b0[ddlZddlZddlZddlZddlZddlZejddddlm Z ddl m Z ddl m Z ddlZddlmZddlmZmZddlmcmZddlZddlmZdd lmZdd lmZddlm Z dd l!m"Z"dd l#m$Z$dd l%m&Z&ddlm'Z'ddlm(Z(ddl)m*Z*m+Z+ddl,m-Z-ddl.m/Z/ ddl0m1Z1e1ddZ2n#e3$rGddZ2YnwxYwGddZ4GddZ5Gdde6Z7Gdde7Z8Gdd e7Z9Gd!d"e7Z: d#Z; d$Zd'Z?d(Z@d)ZAd9d+ZBd,ZCd:d.ZDd/ZEd0ZFd1ZGd2ZH d;d4ZId -864000000000 -36288000000000 7 1 1d 300 Each guid value contains a list of extensions, which contain a list of attributes. The guid value represents a GPO. The attributes are the values of those settings prior to the application of the GPO. The list of guids is enclosed within a user name, which represents the user the settings were applied to. This user may be the samaccountname of the local computer, which implies that these are machine policies. The applylog keeps track of the order in which the GPOs were applied, so that they can be rolled back in reverse, returning the machine to the state prior to policy application. NcFtj|_||_||_|rt j||_nt jd|_||_ |j d|z}|&t j |jd}||j d<dSdS)ag Initialize the gp_log param user - the username (or machine name) that policies are being applied to param gpostore - the GPOStorage obj which references the tdb which contains gp_logs param db_log - (optional) a string to initialize the gp_log gpuser[@name="%s"]Nusername) rr_stategpostoreusernameetree fromstringgpdbElementr)find SubElementattrib)selfr)r,db_loguser_objs r#__init__zgp_log.__init__]sn     ,(00DII d++DI 9>>"4t";<<  ' 6::H&*HOF # # #  r"c|tjkrh|jd|jz}|d}|t |dkrtj|_dS||_dS||_dS)a( Policy application state param value - APPLY, ENFORCE, or UNAPPLY The behavior of the gp_log depends on whether we are applying policy, enforcing policy, or unapplying policy. During an apply, old settings are recorded in the log. During an enforce, settings are being applied but the gp_log does not change. During an unapply, additions to the log should be ignored (since function calls to apply settings are actually reverting policy), but removals from the log are allowed. r(applylogNr)rrr0r2r)lenrr+)r5valuer7 apply_logs r#statez gp_log.statersw H$ $ $y~~&849&DEEH j11I C NNa$7$7&n # DKKKr"c||_|jd|jz}|d|z}|t j|d}||jd<|jtj kr|d}|t j|d}|d|z}|@t j|d}dt|dz z|jd <||jd<dSdSdS) z Log to a different GPO guid param guid - guid value of the GPO from which we're applying policy r(guid[@value="%s"]Nguidr<r:z%drcount) rAr0r2r)r.r3r4r+rrr;)r5rAr7objr=previtems