Idg8ddlmZddlZddlmZddlmZddlmZddl m Z ddl m Z ddl mZmZddlmZdd lmZmZmZmZGd d eZGd d eZGddeZGddeZGddeZGddeZGddeZGddeZy)N) provision)dsdb)SamDB)system_session)security)ndr_pack ndr_unpack)_get_user_realm_domain)Command CommandError SuperCommandOptionceZdZdZdZej ejejdZ e ddde dd gZ d gZ d Zdd Zy )cmd_delegation_showz*Show the delegation setting of an account.z%prog [options] sambaoptscredopts versionopts-H--URL%LDB URL for database or target serverURLHhelptypemetavardest accountnamec|j}|j}d}||tjzs |jj d|dy|tj zs |jj d|dyd}|jD] }|j} |jd|dtj } t| d k(r| d j} d } |jtj"k(s|jtj$k(r%|jj d |d|dd} n<|jtj&k7r|jtj(k7rd} |j*tj,z}|j*tj.z}|j*tj0z}|j*tj2z}|r|s|sd} nL|r$|jj d|d|dd} |r$|jj d|d|dd} |j4sd} | r|r|j6j dd }|j6j d|d y#tj$r.} | j\} } | tj k7rYd} ~ d} ~ wwxYw)NzISecurity Descriptor of attribute msDS-AllowedToActOnBehalfOfOtherIdentityzWarning: DACL not present in z! zWarning: DACL in z lacks SELF_RELATIVE flag! Tz)scoperFzWarning: ACE in z denies access for trustee zWarning: ACE for trustee z. has unexpected CONTAINER_INHERIT flag set in z* has unexpected INHERITED_ACE flag set in z0 Principals that may delegate to this account: z*msDS-AllowedToActOnBehalfOfOtherIdentity:  )daclrrSEC_DESC_DACL_PRESENTerrfwriteSEC_DESC_SELF_RELATIVEacestrusteesearchldb SCOPE_BASElendnLdbErrorargsERR_NO_SUCH_OBJECTSEC_ACE_TYPE_ACCESS_DENIED!SEC_ACE_TYPE_ACCESS_DENIED_OBJECTSEC_ACE_TYPE_ACCESS_ALLOWED"SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECTflagsSEC_ACE_FLAG_INHERIT_ONLYSEC_ACE_FLAG_OBJECT_INHERITSEC_ACE_FLAG_CONTAINER_INHERITSEC_ACE_FLAG_INHERITED_ACE access_maskoutf)selfsamsecurity_descriptorr% desc_type warning_infofirstacer+reserrnum_ignore inherit_onlyobject_inheritcontainer_inherit inherited_aces 9/usr/lib/python3/dist-packages/samba/netcmd/delegation.pyshow_security_descriptorz,cmd_delegation_show.show_security_descriptor8s"''',, C  M N 8::: IIOO/ ~>45 6 99> 0CkkG (jj5 !3'*~~!7s8q=!!fiiGFH???xx8#M#MM "2<.A66=Yc!CD((hBBBH$O$OO99x'I'IIL YY)M)MMN HCCC II(K(KKMN;L$IIOO&?yIP'3nC%9:"F IIOO&?yIL'3nC%9:"F??IIOO'13!E "L#*)2!/0{> 0<< Q#0001 s"%JK 2#KK Nc|j}|j|}tj||j d}| |j } n|} t | t||} t|| \} } } | jdtj| ztjgd}t|dk(rtd|zt|dk(sJt|dj d d}|dj d }|dj d d }|j j#d t%|dj&z|j j#dt)|t*j,zz|j j#dt)|t*j.zz|r@|j j#d|D] }|j j#d|z"|. t1t2j4|}|j7| |yy#t8$r|j:j#dYywxYw)Nrealm session_info credentialslpsAMAccountName=%s)userAccountControlmsDS-AllowedToDelegateTo(msDS-AllowedToActOnBehalfOfOtherIdentity expressionr"attrsr Unable to find account name '%s'r#rXrYrZidxzAccount-DN: %s zUF_TRUSTED_FOR_DELEGATION: %s z.