hbddlZddlZddlZddlZddlZddlZej jddddlm Z m Z ddl m Z ddl mZddlZddlmZddlmZmZddlmcmZddlZddlmZdd lmZdd lmZddl m!Z!dd l"m#Z#dd l$m%Z%dd l&m'Z'ddlm(Z(ddlm)Z)ddl*m+Z+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2ddl3Z3ddlm4Z4ddl5m6Z6ddl7m8Z8ddl9Z9ddl:m;Z;mZ>m?Z?m@Z@ddl7mAZAmBZBmCZCddlmDZDddlEZddlmFZF ddlGmHZHeHddZIGdd ZKGd!d"ZLGd#d$eMZNGd%d&eNZOGd'd(eNZPGd)d*eNZQGd+d,eMZRGd-d.eRZS d/ZTd0ZU d1ZVGd2d3ZWd4ZXd5ZYd6ZZd7Z[d8Z\d9Z]d:Z^d;Z_d<Z`d=Zad>ZbdKd?Zcd@ZddLdAZedBZfdCZgdDZhdEZi dMdFZjdNdGZkdNdHZldIZmdJZny#eJ$r GddZIYwxYw)ONz bin/python) NTSTATUSError WERRORError) ConfigParser)StringIO) get_bytes)ABCMetaabstractmethod)Net)nbt)libsmb_samba_internal)LoadParm)UUID)NamedTemporaryFile)preg)misc)ndr_pack ndr_unpack)SMB_SIGNING_REQUIRED)log)blake2b) get_string)SamDB)system_session)UF_WORKSTATION_TRUST_ACCOUNTUF_SERVER_TRUST_ACCOUNTGPLINK_OPT_ENFORCEGPLINK_OPT_DISABLE GPO_INHERITGPO_BLOCK_INHERITANCE) AUTH_SESSION_INFO_DEFAULT_GROUPSAUTH_SESSION_INFO_AUTHENTICATED#AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)security)netlogon)EnumGPOSTATEzAPPLY ENFORCE UNAPPLYceZdZdZdZdZy)r&N)__name__ __module__ __qualname__APPLYENFORCEUNAPPLY2/usr/lib/python3/dist-packages/samba/gp/gpclass.pyr&r&=sr2cTeZdZdZddZdZdZdZdZdZ d Z d Z d Z d Z d Zy)gp_loga[ Log settings overwritten by gpo apply The gp_log is an xml file that stores a history of gpo changes (and the original setting value). The log is organized like so: -864000000000 -36288000000000 7 1 1d 300 Each guid value contains a list of extensions, which contain a list of attributes. The guid value represents a GPO. The attributes are the values of those settings prior to the application of the GPO. The list of guids is enclosed within a user name, which represents the user the settings were applied to. This user may be the samaccountname of the local computer, which implies that these are machine policies. The applylog keeps track of the order in which the GPOs were applied, so that they can be rolled back in reverse, returning the machine to the state prior to policy application. Ncftj|_||_||_|rt j ||_nt jd|_||_ |jjd|z}|0t j|jd}||jd<yy)ag Initialize the gp_log param user - the username (or machine name) that policies are being applied to param gpostore - the GPOStorage obj which references the tdb which contains gp_logs param db_log - (optional) a string to initialize the gp_log gpuser[@name="%s"]Nusername) r&r._stategpostoreusernameetree fromstringgpdbElementr9find SubElementattrib)selfr9r<db_loguser_objs r3__init__zgp_log.