r#set_guidzgp_log.set_guids  9>>"4ty"@AAmm/$677 ;"8V44C"&CJw  ;(. ( ( j11I !,XzBB >>"5"<==D|' 6::'+s9~~/A'B G$'+ G$$$ ) ( |r"c|jtjks|jtjkrdS|jd|jz}|d|jz}| Jd|d|z}|tj |d}||j d<|d|z}|(tj |d }||j d<||_ dSdS) a Store an attribute in the gp_log param gp_ext_name - Name of the extension applying policy param attribute - The attribute being modified param old_val - The value of the attribute prior to policy application Nr(r@gpo guid was not setgp_ext[@name="%s"]gp_extr*attribute[@name="%s"] attribute) r+rr rr0r2r)rAr.r3r4text)r5 gp_ext_namerLold_valr7guid_objextattrs r#storez gp_log.stores ;(* * *dkX=M.M.M49>>"4ty"@AA==!4ty!@AA##%;###mm0;>?? ;"8X66C!,CJv xx/);<< <#C55D"+DK DIII >"4ty"@AA==!4ty!@AA##%;###mm0;>?? ?883i?@@Dy tr"c,g}|jd|jz}|m|d}|V|d}d|D}|d|d|D|S) z Return a list of applied ext guids return - List of guids for gpos that have applied settings to the system. r(Nr:z guid[@count]cbg|],}|d|df-S)rBr<)get).0gs r# z,gp_log.get_applied_guids..sA"6"6"6&'$%55>>155>>"B"6"6"6r"T)reversec3 K|] \}}|V dSNr!)rZrBrAs r# z+gp_log.get_applied_guids..s&DDkeTTDDDDDDr")r0r2r)findallsortextend)r5guidsr7r= guid_objsguids_by_counts r#get_applied_guidszgp_log.get_applied_guidss 9>>"4ty"@AA   j11I$%--n== "6"6+4"6"6"6##D#111 DD^DDDDDD r"cpg}|jd|jz}|D]}|d|z}|d}i}|D]C}i} |d} | D]} | j| | jd<| ||jd<D|||f|S)ai Return a list of applied ext guids return - List of tuples containing the guid of a gpo, then a dictionary of policies and their values prior policy application. These are sorted so that the most recently applied settings are removed first. r(r@rJrLr*)r0r2r)rarMr4append) r5rdretr7rA guid_settingsextssettingsrQ attr_dictattrsrRs r#get_applied_settingszgp_log.get_applied_settingss9>>"4ty"@AA ) )D$MM*=*DEEM ((22DH 9 9  K00!??D59YIdk&122/8F+,, JJh' ( ( ( ( r"c|jd|jz}|d|jz}| Jd|d|z}|Y|d|z}|A||t |dkr||dSdSdSdS)z Remove an attribute from the gp_log param gp_ext_name - name of extension from which to remove the attribute param attribute - attribute to remove r(r@NrHrIrKr)r0r2r)rAremover;rUs r#deletez gp_log.deletes 9>>"4ty"@AA==!4ty!@AA##%;###mm0;>?? ?883i?@@D 4   s88q==OOC((((( ? =r"cv|j|jtj|jddS)z Write gp_log changes to disk zutf-8N)r,rSr-r.tostringr0r5s r#commitz gp_log.commits0 DM5>$)W+M+MNNNNNr"r_) rrr__doc__r8r>rFrSrVrgrprsrwr!r"r#r%r%7s$$J++++*   ,,,,*   ,"",)))"OOOOOr"r%cJeZdZdZdZdZdZdZdZdZ dZ d Z d Z d S) GPOStoragectj|rtj||_dStj|dtjtjtj z|_dS)Nr) ospathisfiletdbopenrTdbDEFAULTO_CREATO_RDWR)r5log_files r#r8zGPOStorage.