Id ^dZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z mZddlmZmZddlmZddlmZddlmZdd lmZdd lmZdd lmZej8ej:zej<zej>zZ e jBe jDze jFze jHzZ%Gd d e&Z'dZ(dZ) ddZ* ddZ+dZ,ddZ-GddZ.GddZ/dZ0dZ1dZ2dZ3dZ4y) zNT Acls.N)param)securityxattridmap)ndr_pack ndr_unpack)smbd)libsmb_samba_internal)get_samba_logger) NTSTATUSError)system_session_unix) safe_tarfileceZdZdZy)XattrBackendErrorzA generic xattr backend error.N)__name__ __module__ __qualname____doc__./usr/lib/python3/dist-packages/samba/ntacls.pyrr3s(rrc|i|jd}|!tj|jdfS|jd}|!tj|jdfSy|dk(ry|dk(rp|tj|fStjtj j tj j|jddfS|dk(rt|tj|fS|jd }tj j tj j|d }tj|fStd |z) z$return the path to the eadb, or Nonezxattr_tdb:filez posix:eadbNNnativeeadbz private dirzeadb.tdbtdbzstate directoryz xattr.tdbzInvalid xattr backend choice %s) getsamba xattr_tdb posix_eadbospathabspathjoinr)lpbackendeadbfilerr state_dirdb_paths rcheckset_backendr*7s4FF+,  OORVV,<%=> >VVL)  !$$bff\&:; ; H  F   $$h/ /$$bggoobggll266-CXZd6e&fg g E   OOX. .01Iggoobggll9k&JKGOOW- - AG KLLrc tjj|tj}t tj|S#t $rYywxYwN)r xattr_native wrap_getxattrrXATTR_DOSATTRIB_NAME_S3 Exceptionr DOSATTRIB)r%file attributes r getdosinfor4SsP&&44T5:5R5RT eooy 11 s.A AAc|rt|||\}}|# |j||tj} n.t jj|tj} ttj| } | jdk(r | jS| jdk(r| jjS| jdk(r| jjS| jdk(r| jjSytj|t||S#t$r@t d|zt jj|tj} Y wxYw)NFail to open %sservice)r*r.rXATTR_NTACL_NAMEr0printrr-rNTACLversioninfosdr get_nt_aclSECURITY_SECINFO_FLAGS) r%r2 session_infor&r'direct_db_accessr< backend_objdbnamer3ntacls rgetntaclrJ]sD 0Wh Gf   U'55fd6;6L6LN **889>9O9OQI5;; 2 ==A ::  ]]a ::== ]]a ::== ]]a ::==  t5+'.0 0' U'&01!..<$rItAd|ztBjDj9|t0j:t=|YywxYw) a A wrapper for smbd set_nt_acl api. Args: lp (LoadParam): load param from conf file (str): a path to file or dir sddl (str): ntacl sddl string service (str): name of share service, e.g.: sysvol session_info (auth_session_info): session info for authentication Note: Get `session_info` with `samba.auth.user_session`, do not use the `admin_session` api. Returns: None z%s-%dr;TzDUnable to find UID for domain administrator %s, got id %d of type %drr7Nr6)r<rE)# isinstancestrrdom_sid descriptor from_sddlas_sddl sid_to_id owner_sidr ID_TYPE_UID ID_TYPE_BOTHDOMAIN_RID_ADMINSDOMAIN_RID_ADMINISTRATORr set_nt_aclrDrr!chown SECINFO_GROUP SECINFO_DACL SECINFO_SACLr*rr?r@rA wrap_setxattrr=rr0r>rr-)r%r2sddldomsidrEr&r' use_ntvfsskip_invalid_chownpassdbr<sidrBowner_id owner_type administratoradmin_id admin_typesd2rGrHrIs rsetntaclrjs, fc "j9I9I&JK J&#v& FH,, -S dC JtX5H5H$IJ I$  * *4 5 D(-- . zz# +!'!1!1",,!?: 5,, ,:ASAS3S||x//68C]C]:^0^__ ( 0 0FHDeDe;f1f g )/)9)9-)H&: 5#4#44*HZHZ:ZC$1CMOO4c$ ') !%I+,rwDFNPZv[-[\\q!$**))*))* #% 0Wh Gf     B))&*.0F0FQVY    , ,T53I3I-5e_ >  (", 8 B'&01""00u7M7M19%B  Bs:+L>>ANNc&d}d}d}d}d}d}d}d}d } d} d} d} d} d}d}d}d}d}d}d}d}d}d }d }d }d }d }d}d}||z}||zr||zr||| z|z|z| z|zz}||zr||| z|z|z|z| z|zz}||zr||| zz}||zr||z}|S)zMTakes the access mask of a DS ACE and transform them in a File ACE mask. r7r8r: @iiiiiir)ldmRIGHT_DS_CREATE_CHILDRIGHT_DS_DELETE_CHILDRIGHT_DS_LIST_CONTENTS ACTRL_DS_SELFRIGHT_DS_READ_PROPERTYRIGHT_DS_WRITE_PROPERTYRIGHT_DS_DELETE_TREERIGHT_DS_LIST_OBJECTRIGHT_DS_CONTROL_ACCESSFILE_READ_DATAFILE_LIST_DIRECTORYFILE_WRITE_DATA FILE_ADD_FILEFILE_APPEND_DATAFILE_ADD_SUBDIRECTORYFILE_CREATE_PIPE_INSTANCE FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE FILE_TRAVERSEFILE_DELETE_CHILDFILE_READ_ATTRIBUTESFILE_WRITE_ATTRIBUTESDELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZESTANDARD_RIGHTS_ALLfilemasks rldapmask2filemaskrsp!+ * * *M * * * * * &N & &O &M & & & &L &M &L &M & & & *F *L *I *K *K *((H $$31G+G{-@@3 46B C- .0< => $${_</ 02? @4 57D E 5 56  ""4}DE ""// Orc~tjj||}tj}|j|_|j|_|j |_|j |_|jj}tdt|D]}||}|j tjtjfvs6t|jtjk7s]|j tj"ztj$z|_t|jtj&k(r"|j tj(z|_t+|j,|_|j/||s|S|j1|S)z This function takes an the SDDL representation of a DS ACL and return the SDDL representation of this ACL adapted for files. It's used for Policy object provision r)rrOrPrS group_sidtyperevisiondaclacesrangelen"SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECTSEC_ACE_TYPE_ACCESS_ALLOWEDrMtrusteeSID_BUILTIN_PREW2KflagsSEC_ACE_FLAG_OBJECT_INHERITSEC_ACE_FLAG_CONTAINER_INHERITSID_CREATOR_OWNERSEC_ACE_FLAG_INHERIT_ONLYr access_maskdacl_addrQ)dssddlrcrQreffdescrriaces r dsacl2fsaclr!sE    ' ' 4C  "F}}F}}F((FKllFO 88==D 1c$i !1g 88CC <<> >BEckkBRV^VqVqBq H$H$HH8KrKrrCI3;;8#=#==II(J(JJ /@CO OOC  !  >># rcdeZdZdZdZ ddZ ddZddZdZdZ d Z dd Z dd Z dd Z d Zy) SMBHelperzb A wrapper class for SMB connection smb_path: path with separator "\" other than "/" c ||_||_yr,)smb_connrN)selfrrNs r__init__zSMBHelper.__init__Hs   rNcd|vsJ|jj|||}|r|j|jS|SN/)sinfor)rget_aclrQrN)rsmb_pathrQrrntacl_sds rrzSMBHelper.get_aclLsP("""==((/45@)B29x -FhFrcTd|vsJt|tst|tjsJt|tr+tjj ||j }nt|tjr|}|j j|||yr)rLrMrrOrP domain_sidrset_acl)rrrrrtmp_descs rrzSMBHelper.set_aclVs("""(C(JxATAT,UVU h $**44XtOH ("5"5 6H h$)*5  7rcPd|vsJ|jj|tS)zM List file and dir base names in smb_path without recursive. r)attribs)rlistSMB_FILE_ATTRIBUTE_FLAGSrrs rrzSMBHelper.listds-("""}}!!