The branch, master has been updated via 709a6d6491f samba-tool: Add a gpo command for removing VGP Symbolic Link Group Policy via 5794c670ff7 samba-tool: Test gpo manage symlink remove command via 3fc89829a94 samba-tool: Add a gpo command for adding VGP Symbolic Link Group Policy via 7b2ecefd55d samba-tool: Test gpo manage symlink add command via 7e70d72d97f samba-tool: Add a gpo command for listing VGP Symbolic Link Group Policy via b9cba18528d samba-tool: Test gpo manage symlink list command via 7ac29c8eeb9 gpo: Apply Group Policy Symlink Policy from VGP via 33d2071b99d gpo: Test Group Policy VGP Symlink Policy from 7114150f437 vfs_aixacl: fix regression from f4c2f867f035fcbe3d547d5635d058b0aec7636a
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 709a6d6491f24c9325977770d2ab274cf6485b84 Author: David Mulder <dmul...@suse.com> Date: Thu Jan 21 12:39:42 2021 -0700 samba-tool: Add a gpo command for removing VGP Symbolic Link Group Policy Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Wed Jan 27 07:32:03 UTC 2021 on sn-devel-184 commit 5794c670ff71c0189bd7caa3e75b21b6884d36b0 Author: David Mulder <dmul...@suse.com> Date: Thu Jan 21 12:11:09 2021 -0700 samba-tool: Test gpo manage symlink remove command Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> commit 3fc89829a94dfd1405eac4e6e5006781c4dfb5e7 Author: David Mulder <dmul...@suse.com> Date: Thu Jan 21 10:57:46 2021 -0700 samba-tool: Add a gpo command for adding VGP Symbolic Link Group Policy Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> commit 7b2ecefd55d11070a9ad4ed4dfd4862fca3ac8dd Author: David Mulder <dmul...@suse.com> Date: Thu Jan 21 10:26:57 2021 -0700 samba-tool: Test gpo manage symlink add command Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> commit 7e70d72d97f73220c18b2509d5916e092933a536 Author: David Mulder <dmul...@suse.com> Date: Thu Jan 21 10:08:15 2021 -0700 samba-tool: Add a gpo command for listing VGP Symbolic Link Group Policy Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> commit b9cba18528d6ffa71bfea9a147d2b16f2e057dc2 Author: David Mulder <dmul...@suse.com> Date: Thu Jan 21 09:49:48 2021 -0700 samba-tool: Test gpo manage symlink list command Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> commit 7ac29c8eeb98b0d2dc51b58d375fb38c4366255e Author: David Mulder <dmul...@suse.com> Date: Thu Jan 21 06:54:05 2021 -0700 gpo: Apply Group Policy Symlink Policy from VGP This adds a Group Policy extension which applies symlink policies set by Vintela Group Policy in the SYSVOL. Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> commit 33d2071b99db8c6ead7074d4da4641965384124a Author: David Mulder <dmul...@suse.com> Date: Thu Jan 21 06:51:43 2021 -0700 gpo: Test Group Policy VGP Symlink Policy Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages/samba-tool.8.xml | 15 +++ python/samba/netcmd/gpo.py | 251 ++++++++++++++++++++++++++++++++++- python/samba/tests/gpo.py | 74 +++++++++++ python/samba/tests/samba_tool/gpo.py | 87 ++++++++++++ python/samba/vgp_symlink_ext.py | 76 +++++++++++ source4/scripting/bin/samba-gpupdate | 2 + 6 files changed, 504 insertions(+), 1 deletion(-) create mode 100644 python/samba/vgp_symlink_ext.py Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 820e278198d..83511b4ddf6 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml @@ -884,6 +884,21 @@ <para>Show information for a GPO.</para> </refsect3> +<refsect3> + <title>gpo manage symlink list</title> + <para>List VGP Symbolic Link Group Policy from the sysvol</para> +</refsect3> + +<refsect3> + <title>gpo manage symlink add</title> + <para>Adds a VGP Symbolic Link Group Policy to the sysvol</para> +</refsect3> + +<refsect3> + <title>gpo manage symlink remove</title> + <para>Removes a VGP Symbolic Link Group Policy from the sysvol</para> +</refsect3> + <refsect2> <title>group</title> <para>Manage groups.</para> diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index 8be7368282f..2a3ffdfe557 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -67,7 +67,7 @@ from samba.credentials import SMB_SIGNING_REQUIRED from samba.netcmd.common import attr_default from samba.common import get_bytes, get_string from configparser import ConfigParser -from io import StringIO +from io import StringIO, BytesIO def gpo_flags_string(value): @@ -2240,12 +2240,261 @@ class cmd_smb_conf(SuperCommand): subcommands["list"] = cmd_list_smb_conf() subcommands["set"] = cmd_set_smb_conf() +class cmd_list_symlink(Command): + """List VGP Symbolic Link Group Policy from the sysvol + +This command lists symlink settings from the sysvol that will be applied to winbind clients. + +Example: +samba-tool gpo manage symlink list {31B2F340-016D-11D2-945F-00C04FB984F9} + """ + + synopsis = "%prog <gpo> [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "versionopts": options.VersionOptions, + "credopts": options.CredentialsOptions, + } + + takes_options = [ + Option("-H", "--URL", help="LDB URL for database or target server", type=str, + metavar="URL", dest="H"), + ] + + takes_args = ["gpo"] + + def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None): + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp, fallback_machine=True) + + # We need to know writable DC to setup SMB connection + if H and H.startswith('ldap://'): + dc_hostname = H[7:] + self.url = H + else: + dc_hostname = netcmd_finddc(self.lp, self.creds) + self.url = dc_url(self.lp, self.creds, dc=dc_hostname) + + # SMB connect to DC + conn = smb_connection(dc_hostname, + 'sysvol', + lp=self.lp, + creds=self.creds) + + realm = self.lp.get('realm') + vgp_xml = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\VGP\\VTLA\\Unix', + 'Symlink\\manifest.xml']) + try: + xml_data = ET.fromstring(conn.loadfile(vgp_xml)) + except NTSTATUSError as e: + # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, + # STATUS_OBJECT_PATH_NOT_FOUND + if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]: + return # The file doesn't exist, so there is nothing to list + if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + raise + + policy = xml_data.find('policysetting') + data = policy.find('data') + for file_properties in data.findall('file_properties'): + source = file_properties.find('source') + target = file_properties.find('target') + self.outf.write('ln -s %s %s\n' % (source.text, target.text)) + +class cmd_add_symlink(Command): + """Adds a VGP Symbolic Link Group Policy to the sysvol + +This command adds a symlink setting to the sysvol that will be applied to winbind clients. + +Example: +samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target + """ + + synopsis = "%prog <gpo> <source> <target> [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "versionopts": options.VersionOptions, + "credopts": options.CredentialsOptions, + } + + takes_options = [ + Option("-H", "--URL", help="LDB URL for database or target server", type=str, + metavar="URL", dest="H"), + ] + + takes_args = ["gpo", "source", "target"] + + def run(self, gpo, source, target, H=None, sambaopts=None, credopts=None, + versionopts=None): + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp, fallback_machine=True) + + # We need to know writable DC to setup SMB connection + if H and H.startswith('ldap://'): + dc_hostname = H[7:] + self.url = H + else: + dc_hostname = netcmd_finddc(self.lp, self.creds) + self.url = dc_url(self.lp, self.creds, dc=dc_hostname) + + # SMB connect to DC + conn = smb_connection(dc_hostname, + 'sysvol', + lp=self.lp, + creds=self.creds) + + realm = self.lp.get('realm') + vgp_dir = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\VGP\\VTLA\\Unix\\Symlink']) + vgp_xml = '\\'.join([vgp_dir, 'manifest.xml']) + try: + xml_data = ET.ElementTree(ET.fromstring(conn.loadfile(vgp_xml))) + policy = xml_data.getroot().find('policysetting') + data = policy.find('data') + except NTSTATUSError as e: + # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, + # STATUS_OBJECT_PATH_NOT_FOUND + if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]: + # The file doesn't exist, so create the xml structure + xml_data = ET.ElementTree(ET.Element('vgppolicy')) + policysetting = ET.SubElement(xml_data.getroot(), + 'policysetting') + pv = ET.SubElement(policysetting, 'version') + pv.text = '1' + name = ET.SubElement(policysetting, 'name') + name.text = 'Symlink Policy' + description = ET.SubElement(policysetting, 'description') + description.text = 'Specifies symbolic link data' + data = ET.SubElement(policysetting, 'data') + elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + else: + raise + + file_properties = ET.SubElement(data, 'file_properties') + source_elm = ET.SubElement(file_properties, 'source') + source_elm.text = source + target_elm = ET.SubElement(file_properties, 'target') + target_elm.text = target + + out = BytesIO() + xml_data.write(out, encoding='UTF-8', xml_declaration=True) + out.seek(0) + try: + create_directory_hier(conn, vgp_dir) + conn.savefile(vgp_xml, out.read()) + except NTSTATUSError as e: + if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + raise + +class cmd_remove_symlink(Command): + """Removes a VGP Symbolic Link Group Policy from the sysvol + +This command removes a symlink setting from the sysvol from appling to winbind clients. + +Example: +samba-tool gpo manage symlink remove {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target + """ + + synopsis = "%prog <gpo> <source> <target> [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "versionopts": options.VersionOptions, + "credopts": options.CredentialsOptions, + } + + takes_options = [ + Option("-H", "--URL", help="LDB URL for database or target server", type=str, + metavar="URL", dest="H"), + ] + + takes_args = ["gpo", "source", "target"] + + def run(self, gpo, source, target, H=None, sambaopts=None, credopts=None, + versionopts=None): + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp, fallback_machine=True) + + # We need to know writable DC to setup SMB connection + if H and H.startswith('ldap://'): + dc_hostname = H[7:] + self.url = H + else: + dc_hostname = netcmd_finddc(self.lp, self.creds) + self.url = dc_url(self.lp, self.creds, dc=dc_hostname) + + # SMB connect to DC + conn = smb_connection(dc_hostname, + 'sysvol', + lp=self.lp, + creds=self.creds) + + realm = self.lp.get('realm') + vgp_dir = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\VGP\\VTLA\\Unix\\Symlink']) + vgp_xml = '\\'.join([vgp_dir, 'manifest.xml']) + try: + xml_data = ET.ElementTree(ET.fromstring(conn.loadfile(vgp_xml))) + policy = xml_data.getroot().find('policysetting') + data = policy.find('data') + except NTSTATUSError as e: + # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, + # STATUS_OBJECT_PATH_NOT_FOUND + if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]: + raise CommandError("Cannot remove link from '%s' to '%s' " + "because it does not exist" % source, target) + elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + else: + raise + + for file_properties in data.findall('file_properties'): + source_elm = file_properties.find('source') + target_elm = file_properties.find('target') + if source_elm.text == source and target_elm.text == target: + data.remove(file_properties) + break + else: + raise CommandError("Cannot remove link from '%s' to '%s' " + "because it does not exist" % source, target) + + + out = BytesIO() + xml_data.write(out, encoding='UTF-8', xml_declaration=True) + out.seek(0) + try: + create_directory_hier(conn, vgp_dir) + conn.savefile(vgp_xml, out.read()) + except NTSTATUSError as e: + if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + raise + +class cmd_symlink(SuperCommand): + """Manage symlink Group Policy Objects""" + subcommands = {} + subcommands["list"] = cmd_list_symlink() + subcommands["add"] = cmd_add_symlink() + subcommands["remove"] = cmd_remove_symlink() + class cmd_manage(SuperCommand): """Manage Group Policy Objects""" subcommands = {} subcommands["sudoers"] = cmd_sudoers() subcommands["security"] = cmd_security() subcommands["smb_conf"] = cmd_smb_conf() + subcommands["symlink"] = cmd_symlink() class cmd_gpo(SuperCommand): """Group Policy Object (GPO) management.""" diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py index a0dce8d96d7..de9ee70344d 100644 --- a/python/samba/tests/gpo.py +++ b/python/samba/tests/gpo.py @@ -28,6 +28,7 @@ from samba.gp_sec_ext import gp_krb_ext, gp_access_ext from samba.gp_scripts_ext import gp_scripts_ext from samba.gp_sudoers_ext import gp_sudoers_ext from samba.vgp_sudoers_ext import vgp_sudoers_ext +from samba.vgp_symlink_ext import vgp_symlink_ext from samba.gpclass import gp_inf_ext from samba.gp_smb_conf_ext import gp_smb_conf_ext import logging @@ -871,3 +872,76 @@ class GPOTests(tests.TestCase): # Unstage the Registry.pol file unstage_file(reg_pol) + + def test_vgp_symlink(self): + local_path = self.lp.cache_path('gpo_cache') + guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' + manifest = os.path.join(local_path, policies, guid, 'MACHINE', + 'VGP/VTLA/UNIX/SYMLINK/MANIFEST.XML') + logger = logging.getLogger('gpo_tests') + cache_dir = self.lp.get('cache directory') + store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) + + machine_creds = Credentials() + machine_creds.guess(self.lp) + machine_creds.set_machine_account() + + # Initialize the group policy extension + ext = vgp_symlink_ext(logger, self.lp, machine_creds, store) + + ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds) + if ads.connect(): + gpos = ads.get_gpo_list(machine_creds.get_username()) + + with TemporaryDirectory() as dname: + test_source = os.path.join(dname, 'test.source') + test_target = os.path.join(dname, 'test.target') + + # Stage the manifest.xml file with test data + stage = etree.Element('vgppolicy') + policysetting = etree.Element('policysetting') + stage.append(policysetting) + version = etree.Element('version') + version.text = '1' + policysetting.append(version) + data = etree.Element('data') + file_properties = etree.Element('file_properties') + source = etree.Element('source') + source.text = test_source + file_properties.append(source) + target = etree.Element('target') + target.text = test_target + file_properties.append(target) + data.append(file_properties) + policysetting.append(data) + ret = stage_file(manifest, etree.tostring(stage)) + self.assertTrue(ret, 'Could not create the target %s' % manifest) + + # Create test source + test_source_data = 'hello world!' + with open(test_source, 'w') as w: + w.write(test_source_data) + + # Process all gpos, with temp output directory + ext.process_group_policy([], gpos) + self.assertTrue(os.path.exists(test_target), + 'The test symlink was not created') + self.assertTrue(os.path.islink(test_target), + 'The test file is not a symlink') + self.assertIn(test_source_data, open(test_target, 'r').read(), + 'Reading from symlink does not produce source data') + + # Unapply the policy, ensure removal + gp_db = store.get_gplog(machine_creds.get_username()) + del_gpos = get_deleted_gpos_list(gp_db, []) + ext.process_group_policy(del_gpos, []) + self.assertFalse(os.path.exists(test_target), + 'The test symlink was not delete') + + # Verify RSOP + ret = ext.rsop([g for g in gpos if g.name == guid][0]) + self.assertIn('ln -s %s %s' % (test_source, test_target), + list(ret.values())[0]) + + # Unstage the manifest.xml file + unstage_file(manifest) diff --git