The branch, master has been updated
       via  d512b1a4bd1 gpo: Remove unused gp_ext_setter code
       via  627fb5471b9 gpo: Extract Access policy from Security extension
       via  89718761288 gpo: Extract Kerberos policy from Security extension
       via  bf74bf1c4ea gpo: Add RSOP output for Scripts Extension
       via  1f631030410 gpo: Add RSOP output for Security Extension
       via  5361f258006 gpo: Test samba-gpupdate --rsop
       via  f5202c7b551 gpo: Add --rsop option to samba-gpupdate
       via  0f3066abbb1 gpo: Properly decode utf-8/16 inf files from bytes
       via  70a38eb5485 gpo: Test proper decoding of utf-16 inf files
       via  88b6266168a gpo: Apply Group Policy Sudo Rights
       via  9679ba9577c gpo: Test Group Policy Sudo Rights
       via  e387aa937e5 gpo: Scripts gpo add warning about generated scripts
       via  edf4b6eb122 gpo: Scripts extension use 'gp_' prefix, not 'tmp'
       via  cd4efb95da2 gpo: Move all scripts to a sub-category in samba.admx
       via  b30a604f735 gpo: Apply Group Policy Weekly Scripts
       via  7e5c842cba0 gpo: Test gpo weekly scripts apply
       via  1810e4f10c9 gpo: Apply Group Policy Monthly Scripts
       via  63703c9a07d gpo: Test gpo monthly scripts apply
       via  42f043ab515 gpo: Apply Group Policy Hourly Scripts
       via  ae56a07ae70 gpo: Test gpo hourly scripts apply
      from  182cde4f9eb lib: fix smb_strtox.[c|h] license header
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d512b1a4bd161431a498a6dab64fae49f77dfcf2
Author: David Mulder <dmul...@suse.com>
Date:   Wed Jul 8 14:50:27 2020 -0600

    gpo: Remove unused gp_ext_setter code

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

    Autobuild-User(master): David Mulder <dmul...@samba.org>
    Autobuild-Date(master): Thu Aug 6 18:01:49 UTC 2020 on sn-devel-184

commit 627fb5471b95595ce99e2effed0fe546ad334048
Author: David Mulder <dmul...@suse.com>
Date:   Wed Jul 8 14:48:45 2020 -0600

    gpo: Extract Access policy from Security extension

    Rewrite the extension to be easier to understand, and to remove
    references to gp_ext_setter.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 89718761288b3a51a5727b5f8b40f0ade3348ff1
Author: David Mulder <dmul...@suse.com>
Date:   Fri Jun 26 15:34:02 2020 -0600

    gpo: Extract Kerberos policy from Security extension

    Rewrite the extension to be easier to understand, and to remove
    references to gp_ext_setter.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit bf74bf1c4ea11074919a5197c7d8975658291cb1
Author: David Mulder <dmul...@suse.com>
Date:   Mon Jul 6 11:16:45 2020 -0600

    gpo: Add RSOP output for Scripts Extension

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 1f631030410c8dba0567e651346fc92facd0e22d
Author: David Mulder <dmul...@suse.com>
Date:   Mon Jul 6 11:16:14 2020 -0600

    gpo: Add RSOP output for Security Extension

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 5361f25800620819187f0294d5baf98131f303e8
Author: David Mulder <dmul...@suse.com>
Date:   Tue Jul 7 10:35:25 2020 -0600

    gpo: Test samba-gpupdate --rsop

    Test that the rsop command produces the expected output.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit f5202c7b551e38946837d8039b12e969d19bdf91
Author: David Mulder <dmul...@suse.com>
Date:   Mon Jul 6 08:25:23 2020 -0600

    gpo: Add --rsop option to samba-gpupdate

    This command prints the Resultant Set of Policy for applicable GPOs,
    for either the Computer or User policy (depending on the target
    specified). Policy specific output must be implemented for each
    client side extension.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 0f3066abbb1b65e9cde8df9499483bf0768c273e
Author: David Mulder <dmul...@suse.com>
Date:   Mon Jul 6 08:13:57 2020 -0600

