]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
samba-tool: Replace gpo command for adding Sudoers Group Policy
authorDavid Mulder <dmulder@suse.com>
Tue, 22 Dec 2020 20:34:19 +0000 (13:34 -0700)
committerJeremy Allison <jra@samba.org>
Sat, 13 Feb 2021 23:50:36 +0000 (23:50 +0000)
Replace it with the VGP command for adding
sudoers entries in an xml file.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
docs-xml/manpages/samba-tool.8.xml
python/samba/netcmd/gpo.py
selftest/knownfail.d/gpo [deleted file]

index 40bd55644e032e62a5dd2147b272781e5b4775f0..2be75c8a7e60d77986825f7834ada3febf57ace5 100644 (file)
        <para>Sets a VGP OpenSSH Group Policy to the sysvol</para>
 </refsect3>
 
+<refsect3>
+       <title>gpo manage sudoers add</title>
+       <para>Adds a Samba Sudoers Group Policy to the sysvol.</para>
+</refsect3>
+
 <refsect3>
        <title>gpo manage sudoers list</title>
        <para>List Samba Sudoers Group Policy from the sysvol.</para>
index ee951a41a85c2b1a886566e0a051c8e994e1103e..82494f57a20661145cd6c76e48cea125aec7c8e6 100644 (file)
@@ -1708,7 +1708,86 @@ fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL
 
     def run(self, gpo, command, user, users, groups=None, passwd=None,
             H=None, sambaopts=None, credopts=None, versionopts=None):
-        pass
+        self.lp = sambaopts.get_loadparm()
+        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
+
+        # We need to know writable DC to setup SMB connection
+        if H and H.startswith('ldap://'):
+            dc_hostname = H[7:]
+            self.url = H
+        else:
+            dc_hostname = netcmd_finddc(self.lp, self.creds)
+            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)
+
+        # SMB connect to DC
+        conn = smb_connection(dc_hostname,
+                              'sysvol',
+                              lp=self.lp,
+                              creds=self.creds)
+
+        realm = self.lp.get('realm')
+        vgp_dir = '\\'.join([realm.lower(), 'Policies', gpo,
+                             'MACHINE\\VGP\\VTLA\\Sudo',
+                             'SudoersConfiguration'])
+        vgp_xml = '\\'.join([vgp_dir, 'manifest.xml'])
+        try:
+            xml_data = ET.ElementTree(ET.fromstring(conn.loadfile(vgp_xml)))
+            policysetting = xml_data.getroot().find('policysetting')
+            data = policysetting.find('data')
+        except NTSTATUSError as e:
+            # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND,
+            # STATUS_OBJECT_PATH_NOT_FOUND
+            if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]:
+                # The file doesn't exist, so create the xml structure
+                xml_data = ET.ElementTree(ET.Element('vgppolicy'))
+                policysetting = ET.SubElement(xml_data.getroot(),
+                                              'policysetting')
+                pv = ET.SubElement(policysetting, 'version')
+                pv.text = '1'
+                name = ET.SubElement(policysetting, 'name')
+                name.text = 'Sudo Policy'
+                description = ET.SubElement(policysetting, 'description')
+                description.text = 'Sudoers File Configuration Policy'
+                apply_mode = ET.SubElement(policysetting, 'apply_mode')
+                apply_mode.text = 'merge'
+                data = ET.SubElement(policysetting, 'data')
+                load_plugin = ET.SubElement(data, 'load_plugin')
+                load_plugin.text = 'true'
+            elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+                raise CommandError("The authenticated user does "
+                                   "not have sufficient privileges")
+            else:
+                raise
+
+        sudoers_entry = ET.SubElement(data, 'sudoers_entry')
+        if passwd:
+            ET.SubElement(sudoers_entry, 'password')
+        command_elm = ET.SubElement(sudoers_entry, 'command')
+        command_elm.text = command
+        user_elm = ET.SubElement(sudoers_entry, 'user')
+        user_elm.text = user
+        listelement = ET.SubElement(sudoers_entry, 'listelement')
+        for u in users.split(','):
+            principal = ET.SubElement(listelement, 'principal')
+            principal.text = u
+            principal.attrib['type'] = 'user'
+        if groups is not None:
+            for g in groups.split():
+                principal = ET.SubElement(listelement, 'principal')
+                principal.text = g
+                principal.attrib['type'] = 'group'
+
+        out = BytesIO()
+        xml_data.write(out, encoding='UTF-8', xml_declaration=True)
+        out.seek(0)
+        try:
+            create_directory_hier(conn, vgp_dir)
+            conn.savefile(vgp_xml, out.read())
+        except NTSTATUSError as e:
+            if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED
+                raise CommandError("The authenticated user does "
+                                   "not have sufficient privileges")
+            raise
 
 class cmd_list_sudoers(Command):
     """List Samba Sudoers Group Policy from the sysvol
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
deleted file mode 100644 (file)
index 8fe3fb5..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_vgp_sudoers_add