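--- a/FILE_PATH_PLACEHOLDER
+++ b/FILE_PATH_PLACEHOLDER
@@ -1484,12 +1484,17 @@ POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001
 SYSVOL_SERVICE="sysvol"
 
 def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE):
+#print path
+#print acl
+#print use_ntvfs
 setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
 for root, dirs, files in os.walk(path, topdown=False):
 for name in files:
 setntacl(lp, os.path.join(root, name), acl, domsid,
 use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
 for name in dirs:
+#print os.path.join(root, name)
+#print acl
 setntacl(lp, os.path.join(root, name), acl, domsid,
 use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
 
@@ -1627,8 +1632,23 @@ def acl_type(direct_db_access):
 def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
 fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
 fsacl_sddl = fsacl.as_sddl(domainsid)
-if fsacl_sddl != acl:
-raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
+
+#Main fix starts here / 17-08-2016 / hupertz@univention.de
+"""changed acl in if-statements to acl_sddl"""
+if isinstance(domainsid, str):
+sid = security.dom_sid(domainsid)
+elif isinstance(domainsid, security.dom_sid):
+sid = domainsid
+domainsid = str(sid)
+
+sd = security.descriptor.from_sddl(acl, sid)
+if sd.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)):
+sd.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR))
+acl_sddl = sd.as_sddl(sid)
+#Main fix ends here
+
+if fsacl_sddl != acl_sddl:
+raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl_sddl))
 
 for root, dirs, files in os.walk(path, topdown=False):
 for name in files:
@@ -1636,19 +1656,20 @@ def check_dir_acl(path, acl, lp, domains
 direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
 if fsacl is None:
 raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
-fsacl_sddl = fsacl.as_sddl(domainsid)
-if fsacl_sddl != acl:
-raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
-
+fsacl_sddl = fsacl.as_sddl(sid)
+
+if fsacl_sddl != acl_sddl:
+raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl))
+
 for name in dirs:
 fsacl = getntacl(lp, os.path.join(root, name),
 direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
 if fsacl is None:
 raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
-fsacl_sddl = fsacl.as_sddl(domainsid)
-if fsacl_sddl != acl:
-raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
+fsacl_sddl = fsacl.as_sddl(sid)
 
+if fsacl_sddl != acl_sddl:
+raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl))
 
 def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
 direct_db_access):
@@ -1680,8 +1701,12 @@ def check_gpos_acl(sysvol, dnsdomain, do
 acl = ndr_unpack(security.descriptor,
 str(policy["nTSecurityDescriptor"])).as_sddl()
 policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
-check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
+try:
+check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
 domainsid, direct_db_access)
+except Exception as e:
+print e
+continue
 
 
 def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,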
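Review bot: The new `try` / `except Exception as e: print e; continue` around `check_dir_acl` in `check_gpos_acl` (new lines 1704-1709) turns every ACL verification failure on a GPO directory — mismatch, missing ACL, or any other error — into a printed message, so the function now returns normally for SYSVOL policies whose ACLs do not match the GPO object and its caller cannot tell that the check failed. If skipping individual policies is intended, narrow the handler to `except ProvisioningError as e:`, keep the message, and collect the failures so one `ProvisioningError` can be raised after the loop; the loop this sits in starts outside the hunk. In the block added to `check_dir_acl` (new lines 1638-1644), `sid` is only bound when `domainsid` is a `str` or a `security.dom_sid`, so any other value reaches `security.descriptor.from_sddl(acl, sid)` as a `NameError`; an explicit `else: raise ProvisioningError(...)` would make that a clear error instead. The commented-out `#print` lines added in `set_dir_acl` and the bare string `"""changed acl in if-statements to acl_sddl"""` are debug leftovers rather than comments and are better removed or turned into `#` comments.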