    gpo: Properly decode utf-8/16 inf files from bytes

    This code was python 2 specific (string handling has changed
    dramatically in python 3), and didn't correctly decode utf-16 in
    python3. We should instead read the file as bytes, then attempt a
    utf-8 decode (the default), and try utf-16 if encountering a decode
    failure. The existing code actually throws an exception on the
    initial file read when the data is utf-16, since it tries to decode
    the bytes to a utf-8 string.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 70a38eb5485bf82bf068aa3fbcb3cf799ff9ddff
Author: David Mulder <dmul...@suse.com>
Date:   Tue Jul 7 11:10:10 2020 -0600

    gpo: Test proper decoding of utf-16 inf files

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 88b6266168ace52f66ded9cedaea1a02eea6e441
Author: David Mulder <dmul...@suse.com>
Date:   Fri Jun 26 12:35:20 2020 -0600

    gpo: Apply Group Policy Sudo Rights

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 9679ba9577c70756e4bcaf17351fca4dbb1c8f31
Author: David Mulder <dmul...@suse.com>
Date:   Fri Jun 26 12:37:11 2020 -0600

    gpo: Test Group Policy Sudo Rights

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit e387aa937e576116d5487d18a829066ee75eb0b7
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jul 2 10:13:15 2020 -0600

    gpo: Scripts gpo add warning about generated scripts

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit edf4b6eb1229bb0c8fdd46edc147376a96fc0a40
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jul 2 10:04:36 2020 -0600

    gpo: Scripts extension use 'gp_' prefix, not 'tmp'

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit cd4efb95da2f4fc7644c5345e9a607ca9ff98927
Author: David Mulder <dmul...@suse.com>
Date:   Fri Jun 26 13:10:43 2020 -0600

    gpo: Move all scripts to a sub-category in samba.admx

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit b30a604f7353ddc6c3218f1547d56fbc1386a9cf
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jun 25 15:23:14 2020 -0600

    gpo: Apply Group Policy Weekly Scripts

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 7e5c842cba08911c7b555bd9b37865e38c64c868
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jun 25 15:23:35 2020 -0600

