
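--- a/samba/provision/__init__.py.orig
+++ b/samba/provision/__init__.py.orig
@@ -1484,12 +1484,17 @@
 SYSVOL_SERVICE="sysvol"
 
 def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE):
+    #print path
+    #print acl
+    #print use_ntvfs
     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
     for root, dirs, files in os.walk(path, topdown=False):
         for name in files:
             setntacl(lp, os.path.join(root, name), acl, domsid,
                     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
         for name in dirs:
+            #print os.path.join(root, name)
+            #print acl
             setntacl(lp, os.path.join(root, name), acl, domsid,
                     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
 
@@ -1627,8 +1632,23 @@
 def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
     fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
     fsacl_sddl = fsacl.as_sddl(domainsid)
-    if fsacl_sddl != acl:
-        raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
+        
+    #Main fix starts here / 17-08-2016 / hupertz@univention.de
+    """changed acl in if-statements to acl_sddl"""
+    if isinstance(domainsid, str):
+        sid = security.dom_sid(domainsid)
+    elif isinstance(domainsid, security.dom_sid):
+        sid = domainsid
+        domainsid = str(sid)
+
+    sd = security.descriptor.from_sddl(acl, sid)
+    if sd.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)):
+    	sd.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR))
+    acl_sddl = sd.as_sddl(sid)
+    #Main fix ends here
+    
+    if fsacl_sddl != acl_sddl:
+	raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl_sddl))
 
     for root, dirs, files in os.walk(path, topdown=False):
         for name in files:
@@ -1636,19 +1656,20 @@
                              direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
             if fsacl is None:
                 raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
-            fsacl_sddl = fsacl.as_sddl(domainsid)
-            if fsacl_sddl != acl:
-                raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
-
+            fsacl_sddl = fsacl.as_sddl(sid)
+            	                	     
+            if fsacl_sddl != acl_sddl:
+                raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl))
+            
         for name in dirs:
             fsacl = getntacl(lp, os.path.join(root, name),
                              direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
             if fsacl is None:
                 raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
-            fsacl_sddl = fsacl.as_sddl(domainsid)
-            if fsacl_sddl != acl:
-                raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
+            fsacl_sddl = fsacl.as_sddl(sid)
 
+            if fsacl_sddl != acl_sddl:
+                raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl))
 
 def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
         direct_db_access):
@@ -1680,8 +1701,12 @@
         acl = ndr_unpack(security.descriptor,
                          str(policy["nTSecurityDescriptor"])).as_sddl()
         policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
-        check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
+        try:
+	    check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
                       domainsid, direct_db_access)
+        except Exception as e:
+            print e
+            continue
 
 
 def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,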
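Review bot: The new `except Exception as e: print e; continue` around check_dir_acl in check_gpos_acl (last hunk, new lines 1707-1709) turns every failure of the check — including a genuine ACL mismatch on a GPO directory, which is exactly what this routine exists to report — into a line on stdout, so a caller of check_gpos_acl now sees success for a sysvol whose policy ACLs are wrong. If the intent is to keep checking the remaining GPOs instead of stopping at the first one, catch only `ProvisioningError`, collect the messages (`failures.append(str(e))` in place of `print e`, with `failures = []` initialised before the loop) and raise a single `ProvisioningError` after the loop when the list is non-empty; any other exception type should keep propagating. The enclosing loop and check_gpos_acl's signature start outside the hunk. Related, in the second hunk check_dir_acl now rewrites an expected owner of Domain Admins to Administrator before comparing (new lines 1645-1646), so the check accepts an on-disk owner that differs from the GPO object; that deserves a comment stating why the substitution is correct, and `sid` is left unbound when `domainsid` is neither a `str` nor a `security.dom_sid`, which would surface as a NameError rather than a ProvisioningError.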