__init__isnn    ((0DI d+DI 99>>"4t";<  '' 6:H&*HOOF # r2c|tjk(rg|jjd|jz}|jd}|t |dk(rtj |_y||_y||_y)a( Policy application state param value - APPLY, ENFORCE, or UNAPPLY The behavior of the gp_log depends on whether we are applying policy, enforcing policy, or unapplying policy. During an apply, old settings are recorded in the log. During an enforce, settings are being applied but the gp_log does not change. During an unapply, additions to the log should be ignored (since function calls to apply settings are actually reverting policy), but removals from the log are allowed. r8applylogNr)r&r/r@rBr9lenr.r;)rEvaluerG apply_logs r3statez gp_log.state~sf H$$ $yy~~&8499&DEH j1I C Na$7&nn # DKr2c|jS)zCheck the GPOSTATE )r;rEs r3 get_statezgp_log.get_states{{r2c||_|jjd|jz}|jd|z}|%t j |d}||j d<|jtjk(r|jd}|t j |d}|jd|z}|Dt j |d}dt|dz z|j d <||j d<yyy) z Log to a different GPO guid param guid - guid value of the GPO from which we're applying policy r8guid[@value="%s"]NguidrLrJz%dr(count) rTr@rBr9r>rCrDr;r&r.rK)rErTrGobjrMprevitems r3set_guidzgp_log.set_guids  99>>"4tyy"@Amm/$67 ;""8V4C"&CJJw  ;;(.. ( j1I !,,XzB >>"5"<=D|'' 6:'+s9~/A'B G$'+ G$ )r2c|jtjk(s|jtjk(ry|jj d|j z}|j d|jz}|Jd|j d|z}|%tj|d}||jd<|j d|z}|-tj|d }||jd<||_ yy) a Store an attribute in the gp_log param gp_ext_name - Name of the extension applying policy param attribute - The attribute being modified param old_val - The value of the attribute prior to policy application Nr8rSgpo guid was not setgp_ext[@name="%s"]gp_extr:attribute[@name="%s"] attribute) r;r&r0r/r@rBr9rTr>rCrDtext)rE gp_ext_namer_old_valrGguid_objextattrs r3storez gp_log.stores ;;(** *dkkX=M=M.M99>>"4tyy"@A==!4tyy!@A#;%;;#mm0;>? ;""8X6C!,CJJv xx/);< <##C5D"+DKK DI r2c|jjd|jz}|jd|jz}|Jd|jd|z}|"|jd|z}| |jSy)a- Retrieve a stored attribute from the gp_log param gp_ext_name - Name of the extension which applied policy param attribute - The attribute being retrieved return - The value of the attribute prior to policy application r8rSNr[r\r^)r@rBr9rTr`rErar_rGrcrdres r3retrievezgp_log.retrieves99>>"4tyy"@A==!4tyy!@A#;%;;#mm0;>? ?883i?@Dyy r2cL|jjd|jz}|jd|jz}|Jd|jd|z}|9|j d}|Dcic]}|j d|j c}SiScc}w)a Retrieve all stored attributes for this user, GPO guid, and CSE param gp_ext_name - Name of the extension which applied policy return - The values of the attributes prior to policy application r8rSr[r\r_r:)r@rBr9rTfindallrDr`)rErarGrcrdattrsres r3 retrieve_allzgp_log.retrieve_alls 99>>"4tyy"@A==!4tyy!