The branch, master has been updated
via e5e0a9a7318 gpo: Don't free talloc pointer held elsewhere
via c2ce101bfde gpo: vgp_sudoers_ext handle missing and dispersed
principal names
via d771314ee0d gpo: Ensure that vgp_sudoers_ext handles
missing/dispersed principal names
via 9a00edcc240 gpo: Add rsop output for vgp_openssh_ext
via d4d9d8591e6 gpo: vgp_openssh_ext create the config dir
via a8b4b8082a1 gpo: Improve the samba-gpupdate --rsop output
via 66ac3c1959c gpo: Add admxload warning about Windows templates
via a5928566a0e gpo: Ensure that samba-gpupdate doesn't require ad-dc
via f914b42d27b gpo: Test to ensure that samba-gpupdate doesn't require
ad-dc
from b145434f24f smbXsrv_client: move the connection passing to
smb2srv_client_mc_negprot_send/recv
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e5e0a9a7318db25a6213a2516db824caddca8f1e
Author: David Mulder <dmul...@suse.com>
Date: Fri Feb 26 15:02:02 2021 -0700
gpo: Don't free talloc pointer held elsewhere
Freeing this pointer produces the following error:
ERROR: talloc_free with references at ../../libgpo/pygpo.c:481
reference at ../../pytalloc_util.c:164
reference at ../../pytalloc_util.c:164
Signed-off-by: David Mulder <dmul...@suse.com>
Reviewed-by: Jeremy Allison <j...@samba.org>
Autobuild-User(master): Jeremy Allison <j...@samba.org>
Autobuild-Date(master): Mon Mar 8 19:08:07 UTC 2021 on sn-devel-184
commit c2ce101bfdee664ea447fe1938dd0a1181ea8a98
Author: David Mulder <dmul...@suse.com>
Date: Fri Feb 26 09:46:49 2021 -0700
gpo: vgp_sudoers_ext handle missing and dispersed principal names
If we don't anticipate a missing principal name,
the extension crashes. Also, principal names could
be in dispersed listelements.
Signed-off-by: David Mulder <dmul...@suse.com>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit d771314ee0de75d9e436d2d20290faae95e37160
Author: David Mulder <dmul...@suse.com>
Date: Fri Feb 26 14:01:48 2021 -0700
gpo: Ensure that vgp_sudoers_ext handles missing/dispersed principal names
Signed-off-by: David Mulder <dmul...@suse.com>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit 9a00edcc240b4bba17a0846019713e10bfc2448f
Author: David Mulder <dmul...@suse.com>
Date: Fri Feb 26 09:46:15 2021 -0700
gpo: Add rsop output for vgp_openssh_ext
Signed-off-by: David Mulder <dmul...@suse.com>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit d4d9d8591e62ff5598e4ca2a54e036aefb5d0c01
Author: David Mulder <dmul...@suse.com>
Date: Fri Feb 26 09:45:03 2021 -0700
gpo: vgp_openssh_ext create the config dir
We should create the /etc/ssh/sshd_config.d dir
if it doesn't exist.
Signed-off-by: David Mulder <dmul...@suse.com>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit a8b4b8082a14ec2927e845587cd3e4f1a9b95a54
Author: David Mulder <dmul...@suse.com>
Date: Fri Feb 26 09:43:30 2021 -0700
gpo: Improve the samba-gpupdate --rsop output
Use the CSE name based on the class name, not the
module name. Also ignore the Local Policy gpo.
Signed-off-by: David Mulder <dmul...@suse.com>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit 66ac3c1959c19d8d4e6f03f7784f8996a84cae96
Author: David Mulder <dmul...@suse.com>
Date: Wed Feb 24 12:43:55 2021 -0700
gpo: Add admxload warning about Windows templates
Signed-off-by: David Mulder <dmul...@suse.com>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit a5928566a0e93eec5e3420cd03536d32c7c7c779
Author: David Mulder <dmul...@suse.com>
Date: Wed Feb 24 12:35:10 2021 -0700
gpo: Ensure that samba-gpupdate doesn't require ad-dc
Signed-off-by: David Mulder <dmul...@suse.com>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit f914b42d27b0a7868e461aa4ee64a954fe8e1d97
Author: David Mulder <dmul...@suse.com>
Date: Wed Feb 24 10:53:17 2021 -0700
gpo: Test to ensure that samba-gpupdate doesn't require ad-dc
Running samba-gpupdate on a client is causing an
error in gp_access_ext, due to it attempting to
access sam.ldb before detecting whether we are on
an ad-dc.
