[PATCH 5/8] gpo: create a local cifs connection to avoid case issues when searching for policies

David Mulder dmulder at suse.com
Mon Jan 30 15:17:17 UTC 2017


From: Garming Sam <garming at catalyst.net.nz>

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
---
 python/samba/gpclass.py               | 29 +++++++++++++-------------
 source4/scripting/bin/samba_gpoupdate | 39 ++++++++++++++++++++++++++---------
 2 files changed, 43 insertions(+), 25 deletions(-)

diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
index f88e3d3..b7f6e34 100755
--- a/python/samba/gpclass.py
+++ b/python/samba/gpclass.py
@@ -100,19 +100,16 @@ class gp_sec_ext(gp_ext):
         return "Security GPO extension"
 
     def list(self, rootpath):
-        path = "%s/%s" % (rootpath, "/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf")
-        if os.path.exists(path):
-                return path
+        path = "%s%s" % (rootpath, "MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf")
+        return path
 
     def listmachpol(self, rootpath):
-        path = "%s/%s" % (rootpath, "Machine/Registry.pol")
-        if os.path.exists(path):
-            return path
+        path = "%s%s" % (rootpath, "Machine/Registry.pol")
+        return path
 
     def listuserpol(self, rootpath):
-        path = "%s/%s" % (rootpath, "User/Registry.pol")
-        if os.path.exists(path):
-            return path
+        path = "%s%s" % (rootpath, "User/Registry.pol")
+        return path
 
     def populate_inf(self):
         return {"System Access": {"MinimumPasswordAge": ("minPwdAge", inf_to_ldb),
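Review bot: With the `os.path.exists` checks gone, `list`, `listmachpol` and `listuserpol` always return a string, so a caller can no longer tell a missing policy file from a present one; the `if gpolist[0][1]:` guard in samba_gpoupdate, if it is fed from these methods, becomes always true. A missing file is then only noticed when the later `conn.loadfile` call fails. The `"%s%s"` join also depends on `rootpath` ending in a separator, which none of the three methods documents or enforces; a one-line docstring such as `"""Return the share-relative path of GptTmpl.inf; rootpath must end with '/'."""` would state that contract. `list` spells the directory `MACHINE` while `listmachpol` keeps `Machine`, which is worth making consistent even if the CIFS lookup is case-insensitive.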
@@ -123,14 +120,16 @@ class gp_sec_ext(gp_ext):
                }
 #FIXME. EACH gpo should have a parser, and a creater. Essentially a gpo is just a file. Possibly a method and class to link it to organization unit (if that already does not exist) so that GPO's can be created arithmetically, possibly with a hashtable for certain GPO, then linked if desired. Also could store a backup folder of gpo's and then configure them without necessarily deploying it.
 
-    def read_inf(self, path):
+    def read_inf(self, path, conn):
         inftable = self.populate_inf()
         '''The inf file to be mapped'''
-        policy = codecs.open(path, encoding='utf-16')
-        if not policy:
+        #policy = codecs.open(path, encoding='utf-16')
+	try:
+            policy = conn.loadfile(path).decode('utf-16')
+        except:
             return None
         current_section = None
-        for line in policy.readlines():
+        for line in policy.splitlines():
             line = line.strip()
             if line[0] == '[':
                 section = line[1: -1]
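Review bot: The bare `except:` around `conn.loadfile(path).decode('utf-16')` turns every failure (a dropped SMB session, an access error, a file that is not valid UTF-16) into a silent `return None`, so a security template that could not be read is indistinguishable from one that does not exist and its password settings are simply not applied. Catching `Exception` and reporting it keeps the best-effort behaviour while leaving a trace, e.g. `except Exception as e:` followed by a log line naming `path` and `e` before `return None`. The `try:` line is indented with a tab while the surrounding lines use spaces (the `flags = (...)` continuation lines in samba_gpoupdate have the same problem); it should use spaces. The commented-out `codecs.open` line, like the commented `os.listdir` and old `path` assignments in samba_gpoupdate, should be deleted rather than kept. read_inf's body continues past the end of this hunk.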
@@ -148,11 +147,11 @@ class gp_sec_ext(gp_ext):
                     setter(self.ldb, self.dn, att, value).update_samba()
     #FIXME read registry files (.pol). Can they ever apply? Define read_registry():
 
-    def parse(self, afile, ldb):
+    def parse(self, afile, ldb, conn):
         self.ldb = ldb
         self.dn = ldb.get_default_basedn()
         if afile.endswith('inf'):
-            self.read_inf(afile)
+            self.read_inf(afile, conn)
 
 class samba4_gpo_hierarchy(object):
 
diff --git a/source4/scripting/bin/samba_gpoupdate b/source4/scripting/bin/samba_gpoupdate
index 4f5c692..772c071 100755
--- a/source4/scripting/bin/samba_gpoupdate
+++ b/source4/scripting/bin/samba_gpoupdate
@@ -17,6 +17,9 @@ import samba
 import optparse
 from samba import getopt as options
 from samba.gpclass import *
+from samba.net import Net
+from samba.dcerpc import nbt
+from samba import smb
 
 # Finds all GPO Files ending in inf
 def gp_path_list(path):
@@ -24,15 +27,13 @@ def gp_path_list(path):
     GPO_LIST = []
     for ext in gp_extensions:
         GPO_LIST.append((ext, ext.list(path)))
-
     return GPO_LIST
 
 # Reads the GPOs and sends them to their proper handlers
-def gpo_parser(GPO_LIST, ldb):
+def gpo_parser(GPO_LIST, ldb, conn):
     for entry in GPO_LIST:
         (ext, thefile) = entry
-        ext.parse(thefile, ldb)
-
+        ext.parse(thefile, ldb, conn)
 
 parser = optparse.OptionParser("testsearchdn [options]")
 
@@ -51,7 +52,7 @@ opts, args = parser.parse_args()
 lp = sambaopts.get_loadparm()
 
 smbconf = lp.configfile
-creds = credopts.get_credentials(lp)
+creds = credopts.get_credentials(lp, fallback_machine=True)
 
 session = system_session()
 
@@ -72,7 +73,8 @@ schemadn = test_ldb.get_schema_basedn()
 basedn = test_ldb.get_default_basedn()
 
 '''Will need sysvol to write a basic GUID version dynamic log file'''
-path = '%s/%s/%s' % (lp.get("path", "sysvol"), lp.get("realm").lower(), 'Policies')
+#path = '%s/%s/%s' % (lp.get("path", "sysvol"), lp.get("realm").lower(), 'Policies')
+path = '%s/Policies' % lp.get("realm").lower()
 sys_log = '%s/%s' % (lp.get("path", "sysvol"), 'syslog.txt')
 
 '''Returns dict from previous logfile, then scraps the logfile '''
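Review bot: `path` silently changes meaning here from a local filesystem directory to a path relative to the sysvol share, while `sys_log` on the next line is still built from the local `lp.get("path", "sysvol")` directory. Any code outside this hunk that still hands `path` to `os` or `open` would now look in the wrong place, so the assignment deserves a comment, for example `# relative to the root of the 'sysvol' share; only valid with the SMB connection`.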
@@ -87,7 +89,23 @@ specific_ou = "OU=Domain Controllers"
 global_dn = test_ldb.domain_dn()
 print 'The global DN for this domain is ' + global_dn
 DC_OU = specific_ou + ',' + global_dn
-guid_list = os.listdir(path)
+
+net = Net(creds=creds, lp=lp)
+
+# We need to know writable DC to setup SMB connection
+flags = (nbt.NBT_SERVER_LDAP |
+	 nbt.NBT_SERVER_DS |
+	 nbt.NBT_SERVER_WRITABLE)
+cldap_ret = net.finddc(domain=lp.get('realm'), flags=flags)
+dc_hostname = cldap_ret.pdc_dns_name
+
+try:
+    conn = smb.SMB(dc_hostname, 'sysvol', lp=lp, creds=creds)
+except Exception, e:
+    raise Exception("Error connecting to '%s' using SMB" % dc_hostname, e)
+
+guid_list = [x['name'] for x in conn.list(path)]
+#guid_list = os.listdir(path)
 #guid_list = establish_hierarchy(test_ldb, guid_list, DC_OU, global_dn)
 
 hierarchy_gpos = samba4_gpo_hierarchy(test_ldb, guid_list, DC_OU, global_dn)
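Review bot: The policy files read through `conn` end up changing directory password settings, yet nothing in the `smb.SMB(dc_hostname, 'sysvol', lp=lp, creds=creds)` call visibly requires a signed session, and `dc_hostname` is taken straight from the CLDAP reply. If the `smb.SMB` binding in this tree offers a way to require signing, it should be requested here; otherwise the dependence on the smb.conf signing settings should be stated in a comment. `net.finddc` is also called outside the `try`, so a failed DC lookup surfaces as a raw traceback while a failed connect gets the wrapped message; moving it inside the `try` would make the two consistent. `raise Exception("...", e)` packs the cause into a tuple argument, which prints poorly; formatting `e` into the message reads better.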
@@ -106,8 +124,9 @@ for guid_eval in hierarchy_gpos.sorted_full:
     '''If an important GPO parse it. Will not parse if it has not changed, is empty, or is not in the right container'''
     if guid_eval[1]:
         if gpolist[0][1]:
-            if (version != previous_scanned_version.get(guid)) and (version != 0):
-                print ('GPO %s has changed' % guid)
-                gpo_parser(gpolist, test_ldb)
+            #print version, previous_scanned_version.get(guid)
+            #if (version != previous_scanned_version.get(guid)) and (version != 0):
+            #    print ('GPO %s has changed' % guid)
+            gpo_parser(gpolist, test_ldb, conn)
 
     sys_log.write('%s %i\n' % (guid,version))
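Review bot: Commenting out the version comparison means `gpo_parser` now runs for every linked GPO on every invocation, including GPOs whose version is unchanged or 0, which contradicts the string literal just above ("Will not parse if it has not changed, is empty, ..."). That is a behaviour change unrelated to the CIFS connection and looks like a debugging leftover. Unless it is intentional, the guard should be restored around the new call: `if (version != previous_scanned_version.get(guid)) and (version != 0):` with `gpo_parser(gpolist, test_ldb, conn)` indented under it. The enclosing `for` loop starts outside this hunk.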
-- 
2.10.2



