a WaF\@szddlmZddlZddlZddlZddlZddlZddlZddl Zddl m Z ddl mZmZmZddlmZmZddl mZddl mZddlmZdd lmZdd lmZejejBejBejBZ ej!ej"Bej#Bej$BZ%ej&ej'BZ(Gd d d e)Z*d dZ+ddZ,d)ddZ-d*ddZ.ddZ/d+ddZ0GdddZ1GdddZ2dd Z3d!d"Z4d#d$Z5d%d&Z6d'd(Z7dS),)print_functionN)param)securityxattridmap)ndr_pack ndr_unpack)smbd)libsmb_samba_internal)get_samba_logger) NTSTATUSError)system_session_unixc@seZdZdZdS)XattrBackendErrorzA generic xattr backend error.N)__name__ __module__ __qualname____doc__rr./usr/lib/python3/dist-packages/samba/ntacls.pyr:srcCs|durP|d}|dur*tj|dfS|d}|durLtj|dfSdS|dkr\dS|dkr|durvtj|fStjtjtj|ddfSnR|d kr|durtj|fS|d }tjtj|d }tj|fSn td |dS) z$return the path to the eadb, or NoneNzxattr_tdb:filez posix:eadb)NNZnativeZeadbz private dirzeadb.tdbZtdbzstate directoryz xattr.tdbzInvalid xattr backend choice %s) getsamba xattr_tdb posix_eadbospathabspathjoinr)lpbackendeadbfilerrZ state_dirZdb_pathrrrcheckset_backend>s*   $   r cCs6ztj|tj}Wnty(YdS0ttj|SN)r xattr_native wrap_getxattrrZXATTR_DOSATTRIB_NAME_S3 ExceptionrZ DOSATTRIB)rfile attributerrr getdosinfoZs r'Tc Cs|rt|||\}}|durbz|||tj} Wqrty^td|tj|tj} Yqr0ntj|tj} ttj | } | j dkr| j S| j dkr| j j S| j dkr| j j S| j dkr| j j Snt j|t||dSdS)NFail to open %sservice)r r#rXATTR_NTACL_NAMEr$printrr"rNTACLversioninfosdr Z get_nt_aclSECURITY_SECINFO_FLAGS) rr% session_inforrdirect_db_accessr. backend_objdbnamer&ntaclrrrgetntaclds:         r;Fc  Cs@t|tst|tjsJt|tr0t|} nt|tjrH|} t| }t|tsbt|tjsbJt|tr|tj|| } nt|tjr|} | | }|s|r| | j\} }|t j kr|t j kr| jtd|tj fkrXtd|tj f}| |\}}|t j ks |t j krD| }||_tj|t||| dd}ntd|||fn0t|ddtj|tjtjBtjB| || d|r(t|||\}}t}d|_| |_|durz|||tjt|Wn6ty t d|t!j"|tjt|Yn0nt!j"|tjt|ntj|t| | |d dS) a A wrapper for smbd set_nt_acl api. Args: lp (LoadParam): load param from conf file (str): a path to file or dir sddl (str): ntacl sddl string service (str): name of share service, e.g.: sysvol session_info (auth_session_info): session info for authentication Note: Get `session_info` with `samba.auth.user_session`, do not use the `admin_session` api. Returns: None z%s-%dr-TzDUnable to find UID for domain administrator %s, got id %d of type %drr)Nr()r.r6)# isinstancestrrdom_sid descriptor from_sddlas_sddlZ sid_to_id owner_sidrZ ID_TYPE_UIDZ ID_TYPE_BOTHZDOMAIN_RID_ADMINSZDOMAIN_RID_ADMINISTRATORr Z set_nt_aclr5rrchown SECINFO_GROUP SECINFO_DACL SECINFO_SACLr rr1r2r3Z wrap_setxattrr/rr$r0rr")rr%ZsddlZdomsidr6rr use_ntvfsZskip_invalid_chownZpassdbr.sidr4Zowner_idZ owner_typeZ administratorZadmin_idZ admin_typeZsd2r8r9r:rrrsetntacls|              rIcCsd}d}d}d}d}d}d}d}d } d} d} d} d} d}d}d}d}d}d}d}d}d}d }d }d }d }d }d}d}||@}||@r||@r||| B|B|B| B|BB}||@r||| B|B|B|B| B|BB}||@r||| BB}||@r||B}|S)zMTakes the access mask of a DS ACE and transform them in a File ACE mask. r)r*r, @iiiiiir)ZldmZRIGHT_DS_CREATE_CHILDZRIGHT_DS_DELETE_CHILDZRIGHT_DS_LIST_CONTENTSZ ACTRL_DS_SELFZRIGHT_DS_READ_PROPERTYZRIGHT_DS_WRITE_PROPERTYZRIGHT_DS_DELETE_TREEZRIGHT_DS_LIST_OBJECTZRIGHT_DS_CONTROL_ACCESSZFILE_READ_DATAZFILE_LIST_DIRECTORYZFILE_WRITE_DATAZ FILE_ADD_FILEZFILE_APPEND_DATAZFILE_ADD_SUBDIRECTORYZFILE_CREATE_PIPE_INSTANCEZ FILE_READ_EAZ FILE_WRITE_EAZ FILE_EXECUTEZ FILE_TRAVERSEZFILE_DELETE_CHILDZFILE_READ_ATTRIBUTESZFILE_WRITE_ATTRIBUTESZDELETEZ READ_CONTROLZ WRITE_DACZ WRITE_OWNERZ SYNCHRONIZEZSTANDARD_RIGHTS_ALLZfilemaskrrrldapmask2filemasksr rPcCstj||}t}|j|_|j|_|j|_|j|_|jj}t dt |D]p}||}|jtj @sLt |j tjkrL|jtjBtjB|_t |j tjkr|jtjB|_t|j|_||qL|s|S||S)z This function takes an the SDDL representation of a DS ACL and return the SDDL representation of this ACL adapted for files. It's used for Policy object provision r)rr?r@rBZ group_sidtypeZrevisionZdaclacesrangelenZ"SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECTr=ZtrusteeZSID_BUILTIN_PREW2KflagsZSEC_ACE_FLAG_OBJECT_INHERITZSEC_ACE_FLAG_CONTAINER_INHERITZSID_CREATOR_OWNERZSEC_ACE_FLAG_INHERIT_ONLYrPZ access_maskZdacl_addrA)ZdssddlrHrArefZfdescrrRiZacerrr dsacl2fsacl(s$  rXc@sjeZdZdZddZdddZddd Zd d Zd d ZddZ dddZ dddZ dddZ ddZ dS) SMBHelperzb A wrapper class for SMB connection smb_path: path with separator "\" other than "/" cCs||_||_dSr!)smb_connr>)selfrZr>rrr__init__NszSMBHelper.__init__FcCs0d|vs J|j|tt}|r,||jS|SN/)rZget_aclr5SECURITY_SEC_FLAGSrAr>)r[smb_pathrAntacl_sdrrrr_Rs  zSMBHelper.get_aclcCsd|vs J|jj|tdS)zM List file and dir base names in smb_path without recursive. r^)Zattribs)rZlistSMB_FILE_ATTRIBUTE_FLAGSr[rarrrrdZs zSMBHelper.listcCst|tj@S)ze Check whether the attrib value is a directory. attrib is from list method. )boollibsmbFILE_ATTRIBUTE_DIRECTORY)r[attribrrris_diraszSMBHelper.is_dircCs|r|d|S|S)z$ Join path with '\' \r)r[rootnamerrrriszSMBHelper.joincCsd|vs J|j|Sr])rZloadfilerfrrrroos zSMBHelper.loadfilecCsb|D]T\}}|||}t|trN|j|s>|j||j||dq|j||qdS)z1 Create files as defined in tree raN) itemsrr<dictrZZchkpathmkdir create_treeZsavefile)r[treerarnZcontentfullnamerrrrtss    zSMBHelper.create_treecCsZi}||D]F}|d}|||}||drF|j|d||<q||||<q|S)a Get the tree structure via smb conn self.smb_conn.list example: [ { 'attrib': 16, 'mtime': 1528848309, 'name': 'dir1', 'short_name': 'dir1', 'size': 0L }, { 'attrib': 32, 'mtime': 1528848309, 'name': 'file0.txt', 'short_name': 'file0.txt', 'size': 10L } ] rnrjrp)rdrrkget_treero)r[raruitemrnrvrrrrws zSMBHelper.get_treecCshi}||D]T}|d}|||}||drH||j|dq||}||j||<q|S)z> Get ntacl for each file and dir via smb conn rnrjrp)rdrrkupdate get_ntaclsr_rAr>)r[raZntaclsrxrnrvrbrrrrzs  zSMBHelper.get_ntaclscCsB|D]4}|d}||dr0|j|q|j|qdS)Nrnrj)rdrkrZZdeltreeunlink)r[rxrnrrr delete_trees  zSMBHelper.delete_treeN)F)rc)rc)rc)rc)rrrrr\r_rdrkrrortrwrzr|rrrrrYGs   rYc@s&eZdZddZd ddZddZdS) NtaclsHelpercCs8||_||_t|_|j|d|jdv|_dS)NZsmbzserver services)r.r>s3paramZ get_contextrloadrrG)r[r. smb_conf_pathr>rrrr\s   zNtaclsHelper.