[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Fri Aug 13 20:07:01 UTC 2021
The branch, master has been updated
via 0f26dbe0d09 gpo: Print getcert message to debug
via e3a956e075b gpo: Decode the bytes for cepces-submit failure
via 7a04052dad4 gpo: Ignore symlink failure on sscep renew
via 80e3daed120 gpo: Apply Group Policy User Scripts
via f04431b1d24 gpo: Test Group Policy User Scripts
via cd63893d4e7 gpo: Enable Scripts ADMX for User Policy
via 6d676cac41d gpo: Enable user policy application
from 1641e6c528e libreplace: remove now unused USE_COPY_FILE_RANGE define
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 0f26dbe0d0907e16a2c1b10c620a9db5b1b6b4ab
Author: David Mulder <dmulder at suse.com>
Date: Fri Jul 23 09:28:21 2021 -0600
gpo: Print getcert message to debug
Otherwise re-running gpupdate to enforce policy
displays 'already exists' messages, which
confusingly appear to be a failure, but are
actually intentional behavior.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Aug 13 20:06:31 UTC 2021 on sn-devel-184
commit e3a956e075b6030534463689b820eb037aeed4f3
Author: David Mulder <dmulder at suse.com>
Date: Thu Jul 22 10:37:41 2021 -0600
gpo: Decode the bytes for cepces-submit failure
When displaying the error from cepces-submit,
make sure to decode the bytes (otherwise it is
hard to read). Also print the error to debug
instead of warn (it may dump a traceback).
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7a04052dad4b52a20d47805a41b892bb4fecb433
Author: David Mulder <dmulder at suse.com>
Date: Thu Jul 22 10:16:42 2021 -0600
gpo: Ignore symlink failure on sscep renew
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 80e3daed120b5ed71ffd58427e5d8910b6bdb3a1
Author: David Mulder <dmulder at suse.com>
Date: Tue Jul 20 11:14:28 2021 -0600
gpo: Apply Group Policy User Scripts
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f04431b1d24d83dea700a2443c4a3600d623dfd4
Author: David Mulder <dmulder at suse.com>
Date: Tue Jul 20 11:13:21 2021 -0600
gpo: Test Group Policy User Scripts
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit cd63893d4e773cef8a32d75e8177c6af3f6367d6
Author: David Mulder <dmulder at suse.com>
Date: Tue Jul 20 13:48:42 2021 -0600
gpo: Enable Scripts ADMX for User Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6d676cac41d0f84d5396a67bd445ef8cfd4b8e0c
Author: David Mulder <dmulder at suse.com>
Date: Tue Jul 20 09:13:06 2021 -0600
gpo: Enable user policy application
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libgpo/admx/samba.admx | 8 +--
python/samba/gp_cert_auto_enroll_ext.py | 31 ++++++---
python/samba/gp_scripts_ext.py | 88 ++++++++++++++++++++++-
python/samba/gpclass.py | 85 +++++++++++++++++-----
python/samba/tests/bin/crontab | 29 ++++++++
python/samba/tests/gpo.py | 120 +++++++++++++++++++++++++++-----
python/samba/tests/gpo_member.py | 3 +-
source4/scripting/bin/samba-gpupdate | 21 ++++--
8 files changed, 330 insertions(+), 55 deletions(-)
create mode 100755 python/samba/tests/bin/crontab
Changeset truncated at 500 lines:
diff --git a/libgpo/admx/samba.admx b/libgpo/admx/samba.admx
index ee2816c2b31..d09956d5394 100755
--- a/libgpo/admx/samba.admx
+++ b/libgpo/admx/samba.admx
@@ -22,28 +22,28 @@
</category>
</categories>
<policies>
- <policy name="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061" class="Machine" displayName="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" explainText="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help)" presentation="$(presentation.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" key="Software\Policies\Samba\Unix Settings">
+ <policy name="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061" class="Both" displayName="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" explainText="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help)" presentation="$(presentation.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" key="Software\Policies\Samba\Unix Settings">
<parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
<supportedOn ref="windows:SUPPORTED_WindowsVista" />
<elements>
<list id="LST_2E9A4684_3C0E_415B_8FD6_D4AF68BC8AC6" key="Software\Policies\Samba\Unix Settings\Daily Scripts" valueName="Daily Scripts" />
</elements>
</policy>
- <policy name="POL_825D441F_905E_4C7E_9E4B_03013697C6C1" class="Machine" displayName="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" explainText="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1_Help)" presentation="$(presentation.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" key="Software\Policies\Samba\Unix Settings">
+ <policy name="POL_825D441F_905E_4C7E_9E4B_03013697C6C1" class="Both" displayName="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" explainText="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1_Help)" presentation="$(presentation.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" key="Software\Policies\Samba\Unix Settings">
<parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
<supportedOn ref="windows:SUPPORTED_WindowsVista" />
<elements>
<list id="LST_1AA93D59_6372_4F1E_90BB_D4CBBBB77238" key="Software\Policies\Samba\Unix Settings\Hourly Scripts" valueName="Hourly Scripts" />
</elements>
</policy>
- <policy name="POL_D298F3BD_44D9_426D_AF11_3163D31582F6" class="Machine" displayName="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" explainText="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help)" presentation="$(presentation.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" key="Software\Policies\Samba\Unix Settings">
+ <policy name="POL_D298F3BD_44D9_426D_AF11_3163D31582F6" class="Both" displayName="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" explainText="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help)" presentation="$(presentation.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" key="Software\Policies\Samba\Unix Settings">
<parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
<supportedOn ref="windows:SUPPORTED_WindowsVista" />
<elements>
<list id="LST_8BC6757D_B1FB_4780_83B4_F85F27BF6E60" key="Software\Policies\Samba\Unix Settings\Monthly Scripts" valueName="Monthly Scripts" />
</elements>
</policy>
- <policy name="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674" class="Machine" displayName="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" explainText="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help)" presentation="$(presentation.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" key="Software\Policies\Samba\Unix Settings">
+ <policy name="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674" class="Both" displayName="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" explainText="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help)" presentation="$(presentation.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" key="Software\Policies\Samba\Unix Settings">
<parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
<supportedOn ref="windows:SUPPORTED_WindowsVista" />
<elements>
diff --git a/python/samba/gp_cert_auto_enroll_ext.py b/python/samba/gp_cert_auto_enroll_ext.py
index 99465ef01c0..60927709eaa 100644
--- a/python/samba/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp_cert_auto_enroll_ext.py
@@ -85,8 +85,8 @@ def get_supported_templates(server, logger):
stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
if p.returncode != 0:
- logger.warn('Failed to fetch the list of supported templates:' +
- '\n%s' % err)
+ logger.warn('Failed to fetch the list of supported templates.')
+ logger.debug(err.decode())
return out.strip().split()
return []
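Review bot: err.decode() in the failure branch of get_supported_templates can itself raise UnicodeDecodeError if cepces-submit writes non-UTF-8 bytes to stderr, which turns a logged failure into an unhandled exception. Use err.decode(errors='replace') here, since the text is only going to the debug log.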
@@ -120,6 +120,11 @@ def cert_enroll(ca, trust_dir, private_dir, logger):
' admin trust anchors.' +
' The directory %s was not found' % \
global_trust_dir)
+ except FileExistsError:
+ # If we're simply downloading a renewed cert, the symlink
+ # already exists. Ignore the FileExistsError. Preserve the
+ # existing symlink in the unapply data.
+ data['files'].append(dst)
else:
logger.warn('sscep is not installed, which prevents the installation' +
' of the root certificate chain.')
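Review bot: the new except FileExistsError branch appends dst to data['files'] without checking what already sits at dst. If the existing entry is not the symlink created by an earlier run (a regular file, or a link to a different target), it is still recorded in the unapply data as if this policy owned it. Check os.path.islink(dst) and compare os.readlink(dst) with the expected target before appending, and log a warning when they do not match.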
@@ -130,8 +135,13 @@ def cert_enroll(ca, trust_dir, private_dir, logger):
getcert = which('getcert')
cepces_submit = find_cepces_submit()
if getcert is not None and os.path.exists(cepces_submit):
- Popen([getcert, 'add-ca', '-c', ca['cn'][0], '-e',
- '%s --server=%s' % (cepces_submit, ca['dNSHostName'][0])]).wait()
+ p = Popen([getcert, 'add-ca', '-c', ca['cn'][0], '-e',
+ '%s --server=%s' % (cepces_submit, ca['dNSHostName'][0])],
+ stdout=PIPE, stderr=PIPE)
+ out, err = p.communicate()
+ logger.debug(out.decode())
+ if p.returncode != 0:
+ logger.debug(err.decode())
supported_templates = get_supported_templates(ca['dNSHostName'][0],
logger)
for template, attrs in ca['certificateTemplates'].items():
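Review bot: after getcert add-ca, a non-zero return code is reported only through logger.debug(err.decode()), so any failure other than the 'already exists' case from the commit message is invisible at the default log level. Recognise the expected 'already exists' result explicitly and keep it at debug, and emit a one-line logger.warn for every other non-zero return, with the stderr text still going to debug.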
@@ -140,10 +150,15 @@ def cert_enroll(ca, trust_dir, private_dir, logger):
nickname = '%s.%s' % (ca['cn'][0], template.decode())
keyfile = os.path.join(private_dir, '%s.key' % nickname)
certfile = os.path.join(trust_dir, '%s.crt' % nickname)
- Popen([getcert, 'request', '-c', ca['cn'][0],
- '-T', template.decode(),
- '-I', nickname, '-k', keyfile, '-f', certfile,
- '-g', attrs['msPKI-Minimal-Key-Size'][0]]).wait()
+ p = Popen([getcert, 'request', '-c', ca['cn'][0],
+ '-T', template.decode(),
+ '-I', nickname, '-k', keyfile, '-f', certfile,
+ '-g', attrs['msPKI-Minimal-Key-Size'][0]],
+ stdout=PIPE, stderr=PIPE)
+ out, err = p.communicate()
+ logger.debug(out.decode())
+ if p.returncode != 0:
+ logger.debug(err.decode())
data['files'].extend([keyfile, certfile])
data['templates'].append(nickname)
if update is not None:
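Review bot: when getcert request returns non-zero, execution still reaches data['files'].extend([keyfile, certfile]) and data['templates'].append(nickname), so a request that failed is recorded as applied. Decide explicitly which non-zero results count as success (the renewal case) and skip the bookkeeping for the rest. The two decode() calls also want errors='replace' so that unexpected bytes in the getcert output cannot raise from a logging statement.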
diff --git a/python/samba/gp_scripts_ext.py b/python/samba/gp_scripts_ext.py
index 80e2262019d..33049ff6dc0 100644
--- a/python/samba/gp_scripts_ext.py
+++ b/python/samba/gp_scripts_ext.py
@@ -15,8 +15,10 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os, re
-from samba.gpclass import gp_pol_ext
+from subprocess import Popen, PIPE
+from samba.gpclass import gp_pol_ext, drop_privileges
from base64 import b64encode
+from hashlib import blake2b
from tempfile import NamedTemporaryFile
intro = '''
@@ -28,6 +30,9 @@ intro = '''
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
+'''
+end = '''
+### autogenerated by samba ###
'''
class gp_scripts_ext(gp_pol_ext):
@@ -73,9 +78,9 @@ class gp_scripts_ext(gp_pol_ext):
self.gp_db.store(str(self), attribute, f.name)
self.gp_db.commit()
- def rsop(self, gpo):
+ def rsop(self, gpo, target='MACHINE'):
output = {}
- pol_file = 'MACHINE/Registry.pol'
+ pol_file = '%s/Registry.pol' % target
if gpo.file_sys_path:
path = os.path.join(gpo.file_sys_path, pol_file)
pol_conf = self.parse(path)
@@ -88,3 +93,80 @@ class gp_scripts_ext(gp_pol_ext):
output[key] = []
output[key].append(e.data)
return output
+
+def fetch_crontab(username):
+ p = Popen(['crontab', '-l', '-u', username], stdout=PIPE, stderr=PIPE)
+ out, err = p.communicate()
+ if p.returncode != 0:
+ raise RuntimeError('Failed to read the crontab: %s' % err)
+ m = re.findall('%s(.*)%s' % (intro, end), out.decode(), re.DOTALL)
+ if len(m) == 1:
+ entries = m[0].strip().split('\n')
+ else:
+ entries = []
+ m = re.findall('(.*)%s.*%s(.*)' % (intro, end), out.decode(), re.DOTALL)
+ if len(m) == 1:
+ others = '\n'.join([l.strip() for l in m[0]])
+ else:
+ others = out.decode()
+ return others, entries
+
+def install_crontab(fname, username):
+ p = Popen(['crontab', fname, '-u', username], stdout=PIPE, stderr=PIPE)
+ _, err = p.communicate()
+ if p.returncode != 0:
+ raise RuntimeError('Failed to install crontab: %s' % err)
+
+class gp_user_scripts_ext(gp_scripts_ext):
+ def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
+ for guid, settings in deleted_gpo_list:
+ self.gp_db.set_guid(guid)
+ if str(self) in settings:
+ others, entries = fetch_crontab(self.username)
+ for attribute, entry in settings[str(self)].items():
+ if entry in entries:
+ entries.remove(entry)
+ self.gp_db.delete(str(self), attribute)
+ with NamedTemporaryFile() as f:
+ if len(entries) > 0:
+ f.write('\n'.join([others, intro,
+ '\n'.join(entries), end]).encode())
+ else:
+ f.write(others.encode())
+ f.flush()
+ install_crontab(f.name, self.username)
+ self.gp_db.commit()
+
+ for gpo in changed_gpo_list:
+ if gpo.file_sys_path:
+ reg_key = 'Software\\Policies\\Samba\\Unix Settings'
+ sections = { '%s\\Daily Scripts' % reg_key : '@daily',
+ '%s\\Monthly Scripts' % reg_key : '@monthly',
+ '%s\\Weekly Scripts' % reg_key : '@weekly',
+ '%s\\Hourly Scripts' % reg_key : '@hourly' }
+ self.gp_db.set_guid(gpo.name)
+ pol_file = 'USER/Registry.pol'
+ path = os.path.join(gpo.file_sys_path, pol_file)
+ pol_conf = drop_privileges('root', self.parse, path)
+ if not pol_conf:
+ continue
+ for e in pol_conf.entries:
+ if e.keyname in sections.keys() and e.data.strip():
+ cron_freq = sections[e.keyname]
+ attribute = '%s:%s' % (e.keyname,
+ blake2b(e.data.encode()).hexdigest())
+ old_val = self.gp_db.retrieve(str(self), attribute)
+ entry = '%s %s' % (cron_freq, e.data)
+ others, entries = fetch_crontab(self.username)
+ if not old_val or entry not in entries:
+ entries.append(entry)
+ with NamedTemporaryFile() as f:
+ f.write('\n'.join([others, intro,
+ '\n'.join(entries), end]).encode())
+ f.flush()
+ install_crontab(f.name, self.username)
+ self.gp_db.store(str(self), attribute, entry)
+ self.gp_db.commit()
+
+ def rsop(self, gpo):
+ return super().rsop(gpo, target='USER')
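Review bot: fetch_crontab raises RuntimeError on any non-zero exit from crontab -l, but common cron implementations exit non-zero when the user simply has no crontab yet, so the first policy application for such a user would fail; the test stub in python/samba/tests/bin/crontab exits 0 in that case and will not catch it. Treat the "no crontab" result as an empty crontab instead of an error. Two further points in the same hunk: intro and end are interpolated into the regular expressions without re.escape(), so the match depends on the marker text containing no characters that change the pattern; and e.data is written into the crontab verbatim after only a strip(), so a value with an embedded newline becomes additional crontab lines outside the intended '@daily ...' entry. Reject or split multi-line values before building entry.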
diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
index 17d7d0c9243..1b8f825e47b 100644
--- a/python/samba/gpclass.py
+++ b/python/samba/gpclass.py
@@ -19,6 +19,7 @@ import sys
import os, shutil
import errno
import tdb
+import pwd
sys.path.insert(0, "bin/python")
from samba import NTSTATUSError
from configparser import ConfigParser
@@ -294,11 +295,12 @@ class GPOStorage:
class gp_ext(object):
__metaclass__ = ABCMeta
- def __init__(self, logger, lp, creds, store):
+ def __init__(self, logger, lp, creds, username, store):
self.logger = logger
self.lp = lp
self.creds = creds
- self.gp_db = store.get_gplog(creds.get_username())
+ self.username = username
+ self.gp_db = store.get_gplog(username)
@abstractmethod
def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
@@ -364,11 +366,12 @@ def get_dc_hostname(creds, lp):
''' Fetch a list of GUIDs for applicable GPOs '''
-def get_gpo_list(dc_hostname, creds, lp):
+def get_gpo_list(dc_hostname, creds, lp, username):
gpos = []
ads = gpo.ADS_STRUCT(dc_hostname, lp, creds)
if ads.connect():
- gpos = ads.get_gpo_list(creds.get_username())
+ # username is DOM\\SAM, but get_gpo_list expects SAM
+ gpos = ads.get_gpo_list(username.split('\\')[-1])
return gpos
@@ -433,10 +436,10 @@ def gpo_version(lp, path):
return int(gpo.gpo_get_sysvol_gpt_version(gpt_path)[1])
-def apply_gp(lp, creds, logger, store, gp_extensions, force=False):
- gp_db = store.get_gplog(creds.get_username())
+def apply_gp(lp, creds, logger, store, gp_extensions, username, target, force=False):
+ gp_db = store.get_gplog(username)
dc_hostname = get_dc_hostname(creds, lp)
- gpos = get_gpo_list(dc_hostname, creds, lp)
+ gpos = get_gpo_list(dc_hostname, creds, lp, username)
del_gpos = get_deleted_gpos_list(gp_db, gpos)
try:
check_refresh_gpo_list(dc_hostname, lp, creds, gpos)
@@ -464,8 +467,12 @@ def apply_gp(lp, creds, logger, store, gp_extensions, force=False):
store.start()
for ext in gp_extensions:
try:
- ext = ext(logger, lp, creds, store)
- ext.process_group_policy(del_gpos, changed_gpos)
+ ext = ext(logger, lp, creds, username, store)
+ if target == 'Computer':
+ ext.process_group_policy(del_gpos, changed_gpos)
+ else:
+ drop_privileges(creds.get_principal(), ext.process_group_policy,
+ del_gpos, changed_gpos)
except Exception as e:
logger.error('Failed to apply extension %s' % str(ext))
logger.error('Message was: %s: %s' % (type(e).__name__, str(e)))
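Review bot: the user branch here passes creds.get_principal() to drop_privileges, while the matching branch in unapply_gp passes username. Both values end up in pwd.getpwnam() inside drop_privileges, and the two name forms need not resolve to the same account, or resolve at all. Use one value in both paths and document in drop_privileges which form it expects.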
@@ -481,16 +488,20 @@ def apply_gp(lp, creds, logger, store, gp_extensions, force=False):
store.commit()
-def unapply_gp(lp, creds, logger, store, gp_extensions):
- gp_db = store.get_gplog(creds.get_username())
+def unapply_gp(lp, creds, logger, store, gp_extensions, username, target):
+ gp_db = store.get_gplog(username)
gp_db.state(GPOSTATE.UNAPPLY)
# Treat all applied gpos as deleted
del_gpos = gp_db.get_applied_settings(gp_db.get_applied_guids())
store.start()
for ext in gp_extensions:
try:
- ext = ext(logger, lp, creds, store)
- ext.process_group_policy(del_gpos, [])
+ ext = ext(logger, lp, creds, username, store)
+ if target == 'Computer':
+ ext.process_group_policy(del_gpos, [])
+ else:
+ drop_privileges(username, ext.process_group_policy,
+ del_gpos, [])
except Exception as e:
logger.error('Failed to unapply extension %s' % str(ext))
logger.error('Message was: ' + str(e))
@@ -509,9 +520,9 @@ def __rsop_vals(vals, level=4):
else:
return vals
-def rsop(lp, creds, logger, store, gp_extensions, target):
+def rsop(lp, creds, logger, store, gp_extensions, username, target):
dc_hostname = get_dc_hostname(creds, lp)
- gpos = get_gpo_list(dc_hostname, creds, lp)
+ gpos = get_gpo_list(dc_hostname, creds, lp, username)
check_refresh_gpo_list(dc_hostname, lp, creds, gpos)
print('Resultant Set of Policy')
@@ -523,7 +534,7 @@ def rsop(lp, creds, logger, store, gp_extensions, target):
print('GPO: %s' % gpo.display_name)
print('='*term_width)
for ext in gp_extensions:
- ext = ext(logger, lp, creds, store)
+ ext = ext(logger, lp, creds, username, store)
cse_name_m = re.findall("'([\w\.]+)'", str(type(ext)))
if len(cse_name_m) > 0:
cse_name = cse_name_m[-1].split('.')[-1]
@@ -616,3 +627,45 @@ def unregister_gp_extension(guid, smb_conf=None):
atomic_write_conf(lp, parser)
return True
+
+
+def set_privileges(username, uid, gid):
+ '''
+ Set current process privileges
+ '''
+
+ os.setegid(gid)
+ os.seteuid(uid)
+
+
+def drop_privileges(username, func, *args):
+ '''
+ Run supplied function with privileges for specified username.
+ '''
+ current_uid = os.getuid()
+
+ if not current_uid == 0:
+ raise Exception('Not enough permissions to drop privileges')
+
+ user_uid = pwd.getpwnam(username).pw_uid
+ user_gid = pwd.getpwnam(username).pw_gid
+
+ # Drop privileges
+ set_privileges(username, user_uid, user_gid)
+
+ # We need to catch exception in order to be able to restore
+ # privileges later in this function
+ out = None
+ exc = None
+ try:
+ out = func(*args)
+ except Exception as e:
+ exc = e
+
+ # Restore privileges
+ set_privileges('root', current_uid, 0)
+
+ if exc:
+ raise exc
+
+ return out
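Review bot: drop_privileges restores with set_privileges('root', current_uid, 0), where current_uid is os.getuid(), rather than with the effective ids that were in force on entry. The nested call drop_privileges('root', self.parse, path) in gp_scripts_ext.py, made while the user's ids are in effect, therefore returns with euid 0 and the rest of process_group_policy runs as root. Save os.geteuid() and os.getegid() on entry and restore them in a finally block; except Exception also misses KeyboardInterrupt and SystemExit, which would leave the process at the dropped ids. Separately, only the effective uid and gid change: supplementary groups stay as root's (there is no os.setgroups() or os.initgroups() call) and the real and saved ids remain 0, which deserves a line in the docstring so callers do not treat this as a full drop. The username argument of set_privileges is unused, and pwd.getpwnam() is called twice where one lookup would do.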
diff --git a/python/samba/tests/bin/crontab b/python/samba/tests/bin/crontab
new file mode 100755
index 00000000000..764d5843091
--- /dev/null
+++ b/python/samba/tests/bin/crontab
@@ -0,0 +1,29 @@
+#!/usr/bin/python3
+import optparse
+import os, sys
+from shutil import copy
+
+sys.path.insert(0, "bin/python")
+
+if __name__ == "__main__":
+ parser = optparse.OptionParser('crontab <file> [options]')
+ parser.add_option('-l', action="store_true")
+ parser.add_option('-u')
+
+ (opts, args) = parser.parse_args()
+
+ # Use a dir we can write to in the testenv
+ if 'LOCAL_PATH' in os.environ:
+ data_dir = os.path.realpath(os.environ.get('LOCAL_PATH'))
+ else:
+ data_dir = os.path.dirname(os.path.realpath(__file__))
+ dump_file = os.path.join(data_dir, 'crontab.dump')
+ if opts.u:
+ assert opts.u == os.environ.get('DC_USERNAME')
+ if len(args) == 1:
+ assert os.path.exists(args[0])
+ copy(args[0], dump_file)
+ elif opts.l:
+ if os.path.exists(dump_file):
+ with open(dump_file, 'r') as r:
+ print(r.read())
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index b5dc09543ad..6fdf9664f48 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -24,8 +24,11 @@ from samba.gpclass import check_refresh_gpo_list, check_safe_path, \
check_guid, parse_gpext_conf, atomic_write_conf, get_deleted_gpos_list
from subprocess import Popen, PIPE
from tempfile import NamedTemporaryFile, TemporaryDirectory
+from samba import gpclass
+# Disable privilege dropping for testing
+gpclass.drop_privileges = lambda _, func, *args : func(*args)
from samba.gp_sec_ext import gp_krb_ext, gp_access_ext
-from samba.gp_scripts_ext import gp_scripts_ext
+from samba.gp_scripts_ext import gp_scripts_ext, gp_user_scripts_ext
from samba.gp_sudoers_ext import gp_sudoers_ext
from samba.vgp_sudoers_ext import vgp_sudoers_ext
from samba.vgp_symlink_ext import vgp_symlink_ext
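Review bot: the assignment gpclass.drop_privileges = lambda ... only affects code that looks the name up afterwards. gp_scripts_ext.py binds it with from samba.gpclass import gp_pol_ext, drop_privileges, so the stub takes effect only because this line precedes the import of samba.gp_scripts_ext below, and only if no other module in the same test process imported it first. Patch samba.gp_scripts_ext.drop_privileges as well, or have callers reference gpclass.drop_privileges at call time. With the stub in place the real drop_privileges has no test coverage, which is worth a follow-up test.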
@@ -478,7 +481,8 @@ class GPOTests(tests.TestCase):
machine_creds.set_machine_account()
# Initialize the group policy extension
- ext = gp_krb_ext(logger, self.lp, machine_creds, store)
+ ext = gp_krb_ext(logger, self.lp, machine_creds,
+ machine_creds.get_username(), store)
ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
if ads.connect():
@@ -532,7 +536,8 @@ class GPOTests(tests.TestCase):
machine_creds.set_machine_account()
# Initialize the group policy extension
- ext = gp_scripts_ext(logger, self.lp, machine_creds, store)
+ ext = gp_scripts_ext(logger, self.lp, machine_creds,
+ machine_creds.get_username(), store)
ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
if ads.connect():
@@ -590,7 +595,8 @@ class GPOTests(tests.TestCase):
machine_creds.set_machine_account()
# Initialize the group policy extension
- ext = gp_sudoers_ext(logger, self.lp, machine_creds, store)
+ ext = gp_sudoers_ext(logger, self.lp, machine_creds,
+ machine_creds.get_username(), store)
ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
if ads.connect():
@@ -641,7 +647,8 @@ class GPOTests(tests.TestCase):
machine_creds.set_machine_account()
# Initialize the group policy extension
- ext = vgp_sudoers_ext(logger, self.lp, machine_creds, store)
+ ext = vgp_sudoers_ext(logger, self.lp, machine_creds,
+ machine_creds.get_username(), store)
ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
if ads.connect():
@@ -734,7 +741,8 @@ class GPOTests(tests.TestCase):
machine_creds.guess(self.lp)
machine_creds.set_machine_account()
- ext = gp_inf_ext(logger, self.lp, machine_creds, store)
+ ext = gp_inf_ext(logger, self.lp, machine_creds,
+ machine_creds.get_username(), store)
test_data = '[Kerberos Policy]\nMaxTicketAge = 99\n'
with NamedTemporaryFile() as f:
@@ -819,7 +827,8 @@ class GPOTests(tests.TestCase):
self.assertTrue(ret, 'Could not create the target %s' %
(reg_pol % g.name))
for ext in gp_extensions:
- ext = ext(logger, self.lp, machine_creds, store)
+ ext = ext(logger, self.lp, machine_creds,
+ machine_creds.get_username(), store)
ret = ext.rsop(g)
self.assertEquals(len(ret.keys()), 1,
'A single policy should have been displayed')
@@ -918,7 +927,8 @@ class GPOTests(tests.TestCase):
remove = []
with TemporaryDirectory() as dname:
for ext in gp_extensions:
- ext = ext(logger, self.lp, machine_creds, store)
+ ext = ext(logger, self.lp, machine_creds,
--
Samba Shared Repository