b[ddlZddlmZddlZddlZddlmcmZ ddl Z ddl Z ddl m Z ddlmZmZmZmZddlmZddlmZddlmZddlmZmZddlmZddlZddl Zdd l mZmZm Z dd l!m"Z"dd lm#Z#dd l$m%Z&dd l$m'Z(ddlm)Z)ddl*Z*ddl+m,Z,ddlm-Z-ddl.m/Z/ddl0m1Z1m2Z2m3Z3ddl4m5Z5ddl6m7Z7m8Z8m9Z9m:Z:ddl;mZ>ddl?m@Z@dd lm%Z%ddlAmBZBddl!mCZCddlDmEZEmFZFddlGmHZHddlImJZJmKZKddlLmMZMmNZNddlOZOdZPdZQd ZRd!ZSdd"ZTd#ZUdddejVejWzejXzejYzfd$ZZd%Z[d&Z\d'Z]ej^fd(Z_d)Z`e(jae(jbze(jcze(jdzZed*Zf dd,Zgd-Zhd.ZiGd/d0eZjGd1d2ejZkGd3d4ejZlGd5d6ejZmGd7d8ejZnGd9d:ejZoGd;dejZqGd?d@ejZrGdAdBejZsGdCdDejZtGdEdFejZuGdGdHejZvGdIdJevZwGdKdLejZxGdMdNejZyGdOdPeZzGdQdReZ{GdSdTeZ|GdUdVeZ}GdWdXeZ~GdYdZeZGd[d\eZGd]d^eZGd_d`eZGdadbeZGdcddeZGdedfeZGdgdheZGdidjeZGdkdleZGdmdneZGdodpeZGdqdreZGdsdteZGdudveZGdwdxeZGdydzeZGd{d|eZGd}d~eZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZdS)N)system_session)Command CommandErrorOption SuperCommand)SamDB)dsdb)security) ndr_unpackndr_pack)preg) AUTH_SESSION_INFO_DEFAULT_GROUPSAUTH_SESSION_INFO_AUTHENTICATED#AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) netcmd_finddc)policy)param)libsmb_samba_internal) NTSTATUSError) dsacl2fsacl)nbt)Net)GPParserGPNoParserExceptionGPGeneralizeException) GPPolParser) GPIniParser GPTIniParserGPFDeploy1IniParserGPScriptsIniParser)GPAuditCsvParser)GptTmplInfParser) GPAasParser)SMB_SIGNING_REQUIRED) attr_default) get_bytes get_string) ConfigParser)StringIOBytesIO) calc_modestat_from_modecbtj|}|sd}nd|}|S)zreturn gpo flags stringNONE )r get_gpo_flagsjoin)valueflagsrets 2/usr/lib/python3/dist-packages/samba/netcmd/gpo.pygpo_flags_stringr6Js5   ' 'E hhuoo Jcbtj|}|sd}nd|}|S)zreturn gplink options stringr.r/)rget_gplink_optionsr1)r2optionsr4s r5gplink_options_stringr;Ts7'..G  hhw Jr7cg}|dkr|S|d}|D]}|s|d}t|dks|ddst d|z||ddd t |d d |S) z.parse a gPLink into an array of dn and options];rz[LDAP://zBadly formed gPLink '%s'Ndnr:)stripsplitlen startswith RuntimeErrorappendint)gplinkr4agds r5 parse_gplinkrP^s C ||~~  SA ;;   GGCLL q66Q;;adooj99;9A=>> > !A$qrr(s1Q4yy99:::: Jr7cDdd|D}|S)z4Encode an array of dn and options into gPLink stringr=c3<K|]}d|d|dfzVdS)z[LDAP://%s;%d]rDr:N).0rNs r5 z encode_gplink..rs5MM"agq|%<<MMMMMMr7)r1)gplistr4s r5 encode_gplinkrWps' ''MMfMMM M MC Jr7c|;|4 t||}n"#t$r}td|d}~wwxYwd|z}|S)zjIf URL is not specified, return URL for writable DC. If dc is provided, use that to construct ldap URLNzCould not find a DC for domainldap://)r ExceptionrI)lpcredsurldces r5dc_urlr`vsg { : H"2u-- H H H"#CQGGG H"n Js 616c|}|tj|d|tj|d|z|S)zConstruct the DN for gpoCN=Policies,CN=SystemzCN=%s)get_default_basedn add_childldbDn)samdbgporDs r5 get_gpo_dnris[  ! ! # #BLL677888LLw}--... Ir7c|}|tj|d|}d}tj}|dtj|z}|dtj|z}||}tj} ||||gdd|zg} n,#t$r} |d |z} nd } t| | d} ~ wwxYw| S) z0Get GPO information using gpo, displayname or dnrbz"(objectClass=groupPolicyContainer)Nz.(&(objectClass=groupPolicyContainer)(name=%s))z5(&(objectClass=groupPolicyContainer)(displayname=%s)))nTSecurityDescriptor versionNumberr3name displayNamegPCFileSysPathgPCMachineExtensionNamesgPCUserExtensionNames sd_flags:1:%d)basescope expressionattrscontrolsz!Cannot get information for GPO %szCannot get information for GPOs) rcrdrerfSCOPE_ONELEVEL binary_encode SCOPE_BASEsearchrZr) rgrh displaynamerDsd_flags policies_dnbase_dn search_expr search_scopemsgr_mesgs r5 get_gpo_infors#**,,K#&(?@@AAAG6K%L FIZ[^I_I__ MPSPabmPnPnn  ~~ $ll|&1";";";&5x%?$@ B B $$$ ?6BBBCs,*- AA  AF%% G/F??Gc"g}|dr|dddd}n3|dr|dddd}t|dkrtd|z|S) z;Parse UNC string into a hostname, a service, and a filepath\\r@N\z///zInvalid UNC string: %s)rHrFrG ValueError)unctmps r5 parse_uncrs C ~~f$!""gmmD!$$   $!""gmmC## 3xx1}}1C7888 Jr7ctjd||rtStjd||rtStjd||rt Stjd||rt Stjd||rt Stjd||rt Stjd||rtStjd ||rtStjd ||rtStjd ||rtStS) Nzfdeploy1\.ini$r3z audit\.csv$z GptTmpl\.inf$z GPT\.INI$z scripts\.ini$zpsscripts\.ini$z GPE\.INI$z.*\.ini$z.*\.pol$z.*\.aas$) rematchrr!r"rr rrrr#)rmr3s r5 find_parserrsz x!4u555%"$$$ xE222"!!! x $e444"!!! x d%000~~ x $e444$!### x"D666$!### x d%000 zz x T///}} x T///}} x T///}} ::r7cd}tj|stj||g}|g}|r|}|}||t }|d|D]"} |dz| dz} tj|| d} | dtj zr?| | | | tj| | | } t| |zd5} | | dddn #1swxYwYt| d}|| || d z$|dSdS) N .SAMBABACKUPattribsc|dSNrmrSxs r5z2backup_directory_remote_to_local..# AfIr7keyrrmattribwb.xml)ospathisdirmkdirpoplist attr_flagssortr1libsmbFILE_ATTRIBUTE_DIRECTORYrJloadfileopenwriterparse write_xml)conn remotedirlocaldirSUFFIXr_dirsl_dirsr_dirl_dirdirlistr_r_namel_namedatafparsers r5 backup_directory_remote_to_localrs F 7== " " ]F\F 2  ))E:)66 -- ... 2 2AT\AfI-FW\\%633F{V<< 2 f%%% f%%%    }}V,,&6/400"AGGDMMM"""""""""""""""%QvY// T"""  &1111+ 22222sE11E5 8E5 ctj|stj||g}|g}|r%|}|}||t }|d|D]}|dz|dz} tj||d} |dtj zr?