from samba.gp_parse.gp_inf import GptTmplInfParser
from samba.gp_parse.gp_aas import GPAasParser
+from samba.provision import DEFAULT_POLICY_GUID, DEFAULT_DC_POLICY_GUID, SYSVOL_SUBFOLDER_SD
+
def attr_default(msg, attrname, default):
'''get an attribute from a ldap msg with a default'''
for m in msg:
# verify UNC path
- unc = str(m['gPCFileSysPath'][0])
+ try:
+ unc = str(m['gPCFileSysPath'][0])
+ except Exception:
+ continue
+
try:
[dom_name, service, sharepath] = parse_unc(unc)
except ValueError:
conn = smb_connection(dc_hostname, service, lp=self.lp,
creds=self.creds)
- fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
+ try:
+ fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
+ except Exception:
+ raise CommandError("Failed to get security_descriptor of '%s' using SMB" % sharepath)
if 'nTSecurityDescriptor' not in m:
raise CommandError("Could not read nTSecurityDescriptor. "
ds_sd_ndr = m['nTSecurityDescriptor'][0]
ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
- # Create a file system security descriptor
domain_sid = security.dom_sid(self.samdb.get_domain_sid())
- expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
+ name = m['name'][0]
+ if DEFAULT_POLICY_GUID in name or DEFAULT_DC_POLICY_GUID in name:
+ expected_fs_sd = security.descriptor.from_sddl(SYSVOL_SUBFOLDER_SD, domain_sid)
+ expected_fs_sd.sacl = None
+ expected_fs_sddl = expected_fs_sd.as_sddl(domain_sid)
+ else:
+ ds_sd_ndr = m['nTSecurityDescriptor'][0]
+ ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
+
+ # Create a file system security descriptor
+ expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
if (fs_sd.as_sddl(domain_sid) != expected_fs_sddl):
raise CommandError("Invalid GPO ACL %s on path (%s), should be %s" % (fs_sd.as_sddl(domain_sid), sharepath, expected_fs_sddl))
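Review bot: `name = m['name'][0]` on the new line ahead of the default-policy test is not wrapped in `str()` the way the same hunk does for `unc = str(m['gPCFileSysPath'][0])`; if the element value is bytes, `DEFAULT_POLICY_GUID in name` raises TypeError before any ACL is compared, so it should read `name = str(m['name'][0])`. The new `except Exception: continue` around the gPCFileSysPath read silently drops a GPO from the ACL check, which for a tool whose purpose is to flag bad ACLs hides exactly the entries worth reporting; narrow it to `except KeyError:` and write a warning naming the skipped entry rather than continuing quietly. The `except Exception:` around `conn.get_acl` should bind and chain the cause (`except Exception as e:` / `raise CommandError(...) from e`) so the underlying SMB error is not lost. The `ds_sd_ndr`/`ds_sd` pair in the new else branch duplicates the unchanged two lines just above the `domain_sid` assignment, so those earlier lines and the nTSecurityDescriptor presence check, which now also runs for default GPOs that never use it, belong inside the else branch. The enclosing loop body starts and ends outside the hunk.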