The branch, master has been updated via f6712c70986 script:autobuild: Make sure we can send a failure mail via 41aa379abb3 python: Replace calls to deprecated methods via a15208f60bb samba-tool: Use ntstatus constants in gpo commands via a4530c153e3 samba-tool: Test gpo show/load handling of utf-16-le strings via 3b0d78a3fdc samba-tool: gpo show/load handle utf-16-le strings via e6032703606 samba-tool: gpo load provide option for replace vs merge via 6f373603720 samba-tool: gpo load set ntacl with SYSVOL file creation via e7737d6bb27 samba-tool: gpo load add Registry ext by default via a3452147129 samba-tool: gpo load extension names via 00e40f9f924 samba-tool: gpo load/remove increment GPT.INI via ea619d704e4 samba-tool: gpo load/remove bytes via dc6725336ad samba-tool: Test gpo load/remove commands via ee37e3cd32e samba-tool: gpo load/remove commands via a0f8d7ca05e samba-tool: Move smb_connection to a common file via d6194600c19 samba-tool: Move create_directory_hier to a common file via e40faf7a750 samba-tool: gpo show command list policies from 7e0eb0f31a2 s3:lib: Change file_modtime() to return an error code and a struct timespec.
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit f6712c709868bf87dfd3d92bec1f306d2a98116e Author: Andreas Schneider <a...@samba.org> Date: Wed Jan 25 17:08:58 2023 +0100 script:autobuild: Make sure we can send a failure mail We should not run into an exception if the file doesn't exist. Traceback (most recent call last): File "script/autobuild.py", line 1781, in <module> email_failure(-1, 'rebase', 'rebase', 'rebase', File "script/autobuild.py", line 1677, in email_failure f = open("%s/%s.stdout" % (gitroot, failed_tag), 'r') FileNotFoundError: [Errno 2] No such file or directory: 'samba-autobuild/rebase.stdout' Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Mon Jan 30 10:00:27 UTC 2023 on atb-devel-224 commit 41aa379abb391ffab77238d65ee5ba11b9ab8538 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jan 19 08:37:03 2023 +1300 python: Replace calls to deprecated methods These aliases are deprecated and have been removed in Python 3.12. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a15208f60bbace89d99acbe8e3a8325740f5d6ab Author: David Mulder <dmul...@samba.org> Date: Wed Dec 7 10:56:54 2022 -0700 samba-tool: Use ntstatus constants in gpo commands Replace all the hard coded instances of ntstatus codes in the samba-tool gpo commands with constants from samba.ntstatus. Signed-off-by: David Mulder <dmul...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a4530c153e38b205f0ffa7f30e06d2a4469fa58b Author: David Mulder <dmul...@suse.com> Date: Thu Mar 24 11:35:02 2022 -0600 samba-tool: Test gpo show/load handling of utf-16-le strings Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> commit 3b0d78a3fdcd2df1d6ee63f41e2d56688ccd83f1 Author: David Mulder <dmul...@suse.com> Date: Thu Mar 24 17:05:13 2022 +0000 samba-tool: gpo show/load handle utf-16-le strings Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> commit e60327036067d1b3141ec40200efeeb057aa93ff Author: David Mulder <dmul...@suse.com> Date: Thu Feb 17 10:38:46 2022 -0700 samba-tool: gpo load provide option for replace vs merge Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> commit 6f3736037203f21b8508f134dde6bd25867f5613 Author: David Mulder <dmul...@suse.com> Date: Wed Feb 16 03:11:34 2022 -0700 samba-tool: gpo load set ntacl with SYSVOL file creation Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> commit e7737d6bb27dd4b70782635eafa75f4d01450aa7 Author: David Mulder <dmul...@suse.com> Date: Tue Feb 15 14:45:41 2022 -0700 samba-tool: gpo load add Registry ext by default Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> commit a3452147129a0eea6a578c3d57aa828642986d89 Author: David Mulder <dmul...