| | | | tj| | | } t| d| |#dSdS)Nrc|dSrrSrs r5rz0copy_directory_remote_to_local..Frr7rrrmrr)rrrrrrrrr1rrrJrrr) rrrrrrrrr_rrrs r5copy_directory_remote_to_localr<sZ 7== " " [FZF /  ))E:)66 -- ... / /AT\AfI-FW\\%633F{V<< / f%%% f%%%    }}V,,VT""((....! /////r7Fc||s|||g}|g}|rV|}|}tj|} | | D]} tj|| } |dz| z} tj| rT| | | |  || #t$r|sYwxYw|r' | | #t$rYnwxYwt| d } || | |TdSdS)Nrrb)chkpathrrrlistdirrrr1rrJrrrreadsavefile)rrrignore_existing_dirkeep_existing_filesrrrrrr_rrrs r5copy_directory_local_to_remoterTs << " " 9ZF[F ,  *U##  , ,AW\\%++FT\A%Fw}}V$$ , f%%% f%%%JJv&&&&$.' f--- (FD))..00 fd++++7 ,,,,,s$:D D D &D<< E E c|ddd}d}|D]4}|dz|z}||s||5dS)Nrrr=)replacerFrr)rrelemsrr_s r5create_directory_hierrysw   c4 ( ( . .t 4 4E D d{Q||D!!  JJt   r7cZ|}|t tj}||jtj||||}n #t$rtd|zwxYw|||S)Nr[r\z"Error connecting to '%s' using SMB) get_smb_signingset_smb_signingr$s3param get_contextload configfilerConnrZr) dc_hostnameservicer[r\saved_signing_states3_lprs r5smb_connectionrs //11 .///O#%% 2=!!!{;EGGG OOO?+MNNNO -... Ks AA66BceZdZdZdZdS) GPOCommandc|,tj}td|z|jtj|std|ztj|d}tj|st j |tj||}tj|rtd|z t j |n)#ttf$r}td|d}~wwxYw||fS)aEnsure that the temporary directory structure used in fetch, backup, create, and restore is consistent. If --tmpdir is used the named directory must be present, which may contain a 'policy' subdirectory, but 'policy' must not itself have a subdirectory with the gpo name. The policy and gpo directories will be created. If --tmpdir is not used, a temporary directory is securely created. Nz5Using temporary directory %s (use --tmpdir to change))filez'Temporary directory '%s' does not existrz8GPO directory '%s' already exists, refusing to overwritez%Error creating teporary GPO directory) tempfilemkdtempprintoutfrrrrr1rIOErrorOSError)selftmpdirrhrgpodirr_s r5construct_tmpdirzGPOCommand.construct_tmpdirsJ >%''F IFRy " " " "w}}V$$ SH6QRR R7<<11w}}X&&  HX   h,, 7==  UJVSUU U K HV    ! K K KFJJ J Kv~sDE+D;;Ec t|jt|j|j|_dS#t $r}td|jz|d}~wwxYw)z$make a ldap connection to the serverr] session_info credentialsr[zLDAP connection to %s failed N)rr]rr\r[rgrZr)rr_s r5 samdb_connectzGPOCommand.samdb_connectsx N48,:,<,<+/:$'CCCDJJJ N N N>I1MM M Ns37 AAAN)__name__ __module__ __qualname__rrrSr7r5rrs8!!!FNNNNNr7rcleZdZdZdZejejejdZ e ddde dd gZ d d Z d S) cmd_listallzList all GPOs.%prog [options] sambaopts versionoptscredopts-H--URL%LDB URL for database or target serverURLHhelptypemetavardestNc l||_||jd|_t |j|j||_|t|jd}|D],}|j d|ddz|j d|ddz|j d|d dz|j d |j z|j d t|d d z|j dttt|ddz|j d.dS)NTfallback_machineGPO : %s rmrdisplay name : %s rnpath : %s rodn : %s version : %s rl0flags : %s r3 ) get_loadparmr[get_credentialsr\r`r]rrrgrrrDr%r6rK)rrrrrrrs r5runzcmd_listall.runs((**--dg-MM $'4:q11 4:t,, " "A IOO1AfIaL@ A A A IOO1Am4DQ4GG H H H IOO1A6F4G4JJ K K K IOO1AD8 9 9 9 IOO1LOUX4Y4YY Z Z Z IOO14DSVWY`bcIdIdEeEe4f4ff g g g IOOD ! ! ! ! " "r7NNNNrr r __doc__synopsisr: SambaOptionsVersionOptionsCredentialsOptionstakes_optiongroupsrr takes_optionsr)rSr7r5r r s H)-. tW#JQT3 ( ( (M """"""r7r creZdZdZdZdgZejejej dZ e ddde dd gZ d d Zd S)cmd_listzList GPOs for an account.z&%prog [options] accountnamerrrrrrrNc ||_||jd|_t |j|j||_| |jdtj |dtj |d}|dj }n #t$rtd|zwxYw |j|tjd g d}d |d v}n #t$rtd |zwxYwtt z} |j$|jd r | t$z} t&j|j|j|| } | j} g} d} tj|jt1|} |j|tjddg d}d|vrt5t1|dd}|D]}| s|dt6jzs|dt6jzr1 t<jt<j zt<j!z}|j|dtjgdd|zg}|ddd}tEt<j#|}n3#t$r&|j$%d|dzYwxYw t&j&|| t<j't<j(zt<j)zn3#tT$r&|j$%d|j zYdwxYwtWtY|ddd}|r|t6j-zr|s|t6j.zr| /|ddd|dddftWtY|dd}|t6j0zrd} ||j1krn|}|rd }nd}|j$%d|d|d | D]/}|j$%d!|dd|d"d 0dS)#NTrz(&(|(samAccountName=z)(samAccountName=z$))(objectClass=User)))rurzFailed to find account %s objectClass)rsrtrvcomputerz!Failed to find objectClass for %sldap)lp_ctxrDsession_info_flagsr gPOptionsr:rD)rmrnr3rkrr)rsrtrvrwrkz8Failed to fetch gpo object with nTSecurityDescriptor %s zFailed access check on %s r3rnrmFuserz GPOs for r/r&z rB)2r'r[r(r\r`r]rrgr{reryrDrZrrzrrrHrsambaauth user_sessionsecurity_tokenrfrparentrPr GPLINK_OPT_ENFORCEGPLINK_OPT_DISABLEr SECINFO_OWNER SECINFO_GROUP SECINFO_DACLr descriptorrr access_checkSEC_STD_READ_CONTROL SEC_ADS_LISTSEC_ADS_READ_PROPrIrKr%GPO_FLAG_MACHINE_DISABLEGPO_FLAG_USER_DISABLErJGPO_BLOCK_INHERITANCErc)rr5rrrrruser_dn is_computerr;sessiontokengposinheritrDglistrNr}gmsg secdesc_ndrsecdescr3 gpoptionsmsg_strs r5r)z cmd_list.runsc((**--dg-MM $'4:q11  J*###%(%6{%C%C%C%CSEVWbEcEcEcEc0e#ffC!fiGG J J J:[HII I J R*##}o#^^_`aC$M(::KK R R RB[PQQ Q R?=> 8 DH$7$7$?$?  "E E *))$*TW=O*QQ& VDJG - - 4 4 6 61 *##3>(T_I`#aabcdC3$SXq)9%:%:;;$Q$QA"!AiL4;R,R! |d&==!  !$,$:$,$:%;$,$9%: $z00agS^8P8P8P;JX;U:V 1 X X'+1g.D&Ea&H ",X-@+"N"N$!!! (c()$)0111 ! !33GU4<4Q4<4I5J4<4N5OPPPP(!!! (E(NOOO !  T!Wgq A ABBE"!0M(M! &!ED4N,N! KKa!7!:DGFOA>I455 TZ224444Bc1 f   GGG ggg{{{CDDD : :A IOOOQqTTT1Q4448 9 9 9 9 : :s?0ACC!