Signed-off-by: David Mulder <dmul...@suse.com>
Reviewed-by: Jeremy Allison <j...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
libgpo/pygpo.c | 1 -
python/samba/gp_sec_ext.py | 4 ++--
python/samba/gpclass.py | 9 +++++++-
python/samba/netcmd/gpo.py | 6 ++++++
python/samba/tests/gpo.py | 34 ++++++++++++++++++++++++++++---
python/samba/tests/gpo_member.py | 44 ++++++++++++++++++++++++++++++++++++++++
python/samba/vgp_openssh_ext.py | 23 +++++++++++++++++++++
python/samba/vgp_sudoers_ext.py | 10 +++++++--
source4/selftest/tests.py | 1 +
9 files changed, 123 insertions(+), 9 deletions(-)
create mode 100644 python/samba/tests/gpo_member.py
Changeset truncated at 500 lines:
diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
index 29c8b11886e..c527143ec70 100644
--- a/libgpo/pygpo.c
+++ b/libgpo/pygpo.c
@@ -478,7 +478,6 @@ static PyObject *py_ads_get_gpo_list(ADS *self, PyObject
*args, PyObject *kwds)
}
out:
- TALLOC_FREE(gpo_ctx);
TALLOC_FREE(frame);
return ret;
}
diff --git a/python/samba/gp_sec_ext.py b/python/samba/gp_sec_ext.py
index a9f5bbe5a6c..45a7884df3b 100644
--- a/python/samba/gp_sec_ext.py
+++ b/python/samba/gp_sec_ext.py
@@ -115,8 +115,7 @@ class gp_access_ext(gp_inf_ext):
object to update the parameter to Samba4. Not registry oriented whatsoever.
'''
- def __init__(self, *args):
- super().__init__(*args)
+ def load_ldb(self):
try:
self.ldb = SamDB(self.lp.samdb_url(),
session_info=system_session(),
@@ -132,6 +131,7 @@ class gp_access_ext(gp_inf_ext):
def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
if self.lp.get('server role') != 'active directory domain controller':
return
+ self.load_ldb()
inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
for guid, settings in deleted_gpo_list:
self.gp_db.set_guid(guid)
diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
index 1b29711f245..51b006f7f7f 100644
--- a/python/samba/gpclass.py
+++ b/python/samba/gpclass.py
@@ -515,11 +515,18 @@ def rsop(lp, creds, logger, store, gp_extensions, target):
print('%s Policy\n' % target)
term_width = shutil.get_terminal_size(fallback=(120, 50))[0]
for gpo in gpos:
+ if gpo.display_name.strip() == 'Local Policy':
+ continue # We never apply local policy
print('GPO: %s' % gpo.display_name)
print('='*term_width)
for ext in gp_extensions:
ext = ext(logger, lp, creds, store)
- print(' CSE: %s' % ext.__module__.split('.')[-1])
+ cse_name_m = re.findall("'([\w\.]+)'", str(type(ext)))
+ if len(cse_name_m) > 0:
+ cse_name = cse_name_m[-1].split('.')[-1]
+ else:
+ cse_name = ext.__module__.split('.')[-1]
+ print(' CSE: %s' % cse_name)
print(' ' + ('-'*int(term_width/2)))
for section, settings in ext.rsop(gpo).items():
print(' Policy Type: %s' % section)
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
index 2928ebcf7ce..818c46ddb1a 100644
--- a/python/samba/netcmd/gpo.py
+++ b/python/samba/netcmd/gpo.py
@@ -1669,6 +1669,12 @@ class cmd_admxload(Command):
if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
raise CommandError("The authenticated user does "
"not have sufficient
privileges")
+ self.outf.write('Installing ADMX templates to the Central Store '
+ 'prevents Windows from displaying its own templates '
+ 'in the Group Policy Management Console. You will '
+ 'need to install these templates '
+ 'from https://www.microsoft.com/en-us/download/102157 '
