author | Andrew Tridgell <tridge@samba.org> | 2011-01-13 15:09:03 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2011-01-14 16:39:33 +1100 |
commit | a0bc538a8f5906e86aa7cc8636ca141794c04514 (patch) | |
tree | f11f29b22b8311931c1a91bdd31c94b43253ff99 | |
parent | a38854f74b9ab0e54647e1fe28fd85be345766dc (diff) | |
s4-samba-tool: fixed the gpo command to use the right DN for access checks
-rw-r--r-- | source4/scripting/python/samba/netcmd/gpo.py | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/source4/scripting/python/samba/netcmd/gpo.py b/source4/scripting/python/samba/netcmd/gpo.py index aad3efd0fe..19007b361c 100644 --- a/source4/scripting/python/samba/netcmd/gpo.py +++ b/source4/scripting/python/samba/netcmd/gpo.py @@ -180,7 +180,6 @@ class cmd_list(Command): session = samba.auth.user_session(self.samdb, lp_ctx=self.lp, dn=user_dn, session_info_flags=session_info_flags) - print dir(session) token = session.security_token gpos = [] @@ -188,7 +187,7 @@ class cmd_list(Command): inherit = True dn = ldb.Dn(self.samdb, str(user_dn)).parent() while True: - msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions', 'ntSecurityDescriptor'])[0] + msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions'])[0] if 'gPLink' in msg: glist = parse_gplink(msg['gPLink'][0]) for g in glist: @@ -197,17 +196,27 @@ class cmd_list(Command): if g['options'] & dsdb.GPLINK_OPT_DISABLE: continue - secdesc_ndr = msg['ntSecurityDescriptor'][0] + try: + gmsg = self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE, + attrs=['flags', 'ntSecurityDescriptor']) + except Exception: + print "Failed to fetch gpo object %s" % g['dn'] + continue + + secdesc_ndr = gmsg[0]['ntSecurityDescriptor'][0] secdesc = ndr_unpack(dcerpc.security.descriptor, secdesc_ndr) try: - samba.security.access_check(secdesc, token, dcerpc.security.SEC_RIGHTS_FILE_READ) + samba.security.access_check(secdesc, token, + dcerpc.security.SEC_STD_READ_CONTROL | + dcerpc.security.SEC_ADS_LIST | + dcerpc.security.SEC_ADS_READ_PROP) except RuntimeError: print "Failed access check on %s" % msg.dn continue # check the flags on the GPO - flags = int(attr_default(self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE, attrs=['flags'])[0], 'flags', 0)) + flags = int(attr_default(gmsg[0], 'flags', 0)) if is_computer and (flags & dsdb.GPO_FLAG_MACHINE_DISABLE): continue if not is_computer and (flags & dsdb.GPO_FLAG_USER_DISABLE): |
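Review bot: In the third hunk the `except RuntimeError:` branch still prints `msg.dn`, which is the container whose gPLink was read, while the descriptor being checked now belongs to the GPO at `g['dn']`. The denial is therefore reported against the wrong object; the line should read `print "Failed access check on %s" % g['dn']`. Separately, `secdesc_ndr = gmsg[0]['ntSecurityDescriptor'][0]` sits outside the new `try`, so a result that is empty or lacks the attribute (presumably possible when the caller cannot read the descriptor) raises and aborts the whole listing instead of skipping that GPO. Moving that lookup and the `ndr_unpack` call under the guard, with a `continue` on failure, keeps the behaviour fail-closed. The enclosing `while True:` loop starts and ends outside this hunk, so how the remaining flag checks use `gmsg` is not visible here.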