search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
librpc: Shorten dcerpc_binding_handle_call a bit
[Samba/vl.git] / python / samba / netcmd / ntacl.py
blob6d4d350653e15f46af7106b79552f6725b52e9d4
1 # Manipulate file NT ACLs
2 #
3 # Copyright Matthieu Patou 2010 <mat@matws.net>
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 #
18
19 from samba.credentials import DONT_USE_KERBEROS
20 import samba.getopt as options
21 from samba.dcerpc import security, idmap
22 from samba.ntacls import setntacl, getntacl
23 from samba import Ldb
24 from samba.ndr import ndr_unpack, ndr_print
25 from samba.samdb import SamDB
26 from samba.samba3 import param as s3param, passdb, smbd
27 from samba import provision
28
29 from ldb import SCOPE_BASE
30 import os
31
32 from samba.auth import system_session
33 from samba.netcmd import (
34 Command,
35 CommandError,
36 SuperCommand,
37 Option,
38 )
39
40
41
42 class cmd_ntacl_set(Command):
43 """Set ACLs on a file."""
44
45 synopsis = "%prog <acl> <file> [options]"
46
47 takes_optiongroups = {
48 "sambaopts": options.SambaOptions,
49 "credopts": options.CredentialsOptions,
50 "versionopts": options.VersionOptions,
51 }
52
53 takes_options = [
54 Option("--quiet", help="Be quiet", action="store_true"),
55 Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
56 choices=["native","tdb"]),
57 Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
58 Option("--use-ntvfs", help="Set the ACLs directly to the TDB or xattr for use with the ntvfs file server", action="store_true"),
59 Option("--use-s3fs", help="Set the ACLs for use with the default s3fs file server via the VFS layer", action="store_true"),
60 Option("--service", help="Name of the smb.conf service to use when applying the ACLs", type="string")
61 ]
62
63 takes_args = ["acl","file"]
64
65 def run(self, acl, file, use_ntvfs=False, use_s3fs=False,
66 quiet=False,xattr_backend=None,eadb_file=None,
67 credopts=None, sambaopts=None, versionopts=None,
68 service=None):
69 logger = self.get_logger()
70 lp = sambaopts.get_loadparm()
71 try:
72 samdb = SamDB(session_info=system_session(),
73 lp=lp)
74 except Exception, e:
75 raise CommandError("Unable to open samdb:", e)
76
77 if not use_ntvfs and not use_s3fs:
78 use_ntvfs = "smb" in lp.get("server services")
79 elif use_s3fs:
80 use_ntvfs = False
81
82 try:
83 domain_sid = security.dom_sid(samdb.domain_sid)
84 except:
85 raise CommandError("Unable to read domain SID from configuration files")
86
87 s3conf = s3param.get_context()
88 s3conf.load(lp.configfile)
89 # ensure we are using the right samba_dsdb passdb backend, no matter what
90 s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
91
92 setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs, service=service)
93
94 if use_ntvfs:
95 logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")
96
97
98 class cmd_ntacl_get(Command):
99 """Get ACLs of a file."""
100 synopsis = "%prog <file> [options]"
101
102 takes_optiongroups = {
103 "sambaopts": options.SambaOptions,
104 "credopts": options.CredentialsOptions,
105 "versionopts": options.VersionOptions,
106 }
107
108 takes_options = [
109 Option("--as-sddl", help="Output ACL in the SDDL format", action="store_true"),
110 Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
111 choices=["native","tdb"]),
112 Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
113 Option("--use-ntvfs", help="Get the ACLs directly from the TDB or xattr used with the ntvfs file server", action="store_true"),
114 Option("--use-s3fs", help="Get the ACLs for use via the VFS layer used by the default s3fs file server", action="store_true"),
115 Option("--service", help="Name of the smb.conf service to use when getting the ACLs", type="string")
116 ]
117
118 takes_args = ["file"]
119
120 def run(self, file, use_ntvfs=False, use_s3fs=False,
121 as_sddl=False, xattr_backend=None, eadb_file=None,
122 credopts=None, sambaopts=None, versionopts=None,
123 service=None):
124 lp = sambaopts.get_loadparm()
125 try:
126 samdb = SamDB(session_info=system_session(),
127 lp=lp)
128 except Exception, e:
129 raise CommandError("Unable to open samdb:", e)
130
131 if not use_ntvfs and not use_s3fs:
132 use_ntvfs = "smb" in lp.get("server services")
133 elif use_s3fs:
134 use_ntvfs = False
135
136
137 s3conf = s3param.get_context()
138 s3conf.load(lp.configfile)
139 # ensure we are using the right samba_dsdb passdb backend, no matter what
140 s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
141
142 acl = getntacl(lp, file, xattr_backend, eadb_file, direct_db_access=use_ntvfs, service=service)
143 if as_sddl:
144 try:
145 domain_sid = security.dom_sid(samdb.domain_sid)
146 except:
147 raise CommandError("Unable to read domain SID from configuration files")
148 self.outf.write(acl.as_sddl(domain_sid)+"\n")
149 else:
150 self.outf.write(ndr_print(acl))
151
152
153 class cmd_ntacl_sysvolreset(Command):
154 """Reset sysvol ACLs to defaults (including correct ACLs on GPOs)."""
