From 111f07fd58b7a7f798cc10e40a44e7fcdd8e207f Mon Sep 17 00:00:00 2001 From: David Mulder Date: Fri, 6 Nov 2020 10:44:28 -0700 Subject: [PATCH] samba-tool: Add a gpo command for listing Security Group Policies Signed-off-by: David Mulder Reviewed-by: Douglas Bagnall --- python/samba/netcmd/gpo.py | 49 +++++++++++++++++++++++++++++++++++++- selftest/knownfail.d/gpo | 1 - 2 files changed, 48 insertions(+), 2 deletions(-) delete mode 100644 selftest/knownfail.d/gpo diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index 0958bd090b4..c20e9853067 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -67,6 +67,7 @@ from samba.credentials import SMB_SIGNING_REQUIRED from samba.netcmd.common import attr_default from samba.common import get_bytes from configparser import ConfigParser +from io import StringIO def gpo_flags_string(value): @@ -1999,6 +2000,12 @@ PasswordComplexity Password must meet complexity requirements class cmd_list_security(Command): """List Samba Security Group Policy from the sysvol + +This command lists security settings from the sysvol that will be applied to winbind clients. +These settings only apply to the ADDC. + +Example: +samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9} """ synopsis = "%prog [options]" @@ -2017,7 +2024,47 @@ class cmd_list_security(Command): takes_args = ["gpo"] def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None): - pass + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp, fallback_machine=True) + + # We need to know writable DC to setup SMB connection + if H and H.startswith('ldap://'): + dc_hostname = H[7:] + self.url = H + else: + dc_hostname = netcmd_finddc(self.lp, self.creds) + self.url = dc_url(self.lp, self.creds, dc=dc_hostname) + + # SMB connect to DC + conn = smb_connection(dc_hostname, + 'sysvol', + lp=self.lp, + creds=self.creds) + + realm = self.lp.get('realm') + inf_file = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf']) + try: + inf_data = ConfigParser(interpolation=None) + inf_data.optionxform=str + raw = conn.loadfile(inf_file) + try: + inf_data.readfp(StringIO(raw.decode())) + except UnicodeDecodeError: + inf_data.readfp(StringIO(raw.decode('utf-16'))) + except NTSTATUSError as e: + if e.args[0] == 0xC0000033: # STATUS_OBJECT_NAME_INVALID + return # The file doesn't exist, so there is nothing to list + if e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + raise + + for section in inf_data.sections(): + if section not in ['Kerberos Policy', 'System Access']: + continue + for key, value in inf_data.items(section): + self.outf.write('%s = %s\n' % (key, value)) class cmd_security(SuperCommand): """Manage Security Group Policy Objects""" diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo deleted file mode 100644 index e959220472b..00000000000 --- a/selftest/knownfail.d/gpo +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_security_list -- 2.47.3