diff options
author | David Mulder <dmulder@suse.com> | 2020-11-06 10:44:28 -0700 |
---|---|---|
committer | David Mulder <dmulder@samba.org> | 2020-12-09 17:38:28 +0000 |
commit | 111f07fd58b7a7f798cc10e40a44e7fcdd8e207f (patch) | |
tree | b601feca90e0df6a7b25d2d932ba403c7bcfe32c /python | |
parent | aba8ece11d21aafbb3b42a3c24b18c5f9c5559f7 (diff) | |
download | samba-111f07fd58b7a7f798cc10e40a44e7fcdd8e207f.tar.gz |
samba-tool: Add a gpo command for listing Security Group Policies
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Diffstat (limited to 'python')
-rw-r--r-- | python/samba/netcmd/gpo.py | 49 |
1 files changed, 48 insertions, 1 deletions
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index 0958bd090b4..c20e9853067 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -67,6 +67,7 @@ from samba.credentials import SMB_SIGNING_REQUIRED from samba.netcmd.common import attr_default from samba.common import get_bytes from configparser import ConfigParser +from io import StringIO def gpo_flags_string(value): @@ -1999,6 +2000,12 @@ PasswordComplexity Password must meet complexity requirements class cmd_list_security(Command): """List Samba Security Group Policy from the sysvol + +This command lists security settings from the sysvol that will be applied to winbind clients. +These settings only apply to the ADDC. + +Example: +samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9} """ synopsis = "%prog <gpo> [options]" @@ -2017,7 +2024,47 @@ class cmd_list_security(Command): takes_args = ["gpo"] def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None): - pass + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp, fallback_machine=True) + + # We need to know writable DC to setup SMB connection + if H and H.startswith('ldap://'): + dc_hostname = H[7:] + self.url = H + else: + dc_hostname = netcmd_finddc(self.lp, self.creds) + self.url = dc_url(self.lp, self.creds, dc=dc_hostname) + + # SMB connect to DC + conn = smb_connection(dc_hostname, + 'sysvol', + lp=self.lp, + creds=self.creds) + + realm = self.lp.get('realm') + inf_file = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf']) + try: + inf_data = ConfigParser(interpolation=None) + inf_data.optionxform=str + raw = conn.loadfile(inf_file) + try: + inf_data.readfp(StringIO(raw.decode())) + except UnicodeDecodeError: + inf_data.readfp(StringIO(raw.decode('utf-16'))) + except NTSTATUSError as e: + if e.args[0] == 0xC0000033: # STATUS_OBJECT_NAME_INVALID + return # The file doesn't exist, so there is nothing to list + if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + raise + + for section in inf_data.sections(): + if section not in ['Kerberos Policy', 'System Access']: + continue + for key, value in inf_data.items(section): + self.outf.write('%s = %s\n' % (key, value)) class cmd_security(SuperCommand): """Manage Security Group Policy Objects""" |