@A#;%;;#mm0;>? ?KK ,E?DEtDKK'2E E Fs;!B!cbg}|jjd|jz}|}|jd}|j|jd}|Dcgc]$}|j d|j df&}}|j d|j d|D|Scc}w) z Return a list of applied ext guids return - List of guids for gpos that have applied settings to the system. r8rJz guid[@count]rUrLT)reversec3&K|] \}}| ywNr1).0rUrTs r3 z+gp_log.get_applied_guids..sDkeTTDs)r@rBr9rkgetsortextend)rEguidsrGrM guid_objsgguids_by_counts r3get_applied_guidszgp_log.get_applied_guidss 99>>"4tyy"@A   j1I$%--n= +4"6&'$%55>155>"B"6"6##D#1 D^DD "6s)B,czg}|jjd|jz}|D]}|jd|z}|jd}i}|D]J}i} |jd} | D]} | j| | j d< | ||j d<L|j ||f|S)ai Return a list of applied ext guids return - List of tuples containing the guid of a gpo, then a dictionary of policies and their values prior policy application. These are sorted so that the most recently applied settings are removed first. r8rSr]r_r:)r@rBr9rkr`rDappend) rErwretrGrT guid_settingsextssettingsrd attr_dictrlres r3get_applied_settingszgp_log.get_applied_settingss99>>"4tyy"@A )D$MM*=*DEM ((2DH 9  K0!?D59YYIdkk&12?/8F+,  9 JJh' ( ) r2c`|jjd|jz}|jd|jz}|Jd|jd|z}|I|jd|z}|2|j |t |dk(r|j |yyyy)z Remove an attribute from the gp_log param gp_ext_name - name of extension from which to remove the attribute param attribute - attribute to remove r8rSNr[r\r^r)r@rBr9rTremoverKrhs r3deletez gp_log.delete s 99>>"4tyy"@A==!4tyy!@A#;%;;#mm0;>? ?883i?@D 4 s8q=OOC(!  r2c|jj|jtj|j dy)z Write gp_log changes to disk zutf-8N)r<rfr=r>tostringr@rPs r3commitz gp_log.commits) DMM5>>$))W+MNr2rq)r+r,r-__doc__rHrNrQrYrfrirmr{rrrr1r2r3r5r5Cs@$J+* , ,* ," ",)"Or2r5cHeZdZdZdZdZdZdZdZdZ dZ d Z d Z y ) GPOStoragec tjj|rtj||_ytj |dtjtjtjz|_y)Nr) ospathisfiletdbopenrTdbDEFAULTO_CREATO_RDWR)rElog_files r3rHzGPOStorage.__init__"sI 77>>( #xx)DHwwxCKKbii9OPDHr2c8|jjyrq)rtransaction_startrPs r3startzGPOStorage.start(s ""$r2c| t|jjt|S#t$rYywxYwrq)intrrtr TypeErrorrEkeys r3get_intzGPOStorage.get_int+s5 txx||IcN34 4  s ,/ ;;cJ|jjt|Srq)rrtrrs r3rtzGPOStorage.get1sxx||IcN++r2c `t|||jjt|Srq)r5rrtr)rEr9s r3 get_gplogzGPOStorage.get_gplog4s"dD$((,,y"?@@r2c`|jjt|t|yrq)rrfr)rErvals r3rfzGPOStorage.store7s y~y~6r2c8|jjyrq)rtransaction_cancelrPs r3cancelzGPOStorage.cancel: ##%r2cL|jjt|yrq)rrrrs r3rzGPOStorage.delete=s  #'r2c8|jjyrq)rtransaction_commitrPs r3rzGPOStorage.commit@rr2c8|jjyrq)rcloserPs r3__del__zGPOStorage.__del__Cs r2N) r+r,r-rHrrrtrrfrrrrr1r2r3rr!s6Q % ,A7&(&r2rc\eZdZeZdZedZedZdZ edZ edZ y)r]cZ||_||_||_|j||_yrq)lpcredsr=rgp_db)rErrr=rfs r3rHzgp_ext.__init__Js'   __X. r2cyrqr1)rEdeleted_gpo_listchanged_gpo_lists r3process_group_policyzgp_ext.process_group_policyP r2cyrqr1)rEpolicys r3readz gp_ext.readTrr2c|jjd}tjj |t |j }tjj|r|j|Sy)N gpo_cache) r cache_pathrrjoincheck_safe_pathupperexistsr)rEafile local_path data_files r3parsez gp_ext.parseXsZWW'' 4 GGLL_U-C-I-I-KL 77>>) $99Y' 'r2cyrqr1rPs r3__str__zgp_ext.