__init__sT 7>>( # # Qx))DHHHwxCKbi9OPPDHHHr"c8|jdSr_)rtransaction_startrvs r#startzGPOStorage.starts ""$$$$$r"c t|jt|S#t$rYdSwxYwr_)intrrYr TypeErrorr5keys r#get_intzGPOStorage.get_int sK tx||IcNN3344 4   44 s36 AAcP|jt|Sr_)rrYrrs r#rYzGPOStorage.getsx||IcNN+++r"c nt|||jt|Sr_)r%rrYr)r5r)s r# get_gplogzGPOStorage.get_gplogs(dD$(,,y"?"?@@@r"cp|jt|t|dSr_)rrSr)r5rvals r#rSzGPOStorage.stores* y~~y~~66666r"c8|jdSr_)rtransaction_cancelrvs r#cancelzGPOStorage.cancel ##%%%%%r"cT|jt|dSr_)rrsrrs r#rszGPOStorage.deletes"  #'''''r"c8|jdSr_)rtransaction_commitrvs r#rwzGPOStorage.commit rr"c8|jdSr_)rcloservs r#__del__zGPOStorage.__del__#s r"N) rrrr8rrrYrrSrrsrwrr!r"r#rzrzsQQQ %%% ,,,AAA777&&&(((&&&r"rzcveZdZeZdZedZedZdZ edZ edZ dS)rJcd||_||_||_|||_dSr_)lpcredsr-rgp_db)r5rrr-rSs r#r8zgp_ext.__init__*s.   __X.. r"cdSr_r!)r5deleted_gpo_listchanged_gpo_lists r#process_group_policyzgp_ext.process_group_policy0 r"cdSr_r!)r5policys r#readz gp_ext.read4rr"c |jd}tj|t |}tj|r||SdS)N gpo_cache) r cache_pathr|r}joincheck_safe_pathupperexistsr)r5afile local_path data_files r#parsez gp_ext.parse8smW'' 44 GLL_U-C-C-I-I-K-KLL 7>>) $ $ (99Y'' 'tr"cdSr_r!rvs r#__str__zgp_ext.__str__?rr"ciSr_r!)r5gpos r#rsopz gp_ext.rsopCs r"N) rrrr __metaclass__r8rrrrrrr!r"r#rJrJ'sM///   ^   ^   ^ ^r"rJceZdZdZdS) gp_inf_extcxt|d}td}t|_ |t |nE#t$r8|t |dYnwxYw|S)Nrb interpolationutf-16) rrrstr optionxformreadfprdecodeUnicodeDecodeError)r5rrinf_confs r#rzgp_inf_ext.readIsi&&++--d333" ? OOHV]]__55 6 6 6 6! ? ? ? OOHV]]8%<%<== > > > > > ?s4A55?B76B7Nrrrrr!r"r#rrHs#r"rceZdZdZdS) gp_pol_extczt|d}ttj|S)Nr)rrrrfiler5rraws r#rzgp_pol_ext.readUs/9d##((**$)S)))r"Nrr!r"r#rrTs#*****r"rceZdZdZdS) gp_xml_extct|d} tj|S#t $r*tj|dcYSwxYw)Nrr)rrr.r/rrrs r#rzgp_xml_ext.read[sy9d##((** :#CJJLL11 1! : : :#CJJx$8$899 9 9 9 :s%A 1A>=A>Nrr!r"r#rrZs#:::::r"rct||}||dtjtjz}|jS)N)rrrealm)domainflags)r finddcrYr NBT_SERVER_LDAP NBT_SERVER_DS pdc_dns_name)rrnet cldap_rets r#get_dc_hostnamerfsQ Eb ! ! !C "&&//#:M:=:K;L NNI  !!r"cg}tj|||}|r.