    gpo: Test gpo weekly scripts apply
Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 1810e4f10c9aa729bb281c04574426d31b14c4c2 Author: David Mulder <dmul...@suse.com> Date: Thu Jun 25 15:02:37 2020 -0600 gpo: Apply Group Policy Monthly Scripts Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 63703c9a07d22b6ab881afc6824b5cf4016375ec Author: David Mulder <dmul...@suse.com> Date: Thu Jun 25 15:03:03 2020 -0600 gpo: Test gpo monthly scripts apply Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 42f043ab5154e4c53a6b940c764ccade688ff439 Author: David Mulder <dmul...@suse.com> Date: Thu Jun 25 14:14:09 2020 -0600 gpo: Apply Group Policy Hourly Scripts Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit ae56a07ae703ce7315edc27f600f184ff584903c Author: David Mulder <dmul...@suse.com> Date: Thu Jun 25 14:15:18 2020 -0600 gpo: Test gpo hourly scripts apply Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> ----------------------------------------------------------------------- Summary of changes: libgpo/admx/en-US/samba.adml | 23 +++- libgpo/admx/samba.admx | 33 ++++- python/samba/gp_scripts_ext.py | 50 ++++++-- python/samba/gp_sec_ext.py | 229 ++++++++++++++++++----------------- python/samba/gp_sudoers_ext.py | 85 +++++++++++++ python/samba/gpclass.py | 71 ++++++----- python/samba/tests/gpo.py | 172 ++++++++++++++++++++++++-- source4/scripting/bin/samba-gpupdate | 15 ++- 8 files changed, 514 insertions(+), 164 deletions(-) create mode 100644 python/samba/gp_sudoers_ext.py Changeset truncated at 500 lines: diff --git a/libgpo/admx/en-US/samba.adml b/libgpo/admx/en-US/samba.adml index b5fc5098638..577cb1aa0bb 100755 --- a/libgpo/admx/en-US/samba.adml +++ b/libgpo/admx/en-US/samba.adml 
@@ -7,13 +7,34 @@ <stringTable> <string id="CAT_3338C1DD_8A00_4273_8547_158D8B8C19E9">Samba</string> <string id="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6">Unix Settings</string> - <string id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061">Daily Scripts</string> + <string id="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA">Scripts</string> + <string id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061">Daily</string> + <string id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1">Hourly</string> + <string id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6">Monthly</string> + <string id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674">Weekly</string> + <string id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3">Sudo Rights</string> <string id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help">This policy setting allows you to execute commands, either local or on remote storage, daily.</string> + <string id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1_Help">This policy setting allows you to execute commands, either local or on remote storage, hourly.</string> + <string id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help">This policy setting allows you to execute commands, either local or on remote storage, monthly.</string> + <string id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help">This policy setting allows you to execute commands, either local or on remote storage, weekly.</string> + <string id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3_Help">This policy configures the sudoers file with the lines specified.</string> </stringTable> <presentationTable> <presentation id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061"> <listBox refId="LST_2E9A4684_3C0E_415B_8FD6_D4AF68BC8AC6">Script and arguments</listBox> </presentation> + <presentation id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1"> + <listBox refId="LST_1AA93D59_6372_4F1E_90BB_D4CBBBB77238">Script and arguments</listBox> + </presentation> + <presentation id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6"> + <listBox refId="LST_8BC6757D_B1FB_4780_83B4_F85F27BF6E60">Script and 
arguments</listBox> + </presentation> + <presentation id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674"> + <listBox refId="LST_1E7198A6_7850_4CAB_B656_BC18752564FC">Script and arguments</listBox> + </presentation> + <presentation id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3"> + <listBox refId="LST_4F4BA073_4F7B_4B64_A61D_8E75257A4B9F">Sudoers commands</listBox> + </presentation> </presentationTable> </resources> </policyDefinitionResources> diff --git a/libgpo/admx/samba.admx b/libgpo/admx/samba.admx index f2921ff1885..a4e26cf388f 100755 --- a/libgpo/admx/samba.admx +++ b/libgpo/admx/samba.admx 
