a Wa@sddlmZddlZddlmZddlZddlZddlm m Z ddl Z ddl Z ddlmZddlmZmZmZmZddlmZddlmZddlmZddlmZddlZddlZdd lmZmZm Z dd l!m"Z"dd lm#Z#dd l$m%Z&dd l$m'Z(ddlm)Z)ddl*Z*ddl+m,Z,ddlm-Z-ddl.m/Z/ddl0m1Z1m2Z2m3Z3ddl4m5Z5ddl6m7Z7m8Z8m9Z9m:Z:ddl;mZ>ddl?m@Z@dd lm%Z%ddZAddZBddZCddZDd d!ZEd_d"d#ZFd$d%ZGdddejHejIBejJBejKBfd&d'ZLd(d)ZMd*d+ZNd,d-ZOejPfd.d/ZQd0d1ZRe(jSe(jTBe(jUBe(jVBZWd2d3ZXd`d5d6ZYd7d8ZZdad9d:Z[Gd;d<dd>e\Z]Gd?d@d@e\Z^GdAdBdBe\Z_GdCdDdDe\Z`GdEdFdFe\ZaGdGdHdHe\ZbGdIdJdJe\ZcGdKdLdLe\ZdGdMdNdNe\ZeGdOdPdPe\ZfGdQdRdRe\ZgGdSdTdTe\ZhGdUdVdVehZiGdWdXdXe\ZjGdYdZdZe\ZkGd[d\d\eZlGd]d^d^eZmdS)b)print_functionN)system_session)Command CommandErrorOption SuperCommand)SamDB)dsdb)security) ndr_unpack) AUTH_SESSION_INFO_DEFAULT_GROUPSAUTH_SESSION_INFO_AUTHENTICATED#AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) netcmd_finddc)policy)param)libsmb_samba_internal) NTSTATUSError) dsacl2fsacl)nbt)Net)GPParserGPNoParserExceptionGPGeneralizeException) GPPolParser) GPIniParser GPTIniParserGPFDeploy1IniParserGPScriptsIniParser)GPAuditCsvParser)GptTmplInfParser) GPAasParsercCs||vr||dS|S)z/get an attribute from a ldap msg with a defaultr)msgattrnamedefaultr"r"2/usr/lib/python3/dist-packages/samba/netcmd/gpo.py attr_defaultCs r'cCs"t|}|sd}n d|}|S)zreturn gpo flags stringNONE )rZ get_gpo_flagsjoin)valueflagsretr"r"r&gpo_flags_stringJs   r.cCs"t|}|sd}n d|}|S)zreturn gplink options stringr(r))rZget_gplink_optionsr*)r+optionsr-r"r"r&gplink_options_stringTs   r0cCsg}|dkr|S|d}|D]^}|s,q"|d}t|dksP|dds\td|||ddd t|d d q"|S) z.parse a gPLink into an array of dn and options];rz[LDAP://zBadly formed gPLink '%s'Ndnr/)stripsplitlen startswith RuntimeErrorappendint)Zgplinkr-agdr"r"r& parse_gplink^s    &rCcCsddd|D}|S)z4Encode an array of dn and options into gPLink stringr1css"|]}d|d|dfVqdS)z[LDAP://%s;%d]r8r/Nr").0rAr"r"r& rz encode_gplink..)r*)gplistr-r"r"r& encode_gplinkpsrHc CsZ|durV|durNzt||}Wn.tyL}ztd|WYd}~n d}~00d|}|S)zjIf URL is not specified, return URL for writable DC. If dc is provided, use that to construct ldap URLNzCould not find a DC for domainldap://)r Exceptionr=)lpcredsurldcer"r"r&dc_urlvs rPcCs4|}|t|d|t|d||S)zConstruct the DN for gpoCN=Policies,CN=SystemzCN=%s)get_default_basedn add_childldbDn)samdbgpor8r"r"r& get_gpo_dnsrXc Cs|}|t|d|}d}tj}|dur>dt|}|durTdt|}|durf|}tj}z"|j|||gdd|gd} WnDty} z,|durd |} nd } t | | WYd} ~ n d} ~ 00| S) z0Get GPO information using gpo, displayname or dnrQz"(objectClass=groupPolicyContainer)Nz.