IdI\ddlmZddlmZddlmZmZddlm Z m Z m Z ddl m Z ddlmZmZddlmZddlmZmZdd l mZdd lmZddlZdd lmZdd lmZmZm Z m!Z!d Z"GddeZ#GddeZ$GddeZ%GddeZ&GddeZ'GddeZ(Gdde Z)y))DONT_USE_KERBEROSN)securityidmap)setntaclgetntacl getdosinfo)Ldb) ndr_unpack ndr_print)SamDB)parampassdb) provision)system_session_unix)system_session)Command CommandError SuperCommandOptioncd}|j}|dk(rd}tj}|j|j|r5 t t |}|jdd|jz |r!tjj}|Stj} |S#t$r}td|d}~wwxYw#tdxYw) NFROLE_ACTIVE_DIRECTORY_DCT session_infolpUnable to open samdb:passdb backend samba_dsdb:%sz2Unable to read domain SID from configuration files) server_roles3param get_contextload configfiler r Exceptionrseturlrdom_sid domain_sidrget_domain_sid)ris_ad_dcrs3confsamdber's 4/usr/lib/python3/dist-packages/samba/netcmd/ntacl.pyget_local_domain_sidr.(sH.."K00  "F KK  ;~'7!E  #_uyy%@A$ !))%*:*:;J   ..0J  ;6: : ;$#$ $s* B;!C$C; C CC C%c JeZdZdZdZej ejejdZ e dde jde dd d de d d d ddge ddde ddde ddde ddde ddde dddg Z dd gZ d#d"Zy!)$ cmd_ntacl_setzSet ACLs on a file.z%prog [options] sambaoptscredopts versionoptsz-qz--quiet store_truehelpaction-v --verbose Be verbose--xattr-backendchoice%xattr backend type (native fs or tdb)nativetdbtyper7choices --eadb-file0Name of the tdb file where attributes are storedstringr7rB --use-ntvfsLSet the ACLs directly to the TDB or xattr for use with the ntvfs file server --use-s3fsHSet the ACLs for use with the default s3fs file server via the VFS layer --recursive;Set the ACLs for directories and their contents recursively--follow-symlinksFollow symlinks --servicez:Name of the smb.conf service to use when applying the ACLsaclpathNc 4 j}| jts|sdjdvn|rd  f d}|| rtj j |rzt j| D]`\}}}|D](}|tj j||*|D](}|tj j||*br|jdyy)Nsmbserver servicesFc l sNtjj|r/rjj d|zyt d|z rtjj|rjj d|zn\tjj |rjj d|znjj d|z t|tt   S#t$r}t d|d|d}~wwxYw) Nignored symlink: %s 'symlink: %s: requires --follow-symlinks symlink: %s dir: %s file: %s  use_ntvfsserviceCould not set acl for : ) osrRislinkoutfwriterisdirrstrrr#) _pathr,rQr' eadb_filefollow_symlinksr recursiveselfr^r]verbose xattr_backends r-_setntacl_pathz)cmd_ntacl_set.run.._setntacl_pathns"rww~~e'<IIOO$;e$CD"#LPU#VWW77>>%(IIOOOe$;<WW]]5)IIOOK%$78IIOOL5$89 P % # #J 3 5 - )*3(/11 P"UA#NOO Ps/$D D3D..D3 followlinksPPlease note that POSIX permissions have NOT been changed, only the stored NT ACL) get_logger get_loadparmr.getrarRrewalkjoinwarning)rkrQrRr]use_s3fsquietrlrmrhr3r2r4rjrir^loggerrnrootdirsfilesnamer'rs`` ` ``` ``` @@r-runzcmd_ntacl_set.runas"  # # %)"- (9!::I I P P6 t t,%'WWT%O =!dE!=D"277<<d#;<= =D"277<<d#;<= =  NNm n ) FFFFNNNNNFFN)__name__ __module__ __qualname____doc__synopsisoptions SambaOptionsCredentialsOptionsVersionOptionstakes_optiongroupsr SUPPRESS_HELP takes_options takes_argsrrr-r0r0Fs-H))..-- tYV%9%9,Ot[|LI x6] %( *}#U\de}#q{G H|"lvB C}#`iuv"):<P{!]dlm MJ7 [options]r1fileNc|j}tj}|j|jt ||}|r%|j jt|yy)N) rsrr r!r"rrcrdr )rkrr3r2r4rr*dosinfos r-rzcmd_dosinfo_get.runsW  # # %$$& BMM"R&  IIOOIg. / rNNN) rrrrrrrrrrrrrrr-rrs=,'H))..-- J0rrc eZdZdZdZej ejejdZ e ddde dd d d d g e ddde ddde ddde dddgZ dgZ ddZ y) cmd_ntacl_getzGet ACLs of a file.rr1z --as-sddlzOutput ACL in the SDDL formatr5r6r<r=r>r?r@rArDrErFrGrHzKGet the ACLs directly from the TDB or xattr used with the ntvfs file serverrJzKGet the ACLs for use via the VFS layer used by the default s3fs file serverrPz9Name of the smb.conf service to use when getting the ACLsrNc N|j} t| } |s|sd| jdv}n|rd}t| |t |||| } |r.|j j | j| dzy|j j t| y)NrTrUFdirect_db_accessr^ ) rsr.rtrrrcrdas_sddlr )rkrr]rxrrmrhr3r2r4r^rr'rQs r-rzcmd_ntacl_get.runs # # %)"- (9!::I Ir*,$ (1& (  IIOOCKK 3d: ; IIOOIcN +r) FFFNNNNNN)rrrrrrrrrrrrrrrrr-rrs'H))..-- {!@V x6] %( *}#U\de}#pzF G|"oyE F{!\cklMJ279=7;,rrc eZdZdZdZdej iZedddedd d ed d d edddedddddgedddd eddd edddd gZ gdZ d!d Z y)"cmd_ntacl_changedomsidzChange the domain SID for ACLsz9%prog [options]r2rPz#Name of the smb.conf service to userFrGrHrIr5r6rJrKrDrEr<r=r>r?r@rAz-rrLrMrNrOr9r:r;)old_domain_sidnew_domain_sidrRNc ` j} | jts|sdjdvn|rds s t d t j | t j |   f d fd}| r'tjj|r||r| jd yy#t$r}t d|d|d}~wwxYw#t$r}t d|d|d}~wwxYw) NrTrUFz0Must provide a share name with --service=zCould not parse old sid r`c @ sNtjj|r/ rjj d|zyt d|zrtjj|rjj d|zn\tjj |rjj d|znjj d|z t |t}|j}rjj d |z fd }||j|_ ||j|_ |jr2|jjD]}||j|_|j r2|j jD]}||j|_|j}rjj d |z||k(rrjj d y t# || t y#t$r}t d|d|d}~wwxYw#t$r}t d|d|d}~wwxYw)NrWrXrYrZr[rzCould not get acl for r`z before: %s cl|j\}}|k(rtjd|fzS|S)Nz%s-%i)splitrr&)siddomridrrs r-replace_domain_sidzNcmd_ntacl_changedomsid.run..changedom_sids..replace_domain_sidQs: YY[ c.(#++G~s6K,KLL rz after: %s znothing to do Tr\r_)rarRrbrcrdrrerrr#r owner_sid group_sidsaclacestrusteedaclr)rgrQr, orig_sddlracenew_sddlr'rhrirrrrjrkr^r]rlrms r-changedom_sidsz2cmd_ntacl_changedomsid.run..changedom_sids3s6"rww~~e'<IIOO$;e$CD"#LPU#VWW77>>%(IIOOOe$;<WW]]5)IIOOK%$78IIOOL5$89 Pr$24,(09'. 