summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/scripting/python/samba/netcmd/ntacl.py74
1 files changed, 73 insertions, 1 deletions
diff --git a/source4/scripting/python/samba/netcmd/ntacl.py b/source4/scripting/python/samba/netcmd/ntacl.py
index 09c1ce0032..81217b76d6 100644
--- a/source4/scripting/python/samba/netcmd/ntacl.py
+++ b/source4/scripting/python/samba/netcmd/ntacl.py
@@ -18,10 +18,13 @@
from samba.credentials import DONT_USE_KERBEROS
import samba.getopt as options
-from samba.dcerpc import security
+from samba.dcerpc import security, idmap
from samba.ntacls import setntacl, getntacl
from samba import Ldb
from samba.ndr import ndr_unpack
+from samba.samdb import SamDB
+from samba.samba3 import param as s3param, passdb, smbd
+from samba import provision
from ldb import SCOPE_BASE
import os
@@ -109,10 +112,79 @@ class cmd_ntacl_get(Command):
acl.dump()
+class cmd_ntacl_sysvolreset(Command):
+ """Reset sysvol ACLs to defaults (including correct ACLs on GPOs)"""
+ synopsis = "%prog <file> [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ takes_options = [
+ Option("--use-ntvfs", help="Set the ACLs for use with the ntvfs file server", action="store_true"),
+ Option("--use-s3fs", help="Set the ACLs for use with the default s3fs file server", action="store_true")
+ ]
+
+ def run(self, use_ntvfs=False, use_s3fs=False,
+ credopts=None, sambaopts=None, versionopts=None):
+ lp = sambaopts.get_loadparm()
+ path = lp.private_path("secrets.ldb")
+ creds = credopts.get_credentials(lp)
+ creds.set_kerberos_state(DONT_USE_KERBEROS)
+ logger = self.get_logger()
+
+ netlogon = lp.get("path", "netlogon")
+ sysvol = lp.get("path", "sysvol")
+ try:
+ samdb = SamDB(session_info=system_session(),
+ lp=lp)
+ except Exception, e:
+ raise CommandError("Unable to open samdb:", e)
+
+ if not use_ntvfs and not use_s3fs:
+ use_ntvfs = "smb" in lp.get("server services")
+ elif use_s3fs:
+ use_ntvfs = False
+
+ domain_sid = security.dom_sid(samdb.domain_sid)
+
+ s3conf = s3param.get_context()
+ s3conf.load(lp.configfile)
+ # ensure we are using the right samba4 passdb backend, no matter what
+ s3conf.set("passdb backend", "samba4:%s" % samdb.url)
+
+ LA_sid = security.dom_sid(str(domain_sid)
+ +"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
+ BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
+
+ s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
+
+ # These assertions correct for current plugin_s4_dc selftest
+ # configuration. When other environments have a broad range of
+ # groups mapped via passdb, we can relax some of these checks
+ (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
+ if (LA_type != idmap.ID_TYPE_UID and LA_type != idmap.ID_TYPE_BOTH):
+ raise CommandError("SID %s is not mapped to a UID" % LA_sid)
+ (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
+ if (BA_type != idmap.ID_TYPE_GID and BA_type != idmap.ID_TYPE_BOTH):
+ raise CommandError("SID %s is not mapped to a GID" % BA_sid)
+
+ if use_ntvfs:
+ logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")
+
+ provision.setsysvolacl(samdb, netlogon, sysvol,
+ LA_uid, BA_gid, domain_sid,
+ lp.get("realm").lower(), samdb.domain_dn(),
+ lp, use_ntvfs=use_ntvfs)
+
+
class cmd_ntacl(SuperCommand):
"""NT ACLs manipulation"""
subcommands = {}
subcommands["set"] = cmd_ntacl_set()
subcommands["get"] = cmd_ntacl_get()
+ subcommands["sysvolreset"] = cmd_ntacl_sysvolreset()