HEX

File: //lib/python3/dist-packages/samba/netcmd/__pycache__/gpo.cpython-310.pyc
o

�/ah[�@s2ddlZddlmZddlZddlZddlmmZ	ddl
Z
ddlZddlm
Z
ddlmZmZmZmZddlmZddlmZddlmZddlmZmZddlmZddlZddlZdd	lmZmZm Z dd
l!m"Z"ddlm#Z#ddl$m%Z&dd
l$m'Z(ddlm)Z)ddl*Z*ddl+m,Z,ddlm-Z-ddl.m/Z/ddl0m1Z1m2Z2m3Z3ddl4m5Z5ddl6m7Z7m8Z8m9Z9m:Z:ddl;m<Z<ddl=m>Z>ddl?m@Z@ddlm%Z%ddlAmBZBddl!mCZCddlDmEZEmFZFddlGmHZHddlImJZJmKZKddlLmMZMmNZNddlOZOdd�ZPd d!�ZQd"d#�ZRd$d%�ZSd�d&d'�ZTd(d)�ZUdddejVejWBejXBejYBfd*d+�ZZd,d-�Z[d.d/�Z\d0d1�Z]ej^fd2d3�Z_d4d5�Z`e(jae(jbBe(jcBe(jdBZed6d7�Zf	8	8d�d9d:�Zgd;d<�Zhd=d>�ZiGd?d@�d@e�ZjGdAdB�dBej�ZkGdCdD�dDej�ZlGdEdF�dFej�ZmGdGdH�dHej�ZnGdIdJ�dJej�ZoGdKdL�dLej�ZpGdMdN�dNej�ZqGdOdP�dPej�ZrGdQdR�dRej�ZsGdSdT�dTej�ZtGdUdV�dVej�ZuGdWdX�dXej�ZvGdYdZ�dZev�ZwGd[d\�d\ej�ZxGd]d^�d^ej�ZyGd_d`�d`e�ZzGdadb�dbe�Z{Gdcdd�dde�Z|Gdedf�dfe�Z}Gdgdh�dhe�Z~Gdidj�dje�ZGdkdl�dle�Z�Gdmdn�dne�Z�Gdodp�dpe�Z�Gdqdr�dre�Z�Gdsdt�dte�Z�Gdudv�dve�Z�Gdwdx�dxe�Z�Gdydz�dze�Z�Gd{d|�d|e�Z�Gd}d~�d~e�Z�Gdd��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�Gd�d��d�e�Z�dS)��N)�system_session)�Command�CommandError�Option�SuperCommand)�SamDB)�dsdb)�security)�
ndr_unpack�ndr_pack)�preg)� AUTH_SESSION_INFO_DEFAULT_GROUPS�AUTH_SESSION_INFO_AUTHENTICATED�#AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)�
netcmd_finddc)�policy)�param)�libsmb_samba_internal)�
NTSTATUSError)�dsacl2fsacl)�nbt)�Net)�GPParser�GPNoParserException�GPGeneralizeException)�GPPolParser)�GPIniParser�GPTIniParser�GPFDeploy1IniParser�GPScriptsIniParser)�GPAuditCsvParser)�GptTmplInfParser)�GPAasParser)�SMB_SIGNING_REQUIRED)�attr_default)�	get_bytes�
get_string)�ConfigParser)�StringIO�BytesIO)�	calc_mode�stat_from_modecC�$t�|�}|sd}|Sd�|�}|S)zreturn gpo flags string�NONE� )r�
get_gpo_flags�join)�value�flags�ret�r4�2/usr/lib/python3/dist-packages/samba/netcmd/gpo.py�gpo_flags_stringJ�

�r6cCr,)zreturn gplink options stringr-r.)r�get_gplink_optionsr0)r1�optionsr3r4r4r5�gplink_options_stringTr7r:cCs�g}|��dkr
|S|�d�}|D]/}|sq|�d�}t|�dks(|d�d�s.td|��|�|ddd	�t|d
�d��q|S)z.parse a gPLink into an array of dn and options��]�;�rz[LDAP://zBadly formed gPLink '%s'�N���dnr9)�strip�split�len�
startswith�RuntimeError�append�int)�gplinkr3�a�g�dr4r4r5�parse_gplink^s

