3 # Manipulate ACLs on directory objects
5 # Copyright (C) Nadezhda Ivanova <nivanova@samba.org> 2010
7 # This program is free software; you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with this program. If not, see <http://www.gnu.org/licenses/>.
21 import samba
.getopt
as options
22 from samba
.dcerpc
import security
23 from samba
.samdb
import SamDB
24 from samba
.ndr
import ndr_unpack
, ndr_pack
25 from samba
.dcerpc
.security
import (
26 GUID_DRS_ALLOCATE_RIDS
, GUID_DRS_CHANGE_DOMAIN_MASTER
,
27 GUID_DRS_CHANGE_INFR_MASTER
, GUID_DRS_CHANGE_PDC
,
28 GUID_DRS_CHANGE_RID_MASTER
, GUID_DRS_CHANGE_SCHEMA_MASTER
,
29 GUID_DRS_GET_CHANGES
, GUID_DRS_GET_ALL_CHANGES
,
30 GUID_DRS_GET_FILTERED_ATTRIBUTES
, GUID_DRS_MANAGE_TOPOLOGY
,
31 GUID_DRS_MONITOR_TOPOLOGY
, GUID_DRS_REPL_SYNCRONIZE
,
32 GUID_DRS_RO_REPL_SECRET_SYNC
)
36 from ldb
import SCOPE_BASE
39 from samba
.auth
import system_session
40 from samba
.netcmd
import (
47 class cmd_ds_acl_set(Command
):
48 """Modify access list on a directory object"""
50 synopsis
= "set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn"
51 car_help
= """ The access control right to allow or deny """
53 takes_optiongroups
= {
54 "sambaopts": options
.SambaOptions
,
55 "credopts": options
.CredentialsOptions
,
56 "versionopts": options
.VersionOptions
,
60 Option("--host", help="LDB URL for database or target server",
62 Option("--car", type="choice", choices
=["change-rid",
64 "change-infrastructure",
70 "get-changes-filtered",
74 "ro-repl-secret-sync"],
76 Option("--action", type="choice", choices
=["allow", "deny"],
77 help="""Deny or allow access"""),
78 Option("--objectdn", help="DN of the object whose SD to modify",
80 Option("--trusteedn", help="DN of the entity that gets access",
84 def find_trustee_sid(self
, samdb
, trusteedn
):
85 res
= samdb
.search(base
=trusteedn
, expression
="(objectClass=*)",
88 return ndr_unpack( security
.dom_sid
,res
[0]["objectSid"][0])
90 def modify_descriptor(self
, samdb
, object_dn
, desc
, controls
=None):
91 assert(isinstance(desc
, security
.descriptor
))
93 m
.dn
= ldb
.Dn(samdb
, object_dn
)
94 m
["nTSecurityDescriptor"]= ldb
.MessageElement(
95 (ndr_pack(desc
)), ldb
.FLAG_MOD_REPLACE
,
96 "nTSecurityDescriptor")
99 def read_descriptor(self
, samdb
, object_dn
):
100 res
= samdb
.search(base
=object_dn
, scope
=SCOPE_BASE
,
101 attrs
=["nTSecurityDescriptor"])
102 # we should theoretically always have an SD
103 assert(len(res
) == 1)
104 desc
= res
[0]["nTSecurityDescriptor"][0]
105 return ndr_unpack(security
.descriptor
, desc
)
107 def get_domain_sid(self
, samdb
):
108 res
= samdb
.search(base
=samdb
.domain_dn(),
109 expression
="(objectClass=*)", scope
=SCOPE_BASE
)
110 return ndr_unpack( security
.dom_sid
,res
[0]["objectSid"][0])
112 def add_ace(self
, samdb
, object_dn
, new_ace
):
113 """Add new ace explicitly."""
114 desc
= self
.read_descriptor(samdb
, object_dn
)
115 desc_sddl
= desc
.as_sddl(self
.get_domain_sid(samdb
))
116 #TODO add bindings for descriptor manipulation and get rid of this
117 desc_aces
= re
.findall("\(.*?\)", desc_sddl
)
118 for ace
in desc_aces
:
120 desc_sddl
= desc_sddl
.replace(ace
, "")
121 if new_ace
in desc_sddl
:
123 if desc_sddl
.find("(") >= 0:
124 desc_sddl
= desc_sddl
[:desc_sddl
.index("(")] + new_ace
+ desc_sddl
[desc_sddl
.index("("):]
126 desc_sddl
= desc_sddl
+ new_ace
127 desc
= security
.descriptor
.from_sddl(desc_sddl
, self
.get_domain_sid(samdb
))
128 self
.modify_descriptor(samdb
, object_dn
, desc
)
130 def print_new_acl(self
, samdb
, object_dn
):
131 desc
= self
.read_descriptor(samdb
, object_dn
)
132 desc_sddl
= desc
.as_sddl(self
.get_domain_sid(samdb
))
133 print "new descriptor for %s:" % object_dn
136 def run(self
, car
, action
, objectdn
, trusteedn
,
137 host
=None, credopts
=None, sambaopts
=None, versionopts
=None):
138 lp
= sambaopts
.get_loadparm()
139 creds
= credopts
.get_credentials(lp
)
141 if (car
is None or action
is None or objectdn
is None or
145 samdb
= SamDB(url
=host
, session_info
=system_session(),
146 credentials
=creds
, lp
=lp
)
147 cars
= {'change-rid' : GUID_DRS_CHANGE_RID_MASTER
,
148 'change-pdc' : GUID_DRS_CHANGE_PDC
,
149 'change-infrastructure' : GUID_DRS_CHANGE_INFR_MASTER
,
150 'change-schema' : GUID_DRS_CHANGE_SCHEMA_MASTER
,
151 'change-naming' : GUID_DRS_CHANGE_DOMAIN_MASTER
,
152 'allocate_rids' : GUID_DRS_ALLOCATE_RIDS
,
153 'get-changes' : GUID_DRS_GET_CHANGES
,
154 'get-changes-all' : GUID_DRS_GET_ALL_CHANGES
,
155 'get-changes-filtered' : GUID_DRS_GET_FILTERED_ATTRIBUTES
,
156 'topology-manage' : GUID_DRS_MANAGE_TOPOLOGY
,
157 'topology-monitor' : GUID_DRS_MONITOR_TOPOLOGY
,
158 'repl-sync' : GUID_DRS_REPL_SYNCRONIZE
,
159 'ro-repl-secret-sync' : GUID_DRS_RO_REPL_SECRET_SYNC
,
161 sid
= self
.find_trustee_sid(samdb
, trusteedn
)
162 if action
== "allow":
163 new_ace
= "(OA;;CR;%s;;%s)" % (cars
[car
], str(sid
))
164 elif action
== "deny":
165 new_ace
= "(OD;;CR;%s;;%s)" % (cars
[car
], str(sid
))
167 raise CommandError("Wrong argument '%s'!" % action
)
169 self
.print_new_acl(samdb
, objectdn
)
170 self
.add_ace(samdb
, objectdn
, new_ace
)
171 self
.print_new_acl(samdb
, objectdn
)
174 class cmd_ds_acl(SuperCommand
):
175 """DS ACLs manipulation"""
178 subcommands
["set"] = cmd_ds_acl_set()
