bp6dZddlmZddlmZddlmZddlZddlZdZ ifdZ ifdZ ifd Z ifd Z ifd Zifd Zifd ZifdZifdZifdZifdZifdZifdZifdZifdZifdZifdZifdZifdZifdZifdZdZdZ dZ!dZ"d"d!Z#dS)#zFFunctions for setting up a Samba configuration (security descriptors).)security)ndr_pack)get_schema_descriptorNcd|z}|D]\}}|||}tj||}t |S)N%s)itemsreplacer descriptor from_sddlr)sddl_in domain_sidname_mapsddlnamesidsecs 2/usr/lib/python3/dist-packages/samba/descriptor.py sddl2binaryr&sa '>D~~'''' s||D#&&   ' 'j 9 9C C==c(d}t|||S)Nrr rrs rget_empty_descriptorr0s D tZ 2 22rc(d}t|||S)Na O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCRCCLCLORCWOWDSDSW;;;DA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)rrs rget_config_descriptorr7s AD tZ 2 22rc(d}t|||S)NaD:(A;;LCLORC;;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;ED)(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)S:(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)rrs r get_config_partitions_descriptorrJs *D tZ 2 22rc(d}t|||S)NaD:(A;;RPLCLORC;;;AU)(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;RO)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:(AU;CISA;CCDCSDDT;;;WD)(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)rrs rget_config_sites_descriptorr \s fD tZ 2 22rc(d}t|||S)NziD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPLCLORC;;;BA)(OA;;CR;4ecc03fe-ffc0-4947-b630-eb672a8a9dbc;;WD)rrs r!get_config_ntds_quotas_descriptorr"ks r%rc(d}t|||S)Na O:SYG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;RPWPCRCCLCLORCWOWDSW;;;DA)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)(A;;RP;;;WD)(A;;RPLCLORC;;;ED)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)rrs rget_dns_partition_descriptorr=Fs2 (>> ? ?Ahi -EOO4E4E0F0FF G GImn U__->->)?)?? @ @B_` (3u/@/@+A+AA B BDcd }s5??+<+<'='== > >@[\ 1C8I8I4J4JJ K KMno 5EOOZ>Z$[\\ 6%6** + +{ : :tc+&6&66779UVA   # # #5K8H8HHII8:A   # # #3c+6F6FFGG8:A   # # #3c+6F6FFGG8:A   # # # fU$:c%//BSBS>T>T$UVV 6%6** + +{ : :tc+&6&66779UVA   # # #5K8H8HHII8:A   # # #3c+6F6FFGG8:A   # # #3c+6F6FFGG8:A   # # # rctjd}||}i}g|d<|D]G}t|ddkr |d|d<|d|dH|S)zzReturn separate ACE of an ACL :param acl: A string representing the ACL :return: A hash with different parts z(\w+)?(\(.*?\))acesrflags)recompilefindalllenrU)aclptabhashes r chunck_aclrks %&&A ))C..C DDL "" qt99q==aDDM V AaD!!!! Krctjd}||}i}|D]^}|ddkr |d|d<|ddkr |d|d<|ddkr |d|d <|dd kr |d|d <_|S) z Return separate parts of the SDDL (owner, group, ...) :param sddl: An string containing the SDDL to chunk :return: A hash with the different chunk z([OGDS]:)(.*?)(?=(?:[GDS]:|$))rzO:raownerzG:groupzD:daclzS:sacl)rbrcrd)rrgrhrirjs r chunck_sddlrqs 455A ))D//C D    Q44<<aDDM Q44<<aDDM Q44<<Q4DL Q44<<Q4DL Krc(tj}|j|_|j|_|j|_|j|_g}|j |jj}tdt|D]4}||}|j tj zs| |45g}|j |j j}tdt|D]4}||}|j tj zs||45|S)zvGet the SD without any inherited ACEs :param sd: SD to strip :return: An SD with inherited ACEs stripped Nr)rr owner_sid group_sidtyperevisionrpr_rangerer`SEC_ACE_FLAG_INHERITED_ACEsacl_addrodacl_add)sdsd_cleanr_iaces r get_clean_sdrs"$$HHHGHM H D ww| 1c$ii 1gy8>>    c " " "   D ww| 1c$ii 1gy8>>    c " " "   OrTcTt||}t||}d}t|}t|}d|vrd}n+d|vr'|d|dkrd|dd|dd}d|vrd|z}n-d|vr)|d|dkr|d |dd|dd}d g} |r| d | D]<} | |vr| |vr t } t } t || } t || }| d D]}| ||d D]}| |t | D]0}|| vr*| || |1t| t| zd kr"|d| d}| D] }|d|d} | D] }|d|d} | |vr| |vr |d| d},| |vr | |vr|d| d}>|S)aGet the difference between 2 sd This function split the textual representation of ACL into smaller chunck in order to not to report a simple permutation as a difference :param refsddl: First sddl to compare :param cursddl: Second sddl to compare :param checkSacl: If false we skip the sacl checks :return: A string that explain difference between sddls rrmz No owner in current SDz Owner mismatch: z (in ref) z (in current) rnz%s No group in current SDz Group mismatch: rorpr_rz Part z@ is different between reference and current here is the detail: z z% ACE is not present in the reference z# ACE is not present in the current z Reference ACL hasn't a z part z Current ACL hasn't a ) ras_sddlrqrUsetrkaddremovere)refsdcursd domainsid checkSaclcursddlrefsddltxthash_curhash_refpartsparth_curh_refc_curc_refelemkitems r get_diff_sdsr's5!!)))44G5!!)))44G C7##H7##Hh( H  '!2hw6G!G!G!G"*7"3"3"3Xg5F5F5FHh*S0 H  '!2hw6G!G!G"%##x'8'8'8(7:K:K:KMHE V#E#E 8   0 0EEEEEEx~..Ex~..Ef    $f    $ZZ $ $::LLOOOLLOOO5zzCJJ&**>Acc444I"77D,/CC7CC"55D*-##ttt5CCX  $h"6"6rs6ML!!!!!!...... /13333023333&;=3333$68 3 3 3 3<>3333BD3333DF3333BD33330223232323j?A33338:63636363r:< 3 3 3 368 3 3 3 3BD 3 3 3 3<> 3 3 3 3BD3333BD33337943434343nBD3333BD3333FH3333@@@F(0   FGGGGGGr