&rNcCsd�dd�|D��}|S)z4Encode an array of dn and options into gPLink stringr;css$�|]
}d|d|dfVqdS)z[LDAP://%s;%d]rBr9Nr4)�.0rLr4r4r5�	<genexpr>rs�"z encode_gplink.<locals>.<genexpr>)r0)�gplistr3r4r4r5�
encode_gplinkpsrRc
CsN|dur%|dur!zt||�}Wnty }ztd|��d}~wwd|}|S)zjIf URL is not specified, return URL for writable DC.
    If dc is provided, use that to construct ldap URLNzCould not find a DC for domain�ldap://)r�	ExceptionrG)�lp�creds�url�dc�er4r4r5�dc_urlvs
��rZcCs4|��}|�t�|d��|�t�|d|��|S)zConstruct the DN for gpo�CN=Policies,CN=SystemzCN=%s)�get_default_basedn�	add_child�ldb�Dn)�samdb�gporBr4r4r5�
get_gpo_dn�srbc
Cs�|��}|�t�|d��|}d}tj}|durdt�|�}|dur*dt�|�}|dur3|}tj}z|j|||gd�d|gd�}	W|	Stya}
z|durVd	|}nd
}t	||
��d}
~
ww)z0Get GPO information using gpo, displayname or dnr[z"(objectClass=groupPolicyContainer)Nz.(&(objectClass=groupPolicyContainer)(name=%s))z5(&(objectClass=groupPolicyContainer)(displayname=%s)))�nTSecurityDescriptor�
versionNumberr2�name�displayName�gPCFileSysPath�gPCMachineExtensionNames�gPCUserExtensionNames�
sd_flags:1:%d)�base�scope�
expression�attrs�controlsz!Cannot get information for GPO %szCannot get information for GPOs)
r\r]r^r_�SCOPE_ONELEVEL�
binary_encode�
SCOPE_BASE�searchrTr)r`ra�displaynamerB�sd_flags�policies_dn�base_dn�search_expr�search_scope�msgrY�mesgr4r4r5�get_gpo_info�s4��

��r|c
CsFd|}z|j|dgd�}W|Sty"}ztd||��d}~ww)z lists dn of containers for a GPOz(&(objectClass=*)(gPLink=*%s*))�gPLink)rmrnz'Could not find container(s) with GPO %sN)rsrTr)r`rarxrzrYr4r4r5�get_gpo_containers�s���r~c
Cs>z|j|tjddgd�d}Wnty"}ztd||��d}~wwd}tt||��}d|vrStt|dd��}|D]}|d��|��krQ|�	|�d	}nq<ntd
��|s_td|��t�
�}	||	_|rwt|�}
t�
|
tjd�|	d<nt�
|ddtjd�|	d
<z|�|	�WdSty�}ztd|��d}~ww)z!delete GPO link for the container�(objectClass=*)r}�rkrlrmrnr�Container '%s' does not existNFrBTz"No GPO(s) linked to this containerz%GPO '%s' not linked to this container�r0�d0z!Error removing GPO from container)rsr^rrrTr�strrbrN�lower�remove�MessagerBrR�MessageElement�FLAG_MOD_REPLACE�FLAG_MOD_DELETE�modify)r`�container_dnrarzrY�found�gpo_dnrQrL�m�
gplink_strr4r4r5�del_gpo_link�sJ
����
��
��r�cCs^g}|�d�r|dd��dd�}n|�d�r!|dd��dd�}t|�dkr-td|��|S)	z;Parse UNC string into a hostname, a service, and a filepathz\\r>N�\z//�/�zInvalid UNC string: %s)rFrDrE�
ValueError)�unc�tmpr4r4r5�	parse_unc�s

r�cCs�tjd||d�rt�Stjd||d�rt�Stjd||d�r!t�Stjd||d�r,t�Stjd||d�r7t�Stjd||d�rBt�Stjd||d�rMt�Stjd	||d�rXt�Stjd
||d�rct	�Stjd||d�rnt
�St�S)Nzfdeploy1\.ini$�r2zaudit\.csv$z
GptTmpl\.inf$z	GPT\.INI$z
scripts\.ini$zpsscripts\.ini$z	GPE\.INI$z.*\.ini$z.*\.pol$z.*\.aas$)�re�matchrr r!rrrrrr")rer2r4r4r5�find_parser�s*r�c	Cs$d}tj�|�s
t�|�|g}|g}|r�|��}|��}|j|td�}|jdd�d�|D]]}	|d|	d}
tj�||	d�}|	dt	j
@rX|�|
�|�|�t�|�q.|�|
�}t
||d	��
}
|
�|�Wd�n1stwYt|	d�}|�|�|�|d
�q.|sdSdS)N�.SAMBABACKUP��attribscS�|dS�Nrer4��xr4r4r5�<lambda>#�z2backup_directory_remote_to_local.<locals>.<lambda>��keyr�re�attrib�wb�.xml)�os�path�isdir�mkdir�pop�list�
attr_flags�sortr0�libsmb�FILE_ATTRIBUTE_DIRECTORYrH�loadfile�open�writer��parse�	write_xml)�conn�	remotedir�localdir�SUFFIX�r_dirs�l_dirs�r_dir�l_dir�dirlistrY�r_name�l_name�data�f�parserr4r4r5� backup_directory_remote_to_locals2