(&(objectClass=groupPolicyContainer)(name=%s))z5(&(objectClass=groupPolicyContainer)(displayname=%s)))nTSecurityDescriptor versionNumberr,name displayNamegPCFileSysPathgPCMachineExtensionNamesgPCUserExtensionNames sd_flags:1:%d)basescope expressionattrscontrolsz!Cannot get information for GPO %szCannot get information for GPOs) rRrSrTrUZSCOPE_ONELEVEL binary_encode SCOPE_BASEsearchrJr) rVrW displaynamer8sd_flagsZ policies_dnZbase_dn search_exprZ search_scoper#rOZmesgr"r"r& get_gpo_infos0   rlc CsTd|}z|j|dgd}Wn2tyN}ztd||WYd}~n d}~00|S)z lists dn of containers for a GPOz(&(objectClass=*)(gPLink=*%s*))gPLink)rcrdz'Could not find container(s) with GPO %sN)rhrJr)rVrWrkr#rOr"r"r&get_gpo_containerss $rnc CsZz|j|tjddgdd}Wn2tyP}ztd||WYd}~n d}~00d}tt||}d|vrtt|dd}|D]*}|d|kr| |d }qqntd |std |t } || _ |rt |} t | tjd| d <nt |ddtjd| d <z|| Wn0tyT}ztd|WYd}~n d}~00dS)z!delete GPO link for the container(objectClass=*)rmrarbrcrdrContainer '%s' does not existNFr8Tz"No GPO(s) linked to this containerz%GPO '%s' not linked to this containerZr0Zd0z!Error removing GPO from container)rhrTrgrJrstrrXrClowerremoveMessager8rHMessageElementFLAG_MOD_REPLACEZFLAG_MOD_DELETEmodify) rV container_dnrWr#rOfoundgpo_dnrGrAm gplink_strr"r"r& del_gpo_links> $  r~cCs^g}|dr$|dddd}n|drB|dddd}t|dkrZtd||S) z;Parse UNC string into a hostname, a service, and a filepathz\\r4N\z///zInvalid UNC string: %s)r<r:r; ValueError)unctmpr"r"r& parse_uncs    rcCstjd||drtStjd||dr,tStjd||drBtStjd||drXtStjd||drntStjd||drtStjd||drtStjd ||drtStjd ||drt Stjd ||drt StS) Nzfdeploy1\.ini$r,z audit\.csv$z GptTmpl\.inf$z GPT\.INI$z scripts\.ini$zpsscripts\.ini$z GPE\.INI$z.*\.ini$z.*\.pol$z.*\.aas$) rematchrrr rrrrrr!)r[r,r"r"r& find_parsers*rc Cs d}tj|st||g}|g}|r|}|}|j|td}|jddd|D]} |d| d} tj|| d} | dt j @r| | | | t| q^| | } t | |d } | | Wdn1s0Yt| d}|| || d q^q&dS) N .SAMBABACKUPZattribscSs|dSNr[r"xr"r"r&#rFz2backup_directory_remote_to_local..keyrr[attribwb.xml)ospathisdirmkdirpoplist attr_flagssortr*libsmbFILE_ATTRIBUTE_DIRECTORYr>loadfileopenwriterparseZ write_xml)conn remotedirlocaldirSUFFIXr_dirsl_dirsr_dirl_dirdirlistrOr_namel_namedatafparserr"r"r& backup_directory_remote_to_locals.      (  rc Cstj|st||g}|g}|r|}|}|j|td}|jddd|D]n}|d|d} tj||d} |dt j @r| | | | t| qX| | } t | d| qXq"dS) NrcSs|dSrr"rr"r"r&rFrFz0copy_directory_remote_to_local..rrr[rr)rrrrrrrrr*rrr>rrr) rrrrrrrrrOrrrr"r"r&copy_directory_remote_to_local<s$      rFc Cs||s|||g}|g}|r|}|}t|} | | D]} tj|| } |d| } tj| r| | | | z|| Wqt y|sYq0qJ|rz| | WqJWnt yYn0t | d } || | qJq dS)Nrrb)chkpathrrrlistdirrrr*rr>rrrreadsavefile)rrrignore_existing_dirkeep_existing_filesrrrrrrOrrrr"r"r&copy_directory_local_to_remoteTs8           rcCsD|ddd}d}|D]$}|d|}||s||qdS)Nrrr1)replacer:rr)rrZelemsrrOr"r"r&create_directory_hierys   rcCsPz,t}||jtj|||||d}WntyJtd|Yn0|S)NrKrLsignz"Error connecting to '%s' using SMB)s3paramZ get_contextloadZ configfilerZConnrJr) dc_hostnameservicerKrLrZs3_lprr"r"r&smb_connections  rc@seZdZddZddZdS) GPOCommandc Cs|dur"t}td||jdtj|s:td|tj|d}tj|s^t |tj||}tj|rtd|zt |Wn2t t fy}ztd|WYd}~n d}~00||fS)aEnsure that the temporary directory structure used in fetch, backup, create, and restore is consistent. If --tmpdir is used the named directory must be present, which may contain a 'policy' subdirectory, but 'policy' must not itself have a subdirectory with the gpo name. The policy and gpo directories will be created. If --tmpdir is not used, a temporary directory is securely created. Nz5Using temporary directory %s (use --tmpdir to change))filez'Temporary directory '%s' does not existrz8GPO directory '%s' already exists, refusing to overwritez%Error creating teporary GPO directory) tempfileZmkdtempprintoutfrrrrr*rIOErrorOSError)selftmpdirrWrgpodirrOr"r"r&construct_tmpdirs(       zGPOCommand.construct_tmpdirc CsXzt|jt|j|jd|_Wn4tyR}ztd|j|WYd}~n d}~00dS)z$make a ldap connection to the server)rMZ session_infoZ credentialsrKzLDAP connection to %s failed N)rrMrrLrKrVrJr)rrOr"r"r& samdb_connects zGPOCommand.samdb_connectN)__name__ __module__ __qualname__rrr"r"r"r&rs#rc@sFeZdZdZdZejejejdZ e ddde ddd gZ d d d Z d S) cmd_listallzList all GPOs.%prog [options] sambaopts versionoptscredopts-H--URL%LDB URL for database or target serverURLHhelptypemetavardestNc Cs||_|j|jdd|_t|j|j||_|t|jd}|D]}|j d|dd|j d|dd|j d|d d|j d |j |j d t |d d |j dt tt |dd|j dqFdS)NTZfallback_machineGPO : %s r[rdisplay name : %s r\path : %s r]dn : %s version : %s rZ0flags : %s r, ) get_loadparmrKget_credentialsrLrPrMrrlrVrrr8r'r.r?)rrrrrr#r|r"r"r&runs   zcmd_listall.run)NNNNrrr__doc__synopsisr/ SambaOptionsVersionOptionsCredentialsOptionstakes_optiongroupsrrr takes_optionsrr"r"r"r&rs rc@sLeZdZdZdZdgZejejej dZ e ddde dd d gZ dd d Zd S)cmd_listzList GPOs for an account.z&%prog [options] accountnamerrrrrrrNc Cst||_|j|jdd|_t|j|j||_|z0|jjdt |t |fd}|dj }Wnt yt d|Yn0z*|jj|t jdgdd}d |dv}Wnt yt d |Yn0ttB} |jdur|jd r| tO} tjj|j|j|| d } | j} g} d} t |jt|}|jj|t jd dgdd}d |vrtt|d d}|D]p}| s|dtj@sqp|dtj@rqpzVtjtj Btj!B}|jj|dt jgdd|gd}|ddd}t"tj#|}Wn.t y(|j$%d|dYqpYn0z"tj&|| tj'tj(Btj)BWn,t*yx|j$%d|j YqpYn0t+t,|ddd}|r|tj-@rqp|s|tj.