from samba.dcerpc import nbt
from samba.net import Net
+from samba.provision import DEFAULT_POLICY_GUID, DEFAULT_DC_POLICY_GUID, SYSVOL_SUBFOLDER_SD
def samdb_connect(ctx):
'''make a ldap connection to the server'''
for m in msg:
# verify UNC path
- unc = m['gPCFileSysPath'][0]
+ try:
+ unc = m['gPCFileSysPath'][0]
+ except Exception:
+ continue
+
try:
[dom_name, service, sharepath] = parse_unc(unc)
except ValueError:
except Exception:
raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)
- fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
-
- ds_sd_ndr = m['nTSecurityDescriptor'][0]
- ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
+ try:
+ fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
+ except Exception:
+ raise CommandError("Failed to get security_descriptor of '%s' using SMB" % sharepath)
- # Create a file system security descriptor
domain_sid = security.dom_sid(self.samdb.get_domain_sid())
- expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
+ name = m['name'][0]
+ if DEFAULT_POLICY_GUID in name or DEFAULT_DC_POLICY_GUID in name:
+ expected_fs_sd = security.descriptor.from_sddl(SYSVOL_SUBFOLDER_SD, domain_sid)
+ expected_fs_sd.sacl = None
+ expected_fs_sddl = expected_fs_sd.as_sddl(domain_sid)
+ else:
+ ds_sd_ndr = m['nTSecurityDescriptor'][0]
+ ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
+
+ # Create a file system security descriptor
+ expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
if (fs_sd.as_sddl(domain_sid) != expected_fs_sddl):
raise CommandError("Invalid GPO ACL %s on path (%s), should be %s" % (fs_sd.as_sddl(domain_sid), sharepath, expected_fs_sddl))
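Review bot: The new `except Exception: continue` around `m['gPCFileSysPath'][0]` silently drops any policy object whose path cannot be read, so in an ACL-checking command a GPO with a missing or malformed gPCFileSysPath is never reported; narrow it to the attribute-missing case and say what was skipped, e.g. `except KeyError:` followed by a warning naming `m.dn` before `continue`. The same broad `except Exception` around `conn.get_acl(...)` discards the underlying SMB error, so re-raise with the cause attached: `except Exception as e:` / `raise CommandError("Failed to get security_descriptor of '%s' using SMB" % sharepath) from e`. The `DEFAULT_POLICY_GUID in name` test is a substring match and, if `m['name'][0]` is bytes under Python 3, a `str in bytes` comparison would raise TypeError — worth confirming and comparing `str(m['name'][0])` for equality instead. The enclosing method starts outside the hunk.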