�
�r�cCs�tj�|�st�|�|g}|g}|rh|��}|��}|j|td�}|jdd�d�|D]7}|d|d}	tj�||d�}
|dt	j
@rV|�|	�|�|
�t�|
�q,|�|	�}t
|
d��|�q,|sdSdS)	Nr�cSr�r�r4r�r4r4r5r�Fr�z0copy_directory_remote_to_local.<locals>.<lambda>r�r�rer�r�)r�r�r�r�r�r�r�r�r0r�r�rHr�r�r�)r�r�r�r�r�r�r�r�rYr�r�r�r4r4r5�copy_directory_remote_to_local<s&



�r�Fc	Cs�|�|�s
|�|�|g}|g}|r}|��}|��}t�|�}	|	��|	D]S}
tj�||
�}|d|
}tj�|�rX|�	|�|�	|�z|�|�Wq%t
yW|sU�Yq%w|rkz|�|�Wq%t
yjYnwt|d��
�}
|�||
�q%|sdSdS)Nr��rb)�chkpathr�r�r��listdirr�r�r0r�rHrr�r��read�savefile)r�r�r��ignore_existing_dir�keep_existing_filesr�r�r�r�r�rYr�r�r�r4r4r5�copy_directory_local_to_remoteTs@




��
��r�cCsD|�dd��d�}d}|D]}|d|}|�|�s|�|�q
dS)Nr�r�r;)�replacerDr�r�)r�r��elemsr�rYr4r4r5�create_directory_hierys

��r�cCsf|��}|�t�zt��}|�|j�tj||||d�}Wn
t	y+t
d|��w|�|�|S)N�rUrVz"Error connecting to '%s' using SMB)�get_smb_signing�set_smb_signingr#�s3param�get_context�load�
configfiler��ConnrTr)�dc_hostname�servicerUrV�saved_signing_state�s3_lpr�r4r4r5�smb_connection�s
�
r�c@seZdZdd�Zdd�ZdS)�
GPOCommandc
Cs�|durt��}td||jd�tj�|�std|��tj�|d�}tj�|�s/t�	|�tj�||�}tj�|�rBtd|��z
t�	|�W||fSt
tfy_}ztd|��d}~ww)a�Ensure that the temporary directory structure used in fetch,
        backup, create, and restore is consistent.

        If --tmpdir is used the named directory must be present, which may
        contain a 'policy' subdirectory, but 'policy' must not itself have
        a subdirectory with the gpo name. The policy and gpo directories
        will be created.