__init__FNcCs8|dur|j}t|j||||jd}|r4||jS|S)N)r7r.)rGr;rr.rAr>)r[rr6rAr7rbrrrr;szNtaclsHelper.getntaclcCst|j|||j||jdS)N)rG)rIrr>rG)r[rrbr6rrrrIszNtaclsHelper.setntacl)FN)rrrr\r;rIrrrrr}s r}cCs<t|dd}||Wdn1s.0YdS)N.NTACLw)openwrite)dstntacl_sddl_strfrrr_create_ntacl_filesrcCsN|d}tj|sdSt|d}|WdS1s@0YdS)Nrr)rrexistsrread)srcZ ntacl_filerrrr_read_ntacl_files   rc Cst}t|trt|}t||}d}t}|g}|g}|rd|} |} |j | dD]} | | | d} t j | | d} | | dr|| || t | n>|| }t| d}||Wdn1s0Yz|j| dd}t| |Wq^ty^} z6|d | | jd f|d | d WYd} ~ q^d} ~ 00q^q}t |D]"}t j ||}|j||dq~Wdn1s0Yt|dS)aa Backup all files and dirs with ntacl for the serive behind smb_conn. 1. Create a temp dir as container dir 2. Backup all files with dir structure into container dir 3. Generate file.NTACL files for each file and dir in contianer dir 4. Create a tar file from container dir(without top level folder) 5. Delete contianer dir rcrprnrjwbNTrAz"Failed to get the ntacl for %s: %sr)z!The permissions for %s may not bez restored correctlyw:gzrnmodeZarcname)r r<r=rr>rYtempfilemkdtemppoprdrrrrkappendrsrorrr_rr errorargswarningtarfilelistdiraddshutilrmtree)rZdest_tarfile_pathr>loggerZ smb_helperZ remotedirZlocaldirZr_dirsZl_dirsZr_dirZl_direZr_nameZl_namedatarrtarrnrrrr backup_onlinesH         (   2rc Cs|dddd}t}t}|}t|}t|||} t |D].\} } } t j j | |d} t j || }| D]H}t j | |}t j ||}t|||| j||dd}t||qz| D]}t j | |}t j ||}t|||| j||dd}t||t|dN}|}t|d}||Wd n1sP0YWd q1sp0YqqLtj|d d >}t |D]"}t j ||}|j||d qWd n1s0Yt|d S) z< Backup files and ntacls to a tarfile for a service r^r)startTrrbrNrrr)rstriprsplitrrr get_domain_sidrr>r}rwalkrrelpathrr rsr;r create_filerrrrrrrr)Zsrc_service_pathr samdb_connrr.tempdirr6 dom_sid_strr> ntacls_helperdirpathdirnames filenames rel_dirpath dst_dirpathdirnamerrrfilenamesrc_filerdst_filerrnrrrrbackup_offline s<      N2rc Cs0t}|dddd}t}|}t|}t|||} t } t |} | j |dWdn1st0Yt |D]\} } }t jj| |d}t jt j||}| D]v}|dst j| |}t j||}t j|st|| |t|}|r"| ||| q|d|d q|D]}|ds:t j| |}t j||}t j|st|| |t|}|r| ||| n|d |d t |d N}|}t |d }||Wdn1s0YWdn1s0Yq:qt|dS) z> Restore files and ntacls from a tarfile to a service r^r)r)rNrrz)Failed to restore ntacl for directory %s.z) Please check the permissions are correctz$Failed to restore ntacl for file %s.rr) r rrrrrrr>r}r rrZ extractallrrrrnormpathrendswithisdirr rsrrIrisfilerrrrr)Zsrc_tarfile_pathZdst_service_pathrrrr.rrr>rr6rrrrrrrrrrrrrrrrrbackup_restoreSsZ   *      Pr)NNTN)NNTFNN)T)8Z __future__rrrrrZsamba.xattr_nativerZsamba.xattr_tdbZsamba.posix_eadbZ samba.samba3rr~Z samba.dcerpcrrrZ samba.ndrrrr r rhZ samba.loggerr r Zsamba.auth_utilr FILE_ATTRIBUTE_SYSTEMriFILE_ATTRIBUTE_ARCHIVEFILE_ATTRIBUTE_HIDDENreZ SECINFO_OWNERrDrErFr5ZSEC_FLAG_SYSTEM_SECURITYZSEC_STD_READ_CONTROLr`r$rr r'r;rIrPrXrYr}rrrrrrrrrsj         ' g7 q <3