1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
#!/usr/bin/python
#
# Manipulate file NT ACLs
#
# Copyright Matthieu Patou 2010 <mat@matws.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from samba.credentials import DONT_USE_KERBEROS
import samba.getopt as options
from samba.dcerpc import security
from samba.ntacls import setntacl, getntacl
from samba import Ldb
from samba.ndr import ndr_unpack
from ldb import SCOPE_BASE
import ldb
import os
import sys
from samba.auth import system_session
from samba.netcmd import (
Command,
SuperCommand,
CommandError,
Option,
)
class cmd_acl_set(Command):
"""Set ACLs on a file"""
synopsis = "%prog set <acl> <file> [--xattr-backend=native|tdb] [--eadb-file=file] [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
}
takes_options = [
Option("--quiet", help="Be quiet", action="store_true"),
Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
choices=["native","tdb"]),
Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
]
takes_args = ["acl","file"]
def run(self, acl, file, quiet=False,xattr_backend=None,eadb_file=None,
credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
path = os.path.join(lp.get("private dir"), lp.get("secrets database") or "secrets.ldb")
creds = credopts.get_credentials(lp)
creds.set_kerberos_state(DONT_USE_KERBEROS)
try:
ldb = Ldb(path, session_info=system_session(), credentials=creds,lp=lp)
except:
print "Unable to read domain SID from configuration files"
sys.exit(1)
attrs = ["objectSid"]
print lp.get("realm")
res = ldb.search(expression="(objectClass=*)",base="flatname=%s,cn=Primary Domains"%lp.get("workgroup"), scope=SCOPE_BASE, attrs=attrs)
if len(res) !=0:
domainsid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
setntacl(lp,file,acl,str(domainsid),xattr_backend,eadb_file)
else:
print "Unable to read domain SID from configuration files"
sys.exit(1)
class cmd_acl_get(Command):
"""Set ACLs on a file"""
synopsis = "%prog get <file> [--as-sddl] [--xattr-backend=native|tdb] [--eadb-file=file] [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
}
takes_options = [
Option("--as-sddl", help="Output ACL in the SDDL format", action="store_true"),
Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
choices=["native","tdb"]),
Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
]
takes_args = ["file"]
def run(self, file, as_sddl=False,xattr_backend=None,eadb_file=None,
credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
acl = getntacl(lp,file,xattr_backend,eadb_file)
if as_sddl:
anysid=security.dom_sid(security.SID_NT_SELF)
print acl.info.as_sddl(anysid)
else:
acl.dump()
class cmd_acl(SuperCommand):
"""NT ACLs manipulation"""
subcommands = {}
subcommands["set"] = cmd_acl_set()
subcommands["get"] = cmd_acl_get()
|