        If --tmpdir is not used, a temporary directory is securely created.
        Nz5Using temporary directory %s (use --tmpdir to change))�filez'Temporary directory '%s' does not existrz8GPO directory '%s' already exists, refusing to overwritez%Error creating teporary GPO directory)�tempfile�mkdtemp�print�outfr�r�r�rr0r��IOError�OSError)�self�tmpdirrar��gpodirrYr4r4r5�construct_tmpdir�s,�
��
��zGPOCommand.construct_tmpdirc
CsJzt|jt�|j|jd�|_WdSty$}ztd|j|��d}~ww)z$make a ldap connection to the server�rW�session_info�credentialsrUzLDAP connection to %s failed N)rrWrrVrUr`rTr)r�rYr4r4r5�
samdb_connect�s���zGPOCommand.samdb_connectN)�__name__�
__module__�__qualname__r�r�r4r4r4r5r��s#r�c@�FeZdZdZdZejejejd�Z	e
dddeddd	�gZd
dd�Z
d
S)�cmd_listallzList all GPOs.�%prog [options]��	sambaopts�versionopts�credopts�-H�--URL�%LDB URL for database or target server�URL�H��help�type�metavar�destNc
Cs�|��|_|j|jdd�|_t|j|j|�|_|��t|jd�}|D]Q}|j	�
d|dd�|j	�
d|dd�|j	�
d|d	d�|j	�
d
|j�|j	�
dt|dd
��|j	�
dt
tt|dd����|j	�
d�q#dS)NT��fallback_machine�GPO          : %s
rer�display name : %s
rf�path         : %s
rg�dn           : %s
�version      : %s
rd�0�flags        : %s
r2�
)�get_loadparmrU�get_credentialsrVrZrWr�r|r`r�r�rBr$r6rI)r�rr�r�r�rzr�r4r4r5�run�s
 �zcmd_listall.run�NNNN�r�r�r��__doc__�synopsisr9�SambaOptions�VersionOptions�CredentialsOptions�takes_optiongroupsrr��
takes_optionsrr4r4r4r5r����
��r�c@sLeZdZdZdZdgZejejej	d�Z
edddedd	d
�gZ
ddd
�ZdS)�cmd_listzList GPOs for an account.z&%prog <username|machinename> [options]�accountnamer�r�r�r�r�rrNc	CsL|��|_|j|jdd�|_t|j|j|�|_|��z|jjdt	�
|�t	�
|�fd�}|dj}Wn
ty@t
d|��wz|jj|t	jdgd�d}d	|dv}Wn
tyct
d
|��wttB}	|jdurw|j�d�rw|	tO}	tjj|j|j||	d�}
|
j}g}d}
t	�|jt|����}	|jj|t	jd
dgd�d}d
|v�r`tt|d
d��}|D]�}|
s�|dtj@s�q�|dtj@r�q�z+tjtj Btj!B}|jj|dt	jgd�d|gd�}|ddd}t"tj#|�}Wnt�y|j$�%d|d�Yq�wztj�&||tj'tj(Btj)B�Wnt*�y-|j$�%d|j�Yq�wt+t,|ddd��}|�rB|tj-@�rBq�|�sL|tj.@�rLq�|�/|ddd|dddf�q�t+t,|dd��}|tj0@�rpd}
||j�1�k�ryn|��}q�|�r�d	}nd}|j$�%d||f�|D]}|j$�%d|d|df��q�dS)NTrz?(&(|(samAccountName=%s)(samAccountName=%s$))(objectClass=User)))rmrzFailed to find account %s�objectClass)rkrlrn�computerz!Failed to find objectClass for %s�ldap)�lp_ctxrB�session_info_flagsr}�	gPOptionsr9rB)rerfr2rcrj)rkrlrnrorcz8Failed to fetch gpo object with nTSecurityDescriptor %s
zFailed access check on %s
r2rfreF�userzGPOs for %s %s
z
    %s %s
r@)2rrUrrVrZrWr�r`rsr^rqrBrTrrrr