a/python/samba/tests/samba_tool/gpo.py b/python/samba/tests/samba_tool/gpo.py index 24b9c547ee2..910c56cec4f 100644 --- a/python/samba/tests/samba_tool/gpo.py +++ b/python/samba/tests/samba_tool/gpo.py @@ -31,6 +31,7 @@ from samba.ndr import ndr_pack, ndr_unpack from samba.common import get_string from configparser import ConfigParser from io import StringIO +import xml.etree.ElementTree as etree source_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../../../..")) @@ -774,6 +775,92 @@ class GpoCmdTestCase(SambaToolCmdTest): # Unstage the Registry.pol file unstage_file(reg_pol) + def test_symlink_list(self): + lp = LoadParm() + lp.load(os.environ['SERVERCONFFILE']) + local_path = lp.get('path', 'sysvol') + vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies', + self.gpo_guid, 'Machine/VGP/VTLA/Unix', + 'Symlink/manifest.xml') + stage = etree.Element('vgppolicy') + policysetting = etree.SubElement(stage, 'policysetting') + pv = etree.SubElement(policysetting, 'version') + pv.text = '1' + name = etree.SubElement(policysetting, 'name') + name.text = 'Symlink Policy' + description = etree.SubElement(policysetting, 'description') + description.text = 'Specifies symbolic link data' + apply_mode = etree.SubElement(policysetting, 'apply_mode') + apply_mode.text = 'merge' + data = etree.SubElement(policysetting, 'data') + file_properties = etree.SubElement(data, 'file_properties') + source = etree.SubElement(file_properties, 'source') + source.text = os.path.join(self.tempdir, 'test.source') + target = etree.SubElement(file_properties, 'target') + target.text = os.path.join(self.tempdir, 'test.target') + ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8')) + self.assertTrue(ret, 'Could not create the target %s' % vgp_xml) + + symlink = 'ln -s %s %s' % (source.text, target.text) + (result, out, err) = self.runsublevelcmd("gpo", ("manage", + "symlink", "list"), + self.gpo_guid, "-H", + "ldap://%s" % + os.environ["SERVER"], + "-U%s%%%s" % + (os.environ["USERNAME"], + os.environ["PASSWORD"])) + self.assertIn(symlink, out, 'The test entry was not found!') + + # Unstage the manifest.xml file + unstage_file(vgp_xml) + + def test_symlink_add(self): + source_text = os.path.join(self.tempdir, 'test.source') + target_text = os.path.join(self.tempdir, 'test.target') + symlink = 'ln -s %s %s' % (source_text, target_text) + (result, out, err) = self.runsublevelcmd("gpo", ("manage", + "symlink", "add"), + self.gpo_guid, + source_text, target_text, + "-H", "ldap://%s" % + os.environ["SERVER"], + "-U%s%%%s" % + (os.environ["USERNAME"], + os.environ["PASSWORD"])) + self.assertCmdSuccess(result, out, err, 'Symlink add failed') + + (result, out, err) = self.runsublevelcmd("gpo", ("manage", + "symlink", "list"), + self.gpo_guid, "-H", + "ldap://%s" % + os.environ["SERVER"], + "-U%s%%%s" % + (os.environ["USERNAME"], + os.environ["PASSWORD"])) + self.assertIn(symlink, out, 'The test entry was not found!') + + (result, out, err) = self.runsublevelcmd("gpo", ("manage", + "symlink", "remove"), + self.gpo_guid, + source_text, target_text, + "-H", "ldap://%s" % + os.environ["SERVER"], + "-U%s%%%s" % + (os.environ["USERNAME"], + os.environ["PASSWORD"])) + self.assertCmdSuccess(result, out, err, 'Symlink remove failed') + + (result, out, err) = self.runsublevelcmd("gpo", ("manage", + "symlink", "list"), + self.gpo_guid, "-H", + "ldap://%s" % + os.environ["SERVER"], + "-U%s%%%s" % + (os.environ["USERNAME"], + os.environ["PASSWORD"])) + self.assertNotIn(symlink, out, 'The test entry was not removed!') + def setUp(self): """set up a temporary GPO to work with""" super(GpoCmdTestCase, self).setUp() diff --git a/python/samba/vgp_symlink_ext.py b/python/samba/vgp_symlink_ext.py new file mode 100644 index 00000000000..20323a5d5ec --- /dev/null +++ b/python/samba/vgp_symlink_ext.py -- Samba Shared Repository