[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Nov 15 16:41:02 MST 2012


The branch, master has been updated
       via  ace0909 s4:samba-tool: Fix samba-tool fsmo --role=schema
       via  256391c samba-tool: Add new samba-tool gpo aclcheck and test
      from  cf1540b Another fix needed for bug #9236 - ACL masks incorrectly applied when setting ACLs.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ace0909b88739338e948b9c1e98307f324bb7503
Author: Arvid Requate <requate at univention.de>
Date:   Wed Nov 14 15:51:19 2012 +0100

    s4:samba-tool: Fix samba-tool fsmo --role=schema
    
    Fix traceback:
    samba-tool fsmo --role=schema --force
    ERROR(<type 'exceptions.TypeError'>): uncaught exception - argument 2 must be string, not ldb.Dn
      File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 168, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 160, in run
        self.seize_role(role, samdb, force)
      File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 119, in seize_role
        m.dn = ldb.Dn(samdb, self.schema_dn)
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Nov 16 00:40:24 CET 2012 on sn-devel-104

commit 256391c0faf4ff4d408821e3fe8cfe2eff44c043
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 5 19:36:28 2012 +1100

    samba-tool: Add new samba-tool gpo aclcheck and test
    
    Reviewed-by: Jelmer Vernooij <jelmer at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source4/scripting/python/samba/netcmd/fsmo.py      |    2 +-
 source4/scripting/python/samba/netcmd/gpo.py       |   63 ++++++++++++++++++++
 .../scripting/python/samba/tests/samba_tool/gpo.py |   10 +++
 3 files changed, 74 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/scripting/python/samba/netcmd/fsmo.py b/source4/scripting/python/samba/netcmd/fsmo.py
index 15d1d49..c938c91 100644
--- a/source4/scripting/python/samba/netcmd/fsmo.py
+++ b/source4/scripting/python/samba/netcmd/fsmo.py
@@ -103,7 +103,7 @@ all=all of the above"""),
         domain_dn = samdb.domain_dn()
         self.infrastructure_dn = "CN=Infrastructure," + domain_dn
         self.naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn()
-        self.schema_dn = samdb.get_schema_basedn()
+        self.schema_dn = str(samdb.get_schema_basedn())
         self.rid_dn = "CN=RID Manager$,CN=System," + domain_dn
 
         m = ldb.Message()
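Review bot: The `str()` added on the `self.schema_dn` line carries no comment explaining why it is needed, so a later cleanup could drop it and bring back the `TypeError` quoted in the commit message. A short comment above the assignment would record the reason, for example `# get_schema_basedn() returns an ldb.Dn; seize_role passes this to ldb.Dn(), which needs a str`. The enclosing function starts and ends outside this hunk, so the other users of `self.schema_dn` are not visible here.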
diff --git a/source4/scripting/python/samba/netcmd/gpo.py b/source4/scripting/python/samba/netcmd/gpo.py
index 347231b..f70317a 100644
--- a/source4/scripting/python/samba/netcmd/gpo.py
+++ b/source4/scripting/python/samba/netcmd/gpo.py
@@ -1072,6 +1072,68 @@ class cmd_del(Command):
         self.outf.write("GPO %s deleted.\n" % gpo)
 
 
+class cmd_aclcheck(Command):
+    """Check all GPOs have matching LDAP and DS ACLs."""
+
+    synopsis = "%prog [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "versionopts": options.VersionOptions,
+        "credopts": options.CredentialsOptions,
+    }
+
+    takes_options = [
+        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
+               metavar="URL", dest="H")
+        ]
+
+    def run(self, H=None, sambaopts=None, credopts=None, versionopts=None):
+
+        self.lp = sambaopts.get_loadparm()
+        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
+
+        self.url = dc_url(self.lp, self.creds, H)
+
+        # We need to know writable DC to setup SMB connection
+        if H and H.startswith('ldap://'):
+            dc_hostname = H[7:]
+            self.url = H
+        else:
+            dc_hostname = netcmd_finddc(self.lp, self.creds)
+            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
+
+        samdb_connect(self)
+
+        msg = get_gpo_info(self.samdb, None)
+
+        for m in msg:
+            # verify UNC path
+            unc = m['gPCFileSysPath'][0]
+            try:
+                [dom_name, service, sharepath] = parse_unc(unc)
+            except ValueError:
+                raise CommandError("Invalid GPO path (%s)" % unc)
+
+            # SMB connect to DC
+            try:
+                conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
+            except Exception:
+                raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)
+
+            fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
+
+            ds_sd_ndr = m['ntSecurityDescriptor'][0]
+            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
+
+            # Create a file system security descriptor
+            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
+            expected_fs_sddl = dsacl2fsacl(ds_sd, domain_sid)
+
+            if (fs_sd.as_sddl(domain_sid) != expected_fs_sddl):
+                raise CommandError("Invalid GPO ACL %s on path (%s), should be %s" % (fs_sd.as_sddl(domain_sid), sharepath, expected_fs_sddl))
+
+
 class cmd_gpo(SuperCommand):
     """Group Policy Object (GPO) management."""
 
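Review bot: The loop in `cmd_aclcheck.run` raises `CommandError` at the first GPO whose file system ACL differs from the one derived from its `ntSecurityDescriptor`, so an administrator auditing a domain sees only one mismatch per run. Collecting the mismatches and raising once after the loop would report every affected GPO in a single pass; the rewritten tail of the loop is shown below. The class docstring says "LDAP and DS ACLs", but the code compares the file system ACL with the directory one, so `"""Check all GPOs have matching file system and DS ACLs."""` would be more accurate. The first `self.url = dc_url(self.lp, self.creds, H)` assignment is overwritten in both branches of the `if` that follows and could be dropped.

```python
        # … unchanged: option handling, samdb_connect(self), get_gpo_info …
        mismatches = []
        for m in msg:
            # … unchanged: parse_unc, SMB connect, fs_sd / ds_sd / expected_fs_sddl …
            actual_fs_sddl = fs_sd.as_sddl(domain_sid)
            if actual_fs_sddl != expected_fs_sddl:
                mismatches.append("Invalid GPO ACL %s on path (%s), should be %s"
                                  % (actual_fs_sddl, sharepath, expected_fs_sddl))

        if mismatches:
            raise CommandError("\n".join(mismatches))
```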
@@ -1088,3 +1150,4 @@ class cmd_gpo(SuperCommand):
     subcommands["fetch"] = cmd_fetch()
     subcommands["create"] = cmd_create()
     subcommands["del"] = cmd_del()
+    subcommands["aclcheck"] = cmd_aclcheck()
diff --git a/source4/scripting/python/samba/tests/samba_tool/gpo.py b/source4/scripting/python/samba/tests/samba_tool/gpo.py
index 7ada91f..82e7268 100644
--- a/source4/scripting/python/samba/tests/samba_tool/gpo.py
+++ b/source4/scripting/python/samba/tests/samba_tool/gpo.py
@@ -44,6 +44,16 @@ os.environ["SERVER"])
         self.assertCmdSuccess(result, "Ensuring gpo fetched successfully")
         shutil.rmtree(os.path.join(self.tempdir, "policy"))
 
+    def test_show(self):
+        """Show a real GPO, and make sure it passes"""
+        (result, out, err) = self.runsubcmd("gpo", "show", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"])
+        self.assertCmdSuccess(result, "Ensuring gpo fetched successfully")
+
+    def test_aclcheck(self):
+        """Check all the GPOs on the remote server have correct ACLs"""
+        (result, out, err) = self.runsubcmd("gpo", "aclcheck", "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
+        self.assertCmdSuccess(result, "Ensuring gpo checked successfully")
+
     def setUp(self):
         """set up a temporary GPO to work with"""
         super(GpoCmdTestCase, self).setUp()
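Review bot: `test_aclcheck` only covers the case where every GPO's ACLs already match, so the branch of `cmd_aclcheck` that raises `CommandError` on a mismatch is never run by the suite. A second test that changes the ACL on the temporary GPO's directory and asserts that the command fails would cover the detection path. In `test_show` the assertion message is copied from the fetch test; `self.assertCmdSuccess(result, "Ensuring gpo shown successfully")` would match what is checked. `setUp` continues past the end of the hunk.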


-- 
Samba Shared Repository