%8DD;:BL-L32L37AM==,N-,N-r*)rr r r,r- takes_argsr:r.r/r0r1rrr2r)rSr7r5r4r4s##7HJ)-. tW#JS 2 2 2M a:a:a:a:a:a:r7r4cleZdZdZdZejejejdZ dgZ e dde gZ d d ZdS) cmd_showzShow information for a GPO.%prog [options]rrhrrrrNc ||_||jd|_t |j|j||_| t|j|d}n #t$rtd|zwxYw |dd}ttj |}|} n#t$rd} YnwxYw|jd|ddz|jd |d dz|jd |d dz|jd |jz|jdt%|ddz|jdt't)t%|ddz|jd| z|jddS)NTrrGPO '%s' does not existrkzrrmr rnr!ror"r#rlr$r%r3zACL : %s r&)r'r[r(r\r`r]rrrgrZrr r rHas_sddlrrrDr%r6rK) rrhrrrrrrXrY secdesc_sddls r5r)z cmd_show.runks%((**--dg-MM $'4:q11  @tz3//2CC @ @ @83>?? ? @ &45a8K !4kBBG"??,,LL & & &%LLL & -F A>??? -M0B10EEFFF -4D0Ea0HHIII -6777 - S/SV0W0WWXXX -0@\RUW^`aEbEbAcAc0d0ddeee - <=== s0B B)- [options]rrrrr`Nc||_||jd|_t |j|j||_| |j|tj ddgd}n #t$rtd|zwxYwd|vr|dr|j d|ztt!|dd}|D]}t#|j|d  }|j d |dd dz|j d |dddz|j dt%|dz|j ddS|j d|zdS)NTrrrrrrzGPO(s) linked to DN %s rD)rDz GPO : %s rmz Name : %s rnz Options : %s r:r&zNo GPO(s) linked to DN=%s )r'r[r(r\r`r]rrgr{rerzrZrrrrPrrr;) rrrrrrrrVrNs r5r)zcmd_getlink.runs((**--dg-MM $'4:q11  O*##S^/@+3*$66679CC O O O>MNN N O s??s8}? IOO6E F F F!#c(mA&6"7"788F & &"4:!D':::  4s1vf~a7H HIII  4s1vm7LQ7O OPPP  47LQy\7Z7Z Z[[[ %%%%  & & IOO9LH I I I I I 0/B B=r*rerSr7r5rgrgs))/H)-. !!J tALLLMBFJJJJJJr7rgc eZdZdZdZejejejdZ ddgZ e dde e d d d d d e ddd d dgZ ddZdS) cmd_setlinkz(Add or update a GPO link to a container.$%prog [options]rrrhrrr`z --disabledisabledF store_truezDisable policyrdefaultactionrz --enforceenforcedzEnforce policyNc  ||_||jd|_t |j|j||_|d} |r| tjz} |r| tj z} t|j |dn #t$rtd|zwxYwtt|j |} |j |t"jddgd} n #t$rtd |zwxYwd } d| vrt't| dd} d} d }| D];}|d | kr | |d <d}n<|rtd |z| d| | dng} | | | dt/| }t#j}t#j|j ||_| r$t#j|t"jd|d<n#t#j|t"jd|d< |j |n"#t$r}td|d}~wwxYw|j dtC"|||||dS)NTrrrhrbrrrrFrDr:z)GPO '%s' already linked to this containerrC new_valuezError adding GPO LinkzAdded/Updated GPO link )#r'r[r(r\r`r]rr rDrCrrgrZrrrir{rerzrPrinsertrJrWrrfrDrr FLAG_MOD_ADDrrrrgr))rrrhrrnrsrrrgplink_optionsrrexisting_gplinkrVrrNrrr_s r5r)zcmd_setlink.runs?((**--dg-MM $'4:q11   6 d5 5N  6 d5 5N @  - - -a 0 0 0 @ @ @83>?? ? @Z C0011 O*##S^/@+3*$66679CC O O O>MNN N O  s??!#c(mA&6"7"788F"OE  T7==??fllnn44#1AiL EE5 L"#NQT#TUUU a>!J!JKKKKF MMNCC D D D"6** KMMvdj,//  X / C?? ? @vdj)44 TZs333 -... ,9h LLLLLs 0B B*r*rerSr7r5r|r|s++5H)-. u%J tALLLMDHMMMMMMr7r|cpeZdZdZdZejejejdZ dgZ e dde gZ d d ZdS) cmd_listcontainersz%List all linked containers for a GPO.r_rrhrrr`Nc||_||jd|_t |j|j||_|t|j|}t|rG|j d|z|D]%}|j d|dz&dS|j d|zdS)NTrzContainer(s) using GPO %s z DN: %s rDzNo Containers using GPO %s ) r'r[r(r\r`r]rrrgrGrr)rrhrrrrrrs r5r)zcmd_listcontainers.runKs((**--dg-MM $'4:q11  S11 s88 B IOO9C? @ @ @ : : 4 89999 : : IOO:S@ A A A A Ar7r*rerSr7r5rr:s//&H)-. J tALLLM9=BBBBBBr7rcpeZdZdZdZejejejdZ dgZ e dde gZ d d ZdS) cmd_getinheritancez%Get inheritance flag for a container.rhrrrrr`NcR||_||jd|_t |j|j||_| |j|tj ddgd}n #t$rtd|zwxYwd}d|vrt|dd}|tjkr|jddS|jd dS) NTrrr<rrrz$Container has GPO_BLOCK_INHERITANCE zContainer has GPO_INHERIT )r'r[r(r\r`r]rrgr{rerzrZrrKr rOrr)rrrrrrr inheritances r5r)zcmd_getinheritance.runos8((**--dg-MM $'4:q11  O*##S^/@+6-$999:MNN N O #  c+.q122K $4 4 4 IOOC D D D D D IOO9 : : : : :rjr*rerSr7r5rr^s///H)-. !!J tALLLMBF;;;;;;r7rcreZdZdZdZejejejdZ ddgZ e dde gZ d d Zd S) cmd_setinheritancez$Set inheritance flag on a container.z.%prog [options]rr inherit_staterrr`Nc|dkr tj}n7|dkr tj}nt d|z||_||jd|_t|j|j||_ |  |j |tjddgd }n #t $rt d |zwxYwtj} tj|j || _d|vr1tjt+|tjd| d <n0tjt+|tjd| d < |j | dS#t $r} t d |z| d} ~ wwxYw) NblockrUzUnknown inheritance state (%s)Trrr<rrrrvz"Error setting inheritance state %s)rr rO GPO_INHERITrr'r[r(r\r`r]rrgr{rerzrZrrfrDrrrrxr) rrrrrrrrrrr_s r5r)zcmd_setinheritance.runs    G + +4KK  " "i / /*KK?-OPP P((**--dg-MM $'4:q11  O*##S^/@+6-$999:MNN N O KMMvdj,// #   /K0@0@#BVXcddAkNN /K0@0@#BRT_``AkN X J  a  X X XCmSUVWW W Xs$ /C<<D4G G2G--G2r*rerSr7r5rrs..?H)-. !/2J tALLLMQU"X"X"X"X"X"Xr7rceZdZdZdZejejejdZ dgZ e dde e dd e gZ d d Zd S) cmd_fetchzDownload a GPO.r_rrhrrr`--tmpdir,Temporary directory for copying policy filesNc||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_| t|j |d}n #t$rtd|zwxYwt|dd} t| \} } } n #t$rtd | zwxYwt!|| |j|j } |||\}} t%| | |n"#t$r}td |d}~wwxYw|jd |zdS) NTrrYr^rrbroInvalid GPO path (%s)rError copying GPO from DCGPO copied to %s )r'r[r(r\rHr]rr`rrrgrZrrrrrrrrr)rrhrrrrrrrrdom_namer sharepathrrr_s r5r)z cmd_fetch.runs((**--dg-MM   Ci(( CABB%KDHH'<?? ? @#&'*++ >-6s^^ *Xw  > > >6<== = >k7tw$(J000..vs;; ? *4F C C C C ? ? ?:A>> > ? ,v566666s04CC- D D=7F F(F##F(NNNNNrerSr7r5rrs&H)-. J tALLLz NUXYYYM &7&7&7&7&7&7r7rc eZdZdZdZejejejdZ dgZ e dde e dd e e d d d d e ddde gZ ddZedZdS) cmd_backupz Backup a GPO.r_rrhrrr`rrz --generalizez"Generalize XML entities to restoreFrorrqrr --entitiesz4File to export defining XML entities for the restoreent_file)rrrNc ||_||jd|_|r'|dr|dd} ||_n;t |j|j} t|j|j| |_| t|j |d} n #t$rtd|zwxYwt| dd} t| \} } }n #t$rtd | zwxYwt!