b@ddlmZddlmZddlmZmZddlm Z m Z m Z ddl m Z ddlmZmZddlmZddlmZmZdd l mZdd lmZddlZdd lmZdd lmZmZm Z m!Z!d Z"GddeZ#GddeZ$GddeZ%GddeZ&GddeZ'GddeZ(Gdde Z)dS))DONT_USE_KERBEROSN)securityidmap)setntaclgetntacl getdosinfo)Ldb) ndr_unpack ndr_print)SamDB)parampassdb) provision)system_session_unix)system_session)Command CommandError SuperCommandOptioncd}|}|dkrd}tj}||j|r_ t t |}n"#t$r}td|d}~wwxYw| dd|j z |rtj |j }ntj}n#tdxYw|S) NFROLE_ACTIVE_DIRECTORY_DCT session_infolpUnable to open samdb:passdb backend samba_dsdb:%sz2Unable to read domain SID from configuration files) server_roles3param get_contextload configfiler r Exceptionrseturlrdom_sid domain_sidrget_domain_sid)ris_ad_dcrs3confsamdber's 4/usr/lib/python3/dist-packages/samba/netcmd/ntacl.pyget_local_domain_sidr.(sH..""K000  " "F KK B ;~'7'7!!!EE ; ; ;6:: : ;  #_uy%@AAA$  1!)%*:;;JJ.00J$#$$ $ s$A-- B 7BB ./CC/c eZdZdZdZejejejdZ e dddde d d d d d ge ddde ddde ddde dddgZ ddgZ ddZ dS) cmd_ntacl_setzSet ACLs on a file.z%prog [options] sambaoptscredopts versionoptsz-qz--quietzBe quiet store_truehelpaction--xattr-backendchoice%xattr backend type (native fs or tdb)nativetdbtyper7choices --eadb-file0Name of the tdb file where attributes are storedstringr7r? --use-ntvfsLSet the ACLs directly to the TDB or xattr for use with the ntvfs file server --use-s3fsHSet the ACLs for use with the default s3fs file server via the VFS layer --servicez:Name of the smb.conf service to use when applying the ACLsaclfileFNc H|} | } t| }|s|sd| dv}n|rd}t | ||t |t ||||  |r| ddSdS)Nsmbserver servicesF use_ntvfsservicePPlease note that POSIX permissions have NOT been changed, only the stored NT ACL) get_logger get_loadparmr.getrstrrwarning)selfrJrKrPuse_s3fsquiet xattr_backend eadb_filer3r2r4rQloggerrr's r-runzcmd_ntacl_set.run]s""  # # % %)"--   (9!:!::II  IZ$&&$  " " " "  o NNm n n n n n o o FFFNNNNNN__name__ __module__ __qualname____doc__synopsisoptions SambaOptionsCredentialsOptionsVersionOptionstakes_optiongroupsr takes_options takes_argsr^r_r-r0r0Fs&-H).- tYZ EEE x6] %( * * *}#U\deee}#q{G H H H|"lvB C C C{!]dlmmmMJ7<7;7;oooooor_r0cNeZdZdZdZejejejdZ dgZ ddZ dS)cmd_dosinfo_getz"Get DOS info of a file from xattr.%prog [options]r1rKNc|}tj}||jt ||}|r)|jt|dSdS)N) rTrr r!r"routfwriter )rXrKr3r2r4rr*dosinfos r-r^zcmd_dosinfo_get.runsx  # # % %$&& BM"""R&&  0 IOOIg.. / / / / / 0 0r_NNN) rbrcrdrerfrgrhrirjrkrmr^rnr_r-rprpxs],,'H).