diff options
author | David Mulder <dmulder@suse.com> | 2021-03-02 15:05:46 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2021-03-18 18:50:28 +0000 |
commit | 482046c56ba2bbc4a464bbc518877501598e4e31 (patch) | |
tree | b35c1822e109f1942c2db059504ba812ef651403 /python | |
parent | 996a0bd2e46fa9e164f390561c64dd5d954eb7e2 (diff) | |
download | samba-482046c56ba2bbc4a464bbc518877501598e4e31.tar.gz |
samba-tool: Add a gpo command for adding VGP Host Access Group Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'python')
-rw-r--r-- | python/samba/netcmd/gpo.py | 105 |
1 files changed, 104 insertions, 1 deletions
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index cbb9b390da7..f9a17f64a2b 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -3779,7 +3779,110 @@ samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow go def run(self, gpo, etype, cn, domain, H=None, sambaopts=None, credopts=None, versionopts=None): - pass + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp, fallback_machine=True) + + # We need to know writable DC to setup SMB connection + if H and H.startswith('ldap://'): + dc_hostname = H[7:] + self.url = H + else: + dc_hostname = netcmd_finddc(self.lp, self.creds) + self.url = dc_url(self.lp, self.creds, dc=dc_hostname) + + # SMB connect to DC + conn = smb_connection(dc_hostname, + 'sysvol', + lp=self.lp, + creds=self.creds) + + realm = self.lp.get('realm') + if etype == 'allow': + vgp_dir = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\VGP\\VTLA\\VAS' + 'HostAccessControl\\Allow']) + elif etype == 'deny': + vgp_dir = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\VGP\\VTLA\\VAS' + 'HostAccessControl\\Deny']) + else: + raise CommandError("The entry type must be either 'allow' or " + "'deny'. Unknown type '%s'" % etype) + vgp_xml = '\\'.join([vgp_dir, 'manifest.xml']) + try: + xml_data = ET.ElementTree(ET.fromstring(conn.loadfile(vgp_xml))) + policy = xml_data.getroot().find('policysetting') + data = policy.find('data') + except NTSTATUSError as e: + # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, + # STATUS_OBJECT_PATH_NOT_FOUND + if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]: + # The file doesn't exist, so create the xml structure + xml_data = ET.ElementTree(ET.Element('vgppolicy')) + policysetting = ET.SubElement(xml_data.getroot(), + 'policysetting') + pv = ET.SubElement(policysetting, 'version') + pv.text = '1' + name = ET.SubElement(policysetting, 'name') + name.text = 'Host Access Control' + description = ET.SubElement(policysetting, 'description') + description.text = 'Represents host access control data (pam_access)' + apply_mode = ET.SubElement(policysetting, 'apply_mode') + apply_mode.text = 'merge' + data = ET.SubElement(policysetting, 'data') + elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + else: + raise + + url = dc_url(self.lp, self.creds, dc=domain) + samdb = SamDB(url=url, session_info=system_session(), + credentials=self.creds, lp=self.lp) + + res = samdb.search(base=samdb.domain_dn(), + scope=ldb.SCOPE_SUBTREE, + expression="(cn=%s)" % cn, + attrs=['userPrincipalName', + 'samaccountname', + 'objectClass']) + if len(res) == 0: + raise CommandError('Unable to find user or group "%s"' % cn) + + objectclass = get_string(res[0]['objectClass'][-1]) + if objectclass not in ['user', 'group']: + raise CommandError('%s is not a user or group' % cn) + + listelement = ET.SubElement(data, 'listelement') + etype = ET.SubElement(listelement, 'type') + etype.text = objectclass.upper() + entry = ET.SubElement(listelement, 'entry') + if objectclass == 'user': + entry.text = get_string(res[0]['userPrincipalName'][-1]) + else: + groupattr = ET.SubElement(data, 'groupattr') + groupattr.text = 'samAccountName' + entry.text = '%s\\%s' % (domain, + get_string(res[0]['samaccountname'][-1])) + adobject = ET.SubElement(listelement, 'adobject') + name = ET.SubElement(adobject, 'name') + name.text = get_string(res[0]['samaccountname'][-1]) + domain_elm = ET.SubElement(adobject, 'domain') + domain_elm.text = domain + etype = ET.SubElement(adobject, 'type') + etype.text = objectclass + + out = BytesIO() + xml_data.write(out, encoding='UTF-8', xml_declaration=True) + out.seek(0) + try: + create_directory_hier(conn, vgp_dir) + conn.savefile(vgp_xml, out.read()) + except NTSTATUSError as e: + if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + raise class cmd_access(SuperCommand): """Manage Host Access Group Policy Objects""" |