b]dZddlZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z mZmZddlmZmZddl mZddl mZddlmZdd lmZdd lmZejejzejzejzZe j e j!ze j"ze j#zZ$Gd d e%Z&d Z'dZ( ddZ) ddZ*dZ+d dZ,GddZ-GddZ.dZ/dZ0dZ1dZ2dZ3dS)!zNT Acls.N)param)securityxattridmap)ndr_pack ndr_unpack)smbd)libsmb_samba_internal)get_samba_logger) NTSTATUSError)system_session_unixceZdZdZdS)XattrBackendErrorzA generic xattr backend error.N)__name__ __module__ __qualname____doc__./usr/lib/python3/dist-packages/samba/ntacls.pyrr2s((((rrc|r|d}|!tj|dfS|d}|!tj|dfSdS|dkrdS|dkrl|tj|fStjtjtj|ddfS|d krp|tj|fS|d }tjtj|d }tj|fStd |z) z$return the path to the eadb, or NoneNzxattr_tdb:filez posix:eadbNNnativeeadbz private dirzeadb.tdbtdbzstate directoryz xattr.tdbzInvalid xattr backend choice %s) getsamba xattr_tdb posix_eadbospathabspathjoinr)lpbackendeadbfilerr state_dirdb_paths rcheckset_backendr)6sKFF+,,  ORVV,<%=%=> >VVL))  !$bff\&:&:; ;| H  | F    $h/ /$bgoobgll266-CXCXZd6e6e&f&fg g E    OX. .011Igoobgll9k&J&JKKGOW- - AG KLLLrc tj|tj}n#t $rYdSwxYwt tj|SN)r xattr_native wrap_getxattrrXATTR_DOSATTRIB_NAME_S3 Exceptionr DOSATTRIB)r$file attributes r getdosinfor3Rsa&44T5:5RTT  eoy 1 11s *- ;;Tc|r"t|||\}}|o |||tj} nv#t$r?t d|zt j|tj} Yn.wxYwt j|tj} ttj | } | j dkr| j S| j dkr | j j S| j dkr | j j S| j dkr | j j SdStj|t||S)NFail to open %sservice)r)r-rXATTR_NTACL_NAMEr/printrr,rNTACLversioninfosdr get_nt_aclSECURITY_SECINFO_FLAGS) r$r1 session_infor%r&direct_db_accessr; backend_objdbnamer2ntacls rgetntaclrI\si0 0Wh G Gf   U'55fd6;6LNN  U U U'&0111!.<9OQQI5; 22 =A  :  ]a  := ]a  := ]a  :=  t5+'.000 0s!=ABBFc :t|tst|tjsJt|trtj|} n+t|tjr|} t| }t|tst|tjsJt|tr!tj|| } n1t|tjr|} | | }|s[|rX| | j\} }|tj kr*|tj kr| jtjd|tj fzkrtjd|tj fz}| |\}}|tj ks|tj kr*| }||_tj|t ||| d}nht#d|||fzt%j|ddtj|tjtjztjz| || |rt/|||\}}t1j}d|_| |_| |||t0jt=|dS#t>$rNtAd|ztBj"|t0jt=|YdSwxYwtBj"|t0jt=|dStj|t | | | dS) a A wrapper for smbd set_nt_acl api. Args: lp (LoadParam): load param from conf file (str): a path to file or dir sddl (str): ntacl sddl string service (str): name of share service, e.g.: sysvol session_info (auth_session_info): session info for authentication Note: Get `session_info` with `samba.auth.user_session`, do not use the `admin_session` api. Returns: None z%s-%dr:TzDUnable to find UID for domain administrator %s, got id %d of type %drr6Nr5)r;rD)# isinstancestrrdom_sid descriptor from_sddlas_sddl sid_to_id owner_sidr ID_TYPE_UID ID_TYPE_BOTHDOMAIN_RID_ADMINSDOMAIN_RID_ADMINISTRATORr set_nt_aclrCrr chown SECINFO_GROUP SECINFO_DACL SECINFO_SACLr)rr>r?r@ wrap_setxattrr<rr/r=rr,)r$r1sddldomsidrDr%r& use_ntvfsskip_invalid_chownpassdbr;sidrAowner_id owner_type administratoradmin_id admin_typesd2rFrGrHs rsetntaclris, fc " "Kj9I&J&JKKK&#v&& FH, - -S dC JJtX5H$I$IJJJ$  * *4 5 5 D(- . . zz# )%+)%!'