summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--python/samba/dbchecker.py68
-rw-r--r--python/samba/netcmd/dbcheck.py7
2 files changed, 71 insertions, 4 deletions
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index fd42a78df1..39a2b4f354 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -25,13 +25,15 @@ from samba.ndr import ndr_unpack, ndr_pack
from samba.dcerpc import drsblobs
from samba.common import dsdb_Dn
from samba.dcerpc import security
+from samba.descriptor import get_wellknown_sds, get_diff_sds
class dbcheck(object):
"""check a SAM database for errors"""
def __init__(self, samdb, samdb_schema=None, verbose=False, fix=False,
- yes=False, quiet=False, in_transaction=False):
+ yes=False, quiet=False, in_transaction=False,
+ reset_well_known_acls=False):
self.samdb = samdb
self.dict_oid_name = None
self.samdb_schema = (samdb_schema or samdb)
@@ -55,6 +57,8 @@ class dbcheck(object):
self.seize_fsmo_role = False
self.move_to_lost_and_found = False
self.fix_instancetype = False
+ self.reset_well_known_acls = reset_well_known_acls
+ self.reset_all_well_known_acls = False
self.in_transaction = in_transaction
self.infrastructure_dn = ldb.Dn(samdb, "CN=Infrastructure," + samdb.domain_dn())
self.naming_dn = ldb.Dn(samdb, "CN=Partitions,%s" % samdb.get_config_basedn())
@@ -62,6 +66,18 @@ class dbcheck(object):
self.rid_dn = ldb.Dn(samdb, "CN=RID Manager$,CN=System," + samdb.domain_dn())
self.ntds_dsa = ldb.Dn(samdb, samdb.get_dsServiceName())
self.class_schemaIDGUID = {}
+ self.wellknown_sds = get_wellknown_sds(self.samdb)
+
+ self.name_map = {}
+ try:
+ res = samdb.search(base="CN=DnsAdmins,CN=Users,%s" % samdb.domain_dn(), scope=ldb.SCOPE_BASE,
+ attrs=["objectSid"])
+ dnsadmins_sid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
+ self.name_map['DnsAdmins'] = str(dnsadmins_sid)
+ except ldb.LdbError, (enum, estr):
+ if enum != ldb.ERR_NO_SUCH_OBJECT:
+ raise
+ pass
res = self.samdb.search(base=self.ntds_dsa, scope=ldb.SCOPE_BASE, attrs=['msDS-hasMasterNCs', 'hasMasterNCs'])
if "msDS-hasMasterNCs" in res[0]:
@@ -739,7 +755,29 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
nmsg.dn = dn
nmsg[sd_attr] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_REPLACE, sd_attr)
if self.do_modify(nmsg, ["sd_flags:1:%d" % sd_flags],
- "Failed to fix metadata for attribute %s" % sd_attr):
+ "Failed to fix attribute %s" % sd_attr):
+ self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn))
+
+ def err_wrong_default_sd(self, dn, sd, sd_old, diff):
+ '''re-write the SD due to not matching the default (optional mode for fixing an incorrect provision)'''
+ sd_attr = "nTSecurityDescriptor"
+ sd_val = ndr_pack(sd)
+ sd_old_val = ndr_pack(sd_old)
+ sd_flags = security.SECINFO_DACL | security.SECINFO_SACL
+ if sd.owner_sid is not None:
+ sd_flags |= security.SECINFO_OWNER
+ if sd.group_sid is not None:
+ sd_flags |= security.SECINFO_GROUP
+
+ if not self.confirm_all('Reset %s on %s back to provision default?\n%s' % (sd_attr, dn, diff), 'reset_all_well_known_acls'):
+ self.report('Not resetting %s on %s\n' % (sd_attr, dn))
+ return
+
+ m = ldb.Message()
+ m.dn = dn
+ m[sd_attr] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_REPLACE, sd_attr)
+ if self.do_modify(m, ["sd_flags:1:%d" % sd_flags],
+ "Failed to reset attribute %s" % sd_attr):
self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn))
def is_fsmo_role(self, dn):
@@ -774,6 +812,16 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
return instancetype
+ def get_wellknown_sd(self, dn):
+ for [sd_dn, descriptor_fn] in self.wellknown_sds:
+ if dn == sd_dn:
+ domain_sid = security.dom_sid(self.samdb.get_domain_sid())
+ return ndr_unpack(security.descriptor,
+ descriptor_fn(domain_sid,
+ name_map=self.name_map))
+
+ raise KeyError
+
def check_object(self, dn, attrs=['*']):
'''check one object'''
if self.verbose:
@@ -826,6 +874,22 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
if sd_broken is not None:
self.err_wrong_sd(dn, sd, sd_broken)
error_count += 1
+ continue
+
+ if self.reset_well_known_acls:
+ try:
+ well_known_sd = self.get_wellknown_sd(dn)
+ except KeyError:
+ continue
+
+ current_sd = ndr_unpack(security.descriptor,
+ str(obj[attrname][0]))
+
+ diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid()))
+ if diff != "":
+ self.err_wrong_default_sd(dn, well_known_sd, current_sd, diff)
+ error_count += 1
+ continue
continue
if str(attrname).lower() == 'objectclass':
diff --git a/python/samba/netcmd/dbcheck.py b/python/samba/netcmd/dbcheck.py
index 889b0ff075..4cc0631bf7 100644
--- a/python/samba/netcmd/dbcheck.py
+++ b/python/samba/netcmd/dbcheck.py
@@ -56,6 +56,7 @@ class cmd_dbcheck(Command):
Option("--attrs", dest="attrs", default=None, help="list of attributes to check (space separated)"),
Option("--reindex", dest="reindex", default=False, action="store_true", help="force database re-index"),
Option("--force-modules", dest="force_modules", default=False, action="store_true", help="force loading of Samba modules and ignore the @MODULES record (for very old databases)"),
+ Option("--reset-well-known-acls", dest="reset_well_known_acls", default=False, action="store_true", help="reset ACLs on objects with well known default ACL values to the default"),
Option("-H", "--URL", help="LDB URL for database or target server (defaults to local SAM database)",
type=str, metavar="URL", dest="H"),
]
@@ -63,7 +64,8 @@ class cmd_dbcheck(Command):
def run(self, DN=None, H=None, verbose=False, fix=False, yes=False,
cross_ncs=False, quiet=False,
scope="SUB", credopts=None, sambaopts=None, versionopts=None,
- attrs=None, reindex=False, force_modules=False):
+ attrs=None, reindex=False, force_modules=False,
+ reset_well_known_acls=False):
lp = sambaopts.get_loadparm()
@@ -114,7 +116,8 @@ class cmd_dbcheck(Command):
started_transaction = True
try:
chk = dbcheck(samdb, samdb_schema=samdb_schema, verbose=verbose,
- fix=fix, yes=yes, quiet=quiet, in_transaction=started_transaction)
+ fix=fix, yes=yes, quiet=quiet, in_transaction=started_transaction,
+ reset_well_known_acls=reset_well_known_acls)
if reindex:
self.outf.write("Re-indexing...\n")