diff options
author | Tim Beale <timbeale@catalyst.net.nz> | 2019-01-29 13:25:55 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2019-02-01 03:36:17 +0100 |
commit | 5bfad1b2b08031b99834c9ca39c1900d52c8eb0d (patch) | |
tree | 042e8c8500570a42cac896eb549b7a83de0ef543 | |
parent | 1e0db9726bb91ff967c896686d129aa30563697d (diff) | |
download | samba-5bfad1b2b08031b99834c9ca39c1900d52c8eb0d.tar.gz |
netcmd: Improve error handling of gpo aclcheck as non-admin
Reading the nTSecurityDescriptor attribute over LDAP requires admin
creds. However, if you don't specify admin creds, then you get an error
like this:
bin/samba-tool gpo aclcheck
ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
File "bin/python/samba/netcmd/__init__.py", line 184, in _run
return self.run(*args, **kwargs)
File "bin/python/samba/netcmd/gpo.py", line 1536, in run
ds_sd_ndr = m['nTSecurityDescriptor'][0]
This patch adds an explicit check/error message to make the problem
clearer.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | python/samba/netcmd/gpo.py | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index 1b5e927f633..95fe5d6d439 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -1533,6 +1533,10 @@ class cmd_aclcheck(GPOCommand): fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED) + if 'nTSecurityDescriptor' not in m: + raise CommandError("Could not read nTSecurityDescriptor. " + "This requires an Administrator account") + ds_sd_ndr = m['nTSecurityDescriptor'][0] ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl() |