+ 'to continue using Windows Administrative Templates. ')
class cmd_add_sudoers(Command):
"""Adds a Samba Sudoers Group Policy to the sysvol
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 2ff3e5e593e..f849ff2c031 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -493,18 +493,46 @@ class GPOTests(tests.TestCase):
principal_list.append(group)
sudoers_entry.append(principal_list)
data.append(sudoers_entry)
+ # Ensure an empty principal doesn't cause a crash
+ sudoers_entry = etree.SubElement(data, 'sudoers_entry')
+ command = etree.SubElement(sudoers_entry, 'command')
+ command.text = 'ALL'
+ user = etree.SubElement(sudoers_entry, 'user')
+ user.text = 'ALL'
+ # Ensure having dispersed principals still works
+ sudoers_entry = etree.SubElement(data, 'sudoers_entry')
+ command = etree.SubElement(sudoers_entry, 'command')
+ command.text = 'ALL'
+ user = etree.SubElement(sudoers_entry, 'user')
+ user.text = 'ALL'
+ listelement = etree.SubElement(sudoers_entry, 'listelement')
+ principal = etree.SubElement(listelement, 'principal')
+ principal.text = 'fakeu2'
+ principal.attrib['type'] = 'user'
+ listelement = etree.SubElement(sudoers_entry, 'listelement')
+ group = etree.SubElement(listelement, 'principal')
+ group.text = 'fakeg2'
+ group.attrib['type'] = 'group'
policysetting.append(data)
ret = stage_file(manifest, etree.tostring(stage))
self.assertTrue(ret, 'Could not create the target %s' % manifest)
# Process all gpos, with temp output directory
data = 'fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL'
+ data2 = 'fakeu2,fakeg2% ALL=(ALL) NOPASSWD: ALL'
+ data_no_principal = 'ALL ALL=(ALL) NOPASSWD: ALL'
with TemporaryDirectory() as dname:
ext.process_group_policy([], gpos, dname)
sudoers = os.listdir(dname)
- self.assertEquals(len(sudoers), 1, 'The sudoer file was not
created')
- self.assertIn(data,
- open(os.path.join(dname, sudoers[0]), 'r').read(),
+ self.assertEquals(len(sudoers), 3, 'The sudoer file was not
created')
+ output = open(os.path.join(dname, sudoers[0]), 'r').read() + \
+ open(os.path.join(dname, sudoers[1]), 'r').read() + \
+ open(os.path.join(dname, sudoers[2]), 'r').read()
+ self.assertIn(data, output,
+ 'The sudoers entry was not applied')
+ self.assertIn(data2, output,
+ 'The sudoers entry was not applied')
+ self.assertIn(data_no_principal, output,
'The sudoers entry was not applied')
# Remove policy
diff --git a/python/samba/tests/gpo_member.py b/python/samba/tests/gpo_member.py
new file mode 100644
index 00000000000..3d614f53d04
--- /dev/null
+++ b/python/samba/tests/gpo_member.py
@@ -0,0 +1,44 @@
+# Unix SMB/CIFS implementation. Tests for smb manipulation
+# Copyright (C) David Mulder <dmul...@suse.com> 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+from samba import gpo, tests
+from samba.gpclass import GPOStorage
+from samba.param import LoadParm
+from samba.credentials import Credentials
+from samba.gp_sec_ext import gp_access_ext
+import logging
+
+class GPOTests(tests.TestCase):
+ def setUp(self):
+ super(GPOTests, self).setUp()
+ self.server = os.environ["SERVER"]
+ self.dc_account = self.server.upper() + '$'
+ self.lp = LoadParm()
+ self.lp.load_default()
+ self.creds = self.insta_creds(template=self.get_credentials())
+
+ def tearDown(self):
+ super(GPOTests, self).tearDown()
+
+ def test_sec_ext_load_on_member(self):
+ logger = logging.getLogger('gpo_tests')
