-rwxr-xr-x | source4/scripting/bin/upgradeprovision | 37 | ||||
-rw-r--r-- | source4/scripting/python/samba/provision.py | 97 |
2 files changed, 69 insertions, 65 deletions
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index bdc58c3f59..8f01bd3bf0 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -41,7 +41,7 @@ from ldb import SCOPE_SUBTREE, SCOPE_BASE, \
 from samba import param
 from samba import glue
 from samba.misc import messageEltFlagToString
-from samba.provision import find_setup_dir, get_domain_descriptor, get_config_descriptor, secretsdb_self_join,set_gpo_acl,getpolicypath,create_gpo_struct
+from samba.provision import find_setup_dir, get_domain_descriptor, get_config_descriptor, secretsdb_self_join,set_gpo_acl,getpolicypath,create_gpo_struct
 from samba.provisionexceptions import ProvisioningError
 from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
 from samba.dcerpc import security
@@ -871,22 +871,24 @@ def update_machine_account_password(paths, creds, session, names): def update_gpo(paths,creds,session,names): - """Create missing GPO file object if needed + """Create missing GPO file object if needed - Set ACL correctly also. - """ - dir = getpolicypath(paths.sysvol,names.dnsdomain,names.policyid) - if not os.path.isdir(dir): - create_gpo_struct(dir) - - dir = getpolicypath(paths.sysvol,names.dnsdomain,names.policyid_dc) - if not os.path.isdir(dir): - create_gpo_struct(dir) - samdb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp) - set_gpo_acl(path.sysvol,names.dnsdomain,names.domainsid,names.domaindn,samdb,lp) - -def updateOEMInfo(paths,creds,session,names): - sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"]) + Set ACL correctly also. + """ + dir = getpolicypath(paths.sysvol,names.dnsdomain,names.policyid) + if not os.path.isdir(dir): + create_gpo_struct(dir) + + dir = getpolicypath(paths.sysvol,names.dnsdomain,names.policyid_dc) + if not os.path.isdir(dir): + create_gpo_struct(dir) + samdb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp) + set_gpo_acl(paths.sysvol, names.dnsdomain, names.domainsid, + names.domaindn, samdb, lp) + +def updateOEMInfo(paths, creds, session,names): + sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds, lp=lp, + options=["modules:samba_dsdb"]) res = sam_ldb.search(expression="(objectClass=*)",base=str(names.rootdn), scope=SCOPE_BASE, attrs=["dn","oEMInformation"]) if len(res) > 0: @@ -895,7 +897,8 @@ def updateOEMInfo(paths,creds,session,names): delta = Message() delta.dn = Dn(sam_ldb,str(res[0]["dn"])) descr = get_schema_descriptor(names.domainsid) - delta["oEMInformation"] = MessageElement(info, FLAG_MOD_REPLACE, "oEMInformation" ) + delta["oEMInformation"] = MessageElement(info, FLAG_MOD_REPLACE, + "oEMInformation" ) sam_ldb.modify(delta) 
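Review bot: The `set_gpo_acl(paths.sysvol, ...)` call that closes `update_gpo` was effectively unreachable before this hunk — the removed line read `path.sysvol`, and `path` is not one of update_gpo's parameters — so unless a module-level `path` happens to be in scope, this is the first revision in which upgradeprovision really rewrites the NT ACL of every directory under `<sysvol>/<dnsdomain>/Policies` (set_gpo_acl, further down in this diff, walks them and applies each policy object's nTSecurityDescriptor), which is more than the whitespace reformat the hunk looks like. That deserves a line in the docstring, e.g. `Also rewrites the filesystem ACL of every policy directory from the matching CN=Policies object's nTSecurityDescriptor.`, and a mention in the commit message. Two smaller points: the local `dir` shadows the builtin and `policy_dir = getpolicypath(...)` reads better, and `lp` is used without being a parameter, so it is presumably the script's module-level loadparm — worth confirming rather than relying on.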
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 83e6e02daf..17dc470dec 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -36,7 +36,6 @@ import param import registry import urllib import shutil -import string import ldb @@ -472,7 +471,7 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole, "SIDGENERATOR_LINE": sid_generator_line, "PRIVATEDIR_LINE": privatedir_line, "LOCKDIR_LINE": lockdir_line, - "POSIXEADB_LINE": posixeadb_line + "POSIXEADB_LINE": posixeadb_line }) @@ -807,10 +806,11 @@ def setup_self_join(samdb, names, "NTDSGUID": names.ntdsguid, "DNSPASS_B64": b64encode(dnspass), }) -def getpolicypath(sysvolpath,dnsdomain,guid): - if string.find(guid,"{",0,1) == -1: - guid = "{%s}"%guid - policy_path = os.path.join(sysvolpath, dnsdomain, "Policies", guid ) + +def getpolicypath(sysvolpath, dnsdomain, guid): + if guid[0] != "{": + guid = "{%s}" % guid + policy_path = os.path.join(sysvolpath, dnsdomain, "Policies", guid) return policy_path def create_gpo_struct(policy_path): @@ -820,8 +820,7 @@ def create_gpo_struct(policy_path): os.makedirs(os.path.join(policy_path, "MACHINE"), 0755) os.makedirs(os.path.join(policy_path, "USER"), 0755) -def setup_gpo(sysvolpath,dnsdomain,policyguid,policyguid_dc): - +def setup_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc): policy_path = getpolicypath(sysvolpath,dnsdomain,policyguid) create_gpo_struct(policy_path) 
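Review bot: `guid[0] != "{"` in the new `getpolicypath` raises IndexError on an empty string, where the `string.find(...) == -1` it replaces returned True and yielded `{}`; `if not guid.startswith("{"):` keeps the old behaviour for every input and is the idiomatic form. More relevant for a function that builds a sysvol path, nothing checks that `guid` actually looks like a GUID: the `set_gpo_acl` hunk later in this diff passes it `str(policy["cn"])` read straight from the directory, so a `cn` containing `/` or `..` would be joined into a path outside `Policies` and then have its ACL rewritten by `set_dir_acl` (creating objects under CN=Policies,CN=System normally needs domain-admin rights, so treat this as defence in depth rather than an exposed hole). Rejecting any value containing a path separator or `..` — or better, matching the `{8-4-4-4-12 hex}` form with a compiled regex — immediately before the `os.path.join` would close it; raise whatever error class provision.py already uses for bad input. The enclosing context (`setup_self_join` tail, `create_gpo_struct` header) is only partly visible in this hunk.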
@@ -1037,46 +1036,48 @@ FILL_DRS = "DRS" SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)" -def set_dir_acl(path,acl,lp,domsid): - setntacl(lp,path,acl,domsid) - for root, dirs, files in os.walk(path, topdown=False): - for name in files: - setntacl(lp,os.path.join(root, name),acl,domsid) - for name in dirs: - setntacl(lp,os.path.join(root, name),acl,domsid) - -def set_gpo_acl(sysvol,dnsdomain,domainsid,domaindn,samdb,lp): - # Set ACL for GPO - policy_path = os.path.join(sysvol, dnsdomain, "Policies") - set_dir_acl(policy_path,dsacl2fsacl(POLICIES_ACL,str(domainsid)),lp,str(domainsid)) - res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn), - attrs=["cn","nTSecurityDescriptor"], - expression="", scope=ldb.SCOPE_ONELEVEL) - for policy in res: - acl = ndr_unpack(security.descriptor,str(policy["nTSecurityDescriptor"])).as_sddl() - policy_path = getpolicypath(sysvol,dnsdomain,str(policy["cn"])) - set_dir_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid)) - -def setsysvolacl(samdb,netlogon,sysvol,gid,domainsid,dnsdomain,domaindn,lp): - canchown = 1 - try: - os.chown(sysvol,-1,gid) - except: - canchown = 0 - - setntacl(lp,sysvol,SYSVOL_ACL,str(domainsid)) - for root, dirs, files in os.walk(sysvol, topdown=False): - for name in files: - if canchown: - os.chown(os.path.join(root, name),-1,gid) - setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid)) - for name in dirs: - if canchown: - os.chown(os.path.join(root, name),-1,gid) - setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid)) - set_gpo_acl(sysvol,dnsdomain,domainsid,domaindn,samdb,lp) - - +def set_dir_acl(path, acl, lp, domsid): + setntacl(lp, path, acl, domsid) + for root, dirs, files in os.walk(path, topdown=False): + for name in files: + setntacl(lp, 
os.path.join(root, name), acl, domsid) + for name in dirs: + setntacl(lp, os.path.join(root, name), acl, domsid) + + +def set_gpo_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp): + # Set ACL for GPO + policy_path = os.path.join(sysvol, dnsdomain, "Policies") + set_dir_acl(policy_path,dsacl2fsacl(POLICIES_ACL, str(domainsid)), + lp, str(domainsid)) + res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn), + attrs=["cn","nTSecurityDescriptor"], + expression="", scope=ldb.SCOPE_ONELEVEL) + for policy in res: + acl = ndr_unpack(security.descriptor,str(policy["nTSecurityDescriptor"])).as_sddl() + policy_path = getpolicypath(sysvol,dnsdomain,str(policy["cn"])) + set_dir_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid)) + +def setsysvolacl(samdb, netlogon, sysvol, gid, domainsid, dnsdomain, domaindn, + lp): + try: + os.chown(sysvol,-1,gid) + except: + canchown = False + else: + canchown = True + + setntacl(lp,sysvol,SYSVOL_ACL,str(domainsid)) + for root, dirs, files in os.walk(sysvol, topdown=False): + for name in files: + if canchown: + os.chown(os.path.join(root, name),-1,gid) + setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid)) + for name in dirs: + if canchown: + os.chown(os.path.join(root, name),-1,gid) + setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid)) + set_gpo_acl(sysvol,dnsdomain,domainsid,domaindn,samdb,lp) def provision(setup_dir, message, session_info, |