| | |j|j }|||\}} t%|||n"#t$r}td |d}~wwxYw|jd |z|r#|jd t*|j||}ddl}ddt3||dD}|r[t9|d5}||dddn #1swxYwY|jd|zn4|jd|j|dD]p}|| vrjt9t:j||dzd5}|| |ddddn #1swxYwYqdS)NTrrYrrrrbrorrrrz( Attempting to generalize XML entities: r=c3K|]9}d|dd|dV:dS)zrBz&;rN)formatrE)rTents r5rUz!cmd_backup.run..@sc^^!$177A T8J8JCPQFSS^^^^^^r7rBrwz$Entities successfully written to %s z Entities: rprq .SAMBAEXTr)r'r[r(r\rHr]rr`rrrgrZrrrrrrrrrrgeneralize_xml_entitiesoperatorr1sorteditems itemgetterrrr)rrhrr generalizerrrrrrrrrrrrr_entitiesrentsrexts r5r)zcmd_backup.runs$((**--dg-MM   Ci(( CABB%KDHH'<?? ? @#&'*++ >-6s^^ *Xw  > > >6<== = >k7tw$(J000..vs;; ? ,T9f E E E E ? ? ?:A>> > ? ,v5666  & IOOH I I I!99$)V:@BBH OOO77^^(.x~~/?/?XEXEXYZE[E[(\(\(\^^^^^D &(C(("AGGDMMM"""""""""""""""  G (!)**** 000 %%%I ) )Cczz"',,vs[/@AA4HH)AGGCHQK((())))))))))))))) ) )sT4CC- D D=7F F(F##F(/JJJ'"MM M ci}tj|stj||g}|g}|r*|}|}tj|}||D]} tj|| } tj|| } tj| r^| | | | tj| stj| | drtj | dd} t| } t| d5}|}dddn #1swxYwYtj|}| || |}u#t$$r|d| zYwxYwtj| | st+j| | |*|S)Nrrz%SKIPPING: Generalizing failed for %s )rrexistsrrrrr1rrJendswithbasenamerrrET fromstringgeneralize_xmlrrsamefileshutilcopy2)r sourcedir targetdirrrrrrrr_rrto_parserltempr concrete_xmlfound_entitiess r5rz"cmd_backup.generalize_xml_entitiesRsuw~~i(( HY   ' 9JJLLEJJLLEj''G LLNNN! 9! 9eQ//eQ//7==((9MM&)))MM&)))7>>&11)(((v..9$&7#3#3F#;#;CRC#@!,X!6!6\!%fc!2!24e',zz||444444444444444,.=+>+>L-3-B-B [options]rr|rrr`rrNcZ||_||jd|_t |j|j}|rd|drO|dd}||_tjtj ztj z} | || } n}tjtj ztj z} | |j d| } | j }t|j|j| |_|t!|j| } | jd krt'd |zt)t+j} d | z} | |_| j}d|d|d| }||| \|_}||_ t;jt:j |dt;jt:j |dd}tCt:j |dd"|n"#tF$r}t'd|d}~wwxYwtI|\}}}||_%tM|||j|j}||_'|j( tS|j| }tUj+}||_,tUj-dtTj.d|d<|j/|tUj+}tUj0|jdt)|z|_,tUj-dtTj.d|d<|j/|tUj+}tUj0|jdt)|z|_,tUj-dtTj.d|d<|j/|tbj2tbj3ztbj4z}t!|j| |d } | dd }tktbj6|7}tcj8|j9}tu||}tbj6;||}ty||tbj2tbj3ztbj4ztbj=z}|>|||t|||tUj+}||_,tUj-|tTj@d |d!<tUj-|tTj@d"|d#<tUj-d$tTj@d%|d&<tUj-d'tTj@d(|d)<tUj-d$tTj@d*|d+<d,g} |jA|| -|jBn(#tF$r|jCwxYw|tjE|j|jF"d.|d/| d0dS)1NTr)r\r[rYr)addressr3realm)domainr3r)r|rz%A GPO already existing with name '%s'z{%s}rz\sysvol\z \Policies\MachineUserz[General] Version=0 zGPT.INIrzError Creating GPO filesrgroupPolicyContainerr7a01 CN=User,%sr} CN=Machine,%s)rhr}rkrna02roa03r$rla052gpcFunctionalityVersiona07r3a04zpermissive_modify:0)rwzGPO 'z ' created as r&)Gr'r[r(r\rrHr]rNBT_SERVER_LDAP NBT_SERVER_DSNBT_SERVER_WRITABLEfinddcget pdc_dns_namer`rrrgcountrruuiduuid4uppergpo_name dns_domainrrrrrrr1rrrZrrrrtransaction_startrirerrDrrxaddrfr rErFrGr rHrcdom_sidget_domain_sidr from_sddlrSECINFO_PROTECTED_DACLset_aclrrrtransaction_committransaction_cancelrrmtreer)!rr|rrrrrnetrr3 cldap_retrguidrhrunc_pathr gpt_contentsr_rrrrrr ds_sd_flags ds_sd_ndrds_sd domain_sidsddlfs_sdsiorws! r5r)zcmd_create.runsQ((**--dg-MM  tw/// Ci(( CABB%KDH(&',-E ;e DDII(&',-E $'++g*>*>e LLI#0KdgtzkBBBDH 4:;??? 9q==FTUU UDJLL!!tzz||# $9>ssK#33FC@@ V  > HRW\\&)44 5 5 5 HRW\\&&11 2 2 27L fi00# 6 6 < <\ J J J J > > >91== = >*38)<)<&7I"k7tw$(J000  $$&&&< , C00F AAD)*@#BRTabbAeH JNN1    A6$*lS[[&@AAAD)+s7GWWAeH JNN1    A6$*oF &CDDAD)+s7GWWAeH JNN1   $1#12#01Ktzs[III!LC23A6Ix2I>>FFHHE")$**C*C*E*EFFJuj11D'11$ CCE "$ 2 2 2))*()23C LLE3 / / / +4 C C C AAD)+s7K][[AeH)(C4HJZ[[AeH)#s/C_UUAeH)#s/CE^__AeH)#s/CWMMAeH-.H J  a(  3 3 3 J ) ) + + + +     J ) ) + + +   > M$+ & & & kkk333GHHHHHs&6B'J J=(J88J=N[%[,rrerSr7r5rrs.H)-.  J tALLLz NUXYYYM NR~I~I~I~I~I~Ir7rc eZdZdZdZejejejdZ ddgZ e dde e d d e e d d e e d dddgZ ddZ dfd ZxZS) cmd_restorez!Restore a GPO to a new container.z/%prog [options]rr|backuprrr`rrrz8File defining XML entities to insert into DOCTYPE headerz--restore-metadataz7Keep the old GPT.INI file and associated version numberFrorr=cd}tj|stj||g}|g}|r5|}|}tj|} | | D]} tj|| } tj|| } tj| r^| | | | tj| stj| | drtj | dd} t| } t| d5}|}d}||rE|t!|d}|t%j||z|zn*|t%j||z|| dddddn #1swxYwY#t*$re| dd|z}t-j|| dd|jd| z|jdY\ddl}|| dd|z}t-j|| dd|jd | z|jdYxYw|3dSdS) Nrrrrz&zWARNING: No such parser for %s z.WARNING: Falling back to simple copy-restore. rz%WARNING: Error during parsing for %s )rrrrrrrr1rrJrrrrrrHrGload_xmlrr write_binaryrrrrr traceback print_exc)rrr dtd_headerrrrrrrr_rrrrrrxml_head original_filers r5 restore_from_backup_to_local_dirz,cmd_restore.restore_from_backup_to_local_dir/sw~~i(( HY   : _JJLLEJJLLEj''G LLNNN4 _4 _eQ//eQ//7==((0_MM&)))MM&)))7>>&11)(((v..*_$&7#3#3F#;#;CRC#@!,X!6!6#_!