@suse.com> Date: Tue Feb 15 11:09:12 2022 -0700 samba-tool: gpo load extension names Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> commit 00e40f9f924f6354e5e8e9e0d0ee7077243a4b26 Author: David Mulder <dmul...@suse.com> Date: Mon Feb 14 13:34:39 2022 -0700 samba-tool: gpo load/remove increment GPT.INI Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> commit ea619d704e4d9f498104b20bb1c8a98a1a6df9d6 Author: David Mulder <dmul...@suse.com> Date: Mon Jan 24 09:21:47 2022 -0700 samba-tool: gpo load/remove bytes Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> commit dc6725336ad76fe425ef818a83272bd4cf7c937c Author: David Mulder <dmul...@suse.com> Date: Fri Jan 21 11:48:48 2022 -0700 samba-tool: Test gpo load/remove commands Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> commit ee37e3cd32e98088cf3b4faba4cc2a2ce3a70175 Author: David Mulder <dmul...@samba.org> Date: Tue Jun 29 19:38:02 2021 +0000 samba-tool: gpo load/remove commands These commands allow the setting of various group policies on the sysvol. Signed-off-by: David Mulder <dmul...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> commit a0f8d7ca05e0cc65d328864f300ae67098526868 Author: David Mulder <dmul...@samba.org> Date: Wed Dec 7 11:32:30 2022 -0700 samba-tool: Move smb_connection to a common file This is in preparation for needing it here later. Signed-off-by: David Mulder <dmul...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d6194600c19e12a58686199ce65daa45367371f6 Author: David Mulder <dmul...@samba.org> Date: Wed Dec 7 11:27:00 2022 -0700 samba-tool: Move create_directory_hier to a common file This is in preparation for needing it here later. Signed-off-by: David Mulder <dmul...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e40faf7a750c3aeb4298b1a9c6647e372c063151 Author: David Mulder <dmul...@samba.org> Date: Thu Jun 3 17:05:42 2021 +0000 samba-tool: gpo show command list policies Signed-off-by: David Mulder <dmul...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Tested-by: Kees van Vloten <keesvanvlo...@gmail.com> ----------------------------------------------------------------------- Summary of changes: python/samba/netcmd/gpcommon.py | 55 ++ python/samba/netcmd/gpo.py | 564 +++++++++++++++------ python/samba/policies.py | 389 ++++++++++++++ python/samba/tests/audit_log_dsdb.py | 40 +- python/samba/tests/audit_log_pass_change.py | 28 +- python/samba/tests/gpo.py | 16 +- python/samba/tests/group_audit.py | 48 +- python/samba/tests/prefork_restart.py | 18 +- python/samba/tests/samba_tool/computer.py | 6 +- python/samba/tests/samba_tool/contact.py | 6 +- .../samba_tool/drs_clone_dc_data_lmdb_size.py | 10 +- python/samba/tests/samba_tool/gpo.py | 157 ++++++ python/samba/tests/samba_tool/join_lmdb_size.py | 10 +- python/samba/tests/samba_tool/ou.py | 6 +- python/samba/tests/samba_tool/passwordsettings.py | 4 +- .../samba/tests/samba_tool/promote_dc_lmdb_size.py | 10 +- .../samba/tests/samba_tool/provision_lmdb_size.py | 10 +- .../tests/samba_tool/provision_password_check.py | 4 +- python/samba/tests/upgradeprovisionneeddc.py | 8 +- script/autobuild.py | 10 +- source4/dsdb/tests/python/urgent_replication.py | 20 +- .../torture/drs/python/samba_tool_drs_showrepl.py | 46 +- 22 files changed, 1152 insertions(+), 313 deletions(-) create mode 100644 python/samba/netcmd/gpcommon.py create mode 100644 python/samba/policies.py Changeset truncated at 500 lines: diff --git a/python/samba/netcmd/gpcommon.py b/python/samba/netcmd/gpcommon.py new file mode 100644 index 00000000000..ee5da4dfd13 --- /dev/null +++ b/python/samba/netcmd/gpcommon.py @@ -0,0 +1,55 @@ +# Samba common group policy functions +# +# Copyright Andrew Tridgell 2010 +# Copyright Amitay Isaacs 2011-2012 <ami...@gmail.