!1!1",!?!?: 5, , ,:AS3S3S|x/68C]:^0^____ ( 0FHDe;f1f g g )/)9)9-)H)H&: 5#444*HZ:Z:ZC$1CMO4c$ ')))) !%II+,rwDFNPZv[-[\\\q!$$$*)*)* #%%%%8 0Wh G Gf     B))&*.0FQVYYYYY B B B'&0111"00u7M19%BBBBBB  B   , ,T53I-5e__ > > > > >  (", 8 8 8 8 8 8s7/K((AM?Mc&d}d}d}d}d}d}d}d}d } d} d} d} d} d}d}d}d}d}d}d}d}d}d }d }d }d }d }d}d}||z}||zr||zr||| z|z|z| z|zz}||zr||| z|z|z|z| z|zz}||zr||| zz}||zr||z}|S)zMTakes the access mask of a DS ACE and transform them in a File ACE mask. r6r7r9 @iiiiiir)ldmRIGHT_DS_CREATE_CHILDRIGHT_DS_DELETE_CHILDRIGHT_DS_LIST_CONTENTS ACTRL_DS_SELFRIGHT_DS_READ_PROPERTYRIGHT_DS_WRITE_PROPERTYRIGHT_DS_DELETE_TREERIGHT_DS_LIST_OBJECTRIGHT_DS_CONTROL_ACCESSFILE_READ_DATAFILE_LIST_DIRECTORYFILE_WRITE_DATA FILE_ADD_FILEFILE_APPEND_DATAFILE_ADD_SUBDIRECTORYFILE_CREATE_PIPE_INSTANCE FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE FILE_TRAVERSEFILE_DELETE_CHILDFILE_READ_ATTRIBUTESFILE_WRITE_ATTRIBUTESDELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZESTANDARD_RIGHTS_ALLfilemasks rldapmask2filemaskrs!+ * * *M * * * * * &N & &O &M & & & &L &M &L &M & & & *F *L *I *K *K *((H $$>31G+G>{-@@3 46B C- .0< => $$6{_</ 02? @4 57D E 5 56  ""F4}DE ""0// Orctj||}tj}|j|_|j|_|j|_|j|_|jj}tdt|D]}||}|jtj tj fvrt|jtjkr|jtjztjz|_t|jtjkr|jtjz|_t+|j|_|||s|S||S)z This function takes an the SDDL representation of a DS ACL and return the SDDL representation of this ACL adapted for files. It's used for Policy object provision r)rrNrOrR group_sidtyperevisiondaclacesrangelen"SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECTSEC_ACE_TYPE_ACCESS_ALLOWEDrLtrusteeSID_BUILTIN_PREW2KflagsSEC_ACE_FLAG_OBJECT_INHERITSEC_ACE_FLAG_CONTAINER_INHERITSID_CREATOR_OWNERSEC_ACE_FLAG_INHERIT_ONLYr access_maskdacl_addrP)dssddlrbrPreffdescrriaces r dsacl2fsaclr s>   ' ' 4 4C  " "F}F}F(FKlFO 8=D 1c$ii ! !1g 8C <> > >BEckBRBRV^VqBqBq H$HH8KrrCI3;8#===I(JJ /@@CO OOC  >>#  rcfeZdZdZdZ ddZ ddZddZd Zd Z d Z dd Z dd Z ddZ dZdS) SMBHelperzb A wrapper class for SMB connection smb_path: path with separator "\" other than "/" c"||_||_dSr+)smb_connrM)selfrrMs r__init__zSMBHelper.__init__Gs   rFNcd|vsJ|j|||}|r||jn|SN/)sinfor)rget_aclrPrM)rsmb_pathrPrrntacl_sds rrzSMBHelper.get_aclKs[(""""=((/45@)BB29Fx ---hFrc^d|vsJt|tst|tjsJt|tr&tj||j}nt|tjr|}|j||||dSr)rKrLrrNrO domain_sidrset_acl)rrrrrtmp_descs rrzSMBHelper.set_aclUs(""""(C((VJxAT,U,UVVV h $ $ *44XtOOHH ("5 6 6 H h$)*5  7 7 7 7 7rcPd|vsJ|j|tS)zM List file and dir base names in smb_path without recursive. r)attribs)rlistSMB_FILE_ATTRIBUTE_FLAGSrrs rrzSMBHelper.listcs1(""""}!!