From: David Mulder Date: Fri, 26 Jun 2020 21:34:02 +0000 (-0600) Subject: gpo: Extract Kerberos policy from Security extension X-Git-Tag: talloc-2.3.2~922 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=89718761288b3a51a5727b5f8b40f0ade3348ff1;p=thirdparty%2Fsamba.git gpo: Extract Kerberos policy from Security extension Rewrite the extension to be easier to understand, and to remove references to gp_ext_setter. Signed-off-by: David Mulder Reviewed-by: Douglas Bagnall
---
diff --git a/python/samba/gp_sec_ext.py b/python/samba/gp_sec_ext.py
index 6fac91294d5..fde1f222692 100644
--- a/python/samba/gp_sec_ext.py
+++ b/python/samba/gp_sec_ext.py
@@ -26,26 +26,60 @@ except ImportError: pass -class inf_to_kdc_tdb(gp_ext_setter): - def mins_to_hours(self): - return '%d' % (int(self.val) / 60) +class gp_krb_ext(gp_inf_ext): + apply_map = { 'MaxTicketAge': 'kdc:user_ticket_lifetime', + 'MaxServiceAge': 'kdc:service_ticket_lifetime', + 'MaxRenewAge': 'kdc:renewal_lifetime' } + def process_group_policy(self, deleted_gpo_list, changed_gpo_list): + if self.lp.get('server role') != 'active directory domain controller': + return + inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf' + for gpo in deleted_gpo_list: + self.gp_db.set_guid(gpo[0]) + for section in gpo[1].keys(): + if section == str(self): + for att, value in gpo[1][section].items(): + update_samba, _ = self.mapper().get(att) + update_samba(att, value) + self.gp_db.delete(section, att) + self.gp_db.commit() - def days_to_hours(self): - return '%d' % (int(self.val) * 24) + for gpo in changed_gpo_list: + if gpo.file_sys_path: + self.gp_db.set_guid(gpo.name) + path = os.path.join(gpo.file_sys_path, inf_file) + inf_conf = self.parse(path) + if not inf_conf: + continue + for section in inf_conf.sections(): + if section == str(self): + for key, value in inf_conf.items(section): + att = gp_krb_ext.apply_map[key] + (update_samba, value_func) = self.mapper().get(att) + update_samba(att, value_func(value)) + self.gp_db.commit() + + def mins_to_hours(self, val): + return '%d' % (int(val) / 60) - def set_kdc_tdb(self, val): - old_val = self.gp_db.gpostore.get(self.attribute) - self.logger.info('%s was changed from %s to %s' % (self.attribute, + def days_to_hours(self, val): + return '%d' % (int(val) * 24) + + def set_kdc_tdb(self, attribute, val): + old_val = self.gp_db.gpostore.get(attribute) + self.logger.info('%s was changed from %s to %s' % (attribute, old_val, val)) if val is not None: - self.gp_db.gpostore.store(self.attribute, get_string(val)) - self.gp_db.store(str(self), self.attribute, get_string(old_val) if old_val else None) + 
self.gp_db.gpostore.store(attribute, get_string(val)) + self.gp_db.store(str(self), attribute, get_string(old_val) \ + if old_val else None) else: - self.gp_db.gpostore.delete(self.attribute) - self.gp_db.delete(str(self), self.attribute) + self.gp_db.gpostore.delete(attribute) + self.gp_db.delete(str(self), attribute) def mapper(self): - return {'kdc:user_ticket_lifetime': (self.set_kdc_tdb, self.explicit), + return {'kdc:user_ticket_lifetime': (self.set_kdc_tdb, + lambda val: val), 'kdc:service_ticket_lifetime': (self.set_kdc_tdb, self.mins_to_hours), 'kdc:renewal_lifetime': (self.set_kdc_tdb,
@@ -55,6 +89,19 @@ class inf_to_kdc_tdb(gp_ext_setter): def __str__(self): return 'Kerberos Policy' + def rsop(self, gpo): + output = {} + inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf' + if gpo.file_sys_path: + path = os.path.join(gpo.file_sys_path, inf_file) + inf_conf = self.parse(path) + if not inf_conf: + return output + for section in inf_conf.sections(): + output[section] = {k: v for k, v in inf_conf.items(section) \ + if gp_krb_ext.apply_map.get(k)} + return output + class inf_to_ldb(gp_ext_setter): '''This class takes the .inf file parameter (essentially a GPO file mapped
@@ -146,19 +193,6 @@ class gp_sec_ext(gp_inf_ext): "PasswordComplexity": ("pwdProperties", inf_to_ldb), }, - "Kerberos Policy": {"MaxTicketAge": ( - "kdc:user_ticket_lifetime", - inf_to_kdc_tdb - ), - "MaxServiceAge": ( - "kdc:service_ticket_lifetime", - inf_to_kdc_tdb - ), - "MaxRenewAge": ( - "kdc:renewal_lifetime", - inf_to_kdc_tdb - ), - } } def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 29357d7744d..f2927373dc0 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
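Review bot: `att = gp_krb_ext.apply_map[key]` in the changed_gpo_list loop raises KeyError for any key in the `[Kerberos Policy]` section that is not one of the three mapped names, and a stock GptTmpl.inf commonly carries others there (MaxClockSkew, TicketValidateClient), so a single unmapped line would abort the apply before `self.gp_db.commit()` as far as this hunk shows, since nothing here catches it; the `rsop` method in the next hunk already filters with `apply_map.get(k)`, and the loop should do the same with `if key not in gp_krb_ext.apply_map: continue` before the lookup. The deleted_gpo_list loop has the matching weakness in `update_samba, _ = self.mapper().get(att)`, where an unknown stored attribute makes `.get` return None and the unpack fail with a TypeError instead of a KeyError naming the attribute; `self.mapper()[att]` says what is meant. The identity `lambda val: val` for `kdc:user_ticket_lifetime` also means MaxTicketAge is written to the KDC settings unvalidated while the other two values pass through `int()`, so a non-numeric value is stored silently; `lambda val: '%d' % int(val)` would make the three consistent. `mins_to_hours` divides with `/` and relies on `%d` to truncate the float; `int(val) // 60` states the intent. `self.mapper()` is rebuilt on every iteration of both loops; hoisting it to one local before the loops is cheaper and reads better.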
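Review bot: `rsop` reports an entry for every section of GptTmpl.inf rather than only `Kerberos Policy`: the dict comprehension filters keys through `apply_map`, but the enclosing loop assigns `output[section]` for each section the parser returns, so sections this extension does not own (for example `[System Access]`, whose keys gp_sec_ext in the same file handles) show up as empty dicts in this extension's report. `process_group_policy` in the previous hunk restricts itself with `if section == str(self):`, and `rsop` should do the same, e.g. `if section != str(self): continue` as the first line of the loop body. The `inf_file` path literal is also repeated verbatim in both methods; a class attribute next to `apply_map` would keep the two from drifting apart.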
@@ -24,7 +24,7 @@ from samba.gpclass import check_refresh_gpo_list, check_safe_path, \ check_guid, parse_gpext_conf, atomic_write_conf, get_deleted_gpos_list from subprocess import Popen, PIPE from tempfile import NamedTemporaryFile, TemporaryDirectory -from samba.gp_sec_ext import gp_sec_ext +from samba.gp_sec_ext import gp_krb_ext, gp_sec_ext from samba.gp_scripts_ext import gp_scripts_ext from samba.gp_sudoers_ext import gp_sudoers_ext from samba.gpclass import gp_inf_ext
@@ -283,7 +283,7 @@ class GPOTests(tests.TestCase): machine_creds.set_machine_account() # Initialize the group policy extension - ext = gp_sec_ext(logger, self.lp, machine_creds, store) + ext = gp_krb_ext(logger, self.lp, machine_creds, store) ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds) if ads.connect():
@@ -466,7 +466,7 @@ class GPOTests(tests.TestCase): gpos = ads.get_gpo_list(machine_creds.get_username()) gp_extensions = [] - gp_extensions.append(gp_sec_ext(logger, self.lp, machine_creds, store)) + gp_extensions.append(gp_krb_ext(logger, self.lp, machine_creds, store)) gp_extensions.append(gp_scripts_ext(logger, self.lp, machine_creds, store))
@@ -499,7 +499,7 @@ class GPOTests(tests.TestCase): 'A single policy should have been displayed') # Check the Security Extension - if type(ext) == gp_sec_ext: + if type(ext) == gp_krb_ext: self.assertIn('Kerberos Policy', ret.keys(), 'Kerberos Policy not found') self.assertIn('MaxTicketAge', ret['Kerberos Policy'],
diff --git a/source4/scripting/bin/samba-gpupdate b/source4/scripting/bin/samba-gpupdate
index af2430938cd..39c5d2cf5cd 100755
--- a/source4/scripting/bin/samba-gpupdate
+++ b/source4/scripting/bin/samba-gpupdate
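Review bot: The comment `# Check the Security Extension` above `if type(ext) == gp_krb_ext:` in the hunk at line 499 now names the wrong extension; it should read `# Check the Kerberos Extension`. More substantively, the hunks at 283 and 466 replace `gp_sec_ext` with `gp_krb_ext` instead of adding it, so as far as these hunks show gp_sec_ext is no longer instantiated in the apply test or in the rsop extension list, and the mappings it keeps (the `pwdProperties` entries visible in gp_sec_ext.py) lose the coverage they had; appending both extensions, as the samba-gpupdate hunk does, would keep it. `type(ext) == gp_krb_ext` is a class-identity comparison that `isinstance(ext, gp_krb_ext)` expresses more idiomatically, though the removed line had the same form. The enclosing test methods start and end outside these hunks.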
@@ -30,7 +30,7 @@ sys.path.insert(0, "bin/python") import optparse from samba import getopt as options from samba.gpclass import apply_gp, unapply_gp, GPOStorage, rsop -from samba.gp_sec_ext import gp_sec_ext +from samba.gp_sec_ext import gp_krb_ext, gp_sec_ext from samba.gp_ext_loader import get_gp_client_side_extensions from samba.gp_scripts_ext import gp_scripts_ext from samba.gp_sudoers_ext import gp_sudoers_ext
@@ -84,6 +84,7 @@ if __name__ == "__main__": gp_extensions = [] if opts.target == 'Computer': gp_extensions.append(gp_sec_ext(logger, lp, creds, store)) + gp_extensions.append(gp_krb_ext(logger, lp, creds, store)) gp_extensions.append(gp_scripts_ext(logger, lp, creds, store)) gp_extensions.append(gp_sudoers_ext(logger, lp, creds, store)) for ext in machine_exts: