a Wa@@s8ddlmZddlmZddlmZmZddlm Z m Z m Z ddl m Z ddlmZmZddlmZddlmZmZmZdd l mZdd lmZddlZdd lmZdd lmZm Z m!Z!m"Z"d dZ#GdddeZ$GdddeZ%GdddeZ&GdddeZ'GdddeZ(GdddeZ)Gddde!Z*dS))DONT_USE_KERBEROSN)securityidmap)setntaclgetntacl getdosinfo)Ldb) ndr_unpack ndr_print)SamDB)parampassdbsmbd) provision)system_session_unix)system_session)Command CommandError SuperCommandOptionc Csd}|}|dkrd}t}||j|rztt|d}Wn.typ}ztd|WYd}~n d}~00| dd|j z|rt |j }nt}WntdYn0|S) NFZROLE_ACTIVE_DIRECTORY_DCTZ session_infolpUnable to open samdb:passdb backend samba_dsdb:%sz2Unable to read domain SID from configuration files) server_roles3param get_contextload configfiler r Exceptionrseturlrdom_sid domain_sidr Zget_domain_sid)rZis_ad_dcrs3confsamdber$r(4/usr/lib/python3/dist-packages/samba/netcmd/ntacl.pyget_local_domain_sid(s*    r*c @seZdZdZdZejejejdZ e ddddde d d d d d gde dddde dddde dddde ddddgZ ddgZ dddZ dS) cmd_ntacl_setzSet ACLs on a file.z%prog [options] sambaoptscredopts versionoptsz-qz--quietzBe quiet store_truehelpaction--xattr-backendchoice%xattr backend type (native fs or tdb)nativetdbtyper2choices --eadb-file0Name of the tdb file where attributes are storedstringr2r: --use-ntvfsLSet the ACLs directly to the TDB or xattr for use with the ntvfs file server --use-s3fsHSet the ACLs for use with the default s3fs file server via the VFS layer --servicez:Name of the smb.conf service to use when applying the ACLsaclfileFNc  Csj|} | } t| }|s0|s0d| dv}n|r8d}t| ||t|t|||| d |rf| ddS)Nsmbserver servicesF use_ntvfsservicePPlease note that POSIX permissions have NOT been changed, only the stored NT ACL) get_logger get_loadparmr*getrstrrwarning)selfrErFrJuse_s3fsquiet xattr_backend eadb_filer.r-r/rKloggerrr$r(r(r)run]s& zcmd_ntacl_set.run) FFFNNNNNN__name__ __module__ __qualname____doc__synopsisoptions SambaOptionsCredentialsOptionsVersionOptionstakes_optiongroupsr takes_options takes_argsrXr(r(r(r)r+Fs*     r+c@s6eZdZdZdZejejejdZ dgZ dddZ dS) cmd_dosinfo_getz"Get DOS info of a file from xattr.%prog [options]r,rFNcCs>|}t}||jt||}|r:|jt|dS)N) rNrrrrroutfwriter )rRrFr.r-r/rr%Zdosinfor(r(r)rXs   zcmd_dosinfo_get.run)NNN) rZr[r\r]r^r_r`rarbrcrerXr(r(r(r)rfxsrfc @seZdZdZdZejejejdZ e dddde dd d d d gd e dddde dddde dddde ddddgZ dgZ dddZ dS) cmd_ntacl_getzGet ACLs of a file.rgr,z --as-sddlzOutput ACL in the SDDL formatr0r1r4r5r6r7r8r9r<r=r>r?r@zKGet the ACLs directly from the TDB or xattr used with the ntvfs file serverrBzKGet the ACLs for use via the VFS layer used by the default s3fs file serverrDz9Name of the smb.conf service to use when getting the ACLsrFFNc  Csx|} t| } |s(|s(d| dv}n|r0d}t| |t|||| d} |rd|j| | dn|jt| dS)NrGrHFZdirect_db_accessrK ) rNr*rOrrrhrias_sddlr )rRrFrJrSrmrUrVr.r-r/rKrr$rEr(r(r)rXs"zcmd_ntacl_get.run) FFFNNNNNNrYr(r(r(r)rjs*      rjc @seZdZdZdZdejiZeddddedd d d ed d d d eddddedddddgdedddd d eddd d edddd d gZ gdZ d#d!d"Z d S)$cmd_ntacl_changedomsidzChange the domain SID for ACLsz9%prog [options]r-rDz#Name of the smb.conf service to user>r?r@rAr0r1rBrCr<r=r4r5r6r7r8r9z-rz --recursivez;Set the ACLs for directories and their