@rqp| /|ddd|dddfqpt+t,|dd}|tj0@rd} ||j1krq$|}q2|r0d }nd}|j$%d||f| D]"}|j$%d|d|dfqLdS)NTrz?(&(|(samAccountName=%s)(samAccountName=%s$))(objectClass=User)))rcrzFailed to find account %s objectClass)rarbrdZcomputerz!Failed to find objectClass for %sZldap)Zlp_ctxr8session_info_flagsrm gPOptionsr/r8)r[r\r,rYr`)rarbrdrerYz8Failed to fetch gpo object with nTSecurityDescriptor %s zFailed access check on %s r,r\r[FuserzGPOs for %s %s z %s %s r6)2rrKrrLrPrMrrVrhrTrfr8rJrrgr r r<rsambaZauthZ user_sessionZsecurity_tokenrUrrparentrCr GPLINK_OPT_ENFORCEGPLINK_OPT_DISABLEr SECINFO_OWNER SECINFO_GROUP SECINFO_DACLr descriptorrrZ access_checkZSEC_STD_READ_CONTROLZ SEC_ADS_LISTZSEC_ADS_READ_PROPr=r?r'ZGPO_FLAG_MACHINE_DISABLEZGPO_FLAG_USER_DISABLEr>GPO_BLOCK_INHERITANCErR)rrrrrrr#Zuser_dnZ is_computerrZsessiontokenZgposinheritr8ZglistrArjZgmsg secdesc_ndrsecdescr,Z gpoptionsZmsg_strr"r"r&rs        *  z cmd_list.run)NNNN)rrrrr takes_argsr/rrrrrrrrrr"r"r"r&rsrc@sFeZdZdZdZejejejdZ dgZ e dde dgZ d d d ZdS) cmd_showzShow information for a GPO.%prog [options]rrWrrrrNc CsX||_|j|jdd|_t|j|j||_|zt|j|d}Wnt yht d|Yn0z$|dd}t t j |}|} Wnt yd} Yn0|jd|dd|jd |d d|jd |d d|jd |j|jdt|dd|jdttt|dd|jd| |jddS)NTrrGPO '%s' does not existrYzrr[rr\rr]rrrZrrr,zACL : %s r)rrKrrLrPrMrrlrVrJrr r ras_sddlrrr8r'r.r?) rrWrrrrr#rr Z secdesc_sddlr"r"r&rfs,        z cmd_show.run)NNNNrrrrrr/rrrrr rrrrrr"r"r"r&r Us r c@sFeZdZdZdZejejejdZ dgZ e dde dgZ d d d ZdS) cmd_getlinkzList GPO Links for a container.%prog [options]rryrrr Nc Cs<||_|j|jdd|_t|j|j||_|z |jj|t j ddgdd}Wnt ytt d|Yn0d|vr(|dr(|j d|tt|dd}|D]r}t|j|d d }|j d |dd d|j d |ddd|j dt|d|j dqn|j d|dS)NTrrormrprrqzGPO(s) linked to DN %s r8)r8z GPO : %s r[z Name : %s r\z Options : %s r/rzNo GPO(s) linked to DN=%s )rrKrrLrPrMrrVrhrTrgrJrrrrCrrrlr0) rryrrrrr#rGrAr"r"r&rs.   zcmd_getlink.run)NNNNrr"r"r"r&rs rc @sheZdZdZdZejejejdZ ddgZ e dde de d d d d d de ddd d ddgZ dddZdS) cmd_setlinkz(Add or update a GPO link to a container.$%prog [options]rryrWrrr z --disabledisabledF store_truezDisable policy)rr%actionrz --enforceenforcedzEnforce policyNc  Cs,||_|j|jdd|_t|j|j||_|d} |rH| tjO} |rV| tj O} zt |j |dd} Wnt yt d|Yn0tt|j |} z |j j|tjddgdd} Wnt yt d |Yn0d } d| vrbtt| dd} d} d }| D].