s4-samba-tool: fixed the gpo command to use the right DN for access checks

author Andrew Tridgell <tridge@samba.org>

Thu, 13 Jan 2011 04:09:03 +0000 (15:09 +1100)

committer Andrew Tridgell <tridge@samba.org>

Fri, 14 Jan 2011 05:39:33 +0000 (16:39 +1100)
author Andrew Tridgell <tridge@samba.org>
Thu, 13 Jan 2011 04:09:03 +0000 (15:09 +1100)
committer Andrew Tridgell <tridge@samba.org>
Fri, 14 Jan 2011 05:39:33 +0000 (16:39 +1100)
diff --git a/source4/scripting/python/samba/netcmd/gpo.py b/source4/scripting/python/samba/netcmd/gpo.py

index aad3efd0fe0d2b43cf3820cd36d45d097b0e866c..19007b361cbfcc2d32d875676bbc490378871dd4 100644 (file)
--- a/source4/scripting/python/samba/netcmd/gpo.py
+++ b/source4/scripting/python/samba/netcmd/gpo.py
@@ -180,7 +180,6 @@ class cmd_list(Command):
          session = samba.auth.user_session(self.samdb, lp_ctx=self.lp, dn=user_dn,
                                            session_info_flags=session_info_flags)
  
-        print dir(session)
          token = session.security_token
  
          gpos = []
@@ -188,7 +187,7 @@ class cmd_list(Command):
          inherit = True
          dn = ldb.Dn(self.samdb, str(user_dn)).parent()
          while True:
-            msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions', 'ntSecurityDescriptor'])[0]
+            msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions'])[0]
              if 'gPLink' in msg:
                  glist = parse_gplink(msg['gPLink'][0])
                  for g in glist:
@@ -197,17 +196,27 @@ class cmd_list(Command):
                      if g['options'] & dsdb.GPLINK_OPT_DISABLE:
                          continue
  
-                    secdesc_ndr = msg['ntSecurityDescriptor'][0]
+                    try:
+                        gmsg = self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE,
+                                                 attrs=['flags', 'ntSecurityDescriptor'])
+                    except Exception:
+                        print "Failed to fetch gpo object %s" % g['dn']
+                        continue
+
+                    secdesc_ndr = gmsg[0]['ntSecurityDescriptor'][0]
                      secdesc = ndr_unpack(dcerpc.security.descriptor, secdesc_ndr)
  
                      try:
-                        samba.security.access_check(secdesc, token, dcerpc.security.SEC_RIGHTS_FILE_READ)
+                        samba.security.access_check(secdesc, token,
+                                                    dcerpc.security.SEC_STD_READ_CONTROL |
+                                                    dcerpc.security.SEC_ADS_LIST |
+                                                    dcerpc.security.SEC_ADS_READ_PROP)
                      except RuntimeError:
                          print "Failed access check on %s" % msg.dn
                          continue
  
                      # check the flags on the GPO
-                    flags = int(attr_default(self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE, attrs=['flags'])[0], 'flags', 0))
+                    flags = int(attr_default(gmsg[0], 'flags', 0))
                      if is_computer and (flags & dsdb.GPO_FLAG_MACHINE_DISABLE):
                          continue
                      if not is_computer and (flags & dsdb.GPO_FLAG_USER_DISABLE):
author	Andrew Tridgell <tridge@samba.org>
	Thu, 13 Jan 2011 04:09:03 +0000 (15:09 +1100)
committer	Andrew Tridgell <tridge@samba.org>
	Fri, 14 Jan 2011 05:39:33 +0000 (16:39 +1100)