Lines 1496-1528
def set_nt_acl_wrapper(lp, file, sddl, domsid, backend=None, eadbfile=None,
1496 |
raise |
1496 |
raise |
1497 |
|
1497 |
|
1498 |
|
1498 |
|
1499 |
def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE): |
1499 |
def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE, logger=None, resume_on_error=False): |
1500 |
setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service) |
1500 |
set_nt_acl_wrapper(lp, path, acl, domsid, use_ntvfs=use_ntvfs, |
|
|
1501 |
skip_invalid_chown=True, passdb=passdb, service=service, |
1502 |
logger=logger, resume_on_error=resume_on_error) |
1501 |
for root, dirs, files in os.walk(path, topdown=False): |
1503 |
for root, dirs, files in os.walk(path, topdown=False): |
1502 |
for name in files: |
1504 |
for name in files: |
1503 |
setntacl(lp, os.path.join(root, name), acl, domsid, |
1505 |
set_nt_acl_wrapper(lp, os.path.join(root, name), acl, domsid, |
1504 |
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service) |
1506 |
use_ntvfs=use_ntvfs, skip_invalid_chown=True, |
|
|
1507 |
passdb=passdb, service=service, logger=logger, |
1508 |
resume_on_error=resume_on_error) |
1505 |
for name in dirs: |
1509 |
for name in dirs: |
1506 |
setntacl(lp, os.path.join(root, name), acl, domsid, |
1510 |
set_nt_acl_wrapper(lp, os.path.join(root, name), acl, domsid, |
1507 |
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service) |
1511 |
use_ntvfs=use_ntvfs, skip_invalid_chown=True, |
|
|
1512 |
passdb=passdb, service=service, logger=logger, |
1513 |
resume_on_error=resume_on_error) |
1508 |
|
1514 |
|
1509 |
|
1515 |
|
1510 |
def set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb): |
1516 |
def set_gpos_acl(sysvol, logger, dnsdomain, domainsid, domaindn, samdb, lp, |
|
|
1517 |
use_ntvfs, passdb, resume_on_error): |
1511 |
"""Set ACL on the sysvol/<dnsname>/Policies folder and the policy |
1518 |
"""Set ACL on the sysvol/<dnsname>/Policies folder and the policy |
1512 |
folders beneath. |
1519 |
folders beneath. |
1513 |
|
1520 |
|
1514 |
:param sysvol: Physical path for the sysvol folder |
1521 |
:param sysvol: Physical path for the sysvol folder |
|
|
1522 |
:param logger: Logger object |
1515 |
:param dnsdomain: The DNS name of the domain |
1523 |
:param dnsdomain: The DNS name of the domain |
1516 |
:param domainsid: The SID of the domain |
1524 |
:param domainsid: The SID of the domain |
1517 |
:param domaindn: The DN of the domain (ie. DC=...) |
1525 |
:param domaindn: The DN of the domain (ie. DC=...) |
1518 |
:param samdb: An LDB object on the SAM db |
1526 |
:param samdb: An LDB object on the SAM db |
1519 |
:param lp: an LP object |
1527 |
:param lp: an LP object |
|
|
1528 |
:param resume_on_error: A boolean that indicates if the function should |
1529 |
only log a NTSTATUSError and continue. |
1520 |
""" |
1530 |
""" |
1521 |
|
1531 |
|
1522 |
# Set ACL for GPO root folder |
1532 |
# Set ACL for GPO root folder |
1523 |
root_policy_path = os.path.join(sysvol, dnsdomain, "Policies") |
1533 |
root_policy_path = os.path.join(sysvol, dnsdomain, "Policies") |
1524 |
setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), |
1534 |
set_nt_acl_wrapper(lp, root_policy_path, POLICIES_ACL, str(domainsid), |
1525 |
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE) |
1535 |
use_ntvfs=use_ntvfs, skip_invalid_chown=True, |
|
|
1536 |
passdb=passdb, service=SYSVOL_SERVICE, logger=logger, |
1537 |
resume_on_error=resume_on_error) |
1526 |
|
1538 |
|
1527 |
res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn), |
1539 |
res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn), |
1528 |
attrs=["cn", "nTSecurityDescriptor"], |
1540 |
attrs=["cn", "nTSecurityDescriptor"], |
Lines 1534-1547
def set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, p
1534 |
policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"])) |
1546 |
policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"])) |
1535 |
set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp, |
1547 |
set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp, |
1536 |
str(domainsid), use_ntvfs, |
1548 |
str(domainsid), use_ntvfs, |
1537 |
passdb=passdb) |
1549 |
passdb=passdb, logger=logger, |
|
|
1550 |
resume_on_error=resume_on_error) |
1538 |
|
1551 |
|
1539 |
|
1552 |
|
1540 |
def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain, |
1553 |
def setsysvolacl(samdb, logger, netlogon, sysvol, uid, gid, domainsid, |
1541 |
domaindn, lp, use_ntvfs): |
1554 |
dnsdomain, domaindn, lp, use_ntvfs, resume_on_error): |
1542 |
"""Set the ACL for the sysvol share and the subfolders |
1555 |
"""Set the ACL for the sysvol share and the subfolders |
1543 |
|
1556 |
|
1544 |
:param samdb: An LDB object on the SAM db |
1557 |
:param samdb: An LDB object on the SAM db |
|
|
1558 |
:param logger: Logger object |
1545 |
:param netlogon: Physical path for the netlogon folder |
1559 |
:param netlogon: Physical path for the netlogon folder |
1546 |
:param sysvol: Physical path for the sysvol folder |
1560 |
:param sysvol: Physical path for the sysvol folder |
1547 |
:param uid: The UID of the "Administrator" user |
1561 |
:param uid: The UID of the "Administrator" user |
Lines 1549-1554
def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
1549 |
:param domainsid: The SID of the domain |
1563 |
:param domainsid: The SID of the domain |
1550 |
:param dnsdomain: The DNS name of the domain |
1564 |
:param dnsdomain: The DNS name of the domain |
1551 |
:param domaindn: The DN of the domain (ie. DC=...) |
1565 |
:param domaindn: The DN of the domain (ie. DC=...) |
|
|
1566 |
:param resume_on_error: A boolean that indicates if the function should |
1567 |
only log a NTSTATUSError and continue. |
1552 |
""" |
1568 |
""" |
1553 |
s4_passdb = None |
1569 |
s4_passdb = None |
1554 |
|
1570 |
|
Lines 1611-1635
def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
1611 |
canchown = True |
1627 |
canchown = True |
1612 |
|
1628 |
|
1613 |
# Set the SYSVOL_ACL on the sysvol folder and subfolder (first level) |
1629 |
# Set the SYSVOL_ACL on the sysvol folder and subfolder (first level) |
1614 |
setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs, |
1630 |
set_nt_acl_wrapper(lp, sysvol, SYSVOL_ACL, str(domainsid), |
1615 |
skip_invalid_chown=True, passdb=s4_passdb, |
1631 |
use_ntvfs=use_ntvfs, skip_invalid_chown=True, |
1616 |
service=SYSVOL_SERVICE) |
1632 |
passdb=s4_passdb, service=SYSVOL_SERVICE, logger=logger, |
|
|
1633 |
resume_on_error=resume_on_error) |
1617 |
for root, dirs, files in os.walk(sysvol, topdown=False): |
1634 |
for root, dirs, files in os.walk(sysvol, topdown=False): |
1618 |
for name in files: |
1635 |
for name in files: |
1619 |
if use_ntvfs and canchown: |
1636 |
if use_ntvfs and canchown: |
1620 |
os.chown(os.path.join(root, name), -1, gid) |
1637 |
os.chown(os.path.join(root, name), -1, gid) |
1621 |
setntacl(lp, os.path.join(root, name), SYSVOL_ACL, str(domainsid), |
1638 |
set_nt_acl_wrapper(lp, os.path.join(root, name), SYSVOL_ACL, |
1622 |
use_ntvfs=use_ntvfs, skip_invalid_chown=True, |
1639 |
str(domainsid), use_ntvfs=use_ntvfs, |
1623 |
passdb=s4_passdb, service=SYSVOL_SERVICE) |
1640 |
skip_invalid_chown=True, passdb=s4_passdb, |
|
|
1641 |
service=SYSVOL_SERVICE, logger=logger, |
1642 |
resume_on_error=resume_on_error) |
1624 |
for name in dirs: |
1643 |
for name in dirs: |
1625 |
if use_ntvfs and canchown: |
1644 |
if use_ntvfs and canchown: |
1626 |
os.chown(os.path.join(root, name), -1, gid) |
1645 |
os.chown(os.path.join(root, name), -1, gid) |
1627 |
setntacl(lp, os.path.join(root, name), SYSVOL_ACL, str(domainsid), |
1646 |
set_nt_acl_wrapper(lp, os.path.join(root, name), SYSVOL_ACL, |
1628 |
use_ntvfs=use_ntvfs, skip_invalid_chown=True, |
1647 |
str(domainsid), use_ntvfs=use_ntvfs, |
1629 |
passdb=s4_passdb, service=SYSVOL_SERVICE) |
1648 |
skip_invalid_chown=True, passdb=s4_passdb, |
|
|
1649 |
service=SYSVOL_SERVICE, logger=logger, |
1650 |
resume_on_error=resume_on_error) |
1630 |
|
1651 |
|
1631 |
# Set acls on Policy folder and policies folders |
1652 |
# Set acls on Policy folder and policies folders |
1632 |
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) |
1653 |
set_gpos_acl(sysvol, logger, dnsdomain, domainsid, domaindn, samdb, lp, |
|
|
1654 |
use_ntvfs, passdb=s4_passdb, resume_on_error=resume_on_error) |
1633 |
|
1655 |
|
1634 |
def acl_type(direct_db_access): |
1656 |
def acl_type(direct_db_access): |
1635 |
if direct_db_access: |
1657 |
if direct_db_access: |
Lines 1824-1832
def provision_fill(samdb, secrets_ldb, logger, names, paths,
1824 |
# Continue setting up sysvol for GPO. This appears to require being |
1846 |
# Continue setting up sysvol for GPO. This appears to require being |
1825 |
# outside a transaction. |
1847 |
# outside a transaction. |
1826 |
if not skip_sysvolacl: |
1848 |
if not skip_sysvolacl: |
1827 |
setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid, |
1849 |
setsysvolacl(samdb, logger, paths.netlogon, paths.sysvol, |
1828 |
paths.root_gid, names.domainsid, names.dnsdomain, |
1850 |
paths.root_uid, paths.root_gid, names.domainsid, |
1829 |
names.domaindn, lp, use_ntvfs) |
1851 |
names.dnsdomain, names.domaindn, lp, use_ntvfs, |
|
|
1852 |
resume_on_error=False) |
1830 |
else: |
1853 |
else: |
1831 |
logger.info("Setting acl on sysvol skipped") |
1854 |
logger.info("Setting acl on sysvol skipped") |
1832 |
|
1855 |
|
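Review bot: In the first hunk (new line 1499) `set_dir_acl` gains `logger=None, resume_on_error=False` but no docstring, and nothing prevents a caller from passing `resume_on_error=True` together with `logger=None`; the NTSTATUSError is then presumably handed to a `None` logger inside `set_nt_acl_wrapper`, whose body lies outside this hunk. Add a docstring that states what the resume mode leaves behind — a path whose `setntacl` call failed keeps whatever ACL it already had, so the tree is only correctly secured once the log has been reviewed — and guard the combination up front with `if resume_on_error and logger is None: raise ValueError("resume_on_error requires a logger")`. A second, stylistic point: `set_gpos_acl` (new line 1516) and `setsysvolacl` (new line 1553) insert `logger` as the second positional parameter and make `resume_on_error` mandatory, whereas `set_dir_acl` appends both with defaults; any positional caller not updated in this patch would now bind its arguments one position off, so appending the new parameters at the end, as `set_dir_acl` does, would be the consistent and safer shape for all three.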