bgjddlmZddlZddlmZddlmZddlmZddl m Z ddl m Z ddl mZmZddlmZdd lmZmZmZmZGd d eZGd d eZGddeZGddeZGddeZGddeZGddeZGddeZdS)N) provision)dsdb)SamDB)system_session)security)ndr_pack ndr_unpack)_get_user_realm_domain)Command CommandError SuperCommandOptioncxeZdZdZdZejejejdZ e ddde dd gZ d gZ d Zdd Zd S)cmd_delegation_showz*Show the delegation setting of an account.z%prog [options] sambaoptscredopts versionopts-H--URL%LDB URL for database or target serverURLHhelptypemetavardest accountnamec|j}|j}d}||tjzs |jd|ddS|tjzs |jd|ddSd}|jD]}|j} | d|dtj } t| d kr | d j }n7#tj$r%} | j\} } | tjkrYd} ~ nd} ~ wwxYwd } |jtjks|jtjkr$|jd |d|dd} n,|jtjkr|jtjkrd} |jtjz}|jtjz}|jtjz}|jtjz}|r|s|sd} nJ|r#|jd|d|dd} |r#|jd|d|dd} |jsd} | s<|r|jdd }|jd|ddS)NzISecurity Descriptor of attribute msDS-AllowedToActOnBehalfOfOtherIdentityzWarning: DACL not present in z! zWarning: DACL in z lacks SELF_RELATIVE flag! Tz)scoperFzWarning: ACE in z denies access for trustee zWarning: ACE for trustee z. has unexpected CONTAINER_INHERIT flag set in z* has unexpected INHERITED_ACE flag set in z0 Principals that may delegate to this account: z*msDS-AllowedToActOnBehalfOfOtherIdentity:  )daclrrSEC_DESC_DACL_PRESENTerrfwriteSEC_DESC_SELF_RELATIVEacestrusteesearchldb SCOPE_BASElendnLdbErrorargsERR_NO_SUCH_OBJECTSEC_ACE_TYPE_ACCESS_DENIED!SEC_ACE_TYPE_ACCESS_DENIED_OBJECTSEC_ACE_TYPE_ACCESS_ALLOWED"SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECTflagsSEC_ACE_FLAG_INHERIT_ONLYSEC_ACE_FLAG_OBJECT_INHERITSEC_ACE_FLAG_CONTAINER_INHERITSEC_ACE_FLAG_INHERITED_ACE access_maskoutf)selfsamsecurity_descriptorr% desc_type warning_infofirstacer+reserrnum_ignore inherit_onlyobject_inheritcontainer_inherit inherited_aces 9/usr/lib/python3/dist-packages/samba/netcmd/delegation.pyshow_security_descriptorz,cmd_delegation_show.show_security_descriptor8sW"'', C   0> 0CkG (jj!3!3!3!3'*~!77s88q==!!fiG <   Q#00010000 FH???x8#MMM !C<!C!C6=!C!C!CDDD(hBBBH$OOO9x'IIL Y)MMN HCC I(KKM "N ";L "$"IOO%9%9%9'3%9%9%9:::"F "IOO%9%9%9'3%9%9%9:::"F?  0"IOO%2333!E !/#*!/!/!/000{> 0> 0s%C  C?C::C?NcZ|}||}tj||d}||j} n|} t | t||} t|| \} } } | dtj | ztj gd}t|dkrtd|zt|dksJt|dd d}|dd }|dd d }|jd t%|djz|jdt)|t*jzz|jdt)|t*jzz|r<|jd|D]}|jd|z |^ t1t2j|}|| |dS#t8$r|jdYdSwxYwdS)Nrealm session_info credentialslpsAMAccountName=%s)userAccountControlmsDS-AllowedToDelegateTo(msDS-AllowedToActOnBehalfOfOtherIdentity expressionr"attrsr Unable to find account name '%s'r#rXrYrZidxzAccount-DN: %s zUF_TRUSTED_FOR_DELEGATION: %s z.