(4L!MMrc:t|tjzS)ze Check whether the attrib value is a directory. attrib is from list method. )boollibsmbFILE_ATTRIBUTE_DIRECTORY)rattribs ris_dirzSMBHelper.is_dirks FV<<<==rc|r|dz|zS|S)z$ Join path with '\' \r)rrootnames rr$zSMBHelper.joinss&*td{T!3t3rcDd|vsJ|jj|S)Nr)rloadfilers rrzSMBHelper.loadfileys%("""}}%%h//rcD|jD]\}}|j||}t|trJ|jj |s|jj ||j||r|jj||y)z1 Create files as defined in tree rN) itemsr$rLdictrchkpathmkdir create_treesavefile)rtreerrcontentfullnames rrzSMBHelper.create_tree}s"ZZ\ :MD'yy40H'4(}},,X6MM''1  8 < &&x9 :rci}|j|D]W}|d}|j||}|j|dr|j|||<D|j |||<Y|S)a Get the tree structure via smb conn self.smb_conn.list example: [ { 'attrib': 16, 'mtime': 1528848309, 'name': 'dir1', 'short_name': 'dir1', 'size': 0L }, { 'attrib': 32, 'mtime': 1528848309, 'name': 'file0.txt', 'short_name': 'file0.txt', 'size': 10L } ] rrr)rr$rget_treer)rrritemrrs rrzSMBHelper.get_treesw,IIh' 5D*!]]H]=T !]]84T  5 rc.i}|j|D]~}|d}|j||}|j|dr"|j|j |P|j |}|j |j||<|S)z> Get ntacl for each file and dir via smb conn rrr)rr$rupdate get_ntaclsrrQrN)rrntaclsrrrrs rrzSMBHelper.get_ntaclssIIh' BD* dooxo@A<<1#+#3#3DLL#Ax  B rc|jD]R}|d}|j|dr|jj|8|jj |Ty)Nrr)rrrdeltreeunlink)rrrs r delete_treezSMBHelper.delete_treesTIIK +D* %%d+ $$T*  +r)FNNr))rrrrrrrrrr$rrrrrrrrrrAsN ).(,G)- 7N>4 0 :@ +rrc eZdZdZddZdZy) NtaclsHelperc||_||_tj|_|jj |d|jj dv|_y)Nsmbzserver services)r<rNs3param get_contextr%loadrr`)rr< smb_conf_pathrNs rrzNtaclsHelper.__init__sL  %%'  ]#$''++.?"@@rNc| |j}t|j||||j}|r|j |j S|S)N)rFr<)r`rJr%r<rQrN)rr"rErQrFrs rrJzNtaclsHelper.getntaclsO  ##~~  GGT<-LL" 29x -FhFrc`t|j|||j||jS)N)r`)rjr%rNr`)rr"rrEs rrjzNtaclsHelper.setntacls(x|"&..2 2r)FN)rrrrrJrjrrrrrsA G2rrcnt|dzd5}|j|dddy#1swYyxYw)N.NTACLw)openwrite)dstntacl_sddl_strfs r_create_ntacl_filers3 cHnc " a    s+4c|dz}tjj|syt|d5}|j cdddS#1swYyxYw)Nrr)r!r"existsrread)src ntacl_filers r_read_ntacl_filersHxJ 77>>* % j# !vvxs A  Ac t}t|trtj|}t ||}d}t j}|g}|g}|r|j} |j} |j| D]} |j| | d} tjj| | d} |j| dr8|j| |j| tj| n7|j!| }t#| d5}|j%|ddd |j'| d}t)| ||rt3j"|d5}tj4|D]5}tjj||}|j7||7 dddt9j:|y#1swYxYw#t*$rF} |j-d | d | j.d |j1d | zd zYd} ~ d} ~ wwxYw#1swY}xYw)aa Backup all files and dirs with ntacl for the serive behind smb_conn. 1. Create a temp dir as container dir 2. Backup all files with dir structure into container dir 3. Generate file.NTACL files for each file and dir in container dir 4. Create a tar file from container dir(without top level folder) 5. Delete container dir rrrrwbNTrQzFailed to get the ntacl for z: r7z!The permissions for %s may not bez restored correctlyw:gzrmodearcname)r rLrMrrNrtempfilemkdtemppoprr$r!r"rappendrrrrrrr errorargswarningtarfilelistdiraddshutilrmtree)rdest_tarfile_pathrNlogger smb_helper remotedirlocaldirr_dirsl_dirsr_dirl_direr_namel_namedatarrtarrr"s r backup_onliner s F'3""7+8W-JI!H[FZF   %0 6A__UAfI6FWW\\%63F  8- f% f% !