|
1686 |
return |
1686 |
return |
1687 |
else: |
1687 |
else: |
1688 |
raise |
1688 |
raise |
1689 |
"""changed acl in if-statements to acl_sddl""" |
1689 |
|
|
|
1690 |
## Sanitize "domainsid" to be a string and "sid" to be the security.dom_sid |
1690 |
if isinstance(domainsid, str): |
1691 |
if isinstance(domainsid, str): |
1691 |
sid = security.dom_sid(domainsid) |
1692 |
sid = security.dom_sid(domainsid) |
1692 |
elif isinstance(domainsid, security.dom_sid): |
1693 |
elif isinstance(domainsid, security.dom_sid): |
1693 |
sid = domainsid |
1694 |
sid = domainsid |
1694 |
domainsid = str(sid) |
1695 |
domainsid = str(sid) |
1695 |
|
1696 |
|
|
|
1697 |
## Mask AI and P in DACL flags for comparison |
1698 |
fsacl_type_tmp = fsacl.type |
1699 |
fsacl_owner_sid_tmp = fsacl.owner_sid |
1700 |
fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) |
1701 |
## If DA in filesystem then treat it as LA for comparison (workaround for sysvolcheck, GPMC against Samba 4.7 seems to write this?) |
1702 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)): |
1703 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)) |
1704 |
fsacl_sddl_filtered = fsacl.as_sddl(sid) |
1705 |
fsacl.type = fsacl_type_tmp |
1706 |
fsacl.owner_sid = fsacl_owner_sid_tmp |
1707 |
|
1696 |
sd = security.descriptor.from_sddl(acl, sid) |
1708 |
sd = security.descriptor.from_sddl(acl, sid) |
|
|
1709 |
acl_sddl = sd.as_sddl(sid) |
1710 |
## Mask AI and P in DACL flags for comparison |
1711 |
sd.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) |
1712 |
## If DA in DSACL then treat it as LA for comparison (this seems to be what sysvolreset does) |
1697 |
if sd.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)): |
1713 |
if sd.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)): |
1698 |
sd.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)) |
1714 |
sd.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)) |
1699 |
acl_sddl = sd.as_sddl(sid) |
1715 |
acl_sddl_filtered = sd.as_sddl(sid) |
1700 |
|
1716 |
|
1701 |
if fsacl_sddl != acl_sddl: |
1717 |
if fsacl_sddl_filtered != acl_sddl_filtered: |
1702 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl_sddl)) |
1718 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl_sddl)) |
1703 |
|
1719 |
|
|
|
1720 |
## similar to dsacl2fsacl: Mask the OI CI and ID in ACE flags for comparison |
1721 |
aces = sd.dacl.aces |
1722 |
for i in range(0, len(aces)): |
1723 |
ace = aces[i] |
1724 |
if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K: |
1725 |
ace.flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT | security.SEC_ACE_FLAG_INHERITED_ACE) |
1726 |
acl_sddl_filtered = sd.as_sddl(sid) |
1727 |
|
1704 |
for root, dirs, files in os.walk(path, topdown=False): |
1728 |
for root, dirs, files in os.walk(path, topdown=False): |
1705 |
for name in files: |
1729 |
for name in files: |
1706 |
fsacl = getntacl(lp, os.path.join(root, name), |
1730 |
fsacl = getntacl(lp, os.path.join(root, name), |
|
1708 |
if fsacl is None: |
1732 |
if fsacl is None: |
1709 |
raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) |
1733 |
raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) |
1710 |
fsacl_sddl = fsacl.as_sddl(sid) |
1734 |
fsacl_sddl = fsacl.as_sddl(sid) |
1711 |
|
1735 |
## Mask AI and P in DACL flags for comparison |
1712 |
if fsacl_sddl != acl_sddl: |
1736 |
fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) |
|
|
1737 |
## similar to dsacl2fsacl: Mask the OI CI and ID in ACE flags for comparison |
1738 |
aces = fsacl.dacl.aces |
1739 |
for i in range(0, len(aces)): |
1740 |
ace = aces[i] |
1741 |
if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K: |
1742 |
ace.flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT | security.SEC_ACE_FLAG_INHERITED_ACE) |
1743 |
fsacl_sddl_filtered = fsacl.as_sddl(sid) |
1744 |
if fsacl_sddl_filtered != acl_sddl_filtered: |
1713 |
raise ProvisioningError('%s NTACL of GPO file %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl)) |
1745 |
raise ProvisioningError('%s NTACL of GPO file %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl)) |
1714 |
|
1746 |
|
1715 |
for name in dirs: |
1747 |
for name in dirs: |
|
1718 |
if fsacl is None: |
1750 |
if fsacl is None: |
1719 |
raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) |
1751 |
raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) |
1720 |
fsacl_sddl = fsacl.as_sddl(sid) |
1752 |
fsacl_sddl = fsacl.as_sddl(sid) |
|
|
1753 |
## Mask AI and P in DACL flags for comparison |
1754 |
fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) |
1755 |
## similar to dsacl2fsacl: Mask the OI CI and ID in ACE flags for comparison |
1756 |
aces = fsacl.dacl.aces |
1757 |
for i in range(0, len(aces)): |
1758 |
ace = aces[i] |
1759 |
if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K: |
1760 |
ace.flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT | security.SEC_ACE_FLAG_INHERITED_ACE) |
1761 |
fsacl_sddl_filtered = fsacl.as_sddl(sid) |
1721 |
|
1762 |
|
1722 |
if fsacl_sddl != acl_sddl: |
1763 |
if fsacl_sddl_filtered != acl_sddl_filtered: |
1723 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl)) |
1764 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl)) |
1724 |
|
1765 |
|
1725 |
def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, |
1766 |
def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, |