[SCM] Samba Shared Repository - branch master updated
David Mulder
dmulder at samba.org
Wed Dec 9 18:43:02 UTC 2020
The branch, master has been updated
via 4fa938e7e5f WHATSNEW: samba-tool gpo manage command
via ef5ea147ddc samba-tool: Add a gpo command for setting smb.conf Group Policy
via 2705d39bff3 samba-tool: Test gpo smb.conf set command
via fff3e0eb6af samba-tool: Add a gpo command for listing smb.conf Group Policies
via f74dea08be4 samba-tool: Test gpo smb.conf list command
via 111f07fd58b samba-tool: Add a gpo command for listing Security Group Policies
via aba8ece11d2 samba-tool: Test gpo Security list
via eea46a38ebe samba-tool: Add a gpo command for setting Security Group Policy
via 5b49e0ac71c samba-tool: Test gpo Security set command
via f509550f872 samba-tool: Add a gpo command for removing Sudoers Group Policy
via f67a3644f41 samba-tool: Test gpo Sudoers remove command
via 5f9d2456fba samba-tool: Add a gpo command for adding Sudoers Group Policy
via b0ccebd3ee6 samba-tool: Test gpo Sudoers add command
via b402c7642c5 samba-tool: Add a gpo command for listing Sudoers Group Policies
via 6f1374844c3 samba-tool: Test gpo Sudoers list command
from cc9ff79d86c dbcheck: err_normalise-mismatch_replace: no msg if no error
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4fa938e7e5f56b23eb4b3bfa560f50fabdcba8e4
Author: David Mulder <dmulder at suse.com>
Date: Fri Dec 4 08:53:54 2020 -0700
WHATSNEW: samba-tool gpo manage command
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): David Mulder <dmulder at samba.org>
Autobuild-Date(master): Wed Dec 9 18:42:29 UTC 2020 on sn-devel-184
commit ef5ea147ddcc81830eec3405c648f2124c9d27cf
Author: David Mulder <dmulder at suse.com>
Date: Fri Nov 13 08:39:26 2020 -0700
samba-tool: Add a gpo command for setting smb.conf Group Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 2705d39bff3ddb74c78659866079195b921af5ed
Author: David Mulder <dmulder at suse.com>
Date: Fri Nov 13 07:28:00 2020 -0700
samba-tool: Test gpo smb.conf set command
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit fff3e0eb6afe4ef2d6b74bf80413c74b176bc441
Author: David Mulder <dmulder at suse.com>
Date: Thu Nov 12 11:19:37 2020 -0700
samba-tool: Add a gpo command for listing smb.conf Group Policies
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f74dea08be48dcb194570d9ff0ef2a30c2cf878e
Author: David Mulder <dmulder at suse.com>
Date: Thu Nov 12 11:13:50 2020 -0700
samba-tool: Test gpo smb.conf list command
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 111f07fd58b7a7f798cc10e40a44e7fcdd8e207f
Author: David Mulder <dmulder at suse.com>
Date: Fri Nov 6 10:44:28 2020 -0700
samba-tool: Add a gpo command for listing Security Group Policies
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit aba8ece11d21aafbb3b42a3c24b18c5f9c5559f7
Author: David Mulder <dmulder at suse.com>
Date: Mon Nov 9 16:28:11 2020 -0700
samba-tool: Test gpo Security list
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit eea46a38ebe3de36063f663068933818cef19ff6
Author: David Mulder <dmulder at suse.com>
Date: Fri Nov 6 12:19:12 2020 -0700
samba-tool: Add a gpo command for setting Security Group Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 5b49e0ac71c2e10b73c8c67f0cb9547b70b8d021
Author: David Mulder <dmulder at suse.com>
Date: Tue Nov 10 08:05:37 2020 -0700
samba-tool: Test gpo Security set command
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f509550f872424a67d4fbc9473c8959e53dffb70
Author: David Mulder <dmulder at suse.com>
Date: Fri Nov 6 09:54:59 2020 -0700
samba-tool: Add a gpo command for removing Sudoers Group Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f67a3644f413dd4c902af6970cd18cf17f469cd2
Author: David Mulder <dmulder at suse.com>
Date: Mon Nov 9 16:08:59 2020 -0700
samba-tool: Test gpo Sudoers remove command
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 5f9d2456fbaeeb5674edb228a3022ee749376715
Author: David Mulder <dmulder at suse.com>
Date: Fri Nov 6 09:30:35 2020 -0700
samba-tool: Add a gpo command for adding Sudoers Group Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b0ccebd3ee65b8a9e4d09e1ef9121fc8c6a336b4
Author: David Mulder <dmulder at suse.com>
Date: Mon Nov 9 15:48:28 2020 -0700
samba-tool: Test gpo Sudoers add command
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b402c7642c5569bd0d8a6a9df4859f8bd89784b7
Author: David Mulder <dmulder at suse.com>
Date: Fri Nov 6 09:29:57 2020 -0700
samba-tool: Add a gpo command for listing Sudoers Group Policies
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 6f1374844c3bced28ac59633d12f2125a74376db
Author: David Mulder <dmulder at suse.com>
Date: Mon Nov 9 08:34:28 2020 -0700
samba-tool: Test gpo Sudoers list command
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 4 +-
python/samba/netcmd/gpo.py | 586 ++++++++++++++++++++++++++++++++++-
python/samba/tests/samba_tool/gpo.py | 232 ++++++++++++++
3 files changed, 820 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 9cfd2840b17..d53a7da1e8b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -69,7 +69,9 @@ Administration of Samba policy requires that a Samba ADMX template be uploaded
to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
provided as a convenient method for adding this policy. Once uploaded, policies
can be modified in the Group Policy Management Editor under Computer
-Configuration/Policies/Administrative Templates.
+Configuration/Policies/Administrative Templates. Alternatively, Samba policy
+may be managed using the `samba-tool gpo manage` command. This tool does not
+require the admx templates to be installed.
CTDB CHANGES
============
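Review bot: The added sentence in WHATSNEW.txt writes "admx templates" in lowercase, while the paragraph it extends uses "Samba ADMX template"; keep the capitalisation consistent. It would also help to name the subcommand groups this series puts under `samba-tool gpo manage` (sudoers, security, smb_conf), so the release note says what can be managed without the templates.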
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
index ca479207d6e..8be7368282f 100644
--- a/python/samba/netcmd/gpo.py
+++ b/python/samba/netcmd/gpo.py
@@ -37,7 +37,8 @@ from samba.netcmd import (
from samba.samdb import SamDB
from samba import dsdb
from samba.dcerpc import security
-from samba.ndr import ndr_unpack
+from samba.ndr import ndr_unpack, ndr_pack
+from samba.dcerpc import preg
import samba.security
import samba.auth
from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
@@ -64,6 +65,9 @@ from samba.gp_parse.gp_aas import GPAasParser
from samba import param
from samba.credentials import SMB_SIGNING_REQUIRED
from samba.netcmd.common import attr_default
+from samba.common import get_bytes, get_string
+from configparser import ConfigParser
+from io import StringIO
def gpo_flags_string(value):
@@ -1664,6 +1668,585 @@ class cmd_admxload(Command):
raise CommandError("The authenticated user does "
"not have sufficient privileges")
+class cmd_add_sudoers(Command):
+ """Adds a Samba Sudoers Group Policy to the sysvol
+
+This command adds a sudo rule to the sysvol for applying to winbind clients.
+
+Example:
+samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} 'fakeu ALL=(ALL) NOPASSWD: ALL'
+ """
+
+ synopsis = "%prog <gpo> <entry> [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server", type=str,
+ metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["gpo", "entry"]
+
+ def run(self, gpo, entry, H=None, sambaopts=None, credopts=None, versionopts=None):
+ self.lp = sambaopts.get_loadparm()
+ self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
+
+ # We need to know writable DC to setup SMB connection
+ if H and H.startswith('ldap://'):
+ dc_hostname = H[7:]
+ self.url = H
+ else:
+ dc_hostname = netcmd_finddc(self.lp, self.creds)
+ self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
+
+ # SMB connect to DC
+ conn = smb_connection(dc_hostname,
+ 'sysvol',
+ lp=self.lp,
+ creds=self.creds)
+
+ realm = self.lp.get('realm')
+ pol_dir = '\\'.join([realm.lower(), 'Policies', gpo, 'MACHINE'])
+ pol_file = '\\'.join([pol_dir, 'Registry.pol'])
+ try:
+ pol_data = ndr_unpack(preg.file, conn.loadfile(pol_file))
+ except NTSTATUSError as e:
+ # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND
+ if e.args[0] in [0xC0000033, 0xC0000034]:
+ pol_data = preg.file() # The file doesn't exist
+ elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+ raise CommandError("The authenticated user does "
+ "not have sufficient privileges")
+ else:
+ raise
+
+ e = preg.entry()
+ e.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
+ e.valuename = b'Software\\Policies\\Samba\\Unix Settings'
+ e.type = 1
+ e.data = get_bytes(entry)
+ entries = list(pol_data.entries)
+ entries.append(e)
+ pol_data.entries = entries
+ pol_data.num_entries = len(entries)
+
+ try:
+ create_directory_hier(conn, pol_dir)
+ conn.savefile(pol_file, ndr_pack(pol_data))
+ except NTSTATUSError as e:
+ if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+ raise CommandError("The authenticated user does "
+ "not have sufficient privileges")
+ raise
+
+class cmd_list_sudoers(Command):
+ """List Samba Sudoers Group Policy from the sysvol
+
+This command lists sudo rules from the sysvol that will be applied to winbind clients.
+
+Example:
+samba-tool gpo manage sudoers list {31B2F340-016D-11D2-945F-00C04FB984F9}
+ """
+
+ synopsis = "%prog <gpo> [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server", type=str,
+ metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["gpo"]
+
+ def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None):
+ self.lp = sambaopts.get_loadparm()
+ self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
+
+ # We need to know writable DC to setup SMB connection
+ if H and H.startswith('ldap://'):
+ dc_hostname = H[7:]
+ self.url = H
+ else:
+ dc_hostname = netcmd_finddc(self.lp, self.creds)
+ self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
+
+ # SMB connect to DC
+ conn = smb_connection(dc_hostname,
+ 'sysvol',
+ lp=self.lp,
+ creds=self.creds)
+
+ realm = self.lp.get('realm')
+ pol_file = '\\'.join([realm.lower(), 'Policies', gpo,
+ 'MACHINE\\Registry.pol'])
+ try:
+ pol_data = ndr_unpack(preg.file, conn.loadfile(pol_file))
+ except NTSTATUSError as e:
+ if e.args[0] == 0xC0000033: # STATUS_OBJECT_NAME_INVALID
+ return # The file doesn't exist, so there is nothing to list
+ if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+ raise CommandError("The authenticated user does "
+ "not have sufficient privileges")
+ raise
+
+ keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
+ for entry in pol_data.entries:
+ if get_bytes(entry.keyname) == keyname:
+ self.outf.write('%s\n' % entry.data)
+
+class cmd_remove_sudoers(Command):
+ """Removes a Samba Sudoers Group Policy from the sysvol
+
+This command removes a sudo rule from the sysvol from applying to winbind clients.
+
+Example:
+samba-tool gpo manage sudoers remove {31B2F340-016D-11D2-945F-00C04FB984F9} 'fakeu ALL=(ALL) NOPASSWD: ALL'
+ """
+
+ synopsis = "%prog <gpo> <entry> [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server", type=str,
+ metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["gpo", "entry"]
+
+ def run(self, gpo, entry, H=None, sambaopts=None, credopts=None, versionopts=None):
+ self.lp = sambaopts.get_loadparm()
+ self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
+
+ # We need to know writable DC to setup SMB connection
+ if H and H.startswith('ldap://'):
+ dc_hostname = H[7:]
+ self.url = H
+ else:
+ dc_hostname = netcmd_finddc(self.lp, self.creds)
+ self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
+
+ # SMB connect to DC
+ conn = smb_connection(dc_hostname,
+ 'sysvol',
+ lp=self.lp,
+ creds=self.creds)
+
+ realm = self.lp.get('realm')
+ pol_file = '\\'.join([realm.lower(), 'Policies', gpo,
+ 'MACHINE\\Registry.pol'])
+ try:
+ pol_data = ndr_unpack(preg.file, conn.loadfile(pol_file))
+ except NTSTATUSError as e:
+ if e.args[0] == 0xC0000033: # STATUS_OBJECT_NAME_INVALID
+ raise CommandError("The specified entry does not exist")
+ elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+ raise CommandError("The authenticated user does "
+ "not have sufficient privileges")
+ raise
+
+ if entry not in [e.data for e in pol_data.entries]:
+ raise CommandError("Cannot remove '%s' because it does not exist" %
+ entry)
+
+ entries = [e for e in pol_data.entries if e.data != entry]
+ pol_data.num_entries = len(entries)
+ pol_data.entries = entries
+
+ try:
+ conn.savefile(pol_file, ndr_pack(pol_data))
+ except NTSTATUSError as e:
+ if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+ raise CommandError("The authenticated user does "
+ "not have sufficient privileges")
+ raise
+
+class cmd_sudoers(SuperCommand):
+ """Manage Sudoers Group Policy Objects"""
+ subcommands = {}
+ subcommands["add"] = cmd_add_sudoers()
+ subcommands["list"] = cmd_list_sudoers()
+ subcommands["remove"] = cmd_remove_sudoers()
+
+class cmd_set_security(Command):
+ """Set Samba Security Group Policy to the sysvol
+
+This command sets a security setting to the sysvol for applying to winbind
+clients. Not providing a value will unset the policy.
+These settings only apply to the ADDC.
+
+Example:
+samba-tool gpo manage security set {31B2F340-016D-11D2-945F-00C04FB984F9} MaxTicketAge 10
+
+Possible policies:
+MaxTicketAge Maximum lifetime for user ticket
+ Defined in hours
+
+MaxServiceAge Maximum lifetime for service ticket
+ Defined in minutes
+
+MaxRenewAge Maximum lifetime for user ticket renewal
+ Defined in minutes
+
+MinimumPasswordAge Minimum password age
+ Defined in days
+
+MaximumPasswordAge Maximum password age
+ Defined in days
+
+MinimumPasswordLength Minimum password length
+ Defined in characters
+
+PasswordComplexity Password must meet complexity requirements
+ 1 is Enabled, 0 is Disabled
+ """
+
+ synopsis = "%prog <gpo> [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server", type=str,
+ metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["gpo", "policy", "value?"]
+
+ def run(self, gpo, policy, value=None, H=None, sambaopts=None,
+ credopts=None, versionopts=None):
+ self.lp = sambaopts.get_loadparm()
+ self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
+
+ # We need to know writable DC to setup SMB connection
+ if H and H.startswith('ldap://'):
+ dc_hostname = H[7:]
+ self.url = H
+ else:
+ dc_hostname = netcmd_finddc(self.lp, self.creds)
+ self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
+
+ # SMB connect to DC
+ conn = smb_connection(dc_hostname,
+ 'sysvol',
+ lp=self.lp,
+ creds=self.creds)
+
+ realm = self.lp.get('realm')
+ inf_dir = '\\'.join([realm.lower(), 'Policies', gpo,
+ 'MACHINE\\Microsoft\\Windows NT\\SecEdit'])
+ inf_file = '\\'.join([inf_dir, 'GptTmpl.inf'])
+ try:
+ inf_data = ConfigParser(interpolation=None)
+ inf_data.optionxform=str
+ raw = conn.loadfile(inf_file)
+ try:
+ inf_data.readfp(StringIO(raw.decode()))
+ except UnicodeDecodeError:
+ inf_data.readfp(StringIO(raw.decode('utf-16')))
+ except NTSTATUSError as e:
+ if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+ raise CommandError("The authenticated user does "
+ "not have sufficient privileges")
+ # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_PATH_NOT_FOUND
+ if e.args[0] not in [0xC0000033, 0xC000003A]:
+ raise
+
+ section_map = { 'MaxTicketAge' : 'Kerberos Policy',
+ 'MaxServiceAge' : 'Kerberos Policy',
+ 'MaxRenewAge' : 'Kerberos Policy',
+ 'MinimumPasswordAge' : 'System Access',
+ 'MaximumPasswordAge' : 'System Access',
+ 'MinimumPasswordLength' : 'System Access',
+ 'PasswordComplexity' : 'System Access'
+ }
+
+ section = section_map[policy]
+ if not inf_data.has_section(section):
+ inf_data.add_section(section)
+ if value is not None:
+ inf_data.set(section, policy, value)
+ else:
+ inf_data.remove_option(section, policy)
+
+ out = StringIO()
+ inf_data.write(out)
+ try:
+ create_directory_hier(conn, inf_dir)
+ conn.savefile(inf_file, get_bytes(out.getvalue()))
+ except NTSTATUSError as e:
+ if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+ raise CommandError("The authenticated user does "
+ "not have sufficient privileges")
+ else:
+ raise
+
+class cmd_list_security(Command):
+ """List Samba Security Group Policy from the sysvol
+
+This command lists security settings from the sysvol that will be applied to winbind clients.
+These settings only apply to the ADDC.
+
+Example:
+samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9}
+ """
+
+ synopsis = "%prog <gpo> [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server", type=str,
+ metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["gpo"]
+
+ def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None):
+ self.lp = sambaopts.get_loadparm()
+ self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
+
+ # We need to know writable DC to setup SMB connection
+ if H and H.startswith('ldap://'):
+ dc_hostname = H[7:]
+ self.url = H
+ else:
+ dc_hostname = netcmd_finddc(self.lp, self.creds)
+ self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
+
+ # SMB connect to DC
+ conn = smb_connection(dc_hostname,
+ 'sysvol',
+ lp=self.lp,
+ creds=self.creds)
+
+ realm = self.lp.get('realm')
+ inf_file = '\\'.join([realm.lower(), 'Policies', gpo,
+ 'MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf'])
+ try:
+ inf_data = ConfigParser(interpolation=None)
+ inf_data.optionxform=str
+ raw = conn.loadfile(inf_file)
+ try:
+ inf_data.readfp(StringIO(raw.decode()))
+ except UnicodeDecodeError:
+ inf_data.readfp(StringIO(raw.decode('utf-16')))
+ except NTSTATUSError as e:
+ if e.args[0] == 0xC0000033: # STATUS_OBJECT_NAME_INVALID
+ return # The file doesn't exist, so there is nothing to list
+ if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+ raise CommandError("The authenticated user does "
+ "not have sufficient privileges")
+ raise
+
+ for section in inf_data.sections():
+ if section not in ['Kerberos Policy', 'System Access']:
+ continue
+ for key, value in inf_data.items(section):
+ self.outf.write('%s = %s\n' % (key, value))
+
+class cmd_security(SuperCommand):
+ """Manage Security Group Policy Objects"""
+ subcommands = {}
+ subcommands["set"] = cmd_set_security()
+ subcommands["list"] = cmd_list_security()
+
+class cmd_list_smb_conf(Command):
+ """List Samba smb.conf Group Policy from the sysvol
+
+This command lists smb.conf settings from the sysvol that will be applied to winbind clients.
+
+Example:
+samba-tool gpo manage smb_conf list {31B2F340-016D-11D2-945F-00C04FB984F9}
+ """
+
+ synopsis = "%prog <gpo> [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server", type=str,
+ metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["gpo"]
+
+ def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None):
+ self.lp = sambaopts.get_loadparm()
+ self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
+
+ # We need to know writable DC to setup SMB connection
+ if H and H.startswith('ldap://'):
+ dc_hostname = H[7:]
+ self.url = H
+ else:
+ dc_hostname = netcmd_finddc(self.lp, self.creds)
+ self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
+
+ # SMB connect to DC
+ conn = smb_connection(dc_hostname,
+ 'sysvol',
+ lp=self.lp,
+ creds=self.creds)
+
+ realm = self.lp.get('realm')
+ pol_file = '\\'.join([realm.lower(), 'Policies', gpo,
+ 'MACHINE\\Registry.pol'])
+ try:
+ pol_data = ndr_unpack(preg.file, conn.loadfile(pol_file))
+ except NTSTATUSError as e:
+ if e.args[0] == 0xC0000033: # STATUS_OBJECT_NAME_INVALID
+ return # The file doesn't exist, so there is nothing to list
+ if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+ raise CommandError("The authenticated user does "
+ "not have sufficient privileges")
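Review bot: In cmd_remove_sudoers.run, both the existence check (`entry not in [e.data for e in pol_data.entries]`) and the filter (`e.data != entry`) match on data alone and never look at `e.keyname`, so any Registry.pol entry in that GPO whose data equals the argument is dropped, not only sudo rules. cmd_list_sudoers already restricts itself to `Software\\Policies\\Samba\\Unix Settings\\Sudo Rights`; the remove path should apply the same keyname test in both places. Handling of a missing file is also inconsistent: cmd_add_sudoers treats 0xC0000033 and 0xC0000034 as "file doesn't exist", cmd_set_security checks 0xC0000033 and 0xC000003A, and the list and remove commands check only 0xC0000033, so the other "not found" statuses reach the user as a raw NTSTATUSError; a shared helper would keep these aligned. In cmd_set_security.run, `section_map[policy]` raises KeyError for an unrecognised policy name and `value` is written without checking that it is numeric; a CommandError listing the valid names, plus an integer check, would keep a typo from landing in GptTmpl.inf. The file is also read as UTF-8 or UTF-16 but always written back through `get_bytes(out.getvalue())`, which may change the encoding of an existing template, and `ConfigParser.readfp` is deprecated in favour of `read_file`.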
--
Samba Shared Repository