Please Help,
I am trying to use a local object to read perms from, then modify local group
domain/hostname from
localhost to some remote hostname, then add to new Perms object for remote object and
set,
but it always applies the local group instead of the remote group when applied to the
remote object
Example:
1) set permissions with Win2K on local folder/file, including a locally defined group
that matches a local group
on another host.
2) loop through all ACE's if $ace->{Domain} eq "$ENV{LOCALHOST}", then lookup SID for
matching group on
remote host and replace in ace object.
3) create new Perms object for remote object.
4) remove all entries on remote perm object
5) add new entries from list of entries copied then modified from local object.
6) set on remote object.
Local group always applied on remote host even after resolving remote SID
and modifying perms objects before adding and setting on remote object.
PS: is there any new versions of Win32::Perms planned or available that I can get
=========================================================
use lib "../lib"; # DEFINES GLOBAL PACKAGES TO IMPORT, FUNCTIONS AND VARIABLES
use utils;
my $host = undef;
my $group = undef;
my $option = undef;
my $viewLog = undef;
my $numArgs = scalar(@ARGV);
my @newPerms = ();
my $objReadPerms = undef;
my $objSetPerms = undef;
my $found = undef;
my $target = undef;
my $drive = undef;
my $recurse = undef;
my $container = undef;
if($numArgs > 0)
{
for($i = 0; $i < $numArgs; $i++)
{
if(uc($ARGV[$i]) eq "-DEBUG")
{
$debug = 1;
&printRunEnv;
}
}
}
# Read in current group/hosts definitions
&readGroups;
&openLog;
print LOG "====================================================================\n";
print LOG ">>>> Running Change File/Folder Permissions script at " . localtime() . "
<<<<\n";
print LOG "====================================================================\n";
print "\n\tDo you wish to view log for errors when complete? (y/n) ";
chomp($viewLog = <STDIN>);
# Call main routine
&main;
close(LOG);
close(STDERR);
&viewLog if($viewLog =~ /y/i);
exit;
sub main()
{
do {
system("cls") if(!$debug);
print <<END;
You MUST first create the target file or folder
on your local host if it does not already exist,
then configure it with the desired permissions,
which will then be read and used to propagate to
the same file/folder if exists on selected remote
hosts.
If the target is a folder, you have the option to
recursively set permissions on all subfolders/files.
ONLY DACL security entries can and will be modified,
without changing the SACL auditing entries, or the
owner and primary group.
ALL LOCALHOST User/Group names specified will be
replaced with REMOTE hostname by default, allowing
you to set permissions on remote hosts that match
local User/Groups on that host.
END
do {
undef($target);
undef($drive);
undef($recurse);
undef($container);
undef($found);
print "\n\tPlease enter the full path to the target
file/folder:\n";
print "\n\t>>> ";
chomp($target = <STDIN>);
$target =~ s/\\/\//g;
if(-e "$target")
{
$found = 1;
print "found = $found\n" if($debug);
if(-d "$target")
{
$container = 1;
print "\n\tDo you wish to recursively modify
permissions on this folder? (y|n)\n";
print "\n\t>>> ";
chomp($recurse = <STDIN>);
$recurse = ($recurse =~ /y/i) ? 1 : undef;
}
# separate to drive:\\path components
$target =~ s/^(\w{1}):(.*)$/\2/;
$drive = $1;
}
else
{
print "\n\tERROR: $error{12} for $target\n";
print "\n\tDo you wish to re-enter name? (y|n)\n";
chomp($ans = <STDIN>);
last if($ans !~ /y/i);
}
} until ($found);
last if(!$found);
if(&readPerms) # Read perms of local object
{
&modPerms if(&selHosts);
}
else
{
print "\nERROR: $error{69} for ${drive}:${target}.\n";
}
print "\n\n\tDo you wish to modify permsissions for more
files/folders? (y|n)\n";
print "\n\t>>> ";
chomp($done = <STDIN>);
} while ($done =~ /y/i);
print "\n\tAre sure you want to exit? (y/n) ";
chomp($ans = <STDIN>);
&main if($ans !~ /y/i);
}
sub modPerms()
{
print "\n\t>>> modPerms <<<\n" if($debug);
print "\n\tAre sure you want to continue? (y/n) ";
chomp($ans = <STDIN>);
return if($ans !~ /y/i);
print "\n\n";
foreach $group (@selGroups)
{
$i=1;
$numHosts = scalar(@{$selHosts{$group}});
foreach $host (@{$selHosts{$group}})
{
# Check for host available
if(! &isHostAvail($host))
{
print "\nERROR: $error{68} on $host. Reason:
$error{1}.\n" if($debug);
print LOG "ERROR: $error{68} on $host. Reason:
$error{1}.\n";
next;
}
($debug)
? print "\tApplying permissions to ${drive}:${target} on
$group selected hosts ... " . $i++ . " of $numHosts"
: print "\tApplying permissions to ${drive}:${target} on
$group selected hosts ... " . $i++ . " of $numHosts\r";
if(&isRemoteFileFound($host,$drive,$target))
{
if(&applyPerms($host))
{
print "\n\tINFO: $info{30} on $host.\n"
if($debug);
print LOG "INFO: $info{30} on $host.\n";
}
else
{
print "\n\tERROR: $error{68} on $host.\n"
if($debug);
print LOG "ERROR: $error{68} on $host.\n";
}
}
else
{
print "\n\tERROR: $error{68} on $host. Reason:
${drive}:${target} $error{12}.\n" if($debug);
print LOG "ERROR: $error{68} on $host. Reason:
${drive}:${target} $error{12}.\n";
}
}
}
}
sub applyPerms($)
{
my $host = shift;
my $path = "\\\\$host\\$drive\$\\$target";