@@ -10,14 +10,45 @@ <category name="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" displayName="$(string.CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6)"> <parentCategory ref="CAT_3338C1DD_8A00_4273_8547_158D8B8C19E9" /> </category> + <category name="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" displayName="$(string.CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA)"> + <parentCategory ref="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" /> + </category> </categories> <policies> <policy name="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061" class="Machine" displayName="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" explainText="$(string.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help)" presentation="$(presentation.POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061)" key="Software\Policies\Samba\Unix Settings"> - <parentCategory ref="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" /> + <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" /> <supportedOn ref="windows:SUPPORTED_WindowsVista" /> <elements> <list id="LST_2E9A4684_3C0E_415B_8FD6_D4AF68BC8AC6" key="Software\Policies\Samba\Unix Settings\Daily Scripts" valueName="Daily Scripts" /> </elements> </policy> + <policy name="POL_825D441F_905E_4C7E_9E4B_03013697C6C1" class="Machine" displayName="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" explainText="$(string.POL_825D441F_905E_4C7E_9E4B_03013697C6C1_Help)" presentation="$(presentation.POL_825D441F_905E_4C7E_9E4B_03013697C6C1)" key="Software\Policies\Samba\Unix Settings"> + <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" /> + <supportedOn ref="windows:SUPPORTED_WindowsVista" /> + <elements> + <list id="LST_1AA93D59_6372_4F1E_90BB_D4CBBBB77238" key="Software\Policies\Samba\Unix Settings\Hourly Scripts" valueName="Hourly Scripts" /> + </elements> + </policy> + <policy name="POL_D298F3BD_44D9_426D_AF11_3163D31582F6" class="Machine" displayName="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" explainText="$(string.POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help)" 
presentation="$(presentation.POL_D298F3BD_44D9_426D_AF11_3163D31582F6)" key="Software\Policies\Samba\Unix Settings"> + <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" /> + <supportedOn ref="windows:SUPPORTED_WindowsVista" /> + <elements> + <list id="LST_8BC6757D_B1FB_4780_83B4_F85F27BF6E60" key="Software\Policies\Samba\Unix Settings\Monthly Scripts" valueName="Monthly Scripts" /> + </elements> + </policy> + <policy name="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674" class="Machine" displayName="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" explainText="$(string.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help)" presentation="$(presentation.POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674)" key="Software\Policies\Samba\Unix Settings"> + <parentCategory ref="CAT_2B6D622C_5721_4C23_A2D6_5C70D6E059BA" /> + <supportedOn ref="windows:SUPPORTED_WindowsVista" /> + <elements> + <list id="LST_1E7198A6_7850_4CAB_B656_BC18752564FC" key="Software\Policies\Samba\Unix Settings\Weekly Scripts" valueName="Weekly Scripts" /> + </elements> + </policy> + <policy name="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3" class="Machine" displayName="$(string.POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3)" explainText="$(string.POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3_Help)" presentation="$(presentation.POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3)" key="Software\Policies\Samba\Unix Settings"> + <parentCategory ref="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" /> + <supportedOn ref="windows:SUPPORTED_WindowsVista" /> + <elements> + <list id="LST_4F4BA073_4F7B_4B64_A61D_8E75257A4B9F" key="Software\Policies\Samba\Unix Settings\Sudo Rights" valueName="Sudo Rights" /> + </elements> + </policy> </policies> </policyDefinitions> diff --git a/python/samba/gp_scripts_ext.py b/python/samba/gp_scripts_ext.py index f83f367a5d7..9bd828d0687 100644 --- a/python/samba/gp_scripts_ext.py +++ b/python/samba/gp_scripts_ext.py 