||dd}|S)N\)r ADS_STRUCTconnect get_gpo_listsplit) dc_hostnamerrr-gposadss r#rrpsS D .b% 0 0C {{}}:t 4 4R 899 Kr"c t|}tj||} tj|dn-#t $r }|jt jkrYd}~nd}~wwxYw||D]'}|dtj zr6t||tj||dN|d}td|}tj||d dd} ||| |tj|jtj||)dS) Ni)moder4r*F)rsdir/r)rr|r}rmakedirsOSErrorerrnoEEXISTlistlibsmbFILE_ATTRIBUTE_DIRECTORY cache_gpo_dirrreplacewriteloadfilerrenamer*) conncachesub_dir loc_sub_dir local_direfdata local_nameffnames r#rrys--//K UK00I IE*****  7el " "  # " " " "7## C C ?V< < C $rw||GU6]'K'K L L L Lv,,..J"%Y???AGLL%-88@@dKKE GGDMM%(( ) ) ) GGIII Iafbgll9jAA B B B B C CsA A7A22A7c2tjd|}d|vrGtjd|}||ddzd}d|vrt jj|St|)Nz/|\\sysvolrz..)rerlowerindexr|r}rr)r}dirsldirss r#rrs 8Hd # #D4::<<4::<<00EKK))A-../ 4w|T"" $--r"cF|}|ttj|d||}|||d}|D]-}|js t||t|j.dS)Nr)rrr) get_smb_signingset_smb_signingrrConnr file_sys_pathrr)rrrrsaved_signing_staterrrs r#check_refresh_gpo_listrs//11 ./// ;{H5 A A AD -...{++JLL   dJ8I(J(JKKKKLLr"c|}td|Dfd|D}||S)Ncg|] }|j Sr!)r*)rZps r#r\z)get_deleted_gpos_list..s...A...r"cg|]}|v| Sr!r!)rZrA current_guidss r#r\z)get_deleted_gpos_list..s#OOOTT5N5ND5N5N5Nr")rgsetrp)rr applied_gpos deleted_gposrs @r#get_deleted_gpos_listrs]**,,L.....//MOOOO\OOOL  % %l 3 33r"c|tjd|}t t j|dS)Nrr)rr|r}rrrgpo_get_sysvol_gpt_version)rr}gpt_paths r# gpo_versionrsC}}RW\\+t<<==H s-h77: ; ;;r"Fc ||}t||}t||||} t|| } t |||| n#t jd|zYdSxYw|r"| } |tj ng} | D]} | j s | j } t| j  }t||}||| kr,t jd| z| | |tj||D]} |||||}|dkr|| | n)t+||j| | X#t.$r}t jdt1|zt jdt3|jdt1|t jt9jYd}~d}~wwxYw| D]`} | j s | j } t| j  }t||}|| d|za|dS)Nz0Failed downloading gpt cache from '%s' using SMBzGPO %s has changedComputerzFailed to apply extension %s Message was: z: z%i) rrrrrrerrorr>rrr r*rrrrinforirrrdrop_privileges get_principal Exceptionrtyperdebug traceback format_excrSrw)rrrS gp_extensionsr-targetforcerrrdel_gpos changed_gposgpo_objrAr}versionrQrs r#apply_gpr0s OOH % %E!%,,K  UB 9 9D$UD11H{Bt<<<< F  ! ! ! $  H$%%%%  - -G( rr rprgrrr"r$rr rrw) rrrSr)r-r*rr,rQrs r# unapply_gpr2s4 OOH % %E KK !!!))%*A*A*C*CDDH KKMMM   #b%511C##((26666#*B ("...    I7#c((B C C C IoA. / / / HHHH  LLNNNNNs5AB88 DADDc$t|tkr8fd|D}dd|zSt|tkr&fd|D}dd|zS|S)Nc Tg|]$\}}dzd|dt|dzz%S) z[ z ] = r __rsop_vals)rZkvlevels r#r\z__rsop_vals..sR***Aq5yyAAA{1eAg/F/F/FGG***r" c Hg|]}dzdt|dzzzS)r6z[ %s ]rr7)rZr:r;s r#r\z__rsop_vals..s5LLL!s5y8k!U1W&=&===LLLr")r%dictitemsrr)valsr;rjs ` r#r8r8s DzzT**** JJLL***diinn$$ dt  LLLLtLLLdiinn$$ r"c t||}t||||}t||||tdtd|zt jdd}|D] } | jdkr!td| jztd|z|D]} | ||||} tj d tt| } t| dkr"| d  d d } n | j d d } td | ztd dt|dz zz| | D]\} }td| ztddt|dz zztt%|dtddt|dz zztd dt|dz zztdd|zzdS)NzResultant Set of Policyz %s Policy )x2)fallbackrz Local PolicyzGPO: %s=z '([\w\.]