de}dZddlmZddlmZddlmZddlZddlZdZ d"dZ d"dZ d"d Z d"d Z d"d Zd"d Zd"d Zd"dZd"dZd"dZd"dZd"dZd"dZd"dZd"dZd"dZd"dZd"dZd"dZd"dZd"dZd"dZdZ dZ!dZ"d Z# d#d!Z$y)$zFFunctions for setting up a Samba configuration (security descriptors).)security)ndr_pack)get_schema_descriptorNcd|z}|jD]\}}|j||}tjj ||}t |S)N%s)itemsreplacer descriptor from_sddlr)sddl_in domain_sidname_mapsddlnamesidsecs 2/usr/lib/python3/dist-packages/samba/descriptor.py sddl2binaryr&sY '>D~~'' s||D#&'    ' 'j 9C C=c(|i}d}t|||S)Nrr rrs rget_empty_descriptorr0s! D tZ 22rc(|i}d}t|||S)Nz9O:SYG:SYD:PAI(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)(A;;RPLC;;;BA)rrs rget_deletedobjects_descriptorr:s% D tZ 22rc(|i}d}t|||S)Na O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCRCCLCLORCWOWDSDSW;;;DA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)rrs rget_config_descriptorrDs& AD tZ 22rc(|i}d}t|||S)NaD:(A;;LCLORC;;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;ED)(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)S:(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)rrs r get_config_partitions_descriptorr Zs% *D tZ 22rc(|i}d}t|||S)NaD:(A;;RPLCLORC;;;AU)(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;RO)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:(AU;CISA;CCDCSDDT;;;WD)(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)rrs rget_config_sites_descriptorr"os& fD tZ 22rc(|i}d}t|||S)NziD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPLCLORC;;;BA)(OA;;CR;4ecc03fe-ffc0-4947-b630-eb672a8a9dbc;;WD)rrs r!get_config_ntds_quotas_descriptorr$s% > ?Ahi -EOO4E0FF GImn U__->)?? @B_` (3u/@+AA BDcd }s5??+<'== >@[\ 1C8I4JJ KMno 5EOOZ$[\ 66%6* +{ :tc+&6679UVA   #6[9IIJ.0A   #5K8HHI8:A   #3c+6FFG8:A   #3c+6FFG8:A   # ffU$:c%//BS>T$UV 66%6* +{ :tc+&6679UVA   #6[9IIJ.0A   #5K8HHI8:A   #3c+6FFG8:A   #3c+6FFG8:A   #G#$J rctjd}|j|}i}g|d<|D]2}t|ddkDr|d|d<|dj |d4|S)zzReturn separate ACE of an ACL :param acl: A string representing the ACL :return: A hash with different parts z(\w+)?(\(.*?\))acesrflags)recompilefindalllenrW)aclptabhashes r chunck_aclrm8sv %&A ))C.C DDL " qt9q=aDDM V AaD!" Krctjd}|j|}i}|D]C}|ddk(r|d|d<|ddk(r|d|d<|ddk(r|d|d <|dd k(s<|d|d <E|S) z Return separate parts of the SDDL (owner, group, ...) :param sddl: An string containing the SDDL to chunk :return: A hash with the different chunk z([OGDS]:)(.*?)(?=(?:[GDS]:|$))rzO:rcownerzG:groupzD:daclzS:sacl)rdrerf)rrirjrkrls r chunck_sddlrsLs 45A ))D/C D   Q44<aDDM Q44<aDDM Q44<Q4DL Q44<Q4DL  Krc~tj}|j|_|j|_|j|_|j |_g}|j |j j}tdt|D]6}||}|jtjzr&|j|8g}|j|jj}tdt|D]6}||}|jtjzr&|j|8|S)zvGet the SD without any inherited ACEs :param sd: SD to strip :return: An SD with inherited ACEs stripped r)rr owner_sid group_sidtyperevisionrrrarangergrbSEC_ACE_FLAG_INHERITED_ACEsacl_addrqdacl_add)sdsd_cleanraiaces r get_clean_sdrds""$HHHGGHM H D wwww|| 1c$i 1gyy8>>>   c "   D wwww|| 1c$i 1gyy8>>>   c "   Orct|j|}t|j|}d}t|}t|} d|vrd}nd| vr|d| dk7rd| dd|dd}d|vrd|z}n d| vr|d| dk7r|d | dd|dd}d g} |r| jd | D](} | |vr| | vrt } t } t || }t | | }|d D]}| j ||d D]}| j |t | D])}|| vs| j|| j|+t| t| zd kDs|dk(rt| d k(r|ry|d| d}| D] }|d|d} | D] }|d|d} | |vr| | vr |d| d}| |vs| | vs!|d| d}+|S)a~Get the difference between 2 sd This function split the textual representation of ACL into smaller chunk in order to not to report a simple permutation as a difference :param refsddl: First sddl to compare :param cursddl: Second sddl to compare :param checkSacl: If false we skip the sacl checks :return: A string that explain difference between sddls rroz No owner in current SDz Owner mismatch: z (in ref) z (in current) rpz%s No group in current SDz Group mismatch: rqrrrarz Part z@ is different between reference and current here is the detail: z z% ACE is not present in the reference z# ACE is not present in the current z Reference ACL hasn't a z part z Current ACL hasn't a ) ras_sddlrsrWsetrmaddremoverg)refsdcursd domainsid checkSaclignoreAdditionalACEscursddlrefsddltxthash_curhash_refpartsparth_curh_refc_curc_refelemkitems r get_diff_sdsrsS5!)))4G5!)))4G C7#H7#Hh( H '!2hw6G!G"*7"3Xg5FHh*S0 H '!2hw6G!G"%x'8(7:KMHE V'E 8  0EEEEx~.Ex~.Ef   $ f   $ Z $:LLOLLO $ 5zCJ&*"9Uq+!?B4I"7D,/7C7"5D*-t5C5X $h"6rs6M!. 333,3*3$3333<3~ 3=3@3" 3 3 333;3|3 33HV(0 F59&+Lr