search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
scripting ntacls: Do not place a SACL in the GPO filesystem ACL
[Samba/bb.git] / source4 / scripting / bin / get-descriptors
blob73295b0c3834e869d5e2db95f0e07cfe3ce0ea22
1 #!/usr/bin/env python
2 #
3 # Unix SMB/CIFS implementation.
4 # A script to compare differences of security descriotors between
5 # a remote host and the local Ldb
6 # Needs the local domain, the remote domain, IP of the remote host
7 # Username and password for the remote domain, must be at least
8 # Domain Administrator
9 #
10 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
11 # Copyright (C) Nadezhda Ivanova <nadezhda.ivanova@postpath.com> 2009
12 #
13 # Based on the original in EJS:
14 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
15 #
16 # This program is free software; you can redistribute it and/or modify
17 # it under the terms of the GNU General Public License as published by
18 # the Free Software Foundation; either version 3 of the License, or
19 # (at your option) any later version.
20 #
21 # This program is distributed in the hope that it will be useful,
22 # but WITHOUT ANY WARRANTY; without even the implied warranty of
23 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 # GNU General Public License for more details.
25 #
26 # You should have received a copy of the GNU General Public License
27 # along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #
29
30 import optparse
31 import sys
32 import base64
33
34 sys.path.insert(0, "bin/python")
35
36 import samba
37 from samba.auth import system_session
38 import samba.getopt as options
39 from samba.ndr import ndr_pack, ndr_unpack
40 from samba.dcerpc import security
41 from samba import Ldb
42 from samba.samdb import SamDB
43 from ldb import SCOPE_SUBTREE, SCOPE_BASE
44
45 parser = optparse.OptionParser("get-descriptor [options]")
46 sambaopts = options.SambaOptions(parser)
47 credopts = options.CredentialsOptions(parser)
48 parser.add_option_group(credopts)
49
50 parser.add_option("--local-domain", type="string", metavar="LOCALDOMAIN",
51 help="set local domain")
52 parser.add_option("--remote-domain", type="string", metavar="REMOTEDOMAIN",
53 help="set remote domain")
54 parser.add_option("--host", type="string", metavar="HOST",
55 help="Ip of the remote host used for comparison")
56 parser.add_option("--as-ldif", help="Output in LDIF format", action="store_true")
57
58 lp = sambaopts.get_loadparm()
59 creds = credopts.get_credentials(lp)
60
61 opts = parser.parse_args()[0]
62
63 class DescrGetter:
64
65 def __init__(self, localdomain, remotedomain):
66 self.samdb = SamDB(session_info=system_session(), lp=lp, options=["modules:paged_searches"])
67 self.remote_ldb= Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp,
68 options=["modules:paged_searches"])
69 self.local_domain = localdomain.replace(".", ",DC=")
70 self.local_domain = "DC=" + self.local_domain
71 self.remote_domain = remotedomain.replace(".", ",DC=")
72 self.remote_domain = "DC=" + self.remote_domain
73 self.local_map = {}
74 self.remote_map = {}
75
76 def get_domain_local_sid(self):
77 res = self.samdb.search(base=self.local_domain,expression="(objectClass=*)", scope=SCOPE_BASE)
78 self.local_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
79
80 def get_domain_remote_sid(self):
81 res = self.remote_ldb.search(base=self.remote_domain, expression="(objectClass=*)", scope=SCOPE_BASE)
82 self.remote_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
83
84 def add_to_ldif(self, dn, descr):
85 ldif_entry = ["dn: " + dn,
86 "changetype: modify",
87 "replace: nTSecurityDescriptor",
88 "nTSecurityDescriptor:: " + base64.b64encode(ndr_pack(descr))]
89
90 for line in ldif_entry:
91 length = 79
92 if len(line) <= length + 1:
93 print line
94 else:
95 for i in range(len(line) / length + 1):
96 if i == 0:
97 l = line[i * length:((i + 1) * length)]
98 else:
99 l = " " + line[(i * length):((i + 1) * length)]
100 print l
101 print "\n"
102
103 def write_as_sddl(self, dn, descr):
104 print dn
105 print descr + "\n"
106
107 def read_descr_by_base(self, search_base):
108 res = self.samdb.search(base=search_base + self.local_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
109 for entry in res:
110 dn = entry["dn"].__str__().replace(self.local_domain, "")
111
112 if "nTSecurityDescriptor" in entry:
113 desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
114 self.local_map[dn] = desc_obj
115
116 res = self.remote_ldb.search(base=search_base + self.remote_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
117 for entry in res:
118 dn = entry["dn"].__str__().replace(self.remote_domain, "")
119
120 if "nTSecurityDescriptor" in entry:
121 desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
122 self.remote_map[dn] = desc_obj
123
124 def read_desc(self):
125 self.read_descr_by_base("CN=Schema,CN=Configuration,")
126 self.read_descr_by_base("CN=Configuration,")
127 self.read_descr_by_base("")
128
129 def write_desc_to_ldif(self):
130 key_list_local = self.local_map.keys()
131 key_list_remote = self.remote_map.keys()
132 for key in key_list_remote:
133 if key in key_list_local:
134 sddl = self.remote_map[key].as_sddl(self.remote_sid)
135 sddl_local = self.local_map[key].as_sddl(self.local_sid)
136 if sddl != sddl_local:
137 descr = security.descriptor.from_sddl(sddl, self.local_sid)
138 if opts.as_ldif:
139 self.add_to_ldif(key + self.local_domain, descr)
140 else:
141 self.write_as_sddl(key, descr.as_sddl(self.local_sid))
142
143 def run(self):
144 self.get_domain_local_sid()
145 self.get_domain_remote_sid()
146 self.read_desc()
147 self.write_desc_to_ldif()
148
149 desc = DescrGetter(opts.local_domain, opts.remote_domain)
150 desc.run()