rrFr�samba�auth�user_session�security_tokenr_r��parentrNr�GPLINK_OPT_ENFORCE�GPLINK_OPT_DISABLEr	�
SECINFO_OWNER�
SECINFO_GROUP�SECINFO_DACLr
�
descriptorr�r��access_check�SEC_STD_READ_CONTROL�SEC_ADS_LIST�SEC_ADS_READ_PROPrGrIr$�GPO_FLAG_MACHINE_DISABLE�GPO_FLAG_USER_DISABLErH�GPO_BLOCK_INHERITANCEr\)r�rrr�r�r�rz�user_dn�is_computerr#�session�token�gpos�inheritrB�glistrLru�gmsg�secdesc_ndr�secdescr2�	gpoptions�msg_strr4r4r5r�s�
�����
�����
����(�3 �zcmd_list.runr)r�r�r�rr�
takes_argsr9rrrrrr�rrr4r4r4r5r�s���rc@sFeZdZdZdZejejejd�Z	dgZ
edded�gZ
dd	d
�ZdS)�cmd_showzShow information for a GPO.�%prog <gpo> [options]r�rar�r��rrNc
	CsT|��|_|j|jdd�|_t|j|j|�|_|��z
t|j|�d}Wn
t	y2t
d|��wz|dd}ttj
|�}|��}	Wnt	yPd}	Ynw|j�d|dd�|j�d	|d
d�|j�d|dd�|j�d
|j�|j�dt|dd��|j�dttt|dd����|j�d|	�|j�d�dS)NTrr�GPO '%s' does not existrcz<hidden>rrer	rfr
rgrrrdr
rr2zACL          : %s
r)rrUrrVrZrWr�r|r`rTrr
r	r0�as_sddlr�r�rBr$r6rI)
r�rarr�r�r�rzr@rA�secdesc_sddlr4r4r5rks0
�� zcmd_show.runr�r�r�r�rrr9rrrrrDrr�rrr4r4r4r5rEZs��rEc@�JeZdZdZdZejejejd�Z	dgZ
edded�gZ
		dd	d
�ZdS)�cmd_getlinkzList GPO Links for a container.�%prog <container_dn> [options]r�r�r�r�rGNc	Cs6|��|_|j|jdd�|_t|j|j|�|_|��z|jj|t	j
ddgd�d}Wn
ty8td|��wd|vr�|dr�|j
�d|�tt|dd��}|D]9}t|j|d	d
�}|j
�d|ddd�|j
�d
|ddd�|j
�dt|d��|j
�d�qUdS|j
�d|�dS)NTrrr}r�rr�zGPO(s) linked to DN %s
rB)rBz    GPO     : %s
rez    Name    : %s
rfz    Options : %s
r9rzNo GPO(s) linked to DN=%s
)rrUrrVrZrWr�r`rsr^rrrTrr�r�rNr�r|r:)	r�r�rr�r�r�rzrQrLr4r4r5r�s2
����zcmd_getlink.runrrKr4r4r4r5rM�����rMc	@sleZdZdZdZejejejd�Z	ddgZ
edded�ed	d
ddd
d�edddddd�gZ
		ddd�ZdS)�cmd_setlinkz(Add or update a GPO link to a container.�$%prog <container_dn> <gpo> [options]r�r�rar�r�rGz	--disable�disabledF�
store_truezDisable policy�r�default�actionrz	--enforce�enforcedzEnforce policyNc	
Cs|��|_|j|jdd�|_t|j|j|�|_|��d}	|r$|	tjO}	|r+|	tj	O}	zt
|j|d�d}
Wn
tyCt
d|��wtt|j|��}z|jj|tjddgd�d}
Wn
tyit
d	|��wd
}d|
vr�tt|
dd��}
d}d
}|
D]}|d��|��kr�|	|d<d}nq�|r�t
d
|��|
�d||	d��n
g}
|
�||	d��t|
�}t��}t�|j|�|_|r�t�|tjd�|d<n
t�|tjd�|d<z|j�|�Wnty�}zt
d|��d}~ww|j� d�t!��"|||||�dS)NTrr�rarHrr}r�r�FrBr9z)GPO '%s' already linked to this containerrA�	new_valuezError adding GPO LinkzAdded/Updated GPO link
)#rrUrrVrZrWr�rr,r+r|r`rTrr�rbrsr^rrrNr��insertrHrRr�r_rBr�r��FLAG_MOD_ADDr�r�r�rMr)r�r�rarrRrWr�r�r��gplink_optionsrzr��existing_gplinkrQr�rLr�r�rYr4r4r5r�sn