@@ -19,11 +19,22 @@ from samba.gpclass import gp_pol_ext from base64 import b64encode from tempfile import NamedTemporaryFile +intro = ''' +### autogenerated by samba +# +# This file is generated by the gp_scripts_ext Group Policy +# Client Side Extension. To modify the contents of this file, +# modify the appropriate Group Policy objects which apply +# to this machine. DO NOT MODIFY THIS FILE DIRECTLY. +# + +''' + class gp_scripts_ext(gp_pol_ext): def __str__(self): - return 'Unix Settings/Daily Scripts' + return 'Unix Settings/Scripts' - def process_group_policy(self, deleted_gpo_list, changed_gpo_list, cdir='/etc/cron.daily'): + def process_group_policy(self, deleted_gpo_list, changed_gpo_list, cdir=None): for gpo in deleted_gpo_list: self.gp_db.set_guid(gpo[0]) if str(self) in gpo[1]: @@ -34,7 +45,11 @@ class gp_scripts_ext(gp_pol_ext): for gpo in changed_gpo_list: if gpo.file_sys_path: - section_name = 'Software\\Policies\\Samba\\Unix Settings\\Daily Scripts' + reg_key = 'Software\\Policies\\Samba\\Unix Settings' + sections = { '%s\\Daily Scripts' % reg_key : '/etc/cron.daily', + '%s\\Monthly Scripts' % reg_key : '/etc/cron.monthly', + '%s\\Weekly Scripts' % reg_key : '/etc/cron.weekly', + '%s\\Hourly Scripts' % reg_key : '/etc/cron.hourly' } self.gp_db.set_guid(gpo.name) pol_file = 'MACHINE/Registry.pol' path = os.path.join(gpo.file_sys_path, pol_file) 
@@ -42,12 +57,33 @@ class gp_scripts_ext(gp_pol_ext): if not pol_conf: continue for e in pol_conf.entries: - if e.keyname == section_name and e.data.strip(): - attribute = b64encode(e.data.encode()).decode() + if e.keyname in sections.keys() and e.data.strip(): + cron_dir = sections[e.keyname] if not cdir else cdir + attribute = '%s:%s' % (e.keyname, + b64encode(e.data.encode()).decode()) old_val = self.gp_db.retrieve(str(self), attribute) if not old_val: - with NamedTemporaryFile(mode="w+", delete=False, dir=cdir) as f: - f.write('#!/bin/sh\n%s' % e.data) + with NamedTemporaryFile(prefix='gp_', mode="w+", + delete=False, dir=cron_dir) as f: + contents = '#!/bin/sh\n%s' % intro + contents += '%s\n' % e.data + f.write(contents) os.chmod(f.name, 0o700) self.gp_db.store(str(self), attribute, f.name) self.gp_db.commit() + + def rsop(self, gpo): + output = {} + pol_file = 'MACHINE/Registry.pol' + if gpo.file_sys_path: + path = os.path.join(gpo.file_sys_path, pol_file) + pol_conf = self.parse(path) + if not pol_conf: + return output + for e in pol_conf.entries: + key = e.keyname.split('\\')[-1] + if key.endswith('Scripts') and e.data.strip(): + if key not in output.keys(): + output[key] = [] + output[key].append(e.data) + return output diff --git a/python/samba/gp_sec_ext.py b/python/samba/gp_sec_ext.py index 6eab975e6fe..5e230f73c3c 100644 --- a/python/samba/gp_sec_ext.py +++ b/python/samba/gp_sec_ext.py @@ -16,7 +16,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os.path -from samba.gpclass import gp_ext_setter, gp_inf_ext +from samba.gpclass import gp_inf_ext from samba.auth import system_session from samba.compat import get_string try: 
@@ -26,26 +26,60 @@ except ImportError: pass -class inf_to_kdc_tdb(gp_ext_setter): - def mins_to_hours(self): - return '%d' % (int(self.val) / 60) +class gp_krb_ext(gp_inf_ext): + apply_map = { 'MaxTicketAge': 'kdc:user_ticket_lifetime', + 'MaxServiceAge': 'kdc:service_ticket_lifetime', + 'MaxRenewAge': 'kdc:renewal_lifetime' } + def process_group_policy(self, deleted_gpo_list, changed_gpo_list): + if self.lp.get('server role') != 'active directory domain controller': + return + inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf' + for gpo in deleted_gpo_list: + self.gp_db.set_guid(gpo[0]) + for section in gpo[1].keys(): + if section == str(self): + for att, value in gpo[1][section].items(): + update_samba, _ = self.mapper().get(att) + update_samba(att, value) + self.gp_db.delete(section, att) + self.gp_db.commit() - def days_to_hours(self): - return '%d' % (int(self.val) * 24) + for gpo in changed_gpo_list: + if gpo.file_sys_path: + self.gp_db.set_guid(gpo.name) + path = os.path.join(gpo.file_sys_path, inf_file) + inf_conf = self.parse(path) + if not inf_conf: + continue + for section in inf_conf.sections(): + if section == str(self): + for key, value in