(4L!MMMrc:t|tjzS)ze Check whether the attrib value is a directory. attrib is from list method. )boollibsmbFILE_ATTRIBUTE_DIRECTORY)rattribs ris_dirzSMBHelper.is_dirjs FV<<===rc|r|dz|zn|S)z$ Join path with '\' \r)rrootnames rr#zSMBHelper.joinrs&*3td{T!!t3rcBd|vsJ|j|S)Nr)rloadfilers rrzSMBHelper.loadfilexs)(""""}%%h///rc^|D]\}}|||}t|trL|j|s|j||||||j||dS)z1 Create files as defined in tree rN) itemsr#rKdictrchkpathmkdir create_treesavefile)rtreerrcontentfullnames rrzSMBHelper.create_tree|s"ZZ\\ : :MD'yy400H'4(( :},,X662M''111  8 <<<< &&x9999 : :rci}||D]m}|d}|||}||dr||||<U||||<n|S)a Get the tree structure via smb conn self.smb_conn.list example: [ { 'attrib': 16, 'mtime': 1528848309, 'name': 'dir1', 'short_name': 'dir1', 'size': 0L }, { 'attrib': 32, 'mtime': 1528848309, 'name': 'file0.txt', 'short_name': 'file0.txt', 'size': 10L } ] rrr)rr#rget_treer)rrritemrrs rrzSMBHelper.get_trees,IIh'' 5 5D** 5!]]H]==T !]]844T  rcdi}||D]}|d}|||}||dr*|||e||}||j||<|S)z> Get ntacl for each file and dir via smb conn rrr)rr#rupdate get_ntaclsrrPrM)rrntaclsrrrrs rrzSMBHelper.get_ntaclssIIh'' B BD** B dooxo@@AAAA<<11#+#3#3DL#A#Ax   rc|D]Z}|d}||dr|j|@|j|[dS)Nrr)rrrdeltreeunlink)rrrs r delete_treezSMBHelper.delete_treesvIIKK + +D** + %%d++++ $$T****  + +r)FNNr)r)rrrrrrrrrr#rrrrrrrrrr@s ).(,GGGG)- 7 7 7 7NNNN>>>444 000 : : : :@    +++++rrc"eZdZdZddZdZdS) NtaclsHelperc||_||_tj|_|j|d|jdv|_dS)Nsmbzserver services)r;rMs3param get_contextr$loadrr_)rr; smb_conf_pathrMs rrzNtaclsHelper.__init__sU  %''  ]###$'++.?"@"@@rFNc||j}t|j||||j}|r||jn|S)N)rEr;)r_rIr$r;rPrM)rr!rDrPrErs rrIzNtaclsHelper.getntaclsW  ##~  GT<-L""" 29Fx ---hFrcJt|j|||j||jS)N)r_)rir$rMr_)rr!rrDs rrizNtaclsHelper.setntacls,x|"&.222 2r)FN)rrrrrIrirrrrrsMAAA G G G G22222rrct|dzd5}||ddddS#1swxYwYdS)N.NTACLw)openwrite)dstntacl_sddl_strfs r_create_ntacl_filers cHnc " " a                   s 7;;c|dz}tj|sdSt|d5}|cdddS#1swxYwYdS)Nrr)r r!existsrread)src ntacl_filers r_read_ntacl_filersxJ 7>>* % %t j#  !vvxxsAAAc \t}t|trtj|}t ||}d}t j}|g}|g}|r|} |} | | D]r} | | | d} tj | | d} | | dr?|| || tj| nR|| }t#| d5}||dddn #1swxYwY || d}t)| |#t*$rL} |d | d | jd |d | zd zYd} ~ ld} ~ wwxYw|t3j|d5}tj|D]9}tj ||}|||: dddn #1swxYwYt9j|dS)aa Backup all files and dirs with ntacl for the serive behind smb_conn. 1. Create a temp dir as container dir 2. Backup all files with dir structure into container dir 3. Generate file.NTACL files for each file and dir in contianer dir 4. Create a tar file from container dir(without top level folder) 5. Delete contianer dir rrrrwbNTrPzFailed to get the ntacl for z: r6z!The permissions for %s may not bez restored correctlyw:gzrmodearcname)r rKrLrrMrtempfilemkdtemppoprr#r r!rappendrrrrrrr errorargswarningtarfilelistdiraddshutilrmtree)rdest_tarfile_pathrMlogger smb_helper remotedirlocaldirr_dirsl_dirsr_dirl_direr_namel_namedatarrtarrr!s r backup_onliners9  F'3,"7++8W--JI!!H[FZF 6  %00 6 6A__UAfI66FW\\%633F  8-- " f%%% f%%%    !