�����
��zcmd_setlink.run)NFFNNNrKr4r4r4r5rP�s&�
�
���rPc@�LeZdZdZdZejejejd�Z	ddgZ
edded�gZ
				dd
d�Zd	S)
�cmd_dellinkz!Delete GPO link from a container.rQr��	containerrar�r�rGNcCs�|��|_|j|jdd�|_t|j|j|�|_|��zt|j|d�dWn
t	y3t
d|��wt�|j|�}t
|j||�|j�d�t��|||||�dS)NTrrXrrHzDeleted GPO link.
)rrUrrVrZrWr�r|r`rTrr^r_r�r�r�rMr)r�r`rarr�r�r�r�r4r4r5r$s
�zcmd_dellink.runrrKr4r4r4r5r_����r_c@rL)�cmd_listcontainersz%List all linked containers for a GPO.rFr�rar�r�rGNcCs�|��|_|j|jdd�|_t|j|j|�|_|��t|j|�}t	|�r>|j
�d|�|D]}|j
�d|d�q/dS|j
�d|�dS)NTrzContainer(s) using GPO %s
z    DN: %s
rBzNo Containers using GPO %s
)rrUrrVrZrWr�r~r`rEr�r�)r�rarr�r�r�rzr�r4r4r5rKs
�zcmd_listcontainers.runrrKr4r4r4r5rb:rOrbc@rL)�cmd_getinheritancez%Get inheritance flag for a container.rNr�r�r�r�rGNcCs�|��|_|j|jdd�|_t|j|j|�|_|��z|jj|t	j
ddgd�d}Wn
ty8td|��wd}d|vrGt
|dd�}|tjkrT|j�d�dS|j�d	�dS)
NTrrr$r�rr�z$Container has GPO_BLOCK_INHERITANCE
zContainer has GPO_INHERIT
)rrUrrVrZrWr�r`rsr^rrrTrrIrr7r�r�)r�r�rr�r�r�rz�inheritancer4r4r5ros(
���
zcmd_getinheritance.runrrKr4r4r4r5rc^rOrcc@r^)
�cmd_setinheritancez$Set inheritance flag on a container.z.%prog <container_dn> <block|inherit> [options]r�r��
inherit_stater�r�rGNc
Cs2|��dkr
tj}n|��dkrtj}ntd|��|��|_|j|jdd�|_t	|j|j|�|_
|��z|jj
|tjddgd�d	}Wn
tyRtd
|��wt��}	t�|j|�|	_d|vrpt�t|�tjd�|	d<nt�t|�tjd�|	d<z	|j�|	�WdSty�}
ztd||
��d}
~
ww)
N�blockr=zUnknown inheritance state (%s)Trrr$r�rr�rYz"Error setting inheritance state %s)r�rr7�GPO_INHERITrrrUrrVrZrWr�r`rsr^rrrTr�r_rBr�r�r�r[r�)r�r�rfrr�r�r�rdrzr�rYr4r4r5r�s<
�����zcmd_setinheritance.runrrKr4r4r4r5re�rarec@sReZdZdZdZejejejd�Z	dgZ
edded�edd	ed�gZ
d
dd�Zd
S)�	cmd_fetchzDownload a GPO.rFr�rar�r�rG�--tmpdir�,Temporary directory for copying policy filesNc
CsB|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_|��z
t	|j
|�d}Wn
tyKtd|��wt
|dd�}	z	t|	�\}
}}Wn
tyjtd	|	��wt|||j|jd
�}
|�||�\}}zt|
||�Wnty�}ztd|��d}~ww|j�d|�dS)
NTrrS��rXrrHrg�Invalid GPO path (%s)r��Error copying GPO from DC�GPO copied to %s
)rrUrrVrFrWrrZr�r|r`rTrr�r�r�r�r�r�r�r�)r�rarr�r�r�r�r�rzr��dom_namer��	sharepathr�r�rYr4r4r5r�s<
��
�
��z
cmd_fetch.run�NNNNNrKr4r4r4r5ri�s��ric	@s~eZdZdZdZejejejd�Z	dgZ
edded�edd	ed�ed
ddd
d�eddded�gZ
		ddd�Zedd��ZdS)�
cmd_backupz
Backup a GPO.rFr�rar�r�rGrjrkz--generalizez"Generalize XML entities to restoreFrS�rrUrV�
--entitiesz4File to export defining XML entities for the restore�ent_file)rrrNc	
CsR|��|_|j|jdd�|_|r|�d�r|dd�}	||_nt|j|j�}	t|j|j|	d�|_|��z
t	|j
|�d}
Wn
tyKtd|��wt
|
dd�}z	t|�\}}
}Wn
tyjtd	|��wt|	|
|j|jd
�}|�||�\}}zt|||�Wnty�}ztd|��d}~ww|j�d|�|r�|j�d
�t�|j||�}ddl}d�dd�t|��|�d�d�D��}|r�t|d��
}|�|�Wd�n1s�wY|j�d|�n|j�d�|j�|�dD]-}||
v�r&ttj�||d�d��}|�|
|d�Wd�n	1�s!wYq�dS)NTrrSrlrmrrHrgrnr�rorpz(
Attempting to generalize XML entities:
r;css*�|]}d�|d�d�|d�VqdS)z<!ENTITY {} "{}
">r@z&;rN)�formatrC)rO�entr4r4r5rP@s�"�z!cmd_backup.run.<locals>.<genexpr>r@r��wz$Entities successfully written to %s
z
Entities:
�rhri�	.SAMBAEXTr�)rrUrrVrFrWrrZr�r|r`rTrr�r�r�r�r�r�r�r�rt�generalize_xml_entities�operatorr0�sorted�items�
itemgetterr�r�r�)r�rarr��
generalizer�r�r�rwr�rzr�rqr�rrr�r�rY�entitiesr~�entsr��extr4r4r5rsn
��
�
��
�
���
���zcmd_backup.runc	Csbi}tj�|�s
t�|�|g}|g}|r�|��}|��}t�|�}|��|D]�}	tj�||	�}
tj�||	�}tj�|
�rT|�	|
�|�	|�tj�|�sSt�|�q(|
�
d�r�tj�|
�dd�}t|�}
z't
|
d��}|��}Wd�n1s|wYt�|�}|
�|||�}Wq(ty�|�d|�Yq(wtj�|
|�s�t�|
|�q(|s|S)Nr�����rz%SKIPPING: Generalizing failed for %s
)r�r��existsr�r�r�r�r0r�rH�endswith�basenamer�r�r��ET�
fromstring�generalize_xmlrr��samefile�shutil�copy2)r��	sourcedir�	targetdirr�r�r�r�r�r�rYr�r��to_parser��ltempr��concrete_xml�found_entitiesr4r4r5r}RsH




�

�
�	��)z"cmd_backup.generalize_xml_entities)NNFNNNN)r�r�r�rrr9rrrrrDrr�rr�staticmethodr}r4r4r4r5rt�s,����	
�Artc@sVeZdZdZdZejejejd�Z	dgZ
edded�edd	ed�gZ
	
	
d
dd�Zd
S)�
cmd_createzCreate an empty GPO.z%prog <displayname> [options]r�rtr�r�rGrjrkNc!
Cs�|��|_|j|jdd�|_t|j|jd�}|r7|�d�r7|dd�}||_tjtj	Btj
B}	|j||	d�}
n!tjtj	Btj
B}	|j|j�d�|	d�}
|
j
}t|j|j|d	�|_|��t|j|d
�}|jdkrntd|��tt���}d
|��}
|
|_|
j}d|||
f}|�||
�\|_}||_z%t�tj� |d��t�tj� |d��d}t!tj� |d�d��"|�Wnt#y�}ztd|��d}~wwt$|�\}}}||_%t&|||j|jd�}||_'|j�(�z�t)|j|
�}t*�+�}||_,t*�-dt*j.d�|d<|j�/|�t*�+�}t*�0|jdt|��|_,t*�-dt*j.d�|d<|j�/|�t*�+�}t*�0|jdt|��|_,t*�-dt*j.d�|d<|j�/|�t1j2t1j3Bt1j4B}t|j|
|d�d}|dd}t5t1j6|��7�}t1�8|j�9��}t:||�}t1j6�;||�}t<||�t1j2t1j3Bt1j4Bt1j=B}|�>|||�t?|||�t*�+�}||_,t*�-|t*j@d�|d<t*�-|t*j@d �|d!<t*�-d"t*j@d#�|d$<t*�-d%t*j@d&�|d'<t*�-d"t*j@d(�|d)<d*g} |jjA|| d+�Wnt#�y�|j�B��w|j�C�|jD�"d,||
f�dS)-NTr)rVrUrSrl)�addressr2�realm)�domainr2rm)rtrz%A GPO already existing with name '%s'z{%s}z\\%s\sysvol\%s\Policies\%s�Machine�Userz[General]
Version=0
zGPT.INIrzzError Creating GPO filesr��groupPolicyContainerr�a01�
CN=User,%sr`�
CN=Machine,%s)rarurcrf�a02rg�a03r
rd�a05�2�gpcFunctionalityVersion�a07r2�a04zpermissive_modify:0)rozGPO '%s' created as %s
)ErrUrrVrrFrWr�NBT_SERVER_LDAP�
NBT_SERVER_DS�NBT_SERVER_WRITABLE�finddc�get�pdc_dns_namerZr�r|r`�countrr��uuid�uuid4�upper�gpo_name�
dns_domainr�r�r�r�r�r�r0r�r�rTr�rrr�r��transaction_startrbr^r�rBr�r[�addr_r	r-r.r/r
r0rI�dom_sid�get_domain_sidr�	from_sddlr��SECINFO_PROTECTED_DACL�set_aclr�r�r��transaction_cancel�transaction_commitr�)!r�rtrr�r�r�r��netr�r2�	cldap_retrz�guidrar��unc_pathr��gpt_contentsrYrqr�rrr�r�r��ds_sd_flags�	ds_sd_ndr�ds_sd�
domain_sid�sddl�fs_sd�sioror4r4r5r�s�
����

��
�
��

���
�
zcmd_create.runrsrKr4r4r4r5r��s���r�c	s�eZdZdZdZejejejd�Z	ddgZ
edded�ed	d
ed�edded�ed
dddd�gZ
ddd�Z		d�fdd�	Z�ZS)�cmd_restorez!Restore a GPO to a new container.z/%prog <displayname> <backup location> [options]r�rt�backupr�r�rGrjrkrvz8File defining XML entities to insert into DOCTYPE headerz--restore-metadataz7Keep the old GPT.INI file and associated version numberFrSrur;c
Cs d}tj�|�s
t�|�|g}|g}|�r|��}|��}t�|�}	|	��|	D]�}
tj�||
�}tj�||
�}tj�|�rU|�	|�|�	|�tj�|�sTt�|�q)|�
d��r	tj�|�dd�}
t|
�}zJt
|d��;}|��}d}|�|�r�|t|�d�}|�t�|||��n
|�t�||��|�|dd��Wd�n1s�wYWq)ty�|dd�|}t�||dd��|j�d|
�|j�d�Yq)ddl}|��|dd�|}t�||dd��|j�d	|�|j�d�Yq)q)|sdSdS)
Nr�r�r�r�z&<?xml version="1.0" encoding="utf-8"?>zWARNING: No such parser for %s
z.WARNING: Falling back to simple copy-restore.
rz%WARNING: Error during parsing for %s
)r�r�r�r�r�r�r�r0r�rHr�r�r�r�r�rFrE�load_xmlr�r��write_binaryrr�r�r�r��	traceback�	print_exc)r�r�r��
dtd_headerr�r�r�r�r�r�rYr�r�r�r�r�r��xml_head�
original_filer�r4r4r5� restore_from_backup_to_local_dir+s^