}|d | kr | |d <d}q:q |rNt d |n| d| | dng} | | | dt| }t}t|j ||_| rt|tjd|d<nt|tjd|d<z|j |Wn0t y}zt d|WYd}~n d}~00|j dt!"|||||dS)NTrrrWrrormrprqFr8r/z)GPO '%s' already linked to this containerr7 new_valuezError adding GPO LinkzAdded/Updated GPO link )#rrKrrLrPrMrr rrrlrVrJrrrrXrhrTrgrCrsinsertr>rHrurUr8rvrw FLAG_MOD_ADDrxrrrr)rryrWrrrrrrZgplink_optionsr#r{Zexisting_gplinkrGrzrAr}r|rOr"r"r&rsd          zcmd_setlink.run)NFFNNNrr"r"r"r&rs$   rc@sHeZdZdZdZejejejdZ ddgZ e dde dgZ d d d Zd S) cmd_dellinkz!Delete GPO link from a container.rr containerrWrrr NcCs||_|j|jdd|_t|j|j||_|zt|j|ddWnt yjt d|Yn0t |j|}t |j|||jdt|||||dS)NTrrrrzDeleted GPO link. )rrKrrLrPrMrrlrVrJrrTrUr~rrrr)rrrWrrrrryr"r"r&rs   zcmd_dellink.run)NNNNrr"r"r"r&rs rc@sFeZdZdZdZejejejdZ dgZ e dde dgZ d d d ZdS) cmd_listcontainersz%List all linked containers for a GPO.r rrWrrr NcCs||_|j|jdd|_t|j|j||_|t|j|}t |rz|j d||D]}|j d|dq^n|j d|dS)NTrzContainer(s) using GPO %s z DN: %s r8zNo Containers using GPO %s ) rrKrrLrPrMrrnrVr;rr)rrWrrrrr#r|r"r"r&rFs  zcmd_listcontainers.run)NNNNrr"r"r"r&r5s rc@sFeZdZdZdZejejejdZ dgZ e dde dgZ d d d ZdS) cmd_getinheritancez%Get inheritance flag for a container.rrryrrr NcCs||_|j|jdd|_t|j|j||_|z |jj|t j ddgdd}Wnt ytt d|Yn0d}d|vrt |dd}|tjkr|jdn |jd dS) NTrrorrprrqz$Container has GPO_BLOCK_INHERITANCE zContainer has GPO_INHERIT )rrKrrLrPrMrrVrhrTrgrJrr?r rrr)rryrrrrr# inheritancer"r"r&rjs&    zcmd_getinheritance.run)NNNNrr"r"r"r&r Ys r c@sHeZdZdZdZejejejdZ ddgZ e dde dgZ d d d Zd S) cmd_setinheritancez$Set inheritance flag on a container.z.%prog [options]rry inherit_staterrr Nc CsF|dkrtj}n |dkr(tj}n td|||_|j|jdd|_t |j|j||_ | z |j j |tjddgdd }Wntytd |Yn0t} t|j || _d|vrtt|tjd| d <ntt|tjd| d <z|j | Wn4ty@} ztd || WYd} ~ n d} ~ 00dS) NblockrzUnknown inheritance state (%s)Trrorrprrqrz"Error setting inheritance state %s)rsr rZ GPO_INHERITrrrKrrLrPrMrrVrhrTrgrJrurUr8rvrrrwrrx) rryr#rrrrr!r#r|rOr"r"r&rs6      zcmd_setinheritance.run)NNNNrr"r"r"r&r"s r"c@sReZdZdZdZejejejdZ dgZ e dde de dd e dgZ d d d Zd S) cmd_fetchzDownload a GPO.r rrWrrr --tmpdir,Temporary directory for copying policy filesNc CsZ||_|j|jdd|_|r>|dr>|dd}||_n"t|j|j}t|j|j|d|_|zt |j |d}Wnt yt d|Yn0t |dd} zt| \} } } Wntyt d | Yn0t|| |j|jdd } |||\}}zt| | |Wn0t yD}zt d |WYd}~n d}~00|jd |dS) NTrrIrNrrr]Invalid GPO path (%s)rError copying GPO from DCGPO copied to %s )rrKrrLr<rMrrPrrlrVrJrrrrrrrrrr)rrWrrrrrrr#rdom_namer sharepathrrrOr"r"r&rs4      z cmd_fetch.run)NNNNNrr"r"r"r&r%s  