0 J/I ) ;<  /s}}=CM.s}}=CMxx88==BC"4S[["ACKBxx88==BC"4S[["ACKB{{:.H  9:H$IIOO$56 P',.&"#,!(*C P"UA#NOO PT P"UA#NOO Ps0/I?I> I;%I66I;> JJJctj|D]`\}}}|D](}tjj||*|D](}tjj||*by)Nro)rarurRrv)rgr{r|r}fdrris r-recursive_changedom_sidsz.recursive_changedom_sidswsr%'WWU%P :!dE:A"277<<a#89::A"277<<a#89:  :rzQPlease note that POSIX permissions have NOT been changed, only the stored NT ACL.) rrrsr.rtrrr&r#rarRrerw)rkold_domain_sid_strnew_domain_sid_strrRr]rxr^rmrhr2rjrirlrzr,rrr'rrrs` ` ``` ``` @@@@@r-rzcmd_ntacl_changedomsid.run s1"  # # %)"- (9!::I IBD D 8%--.@AN  8%--.@AN B PB PH : t t, $T *  NN> ? u 8 2A 78 8 8  8 2A 78 8 8s0%C,;D, D 5DD  D-D((D-) FFNNNNFFF) rrrrrrrrrrrrrrr-rrs(JH W))  6   &  !  "  !  C   8u%  '   N  !  " !     !C&MP>J !x?rrceZdZdZdZej ejejdZ e ddde dd dgZ d d Z y ) cmd_ntacl_sysvolresetz?Reset sysvol ACLs to defaults (including correct ACLs on GPOs).rr1rHz/Set the ACLs for use with the ntvfs file serverr5r6rJz6Set the ACLs for use with the default s3fs file serverNc |j}|j|}|jt|j }|j dd} |j dd} t t|} |s|sd|j dv}n|rd}tj| j} tj}|j|j |j#d d | j$ztjt'| d zt'tj(z}tjtj*}t-j.|j d }|j1|\}}|t2j4k7r!|t2j6k7rtd |z|j1|\}}|t2j8k7r!|t2j6k7rtd |z|r|j;d t=j>| | | ||| |j djA| jC|| y#t$r} td| d} ~ wwxYw#tD$r8} | jFstd| jFd| jH| d} ~ wwxYw)NrRnetlogonsysvolrrrTrUFrr-zSID %s is not mapped to a UIDzSID %s is not mapped to a GIDrqrealm)r]Could not access r`)%rsget_credentialsset_kerberos_staterrrrtr rr#rrr&r'rr r!r"r$r%rfDOMAIN_RID_ADMINISTRATORSID_BUILTIN_ADMINISTRATORSrPDB sid_to_idr ID_TYPE_UID ID_TYPE_BOTH ID_TYPE_GIDrwr setsysvolacllower domain_dnOSErrorfilenamestrerror)rkr]rxr3r2r4rcredsrzrrr+r,r'r*LA_sidBA_sid s4_passdbLA_uidLA_typeBA_gidBA_types r-rzcmd_ntacl_sysvolreset.runs{  # # %((,   !23"66&*-) ;~'7!E (9!::I I%%e&6&67 $$& BMM" #_uyy%@A!!#j/$'#(*-h.O.O*P#QR!!("E"EFJJvzz*:;< &//7 u(( (W8J8J-J>GH H%//7 u(( (W8J8J-J>GH H  NNm n R  " "5(F#)6:#%66'?#8#8#:EOOO%' )  ;6: : ; R::!21::,b MqQ Q Rs1,C(!AD( D1 C==D E3EEr) rrrrrrrrrrrrrr-rrs5L'H))..-- RrrceZdZdZiZeed<eed<eed<eed<e ed<e ed<y) cmd_ntaclzNT ACLs manipulation.r$rt changedomsid sysvolreset sysvolcheckrN) rrrr subcommandsr0rrrrrrrr-rrsVK&K&K"8":K!6!8K !6!8K  / 1K rr)*samba.credentialsr samba.getoptgetoptr samba.dcerpcrr samba.ntaclsrrrsambar samba.ndrr r samba.samdbr samba.samba3r rrrsamba.auth_utilrra samba.authr samba.netcmdrrrrr.r0rrrrrrrrr-rs&0(77+1/ %