[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Sep 5 07:48:02 MDT 2012


The branch, master has been updated
       via  7b86c18 selftest: Add python blackbox tests for samba-tool ntacl get/set
       via  f9cee8d samba_tool: Improve samba-tool ntacl get/set to use the local sam.ldb SID
       via  7b5ba30 samba_tool: Fix ntacl get to correctly output in sddl
       via  c19208e s4-provision: Fix error message to contain the string SSDL of the failed-to-match ACL
      from  558fa4c s4 dns: Revert erroneous push from wrong branch

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7b86c18f38412c621b3c316776067d949b0b0bbb
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 5 18:13:53 2012 +1000

    selftest: Add python blackbox tests for samba-tool ntacl get/set
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Sep  5 15:47:55 CEST 2012 on sn-devel-104

commit f9cee8d832495798beb025c16afed5bd6a13799b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 5 18:12:52 2012 +1000

    samba_tool: Improve samba-tool ntacl get/set to use the local sam.ldb SID
    
    This gets the SID for the local machine correctly.
    
    We also add options for --use-ntvfs and --use-s3fs to help control
    exactly which database is being read and written.
    
    Andrew Bartlett

commit 7b5ba3013867ae77d516b5ac3cd264fbaf5ca372
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 5 17:06:33 2012 +1000

    samba_tool: Fix ntacl get to correctly output in sddl

commit c19208e93ce401b5ef0b752b32648926f9f39824
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 5 15:16:40 2012 +1000

    s4-provision: Fix error message to contain the string SSDL of the failed-to-match ACL

-----------------------------------------------------------------------

Summary of changes:
 source4/scripting/python/samba/netcmd/ntacl.py     |   76 ++++++++++++++------
 .../scripting/python/samba/provision/__init__.py   |    4 +-
 .../python/samba/tests/samba_tool/ntacl.py         |   69 +++++++++++++++++-
 3 files changed, 124 insertions(+), 25 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/scripting/python/samba/netcmd/ntacl.py b/source4/scripting/python/samba/netcmd/ntacl.py
index 661af80..92239a7 100644
--- a/source4/scripting/python/samba/netcmd/ntacl.py
+++ b/source4/scripting/python/samba/netcmd/ntacl.py
@@ -21,7 +21,7 @@ import samba.getopt as options
 from samba.dcerpc import security, idmap
 from samba.ntacls import setntacl, getntacl
 from samba import Ldb
-from samba.ndr import ndr_unpack
+from samba.ndr import ndr_unpack, ndr_print
 from samba.samdb import SamDB
 from samba.samba3 import param as s3param, passdb, smbd
 from samba import provision
@@ -55,31 +55,42 @@ class cmd_ntacl_set(Command):
         Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
                choices=["native","tdb"]),
         Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
+        Option("--use-ntvfs", help="Set the ACLs directly to the TDB or xattr for use with the ntvfs file server", action="store_true"),
+        Option("--use-s3fs", help="Set the ACLs for use with the default s3fs file server via the VFS layer", action="store_true")
         ]
 
     takes_args = ["acl","file"]
 
-    def run(self, acl, file, quiet=False,xattr_backend=None,eadb_file=None,
+    def run(self, acl, file, use_ntvfs=False, use_s3fs=False,
+            quiet=False,xattr_backend=None,eadb_file=None,
             credopts=None, sambaopts=None, versionopts=None):
+        logger = self.get_logger()
         lp = sambaopts.get_loadparm()
-        path = lp.private_path("secrets.ldb")
-        creds = credopts.get_credentials(lp)
-        creds.set_kerberos_state(DONT_USE_KERBEROS)
         try:
-            ldb = Ldb(path, session_info=system_session(), credentials=creds,
-                      lp=lp)
+            samdb = SamDB(session_info=system_session(),
+                          lp=lp)
         except Exception, e:
-            raise CommandError("Unable to read domain SID from configuration files", e)
-        attrs = ["objectSid"]
-        res = ldb.search(expression="(objectClass=*)",
-            base="flatname=%s,cn=Primary Domains" % lp.get("workgroup"),
-            scope=SCOPE_BASE, attrs=attrs)
-        if len(res) !=0:
-            domainsid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
-            setntacl(lp, file, acl, str(domainsid), xattr_backend, eadb_file)
-        else:
+            raise CommandError("Unable to open samdb:", e)
+
+        if not use_ntvfs and not use_s3fs:
+            use_ntvfs = "smb" in lp.get("server services")
+        elif use_s3fs:
+            use_ntvfs = False
+
+        try:
+            domain_sid = security.dom_sid(samdb.domain_sid)
+        except:
             raise CommandError("Unable to read domain SID from configuration files")
 
+        s3conf = s3param.get_context()
+        s3conf.load(lp.configfile)
+        # ensure we are using the right samba_dsdb passdb backend, no matter what
+        s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
+
+        setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs)
+
+        if use_ntvfs:
+            logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")
 
 
 class cmd_ntacl_get(Command):
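Review bot: Passing both `--use-ntvfs` and `--use-s3fs` is accepted silently in `cmd_ntacl_set.run`: the `elif use_s3fs:` branch resets `use_ntvfs` to False, so the ACL goes through the VFS layer even though the direct TDB/xattr store was also requested. The two paths write to different stores, so an administrator can believe an ACL is in place on a backend that never received it. Reject the combination before choosing a backend, e.g. `if use_ntvfs and use_s3fs: raise CommandError("--use-ntvfs and --use-s3fs are mutually exclusive")`. The same selection logic is repeated in `cmd_ntacl_get.run` in the next hunk and needs the same guard.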
@@ -97,19 +108,42 @@ class cmd_ntacl_get(Command):
         Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
                choices=["native","tdb"]),
         Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
+        Option("--use-ntvfs", help="Get the ACLs directly from the TDB or xattr used with the ntvfs file server", action="store_true"),
+        Option("--use-s3fs", help="Get the ACLs for use via the VFS layer used by the default s3fs file server", action="store_true")
         ]
 
     takes_args = ["file"]
 
-    def run(self, file, as_sddl=False, xattr_backend=None, eadb_file=None,
+    def run(self, file, use_ntvfs=False, use_s3fs=False,
+            as_sddl=False, xattr_backend=None, eadb_file=None,
             credopts=None, sambaopts=None, versionopts=None):
         lp = sambaopts.get_loadparm()
-        acl = getntacl(lp, file, xattr_backend, eadb_file)
+        try:
+            samdb = SamDB(session_info=system_session(),
+                          lp=lp)
+        except Exception, e:
+            raise CommandError("Unable to open samdb:", e)
+
+        if not use_ntvfs and not use_s3fs:
+            use_ntvfs = "smb" in lp.get("server services")
+        elif use_s3fs:
+            use_ntvfs = False
+
+
+        s3conf = s3param.get_context()
+        s3conf.load(lp.configfile)
+        # ensure we are using the right samba_dsdb passdb backend, no matter what
+        s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
+
+        acl = getntacl(lp, file, xattr_backend, eadb_file, direct_db_access=use_ntvfs)
         if as_sddl:
-            anysid = security.dom_sid(security.SID_NT_SELF)
-            self.outf.write(acl.info.as_sddl(anysid)+"\n")
+            try:
+                domain_sid = security.dom_sid(samdb.domain_sid)
+            except:
+                raise CommandError("Unable to read domain SID from configuration files")
+            self.outf.write(acl.as_sddl(domain_sid)+"\n")
         else:
-            acl.dump()
+            self.outf.write(ndr_print(acl))
 
 
 class cmd_ntacl_sysvolreset(Command):
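Review bot: The bare `except:` around `security.dom_sid(samdb.domain_sid)` catches everything, KeyboardInterrupt included, and throws away the underlying error, which makes a failed SID lookup hard to diagnose. The message also still blames "configuration files", although per the commit description the SID now comes from the local sam.ldb. Narrow it and pass the cause on, as the SamDB open a few lines above already does: `except Exception, e:` followed by `raise CommandError("Unable to read domain SID from sam.ldb", e)`. The same pattern is added to `cmd_ntacl_set.run` in the previous hunk.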
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index e1f0571..12904a7 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -1477,7 +1477,7 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
                 raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
             fsacl_sddl = fsacl.as_sddl(domainsid)
             if fsacl_sddl != acl:
-                raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl, acl))
+                raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
 
         for name in files:
             fsacl = getntacl(lp, os.path.join(root, name), direct_db_access=direct_db_access)
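Review bot: The "not found!" message on the first context line of this hunk has three `%s` placeholders but only two arguments, so a missing NT ACL would raise a TypeError from the `%` operator instead of the intended ProvisioningError. That hides the real finding of the sysvol ACL check behind a formatting traceback. Drop the extra placeholder: `'%s ACL on GPO file %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))`. The matching line in the next hunk has the same problem; check_dir_acl begins before this hunk, so the guarding condition is not visible here.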
@@ -1485,7 +1485,7 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
                 raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
             fsacl_sddl = fsacl.as_sddl(domainsid)
             if fsacl_sddl != acl:
-                raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl, acl))
+                raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
 
 
 def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, direct_db_access):
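Review bot: The messages in this hunk say "GPO directory" although they sit inside the `for name in files:` loop, while the messages in the previous hunk say "GPO file". The header of that earlier loop is outside the diff, but if it iterates over directories the two labels are swapped. Since this commit is about making the mismatch error useful, it is worth fixing the labels too, so the report names the right kind of object: use `GPO file` in the strings of this loop and `GPO directory` in the preceding one.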
diff --git a/source4/scripting/python/samba/tests/samba_tool/ntacl.py b/source4/scripting/python/samba/tests/samba_tool/ntacl.py
index 913a79b..d00b9a0 100644
--- a/source4/scripting/python/samba/tests/samba_tool/ntacl.py
+++ b/source4/scripting/python/samba/tests/samba_tool/ntacl.py
@@ -22,9 +22,10 @@ import os
 import time
 import ldb
 from samba.tests.samba_tool.base import SambaToolCmdTest
+import random
 
-class NtACLCmdTestCase(SambaToolCmdTest):
-    """Tests for samba-tool ntacl subcommands"""
+class NtACLCmdSysvolTestCase(SambaToolCmdTest):
+    """Tests for samba-tool ntacl sysvol* subcommands"""
 
 
     def test_ntvfs(self):
@@ -68,3 +69,67 @@ class NtACLCmdTestCase(SambaToolCmdTest):
         self.assertEquals(err,"","Shouldn't be any error messages")
         self.assertEquals(out,"","Shouldn't be any output messages")
 
+class NtACLCmdGetSetTestCase(SambaToolCmdTest):
+    """Tests for samba-tool ntacl get/set subcommands"""
+
+    acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+
+
+    def test_ntvfs(self):
+        path = os.environ['SELFTEST_PREFIX']
+        tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
+        open(tempf, 'w').write("empty")
+
+        (result, out, err) =  self.runsubcmd("ntacl", "set", self.acl, tempf,
+                                             "--use-ntvfs")
+        self.assertCmdSuccess(result)
+        self.assertEquals(out,"","Shouldn't be any output messages")
+        self.assertIn("Please note that POSIX permissions have NOT been changed, only the stored NT ACL", err)
+
+    def test_s3fs(self):
+        path = os.environ['SELFTEST_PREFIX']
+        tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
+        open(tempf, 'w').write("empty")
+
+        (result, out, err) =  self.runsubcmd("ntacl", "set", self.acl, tempf,
+                                             "--use-s3fs")
+
+        self.assertCmdSuccess(result)
+        self.assertEquals(err,"","Shouldn't be any error messages")
+        self.assertEquals(out,"","Shouldn't be any output messages")
+
+    def test_ntvfs_check(self):
+        path = os.environ['SELFTEST_PREFIX']
+        tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
+        open(tempf, 'w').write("empty")
+
+        (result, out, err) =  self.runsubcmd("ntacl", "set", self.acl, tempf,
+                                             "--use-ntvfs")
+        self.assertCmdSuccess(result)
+        self.assertEquals(out,"","Shouldn't be any output messages")
+        self.assertIn("Please note that POSIX permissions have NOT been changed, only the stored NT ACL", err)
+
+        # Now check they were set correctly
+        (result, out, err) =  self.runsubcmd("ntacl",  "get", tempf,
+                                             "--use-ntvfs", "--as-sddl")
+        self.assertCmdSuccess(result)
+        self.assertEquals(err,"","Shouldn't be any error messages")
+        self.assertEquals(self.acl+"\n", out, "Output should be the ACL")
+
+    def test_s3fs_check(self):
+        path = os.environ['SELFTEST_PREFIX']
+        tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
+        open(tempf, 'w').write("empty")
+
+        (result, out, err) =  self.runsubcmd("ntacl", "set", self.acl, tempf,
+                                             "--use-s3fs")
+        self.assertCmdSuccess(result)
+        self.assertEquals(out,"","Shouldn't be any output messages")
+        self.assertEquals(err,"","Shouldn't be any error messages")
+
+        # Now check they were set correctly
+        (result, out, err) =  self.runsubcmd("ntacl",  "get", tempf,
+                                             "--use-s3fs", "--as-sddl")
+        self.assertCmdSuccess(result)
+        self.assertEquals(err,"","Shouldn't be any error messages")
+        self.assertEquals(self.acl+"\n", out,"Output should be the ACL")
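Review bot: Each new test builds its scratch file as `"pytests"+str(int(100000*random.random()))` under SELFTEST_PREFIX, writes it through an unclosed `open(tempf, 'w')`, and never removes it. The name is guessable and can collide between tests or runs, and an existing file or symlink at that path would be opened and truncated. Leftover files also accumulate in the prefix. Creating the file once per test with `tempfile.mkstemp` (exclusive creation, unique name) and registering its removal avoids all three. This needs `import tempfile` in place of `import random`, and it assumes the base class offers the standard unittest `setUp`/`addCleanup` hooks, which should be confirmed against SambaToolCmdTest.

```python
class NtACLCmdGetSetTestCase(SambaToolCmdTest):
    # … unchanged: docstring and acl constant …

    def setUp(self):
        super(NtACLCmdGetSetTestCase, self).setUp()
        # mkstemp creates the file exclusively under a unique name
        (fd, self.tempf) = tempfile.mkstemp(prefix="pytests",
                                            dir=os.environ['SELFTEST_PREFIX'])
        os.write(fd, "empty")
        os.close(fd)
        self.addCleanup(os.unlink, self.tempf)

    # … unchanged: test_ntvfs, test_s3fs, test_ntvfs_check, test_s3fs_check,
    #   each using self.tempf instead of building tempf itself …
```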


-- 
Samba Shared Repository

