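--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1691,11 +1691,79 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
 ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
 if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
 fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
+
+LA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR))
+DA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
+CO = security.dom_sid(security.SID_CREATOR_OWNER)
+
+PAI_filter = False
+PAI = (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
+
+if fsacl.type & PAI == PAI:
+PAI_filter = True
+
+sd = security.descriptor.from_sddl(acl, domainsid)
+sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED
+acl = sd.as_sddl(domainsid)
+
+sd3 = security.descriptor()
+sd3.owner_sid = sd.owner_sid
+sd3.group_sid = sd.group_sid
+sd3.type = sd.type
+sd3.type &= ~ security.SEC_DESC_DACL_PROTECTED
+sd3.revision = sd.revision
+
+sd2 = security.descriptor()
+sd2.owner_sid = sd.owner_sid
+sd2.group_sid = sd.group_sid
+sd2.type = sd.type
+sd2.type &= ~ security.SEC_DESC_DACL_PROTECTED
+sd2.revision = sd.revision
+skip_other_da_aces = False
+for i in range(0, len(sd.dacl.aces)):
+if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA):
+continue
+if sd.dacl.aces[i].trustee == DA:
+skip_other_da_aces = True
+if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER:
+continue
+#sd.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE
+sd3.dacl_add(sd.dacl.aces[i])
+sd.dacl.aces[i].flags |= security.SEC_ACE_FLAG_INHERITED_ACE
+sd.dacl.aces[i].flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT)
+sd2.dacl_add(sd.dacl.aces[i])
+acl2 = sd2.as_sddl(domainsid)
+acl3 = sd3.as_sddl(domainsid)
+#print "ACL1: %s" % acl
+#print "ACL2: %s" % acl2
+#print "ACL3: %s" % acl3
+else:
+sd = security.descriptor.from_sddl(acl, domainsid)
+
+sd3 = security.descriptor()
+sd3.owner_sid = sd.owner_sid
+sd3.group_sid = sd.group_sid
+sd3.type = sd.type
+sd3.revision = sd.revision
+
+skip_other_da_aces = False
+for i in range(0, len(sd.dacl.aces)):
+if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA):
+continue
+if sd.dacl.aces[i].trustee == DA:
+skip_other_da_aces = True
+if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER:
+continue
+sd3.dacl_add(sd.dacl.aces[i])
+acl3 = sd3.as_sddl(domainsid)
+acl2 = acl3
+#print "ACL1: %s" % acl
+#print "ACL3: %s" % acl3
 fsacl_sddl_mapped = fsacl.as_sddl(domainsid)
 
 
 if fsacl_sddl_mapped != acl:
-raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl))
+raise ProvisioningError('%s NTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl))
 
 for root, dirs, files in os.walk(path, topdown=False):
 for name in files: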
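Review bot: At 1702–1707 the on-disk descriptor's own flags decide which expected SDDL the directory is checked against: when `fsacl.type` carries PROTECTED|AUTO_INHERITED the GPO's `acl` is rewritten with `SEC_DESC_DACL_AUTO_INHERITED` before the comparison at 1765, so a filesystem ACL with those bits set passes even if the directory object's SDDL never had them — if the check is meant to report drift between the filesystem and the GPO object, that normalisation deserves at least a comment such as `# expected ACL is re-derived from the on-disk PAI state; flag-only drift is tolerated here` or a log line. The flag edits at 1732–1733 run after `sd3.dacl_add(sd.dacl.aces[i])` at 1731; if `dacl_add` stores the ACE by reference rather than copying it, `acl3` silently loses OBJECT_INHERIT/CONTAINER_INHERIT as well, so either copy the ACE or do both adds before mutating — worth confirming against the descriptor binding. `PAI_filter` (1699, 1703) is never read inside this hunk and looks like a leftover unless it is consumed further down the function. The sd3 construction is duplicated in both branches (1709–1714 and 1743–1747) and the index loops would read better as `for ace in sd.dacl.aces:`. The function body begins before this hunk.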
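--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1708,10 +1776,28 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
 ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
 if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
 fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
-fsacl_sddl_mapped = fsacl.as_sddl(domainsid)
 
-if fsacl_sddl_mapped != acl:
-raise ProvisioningError('%s NTACL of GPO file %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl))
+fsacl2 = security.descriptor()
+fsacl2.owner_sid = fsacl.owner_sid
+fsacl2.group_sid = fsacl.group_sid
+fsacl2.type = fsacl.type
+fsacl2.revision = fsacl.revision
+skip_other_da_aces = False
+for i in range(0, len(fsacl.dacl.aces)):
+if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA):
+continue
+if fsacl.dacl.aces[i].trustee == DA:
+skip_other_da_aces = True
+fsacl2.dacl_add(fsacl.dacl.aces[i])
+try:
+fsacl2.dacl_del(CO)
+except:
+pass
+
+fsacl_sddl_mapped = fsacl2.as_sddl(domainsid)
+
+if fsacl_sddl_mapped != acl2:
+raise ProvisioningError('%s NTACL of GPO file %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl2))
 
 for name in dirs:
 fsacl = getntacl(lp, os.path.join(root, name),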
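Review bot: The `try: fsacl2.dacl_del(CO)` / `except: pass` at 1792–1795 (and again at 1826–1829 in the next hunk) is a bare except, so it also hides KeyboardInterrupt and any real failure inside `dacl_del`, not just the absence of a CREATOR OWNER ACE; catch the specific exception `dacl_del` raises for a missing trustee (not visible here), or skip the call when no such ACE is present, e.g. `if any(str(a.trustee) == security.SID_CREATOR_OWNER for a in fsacl2.dacl.aces): fsacl2.dacl_del(CO)`. The filter at 1787–1790 also drops every DA/LA ACE after the first DA ACE from the filesystem side, so an additional allow or deny entry for Domain Admins or Administrator on a file is never reported; if that is intended (it mirrors the expected-side filter in the previous hunk) say so with `# only the first DA ACE is compared; later DA/LA ACEs are ignored on both sides`. The enclosing `for name in files:` loop and the function itself start before this hunk.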
Lines 1723-1732
def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
1723 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
1809 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
1724 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
1810 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
1725 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
1811 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
1726 |
fsacl_sddl_mapped = fsacl.as_sddl(domainsid) |
|
|
1727 |
|
1812 |
|
1728 |
if fsacl_sddl_mapped != acl: |
1813 |
fsacl2 = security.descriptor() |
1729 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl)) |
1814 |
fsacl2.owner_sid = fsacl.owner_sid |
|
|
1815 |
fsacl2.group_sid = fsacl.group_sid |
1816 |
fsacl2.type = fsacl.type |
1817 |
fsacl2.revision = fsacl.revision |
1818 |
skip_other_da_aces = False |
1819 |
for i in range(0, len(fsacl.dacl.aces)): |
1820 |
if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA): |
1821 |
continue |
1822 |
fsacl.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE |
1823 |
if fsacl.dacl.aces[i].trustee == DA: |
1824 |
skip_other_da_aces = True |
1825 |
fsacl2.dacl_add(fsacl.dacl.aces[i]) |
1826 |
try: |
1827 |
fsacl2.dacl_del(CO) |
1828 |
except: |
1829 |
pass |
1830 |
|
1831 |
fsacl_sddl_mapped = fsacl2.as_sddl(domainsid) |
1832 |
|
1833 |
if fsacl_sddl_mapped != acl3: |
1834 |
raise ProvisioningError('%s XNTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl3)) |
1730 |
|
1835 |
|
1731 |
def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, |
1836 |
def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, |
1732 |
direct_db_access): |
1837 |
direct_db_access): |
1733 |
- |
|
|