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: %s z) Services this account may delegate to: zmsDS-AllowedToDelegateTo: %s znWarning: Security Descriptor of attribute msDS-AllowedToActOnBehalfOfOtherIdentity could not be unmarshalled! ) get_loadparmget_credentialsrprovision_paths_from_lpgetsamdbrrr r,r- binary_encode SCOPE_SUBTREEr/r intr>r(strr0boolrUF_TRUSTED_FOR_DELEGATION)UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATIONr r descriptorrP RuntimeErrorr')r?rrrrrrVcredspathspathr@cleanedaccountrRdomainrFuacallowed allowed_fromarAs rOrunzcmd_delegation_show.runsG  # # %((,11"bffWoF 9;;DDD~'7 %".+AAD+F'jj$7**>:%;"00 LM s8q=AKOP P3x1}}#a&**12156a&**781vzz"LRSzT  *SQ^;< 9sT%C%CCDE F IS4#Q#QQRS T  IIOOH I F  @1 DE F  # H&01D1Dl&S# --c3FG $  @ !?@ @sI$I-,I-NNNN)__name__ __module__ __qualname____doc__synopsisoptions SambaOptionsCredentialsOptionsVersionOptionstakes_optiongroupsrri takes_options takes_argsrPrxrOrr&se4.H))..-- tW#JQT3 (M  JP0f0HrrceZdZdZdZej ejejdZ e ddde dd gZ d d gZ dd Zy )cmd_delegation_for_any_servicez3Set/unset UF_TRUSTED_FOR_DELEGATION for an account.(%prog [(on|off)] [options]rrrrrrrronoffNcd}|dk(rd}n|dk(rd}ntd|z|j}|j|} tj||j d} | | j } n|} t| t| |} t|| \} }}dtj| z}tj} | j||d |d y#t$r}t|d}~wwxYw) NFonToff0invalid argument: '%s' (choose from 'on', 'off')rRrSrWzTrusted-for-Delegation flags_strrstrict)r rarbrrcrdrerrr r-rfrrktoggle_userAccountFlags Exceptionr?rrrrrrrrVrorprqr@rrrRrs search_filterflagrGs rOrxz"cmd_delegation_for_any_service.runs D=B e^BQTYYZ Z  # # %((,11"bffWoF 9;;DDD~'7 %".+AAD+F',c.?.?.OO -- $  ' ' t2J+-d ( < $s# # $sC C8( C33C8ryrzr{r|r}r~rrrrrrrirrrxrrrOrrsf=9H))..-- tW#JQT3 (M  )JGK!$rrceZdZdZdZej ejejdZ e ddde dd gZ d d gZ dd Zy )cmd_delegation_for_any_protocolzOSet/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account.rrrrrrrrrrNcd}|dk(rd}n|dk(rd}ntd|z|j}|j|d} tj||j d} | | j } n|} t| t| |} t|| \} }}d tj| z}tj} | j||d |d y#t$r}t|d}~wwxYw) NFrTrr)fallback_machinerRrSrWz&Trusted-to-Authenticate-for-Delegationr)r rarbrrcrdrerrr r-rfrrlrrrs rOrxz#cmd_delegation_for_any_protocol.runs D=B e^BQTYYZ Z  # # %((d(C11"bffWoF 9;;DDD~'7 %".+AAD+F',c.?.?.OO == $  ' ' t2Z+-d ( < $s# # $s C!! C:* C55C:ryrrrrOrrsfY9H))..-- tW#JQT3 (M  )JGK!$rrceZdZdZdZej ejejdZ e ddde dd gZ d d gZ dd Zy )cmd_delegation_add_servicezZAdd a service principal to msDS-AllowedToDelegateTo so that an account may delegate to it.)