[PATCH 06/18] s4: Set acls correctly on all sysvol and scripts shares

Matthieu Patou mat at matws.net
Sun Nov 22 10:50:30 MST 2009


---
 source4/scripting/python/samba/provision.py |   71 +++++++++++++++++----------
 source4/setup/provision                     |    9 +++-
 2 files changed, 52 insertions(+), 28 deletions(-)

diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 14ca2d1..0da494d 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -828,16 +828,8 @@ def setup_self_join(samdb, names,
               "DNSPASS_B64": b64encode(dnspass),
               })
 
-def set_gpo_acl(path,acl,setfileacl):
-	if setfileacl:	
-		setntacl(path,acl)
-		for root, dirs, files in os.walk(path, topdown=False):
-			for name in files:
-	 			setntacl(os.path.join(root, name),acl)
-			for name in dirs:
-	 			setntacl(os.path.join(root, name),acl)
-
-def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid,setfileacl):
+
+def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid):
     policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
                                "{" + policyguid + "}")
     os.makedirs(policy_path, 0755)
@@ -853,20 +845,6 @@ def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid,setfileacl):
                       "[General]\r\nVersion=2")
     os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755)
     os.makedirs(os.path.join(policy_path_dc, "USER"), 0755)
-# call setntacl ...
-    res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s"%(policyguid,names.domaindn),
-                                attrs=["nTSecurityDescriptor"],
-                                expression="", scope=SCOPE_BASE)
-    assert(len(res) > 0)
-    acl = ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
-    set_gpo_acl(policy_path_dc,dsacl2fsacl(acl),setfileacl)
-
-    res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s"%(policyguid_dc,names.domaindn),
-                                attrs=["nTSecurityDescriptor"],
-                                expression="", scope=SCOPE_BASE)
-    assert(len(res) > 0)
-    acl = ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
-    set_gpo_acl(policy_path,dsacl2fsacl(acl),setfileacl)
 
 
 def setup_samdb(path, setup_path, session_info, provision_backend, lp, 
@@ -1075,6 +1053,43 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
 FILL_FULL = "FULL"
 FILL_NT4SYNC = "NT4SYNC"
 FILL_DRS = "DRS"
+SYSVOL_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
+POLICIES_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;${DOMAINSID}-520)"
+
+def set_gpo_acl(path,acl):
+	setntacl(path,acl)
+	for root, dirs, files in os.walk(path, topdown=False):
+		for name in files:
+			setntacl(os.path.join(root, name),acl)
+		for name in dirs:
+			setntacl(os.path.join(root, name),acl)
+
+def setdiracl(samdb,names,netlogon,sysvol,gid,domainsid):
+	acl = SYSVOL_ACL.replace("${DOMAINSID}",str(domainsid))
+	os.chown(sysvol,-1,gid)
+	setntacl(sysvol,acl)
+	for root, dirs, files in os.walk(sysvol, topdown=False):
+		for name in files:
+			os.chown(os.path.join(root, name),-1,gid)
+			setntacl(os.path.join(root, name),acl)
+		for name in dirs:
+			os.chown(os.path.join(root, name),-1,gid)
+			setntacl(os.path.join(root, name),acl)
+
+	# Set ACL for GPO
+	policy_path = os.path.join(sysvol, names.dnsdomain, "Policies")
+	acl = POLICIES_ACL.replace("${DOMAINSID}",str(domainsid))
+	set_gpo_acl(policy_path,dsacl2fsacl(acl))
+	res = samdb.search(base="CN=Policies,CN=System,%s"%(names.domaindn),
+						attrs=["cn","nTSecurityDescriptor"],
+						expression="", scope=SCOPE_ONELEVEL)
+	security.dom_sid("S-1-5-21-1")
+	for policy in res:
+		acl = ndr_unpack(security.descriptor,str(policy["nTSecurityDescriptor"])).as_sddl()
+		policy_path = os.path.join(sysvol, names.dnsdomain, "Policies",
+									 str(policy["cn"]))
+		set_gpo_acl(policy_path,dsacl2fsacl(acl))
+
 
 
 def provision(setup_dir, message, session_info, 
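Review bot: `security.dom_sid("S-1-5-21-1")` on its own line in setdiracl constructs a SID and discards it; the removed code passed that SID to `as_sddl(...)`, so either the line should be deleted or the result passed again as `acl = ndr_unpack(security.descriptor, str(policy["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))` — which is right depends on whether as_sddl still needs a domain SID here, which the hunk does not show. The `netlogon` parameter of setdiracl is never used in the body, so if the netlogon path lies outside sysvol it receives neither the chown nor the NT ACL this commit is meant to apply. The chown-plus-setntacl walk over sysvol repeats the walk in set_gpo_acl; the body could call `set_gpo_acl(sysvol, acl)` for the ACL part and keep only the chown loop. Both new functions are indented with tabs while the surrounding provision.py code uses four spaces, which makes the file hard to edit consistently.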
@@ -1292,8 +1307,6 @@ def provision(setup_dir, message, session_info,
                     (paths.smbconf, setup_path("provision.smb.conf.dc")))
             assert(paths.sysvol is not None)            
             
-        # Set up group policies (domain policy and domain controller policy)
-        setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid,setfileacl)
 
         if not os.path.isdir(paths.netlogon):
             os.makedirs(paths.netlogon, 0755)
@@ -1303,6 +1316,12 @@ def provision(setup_dir, message, session_info,
                             root_uid=root_uid, nobody_uid=nobody_uid,
                             users_gid=users_gid, wheel_gid=wheel_gid)
 
+        setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid)
+
+        if setfileacl:
+            setdiracl(samdb,names,paths.netlogon,paths.sysvol,wheel_gid,domainsid)
+        # Set up group policies (domain policy and domain controller policy)
+
         message("Setting up sam.ldb rootDSE marking as synchronized")
         setup_modify_ldif(samdb, setup_path("provision_rootdse_modify.ldif"))
 
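Review bot: The comment `# Set up group policies (domain policy and domain controller policy)` now sits below the `setup_gpo(...)` call and the `setfileacl` block instead of above them, so it describes nothing; move it to precede `setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid)`. The order of the new block appears to matter: setdiracl walks sysvol and the policy directories that setup_gpo creates with os.makedirs, which is presumably why the call moved after the netlogon setup; a one-line comment such as `# ACLs must be applied after setup_gpo has created the policy directories` would keep a future reorder from silently skipping them. provision's body continues outside the hunk.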
diff --git a/source4/setup/provision b/source4/setup/provision
index ada976b..1165eda 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -110,7 +110,7 @@ parser.add_option("--slapd-path", type="string", metavar="SLAPD-PATH",
 parser.add_option("--setup-ds-path", type="string", metavar="SETUP_DS-PATH", 
 		help="Path to setup-ds.pl script for Fedora DS LDAP backend [e.g.:'/usr/sbin/setup-ds.pl']. Required for Setup with Fedora DS backend.") 
 parser.add_option("--nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true")
-parser.add_option("--setfileacl", help="Set NT ACL on files", action="store_true")
+parser.add_option("--nosetfileacl", help="Do not set NT ACL on files (set by default)", action="store_true")
 parser.add_option("--ldap-dryrun-mode", help="Configure LDAP backend, but do not run any binaries and exit early.  Used only for the test environment.  DO NOT USE", action="store_true")
 
 opts = parser.parse_args()[0]
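Review bot: `--nosetfileacl` is declared with `action="store_true"` and then inverted by hand in the later `@@ -202,6 +202,11 @@` hunk (`setfileacl = True` / `if opts.nosetfileacl: setfileacl = False`); optparse can express the default directly, `parser.add_option("--nosetfileacl", help="Do not set NT ACL on files (set by default)", action="store_false", dest="setfileacl", default=True)`, after which the final hunk can pass `setfileacl=opts.setfileacl` and the five added lines go away. That later hunk's `if` body is also indented with a tab while the neighbouring lines of this script use four spaces.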
@@ -202,6 +202,11 @@ if opts.blank:
 elif opts.partitions_only:
     samdb_fill = FILL_DRS
 
+setfileacl = True
+
+if opts.nosetfileacl:
+	setfileacl = False
+
 session = system_session()
 provision(setup_dir, message, 
           session, creds, smbconf=smbconf, targetdir=opts.targetdir,
@@ -220,4 +225,4 @@ provision(setup_dir, message,
           backend_type=opts.ldap_backend_type,
           ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
           slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path,
-          nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode,setfileacl=opts.setfileacl)
+          nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode,setfileacl=setfileacl)
-- 
1.6.3.3


--------------080603070205020905060303
Content-Type: text/x-patch;
 name="0007-s4-ntvfs-create-push_xattr_blob_tdb_raw-and-pull_xat.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename*0="0007-s4-ntvfs-create-push_xattr_blob_tdb_raw-and-pull_xat.pa";
 filename*1="tch"