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +import ldb +from samba.credentials import SMB_SIGNING_REQUIRED +from samba.samba3 import param as s3param +from samba.samba3 import libsmb_samba_internal as libsmb +from samba.netcmd import CommandError + +def get_gpo_dn(samdb, gpo): + '''Construct the DN for gpo''' + + dn = samdb.get_default_basedn() + dn.add_child(ldb.Dn(samdb, "CN=Policies,CN=System")) + dn.add_child(ldb.Dn(samdb, "CN=%s" % gpo)) + return dn + +def create_directory_hier(conn, remotedir): + elems = remotedir.replace('/', '\\').split('\\') + path = "" + for e in elems: + path = path + '\\' + e + if not conn.chkpath(path): + conn.mkdir(path) + +def smb_connection(dc_hostname, service, lp, creds): + # SMB connect to DC + # Force signing for the smb connection + saved_signing_state = creds.get_smb_signing() + creds.set_smb_signing(SMB_SIGNING_REQUIRED) + try: + # the SMB bindings rely on having a s3 loadparm + s3_lp = s3param.get_context() + s3_lp.load(lp.configfile) + conn = libsmb.Conn(dc_hostname, service, lp=s3_lp, creds=creds) + except Exception: + raise CommandError("Error connecting to '%s' using SMB" % dc_hostname) + # Reset signing state + creds.set_smb_signing(saved_signing_state) + return conn diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index 9cd08273aaa..bfd3e0f05f7 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -19,6 +19,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # import os +import sys import samba.getopt as options import ldb import re @@ -43,7 +44,6 @@ import samba.auth from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES from samba.netcmd.common import netcmd_finddc from samba import policy -from samba.samba3 import param as s3param from samba.samba3 import libsmb_samba_internal as libsmb from samba import NTSTATUSError import uuid @@ -62,13 +62,28 @@ from samba.gp_parse.gp_csv import GPAuditCsvParser from samba.gp_parse.gp_inf import GptTmplInfParser from samba.gp_parse.gp_aas import GPAasParser from samba import param -from samba.credentials import SMB_SIGNING_REQUIRED from samba.netcmd.common import attr_default from samba.common import get_bytes, get_string from configparser import ConfigParser from io import StringIO, BytesIO from samba.gp.vgp_files_ext import calc_mode, stat_from_mode import hashlib +import json +from samba.registry import str_regtype +from samba.ntstatus import ( + NT_STATUS_OBJECT_NAME_INVALID, + NT_STATUS_OBJECT_NAME_NOT_FOUND, + NT_STATUS_OBJECT_PATH_NOT_FOUND, + NT_STATUS_OBJECT_NAME_COLLISION, + NT_STATUS_ACCESS_DENIED +) +from samba.netcmd.gpcommon import ( + create_directory_hier, + smb_connection, + get_gpo_dn +) +from samba.policies import RegistryGroupPolicies +from samba.dcerpc.misc import REG_MULTI_SZ def gpo_flags_string(value): @@ -129,15 +144,6 @@ def dc_url(lp, creds, url=None, dc=None): return url -def get_gpo_dn(samdb, gpo): - '''Construct the DN for gpo''' - - dn = samdb.get_default_basedn() - dn.add_child(ldb.Dn(samdb, "CN=Policies,CN=System")) - dn.add_child(ldb.Dn(samdb, "CN=%s" % gpo)) - return dn - - def get_gpo_info(samdb, gpo=None, displayname=None, dn=None, sd_flags=(security.SECINFO_OWNER | security.SECINFO_GROUP | @@ -374,31 +380,6 @@ def copy_directory_local_to_remote(conn, localdir, remotedir, conn.savefile(r_name, data) -def create_directory_hier(conn, remotedir): - elems = remotedir.replace('/', '\\').split('\\') - path = "" - for e in elems: - path = path + '\\' + e - if not conn.chkpath(path): - conn.mkdir(path) - -def smb_connection(dc_hostname, service, lp, creds): - # SMB connect to DC - # Force signing for the smb connection - saved_signing_state = creds.get_smb_signing() - creds.set_smb_signing(SMB_SIGNING_REQUIRED) - try: - # the SMB bindings rely on having a s3 loadparm - s3_lp = s3param.get_context() - s3_lp.load(lp.configfile) - conn = libsmb.Conn(dc_hostname, service, lp=s3_lp, creds=creds) - except Exception: - raise CommandError("Error connecting to '%s' using SMB" % dc_hostname) - # Reset signing state - creds.set_smb_signing(saved_signing_state) - return conn - - class