[PATCH] s4: regroup gpo modification in one function, set acl on files accordingly with ACL in LDAP
Matthieu Patou
mat at matws.net
Sun Oct 25 15:27:44 MDT 2009
---
source4/scripting/python/samba/provision.py | 49 +++++++++++++++++---------
1 files changed, 32 insertions(+), 17 deletions(-)
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 4df1188..bc9a027 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -48,7 +48,7 @@ from samba import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTI
from samba.samdb import SamDB
from samba.idmap import IDmapDB
from samba.dcerpc import security
-from samba.ndr import ndr_pack
+from samba.ndr import ndr_pack,ndr_unpack
import urllib
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError, timestring
from ms_schema import read_ms_schema
@@ -989,6 +989,36 @@ def setup_self_join(samdb, names,
"NETBIOSNAME": names.netbiosname,
"NTDSGUID": names.ntdsguid
})
+def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid):
+ policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
+ "{" + policyguid + "}")
+ os.makedirs(policy_path, 0755)
+ open(os.path.join(policy_path, "GPT.INI"), 'w').write(
+ "[General]\r\nVersion=65543")
+ os.makedirs(os.path.join(policy_path, "MACHINE"), 0755)
+ os.makedirs(os.path.join(policy_path, "USER"), 0755)
+
+ policy_path_dc = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
+ "{" + policyguid_dc + "}")
+ os.makedirs(policy_path_dc, 0755)
+ open(os.path.join(policy_path_dc, "GPT.INI"), 'w').write(
+ "[General]\r\nVersion=2")
+ os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755)
+ os.makedirs(os.path.join(policy_path_dc, "USER"), 0755)
+# call setntacl ...
+ res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s"%(policyguid,names.domaindn),
+ attrs=["nTSecurityDescriptor"],
+ expression="", scope=SCOPE_BASE)
+ assert(len(res) > 0)
+ acl = ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
+ print "set +x;PATH=./bin:\$PATH setntacl \"%s\" \"%s\""%(acl,policy_path)
+ os.system("set +x;PATH=./bin:\$PATH setntacl \"%s\" \"%s\""%(acl,policy_path))
+ res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s"%(policyguid_dc,names.domaindn),
+ attrs=["nTSecurityDescriptor"],
+ expression="", scope=SCOPE_BASE)
+ assert(len(res) > 0)
+ acl = ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
+ os.system("set +x;PATH=./bin:\$PATH setntacl \"%s\" \"%s\""%(acl,policy_path_dc))
def setup_samdb(path, setup_path, session_info, credentials, lp,
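Review bot: The `print` / `os.system(...)` lines at the end of `setup_gpo` build a shell command by interpolating the SDDL string and the sysvol path inside double quotes, so any `"`, `$` or backtick coming from `names.dnsdomain` or the descriptor is parsed by the shell. The exit status of `setntacl` is also discarded, so a failed ACL write leaves the policy directories at their plain 0755 mode with no error. The `PATH=./bin:\$PATH` prefix reaches the shell with the backslash intact, which makes the search path the relative `./bin` plus a literal `$PATH`, so the binary is resolved from whatever directory provisioning was started in. I would call the tool through `subprocess` with an argument list, check the return code, replace the two `assert(len(res) > 0)` checks (which are stripped under `-O`) with an explicit raise, and fold the duplicated search-and-apply into one loop as sketched below; this needs `import subprocess` at the top of the file and an agreed install location for `setntacl`. The `domainsid` parameter is accepted but never used while `security.dom_sid("S-1-5-21-1")` is hard-coded, which looks unintended.

```python
def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid):
    # ... unchanged: creation of both policy directories and their GPT.INI files ...
    for guid, path in ((policyguid, policy_path), (policyguid_dc, policy_path_dc)):
        res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s" % (guid, names.domaindn),
                           attrs=["nTSecurityDescriptor"],
                           expression="", scope=SCOPE_BASE)
        if len(res) == 0:
            raise Exception("GPO object {%s} not found in the directory" % guid)
        acl = ndr_unpack(security.descriptor,
                         str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
        # Argument list: no shell ever parses the SDDL string or the path.
        if subprocess.call(["setntacl", acl, path]) != 0:
            raise Exception("setntacl failed for %s" % path)
```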
@@ -1382,22 +1412,7 @@ def provision(setup_dir, message, session_info,
assert(paths.sysvol is not None)
# Set up group policies (domain policy and domain controller policy)
-
- policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
- "{" + policyguid + "}")
- os.makedirs(policy_path, 0755)
- open(os.path.join(policy_path, "GPT.INI"), 'w').write(
- "[General]\r\nVersion=65543")
- os.makedirs(os.path.join(policy_path, "MACHINE"), 0755)
- os.makedirs(os.path.join(policy_path, "USER"), 0755)
-
- policy_path_dc = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
- "{" + policyguid_dc + "}")
- os.makedirs(policy_path_dc, 0755)
- open(os.path.join(policy_path_dc, "GPT.INI"), 'w').write(
- "[General]\r\nVersion=2")
- os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755)
- os.makedirs(os.path.join(policy_path_dc, "USER"), 0755)
+ setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid)
if not os.path.isdir(paths.netlogon):
os.makedirs(paths.netlogon, 0755)
--
1.6.0.4