inf_conf.items(section): + att = gp_krb_ext.apply_map[key] + (update_samba, value_func) = self.mapper().get(att) + update_samba(att, value_func(value)) + self.gp_db.commit() - def set_kdc_tdb(self, val): - old_val = self.gp_db.gpostore.get(self.attribute) - self.logger.info('%s was changed from %s to %s' % (self.attribute, + def mins_to_hours(self, val): + return '%d' % (int(val) / 60) + + def days_to_hours(self, val): + return '%d' % (int(val) * 24) + + def set_kdc_tdb(self, attribute, val): + old_val = self.gp_db.gpostore.get(attribute) + self.logger.info('%s was changed from %s to %s' % (attribute, old_val, val)) if val is not None: - self.gp_db.gpostore.store(self.attribute, get_string(val)) - self.gp_db.store(str(self), self.attribute, get_string(old_val) if old_val else None) + 
self.gp_db.gpostore.store(attribute, get_string(val)) + self.gp_db.store(str(self), attribute, get_string(old_val) \ + if old_val else None) else: - self.gp_db.gpostore.delete(self.attribute) - self.gp_db.delete(str(self), self.attribute) + self.gp_db.gpostore.delete(attribute) + self.gp_db.delete(str(self), attribute) def mapper(self): - return {'kdc:user_ticket_lifetime': (self.set_kdc_tdb, self.explicit), + return {'kdc:user_ticket_lifetime': (self.set_kdc_tdb, + lambda val: val), 'kdc:service_ticket_lifetime': (self.set_kdc_tdb, self.mins_to_hours), 'kdc:renewal_lifetime': (self.set_kdc_tdb, @@ -55,15 +89,28 @@ class inf_to_kdc_tdb(gp_ext_setter): def __str__(self): return 'Kerberos Policy' - -class inf_to_ldb(gp_ext_setter): + def rsop(self, gpo): + output = {} + inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf' + if gpo.file_sys_path: + path = os.path.join(gpo.file_sys_path, inf_file) + inf_conf = self.parse(path) + if not inf_conf: + return output + for section in inf_conf.sections(): + output[section] = {k: v for k, v in inf_conf.items(section) \ + if gp_krb_ext.apply_map.get(k)} + return output + + +class gp_access_ext(gp_inf_ext): '''This class takes the .inf file parameter (essentially a GPO file mapped to a GUID), hashmaps it to the Samba parameter, which then uses an ldb object to update the parameter to Samba4. Not registry oriented whatsoever. ''' - def __init__(self, logger, gp_db, lp, creds, key, value): - super(inf_to_ldb, self).__init__(logger, gp_db, lp, creds, key, value) + def __init__(self, *args): + super().__init__(*args) try: self.ldb = SamDB(self.lp.samdb_url(), session_info=system_session(), 
@@ -72,41 +119,73 @@ class inf_to_ldb(gp_ext_setter): except (NameError, LdbError): raise Exception('Failed to load SamDB for assigning Group Policy') - def ch_minPwdAge(self, val): + apply_map = { 'MinimumPasswordAge': 'minPwdAge', + 'MaximumPasswordAge': 'maxPwdAge', + 'MinimumPasswordLength': 'minPwdLength', + 'PasswordComplexity': 'pwdProperties' } + def process_group_policy(self, deleted_gpo_list, changed_gpo_list): + if self.lp.get('server role') != 'active directory domain controller': + return + inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf' + for gpo in deleted_gpo_list: + self.gp_db.set_guid(gpo[0]) + for section in gpo[1].keys(): + if section == str(self): + for att, value in gpo[1][section].items(): + update_samba, _ = self.mapper().get(att) + update_samba(att, value) + self.gp_db.delete(section, att) + self.gp_db.commit() + + for gpo in changed_gpo_list: + if gpo.file_sys_path: + self.gp_db.set_guid(gpo.name) + path = os.path.join(gpo.file_sys_path, inf_file) + inf_conf = self.parse(path) + if not inf_conf: + continue + for section in inf_conf.sections(): + if section == str(self): + for key, value in inf_conf.items(section): + att = gp_access_ext.apply_map[key] + (update_samba, value_func) = self.mapper().get(att) + update_samba(att, value_func(value)) + self.gp_db.commit() + + def ch_minPwdAge(self, attribute, val): old_val = self.ldb.get_minPwdAge() self.logger.info('KDC Minimum Password age was changed from %s to %s' % (old_val, val)) - self.gp_db.store(str(self), self.attribute, str(old_val)) + self.gp_db.store(str(self), attribute, str(old_val)) self.ldb.set_minPwdAge(val) - def ch_maxPwdAge(self, val): + def ch_maxPwdAge(self, attribute, val): old_val = self.ldb.get_maxPwdAge() self.logger.info('KDC Maximum Password age was changed from %s to %s' % (old_val, val)) - self.gp_db.store(str(self), self.attribute, str(old_val)) + self.gp_db.store(str(self), attribute, str(old_val)) self.ldb.set_maxPwdAge(val) - def 