__str___rr2ciSrqr1)rEgpos r3rsopz gp_ext.rsopcs r2N) r+r,r-r __metaclass__rHr rrrrrr1r2r3r]r]GsaM/       r2r]ceZdZdZy) gp_inf_extc,t|dj}td}t|_ |j t |j|S#t$r-|j t |jdY|SwxYw)Nrb interpolationutf-16) rrrstr optionxform read_filerdecodeUnicodeDecodeError)rErrinf_confs r3rzgp_inf_ext.readisi&++-d3" B   x 8 9" B   x h(?@ A Bs(A2BBNr+r,r-rr1r2r3rrhsr2rceZdZdZy) gp_pol_extcjt|dj}ttj|S)Nr)rrrrfilerErraws r3rzgp_pol_ext.readus(9d#((*$))S))r2Nrr1r2r3rrts*r2rceZdZdZy) gp_xml_extct|dj} tj|j S#t $r'tj|j dcYSwxYw)Nrr)rrr>r?rrrs r3rzgp_xml_ext.read{s\9d#((* :##CJJL1 1! :##CJJx$89 9 :s"?-A/.A/Nrr1r2r3rrzs:r2rcfeZdZdZeZdZdZdZdZ dZ dZ dZ e d Ze d Zd d Zy ) gp_applierzGroup Policy Applier/Unapplier/Modifier The applier defines functions for monitoring policy application, removal, and modification. It must be a multi-derived class paired with a subclass of gp_ext. c|jj||jjt||||jj y)aLAdd an attribute and value to the Group Policy cache guid - The GPO guid which applies this policy attribute - The attribute name of the policy being applied value - The value of the policy being applied Normally called by the subclass apply() function after applying policy. N)rrYrfrrrErTr_rLs r3cache_add_attributezgp_applier.cache_add_attributes@ D! TIu5 r2c|jj||jjt|||jj y)aRemove an attribute from the Group Policy cache guid - The GPO guid which applies this policy attribute - The attribute name of the policy being unapplied Normally called by the subclass unapply() function when removing old policy. N)rrYrrrrErTr_s r3cache_remove_attributez!gp_applier.cache_remove_attributes> D! #d)Y/ r2c|jj||jjt||S)zRetrieve the value stored in the cache for the given attribute guid - The GPO guid which applies this policy attribute - The attribute name of the policy )rrYrirrs r3cache_get_attribute_valuez$gp_applier.cache_get_attribute_values1 D!zz""3t9i88r2c|jj||jjt|S)zRetrieve all attribute/values currently stored for this gpo+policy guid - The GPO guid which applies this policy )rrYrmr)rErTs r3cache_get_all_attribute_valuesz)gp_applier.cache_get_all_attribute_valuess/ D!zz&&s4y11r2c6|jjS)zSReturn the current apply state return - APPLY|ENFORCE|UNAPPLY )rrQrPs r3cache_get_apply_statez gp_applier.cache_get_apply_stateszz##%%r2cdjg|Dcgc] }t|c}}tt||zjScc}w)a"Generate an attribute name from arbitrary data name - A name to ensure uniqueness args - Any arbitrary set of args, str or bytes return - A blake2b digest of the data, the attribute The importance here is the digest of the data makes the attribute reproducible and uniquely identifies it. Hashing the name with the data ensures we