[PATCH] Improve samba-tool gpo aclcheck error handling
Tim Beale
timbeale at catalyst.net.nz
Wed Jan 30 02:33:16 UTC 2019
I was hitting an untidy samba-tool command exception and tried to make
the error handling a bit more user-friendly. See attached.
CI pass: https://gitlab.com/catalyst-samba/samba/pipelines/45190381
Review appreciated. Thanks.
-------------- next part --------------
From f15614d9fb7b424223a14d778507ef6b644e310c Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue, 29 Jan 2019 13:25:55 +1300
Subject: [PATCH] netcmd: Improve error handling of gpo aclcheck as non-admin
Reading the nTSecurityDescriptor attribute over LDAP requires admin
creds. However, if you don't specify admin creds, then you get an error
like this:
bin/samba-tool gpo aclcheck
ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
File "bin/python/samba/netcmd/__init__.py", line 184, in _run
return self.run(*args, **kwargs)
File "bin/python/samba/netcmd/gpo.py", line 1536, in run
ds_sd_ndr = m['nTSecurityDescriptor'][0]
This patch adds an explicit check/error message to make the problem
clearer.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
---
python/samba/netcmd/gpo.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
index 1b5e927..95fe5d6 100644
--- a/python/samba/netcmd/gpo.py
+++ b/python/samba/netcmd/gpo.py
@@ -1533,6 +1533,10 @@ class cmd_aclcheck(GPOCommand):
fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
+ if 'nTSecurityDescriptor' not in m:
+ raise CommandError("Could not read nTSecurityDescriptor. "
+ "This requires an Administrator account")
+
ds_sd_ndr = m['nTSecurityDescriptor'][0]
ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
--
2.7.4
More information about the samba-technical
mailing list