}
for (i = 0; i < sa->num_aces; i++) {
- if (sa->aces[i].flags & SEC_ACE_FLAG_INHERIT_ONLY) {
- continue;
- }
se_map_generic(&sa->aces[i].access_mask, mapping);
}
}
}
}
- if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
- creator = &ace->trustee;
- ptrustee = &ace->trustee;
- }
-
/* The CREATOR sids are special when inherited */
if (dom_sid_equal(ptrustee, &global_sid_Creator_Owner)) {
creator = &global_sid_Creator_Owner;
}
}
- security_acl_map_generic(new_dacl, &file_generic_mapping);
-
*ppsd = make_sec_desc(ctx,
SECURITY_DESCRIPTOR_REVISION_1,
SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT|
def get_domain_descriptor(domain_sid, name_map={}):
- sddl = "O:BAG:BAD:AI" \
- "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+ sddl = "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
"(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
"(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
"(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
"(A;;RPLCLORC;;;ED)" \
"(A;;RPLCLORC;;;AU)" \
"(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
- "S:AI" \
- "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
+ "S:AI(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
"(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
- "(AU;SA;CR;;;DU)" \
- "(AU;SA;CR;;;BA)" \
- "(AU;SA;WPWOWD;;;WD)"
+ "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)"
return sddl2binary(sddl, domain_sid, name_map)
from samba.gp_parse.gp_inf import GptTmplInfParser
from samba.gp_parse.gp_aas import GPAasParser
-from samba.provision import DEFAULT_POLICY_GUID, DEFAULT_DC_POLICY_GUID, SYSVOL_SUBFOLDER_SD
-
def attr_default(msg, attrname, default):
'''get an attribute from a ldap msg with a default'''
# Create a file system security descriptor
domain_sid = security.dom_sid(self.samdb.get_domain_sid())
- fs_sd = dsacl2fsacl(ds_sd, domain_sid, as_sddl=False)
- fs_sd.type = security.SEC_DESC_SELF_RELATIVE
- fs_sd.type |= security.SEC_DESC_DACL_PROTECTED
- fs_sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED
- fs_sd.type |= security.SEC_DESC_DACL_AUTO_INHERIT_REQ
- fs_sd.type |= security.SEC_DESC_SACL_AUTO_INHERITED
+ sddl = dsacl2fsacl(ds_sd, domain_sid)
+ fs_sd = security.descriptor.from_sddl(sddl, domain_sid)
# Copy GPO directory
create_directory_hier(conn, sharepath)
- fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
# Set ACL
sio = (security.SECINFO_OWNER |
security.SECINFO_GROUP |
for m in msg:
# verify UNC path
- try:
- unc = str(m['gPCFileSysPath'][0])
- except Exception:
- continue
-
+ unc = str(m['gPCFileSysPath'][0])
try:
[dom_name, service, sharepath] = parse_unc(unc)
except ValueError:
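Review bot: `unc = str(m['gPCFileSysPath'][0])` now raises a bare KeyError for a policy object that has no gPCFileSysPath attribute, while the same command reports a missing nTSecurityDescriptor on the same message through CommandError (`if 'nTSecurityDescriptor' not in m: raise CommandError(...)`). Guarding this attribute the same way keeps the error reporting consistent, e.g. `if 'gPCFileSysPath' not in m:` / `raise CommandError("GPO %s has no gPCFileSysPath" % m.dn)` directly before the assignment. The `try`/`except ValueError` around parse_unc on the following lines is unaffected. The enclosing loop body continues outside the hunk.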
conn = smb_connection(dc_hostname, service, lp=self.lp,
creds=self.creds)
- try:
- fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
- except Exception:
- raise CommandError("Failed to get security_descriptor of '%s' using SMB" % sharepath)
+ fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
if 'nTSecurityDescriptor' not in m:
raise CommandError("Could not read nTSecurityDescriptor. "
ds_sd_ndr = m['nTSecurityDescriptor'][0]
ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
+ # Create a file system security descriptor
domain_sid = security.dom_sid(self.samdb.get_domain_sid())
- name = m['name'][0]
- if DEFAULT_POLICY_GUID in name or DEFAULT_DC_POLICY_GUID in name:
- expected_fs_sd = security.descriptor.from_sddl(SYSVOL_SUBFOLDER_SD, domain_sid)
- expected_fs_sd.sacl = None
- expected_fs_sddl = expected_fs_sd.as_sddl(domain_sid)
- else:
- ds_sd_ndr = m['nTSecurityDescriptor'][0]
- ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
-
- # Create a file system security descriptor
- expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
+ expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
if (fs_sd.as_sddl(domain_sid) != expected_fs_sddl):
raise CommandError("Invalid GPO ACL %s on path (%s), should be %s" % (fs_sd.as_sddl(domain_sid), sharepath, expected_fs_sddl))
def get_descriptor_sddl(self, object_dn):
res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"])
desc = res[0]["nTSecurityDescriptor"][0]
- desc = ndr_unpack(security.descriptor, desc,allow_remaining=True)
+ desc = ndr_unpack(security.descriptor, desc)
return desc.as_sddl(self.domain_sid)
def guid_as_string(self, guid_blob):
fdescr.owner_sid = ref.owner_sid
fdescr.group_sid = ref.group_sid
fdescr.type = ref.type
- fdescr.type |= security.SEC_DESC_DACL_AUTO_INHERITED
fdescr.revision = ref.revision
aces = ref.dacl.aces
for i in range(0, len(aces)):
ace = aces[i]
- if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED:
- pass
- elif ace.type == security.SEC_ACE_TYPE_ACCESS_DENIED:
- pass
- else:
- continue
-
- if str(ace.trustee) == security.SID_BUILTIN_PREW2K:
- continue
-
- ace.flags |= security.SEC_ACE_FLAG_CONTAINER_INHERIT
- ace.flags |= security.SEC_ACE_FLAG_OBJECT_INHERIT
-
- ace.access_mask = ldapmask2filemask(ace.access_mask)
-
- fdescr.dacl_add(ace)
+ if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
+ # if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
+ ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT
+ if str(ace.trustee) == security.SID_CREATOR_OWNER:
+ # For Creator/Owner the IO flag is set as this ACE has only a sense for child objects
+ ace.flags = ace.flags | security.SEC_ACE_FLAG_INHERIT_ONLY
+ ace.access_mask = ldapmask2filemask(ace.access_mask)
+ fdescr.dacl_add(ace)
if not as_sddl:
return fdescr
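Review bot: The new-side filter `if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and ...` applies a bitwise AND to the ACE type, but ACE types are an enumeration, not a flag set (in MS-DTYP ACCESS_ALLOWED is 0, ACCESS_DENIED is 1, SYSTEM_AUDIT is 2, ACCESS_ALLOWED_OBJECT is 5), so an ACCESS_DENIED ACE (1 & 5 != 0) is silently dropped from the file DACL while a SYSTEM_AUDIT ACE (2 & 5 == 0) is copied into it; that changes the effective permissions on the policy share, not merely its layout. A membership test states the intent and keeps deny entries: `if ace.type in (security.SEC_ACE_TYPE_ACCESS_ALLOWED, security.SEC_ACE_TYPE_ACCESS_DENIED) and str(ace.trustee) != security.SID_BUILTIN_PREW2K:`. The commented-out `# if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:` line is dead code and should be removed. Note also that the loop mutates the `ace` objects taken from `ref.dacl.aces` in place, so `ref` is modified as a side effect; a comment saying so on the loop would help callers. dsacl2fsacl starts before the hunk.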
dst_file.write(data)
shutil.rmtree(tempdir)
-
-
-def fsacl_child_sd(parent_sddl, domain_sid, owner_sid, group_sid, container=True, as_sddl=True):
- """
-
- This function takes an the SDDL representation of a filesystem
- ACL and return the SDDL representation of this ACL adapted
- for child files/directories. It's used for Policy object provision
- """
- parent_sd = security.descriptor.from_sddl(parent_sddl, domain_sid)
- fdescr = security.descriptor()
- fdescr.owner_sid = owner_sid
- fdescr.group_sid = group_sid
- fdescr.type = parent_sd.type
- fdescr.type |= security.SEC_DESC_DACL_AUTO_INHERITED
- fdescr.revision = parent_sd.revision
- aces = parent_sd.dacl.aces
- for i in range(0, len(aces)):
- ace = aces[i]
- ace2 = None
-
- if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED:
- pass
- elif ace.type == security.SEC_ACE_TYPE_ACCESS_DENIED:
- pass
- else:
- continue
-
- inherit_ace = False
- if not container:
- if ace.flags & security.SEC_ACE_FLAG_OBJECT_INHERIT:
- inherit_ace = True
- else:
- if ace.flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT:
- inherit_ace = True
- if ((ace.flags & security.SEC_ACE_FLAG_OBJECT_INHERIT) and \
- not (ace.flags & security.SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)):
- inherit_ace = True
-
- if not inherit_ace:
- continue
-
- if not container:
- ace.flags = 0;
- else:
- ace.flags &= ~security.SEC_ACE_FLAG_INHERIT_ONLY
- if not (ace.flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT):
- ace.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
- ace.flags &= ~security.SEC_ACE_FLAG_INHERIT_ONLY
- if ace.flags & security.SEC_ACE_FLAG_NO_PROPAGATE_INHERIT:
- ace.flags = 0;
-
- ace.flags |= security.SEC_ACE_FLAG_INHERITED_ACE
-
- if str(ace.trustee) == security.SID_CREATOR_OWNER:
- ace2 = ace
-
- ace = security.ace()
- ace.type = ace.type
- ace.flags = ace.flags
- ace.access_mask = ace.access_mask
- ace.trustee = owner_sid
-
- ace2.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
-
- if str(ace.trustee) == security.SID_CREATOR_GROUP:
- ace2 = ace
-
- ace = security.ace()
- ace.type = ace.type
- ace.flags = ace.flags
- ace.access_mask = ace.access_mask
- ace.trustee = group_sid
-
- ace2.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
-
- fdescr.dacl_add(ace)
- if container and ace2 is not None:
- fdescr.dacl_add(ace2)
-
- if not as_sddl:
- return fdescr
-
- return fdescr.as_sddl(domain_sid)
)
from samba.idmap import IDmapDB
from samba.ms_display_specifiers import read_ms_ldif
-from samba.ntacls import setntacl, getntacl, dsacl2fsacl, fsacl_child_sd
+from samba.ntacls import setntacl, getntacl, dsacl2fsacl
from samba.ndr import ndr_pack, ndr_unpack
from samba.provision.backend import (
FDSBackend,
DEFAULT_MIN_PWD_LENGTH = 7
-SYSVOL_FOLDER_SD = "O:BAG:SYD:PAI(A;;0x001200a9;;;AU)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;SO)(A;OICIIO;GRGX;;;SO)(A;;0x001e01bf;;;BA)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001f01ff;;;SY)(A;OICIIO;GA;;;SY)(A;;0x001e01bf;;;BA)(A;OICIIO;WOWDGRGWGX;;;CO)S:AI(AU;OICISA;SD;;;WD)"
-SYSVOL_SUBFOLDER_SD = "O:BAG:SYD:PAI(A;;0x001200a9;;;AU)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;SO)(A;OICIIO;GRGX;;;SO)(A;;0x001e01bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x001f01ff;;;SY)(A;OICIIO;GA;;;SY)(A;;0x001e01bf;;;BA)(A;OICIIO;GA;;;CO)S:AI(AU;SA;SD;;;WD)"
-SYSVOL_SUBFILE_SD = "O:BAG:SYD:AI(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)(A;ID;0x001f01ff;;;BA)(A;ID;0x001f01ff;;;SY)"
-POLICIES_FOLDER_SD = "O:BAG:SYD:PAI(A;;0x001200a9;;;AU)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;SO)(A;OICIIO;GRGX;;;SO)(A;;0x001e01bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x001f01ff;;;SY)(A;OICIIO;GA;;;SY)(A;;0x001e01bf;;;BA)(A;OICIIO;GA;;;CO)(A;;0x001201bf;;;PA)(A;OICIIO;GRGWGX;;;PA)S:AI(AU;SA;SD;;;WD)"
class ProvisionPaths(object):
return samdb
+SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
+POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
SYSVOL_SERVICE = "sysvol"
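Review bot: SYSVOL_ACL and POLICIES_ACL are single DACL-only descriptors (`D:P`, no `S:` section, no CREATOR OWNER entry) that set_dir_acl on this page applies unchanged to the share roots, every subfolder and every file, whereas the constants they replace carried an `S:AI` audit ACE and separate folder/subfolder/file variants; nothing on the page records why one descriptor is now sufficient for all three levels, so the next reader is likely to re-introduce the split. A short comment above the two constants would fix that, e.g. `# One protected, DACL-only descriptor (D:P) is applied verbatim to the sysvol and policies roots, their subfolders and their files; no SACL is set.`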
-def set_dir_acl(path, self_sd, subfolder_sd, subfile_sd, domsid, lp, use_ntvfs,
- passdb, service=SYSVOL_SERVICE):
- setntacl(lp, path, self_sd, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True,
- passdb=passdb, service=service)
+def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE):
+ setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
for root, dirs, files in os.walk(path, topdown=False):
for name in files:
- setntacl(lp, os.path.join(root, name), subfile_sd, domsid,
+ setntacl(lp, os.path.join(root, name), acl, domsid,
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
for name in dirs:
- setntacl(lp, os.path.join(root, name), subfolder_sd, domsid,
+ setntacl(lp, os.path.join(root, name), acl, domsid,
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
# Set ACL for GPO root folder
root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")
- setntacl(lp, root_policy_path, POLICIES_FOLDER_SD, str(domainsid),
+ setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid),
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
res = samdb.search(base="CN=Policies,CN=System,%s" %(domaindn),
expression="", scope=ldb.SCOPE_ONELEVEL)
for policy in res:
- guid = str(policy["cn"])
- policy_path = getpolicypath(sysvol, dnsdomain, guid)
-
- if DEFAULT_POLICY_GUID in guid or DEFAULT_DC_POLICY_GUID in guid:
- self_sd = SYSVOL_SUBFOLDER_SD
- sub_folder_sd = SYSVOL_SUBFOLDER_SD
- sub_file_sd = SYSVOL_SUBFILE_SD
- else:
- acl = ndr_unpack(security.descriptor,
- str(policy["nTSecurityDescriptor"])).as_sddl()
- owner_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
- group_sid = security.dom_sid("%s-%d" % (str(domainsid), security.DOMAIN_RID_USERS))
- self_sd = dsacl2fsacl(acl, domainsid)
- sub_folder_sd = fsacl_child_sd(self_sd, domainsid, owner_sid, group_sid, container=True)
- sub_file_sd = fsacl_child_sd(self_sd, domainsid, owner_sid, group_sid, container=False)
-
- set_dir_acl(policy_path, self_sd,
- sub_folder_sd, sub_file_sd,
- str(domainsid), lp, use_ntvfs,
+ acl = ndr_unpack(security.descriptor,
+ policy["nTSecurityDescriptor"][0]).as_sddl()
+ policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
+ set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
+ str(domainsid), use_ntvfs,
passdb=passdb)
+
def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
domaindn, lp, use_ntvfs):
"""Set the ACL for the sysvol share and the subfolders
session_info = auth.user_session(samdb, lp_ctx=lp, dn=userdn,
session_info_flags=flags)
- def _setntacl(path, acl):
+ def _setntacl(path):
"""A helper to reuse args"""
return setntacl(
- lp, path, acl, str(domainsid),
+ lp, path, SYSVOL_ACL, str(domainsid),
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb,
service=SYSVOL_SERVICE, session_info=session_info)
- # Set the SYSVOL_FOLDER_SD on the sysvol folder and
- # SYSVOL_SUBFILE_SD on files and SYSVOL_SUBFOLDER_SD on the subfolder (first level)
- _setntacl(sysvol, SYSVOL_FOLDER_SD)
+ # Set the SYSVOL_ACL on the sysvol folder and subfolder (first level)
+ _setntacl(sysvol)
for root, dirs, files in os.walk(sysvol, topdown=False):
for name in files:
if use_ntvfs and canchown:
os.chown(os.path.join(root, name), -1, gid)
- _setntacl(os.path.join(root, name), SYSVOL_SUBFILE_SD)
+ _setntacl(os.path.join(root, name))
for name in dirs:
if use_ntvfs and canchown:
os.chown(os.path.join(root, name), -1, gid)
- _setntacl(os.path.join(root, name), SYSVOL_SUBFOLDER_SD)
+ _setntacl(os.path.join(root, name))
# Set acls on Policy folder and policies folders
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
return "VFS"
-def check_dir_acl(path, self_sddl, subfolder_sddl, subfile_sddl, domsid, lp, direct_db_access):
+def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
fsacl_sddl = fsacl.as_sddl(domainsid)
- if fsacl_sddl != self_sddl:
- raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, self_sddl))
+ if fsacl_sddl != acl:
+ raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
for root, dirs, files in os.walk(path, topdown=False):
for name in files:
(acl_type(direct_db_access),
os.path.join(root, name)))
fsacl_sddl = fsacl.as_sddl(domainsid)
- if fsacl_sddl != subfile_sddl:
- raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, subfile_sddl))
+ if fsacl_sddl != acl:
+ raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
for name in dirs:
fsacl = getntacl(lp, os.path.join(root, name),
% (acl_type(direct_db_access),
os.path.join(root, name)))
fsacl_sddl = fsacl.as_sddl(domainsid)
- if fsacl_sddl != subfolder_sddl:
- raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, subfolder_sddl))
+ if fsacl_sddl != acl:
+ raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
+
def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
direct_db_access):
if fsacl is None:
raise ProvisioningError('DB ACL on policy root %s %s not found!' % (acl_type(direct_db_access), root_policy_path))
fsacl_sddl = fsacl.as_sddl(domainsid)
- if fsacl_sddl != POLICIES_FOLDER_SD:
- raise ProvisioningError('%s ACL on policy root %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), root_policy_path, fsacl_sddl, POLICIES_FOLDER_SD))
+ if fsacl_sddl != POLICIES_ACL:
+ raise ProvisioningError('%s ACL on policy root %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), root_policy_path, fsacl_sddl, fsacl))
res = samdb.search(base="CN=Policies,CN=System,%s" %(domaindn),
attrs=["cn", "nTSecurityDescriptor"],
expression="", scope=ldb.SCOPE_ONELEVEL)
for policy in res:
- guid = str(policy["cn"])
- policy_path = getpolicypath(sysvol, dnsdomain, guid)
-
- if DEFAULT_POLICY_GUID in guid or DEFAULT_DC_POLICY_GUID in guid:
- self_sd = SYSVOL_SUBFOLDER_SD
- sub_folder_sd = SYSVOL_SUBFOLDER_SD
- sub_file_sd = SYSVOL_SUBFILE_SD
- else:
- acl = ndr_unpack(security.descriptor,
- str(policy["nTSecurityDescriptor"])).as_sddl()
- owner_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
- group_sid = security.dom_sid("%s-%d" % (str(domainsid), security.DOMAIN_RID_USERS))
- self_sd = dsacl2fsacl(acl, domainsid)
- sub_folder_sd = fsacl_child_sd(self_sd, domainsid, owner_sid, group_sid, container=True)
- sub_file_sd = fsacl_child_sd(self_sd, domainsid, owner_sid, group_sid, container=False)
-
- check_dir_acl(policy_path, self_sd,
- sub_folder_sd, subfile_sd,
- domainsid, lp, direct_db_access)
+ acl = ndr_unpack(security.descriptor,
+ policy["nTSecurityDescriptor"][0]).as_sddl()
+ policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
+ check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
+ domainsid, direct_db_access)
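Review bot: The raise under `if fsacl_sddl != POLICIES_ACL:` passes `fsacl` as the last format argument, so the "expected value" slot prints the descriptor object that was actually found rather than the SDDL the check compared against; the found value is already reported as `fsacl_sddl` two arguments earlier. The line should end `... root_policy_path, fsacl_sddl, POLICIES_ACL))`, which also matches how check_dir_acl reports `acl` on a mismatch. The rest of check_gpos_acl is outside the hunk.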
def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,
:param samdb: An LDB object on the SAM db
:param netlogon: Physical path for the netlogon folder
:param sysvol: Physical path for the sysvol folder
+ :param uid: The UID of the "Administrator" user
+ :param gid: The GID of the "Domain adminstrators" group
:param domainsid: The SID of the domain
:param dnsdomain: The DNS name of the domain
:param domaindn: The DN of the domain (ie. DC=...)
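Review bot: The added `:param uid:` and `:param gid:` entries document parameters that the visible signature `def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,` does not take, and they are placed between sysvol and domainsid where no such parameter exists; unless the cut-off remainder of the signature adds them, the two lines should be dropped so the docstring does not promise arguments the function rejects. "adminstrators" on the gid line is also misspelled ("administrators"). The signature and docstring continue outside the hunk.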
# Ensure we can read this directly, and via the smbd VFS
for direct_db_access in [True, False]:
+ # Check the SYSVOL_ACL on the sysvol folder and subfolder (first level)
for dir_path in [os.path.join(sysvol, dnsdomain), netlogon]:
fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
if fsacl is None:
raise ProvisioningError('%s ACL on sysvol directory %s not found!' % (acl_type(direct_db_access), dir_path))
fsacl_sddl = fsacl.as_sddl(domainsid)
- if fsacl_sddl != SYSVOL_SUBFOLDER_ACL:
- raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_SUBFOLDER_ACL))
+ if fsacl_sddl != SYSVOL_ACL:
+ raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
# Check acls on Policy folder and policies folders
check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
self.assertEquals(posix_acl.acl[4].a_perm, 7)
def test_setntacl_sysvol_check_getposixacl(self):
- acl = provision.SYSVOL_SUBFOLDER_SD
+ acl = provision.SYSVOL_ACL
domsid = passdb.get_global_sam_sid()
session_info = self.get_session_info(domsid)
setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
# gid: -1
def test_setntacl_sysvol_dir_check_getposixacl(self):
- acl = provision.SYSVOL_SUBFOLDER_SD
+ acl = provision.SYSVOL_ACL
domsid = passdb.get_global_sam_sid()
session_info = self.get_session_info(domsid)
setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
# other::---
def test_setntacl_policies_dir_check_getposixacl(self):
- acl = provision.POLICIES_FOLDER_SD
+ acl = provision.POLICIES_ACL
domsid = passdb.get_global_sam_sid()
session_info = self.get_session_info(domsid)
setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
# other::---
def test_setntacl_policies_check_getposixacl(self):
- acl = provision.POLICIES_FOLDER_SD
+ acl = provision.POLICIES_ACL
domsid = passdb.get_global_sam_sid()
session_info = self.get_session_info(domsid)
/* Print aces */
for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
- fprintf(f, "DACL:");
+ fprintf(f, "ACL:");
print_ace(cli, f, ace, numeric);
fprintf(f, "\n");
}
- /* Print aces */
- for (i = 0; sd->sacl && i < sd->sacl->num_aces; i++) {
- struct security_ace *ace = &sd->sacl->aces[i];
- fprintf(f, "SACL:");
- print_ace(cli, f, ace, numeric);
- fprintf(f, "\n");
- }
}
for (i=0;i<acl->num_aces;i++) {
struct security_ace *ace = &acl->aces[i];
- if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
- continue;
- }
ace->access_mask = pvfs_translate_mask(ace->access_mask);
}
}
}
}
- if (orig_flags & SEC_ACE_FLAG_INHERIT_ONLY) {
- creator = &ace.trustee;
- new_id = &ace.trustee;
- }
-
/* the CREATOR sids are special when inherited */
if (dom_sid_equal(&ace.trustee, pvfs->sid_cache.creator_owner)) {
creator = pvfs->sid_cache.creator_owner;
}
}
- pvfs_translate_generic_bits(sd->dacl);
- sd->type |= SEC_DESC_DACL_PRESENT;
-
return NT_STATUS_OK;
}
const struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr,
uint32_t object_count,
const struct drsuapi_DsReplicaObjectListItemEx *first_object,
- uint32_t linked_attributes_count,
- const struct drsuapi_DsReplicaLinkedAttribute *linked_attributes,
const DATA_BLOB *gensec_skey)
{
static uint32_t object_id;
mapping_ctr,
object_count,
first_object,
- linked_attributes_count,
- linked_attributes,
+ 0, NULL,
NULL, NULL,
gensec_skey,
0,
struct ldb_request *search_req;
struct ldb_result *res;
struct ldb_message *new_msg, *drs_msg, *ldap_msg;
- size_t num_attrs = objs->objects[i].msg->num_elements+1+1;
+ size_t num_attrs = objs->objects[i].msg->num_elements+1;
const char **attrs = talloc_array(objs, const char *, num_attrs);
for (j=0; j < objs->objects[i].msg->num_elements; j++) {
attrs[j] = objs->objects[i].msg->elements[j].name;
}
- attrs[j] = "uSNChanged";
- j++;
attrs[j] = NULL;
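Review bot: The new `num_attrs = objs->objects[i].msg->num_elements+1` sizes the array correctly for the element names plus the NULL terminator, but the `talloc_array` result on the next line is still filled without a NULL check, so an allocation failure becomes a NULL dereference in the loop rather than a reported test failure; add `torture_assert(tctx, attrs != NULL, "talloc_array failed");` between the allocation and the loop. The enclosing function continues on both sides of the hunk.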
res = talloc_zero(objs, struct ldb_result);
if (!res) {
return false;
}
- ret = ldb_request_add_control(search_req, LDB_CONTROL_SHOW_RECYCLED_OID, false, NULL);
- if (ret != LDB_SUCCESS) {
- return false;
- }
-
ret = ldb_request_add_control(search_req, LDB_CONTROL_EXTENDED_DN_OID, true, extended_dn_ctrl);
if (ret != LDB_SUCCESS) {
return false;
ldb_errstring(ldb)));
torture_assert_int_equal(tctx, res->count, 1, "Could not re-fetch object just delivered over DRS");
ldap_msg = res->msgs[0];
-
-{
-uint64_t usn = ldb_msg_find_attr_as_int64(ldap_msg, "uSNChanged", 0);
-struct GUID g;
-GUID_from_ndr_blob(&objs->objects[i].guid_value, &g);
-torture_comment(tctx, "o[%d] usn_changed[%llu]: %s - %s\n", i, (unsigned long long)usn,
- GUID_string(objs, &g),
- ldb_dn_get_linearized(objs->objects[i].msg->dn));
-continue;
-}
for (j=0; j < ldap_msg->num_elements; j++) {
ldap_msg->elements[j].flags = LDB_FLAG_MOD_ADD;
/* For unknown reasons, there is no nTSecurityDescriptor on cn=deleted objects over LDAP, but there is over DRS! Skip it on both transports for now here so */
talloc_free(search_req);
}
- for (i=0; i < objs->linked_attributes_count; i++) {
-torture_comment(tctx, "l[%d] usn_changed[%llu]: attid[%u] %s\n", i,
- (unsigned long long)objs->linked_attributes[i].meta_data.originating_usn,
- objs->linked_attributes[i].attid,
- GUID_string(objs, &objs->linked_attributes[i].identifier->guid));
- }
if (!lpcfg_parm_bool(tctx->lp_ctx, NULL, "dssync", "print_pwd_blobs", false)) {
talloc_free(objs);
return true;
}
};
- struct drsuapi_DsReplicaCursorCtrEx utdv;
- struct drsuapi_DsReplicaCursor cursors[1];
-
- ZERO_STRUCT(utdv);
- utdv.version = 1;
- utdv.count = ARRAY_SIZE(cursors);
- utdv.cursors = cursors;
- ZERO_STRUCT(cursors);
- GUID_from_string("0d36ca05-5507-4e62-aca3-354bab0d39e1",
- &cursors[0].source_dsa_invocation_id);
- cursors[0].highest_usn = 12755;
-/*
- uptodateness_vector : *
- uptodateness_vector: struct drsuapi_DsReplicaCursorCtrEx
- version : 0x00000001 (1)
- reserved1 : 0x00000000 (0)
- count : 0x00000001 (1)
- reserved2 : 0x00000000 (0)
- cursors: ARRAY(1)
- cursors: struct drsuapi_DsReplicaCursor
- source_dsa_invocation_id : 0d36ca05-5507-4e62-aca3-354bab0d39e1
- highest_usn : 0x00000000000031d3 (12755)
-*/
ZERO_STRUCT(null_guid);
ZERO_STRUCT(null_sid);
r.in.req->req8.highwatermark.tmp_highest_usn = highest_usn;
r.in.req->req8.highwatermark.reserved_usn = 0;
r.in.req->req8.highwatermark.highest_usn = highest_usn;
- r.in.req->req8.uptodateness_vector = NULL;//&utdv;
+ r.in.req->req8.uptodateness_vector = NULL;
r.in.req->req8.replica_flags = 0;
if (lpcfg_parm_bool(tctx->lp_ctx, NULL, "dssync", "compression", false)) {
r.in.req->req8.replica_flags |= DRSUAPI_DRS_USE_COMPRESSION;
| DRSUAPI_DRS_GET_ANC
| DRSUAPI_DRS_NEVER_SYNCED
;
- r.in.req->req8.replica_flags = 0x00201074;
- //r.in.req->req8.replica_flags |= DRSUAPI_DRS_GET_ANC;
r.in.req->req8.max_object_count = 402;
r.in.req->req8.max_ndr_size = 402116;
(unsigned long long) ctr1->new_highwatermark.highest_usn);
if (!test_analyse_objects(tctx, ctx, nc_dn_str, &ctr1->mapping_ctr, ctr1->object_count,
- ctr1->first_object, 0, NULL, &gensec_skey)) {
+ ctr1->first_object, &gensec_skey)) {
return false;
}
(unsigned long long) ctr6->new_highwatermark.highest_usn);
if (!test_analyse_objects(tctx, ctx, nc_dn_str, &ctr6->mapping_ctr, ctr6->object_count,
- ctr6->first_object,
- ctr6->linked_attributes_count,
- ctr6->linked_attributes,
- &gensec_skey)) {
+ ctr6->first_object, &gensec_skey)) {
return false;
}