don't falsely identify a match which is the same text in a different file. Using this attribute generator is optional. r2rrr hexdigest)rEr:argsargdatas r3generate_attributezgp_applier.generate_attributesGxx7T7;C3;<yt+,6688F <4 224@E  T65;F;!::4@H$,NN$4 C 5K!O V(;IMit&; DLLy%B6B Cr2)NN)r+r,r-rrrrrrrrrrr rrrr1r2r3rrs_ M  92& 9)      Cr2rc0eZdZdZdZdZd dZdddZy) gp_file_applierzGroup Policy File Applier/Unapplier/Modifier Subclass of abstract class gp_applier for monitoring policy applied via a file. cL|g}|j||j|Srq)rvr)rE value_hashfilesseprs r3__generate_valuez gp_file_applier.__generate_value s#| Exx~r2c||dgfS|j|}d|dvrd|fS|dt|dkDr|ddfSgfS)zYParse a value return - A unique HASH, followed by the file list N/rr()splitrK)rErLrrs r3 __parse_valuezgp_file_applier.__parse_values^ =8O{{3 $q'>: 7D A DH= =2= =r2:ct|tk7r|j||\}}|D]7}tjj |s#tj |9|j||yrq)rr_gp_file_applier__parse_valuerrrunlinkr)rErTr_r r_rs r3rzgp_file_applier.unapplys` ;$ ))%5HAu Dww~~d# $  ##D)4r2)rc|j||}|j||\}} ||k7sW|jtjk(s6t | D cgc]!} t jj| #c} s|j||| ny||} |j|| |} |j||| ycc} w)a( applier_func MUST return a list of files created by the applier. This applier is for policies which only apply to a single file (with a couple small exceptions). This applier will remove any policy applied by this GPO which doesn't match the new policy. N) rrrr&r/allrrrr _gp_file_applier__generate_valuer) rErTr_r rrrrb old_val_hash old_val_filesfr  new_values r3rzgp_file_applier.apply&s00yA&*&8&8#&F# m J &**,0@0@@MBq*BC LLy- 8 d#))*eSA    y)<Cs&CN)r)r+r,r-rrrrrr1r2r3r r s"  >5KN=r2r ct||}|j|jdtjtj z}|j SN)rrrealm)domainflags)r finddcrtr NBT_SERVER_LDAP NBT_SERVER_DS pdc_dns_namerrnet cldap_rets r3get_dc_hostnamer,CsL Eb !C "&&/#:M:M:=:K:K;L NI  ! !!r2ct||}|j|jdtjtj z}|j Sr!)r r%rtr r&r'pdc_namer)s r3get_dc_netbios_hostnamer/IsL Eb !C "&&/#:M:M:=:K:K;L NI   r2c<tj}gd}|jdr|jd}tj tj ztjz} |j|tjd|d|zg}|jdk7r$tjtj d||_d |j$d j'vr#t)|j$d d d |_d |j$d j'vr#t)|j$d d d |_d |j$d j'vr(|j$d d d j/|_d |j$d j'vr(|j$d d d j/|_d|j$d j'vr(|j$d dd j/|_d|j$d j'vr#t7|j$d dd |_d|j$d j'vr#t7|j$d dd |_d|j$d j'vr-|j=t?|j$d dd |S#t$rtjdwxYw)N) cn displayNamer$gPCFileSysPathgPCFunctionalityVersiongPCMachineExtensionNamesgPCUserExtensionNames gPCWQLFilterr:nTSecurityDescriptor versionNumberzLDAP://(objectclass=*)z sd_flags:1:%d)controlsz4Failed to fetch gpo object with nTSecurityDescriptorr(zget_gpo: search failedr9rr$r3r2r:r5r6r8) rGROUP_POLICY_OBJECT startswithlstripr# SECINFO_OWNER SECINFO_GROUP SECINFO_DACLsearchldb SCOPE_BASE ExceptionrerrorrULdbErrorERR_NO_SUCH_OBJECTds_pathmsgskeysrversionoptionsr file_sys_path display_namer:rmachine_extensionsuser_extensions set_sec_descbytes)samdbgpo_dnryrlsd_flagsress r3get_gporXSs !A E#y)&&&&'%%&Hll63>>3De%4x%?