%fc!2!2Ae',zz||+S#'??8#<#<!V,0H +?D%+OOBM(ZBWZ^B^4_4_$`$`$`$`$*OOBM*tBS4T4T$U$U$U!' 3 3F3B3K @ @ @!AAAAAAAAAAAAAAA$ 3___,23B3K&,@M"Lss DDD IOO,NQY,YZZZ IOO,]^^^^^ _,,,,%//111-33B3K&,@M"Lss DDD IOO,TW],]^^^ IOO,]^^^^^U*_!: _: _: _: _: _s9I?.B8I2& I?2I6 6I?9I6 :I??A+M*-A:M*Nc  d} tj|std|z|d} tj|std|zt |d5} | } t jd| t j td| | z } dddn #1swxYwY| d z } tt| |||||| | ||j| | } t|j|j|jd | t%|j|j}d D]}tj||d z}tj|rt |d5}|}dddn #1swxYwYt-j}||_t-j|t,j|||<|j|dS#t8$r}ddl}||j tC|dz|j dtE}| |j||||td|zd}~wwxYw)Nr=z"Backup directory does not exist %sz)+\s*\ZrzPEntities file does not appear to conform to format e.g. z ]> T)rrrrrrr&z%Failed to restore GPO -- deleting... zFailed to restore: %s)#rrrrrrrr MULTILINErEsuperrr)rrrrrrirgrr1rerrDrrrrZrrrrrcmd_del)rr|rrrrrrrrestore_metadatar entities_fileentities_contentkeep_new_filesrrext_filerrrr_rcmd __class__s r5r)zcmd_restore.runss w~~f%% NCfLMM M  0J7>>(++ -"#D#+$,---h$$ 7 #0#5#5#7#7 8H,BLBBBEIJ&(GHHH.44666  7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 ( "J k4  $$[!VY%-{ < < <& <  1 1&$+2< > > >"21N +49dk+/>?C?M O O O O   DM::FM ) )7<<k0ABB7>>(++ )h--( vvxx((((((((((((((( A!AD /c6J0355AcFJ%%a((( ) ) < < <        ! ! ! IOOCFFTM * * * IOOD E E E))C GGDM1i; G G G6:;; ; ?? ? @*38)<)<&7Ik7tw$(J000 $$&&& ,$TZ55C3xx M  BS HIIIMMA QtWc:::IOO$AAdG$KLLLL  C00F J  cfTZF 1KLL M M M J  cfTZ3v;;1NOO P P P J  f % % % LL # # # J ) ) + + + +     J ) ) + + +   +c122222s47C,,D E J==%K"r*rerSr7r5rrs&H)-. J tALLLM9=636363636363r7rcleZdZdZdZejejejdZ e ddde dd gZ d d Z d S) cmd_aclcheckz.Check all GPOs have matching LDAP and DS ACLs.r rrrrrrrNc ||_||jd|_t |j|j||_|r'|dr|dd}||_n;t|j|j}t |j|j||_|t|j d}|D]}t|dd} t|\} } } n #t$rtd|zwxYwt|| |j|j } | | t"jt"jzt"jzt"j} d |vrtd |d d}t-t"j|}t#j|j }t7||}| ||kr+td | |d | d|dS)NTrrYrrrorrrrkzKCould not read nTSecurityDescriptor. This requires an Administrator accountzInvalid GPO ACL z on path (z ), should be )r'r[r(r\r`r]rHrrrrgrrrrrget_aclr rErFrGSEC_FLAG_MAXIMUM_ALLOWEDr rHrcrrr)rrrrrrrrrrrrrrrrrexpected_fs_sddls r5r)zcmd_aclcheck.runs((**--dg-MM $'4:q11  Ci(( CABB%KDHH'<>FFHHE")$**C*C*E*EFFJ*5*==  j))-==="lV[VcVcdnVoVoVoVoqzqzqz}M}M$NOOO>3 O Os DD:r*r+rSr7r5rrs88 H)-. tW#JQT3 ( ( (M -O-O-O-O-O-Or7rc eZdZdZdZejejejdZ e ddde dd e d d e e j ejd  gZ ddZdS) cmd_admxloadz Loads samba admx files to sysvolr rrrrrrrz --admx-dirz)Directory where admx templates are storedz samba/admx)rrrqNc||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j}d |j d  d d g} | |nI#t$r<} | jd d krtd| jd dkrYd} ~ nd} ~ wwxYwt!j|D]j\} } } | D]_} | |d}t j | | }d ||gdd}d || g} t)||nI#t$r<} | jd d krtd| jd dkrYd} ~ nd} ~ wwxYwt+|d5} |||n7#t$r*} | jd d krtdYd} ~ nd} ~ wwxYwdddn #1swxYwYal|jddS)NTrrYrrsysvolrrrPoliciesPolicyDefinitionsr":The authenticated user does not have sufficient privilegesl5r=rraInstalling ADMX templates to the Central Store prevents Windows from displaying its own templates in the Group Policy Management Console. You will need to install these templates from https://www.microsoft.com/en-us/download/102157 to continue using Windows Administrative Templates. )r'r[r(r\rHr]rr`rr1rrrrargsrrwalkrrrrrrrr)rrrrradmx_dirrrsmb_dirr_dirnamedirsfilesfname path_in_admx full_pathsub_dirsmb_pathrs r5r)zcmd_admxload.runXs((**--dg-MM   Ci(( CABB%KDHH'<??  JJw       vayJ&&"$DEEEj(()((((  %'GH$5$5 Q Q GT5 Q Q&x<< GLL%88 ))Wl$;<<DDS$OO99gu%566)$8888$vayJ..*,LMMMj0010000  )T**QaQ h9999(QQQ6!9 22".0P#Q#QQ32222QQQQQQQQQQQQQQQQ Q( P Q Q Q Q Qsl?D E2EE7H I2I  I!K#(J  K K  J; 6K;K KK K r)rr r r,r-r:r.r/r0r1rrrrr1rdata_dirr2r)rSr7r5rrFs** H)-. tW#JQTC ) ) )|"M"',,~u~/?/?"N"N P P PMFJ8Q8Q8Q8Q8Q8Qr7rceZdZdZdZejejejdZ e ddde dd e d d d d gZ gdZ ddZdS)cmd_add_sudoersaAdds a Samba Sudoers Group Policy to the sysvol This command adds a sudo rule to the sysvol for applying to winbind clients. The command argument indicates the final field in the sudo rule. The user argument indicates the user specified in the parentheses. The users and groups arguments are comma separated lists, which are combined to form the first field in the sudo rule. The --passwd argument specifies whether the sudo entry will require a password be specified. The default is False, meaning the NOPASSWD field will be specified in the sudo entry. Example: samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg The example command will generate the following sudoers entry: fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL z7%prog [groups] [options]rrrrrrrz--passwdroFz;Specify to indicate that sudo entry must provide a password)rrrqr)rhcommandr=userszgroups?Nc ||_| |jd|_|r'|dr|dd} ||_n;t |j|j} t|j|j| |_t| d|j|j} |j d} d | d |d d g}d |d g} tj tj| |}|d}|d}n7#t$$r)}|jddvrtj tjd}tj|d}tj|d}d|_tj|d}d|_tj|d}d|_tj|d}d|_tj|d}tj|d}d|_n!|jddkrt/dYd}~nd}~wwxYwtj|d}|rtj|d tj|d!