The branch, master has been updated
       via  d512b1a4bd1 gpo: Remove unused gp_ext_setter code
       via  627fb5471b9 gpo: Extract Access policy from Security extension
       via  89718761288 gpo: Extract Kerberos policy from Security extension
       via  bf74bf1c4ea gpo: Add RSOP output for Scripts Extension
       via  1f631030410 gpo: Add RSOP output for Security Extension
       via  5361f258006 gpo: Test samba-gpupdate --rsop
       via  f5202c7b551 gpo: Add --rsop option to samba-gpupdate
       via  0f3066abbb1 gpo: Properly decode utf-8/16 inf files from bytes
       via  70a38eb5485 gpo: Test proper decoding of utf-16 inf files
       via  88b6266168a gpo: Apply Group Policy Sudo Rights
       via  9679ba9577c gpo: Test Group Policy Sudo Rights
       via  e387aa937e5 gpo: Scripts gpo add warning about generated scripts
       via  edf4b6eb122 gpo: Scripts extension use 'gp_' prefix, not 'tmp'
       via  cd4efb95da2 gpo: Move all scripts to a sub-category in samba.admx
       via  b30a604f735 gpo: Apply Group Policy Weekly Scripts
       via  7e5c842cba0 gpo: Test gpo weekly scripts apply
       via  1810e4f10c9 gpo: Apply Group Policy Monthly Scripts
       via  63703c9a07d gpo: Test gpo monthly scripts apply
       via  42f043ab515 gpo: Apply Group Policy Hourly Scripts
       via  ae56a07ae70 gpo: Test gpo hourly scripts apply
      from  182cde4f9eb lib: fix smb_strtox.[c|h] license header

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d512b1a4bd161431a498a6dab64fae49f77dfcf2
Author: David Mulder <dmul...@suse.com>
Date:   Wed Jul 8 14:50:27 2020 -0600

    gpo: Remove unused gp_ext_setter code
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    
    Autobuild-User(master): David Mulder <dmul...@samba.org>
    Autobuild-Date(master): Thu Aug  6 18:01:49 UTC 2020 on sn-devel-184

commit 627fb5471b95595ce99e2effed0fe546ad334048
Author: David Mulder <dmul...@suse.com>
Date:   Wed Jul 8 14:48:45 2020 -0600

    gpo: Extract Access policy from Security extension
    
    Rewrite the extension to be easier to understand,
    and to remove references to gp_ext_setter.
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 89718761288b3a51a5727b5f8b40f0ade3348ff1
Author: David Mulder <dmul...@suse.com>
Date:   Fri Jun 26 15:34:02 2020 -0600

    gpo: Extract Kerberos policy from Security extension
    
    Rewrite the extension to be easier to understand,
    and to remove references to gp_ext_setter.
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit bf74bf1c4ea11074919a5197c7d8975658291cb1
Author: David Mulder <dmul...@suse.com>
Date:   Mon Jul 6 11:16:45 2020 -0600

    gpo: Add RSOP output for Scripts Extension
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 1f631030410c8dba0567e651346fc92facd0e22d
Author: David Mulder <dmul...@suse.com>
Date:   Mon Jul 6 11:16:14 2020 -0600

    gpo: Add RSOP output for Security Extension
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 5361f25800620819187f0294d5baf98131f303e8
Author: David Mulder <dmul...@suse.com>
Date:   Tue Jul 7 10:35:25 2020 -0600

    gpo: Test samba-gpupdate --rsop
    
    Test that the rsop command produces the expected
    output.
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit f5202c7b551e38946837d8039b12e969d19bdf91
Author: David Mulder <dmul...@suse.com>
Date:   Mon Jul 6 08:25:23 2020 -0600

    gpo: Add --rsop option to samba-gpupdate
    
    This command prints the Resultant Set of Policy
    for applicable GPOs, for either the Computer or
    User policy (depending on the target specified).
    Policy specific output must be implemented for
    each client side extension.
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 0f3066abbb1b65e9cde8df9499483bf0768c273e
Author: David Mulder <dmul...@suse.com>
Date:   Mon Jul 6 08:13:57 2020 -0600

    gpo: Properly decode utf-8/16 inf files from bytes
    
    This code was python 2 specific (string handling
    has changed dramatically in python 3), and didn't
    correctly decode utf-16 in python3. We should
    instead read the file as bytes, then attempt a
    utf-8 decode (the default), and try utf-16 if
    encountering a decode failure.
    The existing code actually throws an exception on
    the initial file read when the data is utf-16,
    since it tries to decode the bytes to a utf-8
    string.
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 70a38eb5485bf82bf068aa3fbcb3cf799ff9ddff
Author: David Mulder <dmul...@suse.com>
Date:   Tue Jul 7 11:10:10 2020 -0600

    gpo: Test proper decoding of utf-16 inf files
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 88b6266168ace52f66ded9cedaea1a02eea6e441
Author: David Mulder <dmul...@suse.com>
Date:   Fri Jun 26 12:35:20 2020 -0600

    gpo: Apply Group Policy Sudo Rights
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 9679ba9577c70756e4bcaf17351fca4dbb1c8f31
Author: David Mulder <dmul...@suse.com>
Date:   Fri Jun 26 12:37:11 2020 -0600

    gpo: Test Group Policy Sudo Rights
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit e387aa937e576116d5487d18a829066ee75eb0b7
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jul 2 10:13:15 2020 -0600

    gpo: Scripts gpo add warning about generated scripts
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit edf4b6eb1229bb0c8fdd46edc147376a96fc0a40
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jul 2 10:04:36 2020 -0600

    gpo: Scripts extension use 'gp_' prefix, not 'tmp'
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit cd4efb95da2f4fc7644c5345e9a607ca9ff98927
Author: David Mulder <dmul...@suse.com>
Date:   Fri Jun 26 13:10:43 2020 -0600

    gpo: Move all scripts to a sub-category in samba.admx
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit b30a604f7353ddc6c3218f1547d56fbc1386a9cf
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jun 25 15:23:14 2020 -0600

    gpo: Apply Group Policy Weekly Scripts
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 7e5c842cba08911c7b555bd9b37865e38c64c868
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jun 25 15:23:35 2020 -0600

    gpo: Test gpo weekly scripts apply
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 1810e4f10c9aa729bb281c04574426d31b14c4c2
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jun 25 15:02:37 2020 -0600

    gpo: Apply Group Policy Monthly Scripts
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 63703c9a07d22b6ab881afc6824b5cf4016375ec
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jun 25 15:03:03 2020 -0600

    gpo: Test gpo monthly scripts apply
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 42f043ab5154e4c53a6b940c764ccade688ff439
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jun 25 14:14:09 2020 -0600

    gpo: Apply Group Policy Hourly Scripts
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit ae56a07ae703ce7315edc27f600f184ff584903c
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jun 25 14:15:18 2020 -0600

    gpo: Test gpo hourly scripts apply
    
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 libgpo/admx/en-US/samba.adml         |  23 +++-
 libgpo/admx/samba.admx               |  33 ++++-
 python/samba/gp_scripts_ext.py       |  50 ++++++--
 python/samba/gp_sec_ext.py           | 229 ++++++++++++++++++-----------------
 python/samba/gp_sudoers_ext.py       |  85 +++++++++++++
 python/samba/gpclass.py              |  71 ++++++-----
 python/samba/tests/gpo.py            | 172 ++++++++++++++++++++++++--
 source4/scripting/bin/samba-gpupdate |  15 ++-
 8 files changed, 514 insertions(+), 164 deletions(-)
 create mode 100644 python/samba/gp_sudoers_ext.py


Changeset truncated at 500 lines:

diff --git a/libgpo/admx/en-US/samba.adml b/libgpo/admx/en-US/samba.adml
index b5fc5098638..577cb1aa0bb 100755
--- a/libgpo/admx/en-US/samba.adml
+++ b/libgpo/admx/en-US/samba.adml
@@ -7,13 +7,34 @@
     <stringTable>
       <string id="CAT_3338C1DD_8A00_4273_8547_158D8B8C19E9">Samba</string>
       <string id="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6">Unix 
Settings</string>
-      <string id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061">Daily 
Scripts</string>
+      <string id="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA">Scripts</string>
+      <string id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061">Daily</string>
+      <string id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1">Hourly</string>
+      <string id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6">Monthly</string>
+      <string id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674">Weekly</string>
+      <string id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3">Sudo 
Rights</string>
       <string id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help">This policy 
setting allows you to execute commands, either local or on remote storage, 
daily.</string>
+      <string id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1_Help">This policy 
setting allows you to execute commands, either local or on remote storage, 
hourly.</string>
+      <string id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help">This policy 
setting allows you to execute commands, either local or on remote storage, 
monthly.</string>
+      <string id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help">This policy 
setting allows you to execute commands, either local or on remote storage, 
weekly.</string>
+      <string id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3_Help">This policy 
configures the sudoers file with the lines specified.</string>
     </stringTable>
     <presentationTable>
       <presentation id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061">
         <listBox refId="LST_2E9A4684_3C0E_415B_8FD6_D4AF68BC8AC6">Script and 
arguments</listBox>
       </presentation>
+      <presentation id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1">
+        <listBox refId="LST_1AA93D59_6372_4F1E_90BB_D4CBBBB77238">Script and 
arguments</listBox>
+      </presentation>
+      <presentation id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6">
+        <listBox refId="LST_8BC6757D_B1FB_4780_83B4_F85F27BF6E60">Script and 
arguments</listBox>
+      </presentation>
+      <presentation id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674">
+        <listBox refId="LST_1E7198A6_7850_4CAB_B656_BC18752564FC">Script and 
arguments</listBox>
+      </presentation>
+      <presentation id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3">
+        <listBox refId="LST_4F4BA073_4F7B_4B64_A61D_8E75257A4B9F">Sudoers 
commands</listBox>
+      </presentation>
     </presentationTable>
   </resources>
 </policyDefinitionResources>
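Review bot: The help string POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3_Help says only that the policy "configures the sudoers file with the lines specified"; it does not say which file is written or whether the lines are checked before they take effect. Since a syntax error in sudoers content can leave sudo unusable on the client, the explain text should name the target and state what validation, if any, is done. The four script help strings could likewise say that the commands are installed as cron jobs.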
diff --git a/libgpo/admx/samba.admx b/libgpo/admx/samba.admx
index f2921ff1885..a4e26cf388f 100755
--- a/libgpo/admx/samba.admx
+++ b/libgpo/admx/samba.admx
@@ -10,14 +10,45 @@
     <category name="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" 
displayName="$(string.CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6)">
       <parentCategory ref="CAT_3338C1DD_8A00_4273_8547_158D8B8C19E9" />
     </category>
+    <category name="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" 
displayName="$(string.CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA)">
+      <parentCategory ref="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" />
+    </category>
   </categories>
   <policies>
     <policy name="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061" class="Machine" 
displayName="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" 
explainText="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help)" 
presentation="$(presentation.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" 
key="Software\Policies\Samba\Unix Settings">
-      <parentCategory ref="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" />
+      <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
       <supportedOn ref="windows:SUPPORTED_WindowsVista" />
       <elements>
         <list id="LST_2E9A4684_3C0E_415B_8FD6_D4AF68BC8AC6" 
key="Software\Policies\Samba\Unix Settings\Daily Scripts" valueName="Daily 
Scripts" />
       </elements>
     </policy>
+    <policy name="POL_825D441F_905E_4C7E_9E4B_03013697C6C1" class="Machine" 
displayName="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" 
explainText="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1_Help)" 
presentation="$(presentation.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" 
key="Software\Policies\Samba\Unix Settings">
+      <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
+      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
+      <elements>
+        <list id="LST_1AA93D59_6372_4F1E_90BB_D4CBBBB77238" 
key="Software\Policies\Samba\Unix Settings\Hourly Scripts" valueName="Hourly 
Scripts" />
+      </elements>
+    </policy>
+    <policy name="POL_D298F3BD_44D9_426D_AF11_3163D31582F6" class="Machine" 
displayName="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" 
explainText="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help)" 
presentation="$(presentation.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" 
key="Software\Policies\Samba\Unix Settings">
+      <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
+      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
+      <elements>
+        <list id="LST_8BC6757D_B1FB_4780_83B4_F85F27BF6E60" 
key="Software\Policies\Samba\Unix Settings\Monthly Scripts" valueName="Monthly 
Scripts" />
+      </elements>
+    </policy>
+    <policy name="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674" class="Machine" 
displayName="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" 
explainText="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help)" 
presentation="$(presentation.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" 
key="Software\Policies\Samba\Unix Settings">
+      <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" />
+      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
+      <elements>
+        <list id="LST_1E7198A6_7850_4CAB_B656_BC18752564FC" 
key="Software\Policies\Samba\Unix Settings\Weekly Scripts" valueName="Weekly 
Scripts" />
+      </elements>
+    </policy>
+    <policy name="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3" class="Machine" 
displayName="$(string.POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3)" 
explainText="$(string.POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3_Help)" 
presentation="$(presentation.POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3)" 
key="Software\Policies\Samba\Unix Settings">
+      <parentCategory ref="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" />
+      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
+      <elements>
+        <list id="LST_4F4BA073_4F7B_4B64_A61D_8E75257A4B9F" 
key="Software\Policies\Samba\Unix Settings\Sudo Rights" valueName="Sudo Rights" 
/>
+      </elements>
+    </policy>
   </policies>
 </policyDefinitions>
diff --git a/python/samba/gp_scripts_ext.py b/python/samba/gp_scripts_ext.py
index f83f367a5d7..9bd828d0687 100644
--- a/python/samba/gp_scripts_ext.py
+++ b/python/samba/gp_scripts_ext.py
@@ -19,11 +19,22 @@ from samba.gpclass import gp_pol_ext
 from base64 import b64encode
 from tempfile import NamedTemporaryFile
 
+intro = '''
+### autogenerated by samba
+#
+# This file is generated by the gp_scripts_ext Group Policy
+# Client Side Extension. To modify the contents of this file,
+# modify the appropriate Group Policy objects which apply
+# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
+#
+
+'''
+
 class gp_scripts_ext(gp_pol_ext):
     def __str__(self):
-        return 'Unix Settings/Daily Scripts'
+        return 'Unix Settings/Scripts'
 
-    def process_group_policy(self, deleted_gpo_list, changed_gpo_list, 
cdir='/etc/cron.daily'):
+    def process_group_policy(self, deleted_gpo_list, changed_gpo_list, 
cdir=None):
         for gpo in deleted_gpo_list:
             self.gp_db.set_guid(gpo[0])
             if str(self) in gpo[1]:
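Review bot: Changing __str__ from 'Unix Settings/Daily Scripts' to 'Unix Settings/Scripts' looks like it breaks cleanup on hosts that already applied the daily policy, because the deleted_gpo_list loop only acts when `str(self) in gpo[1]`. Entries recorded under the old section name will no longer match, so cron files created by the previous version would stay in place after the GPO is removed. Either check the old name as well in that loop or migrate the stored section name on first run, and cover the upgrade case in the tests.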
@@ -34,7 +45,11 @@ class gp_scripts_ext(gp_pol_ext):
 
         for gpo in changed_gpo_list:
             if gpo.file_sys_path:
-                section_name = 'Software\\Policies\\Samba\\Unix 
Settings\\Daily Scripts'
+                reg_key = 'Software\\Policies\\Samba\\Unix Settings'
+                sections = { '%s\\Daily Scripts' % reg_key : '/etc/cron.daily',
+                             '%s\\Monthly Scripts' % reg_key : 
'/etc/cron.monthly',
+                             '%s\\Weekly Scripts' % reg_key : 
'/etc/cron.weekly',
+                             '%s\\Hourly Scripts' % reg_key : 
'/etc/cron.hourly' }
                 self.gp_db.set_guid(gpo.name)
                 pol_file = 'MACHINE/Registry.pol'
                 path = os.path.join(gpo.file_sys_path, pol_file)
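Review bot: The sections dict (and reg_key) is rebuilt inside the changed_gpo_list loop for every GPO although its contents never change. Move it to a class attribute so it is built once and can be shared with rsop(). Style: the spaces inside the braces and before the colons do not follow PEP 8.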
@@ -42,12 +57,33 @@ class gp_scripts_ext(gp_pol_ext):
                 if not pol_conf:
                     continue
                 for e in pol_conf.entries:
-                    if e.keyname == section_name and e.data.strip():
-                        attribute = b64encode(e.data.encode()).decode()
+                    if e.keyname in sections.keys() and e.data.strip():
+                        cron_dir = sections[e.keyname] if not cdir else cdir
+                        attribute = '%s:%s' % (e.keyname,
+                                b64encode(e.data.encode()).decode())
                         old_val = self.gp_db.retrieve(str(self), attribute)
                         if not old_val:
-                            with NamedTemporaryFile(mode="w+", delete=False, 
dir=cdir) as f:
-                                f.write('#!/bin/sh\n%s' % e.data)
+                            with NamedTemporaryFile(prefix='gp_', mode="w+",
+                                    delete=False, dir=cron_dir) as f:
+                                contents = '#!/bin/sh\n%s' % intro
+                                contents += '%s\n' % e.data
+                                f.write(contents)
                                 os.chmod(f.name, 0o700)
                                 self.gp_db.store(str(self), attribute, f.name)
                         self.gp_db.commit()
+
+    def rsop(self, gpo):
+        output = {}
+        pol_file = 'MACHINE/Registry.pol'
+        if gpo.file_sys_path:
+            path = os.path.join(gpo.file_sys_path, pol_file)
+            pol_conf = self.parse(path)
+            if not pol_conf:
+                return output
+            for e in pol_conf.entries:
+                key = e.keyname.split('\\')[-1]
+                if key.endswith('Scripts') and e.data.strip():
+                    if key not in output.keys():
+                        output[key] = []
+                    output[key].append(e.data)
+        return output
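Review bot: rsop() selects entries with `key.endswith('Scripts')` on the last path component, while process_group_policy only acts on `e.keyname in sections.keys()`. A Registry.pol entry under any other key whose last component ends in 'Scripts' would be reported as resultant policy although it is never applied; match against the same four full key names in both places. Separately, the stored attribute is now prefixed with the key name, so a daily script recorded in the previous format will not be found by retrieve() and will be written a second time.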
diff --git a/python/samba/gp_sec_ext.py b/python/samba/gp_sec_ext.py
index 6eab975e6fe..5e230f73c3c 100644
--- a/python/samba/gp_sec_ext.py
+++ b/python/samba/gp_sec_ext.py
@@ -16,7 +16,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os.path
-from samba.gpclass import gp_ext_setter, gp_inf_ext
+from samba.gpclass import gp_inf_ext
 from samba.auth import system_session
 from samba.compat import get_string
 try:
@@ -26,26 +26,60 @@ except ImportError:
     pass
 
 
-class inf_to_kdc_tdb(gp_ext_setter):
-    def mins_to_hours(self):
-        return '%d' % (int(self.val) / 60)
+class gp_krb_ext(gp_inf_ext):
+    apply_map = { 'MaxTicketAge':  'kdc:user_ticket_lifetime',
+                  'MaxServiceAge': 'kdc:service_ticket_lifetime',
+                  'MaxRenewAge':   'kdc:renewal_lifetime' }
+    def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
+        if self.lp.get('server role') != 'active directory domain controller':
+            return
+        inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
+        for gpo in deleted_gpo_list:
+            self.gp_db.set_guid(gpo[0])
+            for section in gpo[1].keys():
+                if section == str(self):
+                    for att, value in gpo[1][section].items():
+                        update_samba, _ = self.mapper().get(att)
+                        update_samba(att, value)
+                        self.gp_db.delete(section, att)
+                        self.gp_db.commit()
 
-    def days_to_hours(self):
-        return '%d' % (int(self.val) * 24)
+        for gpo in changed_gpo_list:
+            if gpo.file_sys_path:
+                self.gp_db.set_guid(gpo.name)
+                path = os.path.join(gpo.file_sys_path, inf_file)
+                inf_conf = self.parse(path)
+                if not inf_conf:
+                    continue
+                for section in inf_conf.sections():
+                    if section == str(self):
+                        for key, value in inf_conf.items(section):
+                            att = gp_krb_ext.apply_map[key]
+                            (update_samba, value_func) = self.mapper().get(att)
+                            update_samba(att, value_func(value))
+                            self.gp_db.commit()
 
-    def set_kdc_tdb(self, val):
-        old_val = self.gp_db.gpostore.get(self.attribute)
-        self.logger.info('%s was changed from %s to %s' % (self.attribute,
+    def mins_to_hours(self, val):
+        return '%d' % (int(val) / 60)
+
+    def days_to_hours(self, val):
+        return '%d' % (int(val) * 24)
+
+    def set_kdc_tdb(self, attribute, val):
+        old_val = self.gp_db.gpostore.get(attribute)
+        self.logger.info('%s was changed from %s to %s' % (attribute,
                                                            old_val, val))
         if val is not None:
-            self.gp_db.gpostore.store(self.attribute, get_string(val))
-            self.gp_db.store(str(self), self.attribute, get_string(old_val) if 
old_val else None)
+            self.gp_db.gpostore.store(attribute, get_string(val))
+            self.gp_db.store(str(self), attribute, get_string(old_val) \
+                    if old_val else None)
         else:
-            self.gp_db.gpostore.delete(self.attribute)
-            self.gp_db.delete(str(self), self.attribute)
+            self.gp_db.gpostore.delete(attribute)
+            self.gp_db.delete(str(self), attribute)
 
     def mapper(self):
-        return {'kdc:user_ticket_lifetime': (self.set_kdc_tdb, self.explicit),
+        return {'kdc:user_ticket_lifetime': (self.set_kdc_tdb,
+                                             lambda val: val),
                 'kdc:service_ticket_lifetime': (self.set_kdc_tdb,
                                                 self.mins_to_hours),
                 'kdc:renewal_lifetime': (self.set_kdc_tdb,
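Review bot: In the changed_gpo_list loop, `att = gp_krb_ext.apply_map[key]` has no guard, so any key in the 'Kerberos Policy' section that is not one of the three mapped names raises KeyError and stops processing of the remaining GPOs. Use apply_map.get(key) and continue when it returns None. The deleted path has the same shape: `update_samba, _ = self.mapper().get(att)` fails to unpack when att is not in the mapper.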
@@ -55,15 +89,28 @@ class inf_to_kdc_tdb(gp_ext_setter):
     def __str__(self):
         return 'Kerberos Policy'
 
-
-class inf_to_ldb(gp_ext_setter):
+    def rsop(self, gpo):
+        output = {}
+        inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
+        if gpo.file_sys_path:
+            path = os.path.join(gpo.file_sys_path, inf_file)
+            inf_conf = self.parse(path)
+            if not inf_conf:
+                return output
+            for section in inf_conf.sections():
+                output[section] = {k: v for k, v in inf_conf.items(section) \
+                                      if gp_krb_ext.apply_map.get(k)}
+        return output
+
+
+class gp_access_ext(gp_inf_ext):
     '''This class takes the .inf file parameter (essentially a GPO file mapped
     to a GUID), hashmaps it to the Samba parameter, which then uses an ldb
     object to update the parameter to Samba4. Not registry oriented whatsoever.
     '''
 
-    def __init__(self, logger, gp_db, lp, creds, key, value):
-        super(inf_to_ldb, self).__init__(logger, gp_db, lp, creds, key, value)
+    def __init__(self, *args):
+        super().__init__(*args)
         try:
             self.ldb = SamDB(self.lp.samdb_url(),
                              session_info=system_session(),
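Review bot: gp_krb_ext.rsop() loops over every section of the inf file and assigns output[section] without checking `section == str(self)`, so sections this extension does not own appear in the result as empty dicts. Restrict the loop to the 'Kerberos Policy' section, as process_group_policy does, or skip sections whose filtered dict is empty.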
@@ -72,41 +119,73 @@ class inf_to_ldb(gp_ext_setter):
         except (NameError, LdbError):
             raise Exception('Failed to load SamDB for assigning Group Policy')
 
-    def ch_minPwdAge(self, val):
+    apply_map = { 'MinimumPasswordAge':     'minPwdAge',
+                  'MaximumPasswordAge':     'maxPwdAge',
+                  'MinimumPasswordLength':  'minPwdLength',
+                  'PasswordComplexity':     'pwdProperties' }
+    def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
+        if self.lp.get('server role') != 'active directory domain controller':
+            return
+        inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
+        for gpo in deleted_gpo_list:
+            self.gp_db.set_guid(gpo[0])
+            for section in gpo[1].keys():
+                if section == str(self):
+                    for att, value in gpo[1][section].items():
+                        update_samba, _ = self.mapper().get(att)
+                        update_samba(att, value)
+                        self.gp_db.delete(section, att)
+                        self.gp_db.commit()
+
+        for gpo in changed_gpo_list:
+            if gpo.file_sys_path:
+                self.gp_db.set_guid(gpo.name)
+                path = os.path.join(gpo.file_sys_path, inf_file)
+                inf_conf = self.parse(path)
+                if not inf_conf:
+                    continue
+                for section in inf_conf.sections():
+                    if section == str(self):
+                        for key, value in inf_conf.items(section):
+                            att = gp_access_ext.apply_map[key]
+                            (update_samba, value_func) = self.mapper().get(att)
+                            update_samba(att, value_func(value))
+                            self.gp_db.commit()
+
+    def ch_minPwdAge(self, attribute, val):
         old_val = self.ldb.get_minPwdAge()
         self.logger.info('KDC Minimum Password age was changed from %s to %s'
                          % (old_val, val))
-        self.gp_db.store(str(self), self.attribute, str(old_val))
+        self.gp_db.store(str(self), attribute, str(old_val))
         self.ldb.set_minPwdAge(val)
 
-    def ch_maxPwdAge(self, val):
+    def ch_maxPwdAge(self, attribute, val):
         old_val = self.ldb.get_maxPwdAge()
         self.logger.info('KDC Maximum Password age was changed from %s to %s'
                          % (old_val, val))
-        self.gp_db.store(str(self), self.attribute, str(old_val))
+        self.gp_db.store(str(self), attribute, str(old_val))
         self.ldb.set_maxPwdAge(val)
 
-    def ch_minPwdLength(self, val):
+    def ch_minPwdLength(self, attribute, val):
         old_val = self.ldb.get_minPwdLength()
         self.logger.info(
             'KDC Minimum Password length was changed from %s to %s'
             % (old_val, val))
-        self.gp_db.store(str(self), self.attribute, str(old_val))
+        self.gp_db.store(str(self), attribute, str(old_val))
         self.ldb.set_minPwdLength(val)
 
-    def ch_pwdProperties(self, val):
+    def ch_pwdProperties(self, attribute, val):
         old_val = self.ldb.get_pwdProperties()
         self.logger.info('KDC Password Properties were changed from %s to %s'
                          % (old_val, val))
-        self.gp_db.store(str(self), self.attribute, str(old_val))
+        self.gp_db.store(str(self), attribute, str(old_val))
         self.ldb.set_pwdProperties(val)
 
-    def days2rel_nttime(self):
+    def days2rel_nttime(self, val):
         seconds = 60
         minutes = 60
         hours = 24
         sam_add = 10000000
-        val = (self.val)
         val = int(val)
         return str(-(val * seconds * minutes * hours * sam_add))
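Review bot: process_group_policy in gp_access_ext is a copy of the gp_krb_ext version apart from the class name in the apply_map lookup, and it carries over the unguarded `gp_access_ext.apply_map[key]`, which raises KeyError for any unmapped key in the section. Move the shared loop into gp_inf_ext (or a helper) that uses self.apply_map and skips keys with no mapping. Style: apply_map is declared between __init__ and process_group_policy with no blank line before the method; place it at the top of the class.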
 
@@ -116,91 +195,23 @@ class inf_to_ldb(gp_ext_setter):
                 "maxPwdAge": (self.ch_maxPwdAge, self.days2rel_nttime),
                 # Could be none, but I like the method assignment in
                 # update_samba
-                "minPwdLength": (self.ch_minPwdLength, self.explicit),
-                "pwdProperties": (self.ch_pwdProperties, self.explicit),
+                "minPwdLength": (self.ch_minPwdLength, lambda val: val),
+                "pwdProperties": (self.ch_pwdProperties, lambda val: val),
 
                 }
 
     def __str__(self):
         return 'System Access'
 
-
-class gp_sec_ext(gp_inf_ext):
-    '''This class does the following two things:
-        1) Identifies the GPO if it has a certain kind of filepath,
-        2) Finally parses it.
-    '''
-
-    count = 0
-
-    def __str__(self):
-        return "Security GPO extension"
-
-    def apply_map(self):
-        return {"System Access": {"MinimumPasswordAge": ("minPwdAge",
-                                                         inf_to_ldb),
-                                  "MaximumPasswordAge": ("maxPwdAge",
-                                                         inf_to_ldb),
-                                  "MinimumPasswordLength": ("minPwdLength",
-                                                            inf_to_ldb),
-                                  "PasswordComplexity": ("pwdProperties",
-                                                         inf_to_ldb),
-                                  },
-                "Kerberos Policy": {"MaxTicketAge": (
-                                        "kdc:user_ticket_lifetime",
-                                        inf_to_kdc_tdb
-                                    ),
-                                    "MaxServiceAge": (
-                                        "kdc:service_ticket_lifetime",
-                                        inf_to_kdc_tdb
-                                    ),
-                                    "MaxRenewAge": (
-                                        "kdc:renewal_lifetime",
-                                        inf_to_kdc_tdb
-                                    ),
-                                    }
-                }
-
-    def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
-        if self.lp.get('server role') != 'active directory domain controller':
-            return
+    def rsop(self, gpo):
+        output = {}
         inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
-        apply_map = self.apply_map()
-        for gpo in deleted_gpo_list:
-            self.gp_db.set_guid(gpo[0])
-            for section in gpo[1].keys():
-                current_section = apply_map.get(section)
-                if not current_section:
-                    continue
-                for key, value in gpo[1][section].items():
-                    setter = None
-                    for _, tup in current_section.items():
-                        if tup[0] == key:
-                            setter = tup[1]
-                    if setter:
-                        value = value.encode('ascii', 'ignore') \
-                             if value else value
-                        setter(self.logger, self.gp_db, self.lp, self.creds,
-                               key, value).delete()
-                        self.gp_db.delete(section, key)
-                        self.gp_db.commit()
-
-        for gpo in changed_gpo_list:
-            if gpo.file_sys_path:
-                self.gp_db.set_guid(gpo.name)
-                path = os.path.join(gpo.file_sys_path, inf_file)
-                inf_conf = self.parse(path)
-                if not inf_conf:
-                    continue
-                for section in inf_conf.sections():
-                    current_section = apply_map.get(section)
-                    if not current_section:
-                        continue
-                    for key, value in inf_conf.items(section):
-                        if current_section.get(key):
-                            (att, setter) = current_section.get(key)
-                            value = value.encode('ascii', 'ignore')
-                            setter(self.logger, self.gp_db, self.lp,
-                                   self.creds, att, value).update_samba()
-                            self.gp_db.commit()
-
+        if gpo.file_sys_path:
+            path = os.path.join(gpo.file_sys_path, inf_file)
+            inf_conf = self.parse(path)
+            if not inf_conf:
+                return output
+            for section in inf_conf.sections():
+                output[section] = {k: v for k, v in inf_conf.items(section) \
+                                      if gp_access_ext.apply_map.get(k)}
+        return output
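Review bot: The removed gp_sec_ext code passed each value through value.encode('ascii', 'ignore') before calling the setter, whereas the new mapper entries for minPwdLength and pwdProperties use `lambda val: val` and hand the parsed string through unchanged. Confirm that the ch_* setters and the ldb set_* calls they wrap accept str, or convert explicitly in the value function. The retained comment "Could be none, but I like the method assignment in update_samba" now refers to a local variable rather than a method and should be reworded.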
diff --git a/python/samba/gp_sudoers_ext.py b/python/samba/gp_sudoers_ext.py
new file mode 100644
index 00000000000..cbebc8f06e3
--- /dev/null
+++ b/python/samba/gp_sudoers_ext.py
@@ -0,0 +1,85 @@
+# gp_sudoers_ext samba gpo policy
+# Copyright (C) David Mulder <dmul...@suse.com> 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License


-- 
Samba Shared Repository