GPOCommand(Command): def construct_tmpdir(self, tmpdir, gpo): """Ensure that the temporary directory structure used in fetch, @@ -621,7 +602,13 @@ class cmd_show(GPOCommand): self.lp = sambaopts.get_loadparm() self.creds = credopts.get_credentials(self.lp, fallback_machine=True) - self.url = dc_url(self.lp, self.creds, H) + # We need to know writable DC to setup SMB connection + if H and H.startswith('ldap://'): + dc_hostname = H[7:] + self.url = H + else: + dc_hostname = netcmd_finddc(self.lp, self.creds) + self.url = dc_url(self.lp, self.creds, dc=dc_hostname) self.samdb_connect() @@ -640,13 +627,254 @@ class cmd_show(GPOCommand): self.outf.write("GPO : %s\n" % msg['name'][0]) self.outf.write("display name : %s\n" % msg['displayName'][0]) self.outf.write("path : %s\n" % msg['gPCFileSysPath'][0]) + if 'gPCMachineExtensionNames' in msg: + self.outf.write("Machine Exts : %s\n" % msg['gPCMachineExtensionNames'][0]) + if 'gPCUserExtensionNames' in msg: + self.outf.write("User Exts : %s\n" % msg['gPCUserExtensionNames'][0]) self.outf.write("dn : %s\n" % msg.dn) self.outf.write("version : %s\n" % attr_default(msg, 'versionNumber', '0')) self.outf.write("flags : %s\n" % gpo_flags_string(int(attr_default(msg, 'flags', 0)))) self.outf.write("ACL : %s\n" % secdesc_sddl) + + # SMB connect to DC + conn = smb_connection(dc_hostname, + 'sysvol', + lp=self.lp, + creds=self.creds) + + realm = self.lp.get('realm') + pol_file = '\\'.join([realm.lower(), 'Policies', gpo, + '%s\\Registry.pol']) + policy_defs = [] + for policy_class in ['MACHINE', 'USER']: + try: + pol_data = ndr_unpack(preg.file, + conn.loadfile(pol_file % policy_class)) + except NTSTATUSError as e: + if e.args[0] in [NT_STATUS_OBJECT_NAME_INVALID, + NT_STATUS_OBJECT_NAME_NOT_FOUND, + NT_STATUS_OBJECT_PATH_NOT_FOUND]: + continue # The file doesn't exist, so there is nothing to list + if e.args[0] == NT_STATUS_ACCESS_DENIED: + raise CommandError("The authenticated user does " + "not have sufficient privileges") + raise + + for entry in pol_data.entries: + if entry.valuename == "**delvals.": + continue + defs = {} + defs['keyname'] = entry.keyname + defs['valuename'] = entry.valuename + defs['class'] = policy_class + defs['type'] = str_regtype(entry.type) + defs['data'] = entry.data + # Bytes aren't JSON serializable + if type(defs['data']) == bytes: + if entry.type == REG_MULTI_SZ: + data = defs['data'].decode('utf-16-le') + defs['data'] = data.rstrip('\x00').split('\x00') + else: + defs['data'] = list(defs['data']) + policy_defs.append(defs) + self.outf.write("Policies :\n") + json.dump(policy_defs, self.outf, indent=4) self.outf.write("\n") +class cmd_load(GPOCommand): + """Load policies onto a GPO. + + Reads json from standard input until EOF, unless a json formatted + file is provided via --content. + + Example json_input: + [ + { + "keyname": "Software\\Policies\\Mozilla\\Firefox\\Homepage", + "valuename": "StartPage", + "class": "USER", + "type": "REG_SZ", + "data": "homepage" + }, + { + "keyname": "Software\\Policies\\Mozilla\\Firefox\\Homepage", + "valuename": "URL", + "class": "USER", + "type": "REG_SZ", + "data": "google.com" + }, + { + "keyname": "Software\\Microsoft\\Internet Explorer\\Toolbar", + "valuename": "IEToolbar", + "class": "USER", + "type": "REG_BINARY", + "data": [0] + }, + { + "keyname": "Software\\Policies\\Microsoft\\InputPersonalization", + "valuename": "RestrictImplicitTextCollection", + "class": "USER", + "type": "REG_DWORD", + "data": 1 + } + ] + + Valid class attributes: MACHINE|USER|BOTH + Data arrays are interpreted as bytes. + + The --machine-ext-name and --user-ext-name options are multi-value inputs + which respectively set the gPCMachineExtensionNames and gPCUserExtensionNames + ldap attributes on the GPO. These attributes must be set to the correct GUID + names for Windows Group Policy to work correctly. These GUIDs