[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Fri Aug 13 20:07:01 UTC 2021


The branch, master has been updated
       via  0f26dbe0d09 gpo: Print getcert message to debug
       via  e3a956e075b gpo: Decode the bytes for cepces-submit failure
       via  7a04052dad4 gpo: Ignore symlink failure on sscep renew
       via  80e3daed120 gpo: Apply Group Policy User Scripts
       via  f04431b1d24 gpo: Test Group Policy User Scripts
       via  cd63893d4e7 gpo: Enable Scripts ADMX for User Policy
       via  6d676cac41d gpo: Enable user policy application
      from  1641e6c528e libreplace: remove now unused USE_COPY_FILE_RANGE define

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0f26dbe0d0907e16a2c1b10c620a9db5b1b6b4ab
Author: David Mulder <dmulder at suse.com>
Date:   Fri Jul 23 09:28:21 2021 -0600

    gpo: Print getcert message to debug
    
    Otherwise re-running gpupdate to enforce policy
    displays 'already exists' messages, which
    confusingly appear to be a failure, but are
    actually intentional behavior.
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Aug 13 20:06:31 UTC 2021 on sn-devel-184

commit e3a956e075b6030534463689b820eb037aeed4f3
Author: David Mulder <dmulder at suse.com>
Date:   Thu Jul 22 10:37:41 2021 -0600

    gpo: Decode the bytes for cepces-submit failure
    
    When displaying the error from cepces-submit,
    make sure to decode the bytes (otherwise it is
    hard to read). Also print the error to debug
    instead of warn (it may dump a traceback).
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 7a04052dad4b52a20d47805a41b892bb4fecb433
Author: David Mulder <dmulder at suse.com>
Date:   Thu Jul 22 10:16:42 2021 -0600

    gpo: Ignore symlink failure on sscep renew
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 80e3daed120b5ed71ffd58427e5d8910b6bdb3a1
Author: David Mulder <dmulder at suse.com>
Date:   Tue Jul 20 11:14:28 2021 -0600

    gpo: Apply Group Policy User Scripts
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f04431b1d24d83dea700a2443c4a3600d623dfd4
Author: David Mulder <dmulder at suse.com>
Date:   Tue Jul 20 11:13:21 2021 -0600

    gpo: Test Group Policy User Scripts
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit cd63893d4e773cef8a32d75e8177c6af3f6367d6
Author: David Mulder <dmulder at suse.com>
Date:   Tue Jul 20 13:48:42 2021 -0600

    gpo: Enable Scripts ADMX for User Policy
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 6d676cac41d0f84d5396a67bd445ef8cfd4b8e0c
Author: David Mulder <dmulder at suse.com>
Date:   Tue Jul 20 09:13:06 2021 -0600

    gpo: Enable user policy application
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libgpo/admx/samba.admx                  |   8 +--
 python/samba/gp_cert_auto_enroll_ext.py |  31 ++++++---
 python/samba/gp_scripts_ext.py          |  88 ++++++++++++++++++++++-
 python/samba/gpclass.py                 |  85 +++++++++++++++++-----
 python/samba/tests/bin/crontab          |  29 ++++++++
 python/samba/tests/gpo.py               | 120 +++++++++++++++++++++++++++-----
 python/samba/tests/gpo_member.py        |   3 +-
 source4/scripting/bin/samba-gpupdate    |  21 ++++--
 8 files changed, 330 insertions(+), 55 deletions(-)
 create mode 100755 python/samba/tests/bin/crontab


Changeset truncated at 500 lines:

diff --git a/libgpo/admx/samba.admx b/libgpo/admx/samba.admx
index ee2816c2b31..d09956d5394 100755
--- a/libgpo/admx/samba.admx
+++ b/libgpo/admx/samba.admx
@@ -22,28 +22,28 @@
     </category>
   </categories>
   <policies>
-    <policy name="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061" class="Machine" displayName="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" explainText="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help)" presentation="$(presentation.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" key="Software\Policies\Samba\Unix Settings">
+    <policy name="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061" class="Both" displayName="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" explainText="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help)" presentation="$(presentation.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" key="Software\Policies\Samba\Unix Settings">
       <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
       <supportedOn ref="windows:SUPPORTED_WindowsVista" />
       <elements>
         <list id="LST_2E9A4684_3C0E_415B_8FD6_D4AF68BC8AC6" key="Software\Policies\Samba\Unix Settings\Daily Scripts" valueName="Daily Scripts" />
       </elements>
     </policy>
-    <policy name="POL_825D441F_905E_4C7E_9E4B_03013697C6C1" class="Machine" displayName="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" explainText="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1_Help)" presentation="$(presentation.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" key="Software\Policies\Samba\Unix Settings">
+    <policy name="POL_825D441F_905E_4C7E_9E4B_03013697C6C1" class="Both" displayName="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" explainText="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1_Help)" presentation="$(presentation.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" key="Software\Policies\Samba\Unix Settings">
       <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
       <supportedOn ref="windows:SUPPORTED_WindowsVista" />
       <elements>
         <list id="LST_1AA93D59_6372_4F1E_90BB_D4CBBBB77238" key="Software\Policies\Samba\Unix Settings\Hourly Scripts" valueName="Hourly Scripts" />
       </elements>
     </policy>
-    <policy name="POL_D298F3BD_44D9_426D_AF11_3163D31582F6" class="Machine" displayName="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" explainText="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help)" presentation="$(presentation.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" key="Software\Policies\Samba\Unix Settings">
+    <policy name="POL_D298F3BD_44D9_426D_AF11_3163D31582F6" class="Both" displayName="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" explainText="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help)" presentation="$(presentation.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" key="Software\Policies\Samba\Unix Settings">
       <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
       <supportedOn ref="windows:SUPPORTED_WindowsVista" />
       <elements>
         <list id="LST_8BC6757D_B1FB_4780_83B4_F85F27BF6E60" key="Software\Policies\Samba\Unix Settings\Monthly Scripts" valueName="Monthly Scripts" />
       </elements>
     </policy>
-    <policy name="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674" class="Machine" displayName="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" explainText="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help)" presentation="$(presentation.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" key="Software\Policies\Samba\Unix Settings">
+    <policy name="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674" class="Both" displayName="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" explainText="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help)" presentation="$(presentation.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" key="Software\Policies\Samba\Unix Settings">
       <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
       <supportedOn ref="windows:SUPPORTED_WindowsVista" />
       <elements>
diff --git a/python/samba/gp_cert_auto_enroll_ext.py b/python/samba/gp_cert_auto_enroll_ext.py
index 99465ef01c0..60927709eaa 100644
--- a/python/samba/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp_cert_auto_enroll_ext.py
@@ -85,8 +85,8 @@ def get_supported_templates(server, logger):
                        stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         if p.returncode != 0:
-            logger.warn('Failed to fetch the list of supported templates:' +
-                        '\n%s' % err)
+            logger.warn('Failed to fetch the list of supported templates.')
+            logger.debug(err.decode())
         return out.strip().split()
     return []
 
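
Review bot: err.decode() in the returncode != 0 branch of get_supported_templates uses strict UTF-8 decoding, so a helper that writes localized or binary output to stderr would turn a logged failure into a UnicodeDecodeError raised from the error path. Consider err.decode(errors='replace'). The warn line also no longer carries any detail, so at the default log level an operator learns only that the fetch failed; including a short first line of stderr in the warning would help.
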
@@ -120,6 +120,11 @@ def cert_enroll(ca, trust_dir, private_dir, logger):
                             ' admin trust anchors.' +
                             ' The directory %s was not found' % \
                                                         global_trust_dir)
+            except FileExistsError:
+                # If we're simply downloading a renewed cert, the symlink
+                # already exists. Ignore the FileExistsError. Preserve the
+                # existing symlink in the unapply data.
+                data['files'].append(dst)
     else:
         logger.warn('sscep is not installed, which prevents the installation' +
                     ' of the root certificate chain.')
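
Review bot: the new except FileExistsError branch in cert_enroll appends dst to data['files'] without checking what already sits at that path. The comment assumes it is the symlink from an earlier enrollment, but a regular file or a symlink pointing elsewhere raises the same exception and would then be recorded in the unapply data as ours. Suggest confirming os.path.islink(dst) and that os.readlink(dst) matches the intended source before appending, and logging a warning otherwise.
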
@@ -130,8 +135,13 @@ def cert_enroll(ca, trust_dir, private_dir, logger):
     getcert = which('getcert')
     cepces_submit = find_cepces_submit()
     if getcert is not None and os.path.exists(cepces_submit):
-        Popen([getcert, 'add-ca', '-c', ca['cn'][0], '-e',
-               '%s --server=%s' % (cepces_submit, ca['dNSHostName'][0])]).wait()
+        p = Popen([getcert, 'add-ca', '-c', ca['cn'][0], '-e',
+                  '%s --server=%s' % (cepces_submit, ca['dNSHostName'][0])],
+                  stdout=PIPE, stderr=PIPE)
+        out, err = p.communicate()
+        logger.debug(out.decode())
+        if p.returncode != 0:
+            logger.debug(err.decode())
         supported_templates = get_supported_templates(ca['dNSHostName'][0],
                                                       logger)
         for template, attrs in ca['certificateTemplates'].items():
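
Review bot: after getcert add-ca, a non-zero p.returncode is written only to logger.debug, so the benign 'already exists' case and a real failure to register the CA look the same, and both are invisible at the default log level. The code then continues to get_supported_templates regardless. Suggest matching the expected 'already exists' output explicitly and logging anything else with logger.warn.
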
@@ -140,10 +150,15 @@ def cert_enroll(ca, trust_dir, private_dir, logger):
             nickname = '%s.%s' % (ca['cn'][0], template.decode())
             keyfile = os.path.join(private_dir, '%s.key' % nickname)
             certfile = os.path.join(trust_dir, '%s.crt' % nickname)
-            Popen([getcert, 'request', '-c', ca['cn'][0],
-                   '-T', template.decode(),
-                   '-I', nickname, '-k', keyfile, '-f', certfile,
-                   '-g', attrs['msPKI-Minimal-Key-Size'][0]]).wait()
+            p = Popen([getcert, 'request', '-c', ca['cn'][0],
+                       '-T', template.decode(),
+                       '-I', nickname, '-k', keyfile, '-f', certfile,
+                       '-g', attrs['msPKI-Minimal-Key-Size'][0]],
+                       stdout=PIPE, stderr=PIPE)
+            out, err = p.communicate()
+            logger.debug(out.decode())
+            if p.returncode != 0:
+                logger.debug(err.decode())
             data['files'].extend([keyfile, certfile])
             data['templates'].append(nickname)
         if update is not None:
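
Review bot: when getcert request exits non-zero the error goes to logger.debug, yet the following lines still add keyfile and certfile to data['files'] and nickname to data['templates'], so a request that failed is recorded as applied. Suggest skipping the bookkeeping with continue when the failure is not the 'already exists' case, or at least logging it at warn level.
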
diff --git a/python/samba/gp_scripts_ext.py b/python/samba/gp_scripts_ext.py
index 80e2262019d..33049ff6dc0 100644
--- a/python/samba/gp_scripts_ext.py
+++ b/python/samba/gp_scripts_ext.py
@@ -15,8 +15,10 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os, re
-from samba.gpclass import gp_pol_ext
+from subprocess import Popen, PIPE
+from samba.gpclass import gp_pol_ext, drop_privileges
 from base64 import b64encode
+from hashlib import blake2b
 from tempfile import NamedTemporaryFile
 
 intro = '''
@@ -28,6 +30,9 @@ intro = '''
 # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
 #
 
+'''
+end = '''
+### autogenerated by samba ###
 '''
 
 class gp_scripts_ext(gp_pol_ext):
@@ -73,9 +78,9 @@ class gp_scripts_ext(gp_pol_ext):
                                 self.gp_db.store(str(self), attribute, f.name)
                         self.gp_db.commit()
 
-    def rsop(self, gpo):
+    def rsop(self, gpo, target='MACHINE'):
         output = {}
-        pol_file = 'MACHINE/Registry.pol'
+        pol_file = '%s/Registry.pol' % target
         if gpo.file_sys_path:
             path = os.path.join(gpo.file_sys_path, pol_file)
             pol_conf = self.parse(path)
@@ -88,3 +93,80 @@ class gp_scripts_ext(gp_pol_ext):
                         output[key] = []
                     output[key].append(e.data)
         return output
+
+def fetch_crontab(username):
+    p = Popen(['crontab', '-l', '-u', username], stdout=PIPE, stderr=PIPE)
+    out, err = p.communicate()
+    if p.returncode != 0:
+        raise RuntimeError('Failed to read the crontab: %s' % err)
+    m = re.findall('%s(.*)%s' % (intro, end), out.decode(), re.DOTALL)
+    if len(m) == 1:
+        entries = m[0].strip().split('\n')
+    else:
+        entries = []
+    m = re.findall('(.*)%s.*%s(.*)' % (intro, end), out.decode(), re.DOTALL)
+    if len(m) == 1:
+        others = '\n'.join([l.strip() for l in m[0]])
+    else:
+        others = out.decode()
+    return others, entries
+
+def install_crontab(fname, username):
+    p = Popen(['crontab', fname, '-u', username], stdout=PIPE, stderr=PIPE)
+    _, err = p.communicate()
+    if p.returncode != 0:
+        raise RuntimeError('Failed to install crontab: %s' % err)
+
+class gp_user_scripts_ext(gp_scripts_ext):
+    def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
+        for guid, settings in deleted_gpo_list:
+            self.gp_db.set_guid(guid)
+            if str(self) in settings:
+                others, entries = fetch_crontab(self.username)
+                for attribute, entry in settings[str(self)].items():
+                    if entry in entries:
+                        entries.remove(entry)
+                    self.gp_db.delete(str(self), attribute)
+                with NamedTemporaryFile() as f:
+                    if len(entries) > 0:
+                        f.write('\n'.join([others, intro,
+                                   '\n'.join(entries), end]).encode())
+                    else:
+                        f.write(others.encode())
+                    f.flush()
+                    install_crontab(f.name, self.username)
+            self.gp_db.commit()
+
+        for gpo in changed_gpo_list:
+            if gpo.file_sys_path:
+                reg_key = 'Software\\Policies\\Samba\\Unix Settings'
+                sections = { '%s\\Daily Scripts' % reg_key : '@daily',
+                             '%s\\Monthly Scripts' % reg_key : '@monthly',
+                             '%s\\Weekly Scripts' % reg_key : '@weekly',
+                             '%s\\Hourly Scripts' % reg_key : '@hourly' }
+                self.gp_db.set_guid(gpo.name)
+                pol_file = 'USER/Registry.pol'
+                path = os.path.join(gpo.file_sys_path, pol_file)
+                pol_conf = drop_privileges('root', self.parse, path)
+                if not pol_conf:
+                    continue
+                for e in pol_conf.entries:
+                    if e.keyname in sections.keys() and e.data.strip():
+                        cron_freq = sections[e.keyname]
+                        attribute = '%s:%s' % (e.keyname,
+                                blake2b(e.data.encode()).hexdigest())
+                        old_val = self.gp_db.retrieve(str(self), attribute)
+                        entry = '%s %s' % (cron_freq, e.data)
+                        others, entries = fetch_crontab(self.username)
+                        if not old_val or entry not in entries:
+                            entries.append(entry)
+                            with NamedTemporaryFile() as f:
+                                f.write('\n'.join([others, intro,
+                                           '\n'.join(entries), end]).encode())
+                                f.flush()
+                                install_crontab(f.name, self.username)
+                            self.gp_db.store(str(self), attribute, entry)
+                        self.gp_db.commit()
+
+    def rsop(self, gpo):
+        return super().rsop(gpo, target='USER')
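
Review bot: fetch_crontab builds its patterns with '%s(.*)%s' % (intro, end), which puts the marker text into the regular expression unescaped. The intro block contains '.' characters (for example in 'DO NOT MODIFY THIS FILE DIRECTLY.'), and any later edit to the markers that adds '(' or '*' would change what is matched. Wrap both in re.escape(). Two further points in the same hunk: the RuntimeError messages format err as bytes, which is the readability problem the cepces-submit commit in this push fixes elsewhere, and e.data is written into the crontab as '%s %s' % (cron_freq, e.data) without rejecting embedded newlines. A value containing a newline becomes several crontab lines, the later 'entry not in entries' test never matches it, and the entry is appended again on every run.
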
diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
index 17d7d0c9243..1b8f825e47b 100644
--- a/python/samba/gpclass.py
+++ b/python/samba/gpclass.py
@@ -19,6 +19,7 @@ import sys
 import os, shutil
 import errno
 import tdb
+import pwd
 sys.path.insert(0, "bin/python")
 from samba import NTSTATUSError
 from configparser import ConfigParser
@@ -294,11 +295,12 @@ class GPOStorage:
 class gp_ext(object):
     __metaclass__ = ABCMeta
 
-    def __init__(self, logger, lp, creds, store):
+    def __init__(self, logger, lp, creds, username, store):
         self.logger = logger
         self.lp = lp
         self.creds = creds
-        self.gp_db = store.get_gplog(creds.get_username())
+        self.username = username
+        self.gp_db = store.get_gplog(username)
 
     @abstractmethod
     def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
@@ -364,11 +366,12 @@ def get_dc_hostname(creds, lp):
 ''' Fetch a list of GUIDs for applicable GPOs '''
 
 
-def get_gpo_list(dc_hostname, creds, lp):
+def get_gpo_list(dc_hostname, creds, lp, username):
     gpos = []
     ads = gpo.ADS_STRUCT(dc_hostname, lp, creds)
     if ads.connect():
-        gpos = ads.get_gpo_list(creds.get_username())
+        # username is DOM\\SAM, but get_gpo_list expects SAM
+        gpos = ads.get_gpo_list(username.split('\\')[-1])
     return gpos
 
 
@@ -433,10 +436,10 @@ def gpo_version(lp, path):
     return int(gpo.gpo_get_sysvol_gpt_version(gpt_path)[1])
 
 
-def apply_gp(lp, creds, logger, store, gp_extensions, force=False):
-    gp_db = store.get_gplog(creds.get_username())
+def apply_gp(lp, creds, logger, store, gp_extensions, username, target, force=False):
+    gp_db = store.get_gplog(username)
     dc_hostname = get_dc_hostname(creds, lp)
-    gpos = get_gpo_list(dc_hostname, creds, lp)
+    gpos = get_gpo_list(dc_hostname, creds, lp, username)
     del_gpos = get_deleted_gpos_list(gp_db, gpos)
     try:
         check_refresh_gpo_list(dc_hostname, lp, creds, gpos)
@@ -464,8 +467,12 @@ def apply_gp(lp, creds, logger, store, gp_extensions, force=False):
     store.start()
     for ext in gp_extensions:
         try:
-            ext = ext(logger, lp, creds, store)
-            ext.process_group_policy(del_gpos, changed_gpos)
+            ext = ext(logger, lp, creds, username, store)
+            if target == 'Computer':
+                ext.process_group_policy(del_gpos, changed_gpos)
+            else:
+                drop_privileges(creds.get_principal(), ext.process_group_policy,
+                                del_gpos, changed_gpos)
         except Exception as e:
             logger.error('Failed to apply extension  %s' % str(ext))
             logger.error('Message was: %s: %s' % (type(e).__name__, str(e)))
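
Review bot: the user branch of apply_gp calls drop_privileges(creds.get_principal(), ...) while the matching branch in unapply_gp passes username. drop_privileges resolves its first argument with pwd.getpwnam, so the two paths look up the account under different names and can resolve differently, or fail, depending on how the name service maps them. Suggest passing username in both places. The test target == 'Computer' also sends any other value, including a misspelling, down the user path; an explicit check for the user target with an error otherwise would be safer.
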
@@ -481,16 +488,20 @@ def apply_gp(lp, creds, logger, store, gp_extensions, force=False):
     store.commit()
 
 
-def unapply_gp(lp, creds, logger, store, gp_extensions):
-    gp_db = store.get_gplog(creds.get_username())
+def unapply_gp(lp, creds, logger, store, gp_extensions, username, target):
+    gp_db = store.get_gplog(username)
     gp_db.state(GPOSTATE.UNAPPLY)
     # Treat all applied gpos as deleted
     del_gpos = gp_db.get_applied_settings(gp_db.get_applied_guids())
     store.start()
     for ext in gp_extensions:
         try:
-            ext = ext(logger, lp, creds, store)
-            ext.process_group_policy(del_gpos, [])
+            ext = ext(logger, lp, creds, username, store)
+            if target == 'Computer':
+                ext.process_group_policy(del_gpos, [])
+            else:
+                drop_privileges(username, ext.process_group_policy,
+                                del_gpos, [])
         except Exception as e:
             logger.error('Failed to unapply extension  %s' % str(ext))
             logger.error('Message was: ' + str(e))
@@ -509,9 +520,9 @@ def __rsop_vals(vals, level=4):
     else:
         return vals
 
-def rsop(lp, creds, logger, store, gp_extensions, target):
+def rsop(lp, creds, logger, store, gp_extensions, username, target):
     dc_hostname = get_dc_hostname(creds, lp)
-    gpos = get_gpo_list(dc_hostname, creds, lp)
+    gpos = get_gpo_list(dc_hostname, creds, lp, username)
     check_refresh_gpo_list(dc_hostname, lp, creds, gpos)
 
     print('Resultant Set of Policy')
@@ -523,7 +534,7 @@ def rsop(lp, creds, logger, store, gp_extensions, target):
         print('GPO: %s' % gpo.display_name)
         print('='*term_width)
         for ext in gp_extensions:
-            ext = ext(logger, lp, creds, store)
+            ext = ext(logger, lp, creds, username, store)
             cse_name_m = re.findall("'([\w\.]+)'", str(type(ext)))
             if len(cse_name_m) > 0:
                 cse_name = cse_name_m[-1].split('.')[-1]
@@ -616,3 +627,45 @@ def unregister_gp_extension(guid, smb_conf=None):
     atomic_write_conf(lp, parser)
 
     return True
+
+
+def set_privileges(username, uid, gid):
+    '''
+    Set current process privileges
+    '''
+
+    os.setegid(gid)
+    os.seteuid(uid)
+
+
+def drop_privileges(username, func, *args):
+    '''
+    Run supplied function with privileges for specified username.
+    '''
+    current_uid = os.getuid()
+
+    if not current_uid == 0:
+        raise Exception('Not enough permissions to drop privileges')
+
+    user_uid = pwd.getpwnam(username).pw_uid
+    user_gid = pwd.getpwnam(username).pw_gid
+
+    # Drop privileges
+    set_privileges(username, user_uid, user_gid)
+
+    # We need to catch exception in order to be able to restore
+    # privileges later in this function
+    out = None
+    exc = None
+    try:
+        out = func(*args)
+    except Exception as e:
+        exc = e
+
+    # Restore privileges
+    set_privileges('root', current_uid, 0)
+
+    if exc:
+        raise exc
+
+    return out
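
Review bot: drop_privileges changes only the effective gid and uid, so func still runs with root's supplementary groups, and the restore step is hard-coded to set_privileges('root', current_uid, 0) rather than the ids that were in effect on entry. The second point matters for the nested call in gp_scripts_ext.py, drop_privileges('root', self.parse, path), made from inside process_group_policy after apply_gp has already dropped to the user: when it returns, the effective uid is 0 and the rest of the extension runs as root. Suggest saving os.geteuid(), os.getegid() and os.getgroups() on entry, calling os.initgroups(username, user_gid) before setegid, and restoring all three in a finally block, which also covers exceptions that do not derive from Exception. The username parameter of set_privileges is unused, and pwd.getpwnam is called twice where one lookup would do.
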
diff --git a/python/samba/tests/bin/crontab b/python/samba/tests/bin/crontab
new file mode 100755
index 00000000000..764d5843091
--- /dev/null
+++ b/python/samba/tests/bin/crontab
@@ -0,0 +1,29 @@
+#!/usr/bin/python3
+import optparse
+import os, sys
+from shutil import copy
+
+sys.path.insert(0, "bin/python")
+
+if __name__ == "__main__":
+    parser = optparse.OptionParser('crontab <file> [options]')
+    parser.add_option('-l', action="store_true")
+    parser.add_option('-u')
+
+    (opts, args) = parser.parse_args()
+
+    # Use a dir we can write to in the testenv
+    if 'LOCAL_PATH' in os.environ:
+        data_dir = os.path.realpath(os.environ.get('LOCAL_PATH'))
+    else:
+        data_dir = os.path.dirname(os.path.realpath(__file__))
+    dump_file = os.path.join(data_dir, 'crontab.dump')
+    if opts.u:
+        assert opts.u == os.environ.get('DC_USERNAME')
+    if len(args) == 1:
+        assert os.path.exists(args[0])
+        copy(args[0], dump_file)
+    elif opts.l:
+        if os.path.exists(dump_file):
+            with open(dump_file, 'r') as r:
+                print(r.read())
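
Review bot: in the -l branch the stub prints nothing and exits 0 when crontab.dump does not exist, whereas cron implementations such as cronie report 'no crontab for <user>' and exit non-zero in that case. fetch_crontab raises RuntimeError on any non-zero return code, so the first policy application for a user with no crontab is a path these tests cannot reach. Suggest having the stub exit 1 with that message when the dump file is missing, and treating that case in fetch_crontab as an empty crontab.
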
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index b5dc09543ad..6fdf9664f48 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -24,8 +24,11 @@ from samba.gpclass import check_refresh_gpo_list, check_safe_path, \
     check_guid, parse_gpext_conf, atomic_write_conf, get_deleted_gpos_list
 from subprocess import Popen, PIPE
 from tempfile import NamedTemporaryFile, TemporaryDirectory
+from samba import gpclass
+# Disable privilege dropping for testing
+gpclass.drop_privileges = lambda _, func, *args : func(*args)
 from samba.gp_sec_ext import gp_krb_ext, gp_access_ext
-from samba.gp_scripts_ext import gp_scripts_ext
+from samba.gp_scripts_ext import gp_scripts_ext, gp_user_scripts_ext
 from samba.gp_sudoers_ext import gp_sudoers_ext
 from samba.vgp_sudoers_ext import vgp_sudoers_ext
 from samba.vgp_symlink_ext import vgp_symlink_ext
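
Review bot: gpclass.drop_privileges is replaced at import time for the whole process, and the patch depends on sitting above the samba.gp_scripts_ext import, because that module binds the name with 'from samba.gpclass import gp_pol_ext, drop_privileges'. If another test module imports gp_scripts_ext first, the real function stays bound there and the stub is not used. Suggest patching both samba.gpclass.drop_privileges and samba.gp_scripts_ext.drop_privileges with unittest.mock.patch in setUp so the override is scoped and independent of import order, and noting in the comment that the real privilege-switching code has no test coverage.
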
@@ -478,7 +481,8 @@ class GPOTests(tests.TestCase):
         machine_creds.set_machine_account()
 
         # Initialize the group policy extension
-        ext = gp_krb_ext(logger, self.lp, machine_creds, store)
+        ext = gp_krb_ext(logger, self.lp, machine_creds,
+                         machine_creds.get_username(), store)
 
         ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
         if ads.connect():
@@ -532,7 +536,8 @@ class GPOTests(tests.TestCase):
         machine_creds.set_machine_account()
 
         # Initialize the group policy extension
-        ext = gp_scripts_ext(logger, self.lp, machine_creds, store)
+        ext = gp_scripts_ext(logger, self.lp, machine_creds,
+                             machine_creds.get_username(), store)
 
         ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
         if ads.connect():
@@ -590,7 +595,8 @@ class GPOTests(tests.TestCase):
         machine_creds.set_machine_account()
 
         # Initialize the group policy extension
-        ext = gp_sudoers_ext(logger, self.lp, machine_creds, store)
+        ext = gp_sudoers_ext(logger, self.lp, machine_creds,
+                             machine_creds.get_username(), store)
 
         ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
         if ads.connect():
@@ -641,7 +647,8 @@ class GPOTests(tests.TestCase):
         machine_creds.set_machine_account()
 
         # Initialize the group policy extension
-        ext = vgp_sudoers_ext(logger, self.lp, machine_creds, store)
+        ext = vgp_sudoers_ext(logger, self.lp, machine_creds,
+                              machine_creds.get_username(), store)
 
         ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
         if ads.connect():
@@ -734,7 +741,8 @@ class GPOTests(tests.TestCase):
         machine_creds.guess(self.lp)
         machine_creds.set_machine_account()
 
-        ext = gp_inf_ext(logger, self.lp, machine_creds, store)
+        ext = gp_inf_ext(logger, self.lp, machine_creds,
+                         machine_creds.get_username(), store)
         test_data = '[Kerberos Policy]\nMaxTicketAge = 99\n'
 
         with NamedTemporaryFile() as f:
@@ -819,7 +827,8 @@ class GPOTests(tests.TestCase):
             self.assertTrue(ret, 'Could not create the target %s' %
                                  (reg_pol % g.name))
             for ext in gp_extensions:
-                ext = ext(logger, self.lp, machine_creds, store)
+                ext = ext(logger, self.lp, machine_creds,
+                          machine_creds.get_username(), store)
                 ret = ext.rsop(g)
                 self.assertEquals(len(ret.keys()), 1,
                                   'A single policy should have been displayed')
@@ -918,7 +927,8 @@ class GPOTests(tests.TestCase):
         remove = []
         with TemporaryDirectory() as dname:
             for ext in gp_extensions:
-                ext = ext(logger, self.lp, machine_creds, store)
+                ext = ext(logger, self.lp, machine_creds,


-- 
Samba Shared Repository


