[PATCH 5/8] gpo: create a local cifs connection to avoid case issues when searching for policies
David Mulder
dmulder at suse.com
Mon Jan 30 15:17:17 UTC 2017
From: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
---
python/samba/gpclass.py | 29 +++++++++++++-------------
source4/scripting/bin/samba_gpoupdate | 39 ++++++++++++++++++++++++++---------
2 files changed, 43 insertions(+), 25 deletions(-)
diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
index f88e3d3..b7f6e34 100755
--- a/python/samba/gpclass.py
+++ b/python/samba/gpclass.py
@@ -100,19 +100,16 @@ class gp_sec_ext(gp_ext):
return "Security GPO extension"
def list(self, rootpath):
- path = "%s/%s" % (rootpath, "/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf")
- if os.path.exists(path):
- return path
+ path = "%s%s" % (rootpath, "MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf")
+ return path
def listmachpol(self, rootpath):
- path = "%s/%s" % (rootpath, "Machine/Registry.pol")
- if os.path.exists(path):
- return path
+ path = "%s%s" % (rootpath, "Machine/Registry.pol")
+ return path
def listuserpol(self, rootpath):
- path = "%s/%s" % (rootpath, "User/Registry.pol")
- if os.path.exists(path):
- return path
+ path = "%s%s" % (rootpath, "User/Registry.pol")
+ return path
def populate_inf(self):
return {"System Access": {"MinimumPasswordAge": ("minPwdAge", inf_to_ldb),
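Review bot: The three `list*` helpers now join `rootpath` to the relative name with `"%s%s"`, so the result is only a valid path when `rootpath` already ends in a slash; keeping the previous `"%s/%s"` form with the separator made explicit, e.g. `path = "%s/%s" % (rootpath.rstrip("/"), "MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf")`, removes that dependency on the caller. The casing is also inconsistent across the hunk: `list` uses `MACHINE/` while `listmachpol` uses `Machine/`; since the commit's premise is that the SMB lookup avoids case problems, one spelling plus a one-line comment stating that the share lookup is case-insensitive would make the intent clear. Dropping the `os.path.exists` check means callers now always receive a path, whether or not the file exists, so the "does this policy file exist" decision has moved to whoever reads it — worth stating in a comment on `list`.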
@@ -123,14 +120,16 @@ class gp_sec_ext(gp_ext):
}
#FIXME. EACH gpo should have a parser, and a creater. Essentially a gpo is just a file. Possibly a method and class to link it to organization unit (if that already does not exist) so that GPO's can be created arithmetically, possibly with a hashtable for certain GPO, then linked if desired. Also could store a backup folder of gpo's and then configure them without necessarily deploying it.
- def read_inf(self, path):
+ def read_inf(self, path, conn):
inftable = self.populate_inf()
'''The inf file to be mapped'''
- policy = codecs.open(path, encoding='utf-16')
- if not policy:
+ #policy = codecs.open(path, encoding='utf-16')
+ try:
+ policy = conn.loadfile(path).decode('utf-16')
+ except:
return None
current_section = None
- for line in policy.readlines():
+ for line in policy.splitlines():
line = line.strip()
if line[0] == '[':
section = line[1: -1]
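Review bot: The bare `except:` around `conn.loadfile(path).decode('utf-16')` turns every failure — a dropped SMB session, an access-denied result, a malformed or wrongly encoded GptTmpl.inf — into a silent `return None`, so a policy that should have applied is skipped without any record of why. Catch only the exception the SMB binding raises for a missing file and let everything else propagate, or at minimum log the path and the exception before returning; as written, a transient connection problem is indistinguishable from "this GPO has no security template". The commented-out `codecs.open` line here, together with the `#path = ...` line, the `#guid_list = os.listdir(path)` line and the commented-out version check in samba_gpoupdate, is dead code that should be removed rather than kept as a comment. `read_inf`'s body continues past the end of this hunk.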
@@ -148,11 +147,11 @@ class gp_sec_ext(gp_ext):
setter(self.ldb, self.dn, att, value).update_samba()
#FIXME read registry files (.pol). Can they ever apply? Define read_registry():
- def parse(self, afile, ldb):
+ def parse(self, afile, ldb, conn):
self.ldb = ldb
self.dn = ldb.get_default_basedn()
if afile.endswith('inf'):
- self.read_inf(afile)
+ self.read_inf(afile, conn)
class samba4_gpo_hierarchy(object):
diff --git a/source4/scripting/bin/samba_gpoupdate b/source4/scripting/bin/samba_gpoupdate
index 4f5c692..772c071 100755
--- a/source4/scripting/bin/samba_gpoupdate
+++ b/source4/scripting/bin/samba_gpoupdate
@@ -17,6 +17,9 @@ import samba
import optparse
from samba import getopt as options
from samba.gpclass import *
+from samba.net import Net
+from samba.dcerpc import nbt
+from samba import smb
# Finds all GPO Files ending in inf
def gp_path_list(path):
@@ -24,15 +27,13 @@ def gp_path_list(path):
GPO_LIST = []
for ext in gp_extensions:
GPO_LIST.append((ext, ext.list(path)))
-
return GPO_LIST
# Reads the GPOs and sends them to their proper handlers
-def gpo_parser(GPO_LIST, ldb):
+def gpo_parser(GPO_LIST, ldb, conn):
for entry in GPO_LIST:
(ext, thefile) = entry
- ext.parse(thefile, ldb)
-
+ ext.parse(thefile, ldb, conn)
parser = optparse.OptionParser("testsearchdn [options]")
@@ -51,7 +52,7 @@ opts, args = parser.parse_args()
lp = sambaopts.get_loadparm()
smbconf = lp.configfile
-creds = credopts.get_credentials(lp)
+creds = credopts.get_credentials(lp, fallback_machine=True)
session = system_session()
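Review bot: `fallback_machine=True` changes which identity the script authenticates with when no credentials are supplied on the command line, and nothing in the hunk says why; a comment such as `# fall back to the machine account so the SMB connection to sysvol can be made without explicit credentials` would record the intent. If I read the later hunks correctly, this fallback is what the new `smb.SMB(...)` connection relies on when the script runs unattended, so the two changes belong together in the explanation.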
@@ -72,7 +73,8 @@ schemadn = test_ldb.get_schema_basedn()
basedn = test_ldb.get_default_basedn()
'''Will need sysvol to write a basic GUID version dynamic log file'''
-path = '%s/%s/%s' % (lp.get("path", "sysvol"), lp.get("realm").lower(), 'Policies')
+#path = '%s/%s/%s' % (lp.get("path", "sysvol"), lp.get("realm").lower(), 'Policies')
+path = '%s/Policies' % lp.get("realm").lower()
sys_log = '%s/%s' % (lp.get("path", "sysvol"), 'syslog.txt')
'''Returns dict from previous logfile, then scraps the logfile '''
@@ -87,7 +89,23 @@ specific_ou = "OU=Domain Controllers"
global_dn = test_ldb.domain_dn()
print 'The global DN for this domain is ' + global_dn
DC_OU = specific_ou + ',' + global_dn
-guid_list = os.listdir(path)
+
+net = Net(creds=creds, lp=lp)
+
+# We need to know writable DC to setup SMB connection
+flags = (nbt.NBT_SERVER_LDAP |
+ nbt.NBT_SERVER_DS |
+ nbt.NBT_SERVER_WRITABLE)
+cldap_ret = net.finddc(domain=lp.get('realm'), flags=flags)
+dc_hostname = cldap_ret.pdc_dns_name
+
+try:
+ conn = smb.SMB(dc_hostname, 'sysvol', lp=lp, creds=creds)
+except Exception, e:
+ raise Exception("Error connecting to '%s' using SMB" % dc_hostname, e)
+
+guid_list = [x['name'] for x in conn.list(path)]
+#guid_list = os.listdir(path)
#guid_list = establish_hierarchy(test_ldb, guid_list, DC_OU, global_dn)
hierarchy_gpos = samba4_gpo_hierarchy(test_ldb, guid_list, DC_OU, global_dn)
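Review bot: `guid_list = [x['name'] for x in conn.list(path)]` takes every entry the share returns, whereas the `os.listdir` it replaces yielded only real directory entries; if `conn.list` also reports `.`/`..` or stray non-GPO files, they flow into `samba4_gpo_hierarchy` and on into the per-GUID path building. Filtering to names that look like a GPO GUID (brace-wrapped, hex and hyphens) before building the list would make the hierarchy's input explicit — the exact shape returned by `conn.list` is not visible here, so confirm against the binding. `net.finddc(...)` and the `cldap_ret.pdc_dns_name` access sit outside the `try`, so a domain with no reachable writable DC fails with an unwrapped error instead of the clear message the SMB branch produces; covering the lookup as well, or checking `cldap_ret` before use, would give consistent diagnostics. `raise Exception("Error connecting to '%s' using SMB" % dc_hostname, e)` also loses the original traceback under Python 2; folding the cause into the message, `raise Exception("Error connecting to '%s' using SMB: %s" % (dc_hostname, e))`, at least keeps it readable in the log.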
@@ -106,8 +124,9 @@ for guid_eval in hierarchy_gpos.sorted_full:
'''If an important GPO parse it. Will not parse if it has not changed, is empty, or is not in the right container'''
if guid_eval[1]:
if gpolist[0][1]:
- if (version != previous_scanned_version.get(guid)) and (version != 0):
- print ('GPO %s has changed' % guid)
- gpo_parser(gpolist, test_ldb)
+ #print version, previous_scanned_version.get(guid)
+ #if (version != previous_scanned_version.get(guid)) and (version != 0):
+ # print ('GPO %s has changed' % guid)
+ gpo_parser(gpolist, test_ldb, conn)
sys_log.write('%s %i\n' % (guid,version))
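Review bot: Commenting out the `version != previous_scanned_version.get(guid)` test means every GPO in the hierarchy is parsed and applied on every run, while `sys_log.write('%s %i\n' % (guid,version))` still records the version as if the comparison were in force; the commit title says nothing about disabling change detection. If this is deliberate while the SMB path is being brought up, replace the three commented lines with a single `# TODO: version comparison disabled — [reason]; every GPO is re-applied on each run until it is restored` so the regression is visible; otherwise restore the check. The enclosing `for guid_eval in hierarchy_gpos.sorted_full:` loop starts before this hunk.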
--
2.10.2