[PATCH 1/3] provision: make gpo related function more reusable for upgradeprovision

Matthieu Patou mat at matws.net
Tue Feb 23 09:11:58 MST 2010


---
 source4/scripting/python/samba/provision.py |   56 ++++++++++++++------------
 1 files changed, 30 insertions(+), 26 deletions(-)

diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 1d5e61c..862aea5 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -36,6 +36,7 @@ import param
 import registry
 import urllib
 import shutil
+import string
 
 import ldb
 
@@ -811,25 +812,26 @@ def setup_self_join(samdb, names,
               "NTDSGUID": names.ntdsguid,
               "DNSPASS_B64": b64encode(dnspass),
               })
+def getpolicypath(sysvolpath,dnsdomain,guid):
+    if string.find(guid,"{",0,1) == -1:
+        guid = "{%s}"%guid
+    policy_path = os.path.join(sysvolpath, dnsdomain, "Policies",  guid )
+    return policy_path
 
-
-def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid):
-    policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
-                               "{" + policyguid + "}")
+def create_gpo_struct(policy_path):
     os.makedirs(policy_path, 0755)
     open(os.path.join(policy_path, "GPT.INI"), 'w').write(
                       "[General]\r\nVersion=65543")
     os.makedirs(os.path.join(policy_path, "MACHINE"), 0755)
     os.makedirs(os.path.join(policy_path, "USER"), 0755)
 
-    policy_path_dc = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
-                                  "{" + policyguid_dc + "}")
-    os.makedirs(policy_path_dc, 0755)
-    open(os.path.join(policy_path_dc, "GPT.INI"), 'w').write(
-                      "[General]\r\nVersion=2")
-    os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755)
-    os.makedirs(os.path.join(policy_path_dc, "USER"), 0755)
+def setup_gpo(sysvolpath,dnsdomain,policyguid,policyguid_dc):
+
+    policy_path = getpolicypath(sysvolpath,dnsdomain,policyguid)
+    create_gpo_struct(policy_path)
 
+    policy_path = getpolicypath(sysvolpath,dnsdomain,policyguid_dc)
+    create_gpo_struct(policy_path)
 
 def setup_samdb(path, setup_path, session_info, provision_backend, lp, 
                 names, message, 
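Review bot: `getpolicypath` decides whether to wrap the GUID in braces with `string.find(guid,"{",0,1) == -1`, the module-function form that the `string` module only keeps for compatibility; `if not guid.startswith("{"):` reads the same and makes the new `import string` in the first hunk unnecessary. The helper also accepts any string as `guid` and joins it straight into the sysvol path, and the later hunk feeds it `str(policy["cn"])` read back from the directory, so a short docstring stating that the caller passes a GUID with or without braces (and a check that the value actually looks like one) would make it safer to reuse from upgradeprovision. In `create_gpo_struct` the `open(...).write(...)` on GPT.INI never closes the handle explicitly; binding it and calling `close()` avoids relying on refcount finalisation. There is also no blank line between the closing `})` of `setup_self_join` and the new `def getpolicypath`, while the rest of the file separates top-level defs with two.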
@@ -1040,7 +1042,7 @@ FILL_DRS = "DRS"
 SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
 POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
 
-def set_gpo_acl(path,acl,lp,domsid):
+def set_dir_acl(path,acl,lp,domsid):
 	setntacl(lp,path,acl,domsid)
 	for root, dirs, files in os.walk(path, topdown=False):
 		for name in files:
@@ -1048,7 +1050,19 @@ def set_gpo_acl(path,acl,lp,domsid):
 		for name in dirs:
 			setntacl(lp,os.path.join(root, name),acl,domsid)
 
-def setsysvolacl(samdb,names,netlogon,sysvol,gid,domainsid,lp):
+def set_gpo_acl(sysvol,dnsdomain,domainsid,domaindn,samdb,lp):
+	# Set ACL for GPO
+	policy_path = os.path.join(sysvol, dnsdomain, "Policies")
+	set_dir_acl(policy_path,dsacl2fsacl(POLICIES_ACL,str(domainsid)),lp,str(domainsid))
+	res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),
+						attrs=["cn","nTSecurityDescriptor"],
+						expression="", scope=ldb.SCOPE_ONELEVEL)
+	for policy in res:
+		acl = ndr_unpack(security.descriptor,str(policy["nTSecurityDescriptor"])).as_sddl()
+		policy_path = getpolicypath(sysvol,dnsdomain,str(policy["cn"]))
+		set_dir_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid))
+
+def setsysvolacl(samdb,netlogon,sysvol,gid,domainsid,dnsdomain,domaindn,lp):
 	canchown = 1
 	try:
 		os.chown(sysvol,-1,gid)
@@ -1065,18 +1079,8 @@ def setsysvolacl(samdb,names,netlogon,sysvol,gid,domainsid,lp):
 			if canchown:
 				os.chown(os.path.join(root, name),-1,gid)
 			setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
+	set_gpo_acl(sysvol,dnsdomain,domainsid,domaindn,samdb,lp)
 
-	# Set ACL for GPO
-	policy_path = os.path.join(sysvol, names.dnsdomain, "Policies")
-	set_gpo_acl(policy_path,dsacl2fsacl(POLICIES_ACL,str(domainsid)),lp,str(domainsid))
-	res = samdb.search(base="CN=Policies,CN=System,%s"%(names.domaindn),
-						attrs=["cn","nTSecurityDescriptor"],
-						expression="", scope=ldb.SCOPE_ONELEVEL)
-	for policy in res:
-		acl = ndr_unpack(security.descriptor,str(policy["nTSecurityDescriptor"])).as_sddl()
-		policy_path = os.path.join(sysvol, names.dnsdomain, "Policies",
-									 str(policy["cn"]))
-		set_gpo_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid))
 
 
 
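Review bot: `set_gpo_acl` calls `set_dir_acl` on `getpolicypath(sysvol,dnsdomain,str(policy["cn"]))` for every object under CN=Policies without checking that the directory exists, so a policy object whose sysvol folder is missing will presumably make `setntacl` fail on a nonexistent path; given the stated goal of reusing this from upgradeprovision, a guard such as `if not os.path.isdir(policy_path): continue` (ideally with a message naming the missing folder) before the ACL call seems needed. The name `set_gpo_acl` is also being reused for a function with a different signature while the old body moved to `set_dir_acl`, which gives any external caller of the old name a confusing TypeError rather than a NameError; a fresh name would be clearer. The parameter order `(sysvol,dnsdomain,domainsid,domaindn,samdb,lp)` does not match `setsysvolacl(samdb,netlogon,sysvol,gid,domainsid,dnsdomain,domaindn,lp)`, which passes them straight through; aligning the two would reduce call-site mistakes. Neither new function has a docstring; one line on `set_gpo_acl` noting that it derives each policy folder's filesystem ACL from that object's nTSecurityDescriptor via dsacl2fsacl would help. `setsysvolacl` continues past the end of this hunk.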
@@ -1330,8 +1334,8 @@ def provision(setup_dir, message, session_info,
 
         if serverrole == "domain controller":
             # Set up group policies (domain policy and domain controller policy)
-            setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid)
-            setsysvolacl(samdb,names,paths.netlogon,paths.sysvol,wheel_gid,domainsid,lp)
+            setup_gpo(paths.sysvol,names.dnsdomain,policyguid,policyguid_dc)
+            setsysvolacl(samdb,paths.netlogon,paths.sysvol,wheel_gid,domainsid,names.dnsdomain,names.domaindn,lp)
 
         message("Setting up sam.ldb rootDSE marking as synchronized")
         setup_modify_ldif(samdb, setup_path("provision_rootdse_modify.ldif"))
-- 
1.6.3.3