+)'r.z CSE: %sz -rz Policy Type: %sz r<z%s )rrrprintshutilget_terminal_size display_namestriprrarr%r;rrrrr?r8lstrip)rrrSr)r-r*rr term_widthrrQ cse_name_mcse_namesectionrms r#rrs!%,,K  UB 9 9D;E4888 #$$$ -& !!!)9===a@J))   ! ! # #~ 5 5  i#**+++ c*n  2 2C#b%511CM3tCyy>>BBJ:""%b>//44R8>//44R8 +( ) ) ) $#c*Q,///0 1 1 1%(XXc]]%8%8%:%: 8 8!+g5666fC 1 $5$5 56777k(++22488999fC 1 $5$5 567777 $#c*Q,///0 1 1 1 1 fJ'(((()))r"ct}|||n||d}t d}||||fS)N gpext.confr)r load load_default state_pathrr)smb_confrext_confparsers r#parse_gpext_confrZ%ss B  }}\**H  - - -F KK v:r"c|d}tddtj|5}||tj|j|ddddS#1swxYwYdS)NrSzw+F)rrsr)rVrr|r}dirnamerrr*)rrYrXrs r#atomic_write_confr]1s}}\**H e9R9R S S S$WX Q !&(###$$$$$$$$$$$$$$$$$$s0BB Bc|ddks|ddkst|dkrdS t|dn#t$rYdSwxYwd S) Nr{r}&Fr3)r/T)r;r ValueError)rAs r# check_guidrc8sp Aw#~~bSCIIOOu T1 uu 4sA AATctj|sdSt|sdSt |\}}||vr||||d|||d|||d|rdnd||d|rdndt||dS) NFDllNameProcessGroupPolicyNoMachinePolicy01 NoUserPolicyT) r|r}rrcrZsections add_sectionrr])rAr*r}rWmachiner)rrYs r#register_gp_extensionrnCs 7>>$  u d  u!(++JB 6??$$$$4    JJtY%%% JJt)4000 JJt&w(?C@@@ JJt^D%9SSc:::b&!!! 4r"ct|\}}i}|D]}i||<||d||d<||d||d<t||d ||d<t||d ||d<|S)Nrerfrg MachinePolicyrj UserPolicy)rZrkrYr)rW_rYresultsrAs r#list_gp_extensionsrtXs **IAvG!!PP #)::dI#>#> i JJt1 2 2  *+FJJt%67788 8  o&*-fjj~.N.N*O*O&O l## Nr"ct|sdSt|\}}||vr||t ||dS)NFT)rcrZrkremove_sectionr])rArWrrYs r#unregister_gp_extensionrwfsf d  u!(++JB v    d###b&!!! 4r"cVtj|tj|dS)z( Set current process privileges N)r|setegidseteuid)r-uidgids r#set_privilegesr}ss" JsOOOJsOOOOOr"cNtj}|dkstdtj|j}tj|j}t|||d}d} ||}n#t$r }|}Yd}~nd}~wwxYwtd|d|r||S)zG Run supplied function with privileges for specified username. rz)Not enough permissions to drop privilegesNroot)r|getuidr$pwdgetpwnampw_uidpw_gidr}) r-funcargs current_uiduser_uiduser_gidoutexcrs r#r"r"|s)++K !  CDDD|H%%,H|H%%,H8Xx000 C CdDk 6;***  Js1A77 B BB )F)r3)NTTr_)Nsysr|rIrrrr}insertsambar configparserriorr' samba.commonrabcrrxml.etree.ElementTreer. ElementTreer samba.netr samba.dcerpcr samba.samba3r r samba.gpor samba.paramr uuidr tempfilerrr samba.ndrrrsamba.credentialsrsamba.gp.util.loggingrenumrr ImportErrorr%rzobjectrJrrrrrrrrrrr0r2r8rrZr]rcrnrtrwr}r"r!r"r#rs$  < %%%%%%""""""''''''''%%%%%%%%% 888888 ''''''********222222%%%%%%tJ 788HHGOGOGOGOGOGOGOGOT########LVB        ******** ::::::::,"""2CCC( L L L444 <<<1111h*    )))>   $$$=A*        s0CCC