[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Thu Feb 11 03:48:14 MST 2010


The branch, master has been updated
       via  a4d0563... provision: Use short name for assignee of ACE (BA, SA, CO, ...)
       via  bcba41c... python-s4: use secrets.ldb instead of sam.ldb for reading domain SID
       via  d1c2923... provision: Fix an error with eadb when using not default install dir and running as a non root user
      from  2cf97c4... s4-dns: don't leave behind a tmp file

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a4d056339235d436dfdbf82e14975151ee1bc7c3
Author: Matthieu Patou <mat at matws.net>
Date:   Wed Jan 27 02:03:15 2010 +0300

    provision: Use short name for assignee of ACE (BA, SA, CO, ...)
    
      Use short names (shortcuts for well-known SIDs/RIDs) for the assignee in each ACL entry (when possible)
      of sysvol files (GPO objects and netlogon folders).
      This avoids error-prone substitution of DOMAINSID in the ACL and makes the ACL clearer by using short names
      for the assignee, in accordance with SDDL syntax rules. Translation to the real SID is handled internally by the
      from_sddl function.
    
    Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>

commit bcba41c351bc78d739fb174338d8c71148053b5d
Author: Matthieu Patou <mat at matws.net>
Date:   Wed Jan 27 01:32:29 2010 +0300

    python-s4: use secrets.ldb instead of sam.ldb for reading domain SID
    
      This allows net acl set xxx yyy to be run on a DC, but also on a domain
      member.
    
    Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>

commit d1c29231511376f4379909401f723b1ea9c538ea
Author: Matthieu Patou <mat at matws.net>
Date:   Mon Feb 8 15:36:07 2010 +0300

    provision: Fix an error with eadb when using not default install dir and running as a non root user
    
    Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>

-----------------------------------------------------------------------

Summary of changes:
 source4/scripting/python/samba/netcmd/ntacl.py |    4 ++--
 source4/scripting/python/samba/provision.py    |   20 +++++++++++---------
 2 files changed, 13 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/scripting/python/samba/netcmd/ntacl.py b/source4/scripting/python/samba/netcmd/ntacl.py
index a96593e..8c0803f 100644
--- a/source4/scripting/python/samba/netcmd/ntacl.py
+++ b/source4/scripting/python/samba/netcmd/ntacl.py
@@ -61,7 +61,7 @@ class cmd_acl_set(Command):
             credopts=None, sambaopts=None, versionopts=None):
 		lp = sambaopts.get_loadparm()
 		creds = credopts.get_credentials(lp)
-		path = os.path.join(lp.get("private dir"), lp.get("sam database") or "samdb.ldb")
+		path = os.path.join(lp.get("private dir"), lp.get("secrets database") or "secrets.ldb")
 		creds = credopts.get_credentials(lp)
 		creds.set_kerberos_state(DONT_USE_KERBEROS)
 		try:
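Review bot: The command now opens the secrets database just to read one `objectSid`, and nothing at the changed `path = ...` line says why. Judging by its name, that file holds the machine's own credentials, so anyone running this command needs read access to it, which is a wider requirement than the old sam database lookup had. A comment above the line would record the intent, for example `# secrets.ldb exists on DCs and domain members alike; only objectSid is read from it`. The context lines around the change also call `creds = credopts.get_credentials(lp)` twice, and the second call can be dropped. The method starts before the hunk and its `try:` body continues after it.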
@@ -71,7 +71,7 @@ class cmd_acl_set(Command):
 			sys.exit(1)
 		attrs = ["objectSid"]
 		print lp.get("realm")
-		res = ldb.search(expression="(objectClass=*)",base="DC=%s"%lp.get("realm").lower().replace(".",",DC="), scope=SCOPE_BASE, attrs=attrs)
+		res = ldb.search(expression="(objectClass=*)",base="flatname=%s,cn=Primary Domains"%lp.get("workgroup"), scope=SCOPE_BASE, attrs=attrs)
 		if len(res) !=0:
 			domainsid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
 			setntacl(lp,file,acl,str(domainsid),xattr_backend,eadb_file)
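Review bot: The search on the new base `"flatname=%s,cn=Primary Domains"%lp.get("workgroup")` has no error handling visible in the hunk. A base-scope search on an entry that does not exist most likely raises from ldb instead of returning an empty result, so the `if len(res) !=0` test may never see the missing-entry case, for instance when the workgroup in smb.conf does not match the joined domain. Wrapping the call in a `try:`/`except` that prints a clear message and ends with `sys.exit(1)`, as the preceding block appears to do, keeps the failure explicit instead of a traceback. The `print lp.get("realm")` context line no longer relates to the lookup and looks like leftover debug output. The method starts before the hunk and may continue after it.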
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 86f1d9c..f52766b 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -465,7 +465,11 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
     if os.path.exists(smbconf):
         default_lp.load(smbconf)
     if eadb:
-        posixeadb_line = "posix:eadb = " + os.path.abspath(os.path.join(os.path.join(targetdir, "private"),"eadb.tdb"))
+        if targetdir is not None:
+            privdir = os.path.join(targetdir, "private")
+        else:
+            privdir = default_lp.get("private dir")
+        posixeadb_line = "posix:eadb = " + os.path.abspath(os.path.join(privdir,"eadb.tdb"))
     else:
         posixeadb_line = ""
 
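Review bot: The new `else` branch that sets `privdir = default_lp.get("private dir")` has no comment explaining where that value comes from. `default_lp` may have just loaded an existing smb.conf (the `default_lp.load(smbconf)` context line), so the eadb path written into the new configuration follows whatever private dir that file declares, otherwise the built-in default. Since the eadb file stores the NT ACL data, a short note would help, for example `# no targetdir: use the configured private dir (from an existing smb.conf if one was loaded above)`. make_smbconf starts before and continues after the hunk.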
@@ -1061,8 +1065,8 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
 FILL_FULL = "FULL"
 FILL_NT4SYNC = "NT4SYNC"
 FILL_DRS = "DRS"
-SYSVOL_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
-POLICIES_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;${DOMAINSID}-520)"
+SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
+POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
 
 def set_gpo_acl(path,acl,lp,domsid):
 	setntacl(lp,path,acl,domsid)
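Review bot: The rewritten `SYSVOL_ACL` and `POLICIES_ACL` strings have no comment recording what the SDDL aliases stand for, and the old explicit SIDs are the only place that mapping is visible. From the removed lines, `LA` replaces `${DOMAINSID}-500`, `SO` replaces `S-1-5-32-549` and `PA` replaces `${DOMAINSID}-520`. `LA` and `PA` are domain-relative, so the resulting owner and the policy-admin ACE now depend entirely on the domain SID passed alongside the string. I would add above the constants `# SDDL aliases: LA = <domain SID>-500, SO = S-1-5-32-549, PA = <domain SID>-520;` and `# LA and PA are resolved against the domain SID given to setntacl`.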
@@ -1074,27 +1078,25 @@ def set_gpo_acl(path,acl,lp,domsid):
 
 def setsysvolacl(samdb,names,netlogon,sysvol,gid,domainsid,lp):
 	canchown = 1
-	acl = SYSVOL_ACL.replace("${DOMAINSID}",str(domainsid))
 	try:
 		os.chown(sysvol,-1,gid)
 	except:
 		canchown = 0
 
-	setntacl(lp,sysvol,acl,str(domainsid))
+	setntacl(lp,sysvol,SYSVOL_ACL,str(domainsid))
 	for root, dirs, files in os.walk(sysvol, topdown=False):
 		for name in files:
 			if canchown:
 				os.chown(os.path.join(root, name),-1,gid)
-			setntacl(lp,os.path.join(root, name),acl,str(domainsid))
+			setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
 		for name in dirs:
 			if canchown:
 				os.chown(os.path.join(root, name),-1,gid)
-			setntacl(lp,os.path.join(root, name),acl,str(domainsid))
+			setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
 
 	# Set ACL for GPO
 	policy_path = os.path.join(sysvol, names.dnsdomain, "Policies")
-	acl = POLICIES_ACL.replace("${DOMAINSID}",str(domainsid))
-	set_gpo_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid))
+	set_gpo_acl(policy_path,dsacl2fsacl(POLICIES_ACL,str(domainsid)),lp,str(domainsid))
 	res = samdb.search(base="CN=Policies,CN=System,%s"%(names.domaindn),
 						attrs=["cn","nTSecurityDescriptor"],
 						expression="", scope=ldb.SCOPE_ONELEVEL)
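Review bot: The bare `except:` around `os.chown(sysvol,-1,gid)` at the top of setsysvolacl swallows every error, not only a lack of privilege. The walk then silently skips group ownership for the whole tree while still applying the ACLs. Narrowing it to `except OSError:` and printing that the chown was skipped makes a partially applied sysvol setup visible to the administrator. With the SID no longer substituted into the ACL text, `str(domainsid)` is presumably the only input that resolves `LA` and `PA`; computing it once as `domsid = str(domainsid)` and passing that to each `setntacl` call makes the dependency easier to see. The function continues past the end of the hunk.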


-- 
Samba Shared Repository