+ cache_dir = self.lp.get('cache directory')
+ store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
+ try:
+ gp_access_ext(logger, self.lp, self.creds, store)
+ except Exception:
+ self.fail('Initializing gp_access_ext should not require ad-dc')
diff --git a/python/samba/vgp_openssh_ext.py b/python/samba/vgp_openssh_ext.py
index 488bfa728ae..7a49395151c 100644
--- a/python/samba/vgp_openssh_ext.py
+++ b/python/samba/vgp_openssh_ext.py
@@ -66,6 +66,8 @@ class vgp_openssh_ext(gp_xml_ext):
attribute = get_string(b64encode(get_bytes(gpo.name) +
get_bytes(cfg_dir)))
fname = self.gp_db.retrieve(str(self), attribute)
+ if not os.path.isdir(cfg_dir):
+ os.mkdir(cfg_dir, 0o640)
if fname and os.path.exists(fname):
f = open(fname, 'w')
else:
@@ -80,3 +82,24 @@ class vgp_openssh_ext(gp_xml_ext):
self.gp_db.store(str(self), attribute, f.name)
self.gp_db.commit()
f.close()
+
+ def rsop(self, gpo):
+ output = {}
+ if gpo.file_sys_path:
+ xml = 'MACHINE/VGP/VTLA/SshCfg/SshD/manifest.xml'
+ path = os.path.join(gpo.file_sys_path, xml)
+ xml_conf = self.parse(path)
+ if not xml_conf:
+ return output
+ policy = xml_conf.find('policysetting')
+ data = policy.find('data')
+ configfile = data.find('configfile')
+ for configsection in configfile.findall('configsection'):
+ if configsection.find('sectionname').text:
+ continue
+ for kv in configsection.findall('keyvaluepair'):
+ if str(self) not in output.keys():
+ output[str(self)] = {}
+ output[str(self)][kv.find('key').text] = \
+ kv.find('value').text
+ return output
diff --git a/python/samba/vgp_sudoers_ext.py b/python/samba/vgp_sudoers_ext.py
index 573ec9fb4d1..bae6cb1c382 100644
--- a/python/samba/vgp_sudoers_ext.py
+++ b/python/samba/vgp_sudoers_ext.py
@@ -49,7 +49,10 @@ class vgp_sudoers_ext(gp_xml_ext):
for entry in data.findall('sudoers_entry'):
command = entry.find('command').text
user = entry.find('user').text
- principals = entry.find('listelement').findall('principal')
+ listelements = entry.findall('listelement')
+ principals = []
+ for listelement in listelements:
+ principals.extend(listelement.findall('principal'))
if len(principals) > 0:
uname = ','.join([u.text if u.attrib['type'] == 'user'
\
else '%s%%' % u.text for u in principals])
@@ -96,7 +99,10 @@ class vgp_sudoers_ext(gp_xml_ext):
for entry in data.findall('sudoers_entry'):
command = entry.find('command').text
user = entry.find('user').text
- principals = entry.find('listelement').findall('principal')
+ listelements = entry.findall('listelement')
+ principals = []
+ for listelement in listelements:
+ principals.extend(listelement.findall('principal'))
if len(principals) > 0:
uname = ','.join([u.text if u.attrib['type'] == 'user' \
else '%s%%' % u.text for u in principals])
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 4c9ddccd01b..bc8fea83474 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -806,6 +806,7 @@ planpythontestsuite("chgdcpass:local",
"samba.tests.dcerpc.rpcecho")
planoldpythontestsuite("nt4_dc", "samba.tests.netbios",
extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("ad_dc:local", "samba.tests.gpo",
extra_args=['-U"$USERNAME%$PASSWORD"'])
+planoldpythontestsuite("ad_member", "samba.tests.gpo_member",
extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab",
extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
--
Samba Shared Repository
