3 # Unix SMB/CIFS implementation.
4 # A script to compare differences of security descriotors between
5 # a remote host and the local Ldb
6 # Needs the local domain, the remote domain, IP of the remote host
7 # Username and password for the remote domain, must be at least
10 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
11 # Copyright (C) Nadezhda Ivanova <nadezhda.ivanova@postpath.com> 2009
13 # Based on the original in EJS:
14 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
16 # This program is free software; you can redistribute it and/or modify
17 # it under the terms of the GNU General Public License as published by
18 # the Free Software Foundation; either version 3 of the License, or
19 # (at your option) any later version.
21 # This program is distributed in the hope that it will be useful,
22 # but WITHOUT ANY WARRANTY; without even the implied warranty of
23 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 # GNU General Public License for more details.
26 # You should have received a copy of the GNU General Public License
27 # along with this program. If not, see <http://www.gnu.org/licenses/>.
37 sys
.path
.insert(0, "bin/python")
40 from samba
.auth
import system_session
41 import samba
.getopt
as options
42 from samba
import param
43 from samba
.ndr
import ndr_pack
, ndr_unpack
44 from samba
.dcerpc
import security
46 from samba
.samdb
import SamDB
47 from ldb
import SCOPE_SUBTREE
, SCOPE_ONELEVEL
, SCOPE_BASE
, LdbError
49 parser
= optparse
.OptionParser("get-descriptor [options]")
50 sambaopts
= options
.SambaOptions(parser
)
51 credopts
= options
.CredentialsOptions(parser
)
52 parser
.add_option_group(credopts
)
54 parser
.add_option("--local-domain", type="string", metavar
="LOCALDOMAIN",
55 help="set local domain")
56 parser
.add_option("--remote-domain", type="string", metavar
="REMOTEDOMAIN",
57 help="set remote domain")
58 parser
.add_option("--host", type="string", metavar
="HOST",
59 help="Ip of the remote host used for comparison")
60 parser
.add_option("--as-ldif", help="Output in LDIF format", action
="store_true")
62 lp
= sambaopts
.get_loadparm()
63 creds
= credopts
.get_credentials(lp
)
65 opts
= parser
.parse_args()[0]
68 def __init__(self
, localdomain
, remotedomain
):
69 self
.samdb
= SamDB(session_info
=system_session(), lp
=lp
, options
=["modules:paged_searches"])
70 self
.remote_ldb
= Ldb("ldap://" + opts
.host
+ ":389", credentials
=creds
, lp
=lp
,
71 options
=["modules:paged_searches"])
72 self
.local_domain
= localdomain
.replace(".", ",DC=")
73 self
.local_domain
= "DC=" + self
.local_domain
74 self
.remote_domain
= remotedomain
.replace(".", ",DC=")
75 self
.remote_domain
= "DC=" + self
.remote_domain
79 def get_domain_local_sid(self
):
80 res
= self
.samdb
.search(base
=self
.local_domain
,expression
="(objectClass=*)", scope
=SCOPE_BASE
)
81 self
.local_sid
= ndr_unpack( security
.dom_sid
,res
[0]["objectSid"][0])
83 def get_domain_remote_sid(self
):
84 res
= self
.remote_ldb
.search(base
=self
.remote_domain
, expression
="(objectClass=*)", scope
=SCOPE_BASE
)
85 self
.remote_sid
= ndr_unpack( security
.dom_sid
,res
[0]["objectSid"][0])
87 def add_to_ldif(self
, dn
, descr
):
88 ldif_entry
= ["dn: " + dn
,
90 "replace: nTSecurityDescriptor",
91 "nTSecurityDescriptor:: " + base64
.b64encode(ndr_pack(descr
))]
93 for line
in ldif_entry
:
95 if len(line
) <= length
+ 1:
98 for i
in range(len(line
) / length
+ 1):
100 l
= line
[i
* length
:((i
+ 1) * length
)]
102 l
= " " + line
[(i
* length
):((i
+ 1) * length
)]
106 def write_as_sddl(self
, dn
, descr
):
110 def read_descr_by_base(self
, search_base
):
111 res
= self
.samdb
.search(base
=search_base
+ self
.local_domain
, expression
="(objectClass=*)", scope
=SCOPE_SUBTREE
, attrs
=["nTSecurityDescriptor"])
113 dn
= entry
["dn"].__str
__().replace(self
.local_domain
, "")
115 if "nTSecurityDescriptor" in entry
:
116 desc_obj
= ndr_unpack(security
.descriptor
, entry
["nTSecurityDescriptor"][0])
117 self
.local_map
[dn
] = desc_obj
119 res
= self
.remote_ldb
.search(base
=search_base
+ self
.remote_domain
, expression
="(objectClass=*)", scope
=SCOPE_SUBTREE
, attrs
=["nTSecurityDescriptor"])
121 dn
= entry
["dn"].__str
__().replace(self
.remote_domain
, "")
123 if "nTSecurityDescriptor" in entry
:
124 desc_obj
= ndr_unpack(security
.descriptor
, entry
["nTSecurityDescriptor"][0])
125 self
.remote_map
[dn
] = desc_obj
128 self
.read_descr_by_base("CN=Schema,CN=Configuration,")
129 self
.read_descr_by_base("CN=Configuration,")
130 self
.read_descr_by_base("")
132 def write_desc_to_ldif(self
):
133 key_list_local
= self
.local_map
.keys()
134 key_list_remote
= self
.remote_map
.keys()
135 for key
in key_list_remote
:
136 if key
in key_list_local
:
137 sddl
= self
.remote_map
[key
].as_sddl(self
.remote_sid
)
138 sddl_local
= self
.local_map
[key
].as_sddl(self
.local_sid
)
139 if sddl
!= sddl_local
:
140 descr
= security
.descriptor
.from_sddl(sddl
, self
.local_sid
)
142 self
.add_to_ldif(key
+ self
.local_domain
, descr
)
144 self
.write_as_sddl(key
, descr
.as_sddl(self
.local_sid
))
147 self
.get_domain_local_sid()
148 self
.get_domain_remote_sid()
150 self
.write_desc_to_ldif()
152 desc
= DescrGetter(opts
.local_domain
, opts
.remote_domain
)