From d48d0c5bbf70394dfc6ab44ef124582fd836695f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 29 Nov 2012 09:31:12 +0100
Subject: s4:samba-tool/gpo: fix the operation order when creating gpos
We should do it like the windows GUI.
1. create the LDAP objects
2. query the security_descriptor of the groupPolicyContainer
3. create the gPCFileSysPath via smb
4. set the security_descriptor of gPCFileSysPath
5. copy the files and directories into gPCFileSysPath
6. modify the groupPolicyContainer and link gPCFileSysPath
Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
---
 source4/scripting/python/samba/netcmd/gpo.py | 33 +++++++++++++++++-----------
 1 file changed, 20 insertions(+), 13 deletions(-)
(limited to 'source4/scripting')
diff --git a/source4/scripting/python/samba/netcmd/gpo.py b/source4/scripting/python/samba/netcmd/gpo.py
index 26b2e8c561..23b562eb63 100644
--- a/source4/scripting/python/samba/netcmd/gpo.py
+++ b/source4/scripting/python/samba/netcmd/gpo.py
@@ -962,34 +962,25 @@ class cmd_create(Command):
  m = ldb.Message()
  m.dn = gpo_dn
  m['a01'] = ldb.MessageElement("groupPolicyContainer", ldb.FLAG_MOD_ADD, "objectClass")
- m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_ADD, "displayName")
- m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_ADD, "gPCFileSysPath")
- m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_ADD, "flags")
- m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_ADD, "versionNumber")
- m['a06'] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_ADD, "showInAdvancedViewOnly")
- m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_ADD, "gpcFunctionalityVersion")
  self.samdb.add(m)
  # Add cn=User,cn=
  m = ldb.Message()
  m.dn = ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn))
  m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
- m['a02'] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_ADD, "showInAdvancedViewOnly")
  self.samdb.add(m)
  # Add cn=Machine,cn=
  m = ldb.Message()
  m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn))
  m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
- m['a02'] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_ADD, "showInAdvancedViewOnly")
  self.samdb.add(m)
- # Copy GPO files over SMB
- create_directory_hier(conn, sharepath)
- copy_directory_local_to_remote(conn, gpodir, sharepath)
- # Get new security descriptor
- msg = get_gpo_info(self.samdb, gpo=gpo)[0]
+ ds_sd_flags = ( security.SECINFO_OWNER |
+ security.SECINFO_GROUP |
+ security.SECINFO_DACL )
+ msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0]
  ds_sd_ndr = msg['nTSecurityDescriptor'][0]
  ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
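Review bot: `showInAdvancedViewOnly` is dropped from the groupPolicyContainer add (the old `a06`) and from both the User and Machine container adds in this hunk, and the modify in the next hunk that restores displayName, gPCFileSysPath, versionNumber, gpcFunctionalityVersion and flags does not re-add it, so nothing in this patch sets it any more. If that is deliberate because the dsdb objectclass module fills it in from the schema's defaultHidingValue for these classes, the add deserves a comment saying so, e.g. `# showInAdvancedViewOnly is not set here: the dsdb modules fill it in from the schema's defaultHidingValue`; otherwise the new objects end up visible in the default ADUC view, unlike the ones the old code created. The try block and transaction this sits in begin before the hunk, so I cannot see whether an intermediate, attribute-less container is ever committed on its own.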
@@ -998,12 +989,28 @@ class cmd_create(Command):
  sddl = dsacl2fsacl(ds_sd, domain_sid)
  fs_sd = security.descriptor.from_sddl(sddl, domain_sid)
+ # Copy GPO directory
+ create_directory_hier(conn, sharepath)
+
  # Set ACL
  sio = ( security.SECINFO_OWNER |
  security.SECINFO_GROUP |
  security.SECINFO_DACL |
  security.SECINFO_PROTECTED_DACL )
  conn.set_acl(sharepath, fs_sd, sio)
+
+ # Copy GPO files over SMB
+ copy_directory_local_to_remote(conn, gpodir, sharepath)
+
+ m = ldb.Message()
+ m.dn = gpo_dn
+ m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_REPLACE, "displayName")
+ m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_REPLACE, "gPCFileSysPath")
+ m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "versionNumber")
+ m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_REPLACE, "gpcFunctionalityVersion")
+ m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "flags")
+ controls=["permissive_modify:0"]
+ self.samdb.modify(m, controls=controls)
  except Exception:
  self.samdb.transaction_cancel()
  raise
-- cgit
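Review bot: The `except Exception:` branch undoes only the LDAP side (`self.samdb.transaction_cancel()`), so a failure in `conn.set_acl`, `copy_directory_local_to_remote` or the final `self.samdb.modify` leaves `sharepath` and whatever was copied into it on SYSVOL with no groupPolicyContainer pointing at it; this was already true before, but the commit reorders exactly these steps without addressing it. I would either remove the SMB-side directory again in that branch (best-effort, without masking the original exception) or at least document the gap, e.g. `# NOTE: transaction_cancel() only rolls back LDAP; on failure sharepath may be left orphaned on SYSVOL`. Separately, the DACL is applied to `sharepath` alone before the files are copied in, so the copied files and subdirectories only get the intended protection if the ACEs produced by `dsacl2fsacl` carry container/object-inherit flags — the conversion is outside this hunk, so that is worth confirming and stating in the `# Set ACL` comment. The enclosing try block and the `run` method start before this hunk.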