ch_minPwdLength(self, val): + def ch_minPwdLength(self, attribute, val): old_val = self.ldb.get_minPwdLength() self.logger.info( 'KDC Minimum Password length was changed from %s to %s' % (old_val, val)) - self.gp_db.store(str(self), self.attribute, str(old_val)) + self.gp_db.store(str(self), attribute, str(old_val)) self.ldb.set_minPwdLength(val) - def ch_pwdProperties(self, val): + def ch_pwdProperties(self, attribute, val): old_val = self.ldb.get_pwdProperties() self.logger.info('KDC Password Properties were changed from %s to %s' % (old_val, val)) - self.gp_db.store(str(self), self.attribute, str(old_val)) + self.gp_db.store(str(self), attribute, str(old_val)) self.ldb.set_pwdProperties(val) - def days2rel_nttime(self): + def days2rel_nttime(self, val): seconds = 60 minutes = 60 hours = 24 sam_add = 10000000 - val = (self.val) val = int(val) return str(-(val * seconds * minutes * hours * sam_add)) 
@@ -116,91 +195,23 @@ class inf_to_ldb(gp_ext_setter): "maxPwdAge": (self.ch_maxPwdAge, self.days2rel_nttime), # Could be none, but I like the method assignment in # update_samba - "minPwdLength": (self.ch_minPwdLength, self.explicit), - "pwdProperties": (self.ch_pwdProperties, self.explicit), + "minPwdLength": (self.ch_minPwdLength, lambda val: val), + "pwdProperties": (self.ch_pwdProperties, lambda val: val), } def __str__(self): return 'System Access' - -class gp_sec_ext(gp_inf_ext): - '''This class does the following two things: - 1) Identifies the GPO if it has a certain kind of filepath, - 2) Finally parses it. - ''' - - count = 0 - - def __str__(self): - return "Security GPO extension" - - def apply_map(self): - return {"System Access": {"MinimumPasswordAge": ("minPwdAge", - inf_to_ldb), - "MaximumPasswordAge": ("maxPwdAge", - inf_to_ldb), - "MinimumPasswordLength": ("minPwdLength", - inf_to_ldb), - "PasswordComplexity": ("pwdProperties", - inf_to_ldb), - }, - "Kerberos Policy": {"MaxTicketAge": ( - "kdc:user_ticket_lifetime", - inf_to_kdc_tdb - ), - "MaxServiceAge": ( - "kdc:service_ticket_lifetime", - inf_to_kdc_tdb - ), - "MaxRenewAge": ( - "kdc:renewal_lifetime", - inf_to_kdc_tdb - ), - } - } - - def process_group_policy(self, deleted_gpo_list, changed_gpo_list): - if self.lp.get('server role') != 'active directory domain controller': - return + def rsop(self, gpo): + output = {} inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf' - apply_map = self.apply_map() - for gpo in deleted_gpo_list: - self.gp_db.set_guid(gpo[0]) - for section in gpo[1].keys(): - current_section = apply_map.get(section) - if not current_section: - continue - for key, value in gpo[1][section].items(): - setter = None - for _, tup in current_section.items(): - if tup[0] == key: - setter = tup[1] - if setter: - value = value.encode('ascii', 'ignore') \ - if value else value - setter(self.logger, self.gp_db, self.lp, self.creds, - key, value).delete() - 
self.gp_db.delete(section, key) - self.gp_db.commit() - - for gpo in changed_gpo_list: - if gpo.file_sys_path: - self.gp_db.set_guid(gpo.name) - path = os.path.join(gpo.file_sys_path, inf_file) - inf_conf = self.parse(path) - if not inf_conf: - continue - for section in inf_conf.sections(): - current_section = apply_map.get(section) - if not current_section: - continue - for key, value in inf_conf.items(section): - if current_section.get(key): - (att, setter) = current_section.get(key) - value = value.encode('ascii', 'ignore') - setter(self.logger, self.gp_db, self.lp, - self.creds, att, value).update_samba() - self.gp_db.commit() - + if gpo.file_sys_path: + path = os.path.join(gpo.file_sys_path, inf_file) + inf_conf = self.parse(path) + if not inf_conf: + return output + for section in inf_conf.sections(): + output[section] = {k: v for k, v in inf_conf.items(section) \ + if gp_access_ext.apply_map.get(k)} + return output diff --git a/python/samba/gp_sudoers_ext.py b/python/samba/gp_sudoers_ext.py new file mode 100644 index 00000000000..cbebc8f06e3 --- /dev/null +++ b/python/samba/gp_sudoers_ext.py @@ -0,0 +1,85 @@ +# gp_sudoers_ext samba gpo policy +# Copyright (C) David Mulder <dmul...@suse.com> 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License -- Samba Shared Repository