contents recursivelyz--follow-symlinkszFollow symlinksz-vz --verbosez Be verbose)old_domain_sidnew_domain_sidrFFNc  s4} | t s0|s0ddv n|r8d sHsHtdzt|Wn4ty}ztd||fWYd}~n d}~00zt|Wn4ty}ztd||fWYd}~n d}~00 f ddfdd }|| r tj |r || r0| d dS) NrGrHFz0Must provide a share name with --service=zCould not parse old sid %s: %sc srjd|zt|t d}Wn4tyd}ztd||fWYd}~n d}~00|}rjd|fdd}||j|_||j|_|j r|j j D]}||j |_ q|j r|j j D]}||j |_ q|}r jd|||kr*r&jdd Sz t ||t d Wn6ty}ztd ||fWYd}~n d}~00dS) Nz file: %s rkzCould not get acl for %s: %sz before: %s cs*|\}}|kr&td|fS|S)Nz%s-%i)splitrr#)ZsidZdomZrid)rpror(r)replace_domain_sid(s zNcmd_ntacl_changedomsid.run..changedom_sids..replace_domain_sidz after: %s znothing to do TrIzCould not set acl for %s: %s)rhrirrr rrmZ owner_sidZ group_sidZsaclZacesZtrusteeZdaclr)rFrEr'Z orig_sddlrrZaceZnew_sddl) r$rVrrprorRrKrJverboserUr(r)changedom_sidssZ &         z2cmd_ntacl_changedomsid.run..changedom_sidscsVtj|dD]B\}}}|D]}tj||q|D]}tj||q8qdS)N) followlinks)oswalkpathjoin)rFrootdirsfilesfd)rtfollow_symlinksr(r)recursive_changedom_sidsNs z.recursive_changedom_sidszQPlease note that POSIX permissions have NOT been changed, only the stored NT ACL.) rMrNr*rOrrr#r rvrxisdirrQ)rRZold_domain_sid_strZnew_domain_sid_strrFrJrSrKrUrVr- recursiverrsrWr'rr() rtr$rVrrrprorRrKrJrsrUr)rXs< 9zcmd_ntacl_changedomsid.run) FFNNNNFFF) rZr[r\r]r^r_r`rcrrdrerXr(r(r(r)rnsv(rnc@sLeZdZdZdZejejejdZ e dddde dd ddgZ dd d Z d S)cmd_ntacl_sysvolresetz?Reset sysvol ACLs to defaults (including correct ACLs on GPOs).rgr,r@z/Set the ACLs for use with the ntvfs file serverr0r1rBz6Set the ACLs for use with the default s3fs file serverFNc Cs|}||}|t|}|dd} |dd} ztt|d} Wn.ty|} zt d| WYd} ~ n d} ~ 00|s|sd|dv}n|rd}t | j } t }||j|d d | jt t| d tt j}t t j}t|d }||\}}|tjkr:|tjkr:t d |||\}}|tjkrl|tjkrlt d ||r||dtj| | | ||| |d | !||d dS)NrxnetlogonsysvolrrrGrHFrr-zSID %s is not mapped to a UIDzSID %s is not mapped to a GIDrLrealm)rJ)"rNget_credentialsset_kerberos_staterrMrOr rr rrr#r$rrrrr!r"rPZDOMAIN_RID_ADMINISTRATORZSID_BUILTIN_ADMINISTRATORSr ZPDBZ sid_to_idrZ ID_TYPE_UIDZ ID_TYPE_BOTHZ ID_TYPE_GIDrQrZ setsysvolacllower domain_dn)rRrJrSr.r-r/rcredsrWrrr&r'r$r%ZLA_sidZBA_sidZ s4_passdbZLA_uidZLA_typeZBA_gidZBA_typer(r(r)rXnsP              zcmd_ntacl_sysvolreset.run)FFNNN) rZr[r\r]r^r_r`rarbrcrrdrXr(r(r(r)r_s  rc@s0eZdZdZdZejejejdZ dddZ dS)cmd_ntacl_sysvolcheckzBCheck sysvol ACLs match defaults (including correct ACLs on GPOs).rgr,Nc Cs|}||}|t|}|dd}|dd}ztt|d} Wn.ty|} zt d| WYd} ~ n d} ~ 00t | j } t | ||| |d| |dS)Nrxrrrrr)rNrrrrMrOr rr rrr#r$rZchecksysvolaclrr) rRr.r-r/rrrWrrr&r'r$r(r(r)rXs        zcmd_ntacl_sysvolcheck.run)NNN) rZr[r\r]r^r_r`rarbrcrXr(r(r(r)rsrc@sPeZdZdZiZeed<eed<eed<eed<e ed<e ed<dS) cmd_ntaclzNT ACLs manipulation.r!rOZ changedomsidZ sysvolresetZ sysvolcheckrN) rZr[r\r]Z subcommandsr+rjrnrrrfr(r(r(r)rs     r)+Zsamba.credentialsrZ samba.getoptZgetoptr_Z samba.dcerpcrrZ samba.ntaclsrrrZsambarZ samba.ndrr r Z samba.samdbr Z samba.samba3r rr rrZsamba.auth_utilrrvZ samba.authrZ samba.netcmdrrrrr*r+rfrjrnrrrr(r(r(r)s*       2/#C