155 synopsis = "%prog <file> [options]"
156
157 takes_optiongroups = {
158 "sambaopts": options.SambaOptions,
159 "credopts": options.CredentialsOptions,
160 "versionopts": options.VersionOptions,
161 }
162
163 takes_options = [
164 Option("--use-ntvfs", help="Set the ACLs for use with the ntvfs file server", action="store_true"),
165 Option("--use-s3fs", help="Set the ACLs for use with the default s3fs file server", action="store_true")
166 ]
167
168 def run(self, use_ntvfs=False, use_s3fs=False,
169 credopts=None, sambaopts=None, versionopts=None):
170 lp = sambaopts.get_loadparm()
171 path = lp.private_path("secrets.ldb")
172 creds = credopts.get_credentials(lp)
173 creds.set_kerberos_state(DONT_USE_KERBEROS)
174 logger = self.get_logger()
175
176 netlogon = lp.get("path", "netlogon")
177 sysvol = lp.get("path", "sysvol")
178 try:
179 samdb = SamDB(session_info=system_session(),
180 lp=lp)
181 except Exception, e:
182 raise CommandError("Unable to open samdb:", e)
183
184 if not use_ntvfs and not use_s3fs:
185 use_ntvfs = "smb" in lp.get("server services")
186 elif use_s3fs:
187 use_ntvfs = False
188
189 domain_sid = security.dom_sid(samdb.domain_sid)
190
191 s3conf = s3param.get_context()
192 s3conf.load(lp.configfile)
193 # ensure we are using the right samba_dsdb passdb backend, no matter what
194 s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
195
196 LA_sid = security.dom_sid(str(domain_sid)
197 +"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
198 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
199
200 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
201
202 # These assertions correct for current plugin_s4_dc selftest
203 # configuration. When other environments have a broad range of
204 # groups mapped via passdb, we can relax some of these checks
205 (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
206 if (LA_type != idmap.ID_TYPE_UID and LA_type != idmap.ID_TYPE_BOTH):
207 raise CommandError("SID %s is not mapped to a UID" % LA_sid)
208 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
209 if (BA_type != idmap.ID_TYPE_GID and BA_type != idmap.ID_TYPE_BOTH):
210 raise CommandError("SID %s is not mapped to a GID" % BA_sid)
211
212 if use_ntvfs:
213 logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")
214
215 provision.setsysvolacl(samdb, netlogon, sysvol,
216 LA_uid, BA_gid, domain_sid,
217 lp.get("realm").lower(), samdb.domain_dn(),
218 lp, use_ntvfs=use_ntvfs)
219
220 class cmd_ntacl_sysvolcheck(Command):
221 """Check sysvol ACLs match defaults (including correct ACLs on GPOs)."""
222 synopsis = "%prog <file> [options]"
223
224 takes_optiongroups = {
225 "sambaopts": options.SambaOptions,
226 "credopts": options.CredentialsOptions,
227 "versionopts": options.VersionOptions,
228 }
229
230 def run(self, credopts=None, sambaopts=None, versionopts=None):
231 lp = sambaopts.get_loadparm()
232 path = lp.private_path("secrets.ldb")
233 creds = credopts.get_credentials(lp)
234 creds.set_kerberos_state(DONT_USE_KERBEROS)
235 logger = self.get_logger()
236
237 netlogon = lp.get("path", "netlogon")
238 sysvol = lp.get("path", "sysvol")
239 try:
240 samdb = SamDB(session_info=system_session(), lp=lp)
241 except Exception, e:
242 raise CommandError("Unable to open samdb:", e)
243
244 domain_sid = security.dom_sid(samdb.domain_sid)
245
246 provision.checksysvolacl(samdb, netlogon, sysvol,
247 domain_sid,
248 lp.get("realm").lower(), samdb.domain_dn(),
249 lp)
250
251
252 class cmd_ntacl(SuperCommand):
253 """NT ACLs manipulation."""
254
255 subcommands = {}
256 subcommands["set"] = cmd_ntacl_set()
257 subcommands["get"] = cmd_ntacl_get()
258 subcommands["sysvolreset"] = cmd_ntacl_sysvolreset()
259 subcommands["sysvolcheck"] = cmd_ntacl_sysvolcheck()
260