3 # implement samba_tool gpo commands
5 # Copyright Andrew Tridgell 2010
7 # based on C implementation by Guenther Deschner and Wilco Baan Hofman
9 # This program is free software; you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation; either version 3 of the License, or
12 # (at your option) any later version.
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 import samba.getopt as options
26 from samba.auth import system_session
27 from samba.netcmd import (
33 from samba.samdb import SamDB
34 from samba import drs_utils, nttime2string, dsdb
35 from samba.dcerpc import misc
38 def samdb_connect(ctx):
39 '''make a ldap connection to the server'''
41 ctx.samdb = SamDB(url=ctx.url,
42 session_info=system_session(),
43 credentials=ctx.creds, lp=ctx.lp)
45 raise CommandError("LDAP connection to %s failed " % ctx.url, e)
48 def attr_default(msg, attrname, default):
49 '''get an attribute from a ldap msg with a default'''
51 return msg[attrname][0]
55 def flags_string(flags, value):
56 '''return a set of flags as a string'''
60 for (str, val) in flags:
65 ret += '0x%08x' % value
69 def parse_gplink(gplink):
70 '''parse a gPLink into an array of dn and options'''
77 if len(d) != 2 or not d[0].startswith("[LDAP://"):
78 raise RuntimeError("Badly formed gPLink '%s'" % g)
79 ret.append({ 'dn' : d[0][8:], 'options' : int(d[1])})
83 class cmd_listall(Command):
86 synopsis = "%prog gpo listall"
88 takes_optiongroups = {
89 "sambaopts": options.SambaOptions,
90 "versionopts": options.VersionOptions,
91 "credopts": options.CredentialsOptions,
95 Option("-H", help="LDB URL for database or target server", type=str)
98 def run(self, H=None, sambaopts=None,
99 credopts=None, versionopts=None, server=None):
102 self.lp = sambaopts.get_loadparm()
104 self.creds = credopts.get_credentials(self.lp)
105 if not self.creds.authentication_requested():
106 self.creds.set_machine_account(self.lp)
110 policies_dn = self.samdb.get_default_basedn()
111 policies_dn.add_child(ldb.Dn(self.samdb, "CN=Policies,CN=System"))
114 ("GPO_FLAG_USER_DISABLE", dsdb.GPO_FLAG_USER_DISABLE ),
115 ( "GPO_FLAG_MACHINE_DISABLE", dsdb.GPO_FLAG_MACHINE_DISABLE ) ]
118 msg = self.samdb.search(base=policies_dn, scope=ldb.SCOPE_ONELEVEL,
119 expression="(objectClass=groupPolicyContainer)",
120 attrs=['nTSecurityDescriptor', 'versionNumber', 'flags', 'name', 'displayName', 'gPCFileSysPath'])
122 raise CommandError("Failed to list policies in %s" % policies_dn, e)
124 print("GPO : %s" % m['name'][0])
125 print("display name : %s" % m['displayName'][0])
126 print("path : %s" % m['gPCFileSysPath'][0])
127 print("dn : %s" % m.dn)
128 print("version : %s" % attr_default(m, 'version', '0'))
129 print("flags : %s" % flags_string(gpo_flags, int(attr_default(m, 'flags', 0))))
133 class cmd_list(Command):
134 """list GPOs for a user"""
136 synopsis = "%prog gpo list <username>"
138 takes_optiongroups = {
139 "sambaopts": options.SambaOptions,
140 "versionopts": options.VersionOptions,
141 "credopts": options.CredentialsOptions,
144 takes_args = [ 'username' ]
147 Option("-H", help="LDB URL for database or target server", type=str)
150 def run(self, username, H=None, sambaopts=None,
151 credopts=None, versionopts=None, server=None):
154 self.lp = sambaopts.get_loadparm()
156 self.creds = credopts.get_credentials(self.lp)
157 if not self.creds.authentication_requested():
158 self.creds.set_machine_account(self.lp)
163 user_dn = self.samdb.search(expression='(&(samAccountName=%s)(objectclass=User))' % username)[0].dn
165 raise CommandError("Failed to find user %s" % username, e)
167 # check if its a computer account
169 msg = self.samdb.search(base=user_dn, scope=ldb.SCOPE_BASE, attrs=['objectClass'])[0]
170 is_computer = 'computer' in msg['objectClass']
172 raise CommandError("Failed to find objectClass for user %s" % username, e)
174 print("TODO: get user token")
175 # token = self.samdb.get_user_token(username)
180 dn = ldb.Dn(self.samdb, str(user_dn)).parent()
182 msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions'])[0]
184 glist = parse_gplink(msg['gPLink'][0])
186 if not inherit and not (g['options'] & dsdb.GPLINK_OPT_ENFORCE):
188 if g['options'] & dsdb.GPLINK_OPT_DISABLE:
191 print("TODO: access checking")
192 #if not samdb.access_check(secdesc, token, security.SEC_RIGHTS_FILE_READ):
195 # check the flags on the GPO
196 flags = int(attr_default(self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE, attrs=['flags'])[0], 'flags', 0))
197 if is_computer and (flags & dsdb.GPO_FLAG_MACHINE_DISABLE):
199 if not is_computer and (flags & dsdb.GPO_FLAG_USER_DISABLE):
203 # check if this blocks inheritance
204 gpoptions = int(attr_default(msg, 'gPOptions', 0))
205 if gpoptions & dsdb.GPO_BLOCK_INHERITANCE:
208 if dn == self.samdb.get_default_basedn():
212 print("GPO's for user %s" % username)
214 print("\t%s" % g['dn'])
217 class cmd_gpo(SuperCommand):
221 subcommands["listall"] = cmd_listall()
222 subcommands["list"] = cmd_list()