diff options
author | David Mulder <dmulder@suse.com> | 2021-02-24 06:36:45 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2021-03-18 18:50:28 +0000 |
commit | 3f3c2b5b33864ac162ed578279244be0182c42f0 (patch) | |
tree | af456fe8eddfb08aed915a0667f1b624213f6eea /python | |
parent | 76868b50f3689107e101511322dbf749c26d8342 (diff) | |
download | samba-3f3c2b5b33864ac162ed578279244be0182c42f0.tar.gz |
samba-tool: Add a gpo command for listing VGP Host Access Group Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'python')
-rw-r--r-- | python/samba/netcmd/gpo.py | 68 |
1 files changed, 67 insertions, 1 deletions
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index 6fcc01d6080..159aba8b788 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -3684,7 +3684,73 @@ samba-tool gpo manage access list {31B2F340-016D-11D2-945F-00C04FB984F9} takes_args = ["gpo"] def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None): - pass + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp, fallback_machine=True) + + # We need to know writable DC to setup SMB connection + if H and H.startswith('ldap://'): + dc_hostname = H[7:] + self.url = H + else: + dc_hostname = netcmd_finddc(self.lp, self.creds) + self.url = dc_url(self.lp, self.creds, dc=dc_hostname) + + # SMB connect to DC + conn = smb_connection(dc_hostname, + 'sysvol', + lp=self.lp, + creds=self.creds) + + realm = self.lp.get('realm') + vgp_xml = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\VGP\\VTLA\\VAS' + 'HostAccessControl\\Allow\\manifest.xml']) + try: + allow = ET.fromstring(conn.loadfile(vgp_xml)) + except NTSTATUSError as e: + # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, + # STATUS_OBJECT_PATH_NOT_FOUND + if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]: + allow = None # The file doesn't exist, ignore it + elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + else: + raise + + if allow is not None: + policy = allow.find('policysetting') + data = policy.find('data') + for listelement in data.findall('listelement'): + adobject = listelement.find('adobject') + name = adobject.find('name') + domain = adobject.find('domain') + self.outf.write('+:%s\\%s:ALL\n' % (domain.text, name.text)) + + vgp_xml = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\VGP\\VTLA\\VAS' + 'HostAccessControl\\Deny\\manifest.xml']) + try: + deny = ET.fromstring(conn.loadfile(vgp_xml)) + except NTSTATUSError as e: + # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, + # STATUS_OBJECT_PATH_NOT_FOUND + if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]: + deny = None # The file doesn't exist, ignore it + elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + else: + raise + + if deny is not None: + policy = deny.find('policysetting') + data = policy.find('data') + for listelement in data.findall('listelement'): + adobject = listelement.find('adobject') + name = adobject.find('name') + domain = adobject.find('domain') + self.outf.write('-:%s\\%s:ALL\n' % (domain.text, name.text)) class cmd_access(SuperCommand): """Manage Host Access Group Policy Objects""" |