From e9caf7d06352b557ef1e2d41a2325f29a4a2506a Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova <nadezhda.ivanova@postpath.com>
Date: Fri, 29 May 2009 14:45:24 +0300
Subject: [PATCH] A script to compare the differences in nTSecurityDescriptor
 between 2 hosts

This script walks the schema, configuration and domain partitions of the locally
installed Ldb and a remote hosts and compares the descriptors disregarding the
difference in domain SID. The goal is to make sure a freshly provisioned Samba
has the correct descriptors so ACLs work correctly. It outputs the descriptors
in short SDDL, where the correct SIDs are to be replaced during provisioning.
Optionally it can be output as an LDIF file with the current local domain and
domain SIDs.
---
 source4/scripting/bin/get-descriptors | 153 ++++++++++++++++++++++++++
 1 file changed, 153 insertions(+)
 create mode 100755 source4/scripting/bin/get-descriptors

diff --git a/source4/scripting/bin/get-descriptors b/source4/scripting/bin/get-descriptors
new file mode 100755
index 0000000000..f22500b0ba
--- /dev/null
+++ b/source4/scripting/bin/get-descriptors
@@ -0,0 +1,153 @@
+#!/usr/bin/python
+#
+# Unix SMB/CIFS implementation.
+# A script to compare differences of security descriotors between
+# a remote host and the local Ldb
+# Needs the local domain, the remote domain, IP of the remote host
+# Username and password for the remote domain, must be at least
+# Domain Administrator
+#
+# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
+# Copyright (C) Nadezhda Ivanova <nadezhda.ivanova@postpath.com> 2009
+#
+# Based on the original in EJS:
+# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import getopt
+import optparse
+import sys
+import os
+import base64
+import re
+
+sys.path.insert(0, "bin/python")
+
+import samba
+from samba.auth import system_session
+import samba.getopt as options
+from samba import param
+from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc import security
+from samba import Ldb
+from samba.samdb import SamDB
+from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
+
+parser = optparse.OptionParser("get-descriptor [options]")
+sambaopts = options.SambaOptions(parser)
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+
+parser.add_option("--local-domain", type="string", metavar="LOCALDOMAIN",
+                  help="set local domain")
+parser.add_option("--remote-domain", type="string", metavar="REMOTEDOMAIN",
+                  help="set remote domain")
+parser.add_option("--host", type="string", metavar="HOST",
+                  help="Ip of the remote host used for comparison")
+parser.add_option("--as-ldif", help="Output in LDIF format", action="store_true")
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+opts = parser.parse_args()[0]
+
+class DescrGetter:
+    def __init__(self, localdomain, remotedomain):
+        self.samdb = SamDB(session_info=system_session(), lp=lp, options=["modules:paged_searches"])
+        self.remote_ldb= Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp,
+                             options=["modules:paged_searches"])
+        self.local_domain = localdomain.replace(".", ",DC=")
+        self.local_domain = "DC=" + self.local_domain
+        self.remote_domain = remotedomain.replace(".", ",DC=")
+        self.remote_domain = "DC=" + self.remote_domain
+        self.local_map = {}
+        self.remote_map = {}
+
+    def get_domain_local_sid(self):
+        res = self.samdb.search(base=self.local_domain,expression="(objectClass=*)", scope=SCOPE_BASE)
+        self.local_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+
+    def get_domain_remote_sid(self):
+        res = self.remote_ldb.search(base=self.remote_domain, expression="(objectClass=*)", scope=SCOPE_BASE)
+        self.remote_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+
+    def add_to_ldif(self, dn, descr):
+        ldif_entry = ["dn: " + dn,
+                      "changetype: modify",
+                      "replace: nTSecurityDescriptor",
+                      "nTSecurityDescriptor::  " + base64.b64encode(ndr_pack(descr))]
+
+        for line in ldif_entry:
+            length = 79
+            if len(line) <= length + 1:
+                print line
+            else:
+                for i in range(len(line) / length + 1):
+                    if i == 0:
+                        l = line[i * length:((i + 1) * length)]
+                    else:
+                        l = " " + line[(i * length):((i + 1) * length)]
+                    print l
+        print "\n"
+
+    def write_as_sddl(self, dn, descr):
+        print dn
+        print descr + "\n"
+
+    def read_descr_by_base(self, search_base):
+        res = self.samdb.search(base=search_base + self.local_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
+        for entry in res:
+            dn = entry["dn"].__str__().replace(self.local_domain, "")
+
+            if "nTSecurityDescriptor" in entry:
+                desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
+                self.local_map[dn] = desc_obj
+
+        res = self.remote_ldb.search(base=search_base + self.remote_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
+        for entry in res:
+            dn = entry["dn"].__str__().replace(self.remote_domain, "")
+
+            if "nTSecurityDescriptor" in entry:
+                desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
+                self.remote_map[dn] = desc_obj
+
+    def read_desc(self):
+        self.read_descr_by_base("CN=Schema,CN=Configuration,")
+        self.read_descr_by_base("CN=Configuration,")
+        self.read_descr_by_base("")
+
+    def write_desc_to_ldif(self):
+        key_list_local = self.local_map.keys()
+        key_list_remote = self.remote_map.keys()
+        for key in key_list_remote:
+            if key in key_list_local:
+                sddl = self.remote_map[key].as_sddl(self.remote_sid)
+                sddl_local = self.local_map[key].as_sddl(self.local_sid)
+                if sddl != sddl_local:
+                    descr = security.descriptor.from_sddl(sddl, self.local_sid)
+                if opts.as_ldif:
+                    self.add_to_ldif(key + self.local_domain, descr)
+                else:
+                    self.write_as_sddl(key, descr.as_sddl(self.local_sid))
+
+    def run(self):
+        self.get_domain_local_sid()
+        self.get_domain_remote_sid()
+        self.read_desc()
+        self.write_desc_to_ldif()
+
+desc = DescrGetter(opts.local_domain, opts.remote_domain)
+desc.run()
-- 
2.34.1