}||_tj|d"}||_tj|d#}|d$D](}tj|d%}||_d"|jd&<)|=|D](}tj|d%}||_d'|jd&<)t5} || d(d)| d t;| || || dS#t$$r&}|jddkrt/dd}~wwxYw)*NTrrYrrrrrrrMACHINE\VGP\VTLA\SudoSudoersConfiguration manifest.xml policysettingrr34: vgppolicyversion1rmz Sudo Policy descriptionz!Sudoers File Configuration Policy apply_modemerge load_plugintruerr  sudoers_entrypasswordr0r= listelement, principalrgroupUTF-8encodingxml_declaration) r'r[r(r\rHr]rr`rrr1rr ElementTreerrgetrootfindrr!Element SubElementtextrrFrr*rseekrrr)!rrhr0r=r1groupspasswdrrrrrrrvgp_dirvgp_xmlxml_datar6rr_pvrmr>r?rArC command_elmuser_elmrEurGrNouts! r5r)zcmd_add_sudoers.runsY((**--dg-MM   Ci(( CABB%KDHH'<"*[*A*ABB " h.>.>.@.@.=!?!? ]=)<<}]F;;)  mM=II #F  ]=,GG ") }]F;; mD-@@ #)   j(("$DEEE !    % 2 dO<<  5 M- 4 4 4mM9== " =77 mM=AA S!! . .A k;??IIN'-I V $ $  \\^^ 3 3M+{CC !" +2  ((iisWdCCC    !$ 0 0 0 MM'388:: . . . . .   vayJ&&"$DEEE   s2A5F KDKK:8P44 Q$>!QQ$)NNNNNNrr r r,r-r:r.r/r0r1rrr2r\r)rSr7r5r/r/s&IH)-. tW#JQTC ) ) )z,Q S S SM@??JAE?CQQQQQQr7r/creZdZdZdZejejejdZ e ddde dd gZ d gZ d d Zd S)cmd_list_sudoerszList Samba Sudoers Group Policy from the sysvol This command lists sudo rules from the sysvol that will be applied to winbind clients. Example: samba-tool gpo manage sudoers list {31B2F340-016D-11D2-945F-00C04FB984F9} r_rrrrrrrrhNcL||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j}|j d}d | d |d d g} tj || } nH#t$r;} | jd dvrYd} ~ dS| jd dkrt#dd} ~ wwxYw| d} | jd} | dD]}|dj}|dj}|d}g}|D]*}||d+t-|d kr d d|D}nd}|ddu}|rdnd}|d|d|d |}|jd!|zdS)"NTrrYrrrrrrrr3z!SudoersConfiguration\manifest.xmlrr7rr r6rrCr0r=rErGrFcRg|]$}|jddkr|jn d|jz%Srr=z%s%%rrRrTr\s r5 z(cmd_list_sudoers.run..NF">">">-.-.HV,<,F,F!&&!&">">">r7ALLrD NOPASSWD:r= ALL=()r/%s )r'r[r(r\rHr]rr`rrr1rrrrrr!rrOfindallrRextendrGrr)rrhrrrrrrrrWrXr_rrentryr0r= listelements principalsrEuname nopasswordnp_entryps r5r)zcmd_list_sudoers.run"s((**--dg-MM   Ci(( CABB%KDHH'<">2<">">">??J//47J'19||rH&+eeTTT888WWEA IOOFQJ ' ' ' ' ( ('D++ E05E+ !E++E0r*r^rSr7r5r`r` s'H)-. tW#JQTC ) ) )M J3(3(3(3(3(3(r7r`cteZdZdZdZejejejdZ e ddde dd gZ d d gZ dd Zd S)cmd_remove_sudoersaRemoves a Samba Sudoers Group Policy from the sysvol This command removes a sudo rule from the sysvol from applying to winbind clients. Example: samba-tool gpo manage sudoers remove {31B2F340-016D-11D2-945F-00C04FB984F9} 'fakeu ALL=(ALL) NOPASSWD: ALL' %prog [options]rrrrrrrrhroNc||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j}|j d} d | d |d d g} d | d g} tj tj|| } | d} | d}nQ#t$$rD}|jddvrt)d|jddkrt)dd}~wwxYwi}|dD]}|dj}|dj}|d}g}|D]*}||d+t1|dkr d d|D}nd}|ddu}|rdnd}|d |d!|d"|}|||<||vrt)d#|z|||t7}| |d$d%|d t=|| || | dS#t$$r&}|jddkrt)dd}~wwxYw)&NTrrYrrrrrrrr3r4r5r6rrr7z"The specified entry does not existrr rCr0r=rErGrFcRg|]$}|jddkr|jn d|jz%Srcrdres r5rfz*cmd_remove_sudoers.run..rgr7rhrDrir=rjrkr/,Cannot remove '%s' because it does not existrIrJ)!r'r[r(r\rHr]rr`rrr1rrrMrrrNrOrr!rrmrRrnrGkeysrr*rrSrrr)rrhrorrrrrrrrVrWrXr6rr_entriesr0r=rprqrErrrsrtrur]s r5r)zcmd_remove_sudoers.runos((**--dg-MM   Ci(( CABB%KDHH'<>&D99]33LJ+ D D !!+"5"5k"B"BCCCC:""">">2<">">">?? ++t3J'19||rH&+eeTTT888WWEAGAJJ   & &M % &'' ' GEN###iisWdCCC    !$ 0 0 0 MM'388:: . . . . .   vayJ&&"$DEEE   s1A5F G?GG8N O!N;;Or*r^rSr7r5rxrxWs/H)-. tW#JQTC ) ) )M !JGGGGGGr7rxcdeZdZdZiZeed<eed<eed<dS) cmd_sudoersz#Manage Sudoers Group Policy ObjectsrrrN)rr r r, subcommandsr/r`rxrSr7r5rrsS--K(**K**,,K..00Kr7rcxeZdZdZdZejejejdZ e ddde dd gZ gd Z d d Zd S)cmd_set_securitya Set Samba Security Group Policy to the sysvol This command sets a security setting to the sysvol for applying to winbind clients. Not providing a value will unset the policy. These settings only apply to the ADDC. Example: samba-tool gpo manage security set {31B2F340-016D-11D2-945F-00C04FB984F9} MaxTicketAge 10 Possible policies: MaxTicketAge Maximum lifetime for user ticket Defined in hours MaxServiceAge Maximum lifetime for service ticket Defined in minutes MaxRenewAge Maximum lifetime for user ticket renewal Defined in minutes MinimumPasswordAge Minimum password age Defined in days MaximumPasswordAge Maximum password age Defined in days MinimumPasswordLength Minimum password length Defined in characters PasswordComplexity Password must meet complexity requirements 1 is Enabled, 0 is Disabled r_rrrrrrr)rhrvalue?Nc||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j} |j d} d | d |d g} d | d g} td } t| _| | } | t#|nE#t&$r8| t#|dYnwxYwnG#t($r:}|jddkrt-d|jddvrYd}~nd}~wwxYwdddddddd}||}| |s| ||| |||nQ| ||t7| |dkr| |t#}| | t?| | | | tC|"dS#t($r&}|jddkrt-dd}~wwxYw)NTrrYrrrrrrrz$MACHINE\Microsoft\Windows NT\SecEditz GptTmpl.inf interpolationutf-16rrr )r8r:Kerberos Policy System Access) MaxTicketAge MaxServiceAge MaxRenewAgeMinimumPasswordAgeMaximumPasswordAgeMinimumPasswordLengthPasswordComplexity)#r'r[r(r\rHr]rr`rrr1rr(r optionxformrreadfpr)decodeUnicodeDecodeErrorrr!r has_section add_sectionset remove_optionrGr:remove_sectionrrrr&getvalue)rrhrr2rrrrrrrinf_dirinf_fileinf_datarawr_ section_mapsectionr]s r5r)zcmd_set_security.runs((**--dg-MM   Ci(( CABB%KDHH'< >????? @   vayJ&&"$DEEEvay 88898888  *;*;(9/>/>2A/>  f%##G,, *   ) ) )   LL&% 0 0 0 0  " "7F 3 3 38##G,,--22''000jjs  !