summaryrefslogtreecommitdiff
path: root/source4/scripting/python
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-01-11 18:40:54 +1100
committerAndrew Tridgell <tridge@samba.org>2011-01-14 16:39:32 +1100
commit29fb42a48b29158dc77682e2f4a42ed0e961c4b2 (patch)
tree100c3ef0925c04a8832fe2c87f49bd26315cf44b /source4/scripting/python
parent012e570416de8b48f89216ac1e6b0bba2357ac39 (diff)
downloadsamba-29fb42a48b29158dc77682e2f4a42ed0e961c4b2.tar.gz
samba-29fb42a48b29158dc77682e2f4a42ed0e961c4b2.tar.bz2
samba-29fb42a48b29158dc77682e2f4a42ed0e961c4b2.zip
s4-samba_tool Added ACL checking to python GPO management tool
Diffstat (limited to 'source4/scripting/python')
-rw-r--r--source4/scripting/python/samba/netcmd/gpo.py34
1 files changed, 26 insertions, 8 deletions
diff --git a/source4/scripting/python/samba/netcmd/gpo.py b/source4/scripting/python/samba/netcmd/gpo.py
index 2b481aaf86..aad3efd0fe 100644
--- a/source4/scripting/python/samba/netcmd/gpo.py
+++ b/source4/scripting/python/samba/netcmd/gpo.py
@@ -31,9 +31,12 @@ from samba.netcmd import (
SuperCommand,
)
from samba.samdb import SamDB
-from samba import drs_utils, nttime2string, dsdb
+from samba import drs_utils, nttime2string, dsdb, dcerpc
from samba.dcerpc import misc
-
+from samba.ndr import ndr_unpack
+import samba.security
+import samba.auth
+from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
def samdb_connect(ctx):
'''make a ldap connection to the server'''
@@ -167,15 +170,25 @@ class cmd_list(Command):
except Exception, e:
raise CommandError("Failed to find objectClass for user %s" % username, e)
- print("TODO: get user token")
- # token = self.samdb.get_user_token(username)
+ session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
+ AUTH_SESSION_INFO_AUTHENTICATED )
+
+ # When connecting to a remote server, don't look up the local privilege DB
+ if self.url is not None and self.url.startswith('ldap'):
+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
+
+ session = samba.auth.user_session(self.samdb, lp_ctx=self.lp, dn=user_dn,
+ session_info_flags=session_info_flags)
+
+ print dir(session)
+ token = session.security_token
gpos = []
inherit = True
dn = ldb.Dn(self.samdb, str(user_dn)).parent()
while True:
- msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions'])[0]
+ msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions', 'ntSecurityDescriptor'])[0]
if 'gPLink' in msg:
glist = parse_gplink(msg['gPLink'][0])
for g in glist:
@@ -184,9 +197,14 @@ class cmd_list(Command):
if g['options'] & dsdb.GPLINK_OPT_DISABLE:
continue
- print("TODO: access checking")
- #if not samdb.access_check(secdesc, token, security.SEC_RIGHTS_FILE_READ):
- # continue
+ secdesc_ndr = msg['ntSecurityDescriptor'][0]
+ secdesc = ndr_unpack(dcerpc.security.descriptor, secdesc_ndr)
+
+ try:
+ samba.security.access_check(secdesc, token, dcerpc.security.SEC_RIGHTS_FILE_READ)
+ except RuntimeError:
+ print "Failed access check on %s" % msg.dn
+ continue
# check the flags on the GPO
flags = int(attr_default(self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE, attrs=['flags'])[0], 'flags', 0))