r%c @szeZdZdZdZejejejdZ dgZ e dde de dd e de d d d d de ddde dgZ dddZeddZdS) cmd_backupz Backup a GPO.r rrWrrr r&r'z --generalizez"Generalize XML entities to restoreFrrr%r --entitiesz4File to export defining XML entities for the restoreent_file)rrrNc  Csp||_|j|jdd|_|r>|dr>|dd} ||_n"t|j|j} t|j|j| d|_|zt |j |d} Wnt yt d|Yn0t | dd} zt| \} } }Wntyt d | Yn0t| | |j|jd }|||\}}zt|||Wn0t yB}zt d |WYd}~n d}~00|jd ||r |jd t|j||}ddl}dddt||ddD}|rt|d}||Wdn1s0Y|jd|n|jd|j|dD]\}|| vrttj||dd"}|| |dWdn1s^0YqdS)NTrrIr(r)rrr]r*rKrLr+r,z( Attempting to generalize XML entities: r1css(|] }d|dd|dVqdS)zr6z&;rN)formatr9)rDZentr"r"r&rE;sz!cmd_backup.run..r6rwz$Entities successfully written to %s z Entities: r^r_ .SAMBAEXTr)rrKrrLr<rMrrPrrlrVrJrrrrrrrrrrr/generalize_xml_entitiesoperatorr*sorteditems itemgetterrrr)rrWrrZ generalizerrrr2rr#rr-rr.rrrOentitiesr9Zentsrextr"r"r&r s^          *   zcmd_backup.runc Csji}tj|st||g}|g}|rf|}|}t|}||D]} tj|| } tj|| } tj| r| | | | tj| st| qR| drHtj | dd} t | } zNt | d}|}Wdn1s0Yt|}| || |}Wn"tyD|d| Yn0qRtj| | sRt| | qRq&|S)Nrrz%SKIPPING: Generalizing failed for %s )rrexistsrrrrr*rr>endswithbasenamerrrET fromstringZgeneralize_xmlrrsamefileshutilcopy2)r sourcedir targetdirr=rrrrrrOrrto_parserltemprZ concrete_xmlZfound_entitiesr"r"r&r8Ms>           & z"cmd_backup.generalize_xml_entities)NNFNNNN)rrrrrr/rrrrr rrrrr staticmethodr8r"r"r"r&r/s*    Ar/c@sReZdZdZdZejejejdZ dgZ e dde de dd e dgZ d d d Zd S) cmd_createzCreate an empty GPO.z%prog [options]rrirrr r&r'Nc! Cs ||_|j|jdd|_t|j|jd}|rn|drn|dd}||_tjtj Btj B} |j || d} nBtjtj Btj B} |j |j d| d} | j }t|j|j|d |_|t|j|d } | jd krtd |tt} d | } | |_| j}d||| f}||| \|_}||_zJttj |dttj |dd}t!tj |dd"|Wn0t#y}ztd|WYd}~n d}~00t$|\}}}||_%t&|||j|jd}||_'|j(zt)|j| }t*+}||_,t*-dt*j.d|d<|j/|t*+}t*0|jdt||_,t*-dt*j.d|d<|j/|t*+}t*0|jdt||_,t*-dt*j.d|d<|j/|t1j2t1j3Bt1j4B}t|j| |dd } | dd }t5t1j6|7}t18|j9}t:||}t1j6;||}t<||t1j2t1j3Bt1j4Bt1j=B}|>|||t?|||t*+}||_,t*-|t*j@d|d<t*-|t*j@d |d!<t*-d"t*j@d#|d$<t*-d%t*j@d&|d'<t*-d"t*j@d(|d)<d*g} |jjA|| d+Wn t#y|jBYn 0|jC|jD"d,|| fdS)-NTr)rLrKrIr()Zaddressr,realm)Zdomainr,r))rirz%A GPO already existing with name '%s'z{%s}z\\%s\sysvol\%s\Policies\%sZMachineZUserz[General] Version=0 zGPT.INIr5zError Creating GPO filesr3ZgroupPolicyContainerrZa01 CN=User,%sr CN=Machine,%s)rWrjrYr\Za02r]Za03rrZZa052ZgpcFunctionalityVersionZa07r,Za04zpermissive_modify:0)rezGPO '%s' created as %s )ErrKrrLrr<rMrZNBT_SERVER_LDAPZ NBT_SERVER_DSZNBT_SERVER_WRITABLEZfinddcgetZ pdc_dns_namerPrrlrVcountrrruuidZuuid4uppergpo_nameZ dns_domainrrrrrrr*rrrJrr.rrtransaction_startrXrTrur8rvraddrUr rrrr rrdom_sidget_domain_sidrZ from_sddlrZSECINFO_PROTECTED_DACLZset_aclrrwrxtransaction_canceltransaction_commitr)!rrirrrrrZnetrr,Z cldap_retr#ZguidrWrOunc_pathrZ gpt_contentsrOr-rr.rr{r|Z ds_sd_flags ds_sd_ndrds_sd domain_sidZsddlfs_sdZsiorer"r"r&rs                   zcmd_create.run)NNNNNrr"r"r"r&rNs  rNc seZdZdZdZejejejdZ ddgZ e dde de d d e de d d e de d ddddgZ dddZdfdd ZZS) cmd_restorez!Restore a GPO to a new container.z/%prog [options]rribackuprrr r&r'r1z8File defining XML entities to insert into DOCTYPE headerz--restore-metadataz7Keep the old GPT.INI file and associated version numberFrr0r1c Cs"d}tj|st||g}|g}|r|}|}t|} | | D]} tj|| } tj|| } tj| r| | | | tj| st| qR| drRtj | dd} t | }zt | dx}|}d}||r"|t|d}|t|||n|t|||| ddWdn1s^0YWqRty| dd|}t|| dd|jd| |jdYqRddl}|| dd|}t|| dd|jd | |jdYqR0qRq&dS) Nrrr?r@z&zWARNING: No such parser for %s z.WARNING: Falling back to simple copy-restore. rz%WARNING: Error during parsing for %s )rrrArrrrr*rr>rBrCrrrr<r;Zload_xmlrDrEZ write_binaryrrGrHrr traceback print_exc)rrIrJ dtd_headerrrrrrrrOrrrKrrLrZxml_headZ original_filerer"r"r& restore_from_backup_to_local_dir&sT            6z,cmd_restore.restore_from_backup_to_local_dirNc  sd} tj|std||durd} tj|s@td|t|dB} | } tjd| tjddurrtd| | 7} Wdn1s0Y| d 7} t t | ||||||z| ||j| | } t|j|j|jd | d t|j|j}d D]}tj||d }tj|rt|d}|}Wdn1sN0Yt}||_t|tj|||<|j|qWn|ty}zbddl}||j t!|d|j dt"}| |j||||td|WYd}~n d}~00dS)Nr1z"Backup directory does not exist %sz)+\s*\ZrzPEntities file does not appear to conform to format e.g. z ]> T)rrr6r7rrrz%Failed to restore GPO -- deleting... zFailed to restore: %s)#rrrArrrrr MULTILINEr9superrcrrhrrrr.rXrVrWr*rTrur8rvrwrxrJrerfrrrrcmd_del)rrirdrrr=rrrZrestore_metadatargZ entities_fileZentities_contentZkeep_new_filesr{r>Zext_filerrr|rOrecmd __class__r"r&rjsh    *   (  zcmd_restore.run)r1)NNNNNNN)rrrrrr/rrrrr rrrrrhr __classcell__r"r"rmr&rcs$    Drcc@sFeZdZdZdZejejejdZ dgZ e dde dgZ d d d ZdS) rkz Delete a GPO.r rrWrrr NcCs||_|j|jdd|_|r>|dr>|dd}||_n"t|j|j}t|j|j|d|_|z&t |j |dd}t |dd}Wnt yt d |Yn0t|\} } } t|| |j|jd } |j zt|j |}t|r4|jd ||D],} t|j | d ||jd | d qt|j |}|j t|j dt ||j t|j dt ||j || | Wn t y|j Yn 0|j |jd|dS)NTrrIr(r)rrr]rr3zGPO %s is linked to containers r8z Removed link from %s. rPrQzGPO %s deleted. )rrKrrLr<rMrrPrrlrVrrrJrrrrXrnr;rrr~rXdeleterTrUZdeltreer\r])rrWrrrrrr#r^r-rr.rr|r{r"r"r&rsF           