$@B  yyA~ll31135 5AI#((1+**,, O4Q78 #((1+""$$ G,Q/0 388A;++--((1+&67:AAC ((**!]3A6==? !!!##!V$Q'..0!SXXa[%5%5%77"388A;/I#J1#MN#((1+"2"2"44 ,C DQ GH!!1!1!33 uSXXa[)?@CDE H1  HI s .(K;; LceZdZdZdZdZy)GP_LINKcbg|_g|_|j|t||_yrq) link_names link_optsgpo_parse_gplinkrgp_opts)rEgPLink gPOptionss r3rHzGP_LINK.__init__s) f%9~ r2c|jjdD]}|stjd|j d}|jd\}}tjdj |tjdj ||j j||jjt|y)N]z!gpo_parse_gplink: processing link[;zgpo_parse_gplink: link: {}zgpo_parse_gplink: opt: {}) rrrdebugr>formatr\r}r]r)rEr`p link_namelink_opts r3r^zGP_LINK.gpo_parse_gplinks&&s+ 1A II9 : A"#''#, Ix II299)D E II188B C OO " "9 - NN ! !#h- 0 1r2ct|jt|jk7r tdt|jS)NzLink names and opts mismatch)rKr\r] RuntimeErrorrPs r3 num_linkszGP_LINK.num_linkss7 t 3t~~#6 6=> >4??##r2N)r+r,r-rHr^rmr1r2r3rZrZs& 1$r2rZcddg}|j|jtjdj ||}|j dk7r3tj tjdj |t|jddd}|jdd}tjdj ||||fS)NdnuserAccountControlz(sAMAccountName={})r(z"Failed to find samAccountName '{}'rz!Found dn {} for samaccountname {}) rBget_default_basednrC SCOPE_SUBTREErgrUrGrHrrJrinfo)rTsamaccountnamerlrWuacros r3find_samaccountrvs ' (E ,,u//133D3D,33NCU LC yyA~ll311 0 7 7 G   chhqk./2 3C !T BHH 0 7 7N KL 7Nr2c|j|tjdddg}|jdk7r$tjtj dd|j dvr3tjtjdj||j ddd}d}d|j dvr|j ddd}ntjdt||S) Nr:r`rar(zget_gpo_link: no resultrz2get_gpo_link: no 'gPLink' attribute found for '{}'z,get_gpo_link: no 'gPOptions' attribute found) rBrCrDrUrGrHrJERR_NO_SUCH_ATTRIBUTErgrrfrZ)rTlink_dnrWr`ras r3 get_gpo_linkrzs ,,w(8[*A CC yyA~ll3113LMM sxx{ "ll344 @ G G P  XXa[ "1 %FIchhqk!HHQK ,Q/  @A 69 %%r2ct|jdz ddD]p}|j|tzdk7} |j|tzrt j dI|r-| st j dct j d t||j|} ttj| j} tjj| |tjtj ztj"zt)|| _|| _| r|j/d| n|j/d| t j d||j|fzsy#t$$r-} t j d| j&zYd} ~ d} ~ wwxYw#t0j2$r}} | j4\} }t j d |j|z| t0j6k(r+t j d |j|zYd} ~ 3Yd} ~ yd} ~ wwxYw) Nr(rzskipping disabled GPOzNskipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been setzNadding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been setz/skipping GPO "%s" as object has no access to itz7add_gplink_to_gpo_list: added GPLINK #%d %s to GPO listzfailed to get gpo: %szskipping empty gpo: %s)rangermr]rrrrfrXr\rr# descriptorget_sec_desc_bufsamba access_checkSEC_STD_READ_CONTROL SEC_ADS_LISTSEC_ADS_READ_PROPrErOrlink link_typeinsertrCrGrrH)rTgpo_listforced_gpo_listrygp_linkronly_add_forced_gpostokeni is_forcednew_gposec_desceenumestrs r3add_gplink_to_gpo_listrs 7$$&q("b 10B&&q),>>1D   Q "4 4 II- .   )* )* BeW%7%7%:;G %h&9&9&-&>&>&@B++He,4,I,I,4,A,A-B,4,F,F-GHw3+<+<${2TF< 99>,,s55?A A XXa[ ))+$$& sGC ;9: ~~fAAjj%%eB29K&MG ))S3J-Jw55-/>>@&& I  y>S!9!9!;!B!B!DE E   ' ' *d 2 0 AIMN&ui8 'uh'0''*~~';UD ??%::+/($$& - 2 I  y>S!9!9!;!B!B!DE E   ' ' *d 2 0 AIMN&ui8 'uh'0''*'9'9';UD ??%::+/($$& - 2 )%b%RG D CgMN&ug6 'uh'.'*'7'7';UD OOAs..~/=/2/@/@BC O ##M<<  vv t $ 4<<  vv t $ .<<  vv t $ ||    sl3$K48$L9&O6$M> O4L6$L11L69M; $M66M;>O$N;5O;OOOOc :|j}tjj||} tj|d|j|D] }|dtjzr/t||tjj||dI|dj}td|}tjj||djdd} |j|j| |j!tj"|j$tjj|| y#t $r)}|j t jk7rYd}~Ld}~wwxYw) Ni)moderDr:F)rdirrr)rrrrmakedirsOSErrorerrnoEEXISTrlibsmbFILE_ATTRIBUTE_DIRECTORY cache_gpo_dirrreplacewriteloadfilerrenamer:) conncachesub_dir loc_sub_dir local_dirrfdata local_namerfnames r3rrs---/K UK0I IE*7# C ?V<< < $rww||GU6]'K Lv,,.J"%Y?AGGLL%-8@@dKE GGDMM%( ) GGI IIaffbggll9jA B C  77ell "  #sE(( F1FFctjd|}d|jvr;tjd|j}||jddzd}d|vrt j j |St|)Nz/|\\sysvolr(z..)rerlowerindexrrrr)rdirsldirss r3rrsv 88Hd #D4::<4::<0EKK)A-./ 4ww||T"" $-r2c,|j}|jttj|d||}|j||j d}|D]/}|j st||t|j 1y)Nr)rrr) get_smb_signingset_smb_signingrrConnrrNrr)rrrgpossaved_signing_staterrgpo_objs r3check_refresh_gpo_listrs//1 ./ ;;{H5 AD -.{+JP$$ dJ8M8M(NOPr2c|j}t|Dcgc]}|jc}}|Dcgc] }||vs| }}|j|Scc}wcc}wrq)r{setr:r)rr applied_gposrh current_guidsrT deleted_gposs r3get_deleted_gpos_listrs\**,L.A./M%1OTT5NDOLO  % %l 33/OsA AAc|jtjjd|}t t j |dS)Nrr()rrrrrrgpo_get_sysvol_gpt_version)rrgpt_paths r3 gpo_versionrs<}}RWW\\+t<=H s--h7: ;;r2c J|j|}t||}t||||} t|| } t |||| |r"| } |jtjng} | D]} | js| j} t| jj}t||}||j| k7s`t j d| z| j#| |jtj$|j'|D]>} |||||}|dk(r|j)| | nt+||j(| | @| D]_} | js| j} t| jj}t||}|j=| d|za|j?y#t j d|zYyxYw#t,$r}t j dt/|zt1j2\}}}t5j6|d\}}}}t j d||t9|j:t/|fzYd}~rd}~wwxYw)Nz0Failed downloading gpt cache from '%s' using SMBzGPO %s has changedComputerzFailed to apply extension %sr|z %s:%d: %s: %sz%i) rr,rrrrrFrNr&r/rNr:rrrrrsr}r.rrdrop_privilegesrErsysexc_info traceback extract_tbrr+rfr)rrrf gp_extensionsr=targetforcerrrdel_gpos changed_gposrrTrrLrdrrtbfilename line_numbers r3apply_gprsj OOH %E!%,K  UB 9D$UD1H{Bt<    H$$%  -G((<*>r*B2*F 'Hk1a IIo;)-a)9)93q6)CC D   s$G!/;H!G= J" BJJ"c|j|}|jtj|j |j }|j |D]>} |||||}|dk(r|j|gnt||j|g@|jy#t$rL} tjdt|ztjdt| zYd} ~ d} ~ wwxYw)NrzFailed to unapply extension %sz Message was: )rrNr&r0rr{rrrrErrFrr) rrrfrr=rrrrdrs r3 unapply_gprs OOH %E KK  !))%*A*A*CDH KKM  b%51C#((26#*B*B (".  LLN   II7#c(B C IIoA. /  s&;B44 D =ADD c t|tk(rO|jDcgc] \}}d|zd|dt||dzz"}}}ddj |zSt|t k(r9|Dcgc]}d|zdt||dzzz}}ddj |zSt |tjrd|dzzt|zSd|dzzt|zScc}}wcc}w)N z[ z ] = r) z[ %s ]) rdictr __rsop_valsrr isinstancenumbersNumberrr)valslevelkvr~s r3rrs DzT JJL*Aq5yA{1eAg/FGG**diin$$ dt GKL!s5y8k!U1W&===LLdiin$$ dGNN +a=3t9, ,a=:d#33 3*Ms %C/8C5c (t||}t||||}t||||tdtd|zt j dd}|D]} | j jdk(r"td| j ztd|z|D]T} | ||||} tjd tt| } t| dkDr| d jd d } n| jjd d } td | ztd dt|dz zz| j!