**62&$'"1GGDM" 6!+!3!3FD!3!I"6>:! 6 6 ,6 :(cJJx( (D77<<$/D GGD$G ' ((  MM(%""! 6 $affQi12BVK4 566 6 ((s11G5 HAI5G>  I ;I  IIc B|jdjddd}tj}t }t |||}t j|D]\}} } t jj||} t jj|| } | D]y} t jj|| }t jj| | }tj||||j||d}t||{| D]}t jj||}t jj| |}tj||||j||d}t||t!|d5}|j#}t!|d5}|j%|d d d d d d t'j |d 5}t j(|D]5}t jj||}|j+|| 7 d d d t-j.|y #1swYxYw#1swYdxYw#1swY8xYw) z< Backup files and ntacls to a tarfile for a service rr7startTrrbrNrrr)rstriprsplitrrr rr!walkr"relpathr$r rrJr create_filerrrr rrrr)src_service_pathrrrNr<tempdirrE ntacls_helperdirpathdirnames filenames rel_dirpath dst_dirpathdirnamerrrfilenamesrc_filerdst_filerrr"s rbackup_offliner7*s;%%c*11#q9"=G G&(L -AM(*0@(A)$9ggoog5EoF ggll7K8   4G'',,w0C'',,{G4C JJsL' 2*33Ct3TN sN 3  4" )H'',,w1C'',,{H5C   S, 8*33Ct3TN sN 3c4 )H}}#t_)NN4() ) ) ))< ,6 :(cJJw' (D77<<.D GGD$G ' ((  MM')) ) ) ((s14JI< #JAJ<J JJ Jc t}|jdjddd}tj}|j }t j|}t|||} t} tj|5} | j|dddtj|D]@\} } }tjj!| |}tjj#tjj%||}| D]}|j'drtjj%| |}tjj%||}tjj)|st+j,|| |t/|}|r| j1||| |j3d|zd z|D]}|j'drtjj%| |}tjj%||}tjj5|st+j6|| |t/|}|r| j1||| n|j3d |zd zt|d 5}|j9}t|d 5}|j;|ddddddCt=j>|y#1swYyxYw#1swY:xYw#1swYNxYw) z> Restore files and ntacls from a tarfile to a service rr7r")r"Nr#rz)Failed to restore ntacl for directory %s.z) Please check the permissions are correctz$Failed to restore ntacl for file %s.r%r) r r&r'rrget_domain_sidrrNrr r r extractallr!r(r"r)normpathr$endswithisdirr rrrjr isfiler*rrrr)src_tarfile_pathdst_service_path samdb_connrrr<r, dom_sid_strrNr-rErr.r/r0r1r2r3rrrr4r5rr6s rbackup_restorerCZs F%%c*11#q9"=G G++-K{+G -AM&(L & '#1 ' "#)+(8(-$9ggoogWo= gg&& GGLL); 79   GG##H-ggll7G4ggll;8ww}}S)JJsL':!1#!6!!**3 MNNCcIEFG G " -H$$X.ggll7H5ggll;9ww~~c*$$S,@!1#!6!!**3 MNN#IC#O#N$OP#t_-#==?Dc4-H t,---! -+(-T MM']##V----s0LL7 L+ 2L7L(+L4 0L77M )NNTN)NNTFNN)T)5rr!rrsamba.xattr_nativersamba.xattr_tdbsamba.posix_eadb samba.samba3rr samba.dcerpcrrr samba.ndrrrr r r samba.loggerr r samba.auth_utilr rr FILE_ATTRIBUTE_SYSTEMrFILE_ATTRIBUTE_ARCHIVEFILE_ATTRIBUTE_HIDDENr SECINFO_OWNERrZr[r\rDr0rr*r4rJrjrrrrrrr r7rCrrrrPs+$  )//*8)/)"77!::;!889"778 "//!//0!../"../ ) )M82" #0N%)05"&d8N4n@~+~+B22: 9x-`<r