summaryrefslogtreecommitdiff
path: root/source4/scripting/python
diff options
context:
space:
mode:
Diffstat (limited to 'source4/scripting/python')
-rw-r--r--source4/scripting/python/samba/netcmd/gpo.py99
1 files changed, 99 insertions, 0 deletions
diff --git a/source4/scripting/python/samba/netcmd/gpo.py b/source4/scripting/python/samba/netcmd/gpo.py
index edbd5a273c..90b7a5efaa 100644
--- a/source4/scripting/python/samba/netcmd/gpo.py
+++ b/source4/scripting/python/samba/netcmd/gpo.py
@@ -66,6 +66,20 @@ def flags_string(flags, value):
return ret.rstrip()
+def parse_gplink(gplink):
+ '''parse a gPLink into an array of dn and options'''
+ ret = []
+ a = gplink.split(']')
+ for g in a:
+ if not g:
+ continue
+ d = g.split(';')
+ if len(d) != 2 or not d[0].startswith("[LDAP://"):
+ raise RuntimeError("Badly formed gPLink '%s'" % g)
+ ret.append({ 'dn' : d[0][8:], 'options' : int(d[1])})
+ return ret
+
+
class cmd_listall(Command):
"""list all GPOs"""
@@ -113,8 +127,93 @@ class cmd_listall(Command):
print("")
+class cmd_list(Command):
+ """list GPOs for a user"""
+
+ synopsis = "%prog gpo list <username>"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_args = [ 'username' ]
+
+ takes_options = [
+ Option("-H", help="LDB URL for database or target server", type=str)
+ ]
+
+ def run(self, username, H=None, sambaopts=None,
+ credopts=None, versionopts=None, server=None):
+
+ self.url = H
+ self.lp = sambaopts.get_loadparm()
+
+ self.creds = credopts.get_credentials(self.lp)
+ if not self.creds.authentication_requested():
+ self.creds.set_machine_account(self.lp)
+
+ samdb_connect(self)
+
+ try:
+ user_dn = self.samdb.search(expression='(&(samAccountName=%s)(objectclass=User))' % username)[0].dn
+ except Exception, estr:
+ raise CommandError("Failed to find user %s - %s" % (username, estr))
+
+ # check if its a computer account
+ try:
+ msg = self.samdb.search(base=user_dn, scope=ldb.SCOPE_BASE, attrs=['objectClass'])[0]
+ is_computer = 'computer' in msg['objectClass']
+ except Exception, estr:
+ raise CommandError("Failed to find objectClass for user %s - %s" % (username, estr))
+
+ print("TODO: get user token")
+ # token = self.samdb.get_user_token(username)
+
+ gpos = []
+
+ inherit = True
+ dn = ldb.Dn(self.samdb, str(user_dn)).parent()
+ while True:
+ msg = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=['gPLink', 'gPOptions'])[0]
+ if 'gPLink' in msg:
+ glist = parse_gplink(msg['gPLink'][0])
+ for g in glist:
+ if not inherit and not (g['options'] & dsdb.GPLINK_OPT_ENFORCE):
+ continue
+ if g['options'] & dsdb.GPLINK_OPT_DISABLE:
+ continue
+
+ print("TODO: access checking")
+ #if not samdb.access_check(secdesc, token, security.SEC_RIGHTS_FILE_READ):
+ # continue
+
+ # check the flags on the GPO
+ flags = int(attr_default(self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE, attrs=['flags'])[0], 'flags', 0))
+ if is_computer and (flags & dsdb.GPO_FLAG_MACHINE_DISABLE):
+ continue
+ if not is_computer and (flags & dsdb.GPO_FLAG_USER_DISABLE):
+ continue
+ gpos.append(g)
+
+ # check if this blocks inheritance
+ gpoptions = int(attr_default(msg, 'gPOptions', 0))
+ if gpoptions & dsdb.GPO_BLOCK_INHERITANCE:
+ inherit = False
+
+ if dn == self.samdb.get_default_basedn():
+ break
+ dn = dn.parent()
+
+ print("GPO's for user %s" % username)
+ for g in gpos:
+ print("\t%s" % g['dn'])
+
+
class cmd_gpo(SuperCommand):
"""GPO commands"""
subcommands = {}
subcommands["listall"] = cmd_listall()
+ subcommands["list"] = cmd_list()