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: %s z) Services this account may delegate to: zmsDS-AllowedToDelegateTo: %s znWarning: Security Descriptor of attribute msDS-AllowedToActOnBehalfOfOtherIdentity could not be unmarshalled! ) get_loadparmget_credentialsrprovision_paths_from_lpgetsamdbrrr r,r- binary_encode SCOPE_SUBTREEr/r intr>r(strr0boolrUF_TRUSTED_FOR_DELEGATION)UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATIONr r descriptorrP RuntimeErrorr')r?rrrrrrVcredspathspathr@cleanedaccountrRdomainrFuacallowed allowed_fromarAs rOrunzcmd_delegation_show.runs  # # % %((,,1"bffWooFF 9;DDDD~'7'7 %"...+AAD+F+F'jj$7*>::%;"0 L L LMM s88q==AKOPP P3xx1}}}}#a&**1221566a&**7881vzz"LRSzTT  *SQ^^;<<< 9sT%CCDDE F F F IS4#QQRRS T T T  F IOOH I I I F F  @1 DEEEE  # H&01Dl&S&S# --c3FGGGGG   @ @ @ !?@@@@@@ @ $ #sJ$J('J(NNNN)__name__ __module__ __qualname____doc__synopsisoptions SambaOptionsCredentialsOptionsVersionOptionstakes_optiongroupsrri takes_options takes_argsrPrxrOrr&s44.H).- tW#JQT3 ( ( (M  JP0P0P0f0H0H0H0H0H0HrrcxeZdZdZdZejejejdZ e ddde dd gZ d d gZ dd Zd S)cmd_delegation_for_any_servicez3Set/unset UF_TRUSTED_FOR_DELEGATION for an account.(%prog [(on|off)] [options]rrrrrrrronoffNc0d}|dkrd}n|dkrd}ntd|z|}||} tj||d} || j} n|} t| t| |} t|| \} }}dtj | z}tj } | ||d |d dS#t$r}t|d}~wwxYw) NFonToff0invalid argument: '%s' (choose from 'on', 'off')rRrSrWzTrusted-for-Delegation flags_strrstrict)r rarbrrcrdrerrr r-rfrrktoggle_userAccountFlags Exceptionr?rrrrrrrrVrorprqr@rrrRrs search_filterflagrGs rOrxz"cmd_delegation_for_any_service.runsZ D==BB e^^BBQTYYZZ Z  # # % %((,,1"bffWooFF 9;DDDD~'7'7 %"...+AAD+F+F',c.?.O.OO - $  ' ' t2J+-d ( < < < < < $ $ $s## # $sC77 DDDryrzr{r|r}r~rrrrrrrirrrxrrrOrrs==9H).- tW#JQT3 ( ( (M  )JGK!$!$!$!$!$!$rrcxeZdZdZdZejejejdZ e ddde dd gZ d d gZ dd Zd S)cmd_delegation_for_any_protocolzOSet/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account.rrrrrrrrrrNc4d}|dkrd}n|dkrd}ntd|z|}||d} tj||d} || j} n|} t| t| |} t|| \} }}d tj | z}tj } | ||d |d dS#t$r}t|d}~wwxYw) NFrTrr)fallback_machinerRrSrWz&Trusted-to-Authenticate-for-Delegationr)r rarbrrcrdrerrr r-rfrrlrrrs rOrxz#cmd_delegation_for_any_protocol.runs_ D==BB e^^BBQTYYZZ Z  # # % %((d(CC1"bffWooFF 9;DDDD~'7'7 %"...+AAD+F+F',c.?.O.OO = $  ' ' t2Z+-d ( < < < < < $ $ $s## # $sC99 DDDryrrrrOrrsYY9H).