pass
-class inf_to_kdc_tdb(gp_ext_setter):
- def mins_to_hours(self):
- return '%d' % (int(self.val) / 60)
+class gp_krb_ext(gp_inf_ext):
+ apply_map = { 'MaxTicketAge': 'kdc:user_ticket_lifetime',
+ 'MaxServiceAge': 'kdc:service_ticket_lifetime',
+ 'MaxRenewAge': 'kdc:renewal_lifetime' }
+ def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
+ if self.lp.get('server role') != 'active directory domain controller':
+ return
+ inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
+ for gpo in deleted_gpo_list:
+ self.gp_db.set_guid(gpo[0])
+ for section in gpo[1].keys():
+ if section == str(self):
+ for att, value in gpo[1][section].items():
+ update_samba, _ = self.mapper().get(att)
+ update_samba(att, value)
+ self.gp_db.delete(section, att)
+ self.gp_db.commit()
- def days_to_hours(self):
- return '%d' % (int(self.val) * 24)
+ for gpo in changed_gpo_list:
+ if gpo.file_sys_path:
+ self.gp_db.set_guid(gpo.name)
+ path = os.path.join(gpo.file_sys_path, inf_file)
+ inf_conf = self.parse(path)
+ if not inf_conf:
+ continue
+ for section in inf_conf.sections():
+ if section == str(self):
+ for key, value in inf_conf.items(section):
+ att = gp_krb_ext.apply_map[key]
+ (update_samba, value_func) = self.mapper().get(att)
+ update_samba(att, value_func(value))
+ self.gp_db.commit()
+
+ def mins_to_hours(self, val):
+ return '%d' % (int(val) / 60)
- def set_kdc_tdb(self, val):
- old_val = self.gp_db.gpostore.get(self.attribute)
- self.logger.info('%s was changed from %s to %s' % (self.attribute,
+ def days_to_hours(self, val):
+ return '%d' % (int(val) * 24)
+
+ def set_kdc_tdb(self, attribute, val):
+ old_val = self.gp_db.gpostore.get(attribute)
+ self.logger.info('%s was changed from %s to %s' % (attribute,
old_val, val))
if val is not None:
- self.gp_db.gpostore.store(self.attribute, get_string(val))
- self.gp_db.store(str(self), self.attribute, get_string(old_val) if old_val else None)
+ self.gp_db.gpostore.store(attribute, get_string(val))
+ self.gp_db.store(str(self), attribute, get_string(old_val) \
+ if old_val else None)
else:
- self.gp_db.gpostore.delete(self.attribute)
- self.gp_db.delete(str(self), self.attribute)
+ self.gp_db.gpostore.delete(attribute)
+ self.gp_db.delete(str(self), attribute)
def mapper(self):
- return {'kdc:user_ticket_lifetime': (self.set_kdc_tdb, self.explicit),
+ return {'kdc:user_ticket_lifetime': (self.set_kdc_tdb,
+ lambda val: val),
'kdc:service_ticket_lifetime': (self.set_kdc_tdb,
self.mins_to_hours),
'kdc:renewal_lifetime': (self.set_kdc_tdb,
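Review bot: In the changed-GPO loop, `att = gp_krb_ext.apply_map[key]` indexes the map directly for every key found in the `Kerberos Policy` section, so any key outside the three mapped names raises KeyError and aborts the whole policy apply — the `rsop` method elsewhere in this change filters with `apply_map.get(k)` instead, and a GptTmpl.inf written by Windows tooling commonly carries additional keys in that section, so this is likely to trigger on real policies. Replace the line with `att = gp_krb_ext.apply_map.get(key)` followed by `if att is None:` / `continue`, mirroring the deleted-GPO branch's tolerance. Relatedly, `mins_to_hours`/`days_to_hours` call `int(val)` on the raw inf value, so a malformed value from SYSVOL raises ValueError out of `process_group_policy`; consider catching that per key, logging it, and skipping rather than leaving the KDC settings half-applied before `commit()`. `gp_krb_ext` continues past the end of this hunk (the `mapper` dict is cut at `'kdc:renewal_lifetime'`).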
def __str__(self):
return 'Kerberos Policy'
+ def rsop(self, gpo):
+ output = {}
+ inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
+ if gpo.file_sys_path:
+ path = os.path.join(gpo.file_sys_path, inf_file)
+ inf_conf = self.parse(path)
+ if not inf_conf:
+ return output
+ for section in inf_conf.sections():
+ output[section] = {k: v for k, v in inf_conf.items(section) \
+ if gp_krb_ext.apply_map.get(k)}
+ return output
+
class inf_to_ldb(gp_ext_setter):
'''This class takes the .inf file parameter (essentially a GPO file mapped
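Review bot: `rsop` iterates every section of the parsed inf file and emits a dict per section, whereas `process_group_policy` only acts on `section == str(self)`; for non-Kerberos sections the comprehension yields an empty dict keyed by that section name, which misrepresents what this extension would actually apply. Add `if section != str(self): continue` at the top of the loop so the RSoP output matches the apply path. A short docstring such as `"""Return the Kerberos Policy keys this extension would apply from the GPO's GptTmpl.inf, keyed by section."""` would also help, since `rsop` here returns `{}` both when the GPO has no file system path and when the inf fails to parse, with no way for a caller to distinguish the two.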
"PasswordComplexity": ("pwdProperties",
inf_to_ldb),
},
- "Kerberos Policy": {"MaxTicketAge": (
- "kdc:user_ticket_lifetime",
- inf_to_kdc_tdb
- ),
- "MaxServiceAge": (
- "kdc:service_ticket_lifetime",
- inf_to_kdc_tdb
- ),
- "MaxRenewAge": (
- "kdc:renewal_lifetime",
- inf_to_kdc_tdb
- ),
- }
}
def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
check_guid, parse_gpext_conf, atomic_write_conf, get_deleted_gpos_list
from subprocess import Popen, PIPE
from tempfile import NamedTemporaryFile, TemporaryDirectory
-from samba.gp_sec_ext import gp_sec_ext
+from samba.gp_sec_ext import gp_krb_ext, gp_sec_ext
from samba.gp_scripts_ext import gp_scripts_ext
from samba.gp_sudoers_ext import gp_sudoers_ext
from samba.gpclass import gp_inf_ext
machine_creds.set_machine_account()
# Initialize the group policy extension
- ext = gp_sec_ext(logger, self.lp, machine_creds, store)
+ ext = gp_krb_ext(logger, self.lp, machine_creds, store)
ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
if ads.connect():
gpos = ads.get_gpo_list(machine_creds.get_username())
gp_extensions = []
- gp_extensions.append(gp_sec_ext(logger, self.lp, machine_creds, store))
+ gp_extensions.append(gp_krb_ext(logger, self.lp, machine_creds, store))
gp_extensions.append(gp_scripts_ext(logger, self.lp, machine_creds,
store))
'A single policy should have been displayed')
# Check the Security Extension
- if type(ext) == gp_sec_ext:
+ if type(ext) == gp_krb_ext:
self.assertIn('Kerberos Policy', ret.keys(),
'Kerberos Policy not found')
self.assertIn('MaxTicketAge', ret['Kerberos Policy'],
import optparse
from samba import getopt as options
from samba.gpclass import apply_gp, unapply_gp, GPOStorage, rsop
-from samba.gp_sec_ext import gp_sec_ext
+from samba.gp_sec_ext import gp_krb_ext, gp_sec_ext
from samba.gp_ext_loader import get_gp_client_side_extensions
from samba.gp_scripts_ext import gp_scripts_ext
from samba.gp_sudoers_ext import gp_sudoers_ext
gp_extensions = []
if opts.target == 'Computer':
gp_extensions.append(gp_sec_ext(logger, lp, creds, store))
+ gp_extensions.append(gp_krb_ext(logger, lp, creds, store))
gp_extensions.append(gp_scripts_ext(logger, lp, creds, store))
gp_extensions.append(gp_sudoers_ext(logger, lp, creds, store))
for ext in machine_exts: