From: David Mulder Date: Wed, 27 Jan 2021 20:21:32 +0000 (-0700) Subject: samba-tool: Add a gpo command for adding VGP Files Group Policy X-Git-Tag: tevent-0.11.0~1801 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6334307ae70ac51499ae0ed2a04eb646fd362f83;p=thirdparty%2Fsamba.git samba-tool: Add a gpo command for adding VGP Files Group Policy Signed-off-by: David Mulder Reviewed-by: Jeremy Allison --- diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index faefa55037d..343acbc34a9 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml @@ -904,6 +904,11 @@ List VGP Files Group Policy from the sysvol + + gpo manage files add + Add VGP Files Group Policy to the sysvol + + group Manage groups. diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index 198ffe351ef..81676971f0e 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -2585,7 +2585,88 @@ samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source. def run(self, gpo, source, target, user, group, mode, H=None, sambaopts=None, credopts=None, versionopts=None): - pass + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp, fallback_machine=True) + + if not os.path.exists(source): + raise CommandError("Source '%s' does not exist" % source) + + # We need to know writable DC to setup SMB connection + if H and H.startswith('ldap://'): + dc_hostname = H[7:] + self.url = H + else: + dc_hostname = netcmd_finddc(self.lp, self.creds) + self.url = dc_url(self.lp, self.creds, dc=dc_hostname) + + # SMB connect to DC + conn = smb_connection(dc_hostname, + 'sysvol', + lp=self.lp, + creds=self.creds) + + realm = self.lp.get('realm') + vgp_dir = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\VGP\\VTLA\\Unix\\Files']) + vgp_xml = '\\'.join([vgp_dir, 'manifest.xml']) + try: + xml_data = ET.ElementTree(ET.fromstring(conn.loadfile(vgp_xml))) + policy = xml_data.getroot().find('policysetting') + data = policy.find('data') + except NTSTATUSError as e: + # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, + # STATUS_OBJECT_PATH_NOT_FOUND + if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]: + # The file doesn't exist, so create the xml structure + xml_data = ET.ElementTree(ET.Element('vgppolicy')) + policysetting = ET.SubElement(xml_data.getroot(), + 'policysetting') + pv = ET.SubElement(policysetting, 'version') + pv.text = '1' + name = ET.SubElement(policysetting, 'name') + name.text = 'Files' + description = ET.SubElement(policysetting, 'description') + description.text = 'Represents file data to set/copy on clients' + data = ET.SubElement(policysetting, 'data') + elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + else: + raise + + file_properties = ET.SubElement(data, 'file_properties') + source_elm = ET.SubElement(file_properties, 'source') + source_elm.text = os.path.basename(source) + target_elm = ET.SubElement(file_properties, 'target') + target_elm.text = target + user_elm = ET.SubElement(file_properties, 'user') + user_elm.text = user + group_elm = ET.SubElement(file_properties, 'group') + group_elm.text = group + for ptype, shift in [('user', 6), ('group', 3), ('other', 0)]: + permissions = ET.SubElement(file_properties, 'permissions') + permissions.set('type', ptype) + if int(mode, 8) & (0o4 << shift): + ET.SubElement(permissions, 'read') + if int(mode, 8) & (0o2 << shift): + ET.SubElement(permissions, 'write') + if int(mode, 8) & (0o1 << shift): + ET.SubElement(permissions, 'execute') + + out = BytesIO() + xml_data.write(out, encoding='UTF-8', xml_declaration=True) + out.seek(0) + source_data = open(source, 'rb').read() + sysvol_source = '\\'.join([vgp_dir, os.path.basename(source)]) + try: + create_directory_hier(conn, vgp_dir) + conn.savefile(vgp_xml, out.read()) + conn.savefile(sysvol_source, source_data) + except NTSTATUSError as e: + if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + raise class cmd_files(SuperCommand): """Manage Files Group Policy Objects""" diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo deleted file mode 100644 index 960b8e57125..00000000000 --- a/selftest/knownfail.d/gpo +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_files_add