represent + the client side extensions to apply on the machine. Linux Group Policy does + not enforce this constraint. + {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is provided by default, which + enables most Registry policies. + """ + + synopsis = "%prog <gpo> [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "versionopts": options.VersionOptions, + "credopts": options.CredentialsOptions, + } + + takes_args = ['gpo'] + + takes_options = [ + Option("-H", help="LDB URL for database or target server", type=str), + Option("--content", help="JSON file of policy inputs", type=str), + Option("--machine-ext-name", + action="append", dest="machine_exts", + default=['{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'], + help="A machine extension name to add to gPCMachineExtensionNames"), + Option("--user-ext-name", + action="append", dest="user_exts", + default=['{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'], + help="A user extension name to add to gPCUserExtensionNames"), + Option("--replace", action='store_true', default=False, + help="Replace the existing Group Policies, rather than merging") + ] + + def run(self, gpo, H=None, content=None, + machine_exts=['{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'], + user_exts=['{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'], + replace=False, sambaopts=None, credopts=None, versionopts=None): + if content is None: + policy_defs = json.loads(sys.stdin.read()) + elif os.path.exists(content): + with open(content, 'rb') as r: + policy_defs = json.load(r) + else: + raise CommandError("The JSON content file does not exist") + + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp, fallback_machine=True) + self.url = dc_url(self.lp, self.creds, H) + self.samdb_connect() + reg = RegistryGroupPolicies(gpo, self.lp, self.creds, self.samdb, H) + for ext_name in machine_exts: + reg.register_extension_name(ext_name, 'gPCMachineExtensionNames') + for ext_name in user_exts: + reg.register_extension_name(ext_name, 'gPCUserExtensionNames') + try: + if replace: + reg.replace_s(policy_defs) + else: + reg.merge_s(policy_defs) + except NTSTATUSError as e: + if e.args[0] == NT_STATUS_ACCESS_DENIED: + raise CommandError("The authenticated user does " + "not have sufficient privileges") + else: + raise + + +class cmd_remove(GPOCommand): + """Remove policies from a GPO. + + Reads json from standard input until EOF, unless a json formatted + file is provided via --content. + + Example json_input: + [ + { + "keyname": "Software\\Policies\\Mozilla\\Firefox\\Homepage", + "valuename": "StartPage", + "class": "USER", + }, + { + "keyname": "Software\\Policies\\Mozilla\\Firefox\\Homepage", + "valuename": "URL", + "class": "USER", + }, + { + "keyname": "Software\\Microsoft\\Internet Explorer\\Toolbar", + "valuename": "IEToolbar", + "class": "USER" + }, + { + "keyname": "Software\\Policies\\Microsoft\\InputPersonalization", + "valuename": "RestrictImplicitTextCollection", + "class": "USER" + } + ] + + Valid class attributes: MACHINE|USER|BOTH + """ + + synopsis = "%prog <gpo> [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "versionopts": options.VersionOptions, + "credopts": options.CredentialsOptions, + } + + takes_args = ['gpo'] + + takes_options = [ + Option("-H", help="LDB URL for database or target server", type=str), + Option("--content", help="JSON file of policy inputs", type=str), + Option("--machine-ext-name", + action="append", default=[], dest="machine_exts", + help="A machine extension name to remove from gPCMachineExtensionNames"), + Option("--user-ext-name", + action="append", default=[], dest="user_exts", + help="A user extension name to remove from gPCUserExtensionNames") + ] + + def run(self, gpo, H=None, content=None, machine_exts=[], user_exts=[], + sambaopts=None, credopts=None, versionopts=None): + if content is None: + policy_defs = json.loads(sys.stdin.read()) + elif os.path.exists(content): + with open(content, 'rb') as r: + policy_defs = json.load(r) + else: + raise CommandError("The JSON content file does not exist") + + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp, fallback_machine=True) + self.url = dc_url(self.lp, self.creds, H) + self.samdb_connect() + reg = RegistryGroupPolicies(gpo, self.lp, self.creds, self.samdb, H) + for ext_name in machine_exts: + reg.unregister_extension_name(ext_name, 'gPCMachineExtensionNames') + for ext_name in user_exts: + reg.unregister_extension_name(ext_name, 'gPCUserExtensionNames') + try: + reg.remove_s(policy_defs) + except NTSTATUSError as e: + if e.args[0] == NT_STATUS_ACCESS_DENIED: + raise CommandError("The authenticated user does " + "not have sufficient privileges") + else: + raise + + class cmd_getlink(GPOCommand): """List GPO Links for a container.""" @@ -1645,10 +1873,10 @@ class cmd_admxload(Command): try: conn.mkdir(smb_dir) except NTSTATUSError as e: - if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + if e.args[0] == NT_STATUS_ACCESS_DENIED: raise CommandError("The authenticated user does " "not have sufficient privileges") - elif e.args[0] != 0xC0000035: # STATUS_OBJECT_NAME_COLLISION + elif e.args[0] != NT_STATUS_OBJECT_NAME_COLLISION: raise for dirname, dirs, files in os.walk(admx_dir): @@ -1660,16 +1888,16 @@ class cmd_admxload(Command): try: create_directory_hier(conn, sub_dir) except NTSTATUSError as e: - if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + if e.args[0] == NT_STATUS_ACCESS_DENIED: raise CommandError("The authenticated user does " "not have sufficient privileges") - elif e.args[0] != 0xC0000035: # STATUS_OBJECT_NAME_COLLISION + elif e.args[0] != NT_STATUS_OBJECT_NAME_COLLISION: raise with open(full_path, 'rb') as f: try: conn.savefile(smb_path, f.read()) except NTSTATUSError as e: - if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + if e.args[0] == NT_STATUS_ACCESS_DENIED: raise CommandError("The authenticated user does " "not have sufficient privileges") self.outf.write('Installing ADMX templates to the Central Store ' @@ -1745,9 +1973,9 @@ fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL policysetting = xml_data.getroot().find('policysetting') data = policysetting.find('data') except NTSTATUSError as e: - # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, - # STATUS_OBJECT_PATH_NOT_FOUND - if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]: + if e.args[0] in [NT_STATUS_OBJECT_NAME_INVALID, + NT_STATUS_OBJECT_NAME_NOT_FOUND, + NT_STATUS_OBJECT_PATH_NOT_FOUND]: # The file doesn't exist, so create the xml structure xml_data = ET.ElementTree(ET.Element('vgppolicy')) policysetting = ET.SubElement(xml_data.getroot(), @@ -1763,7 +1991,7 @@ fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL data = ET.SubElement(policysetting, 'data') load_plugin = ET.SubElement(data, 'load_plugin') load_plugin.text = 'true' - elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + elif e.args[0] == NT_STATUS_ACCESS_DENIED: raise CommandError("The authenticated user does " "not have sufficient privileges") else: @@ -1794,7 +2022,7 @@ fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL create_directory_hier(conn, vgp_dir) conn.savefile(vgp_xml, out.read()) except NTSTATUSError as e: - if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + if e.args[0] == NT_STATUS_ACCESS_DENIED: raise CommandError("The authenticated user does " "not have sufficient privileges") raise @@ -1848,12 +2076,12 @@ samba-tool gpo manage sudoers list {31B2F340-016D-11D2-945F-00C04FB984F9} try: xml_data = ET.fromstring(conn.loadfile(vgp_xml)) except NTSTATUSError as e: - # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, - # STATUS_OBJECT_PATH_NOT_FOUND - if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]: -- Samba Shared Repository