| blob | 33c9001cb6d0e86778507d64ea34069cb9a57da0 |
1 # Reads important GPO parameters and updates Samba
2 # Copyright (C) Luke Morrison <luc785@.hotmail.com> 2013
3 #
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation; either version 3 of the License, or
7 # (at your option) any later version.
8 #
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
13 #
14 # You should have received a copy of the GNU General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 import sys
19 import os
20 import tdb
27 import re
39 ''' Log settings overwritten by gpo apply
40 The gp_log is an xml file that stores a history of gpo changes (and the
41 original setting value).
43 The log is organized like so:
45 <gp>
46 <user name="KDC-1$">
47 <applylog>
48 <guid count="0" value="{31B2F340-016D-11D2-945F-00C04FB984F9}" />
49 </applylog>
50 <guid value="{31B2F340-016D-11D2-945F-00C04FB984F9}">
51 <gp_ext name="System Access">
52 <attribute name="minPwdAge">-864000000000</attribute>
53 <attribute name="maxPwdAge">-36288000000000</attribute>
54 <attribute name="minPwdLength">7</attribute>
55 <attribute name="pwdProperties">1</attribute>
56 </gp_ext>
57 <gp_ext name="Kerberos Policy">
58 <attribute name="ticket_lifetime">1d</attribute>
59 <attribute name="renew_lifetime" />
60 <attribute name="clockskew">300</attribute>
61 </gp_ext>
62 </guid>
63 </user>
64 </gp>
66 Each guid value contains a list of extensions, which contain a list of
67 attributes. The guid value represents a GPO. The attributes are the values
68 of those settings prior to the application of the GPO.
69 The list of guids is enclosed within a user name, which represents the user
70 the settings were applied to. This user may be the samaccountname of the
71 local computer, which implies that these are machine policies.
72 The applylog keeps track of the order in which the GPOs were applied, so
73 that they can be rolled back in reverse, returning the machine to the state
74 prior to policy application.
75 '''
77 ''' Initialize the gp_log
78 param user - the username (or machine name) that policies are
79 being applied to
80 param gpostore - the GPOStorage obj which references the tdb which
81 contains gp_logs
82 param db_log - (optional) a string to initialize the gp_log
83 '''
98 ''' Policy application state
99 param value - APPLY, ENFORCE, or UNAPPLY
101 The behavior of the gp_log depends on whether we are applying policy,
102 enforcing policy, or unapplying policy. During an apply, old settings
103 are recorded in the log. During an enforce, settings are being applied
104 but the gp_log does not change. During an unapply, additions to the log
105 should be ignored (since function calls to apply settings are actually
106 reverting policy), but removals from the log are allowed.
107 '''
108 # If we're enforcing, but we've unapplied, apply instead
120 ''' Log to a different GPO guid
121 param guid - guid value of the GPO from which we're applying
122 policy
123 '''
139 ''' Pop a GPO guid from the applylog
140 return - last applied GPO guid
142 Removes the GPO guid last added to the list, which is the most recently
143 applied GPO.
144 '''
154 return None
157 ''' Store an attribute in the gp_log
158 param gp_ext_name - Name of the extension applying policy
159 param attribute - The attribute being modified
160 param old_val - The value of the attribute prior to policy
161 application
162 '''
164 return None
179 ''' Retrieve a stored attribute from the gp_log
180 param gp_ext_name - Name of the extension which applied policy
181 param attribute - The attribute being retrieved
182 return - The value of the attribute prior to policy
183 application
184 '''
193 return None
196 ''' Return a list of attributes, their previous values, and functions
197 to set them
198 param gp_extensions - list of extension objects, for retrieving attr to
199 func mappings
200 return - list of (attr, value, apply_func) tuples for
201 unapplying policy
202 '''
206 ret = []
207 data_maps = {}
224 break
226 return ret
229 ''' Remove an attribute from the gp_log
230 param gp_ext_name - name of extension from which to remove the
231 attribute
232 param attribute - attribute to remove
233 '''
246 ''' Write gp_log changes to disk '''
263 return None
287 __metaclass__ = ABCMeta
289 @abstractmethod
291 pass
293 @abstractmethod
295 pass
297 @abstractmethod
299 pass
301 @abstractmethod
303 pass
306 __metaclass__ = ABCMeta
323 @abstractmethod
325 pass
327 @abstractmethod
329 pass
355 }
361 '''This class takes the .inf file parameter (essentially a GPO file mapped
362 to a GUID), hashmaps it to the Samba parameter, which then uses an ldb
363 object to update the parameter to Samba4. Not registry oriented whatsoever.
364 '''
405 '''ldap value : samba setter'''
408 # Could be none, but I like the method assignment in
409 # update_samba
413 }
420 '''This class does the following two things:
421 1) Identifies the GPO if it has a certain kind of filepath,
422 2) Finally parses it.
423 '''
445 inf_to_ldb),
447 inf_to_ldb),
449 inf_to_ldb),
451 inf_to_ldb),
452 },
455 inf_to_kdc_tdb
456 ),
459 inf_to_kdc_tdb
460 ),
463 inf_to_kdc_tdb
464 ),
465 }
466 }
475 # So here we would declare a boolean,
476 # that would get changed to TRUE.
477 #
478 # If at any point in time a GPO was applied,
479 # then we return that boolean at the end.
491 continue
500 return ret
507 # Fixing the bug where only some Linux Boxes capitalize MACHINE
519 continue
524 return None