**622&$''"1GGDMMM""""""""""""""" 6!+!3!3FD!3!I!I"6>::::  6 6 6 $ffafQii1222BVK4 566666666 6+ 66 ,6 : : :(cJx(( ( (D7<<$//D GGD$G ' ' ' ' ((((((((((((((((  M(s>(F  F F 'F?? H AHH1AJ  JJc |dddd}tj}t }t |||}t j|D]\}} } t j ||} t j || } | D]} t j || }t j | | }tj |||| ||d}t||| D]}t j ||}t j | |}tj|||| ||d}t||t!|d5}|}t!|d5}||d d d n #1swxYwYd d d n #1swxYwYt'j|d 5}t j|D]9}t j ||}||| : d d d n #1swxYwYt-j|d S) z< Backup files and ntacls to a tarfile for a service rr6startTrrbrNrrr)rstriprsplitrrr rr walkr!relpathr#r rrIr create_filerrrr r rrr)src_service_pathrrrMr;tempdirrD ntacls_helperdirpathdirnames filenames rel_dirpath dst_dirpathdirnamerrrfilenamesrc_filerdst_filerrr!s rbackup_offliner6)sO%%c**11#q99"=G  G&((L -AAM(*0@(A(A))$9goog5EoFF gll7K88   4 4G',,w00C',,{G44C JsL' 2 2 2*33Ct3TTN sN 3 3 3 3" ) )H',,w11C',,{H55C  S, 8 8 8*33Ct3TTN sN 3 3 3c4 )H}}#t__)NN4((())))))))))))))) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ,6 : : :(cJw'' ( (D7<<..D GGD$G ' ' ' ' ((((((((((((((((  M'sI%H18H  H1H H1!H "H11H5 8H5 AJ11J58J5c t}|dddd}tj}|}t j|}t|||} t} tj |5} | |dddn #1swxYwYtj|D]\} } }tj| |}tjtj||}| D]}|dstj| |}tj||}tj|st+j|| |t/|}|r| ||| |d|zd z|D]K}|ds2tj| |}tj||}tj|st+j|| |t/|}|r| ||| n|d |zd zt|d 5}|}t|d 5}||dddn #1swxYwYdddn #1swxYwYMt=j|dS) z> Restore files and ntacls from a tarfile to a service rr6r!)r!Nr"rz)Failed to restore ntacl for directory %s.z) Please check the permissions are correctz$Failed to restore ntacl for file %s.r$r) r r%r&rrget_domain_sidrrMrr r r extractallr r'r!r(normpathr#endswithisdirr rrrir isfiler)rrrr)src_tarfile_pathdst_service_path samdb_connrrr;r+ dom_sid_strrMr,rDrr-r.r/r0r1r2rrrr3r4rr5s rbackup_restorerBYs  F%%c**11#q99"=G  G++--K{++G -AAM&((L & ' '#1 ' """###############)+(8(8(-(-$9googWo== g&& GLL); 7 799   G GG##H-- Ggll7G44gll;88w}}S));JsL':::!1#!6!6!G!**3 MMMMNNCcIEFGGG" - -H$$X.. -gll7H55gll;99w~~c**A$S,@@@!1#!6!6!P!**3 MMMMNN#IC#O#N$OPPP#t__-#==??Dc4-H t,,,------------------------------! -* M'sH,CCC %M(/M  M(M M(M M((M, /M, )NNTN)NNTFNN)T)4rr r rrsamba.xattr_nativersamba.xattr_tdbsamba.posix_eadb samba.samba3rr samba.dcerpcrrr samba.ndrrrr r r samba.loggerr r samba.auth_utilr FILE_ATTRIBUTE_SYSTEMrFILE_ATTRIBUTE_ARCHIVEFILE_ATTRIBUTE_HIDDENr SECINFO_OWNERrYrZr[rCr/rr)r3rIrirrrrrrrr6rBrrrrOs$  ))))))//////////********888888))))))//////"7!:;!89"78 "/!/0!./"./ ))))) )))MMM8222" #0#0#0#0N%)05"&d8d8d8d8N444n@~+~+~+~+~+~+~+~+B22222222:   999x---`<<<<<r