$ 0 0 0 MM(Icllnn$=$= > > > > >   vayJ&&"$DEEE  sU1G 4F?G?G?GGG H 0HH AL M)!M  Mrr^rSr7r5rrs@'H)-. tW#JQTC ) ) )M -,,J=A'+DDDDDDr7rcreZdZdZdZejejejdZ e ddde dd gZ d gZ d d Zd S)cmd_list_securityaList Samba Security Group Policy from the sysvol This command lists security settings from the sysvol that will be applied to winbind clients. These settings only apply to the ADDC. Example: samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9} r_rrrrrrrrhNc||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j}|j d}d | d |d g} td } t| _|| } | t#| nE#t&$r8| t#| d YnwxYwnJ#t($r=} | jddkrYd} ~ dS| jddkrt-dd} ~ wwxYw| D]B} | dvr| | D]%\}}|j|d|d&CdS)NTrrYrrrrrrrz0MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.infrrrr8rr )rr = r&)r'r[r(r\rHr]rr`rrr1rr(rrrrr)rrrr!rsectionsrrr)rrhrrrrrrrrrrr_rrr2s r5r)zcmd_list_security.runNs((**--dg-MM   Ci(( CABB%KDHH'< >????? @   vayJ&&vayJ&&"$DEEE    ((** < ||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j}|j d}d | d |d g} ttj|| } nJ#t $r=} | jd d krYd} ~ dS| jd dkrt%dd} ~ wwxYwd} t'j} | jD]}t-|j| krl| |jt5|j| |j}|j|jd|ddS)NTrrYrrrrrrrzMACHINE\Registry.polrr8rr  Software\Policies\Samba\smb_confrr&)r'r[r(r\rHr]rr`rrr1rr r rrrr!rrLoadParmr~r&keynamer valuenamerrrr)rrhrrrrrrrpol_filepol_datar_rr[rovals r5r)zcmd_list_smb_conf.runs$((**--dg-MM   Ci(( CABB%KDHH'<.sEEEqq{EEEr7r|c*g|]}|jk |SrSr)rTr_rs r5rfz(cmd_set_smb_conf.run..s/+++Q;')))))r7)yesrBr=rB)nofalser$r)$r'r[r(r\rHr]rr`rrr1rr r rrrr!rr~rG num_entriesr' isnumericrKr&rorrrrrrJrrr )rrhrr2rrrrrrrpol_dirrrr_r~etypers ` r5r)zcmd_set_smb_conf.runs((**--dg-MM   Ci(( CABB%KDHH'<AI#G,,AKAFAF8+,,G NN1   &H #&w<> J JO$))(33F$))(33F IOOOv{{{FKKKH I I I I J Jrvr*r^rSr7r5rr' s'H)-. tW#JQTC ) ) )M J'J'J'J'J'J'Jr7rcxeZdZdZdZejejejdZ e ddde dd gZ gd Z d d Zd S)cmd_add_symlinkzAdds a VGP Symbolic Link Group Policy to the sysvol This command adds a symlink setting to the sysvol that will be applied to winbind clients. Example: samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target '%prog [options]rrrrrrrrhrrNc||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j} |j d} d | d |d g} d | d g} tj tj| | } | d }|jd}n#t$$r}|jddvrtj tjd} tj| d }tj|d}d|_tj|d}d|_tj|d}d|_tj|d}n!|jddkrt/dYd}~nd}~wwxYwtj|d}tj|d}||_tj|d}||_t1}| |dd|d t7| | | | |dS#t$$r&}|jddkrt/dd}~wwxYw)NTrrYrrrrrrrMACHINE\VGP\VTLA\Unix\Symlinkr5r6rrr7r;r<r=rmzSymlink Policyr>zSpecifies symbolic link datarr rrrrIrJ)r'r[r(r\rHr]rr`rrr1rrrMrrrNrOrr!rPrQrRrr*rrSrrr)rrhrrrrrrrrrrVrWrXrrr_r6rYrmr>r source_elm target_elmr]s r5r)zcmd_add_symlink.run sl((**--dg-MM   Ci(( CABB%KDHH'<"*[*A*ABB " h.>.>.@.@.=!?!? ]=)<<}]F;;,  mM=II #A  }]F;;j(("$DEEE  *-.?@@]?H==  ]?H==  iisWdCCC    !$ 0 0 0 MM'388:: . . . . .   vayJ&&"$DEEE   s2A0F JC'JJ8M M;!M66M;r*r^rSr7r5rrh s9H)-. tW#JQTC ) ) )M -,,JHL@@@@@@r7rcxeZdZdZdZejejejdZ e ddde dd gZ gd Z d d Zd S)cmd_remove_symlinkaRemoves a VGP Symbolic Link Group Policy from the sysvol This command removes a symlink setting from the sysvol from appling to winbind clients. Example: samba-tool gpo manage symlink remove {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target rrrrrrrrrNc||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j} |j d} d | d |d g} d | d g} tj tj| | } | d }|jd}nU#t$$rH}|jddvrt)d|z||jddkrt)dd}~wwxYw|dD]Y}|d}|d}|j|kr"|j|kr||nZt)d|z|t1}| |dd|d t7| | | | |dS#t$$r&}|jddkrt)dd}~wwxYw)NTrrYrrrrrrrrr5r6rrr7z>Cannot remove link from '%s' to '%s' because it does not existrr rrrrIrJ)r'r[r(r\rHr]rr`rrr1rrrMrrrNrOrr!rrmrRrr*rrSrrr)rrhrrrrrrrrrrVrWrXrrr_rrrr]s r5r)zcmd_remove_symlink.run sH((**--dg-MM   Ci(( CABB%KDHH'<> M MO(--h77J(--h77J&((Z_-F-F O,,, ;=C DEKMM MiisWdCCC    !$ 0 0 0 MM'388:: . . . . .   vayJ&&"$DEEE   s2A0F GAGG8K L!!LLr*r^rSr7r5rr s9H)-. tW#JQTC ) ) )M -,,JHL<<<<<<r7rcdeZdZdZiZeed<eed<eed<dS) cmd_symlinkz#Manage symlink Group Policy ObjectsrrrN)rr r r,rrrrrSr7r5rr sS--K**,,K(**K..00Kr7rcreZdZdZdZejejejdZ e ddde dd gZ d gZ d d Zd S)cmd_list_fileszList VGP Files Group Policy from the sysvol This command lists files which will be copied from the sysvol and applied to winbind clients. Example: samba-tool gpo manage files list {31B2F340-016D-11D2-945F-00C04FB984F9} r_rrrrrrrrhNc ||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j}|j d}d | d |d d g} tj || } nH#t$r;} | jd dvrYd} ~ dS| jd dkrt#dd} ~ wwxYw| d} | jd} | dD]}|dj}|dj}|dj}|dj}t+|}t-|d|d|d|d| }|jd|zdS)NTrrYrrrrrrrrzFiles\manifest.xmlrr7rr r6rrrrr=rH z -> rl)r'r[r(r\rHr]rr`rrr1rrrrrr!rrOrmrRr+r,rr)rrhrrrrrrrrWrXr_rrrorrr=rHmoderus r5r)zcmd_list_files.run7 s{((**--dg-MM   Ci(( CABB%KDHH'< [options]rrrrrrr)rhrrr=rHrNc H ||_| |jd|_tj|std|z|r'|dr|dd} ||_ n;t|j|j} t|j|j| |_ t| d|j|j} |j d } d | d |d g}d |d g} t!jt!j| |}|d}|jd}n#t,$r}|jddvrt!jt!jd}t!j|d}t!j|d}d|_t!j|d}d|_t!j|d}d|_t!j|d}n!