| j#D]p\} }td| ztddt|dz zztt%|j'dtddt|dz zzrtd dt|dz zzWtdd|zzy)NzResultant Set of Policyz %s Policy )x2)fallbackrrzGPO: %s=z '([\w\.]+)'r|.z CSE: %sz -r)z Policy Type: %sz rz%s )r,rrprintshutilget_terminal_sizerOstriprrkrrrKrr,rrrrr>)rrrfrr=rrr term_widthrrd cse_name_mcse_namesectionrs r3rrs!%,K  UB 9D;E48 #$ -& !))9=a@J)    % % '> 9  i'.../ c*n  2Cb%51CNCS NCJ:"%b>//4R8>>//4R8 +( ) $#c*Q,//0 1%(XXg%6%<%<%> 8!+g56fC 1 $5 567k(+22489fC 1 $5 567  8 $#c*Q,//0 1 2 fJ'())r2cddlm}|j}||j|n|j |j d}t d}|j|||fS)Nr)param gpext.confr) samba.samba3r get_contextload load_default state_pathrr)smb_confs3paramrext_confparsers r3parse_gpext_confr(4s]-    B  }}\*H  -F KK v:r2c|jd}tddtjj |5}|j |tj |j|dddy#1swYyxYw)Nrzw+F)rrr)r#rrrdirnamerrr:)rr'r&rs r3atomic_write_confr+As^}}\*H e9R S$WX Q !&&(#$$$s 2A88Bc||ddk7s|ddk7st|dk7ry t|dy #t$rYywxYw) Nr{r|}&F)rLT)rKr ValueError)rTs r3 check_guidr2HsL Aw#~bSCIO T1  s / ;;c~tjj|syt|syt |\}}||j vr|j ||j|d||j|d||j|d|rdnd|j|d|rdndt||y) NFDllNameProcessGroupPolicyNoMachinePolicy01 NoUserPolicyT) rrrr2r(sections add_sectionrr+)rTr:rr$machiner9rr's r3register_gp_extensionr=Ss 77>>$  d !(+JB 6??$$4  JJtY% JJt)40 JJt&wC@ JJt^DSc:b&! r2cBt|\}}i}|jD]{}i||<|j|d||d<|j|d||d<t|j|d ||d<t|j|d ||d<}|S)Nr4r5r6 MachinePolicyr9 UserPolicy)r(r:rtr)r$rr'resultsrTs r3list_gp_extensionsrBhs *IAvG!P #)::dI#> i JJt1 2  *+FJJt%678 8  o&*-fjj~.N*O&O l#P Nr2ct|syt|\}}||jvr|j|t ||y)NFT)r2r(r:remove_sectionr+)rTr$rr's r3unregister_gp_extensionrEvsE d !(+JB v  d#b&! r2cXtj|tj|y)z( Set current process privileges N)rsetegidseteuid)r=uidgids r3set_privilegesrKs JJsOJJsOr2cJtj}|dk(s tdtj|j }tj|j }t|||d}d} ||}td|d|r||S#t$r }|}Yd}~#d}~wwxYw)zG Run supplied function with privileges for specified username. rz)Not enough permissions to drop privilegesNroot)rgetuidrEpwdgetpwnampw_uidpw_gidrK) r=funcr current_uiduser_uiduser_gidoutexcrs r3rrs))+K ! CDD||H%,,H||H%,,H8Xx0 C CDk 6;*  J s5B B"BB")F)r0)NTTrq)orrrrrrOrrrrr configparserriorr samba.commonrabcrr xml.etree.ElementTreer> ElementTreer samba.netr samba.dcerpcr rr r samba.gpor samba.paramr uuidrtempfilerrr samba.ndrrrsamba.credentialsrsamba.gp.util.loggingrhashlibrrr samba.samdbr samba.authrrC samba.dsdbrrrrrrr r!r"r#samba.securityr$rr%r& ImportErrorr5robjectr]rrrrr r,r/rXrZrvrzrrrrrrrrrrrrrr(r+r2r=rBrErKrr1r2r3ros$  < ,%"'%% 8 '*2%#% YY}}!!J 78H[O[O|##LVB  ** ::~C~CB9=j9=x," 20 d$$0 &"2Bh&v$rC( P4 <3l* 4)> $=A*  a"s=GGG