[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Sep 5 07:48:02 MDT 2012
The branch, master has been updated
via 7b86c18 selftest: Add python blackbox tests for samba-tool ntacl get/set
via f9cee8d samba_tool: Improve samba-tool ntacl get/set to use the local sam.ldb SID
via 7b5ba30 samba_tool: Fix ntacl get to correctly output in sddl
via c19208e s4-provision: Fix error message to contain the string SSDL of the failed-to-match ACL
from 558fa4c s4 dns: Revert erroneous push from wrong branch
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7b86c18f38412c621b3c316776067d949b0b0bbb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 5 18:13:53 2012 +1000
selftest: Add python blackbox tests for samba-tool ntacl get/set
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Sep 5 15:47:55 CEST 2012 on sn-devel-104
commit f9cee8d832495798beb025c16afed5bd6a13799b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 5 18:12:52 2012 +1000
samba_tool: Improve samba-tool ntacl get/set to use the local sam.ldb SID
This gets the SID for the local machine correctly.
We also add options for --use-ntvfs and --use-s3fs to help control
exactly which database is being read and written.
Andrew Bartlett
commit 7b5ba3013867ae77d516b5ac3cd264fbaf5ca372
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 5 17:06:33 2012 +1000
samba_tool: Fix ntacl get to correctly output in sddl
commit c19208e93ce401b5ef0b752b32648926f9f39824
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 5 15:16:40 2012 +1000
s4-provision: Fix error message to contain the string SSDL of the failed-to-match ACL
-----------------------------------------------------------------------
Summary of changes:
source4/scripting/python/samba/netcmd/ntacl.py | 76 ++++++++++++++------
.../scripting/python/samba/provision/__init__.py | 4 +-
.../python/samba/tests/samba_tool/ntacl.py | 69 +++++++++++++++++-
3 files changed, 124 insertions(+), 25 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/scripting/python/samba/netcmd/ntacl.py b/source4/scripting/python/samba/netcmd/ntacl.py
index 661af80..92239a7 100644
--- a/source4/scripting/python/samba/netcmd/ntacl.py
+++ b/source4/scripting/python/samba/netcmd/ntacl.py
@@ -21,7 +21,7 @@ import samba.getopt as options
from samba.dcerpc import security, idmap
from samba.ntacls import setntacl, getntacl
from samba import Ldb
-from samba.ndr import ndr_unpack
+from samba.ndr import ndr_unpack, ndr_print
from samba.samdb import SamDB
from samba.samba3 import param as s3param, passdb, smbd
from samba import provision
@@ -55,31 +55,42 @@ class cmd_ntacl_set(Command):
Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
choices=["native","tdb"]),
Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
+ Option("--use-ntvfs", help="Set the ACLs directly to the TDB or xattr for use with the ntvfs file server", action="store_true"),
+ Option("--use-s3fs", help="Set the ACLs for use with the default s3fs file server via the VFS layer", action="store_true")
]
takes_args = ["acl","file"]
- def run(self, acl, file, quiet=False,xattr_backend=None,eadb_file=None,
+ def run(self, acl, file, use_ntvfs=False, use_s3fs=False,
+ quiet=False,xattr_backend=None,eadb_file=None,
credopts=None, sambaopts=None, versionopts=None):
+ logger = self.get_logger()
lp = sambaopts.get_loadparm()
- path = lp.private_path("secrets.ldb")
- creds = credopts.get_credentials(lp)
- creds.set_kerberos_state(DONT_USE_KERBEROS)
try:
- ldb = Ldb(path, session_info=system_session(), credentials=creds,
- lp=lp)
+ samdb = SamDB(session_info=system_session(),
+ lp=lp)
except Exception, e:
- raise CommandError("Unable to read domain SID from configuration files", e)
- attrs = ["objectSid"]
- res = ldb.search(expression="(objectClass=*)",
- base="flatname=%s,cn=Primary Domains" % lp.get("workgroup"),
- scope=SCOPE_BASE, attrs=attrs)
- if len(res) !=0:
- domainsid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
- setntacl(lp, file, acl, str(domainsid), xattr_backend, eadb_file)
- else:
+ raise CommandError("Unable to open samdb:", e)
+
+ if not use_ntvfs and not use_s3fs:
+ use_ntvfs = "smb" in lp.get("server services")
+ elif use_s3fs:
+ use_ntvfs = False
+
+ try:
+ domain_sid = security.dom_sid(samdb.domain_sid)
+ except:
raise CommandError("Unable to read domain SID from configuration files")
+ s3conf = s3param.get_context()
+ s3conf.load(lp.configfile)
+ # ensure we are using the right samba_dsdb passdb backend, no matter what
+ s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
+
+ setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs)
+
+ if use_ntvfs:
+ logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")
class cmd_ntacl_get(Command):
@@ -97,19 +108,42 @@ class cmd_ntacl_get(Command):
Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
choices=["native","tdb"]),
Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
+ Option("--use-ntvfs", help="Get the ACLs directly from the TDB or xattr used with the ntvfs file server", action="store_true"),
+ Option("--use-s3fs", help="Get the ACLs for use via the VFS layer used by the default s3fs file server", action="store_true")
]
takes_args = ["file"]
- def run(self, file, as_sddl=False, xattr_backend=None, eadb_file=None,
+ def run(self, file, use_ntvfs=False, use_s3fs=False,
+ as_sddl=False, xattr_backend=None, eadb_file=None,
credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
- acl = getntacl(lp, file, xattr_backend, eadb_file)
+ try:
+ samdb = SamDB(session_info=system_session(),
+ lp=lp)
+ except Exception, e:
+ raise CommandError("Unable to open samdb:", e)
+
+ if not use_ntvfs and not use_s3fs:
+ use_ntvfs = "smb" in lp.get("server services")
+ elif use_s3fs:
+ use_ntvfs = False
+
+
+ s3conf = s3param.get_context()
+ s3conf.load(lp.configfile)
+ # ensure we are using the right samba_dsdb passdb backend, no matter what
+ s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
+
+ acl = getntacl(lp, file, xattr_backend, eadb_file, direct_db_access=use_ntvfs)
if as_sddl:
- anysid = security.dom_sid(security.SID_NT_SELF)
- self.outf.write(acl.info.as_sddl(anysid)+"\n")
+ try:
+ domain_sid = security.dom_sid(samdb.domain_sid)
+ except:
+ raise CommandError("Unable to read domain SID from configuration files")
+ self.outf.write(acl.as_sddl(domain_sid)+"\n")
else:
- acl.dump()
+ self.outf.write(ndr_print(acl))
class cmd_ntacl_sysvolreset(Command):
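Review bot: The bare `except:` around `security.dom_sid(samdb.domain_sid)` in the `as_sddl` branch catches everything, including KeyboardInterrupt and SystemExit, and the replacement message drops the underlying cause. Catch `except Exception, e:` instead and pass the cause on with `raise CommandError("Unable to read domain SID from configuration files", e)`, as the SamDB open earlier in this method already does. The same bare `except:` is added in `cmd_ntacl_set.run` in the previous hunk. A comment on the `s3conf.set("passdb backend", ...)` line saying whether the override is process-wide would also help the next reader.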
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index e1f0571..12904a7 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -1477,7 +1477,7 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
fsacl_sddl = fsacl.as_sddl(domainsid)
if fsacl_sddl != acl:
- raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl, acl))
+ raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
for name in files:
fsacl = getntacl(lp, os.path.join(root, name), direct_db_access=direct_db_access)
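Review bot: The "not found!" message on the first context line of this hunk has three `%s` placeholders but only a two-element tuple, so reaching it raises `TypeError: not enough arguments for format string` instead of the intended ProvisioningError. The commit corrects the neighbouring "does not match" message but leaves this one as it was. Dropping the extra placeholder fixes it: `'%s ACL on GPO file %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))`. The "GPO directory ... not found!" line in the following hunk has the same mismatch. The condition guarding both raises is outside the hunks, so I am assuming they fire when `getntacl` returns nothing for the path.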
@@ -1485,7 +1485,7 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
fsacl_sddl = fsacl.as_sddl(domainsid)
if fsacl_sddl != acl:
- raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl, acl))
+ raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, direct_db_access):
diff --git a/source4/scripting/python/samba/tests/samba_tool/ntacl.py b/source4/scripting/python/samba/tests/samba_tool/ntacl.py
index 913a79b..d00b9a0 100644
--- a/source4/scripting/python/samba/tests/samba_tool/ntacl.py
+++ b/source4/scripting/python/samba/tests/samba_tool/ntacl.py
@@ -22,9 +22,10 @@ import os
import time
import ldb
from samba.tests.samba_tool.base import SambaToolCmdTest
+import random
-class NtACLCmdTestCase(SambaToolCmdTest):
- """Tests for samba-tool ntacl subcommands"""
+class NtACLCmdSysvolTestCase(SambaToolCmdTest):
+ """Tests for samba-tool ntacl sysvol* subcommands"""
def test_ntvfs(self):
@@ -68,3 +69,67 @@ class NtACLCmdTestCase(SambaToolCmdTest):
self.assertEquals(err,"","Shouldn't be any error messages")
self.assertEquals(out,"","Shouldn't be any output messages")
+class NtACLCmdGetSetTestCase(SambaToolCmdTest):
+ """Tests for samba-tool ntacl get/set subcommands"""
+
+ acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+
+
+ def test_ntvfs(self):
+ path = os.environ['SELFTEST_PREFIX']
+ tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
+ open(tempf, 'w').write("empty")
+
+ (result, out, err) = self.runsubcmd("ntacl", "set", self.acl, tempf,
+ "--use-ntvfs")
+ self.assertCmdSuccess(result)
+ self.assertEquals(out,"","Shouldn't be any output messages")
+ self.assertIn("Please note that POSIX permissions have NOT been changed, only the stored NT ACL", err)
+
+ def test_s3fs(self):
+ path = os.environ['SELFTEST_PREFIX']
+ tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
+ open(tempf, 'w').write("empty")
+
+ (result, out, err) = self.runsubcmd("ntacl", "set", self.acl, tempf,
+ "--use-s3fs")
+
+ self.assertCmdSuccess(result)
+ self.assertEquals(err,"","Shouldn't be any error messages")
+ self.assertEquals(out,"","Shouldn't be any output messages")
+
+ def test_ntvfs_check(self):
+ path = os.environ['SELFTEST_PREFIX']
+ tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
+ open(tempf, 'w').write("empty")
+
+ (result, out, err) = self.runsubcmd("ntacl", "set", self.acl, tempf,
+ "--use-ntvfs")
+ self.assertCmdSuccess(result)
+ self.assertEquals(out,"","Shouldn't be any output messages")
+ self.assertIn("Please note that POSIX permissions have NOT been changed, only the stored NT ACL", err)
+
+ # Now check they were set correctly
+ (result, out, err) = self.runsubcmd("ntacl", "get", tempf,
+ "--use-ntvfs", "--as-sddl")
+ self.assertCmdSuccess(result)
+ self.assertEquals(err,"","Shouldn't be any error messages")
+ self.assertEquals(self.acl+"\n", out, "Output should be the ACL")
+
+ def test_s3fs_check(self):
+ path = os.environ['SELFTEST_PREFIX']
+ tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
+ open(tempf, 'w').write("empty")
+
+ (result, out, err) = self.runsubcmd("ntacl", "set", self.acl, tempf,
+ "--use-s3fs")
+ self.assertCmdSuccess(result)
+ self.assertEquals(out,"","Shouldn't be any output messages")
+ self.assertEquals(err,"","Shouldn't be any error messages")
+
+ # Now check they were set correctly
+ (result, out, err) = self.runsubcmd("ntacl", "get", tempf,
+ "--use-s3fs", "--as-sddl")
+ self.assertCmdSuccess(result)
+ self.assertEquals(err,"","Shouldn't be any error messages")
+ self.assertEquals(self.acl+"\n", out,"Output should be the ACL")
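Review bot: Each of the four new tests builds its scratch file as `"pytests"+str(int(100000*random.random()))` and writes it with `open(tempf, 'w').write("empty")`, so the name is guessable and can collide between tests or runs. The handle is also never closed explicitly, and the file is never removed from SELFTEST_PREFIX. A shared helper based on `tempfile.mkstemp` gives a unique, exclusively created file and one place for cleanup. It needs `import tempfile` in place of `import random`. The sketch below assumes the base TestCase provides `addCleanup`; otherwise remove the file in `tearDown`.

```python
    def _make_tempfile(self):
        # mkstemp creates the file exclusively under a unique name
        (fd, tempf) = tempfile.mkstemp(prefix="pytests",
                                       dir=os.environ['SELFTEST_PREFIX'])
        self.addCleanup(os.remove, tempf)
        f = os.fdopen(fd, 'w')
        try:
            f.write("empty")
        finally:
            f.close()
        return tempf

    def test_ntvfs(self):
        tempf = self._make_tempfile()
        # ... unchanged: ntacl set --use-ntvfs and its assertions ...
```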
--
Samba Shared Repository