# Convert any LOCALHOST user/group to remote host in @newPerms list of ACE's
# Return with an error if any local user or group in list of ACE's does not
# exist on remote host.
print "\nnewPerms list BEFORE convert\n" if($debug);
foreach $perm (@newPerms) { next if($perm->{Account} !~ /TESTLOCAL/i); print
"objPerm = $perm\n"; foreach $key (sort(keys(%{$perm}))) { print "$key =
$perm->{$key}\n"; } }
return(undef) if(! &convLocalToRemote($host)); # CONVERT local host to remote
host groups if match
print "\nnewPerms list AFTER convert\n" if($debug);
foreach $perm (@newPerms) { next if($perm->{Account} !~ /TESTLOCAL/i); print
"objPerm = $perm\n"; foreach $key (sort(keys(%{$perm}))) { print "$key =
$perm->{$key}\n"; } }
# get a reference to a Perms object for the target file/folder
if($objSetPerms = new Win32::Perms( "$path" ))
{
# Clear existing entries from Perms object
if($objSetPerms->Remove(-1))
{
# Add newPerms ACE entries to Perms object
if($objSetPerms->Add(@newPerms))
{
# Commit change to remote target file/folder
# ONLY MODIFY DACL with SetDacl method passing list of
arguments
($objSetPerms->SetDacl( $path, $recurse, $container ))
? return(1) : return(undef);
}
}
undef($objSetPerms);
if($objSetPerms = new Win32::Perms( "$path" ))
{
$objSetPerms->Get([EMAIL PROTECTED]);
print "\ntempPerms list AFTER SETDACL\n" if($debug);
foreach $perm (@tempPerms) { next if($perm->{Account} !~
/TESTLOCAL/i); print "objPerm = $perm\n"; foreach $key (sort(keys(%{$perm}))) {
print "$key = $perm->{$key}\n"; } }
}
}
return(undef);
}
sub readPerms()
{
print "\nobjReadPerms = new Win32::Perms( \"${drive}:${target}\" )\n"
if($debug);
if($objReadPerms = new Win32::Perms( "${drive}:${target}" ))
{
($objReadPerms->Get([EMAIL PROTECTED])) ? return(1) : return(undef);
undef($objReadPerms);
}
return(undef);
}
sub convLocalToRemote($)
{
my $host = shift;
my $sid = undef;
my $uid = undef;
# TEST: Convert LOCALHOST\TESTLOCAL group to REMOTEHOST\TESTLOCAL group
# in global list of ACE's newPerms to be applied to remote object
foreach $objPerm (@newPerms)
{
if($objPerm->{Domain} eq "$ENV{LOCALHOST}")
{
# IF matches localhost, then convert remote host name and SID
# for matching local entry
$uid = $objPerm->{Account};
$objPerm->{Domain} = "$host";
if($sid = &convUIDtoSID($uid,$host))
{
$objPerm->{SID} = "$sid";
}
else
{
print "\n\tERROR: $error{71} for $uid on $host\n"
if($debug);
print LOG "ERROR: $error{71} for $uid on $host\n";
return(undef);
}
}
}
return(1);
}
sub convUIDtoSID($$)
{
print "\n\n>>> convUIDtoSID <<<\n" if($debug);
my $uid = shift;
my $host = shift;
my $sid = Win32::Perms::ResolveSid($uid,$dummy,$host);
print "\n uid = $uid, host = $host, sid = $sid\n" if($debug);
return ($sid);
}
sub isRemoteFileFound($$$)
{
my $host = shift;
my $drive = shift;
my $path = shift;
print "drive = $drive, path = $path\n" if($debug);
if(-e "\\\\$host\\$drive\$\\$path"){ return(1); } else { return(undef); }
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