|jddkrtdYd}~nd}~wwxYwt!j|d}t!j|d}tj||_t!j|d}||_t!j|d}||_t!j|d}||_d D]\}}t!j|d!}|d"|t;|d#d$|zzrt!j|d%t;|d#d&|zzrt!j|d't;|d#d(|zzrt!j|d)t=} || d*d+| dtC|d,"}!d |tj|g}" tG| || $|| "| $|"|!dS#t,$r&}|jddkrtdd}~wwxYw)-NTrzSource '%s' does not existrYrrrrrrrMACHINE\VGP\VTLA\Unix\Filesr5r6rrr7r;r<r=rmFilesr>z+Represents file data to set/copy on clientsrr rrrr=rH))r=)rHr)otherr permissionsrrArrr@rrBexecuterIrJr)%r'r[r(r\rrrrrHr]rr`rrr1rrrMrrrNrOrr!rPrQrRrrrKr*rrSrrrr)#rrhrrr=rHrrrrrrrrrVrWrXrrr_r6rYrmr>rrrr[ group_elmptypeshiftrr] source_data sysvol_sources# r5r)zcmd_add_files.run} s((**--dg-MM w~~f%% F;fDEE E  Ci(( CABB%KDHH'<@AA))Wn566 ~bmDMM'4J4J&K&KLLH%%'',,_==F6;v&&DD   vay@@@>"*[*A*ABB " h.>.>.@.@.=!?!? ]=)<<}]F;;#  mM=II #P  }]F;;j(("$DEEE  *-.?@@]?H== '**622 ]?H==  =&99 M/7;;  E 6 6LE5-GGK OOFE * * *4||se|, 3 k62224||se|, 4 k73334||se|, 6 k9555iisWdCCC  64((--//  7BG,<, [options]rrrrrrrrhrNc\||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j}|j d} d | d |d g} d | d g} tj tj|| } | d } | jd}nT#t$$rG}|jddvrt)d|z|jddkrt)dd}~wwxYw|dD]}|d}|d}|j|krHd | |jg}||||nt)d|zt3}| |dd|d t9|| || |dS#t$$r&}|jddkrt)dd}~wwxYw)NTrrYrrrrrrrrr5r6rrr7z1Cannot remove file '%s' because it does not existrr rrrrIrJ)r'r[r(r\rHr]rr`rrr1rrrMrrrNrOrr!rrmrRunlinkrr*rrSrrr)rrhrrrrrrrrrVrWrXrrr_rrrrr]s r5r)zcmd_remove_files.run sc((**--dg-MM   Ci(( CABB%KDHH'<@AA))Wn566 ~bmDMM'4J4J&K&KLLH%%'',,_==F6;v&&DD   vay@@@"$028$9:::j(("$DEEE  $||,=>> E EO(--h77J(--h77J&((GZ_#=>> F### O,,, )  ;=C DEE EiisWdCCC    !$ 0 0 0 MM'388:: . . . . .   vayJ&&"$DEEE   s2A0F GAGG8K;; L+!L&&L+r*r^rSr7r5rr s0H)-. tW#JQTC ) ) )M "J@D>>>>>>r7rcdeZdZdZiZeed<eed<eed<dS) cmd_filesz!Manage Files Group Policy ObjectsrrrN)rr r r,rrrrrSr7r5rr* sP++K(.**K&K,,..Kr7rcreZdZdZdZejejejdZ e ddde dd gZ d gZ d d Zd S)cmd_list_opensshzList VGP OpenSSH Group Policy from the sysvol This command lists openssh options from the sysvol that will be applied to winbind clients. Example: samba-tool gpo manage openssh list {31B2F340-016D-11D2-945F-00C04FB984F9} r_rrrrrrrrhNc ||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j}|j d}d | d |d d g} tj || } nH#t$r;} | jd dvrYd} ~ dS| jd dkrt#dd} ~ wwxYw| d} | jd} | d}|dD]}|djr|dD]R}|j|djd|djdSdS)NTrrYrrrrrrrzMACHINE\VGP\VTLA\SshCfgzSshD\manifest.xmlrr7rr r6rr configsection sectionname keyvaluepairrr/r2r&r'r[r(r\rHr]rr`rrr1rrrrrr!rrOrmrRrr)rrhrrrrrrrrWrXr_rrrrkvs r5r)zcmd_list_openssh.runI s((**--dg-MM   Ci(( CABB%KDHH'< [value] [options]rrrrrrrrNcT ||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j} |j d} d | d |d g} d | d g} tj tj| | } | d }|jd}|d}n[#t$$rM}|jddvrtj tjd} tj| d }tj|d}d|_tj|d}d|_tj|d}d|_tj|d}d|_tj|d}tj|d}tj|d}tj|dn!|jddkrt/dYd}~nd}~wwxYw||dD]}|djri}|dD]}|||d <||vr|||_stj|d}tj|d }||_tj|d!}||_n|dD]}|djri}|dD]}|||d j< ||vr|||t/d"|zt7}| |d#d$|d t=| | | | | dS#t$$r&}|jddkrt/dd}~wwxYw)%NTrrYrrrrrrrzMACHINE\VGP\VTLA\SshCfg\SshDr5r6rrrr7r;r<r=rmzConfiguration Filer>z+Represents Unix configuration file settingsr?r@rrrr rrr2r|rIrJ)!r'r[r(r\rHr]rr`rrr1rrrMrrrNrOrr!rPrQrRrrmr}rr*rrSrrr)rrhrr2rrrrrrrrVrWrXrrrr_r6rYrmr>r?rsettingsrrrdvaluer]s r5r)zcmd_set_openssh.run s6((**--dg-MM   Ci(( CABB%KDHH'<"*[*A*ABB " h.>.>.@.@.=!?!? ]=)<<}]F;;0  mM=II #P  ]=,GG ") }]F;;]4>> " j/ J J  m];;;;j(("$DEEE <;;;;' 4  !+!3!3O!D!D ( (  %%m449'//??22B/1HRWWU^^,,hmmoo---2HW%**#%=#O#OL- e< >  %%m449'//??77B46HRWWU^^011hmmoo--!(('):;;;;&(35<(=>>>iisWdCCC    !$ 0 0 0 MM'388:: . . . . .   vayJ&&"$DEEE   s2BF K8+EK33K8=8S77 T'!T""T'rr^rSr7r5rru s9H)-. tW#JQTC ) ) )M .--J>B'+\\\\\\r7rcJeZdZdZiZeed<eed<dS) cmd_opensshz#Manage OpenSSH Group Policy ObjectsrrN)rr r r,rrrrSr7r5rr s@--K**,,K(**Kr7rcreZdZdZdZejejejdZ e ddde dd gZ d gZ d d Zd S)cmd_list_startupzList VGP Startup Script Group Policy from the sysvol This command lists the startup script policies currently set on the sysvol. Example: samba-tool gpo manage scripts startup list {31B2F340-016D-11D2-945F-00C04FB984F9} r_rrrrrrrrhNc ||_||jd|_|r'|dr|dd}||_n;t |j|j}t|j|j||_t|d|j|j}|j d}d | d |d d g} tj || } nH#t$r;} | jd dvrYd} ~ dS| jd dkrt#dd} ~ wwxYw| d} | jd} | dD]}|d}d d | d |dd|jg}|d}|d}||j}nd}|jd|d|d|jdS)NTrrYrrrrrrrrzScripts\Startup\manifest.xmlrr7rr r6rrEscriptzMACHINE\VGP\VTLA\Unix\ScriptsStartup parametersrun_asrootz@reboot r/r)rrhrrrrrrrrWrXr_rrrEr script_pathrr s r5r)zcmd_list_startup.run s((**--dg-MM   Ci(( CABB%KDHH'<>K%)),77J %%h//F! IOOO&&&+++2