summaryrefslogtreecommitdiff
path: root/source4/scripting
diff options
context:
space:
mode:
Diffstat (limited to 'source4/scripting')
-rw-r--r--source4/scripting/python/samba/netcmd/gpo.py48
1 files changed, 10 insertions, 38 deletions
diff --git a/source4/scripting/python/samba/netcmd/gpo.py b/source4/scripting/python/samba/netcmd/gpo.py
index f87d192ff7..fb45539ed9 100644
--- a/source4/scripting/python/samba/netcmd/gpo.py
+++ b/source4/scripting/python/samba/netcmd/gpo.py
@@ -34,7 +34,8 @@ from samba.netcmd import (
SuperCommand,
)
from samba.samdb import SamDB
-from samba import dsdb, dcerpc
+from samba import dsdb
+from samba.dcerpc import security
from samba.ndr import ndr_unpack
import samba.security
import samba.auth
@@ -43,6 +44,7 @@ from samba.netcmd.common import netcmd_finddc
from samba import policy
from samba import smb
import uuid
+from samba.ntacls import dsacl2fsacl
def samdb_connect(ctx):
@@ -336,13 +338,13 @@ class cmd_list(Command):
continue
secdesc_ndr = gmsg[0]['ntSecurityDescriptor'][0]
- secdesc = ndr_unpack(dcerpc.security.descriptor, secdesc_ndr)
+ secdesc = ndr_unpack(security.descriptor, secdesc_ndr)
try:
samba.security.access_check(secdesc, token,
- dcerpc.security.SEC_STD_READ_CONTROL |
- dcerpc.security.SEC_ADS_LIST |
- dcerpc.security.SEC_ADS_READ_PROP)
+ security.SEC_STD_READ_CONTROL |
+ security.SEC_ADS_LIST |
+ security.SEC_ADS_READ_PROP)
except RuntimeError:
self.outf.write("Failed access check on %s\n" % msg.dn)
continue
@@ -406,7 +408,7 @@ class cmd_show(Command):
raise CommandError("GPO %s does not exist" % gpo, e)
secdesc_ndr = msg['ntSecurityDescriptor'][0]
- secdesc = ndr_unpack(dcerpc.security.descriptor, secdesc_ndr)
+ secdesc = ndr_unpack(security.descriptor, secdesc_ndr)
self.outf.write("GPO : %s\n" % msg['name'][0])
self.outf.write("display name : %s\n" % msg['displayName'][0])
@@ -912,40 +914,10 @@ class cmd_create(Command):
# Get new security descriptor
msg = get_gpo_info(self.samdb, gpo=gpo)[0]
ds_sd_ndr = msg['ntSecurityDescriptor'][0]
- ds_sd = ndr_unpack(dcerpc.security.descriptor, ds_sd_ndr)
+ ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
# Create a file system security descriptor
- fs_sd = dcerpc.security.descriptor()
- fs_sd.owner_sid = ds_sd.owner_sid
- fs_sd.group_sid = ds_sd.group_sid
- fs_sd.type = ds_sd.type
- fs_sd.revision = ds_sd.revision
-
- # Copy sacl
- fs_sd.sacl = ds_sd.sacl
-
- # Copy dacl
- dacl = ds_sd.dacl
- for ace in dacl.aces:
- # Don't add the allow for SID_BUILTIN_PREW2K
- if (not (ace.type & dcerpc.security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) and
- ace.trustee == dcerpc.security.SID_BUILTIN_PREW2K):
- continue
-
- # Copy the ace from the directory server security descriptor
- new_ace = ace
-
- # Set specific inheritance flags for within the GPO
- new_ace.flags |= (dcerpc.security.SEC_ACE_FLAG_OBJECT_INHERIT |
- dcerpc.security.SEC_ACE_FLAG_CONTAINER_INHERIT)
- if ace.trustee == dcerpc.security.SID_CREATOR_OWNER:
- new_ace.flags |= dcerpc.security.SEC_ACE_FLAG_INHERIT_ONLY
-
- # Get a directory access mask from the assigned access mask on the ldap object
- new_ace.access_mask = policy.ads_to_dir_access_mask(ace.access_mask)
-
- # Add the ace to DACL
- fs_sd.dacl_add(new_ace)
+ fs_sd = security.descriptor(dsacl2fsacl(ds_sd, self.samdb.get_domain_sid()))
# Set ACL
try: