The branch, master has been updated via 7b86c18 selftest: Add python blackbox tests for samba-tool ntacl get/set via f9cee8d samba_tool: Improve samba-tool ntacl get/set to use the local sam.ldb SID via 7b5ba30 samba_tool: Fix ntacl get to correctly output in sddl via c19208e s4-provision: Fix error message to contain the string SSDL of the failed-to-match ACL from 558fa4c s4 dns: Revert erroneous push from wrong branch
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 7b86c18f38412c621b3c316776067d949b0b0bbb Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 5 18:13:53 2012 +1000 selftest: Add python blackbox tests for samba-tool ntacl get/set Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Wed Sep 5 15:47:55 CEST 2012 on sn-devel-104 commit f9cee8d832495798beb025c16afed5bd6a13799b Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 5 18:12:52 2012 +1000 samba_tool: Improve samba-tool ntacl get/set to use the local sam.ldb SID This gets the SID for the local machine correctly. We also add options for --use-ntvfs and --use-s3fs to help control exactly which database is being read and written. Andrew Bartlett commit 7b5ba3013867ae77d516b5ac3cd264fbaf5ca372 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 5 17:06:33 2012 +1000 samba_tool: Fix ntacl get to correctly output in sddl commit c19208e93ce401b5ef0b752b32648926f9f39824 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 5 15:16:40 2012 +1000 s4-provision: Fix error message to contain the string SSDL of the failed-to-match ACL ----------------------------------------------------------------------- Summary of changes: source4/scripting/python/samba/netcmd/ntacl.py | 76 ++++++++++++++------ .../scripting/python/samba/provision/__init__.py | 4 +- .../python/samba/tests/samba_tool/ntacl.py | 69 +++++++++++++++++- 3 files changed, 124 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/netcmd/ntacl.py b/source4/scripting/python/samba/netcmd/ntacl.py index 661af80..92239a7 100644 --- a/source4/scripting/python/samba/netcmd/ntacl.py +++ b/source4/scripting/python/samba/netcmd/ntacl.py 
@@ -21,7 +21,7 @@ import samba.getopt as options
 from samba.dcerpc import security, idmap
 from samba.ntacls import setntacl, getntacl
 from samba import Ldb
-from samba.ndr import ndr_unpack
+from samba.ndr import ndr_unpack, ndr_print
 from samba.samdb import SamDB
 from samba.samba3 import param as s3param, passdb, smbd
 from samba import provision
@@ -55,31 +55,42 @@ class cmd_ntacl_set(Command): Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)", choices=["native","tdb"]), Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"), + Option("--use-ntvfs", help="Set the ACLs directly to the TDB or xattr for use with the ntvfs file server", action="store_true"), + Option("--use-s3fs", help="Set the ACLs for use with the default s3fs file server via the VFS layer", action="store_true") ] takes_args = ["acl","file"] - def run(self, acl, file, quiet=False,xattr_backend=None,eadb_file=None, + def run(self, acl, file, use_ntvfs=False, use_s3fs=False, + quiet=False,xattr_backend=None,eadb_file=None, credopts=None, sambaopts=None, versionopts=None): + logger = self.get_logger() lp = sambaopts.get_loadparm() - path = lp.private_path("secrets.ldb") - creds = credopts.get_credentials(lp) - creds.set_kerberos_state(DONT_USE_KERBEROS) try: - ldb = Ldb(path, session_info=system_session(), credentials=creds, - lp=lp) + samdb = SamDB(session_info=system_session(), + lp=lp) except Exception, e: - raise CommandError("Unable to read domain SID from configuration files", e) - attrs = ["objectSid"] - res = ldb.search(expression="(objectClass=*)", - base="flatname=%s,cn=Primary Domains" % lp.get("workgroup"), - scope=SCOPE_BASE, attrs=attrs) - if len(res) !=0: - domainsid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0]) - setntacl(lp, file, acl, str(domainsid), xattr_backend, eadb_file) - else: + raise CommandError("Unable to open samdb:", e) + + if not use_ntvfs and not use_s3fs: + use_ntvfs = "smb" in lp.get("server services") + elif use_s3fs: + use_ntvfs = False + + try: + domain_sid = security.dom_sid(samdb.domain_sid) + except: raise CommandError("Unable to read domain SID from configuration files") + s3conf = s3param.get_context() + s3conf.load(lp.configfile) + # ensure we are using the right samba_dsdb passdb backend, no matter what + 
s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url) + + setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs) + + if use_ntvfs: + logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL") class cmd_ntacl_get(Command): 
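Review bot: The bare `except:` around `security.dom_sid(samdb.domain_sid)` swallows every exception (KeyboardInterrupt included) and discards the cause, and the message it raises still says "from configuration files" although the SID is now read from sam.ldb; `except Exception, e:` followed by `raise CommandError("Unable to read domain SID from sam.ldb", e)` keeps the cause and matches the "Unable to open samdb:" handler just above it. The backend selection also accepts `--use-ntvfs --use-s3fs` together and silently lets s3fs win, so the ACL can land in a different store than the operator asked for without any indication; reject the combination up front with `if use_ntvfs and use_s3fs: raise CommandError("--use-ntvfs and --use-s3fs are mutually exclusive")`. The enclosing class cmd_ntacl_set starts before this hunk.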
@@ -97,19 +108,42 @@ class cmd_ntacl_get(Command): Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)", choices=["native","tdb"]), Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"), + Option("--use-ntvfs", help="Get the ACLs directly from the TDB or xattr used with the ntvfs file server", action="store_true"), + Option("--use-s3fs", help="Get the ACLs for use via the VFS layer used by the default s3fs file server", action="store_true") ] takes_args = ["file"] - def run(self, file, as_sddl=False, xattr_backend=None, eadb_file=None, + def run(self, file, use_ntvfs=False, use_s3fs=False, + as_sddl=False, xattr_backend=None, eadb_file=None, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() - acl = getntacl(lp, file, xattr_backend, eadb_file) + try: + samdb = SamDB(session_info=system_session(), + lp=lp) + except Exception, e: + raise CommandError("Unable to open samdb:", e) + + if not use_ntvfs and not use_s3fs: + use_ntvfs = "smb" in lp.get("server services") + elif use_s3fs: + use_ntvfs = False + + + s3conf = s3param.get_context() + s3conf.load(lp.configfile) + # ensure we are using the right samba_dsdb passdb backend, no matter what + s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url) + + acl = getntacl(lp, file, xattr_backend, eadb_file, direct_db_access=use_ntvfs) if as_sddl: - anysid = security.dom_sid(security.SID_NT_SELF) - self.outf.write(acl.info.as_sddl(anysid)+"\n") + try: + domain_sid = security.dom_sid(samdb.domain_sid) + except: + raise CommandError("Unable to read domain SID from configuration files") + self.outf.write(acl.as_sddl(domain_sid)+"\n") else: - acl.dump() + self.outf.write(ndr_print(acl)) class cmd_ntacl_sysvolreset(Command): diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index e1f0571..12904a7 100644 
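Review bot: The backend-selection block (`if not use_ntvfs and not use_s3fs: ... elif use_s3fs: use_ntvfs = False`) and the s3conf passdb override are duplicated verbatim from cmd_ntacl_set.run in this hunk, and both copies silently prefer s3fs when both flags are given; a shared module-level helper keeps get and set reading and writing the same store and can refuse the conflicting flags in one place. The same bare `except:` around `security.dom_sid(samdb.domain_sid)` appears here and should be `except Exception, e:` with the cause passed to CommandError. The default derived from `lp.get("server services")` is unchanged in the helper below; the class header of cmd_ntacl_get lies before this hunk.
```python
def _select_ntvfs(lp, use_ntvfs, use_s3fs):
    """Return True to read/write the ACL directly in the ntvfs xattr/TDB
    store, False to go through the s3fs VFS layer.

    Neither flag given: use ntvfs only when the legacy 'smb' service is
    configured.  Both given: refuse rather than silently preferring s3fs.
    """
    if use_ntvfs and use_s3fs:
        raise CommandError("--use-ntvfs and --use-s3fs are mutually exclusive")
    if use_s3fs:
        return False
    return use_ntvfs or "smb" in lp.get("server services")

# … unchanged: cmd_ntacl_get options, run() signature and samdb open …
        use_ntvfs = _select_ntvfs(lp, use_ntvfs, use_s3fs)
# … unchanged: s3conf passdb override, getntacl call and output …
```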
--- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -1477,7 +1477,7 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access): raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) fsacl_sddl = fsacl.as_sddl(domainsid) if fsacl_sddl != acl: - raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl, acl)) + raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl)) for name in files: fsacl = getntacl(lp, os.path.join(root, name), direct_db_access=direct_db_access) @@ -1485,7 +1485,7 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access): raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) fsacl_sddl = fsacl.as_sddl(domainsid) if fsacl_sddl != acl: - raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl, acl)) + raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl)) def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, direct_db_access): diff --git a/source4/scripting/python/samba/tests/samba_tool/ntacl.py b/source4/scripting/python/samba/tests/samba_tool/ntacl.py index 913a79b..d00b9a0 100644 --- a/source4/scripting/python/samba/tests/samba_tool/ntacl.py +++ b/source4/scripting/python/samba/tests/samba_tool/ntacl.py 
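Review bot: The `not found!` message on the context line just above the changed line has three `%s` placeholders but only two arguments, so a missing ACL raises TypeError from the format expression instead of the intended ProvisioningError; the changed line shows the intended shape, and the fix is `raise ProvisioningError('%s ACL on GPO file %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))`. Both the 1477 and 1485 hunks carry the same mismatch, so the check is currently unable to report a missing ACL cleanly. The `for name in files:` that follows the first block suggests it sits inside a preceding loop over directories (outside the hunk), in which case the 'GPO file' and 'GPO directory' labels of the two hunks look swapped — worth confirming against the head of check_dir_acl.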
@@ -22,9 +22,10 @@ import os import time import ldb from samba.tests.samba_tool.base import SambaToolCmdTest +import random -class NtACLCmdTestCase(SambaToolCmdTest): - """Tests for samba-tool ntacl subcommands""" +class NtACLCmdSysvolTestCase(SambaToolCmdTest): + """Tests for samba-tool ntacl sysvol* subcommands""" def test_ntvfs(self): 
@@ -68,3 +69,67 @@ class NtACLCmdTestCase(SambaToolCmdTest): self.assertEquals(err,"","Shouldn't be any error messages") self.assertEquals(out,"","Shouldn't be any output messages") +class NtACLCmdGetSetTestCase(SambaToolCmdTest): + """Tests for samba-tool ntacl get/set subcommands""" + + acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" + + + def test_ntvfs(self): + path = os.environ['SELFTEST_PREFIX'] + tempf = os.path.join(path,"pytests"+str(int(100000*random.random()))) + open(tempf, 'w').write("empty") + + (result, out, err) = self.runsubcmd("ntacl", "set", self.acl, tempf, + "--use-ntvfs") + self.assertCmdSuccess(result) + self.assertEquals(out,"","Shouldn't be any output messages") + self.assertIn("Please note that POSIX permissions have NOT been changed, only the stored NT ACL", err) + + def test_s3fs(self): + path = os.environ['SELFTEST_PREFIX'] + tempf = os.path.join(path,"pytests"+str(int(100000*random.random()))) + open(tempf, 'w').write("empty") + + (result, out, err) = self.runsubcmd("ntacl", "set", self.acl, tempf, + "--use-s3fs") + + self.assertCmdSuccess(result) + self.assertEquals(err,"","Shouldn't be any error messages") + self.assertEquals(out,"","Shouldn't be any output messages") + + def test_ntvfs_check(self): + path = os.environ['SELFTEST_PREFIX'] + tempf = os.path.join(path,"pytests"+str(int(100000*random.random()))) + open(tempf, 'w').write("empty") + + (result, out, err) = self.runsubcmd("ntacl", "set", self.acl, tempf, + "--use-ntvfs") + self.assertCmdSuccess(result) + self.assertEquals(out,"","Shouldn't be any output messages") + self.assertIn("Please note that POSIX permissions have NOT been changed, only the stored 
NT ACL", err) + + # Now check they were set correctly + (result, out, err) = self.runsubcmd("ntacl", "get", tempf, + "--use-ntvfs", "--as-sddl") + self.assertCmdSuccess(result) + self.assertEquals(err,"","Shouldn't be any error messages") + self.assertEquals(self.acl+"\n", out, "Output should be the ACL") + + def test_s3fs_check(self): + path = os.environ['SELFTEST_PREFIX'] + tempf = os.path.join(path,"pytests"+str(int(100000*random.random()))) + open(tempf, 'w').write("empty") + + (result, out, err) = self.runsubcmd("ntacl", "set", self.acl, tempf, + "--use-s3fs") + self.assertCmdSuccess(result) + self.assertEquals(out,"","Shouldn't be any output messages") + self.assertEquals(err,"","Shouldn't be any error messages") + + # Now check they were set correctly + (result, out, err) = self.runsubcmd("ntacl", "get", tempf, + "--use-s3fs", "--as-sddl") + self.assertCmdSuccess(result) + self.assertEquals(err,"","Shouldn't be any error messages") + self.assertEquals(self.acl+"\n", out,"Output should be the ACL") -- Samba Shared Repository
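Review bot: Each test builds its scratch file as `"pytests" + str(int(100000*random.random()))` under SELFTEST_PREFIX, which can collide between tests or repeated runs, is never removed, and leaks the handle from `open(tempf, 'w').write("empty")`; the same setup is repeated verbatim in all four test bodies. Moving it into setUp/tearDown with `tempfile.mkstemp(dir=..., prefix="pytests")` gives a unique, already-created file, a closed descriptor and cleanup, with `import random` replaced by `import tempfile`. The s3fs tests assert `err == ""` while the ntvfs ones only assertIn the POSIX warning; asserting that the warning is the whole of stderr would keep unrelated warnings from slipping through. The class NtACLCmdGetSetTestCase is entirely inside this hunk.
```python
class NtACLCmdGetSetTestCase(SambaToolCmdTest):
    """Tests for samba-tool ntacl get/set subcommands"""

    # … unchanged: acl SDDL string …

    def setUp(self):
        super(NtACLCmdGetSetTestCase, self).setUp()
        # mkstemp yields a unique, already-created file and a closed fd;
        # tearDown removes it so repeated runs do not accumulate files.
        fd, self.tempf = tempfile.mkstemp(dir=os.environ['SELFTEST_PREFIX'],
                                          prefix="pytests")
        os.write(fd, "empty")
        os.close(fd)

    def tearDown(self):
        os.unlink(self.tempf)
        super(NtACLCmdGetSetTestCase, self).tearDown()

    def test_ntvfs(self):
        (result, out, err) = self.runsubcmd("ntacl", "set", self.acl, self.tempf,
                                            "--use-ntvfs")
        # … unchanged: assertions; other tests use self.tempf the same way …
```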