- tW#JQT3 ( ( (M  )JGK!$!$!$!$!$!$rrcxeZdZdZdZejejejdZ e ddde dd gZ d d gZ dd Zd S)cmd_delegation_add_servicezZAdd a service principal to msDS-AllowedToDelegateTo so that an account may delegate to it.)%prog [options]rrrrrrrr principalNc |}||}tj||d} || j} n|} t | t||} t|| \} } }| dtj | ztj dg}t|dkrtd|zt|dksJtj}|dj|_tj|gtjd|d< | |dS#t($r}t|d}~wwxYw NrRrSrWrYr[rr^r#)rarbrrcrdrerrr r,r-rfrgr/r Messager0MessageElement FLAG_MOD_ADDmodifyrr?rrrrrrrVrorprqr@rrrRrsrFmsgrGs rOrxzcmd_delegation_add_service.run<s # # % %((,,1"bffWooFF 9;DDDD~'7'7 %"...+AAD+F+F'jj$7*>::%;"0 :;== s88q==AKOPP P3xx1}}}}kmmQ*-*::%;"0 :;== s88q==AKOPP P3xx1}}}}kmmQ*-*z3cmd_delegation_add_principal.run..s*88Cs{i'888888rzACE for principal 'zl' already present in Security Descriptor of attribute msDS-AllowedToActOnBehalfOfOtherIdentity for account ''.01RRefused to update attribute msDS-AllowedToActOnBehalfOfOtherIdentity for account ':': a conflicting attribute update occurred simultaneously.)4rarbrrcrdrerrr r,r-rfrgr/r rdom_sidSID_BUILTIN_ADMINISTRATORSrm SD_REVISIONrevisionr&r)r owner_sidr rnr%aclSECURITY_ACL_REVISION_ADSnum_acesschema_format_valuedecoder*anyrEr6r8SEC_ADS_GENERIC_ALLr=r+appendrrr0rrrrr1r2ERR_NO_SUCH_ATTRIBUTE)r?rrrrrrrVrorprqr@rrrI account_resdatar security_descr% cleanedprinc princ_resr*rEnew_datarrGrHrs @rOrxz cmd_delegation_add_principal.runs # # % %((,,1"bffWooFF 9;DDDD~'7'7 %"... 6k3GG1jj*  n - -.#=> !@@ {  q M{MMMNN N;1$$$$1~!! 6A"?? < ()LMMI$/11M%-%9M ""*"@"*"A#BM &/M #DD 5 *8+> E E  5 5 5"$43>$4$4$4555 5 !%D <<>>D$>DMDM4IsCC aJJ*="0>>+?%(%6&1]44  y>>Q  MMMMNN N9~~""""$  # #!   ! 44 6 66z4cmd_delegation_del_principal.run..}s%DDD3;)+C+C+C+C+Crz"Unable to find ACE for principal 'z\' in Security Descriptor of attribute msDS-AllowedToActOnBehalfOfOtherIdentity for account 'rrrrr)#rarbrrcrdrerrr r,r-rfrgr/r r rrmrnr%rrrr*rrrr0rrrrr1r2r)r?rrrrrrrVrorprqr@rrrIrrrr%rrold_acesr*rrrGrHrs @rOrxz cmd_delegation_del_principal.run9so # # % %((,,1"bffWooFF 9;DDDD~'7'7 %"... 6k3GG1jj*  n - -.#=> !@@ {  q AKOPP P;1$$$$1~!! 6A"?? < G+6 G G GHH H 1&x':DAAMM 1 1 1 0+6 0 0 011 1 1 ! < ;,7 ; ; ;<< <4IsCC aJJ*="0>>+?%(%6&1]44  y>>Q  MMMMNN N9~~""""$  # #!   ! 44 6 66rsm* %%%%%%!!!!!!********666666UHUHUHUHUH'UHUHUHp3$3$3$3$3$W3$3$3$l3$3$3$3$3$g3$3$3$l4$4$4$4$4$4$4$4$n4$4$4$4$4$4$4$4$nL(L(L(L(L(7L(L(L(^}(}(}(}(}(7}(}(}(@ B B B B B\ B B B B Br