%prog [options]rrrrrrrr principalNc|j}|j|}tj||j d} | | j } n|} t | t||} t|| \} } }| jdtj| ztjdg}t|dk(rtd|zt|dk(sJtj}|dj |_tj"|gtj$d|d< | j'|y#t($r}t|d}~wwxYw NrRrSrWrYr[rr^r#)rarbrrcrdrerrr r,r-rfrgr/r Messager0MessageElement FLAG_MOD_ADDmodifyrr?rrrrrrrVrorprqr@rrrRrsrFmsgrGs rOrxzcmd_delegation_add_service.run<sS # # %((,11"bffWoF 9;;DDD~'7 %".+AAD+F'jj$7**>:%;"00 :;= s8q=AKOP P3x1}}kkmQ*-*<*:%;"00 :;= s8q=AKOP P3x1}}kkmQ*-*<*z3cmd_delegation_add_principal.run..s8Cs{{i'8szACE for principal 'zl' already present in Security Descriptor of attribute msDS-AllowedToActOnBehalfOfOtherIdentity for account ''.01RRefused to update attribute msDS-AllowedToActOnBehalfOfOtherIdentity for account ':': a conflicting attribute update occurred simultaneously.)4rarbrrcrdrerrr r,r-rfrgr/r rdom_sidSID_BUILTIN_ADMINISTRATORSrm SD_REVISIONrevisionr&r)r owner_sidr rnr%aclSECURITY_ACL_REVISION_ADSnum_acesschema_format_valuedecoder*anyrEr6r8SEC_ADS_GENERIC_ALLr=r+appendrrr0rrrrr1r2ERR_NO_SUCH_ATTRIBUTE)r?rrrrrrrVrorprqr@rrrI account_resdatar security_descr% cleanedprinc princ_resr*rEnew_datarrGrHrs @rOrxz cmd_delegation_add_principal.runs, # # %((,11"bffWoF 9;;DDD~'7 %". 6k3G1jj*   n -.##=> !@ { q !>{m1MN N;1$%$1~!! 6A"? < (()L)LMI$//1M%-%9%9M ""*"@"@"*"A"A#BM &/M #D 5 *8+>+> E !%%D <<<>D$>>DMDM4IsC aJJ*="00>+?%(%6%6&1]4  y>Q !@ 1MN N9~"#"$$  # #!   ! 4 66-@3$455 5N|| (XXFCc///"#}%/011 #3'' (s$;O O7O47Q  d|d< | jA|y#t$$rtd |d wxYwcc}w#tjB$rA}|jD\}} |tjFk(rtd|dt|d}~wwxYw)NrRrSrWrZr[rr^r#r_z@Attribute msDS-AllowedToActOnBehalfOfOtherIdentity for account 'z' not present!rrzkDACL not present on Security Descriptor of attribute msDS-AllowedToActOnBehalfOfOtherIdentity for account 'z'!rrrrrz"Unable to find ACE for principal 'z\' in Security Descriptor of attribute msDS-AllowedToActOnBehalfOfOtherIdentity for account 'rrrrr)$rarbrrcrdrerrr r,r-rfrgr/r r rrmrnr%rrrr*r+rrrr0rrrrr1r2r)r?rrrrrrrVrorprqr@rrrIrrrr%rrrold_acesrEr*rrrGrHs rOrxz cmd_delegation_del_principal.run9s # # %((,11"bffWoF 9;;DDD~'7 %". 6k3G1jj*   n -.##=> !@ { q AKOP P;1$%$1~!! 6A"? <"++6-~ GH H 1&x':':DAM!! <"+,7-r ;< <4IsC aJJ*="00>+?%(%6%6&1]4  y>Q !@ 1MN N9~"#"$$  # #!   ! 4 66=ryrrrrOrr'sfu:H))..-- tW#JS 2M  -JKOk(rrceZdZdZiZeed<eed<eed<eed<e ed<e ed<e ed<y ) cmd_delegationzDelegation management.showzfor-any-servicezfor-any-protocolz add-servicez del-servicez add-principalz del-principalN) rzr{r|r} subcommandsrrrrrrrrrrOrrsg K-/K%C%EK!"&E&GK"#!;!=K !;!=K #?#AK #?#AK rr) samba.getoptgetoptrr-sambarr samba.samdbr samba.authr samba.dcerpcr samba.ndrrr samba.netcmd.commonr samba.netcmdr r r rrrrrrrrrrrrOrs* %!*6UH'UHp3$W3$l3$g3$l4$4$n4$4$nL(7L(^}(7}(@ B\ Br