z cmd_del.run)NNNNrr"r"r"r&rks rkc@sFeZdZdZdZejejejdZ e ddde ddd gZ d d d Z d S) cmd_aclcheckz.Check all GPOs have matching LDAP and DS ACLs.rrrrrrrrNc Csv||_|j|jdd|_t|j|j||_|rP|drP|dd}||_n"t|j|j}t|j|j|d|_|t |j d}|D]}t |dd}zt |\} } } Wnt ytd|Yn0t|| |j|jd } | | tjtjBtjBtj} d |vrtd |d d}ttj|}t|j }t||}| ||krtd | || |fqdS) NTrrIr(r)r]rr*r3rYzKCould not read nTSecurityDescriptor. This requires an Administrator accountz-Invalid GPO ACL %s on path (%s), should be %s)rrKrrLrPrMr<rrrlrVrrrrrrZget_aclr rrrZSEC_FLAG_MAXIMUM_ALLOWEDr rrrZr[r)rrrrrrr#r|rr-rr.rrbr_r`raZexpected_fs_sddlr"r"r&rs8        zcmd_aclcheck.run)NNNNrr"r"r"r&rqs rqc @sbeZdZdZdZejejejdZ e ddde ddd e d d e e j ed d gZdddZdS) cmd_admxloadz Loads samba admx files to sysvolrrrrrrrrz --admx-dirz)Directory where admx templates are storedz samba/admx)rrr%Nc Cs8||_|j|jdd|_|r>|dr>|dd}||_n"t|j|j}t|j|j|d|_t|d|j|jdd}d |j d  d d g}z| |WnLt y} z4| jd d krtdn| jd dkr؂WYd} ~ n d} ~ 00t|D]8\} } } | D]&} | |d}tj | | }d ||gdd}d || g}z| |WnRt y} z8| jd d krtdn| jd dkrWYd} ~ n d} ~ 00t|dd}z|||Wn>t y } z$| jd d krtdWYd} ~ n d} ~ 00Wdn1s$0YqqdS)NTrrIr(r)ZsysvolrrrOZPoliciesZPolicyDefinitionsrl"z:The authenticated user does not have sufficient privilegesl5r1rr)rrKrrLr<rMrrPrr*rSrsrrargsrrwalkrrrrr)rrrrrZadmx_dirrrZsmb_dirrOdirnamedirsfilesfnameZ path_in_admx full_pathZsub_dirZsmb_pathrr"r"r&rOsT       zcmd_admxload.run)NNNNN)rrrrrr/rrrrrrrrrr*rZdata_dirrrr"r"r"r&rr=s  rrc@seZdZdZiZeed<eed<eed<eed<e ed<e ed<e ed<e ed <e ed <eed <eed <eed <eed<eed<eed<eed<dS)cmd_gpoz%Group Policy Object (GPO) management.ZlistallrZshowZgetlinkZsetlinkZdellinkZlistcontainersZgetinheritanceZsetinheritanceZfetchZcreatedelZaclcheckrdZrestoreZadmxloadN)rrrrZ subcommandsrrr rrrrr r"r%rNrkrqr/rcrrr"r"r"r&rzs$               rz)NN)FF)F)nZ __future__rrZ samba.getoptZgetoptr/rTrZxml.etree.ElementTreeZetreeZ ElementTreerDrGrZ samba.authrZ samba.netcmdrrrrZ samba.samdbrrr Z samba.dcerpcr Z samba.ndrr Zsamba.securityr r rZsamba.netcmd.commonrrZ samba.samba3rrrrrrUZ samba.ntaclsrrZ samba.netrZsamba.gp_parserrrZsamba.gp_parse.gp_polrZsamba.gp_parse.gp_inirrrrZsamba.gp_parse.gp_csvrZsamba.gp_parse.gp_infr Zsamba.gp_parse.gp_aasr!r'r.r0rCrHrPrXrrrZ SECINFO_SACLrlrnr~r IGNORECASErrFILE_ATTRIBUTE_SYSTEMrFILE_ATTRIBUTE_ARCHIVEFILE_ATTRIBUTE_HIDDENrrrrrrrrr rrrrr r"r%r/rNrcrkrqrrrzr"r"r"r&s                         . & % .%u0/Z'$,6; $J?G