.join(root, name), |
1680 |
direct_db_access=direct_db_access, service=SYSVOL_SERVICE) |
1712 |
direct_db_access=direct_db_access, service=SYSVOL_SERVICE) |
1681 |
if fsacl is None: |
1713 |
if fsacl is None: |
1682 |
raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) |
1714 |
raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) |
1683 |
fsacl_sddl = fsacl.as_sddl(domainsid) |
1715 |
fsacl_sddl = fsacl.as_sddl(domainsid) |
1684 |
if fsacl_sddl != acl: |
|
|
1685 |
raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl)) |
1686 |
|
1716 |
|
|
|
1717 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
1718 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
1719 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
1720 |
|
1721 |
## Mask AI and P in DACL flags for comparison |
1722 |
fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) |
1723 |
fsacl_sddl_mapped_and_masked = fsacl.as_sddl(domainsid) |
1724 |
|
1725 |
if fsacl_sddl_mapped_and_masked != acl_sddl_masked: |
1726 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl)) |
1687 |
|
1727 |
|
1688 |
def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, |
1728 |
def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, |
1689 |
direct_db_access): |
1729 |
direct_db_access): |
|
1715 |
acl = ndr_unpack(security.descriptor, |
1755 |
acl = ndr_unpack(security.descriptor, |
1716 |
str(policy["nTSecurityDescriptor"])).as_sddl() |
1756 |
str(policy["nTSecurityDescriptor"])).as_sddl() |
1717 |
policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"])) |
1757 |
policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"])) |
1718 |
check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp, |
1758 |
try: |
|
|
1759 |
check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp, |
1719 |
domainsid, direct_db_access) |
1760 |
domainsid, direct_db_access) |
|
|
1761 |
except Exception as e: |
1762 |
print e |
1763 |
continue |
1720 |
|
1764 |
|
1721 |
|
1765 |
|
1722 |
def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn, |
1766 |
def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn, |