- J000000r_rpc eZdZdZdZejejejdZ e ddde dd d d d g e ddde ddde ddde dddgZ dgZ ddZ dS) cmd_ntacl_getzGet ACLs of a file.rqr1z --as-sddlzOutput ACL in the SDDL formatr5r6r9r:r;r<r=r>rArBrCrDrEzKGet the ACLs directly from the TDB or xattr used with the ntvfs file serverrGzKGet the ACLs for use via the VFS layer used by the default s3fs file serverrIz9Name of the smb.conf service to use when getting the ACLsrKFNc |} t| } |s|sd| dv}n|rd}t| |t |||| } |r2|j| | dzdS|jt| dS)NrMrNFdirect_db_accessrQ ) rTr.rUrrrsrtas_sddlr )rXrKrPrYr}r[r\r3r2r4rQrr'rJs r-r^zcmd_ntacl_get.runs # # % %)"--   (9!:!::II  Ir*,,$ (1& (((  , IOOCKK 33d: ; ; ; ; ; IOOIcNN + + + + +r_r`rarnr_r-rxrxs'H).- {!@VVV x6] %( * * *}#U\deee}#pzF G G G|"oyE F F F{!\cklllMJ279=7;,,,,,,r_rxc (eZdZdZdZdejiZedddedd d ed d d edddedddddgedddd eddd edddd gZ gdZ d"d!Z d S)#cmd_ntacl_changedomsidzChange the domain SID for ACLsz9%prog [options]r2rIz#Name of the smb.conf service to userCrDrErFr5r6rGrHrArBr9r:r;r<r=r>z-rz --recursivez;Set the ACLs for directories and their contents recursivelyz--follow-symlinkszFollow symlinksz-vz --verbosez Be verbose)old_domain_sidnew_domain_sidrKFNc  } | ts|sddvn|rdsst d t j|n'#t$r}t d|d|d}~wwxYw t j|n'#t$r}t d|d|d}~wwxYw f d fd}|| r*tj |r ||r| d dSdS) NrMrNFz0Must provide a share name with --service=zCould not parse old sid : c  r jd|z t |t }n'#t$r}t d|d|d}~wwxYw|}r jd|z fd}||j|_||j|_|j r$|j j D]}||j |_ |j r$|j j D]}||j |_ |}r jd|z||krr jdd S t || t dS#t$r}t d |d|d}~wwxYw) Nz file: %s rzzCould not get acl for rz before: %s ct|\}}|krtjd|fzS|S)Nz%s-%i)splitrr&)siddomridrrs r-replace_domain_sidzNcmd_ntacl_changedomsid.run..changedom_sids..replace_domain_sid(s? YY[[ c.((#+G~s6K,KLLL r_z after: %s znothing to do TrOzCould not set acl for )rsrtrrr#rr} owner_sid group_sidsaclacestrusteedaclr)rKrJr, orig_sddlracenew_sddlr'r\rrrrXrQrPverboser[s r-changedom_sidsz2cmd_ntacl_changedomsid.run..changedom_sidssh 5  t 3444 Or#244,(09'. 000 O O O"lTTT11#MNNN O J//I = ) ;<<<       /.s}==CM..s}==CMx B8=BBC"4"4S["A"ACKKx B8=BBC"4"4S["A"ACKK{{:..H ;  9:::H$$7IOO$5666t O',..&"#,!(****** O O O"lTTT11#MNNN Os/"A A)A$$A)?$F%% G /GG ctj|D]b\}}}|D]+}tj||,|D]+}tj||,cdS)N) followlinks)oswalkpathjoin)rKrootdirsfilesfdrfollow_symlinkss r-recursive_changedom_sidsz.recursive_changedom_sidsNs%'WT%O%O%O : :!dE::A"N27<<a#8#89999::A"N27<<a#8#89999:  : :r_zQPlease note that POSIX permissions have NOT been changed, only the stored NT ACL.) rSrTr.rUrrr&r#rrisdirrW)rXold_domain_sid_strnew_domain_sid_strrKrPrYrQr[r\r2 recursiverrr]r,rrr'rrrs` ` ``` `` @@@@@r-r^zcmd_ntacl_changedomsid.runs?""  # # % %)"--   (9!:!::II  I D DBDD D 8%-.@AANN 8 8 8, 2 2 2AA 788 8 8 8%-.@AANN 8 8 8, 2 2 2AA 788 8 87 O7 O7 O7 O7 O7 O7 O7 O7 O7 O7 O7 O7 O7 Or : : : : : : t  +t,, + $ $T * * *  ? NN> ? ? ? ? ? ? ?s08B B1B,,B15C C.C))C.) FFNNNNFFF) rbrcrdrerfrgrhrkrrlrmr^rnr_r-rrs((JH W)  6     &  ! ! !  "  ! ! !  C     8u%  ' ' '   N  ! ! !  " ! ! !     ! ! !C&MP>==J !m?m?m?m?m?m?r_rceZdZdZdZejejejdZ e ddde dd dgZ d d Z d S)cmd_ntacl_sysvolresetz?Reset sysvol ACLs to defaults (including correct ACLs on GPOs).rqr1rEz/Set the ACLs for use with the ntvfs file serverr5r6rGz6Set the ACLs for use with the default s3fs file serverFNc |}||}|t|}|dd} |dd} t t|} n"#t$r} td| d} ~ wwxYw|s|sd|dv}n|rd}tj | j } tj}||j|d d | jztj t'| d zt'tjz}tj tj}t-j|d }||\}}|t2jkr"|t2jkrtd |z||\}}|t2jkr"|t2jkrtd |z|r|dt=j| | | ||| |d | !|| dS)NrnetlogonsysvolrrrMrNFrr-zSID %s is not mapped to a UIDzSID %s is not mapped to a GIDrRrealm)rP)"rTget_credentialsset_kerberos_staterrSrUr rr#rrr&r'rr r!r"r$r%rVDOMAIN_RID_ADMINISTRATORSID_BUILTIN_ADMINISTRATORSrPDB sid_to_idr ID_TYPE_UID ID_TYPE_BOTH ID_TYPE_GIDrWr setsysvolacllower domain_dn)rXrPrYr3r2r4rcredsr]rrr+r,r'r*LA_sidBA_sid s4_passdbLA_uidLA_typeBA_gidBA_types r-r^zcmd_ntacl_sysvolreset.runns  # # % %((,,   !2333""66&*--)) ;~'7'7!!!EE ; ; ;6:: : ;  (9!:!::II  I%e&677 $&& BM""" #_uy%@AAA!#j//$'#(*-h.O*P*P#QRR!("EFFJvzz*:;;<< &//77 u( ( (W8J-J-J>GHH H%//77 u( ( (W8J-J-J>GHH H  o NNm n n nuh%vz!vvg44668I8I!Y 8 8 8 8 8 8B## C-B==C)FFNNN) rbrcrdrerfrgrhrirjrkrrlr^rnr_r-rr_sII'H).- }#T]ijjj|"ZcopppM -27;181818181818r_rcHeZdZdZdZejejejdZ ddZ dS)cmd_ntacl_sysvolcheckzBCheck sysvol ACLs match defaults (including correct ACLs on GPOs).rqr1Nc b|}||}|t|}|dd}|dd} t t|} n"#t$r} td| d} ~ wwxYwtj | j } tj| ||| |d| |dS)Nrrrrrr)rTrrrrSrUr rr#rrr&r'rchecksysvolaclrr) rXr3r2r4rrr]rrr+r,r's r-r^zcmd_ntacl_sysvolcheck.runs$  # # % %((,,   !2333""66&*--)) ;~'7'7B???EE ; ; ;6:: : ;%e&677  &!+!#!6!6!8!8%//:K:K!# % % % % %rrv) rbrcrdrerfrgrhrirjrkr^rnr_r-rrsTLL'H).- %%%%%%r_rceZdZdZiZeed<eed<eed<eed<e ed<e ed<dS) cmd_ntaclzNT ACLs manipulation.r$rU changedomsid sysvolreset sysvolcheckrN) rbrcrdre subcommandsr0rxrrrrprnr_r-rrsK&K&K"8"8":":K!6!6!8!8K !6!6!8!8K  / 1 1K r_r)*samba.credentialsr samba.getoptgetoptrg samba.dcerpcrr samba.ntaclsrrrsambar samba.ndrr r samba.samdbr samba.samba3r rrrsamba.auth_utilrr samba.authr samba.netcmdrrrrr.r0rprxrrrrrnr_r-rs&0/////((((((((7777777777++++++++11111111////// %%%%%% 2 2 2 2 2 2 2 2 2 2r_