summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNadezhda Ivanova <nadezhda.ivanova@postpath.com>2009-05-29 14:45:24 +0300
committerAndrew Bartlett <abartlet@samba.org>2009-06-11 18:54:32 +1000
commite9caf7d06352b557ef1e2d41a2325f29a4a2506a (patch)
tree995c9345feb24c597a22f3530fa434a844219b72
parente5353ce95bbfeab79b6055b1acf07a04b0f3e22a (diff)
downloadsamba-e9caf7d06352b557ef1e2d41a2325f29a4a2506a.tar.gz
samba-e9caf7d06352b557ef1e2d41a2325f29a4a2506a.tar.bz2
samba-e9caf7d06352b557ef1e2d41a2325f29a4a2506a.zip
A script to compare the differences in nTSecurityDescriptor between 2 hosts
This script walks the schema, configuration and domain partitions of the locally installed Ldb and a remote hosts and compares the descriptors disregarding the difference in domain SID. The goal is to make sure a freshly provisioned Samba has the correct descriptors so ACLs work correctly. It outputs the descriptors in short SDDL, where the correct SIDs are to be replaced during provisioning. Optionally it can be output as an LDIF file with the current local domain and domain SIDs.
-rwxr-xr-xsource4/scripting/bin/get-descriptors153
1 files changed, 153 insertions, 0 deletions
diff --git a/source4/scripting/bin/get-descriptors b/source4/scripting/bin/get-descriptors
new file mode 100755
index 0000000000..f22500b0ba
--- /dev/null
+++ b/source4/scripting/bin/get-descriptors
@@ -0,0 +1,153 @@
+#!/usr/bin/python
+#
+# Unix SMB/CIFS implementation.
+# A script to compare differences of security descriotors between
+# a remote host and the local Ldb
+# Needs the local domain, the remote domain, IP of the remote host
+# Username and password for the remote domain, must be at least
+# Domain Administrator
+#
+# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
+# Copyright (C) Nadezhda Ivanova <nadezhda.ivanova@postpath.com> 2009
+#
+# Based on the original in EJS:
+# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import getopt
+import optparse
+import sys
+import os
+import base64
+import re
+
+sys.path.insert(0, "bin/python")
+
+import samba
+from samba.auth import system_session
+import samba.getopt as options
+from samba import param
+from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc import security
+from samba import Ldb
+from samba.samdb import SamDB
+from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
+
+parser = optparse.OptionParser("get-descriptor [options]")
+sambaopts = options.SambaOptions(parser)
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+
+parser.add_option("--local-domain", type="string", metavar="LOCALDOMAIN",
+ help="set local domain")
+parser.add_option("--remote-domain", type="string", metavar="REMOTEDOMAIN",
+ help="set remote domain")
+parser.add_option("--host", type="string", metavar="HOST",
+ help="Ip of the remote host used for comparison")
+parser.add_option("--as-ldif", help="Output in LDIF format", action="store_true")
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+opts = parser.parse_args()[0]
+
+class DescrGetter:
+ def __init__(self, localdomain, remotedomain):
+ self.samdb = SamDB(session_info=system_session(), lp=lp, options=["modules:paged_searches"])
+ self.remote_ldb= Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp,
+ options=["modules:paged_searches"])
+ self.local_domain = localdomain.replace(".", ",DC=")
+ self.local_domain = "DC=" + self.local_domain
+ self.remote_domain = remotedomain.replace(".", ",DC=")
+ self.remote_domain = "DC=" + self.remote_domain
+ self.local_map = {}
+ self.remote_map = {}
+
+ def get_domain_local_sid(self):
+ res = self.samdb.search(base=self.local_domain,expression="(objectClass=*)", scope=SCOPE_BASE)
+ self.local_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+
+ def get_domain_remote_sid(self):
+ res = self.remote_ldb.search(base=self.remote_domain, expression="(objectClass=*)", scope=SCOPE_BASE)
+ self.remote_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+
+ def add_to_ldif(self, dn, descr):
+ ldif_entry = ["dn: " + dn,
+ "changetype: modify",
+ "replace: nTSecurityDescriptor",
+ "nTSecurityDescriptor:: " + base64.b64encode(ndr_pack(descr))]
+
+ for line in ldif_entry:
+ length = 79
+ if len(line) <= length + 1:
+ print line
+ else:
+ for i in range(len(line) / length + 1):
+ if i == 0:
+ l = line[i * length:((i + 1) * length)]
+ else:
+ l = " " + line[(i * length):((i + 1) * length)]
+ print l
+ print "\n"
+
+ def write_as_sddl(self, dn, descr):
+ print dn
+ print descr + "\n"
+
+ def read_descr_by_base(self, search_base):
+ res = self.samdb.search(base=search_base + self.local_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
+ for entry in res:
+ dn = entry["dn"].__str__().replace(self.local_domain, "")
+
+ if "nTSecurityDescriptor" in entry:
+ desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
+ self.local_map[dn] = desc_obj
+
+ res = self.remote_ldb.search(base=search_base + self.remote_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
+ for entry in res:
+ dn = entry["dn"].__str__().replace(self.remote_domain, "")
+
+ if "nTSecurityDescriptor" in entry:
+ desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
+ self.remote_map[dn] = desc_obj
+
+ def read_desc(self):
+ self.read_descr_by_base("CN=Schema,CN=Configuration,")
+ self.read_descr_by_base("CN=Configuration,")
+ self.read_descr_by_base("")
+
+ def write_desc_to_ldif(self):
+ key_list_local = self.local_map.keys()
+ key_list_remote = self.remote_map.keys()
+ for key in key_list_remote:
+ if key in key_list_local:
+ sddl = self.remote_map[key].as_sddl(self.remote_sid)
+ sddl_local = self.local_map[key].as_sddl(self.local_sid)
+ if sddl != sddl_local:
+ descr = security.descriptor.from_sddl(sddl, self.local_sid)
+ if opts.as_ldif:
+ self.add_to_ldif(key + self.local_domain, descr)
+ else:
+ self.write_as_sddl(key, descr.as_sddl(self.local_sid))
+
+ def run(self):
+ self.get_domain_local_sid()
+ self.get_domain_remote_sid()
+ self.read_desc()
+ self.write_desc_to_ldif()
+
+desc = DescrGetter(opts.local_domain, opts.remote_domain)
+desc.run()