�
����z,cmd_restore.restore_from_backup_to_local_dirNc

s�d}
tj�|�std|��|durRd}
tj�|�s td|��t|d��!}|��}tjd|tjd�dur9td��|
|�	�7}
Wd�n1sIwY|
d	7}
t
t|��||||||�ze|�
||j|
�|	}
t|j|j|jd
|
d�t|j|j�}dD]A}tj�||d
�}tj�|�r�t|d��}|��}Wd�n1s�wYt��}||_t�|tj|�||<|j�|�q�WdSty�}z+ddl}|��|j� t!|�d�|j� d�t"�}|�|j||||�td|��d}~ww)Nr;z"Backup directory does not exist %sz<!DOCTYPE foobar [
zEntities file does not exist %sr�z*(\s*<!ENTITY\s*[a-zA-Z0-9_]+\s*.*?>)+\s*\Zr�zPEntities file does not appear to conform to format
e.g. <!ENTITY entity "value">z
]>
T)r�r�r{r|r�rrz%Failed to restore GPO -- deleting...
zFailed to restore: %s)#r�r�r�rr�r�r�r��	MULTILINErC�superr�rr�r�r�r�rrrbr`r�r0r^r�rBr�r�r�rTr�r�r�r�r��cmd_del)r�rtr�rr�r�r�r�r��restore_metadatar��
entities_file�entities_content�keep_new_filesr�r��ext_filer�r�r�rYr��cmd��	__class__r4r5rost�����
�
�
�
���
��zcmd_restore.run)r;�NNNNNNN)r�r�r�rrr9rrrrrDrr�rr�r�
__classcell__r4r4r�r5r�s&���
D�r�c@rL)r�z
Delete a GPO.rFr�rar�r�rGNcCs�|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_|��zt	|j
|d�d}t|dd�}Wn
tyTt
d	|��wt|�\}	}
}t||
|j|jd
�}|j
��z[t|j
|�}t|�r�|j�d|�|D]}
t|j
|
d|�|j�d
|
d�q�t|j
|�}|j
�t�|j
dt|���|j
�t�|j
dt|���|j
�|�|�|�Wn
ty�|j
���w|j
��|j�d|�dS)NTrrSrlrmrXrrgrHr�zGPO %s is linked to containers
rBz    Removed link from %s.
r�r�zGPO %s deleted.
)rrUrrVrFrWrrZr�r|r`r�rTrr�r�r�r~rEr�r�r�rb�deleter^r_�deltreer�r�)r�rarr�r�r�r�rzr�rqr�rrr�r�r�r4r4r5r�sJ
�
�

�
zcmd_del.runrrKr4r4r4r5r��rOr�c@r�)�cmd_aclcheckz.Check all GPOs have matching LDAP and DS ACLs.r�r�r�r�r�r�rrNc	Csp|��|_|j|jdd�|_t|j|j|�|_|r(|�d�r(|dd�}||_nt|j|j�}t|j|j|d�|_|��t	|j
d�}|D]p}t|dd�}z	t|�\}	}
}Wn
t
yetd|��wt||
|j|jd	�}|�|tjtjBtjBtj�}
d
|vr�td��|d
d}ttj|���}t�|j
���}t||�}|
�|�|kr�td|
�|�||f��qEdS)
NTrrSrlrmrgrrnr�rczKCould not read nTSecurityDescriptor. This requires an Administrator accountz-Invalid GPO ACL %s on path (%s), should be %s)rrUrrVrZrWrFrr�r|r`r�r�r�rr��get_aclr	r-r.r/�SEC_FLAG_MAXIMUM_ALLOWEDr
r0rIr�r�r)r�rr�r�r�r�rzr�r�rqr�rrr�r�r�r�r��expected_fs_sddlr4r4r5rs>
�
�
��zcmd_aclcheck.runrrr4r4r4r5r�rr�c	@sfeZdZdZdZejejejd�Z	e
dddeddd	�e
d
deej
�e��d�d
�gZ		ddd�ZdS)�cmd_admxloadz Loads samba admx files to sysvolr�r�r�r�r�r�rrz
--admx-dirz)Directory where admx templates are storedz
samba/admx)rrrUNc
Cs.|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}d�	|j�
d	���d
dg�}z|�|�Wn%t
yt}	z|	jdd
krbtd��|	jddkrj�WYd}	~	nd}	~	wwt�|�D]�\}
}}|D]�}
|
�|d�}tj�	|
|
�}d�	||g��dd�}d�	||
g�}zt||�Wn%t
y�}	z|	jdd
kr�td��|	jddkrĂWYd}	~	nd}	~	wwt|d��0}z
|�||���Wnt
y�}	z|	jdd
kr�td��WYd}	~	nd}	~	wwWd�n	1�swYq�qz|j�d�dS)NTrrSrlrm�sysvolr�r�r��Policies�PolicyDefinitionsr�"�:The authenticated user does not have sufficient privilegesl5r;r�r�aInstalling ADMX templates to the Central Store prevents Windows from displaying its own templates in the Group Policy Management Console. You will need to install these templates from https://www.microsoft.com/en-us/download/102157 to continue using Windows Administrative Templates.
)rrUrrVrFrWrrZr�r0r�r�r�r�argsrr��walkr�r�r�r�r�r�r�r�)r�rr�r�r��admx_dirr�r��smb_dirrY�dirname�dirs�files�fname�path_in_admx�	full_path�sub_dir�smb_pathr�r4r4r5rTsn
���������������zcmd_admxload.runrs)r�r�r�rrr9rrrrrr�r�r�r0r�data_dirrrr4r4r4r5r�Bs"�
����r�c@s`eZdZdZdZejejejd�Z	e
dddeddd	�e
d
ddd
d�gZgd�Z
		ddd�ZdS)�cmd_add_sudoersa�Adds a Samba Sudoers Group Policy to the sysvol

This command adds a sudo rule to the sysvol for applying to winbind clients.

The command argument indicates the final field in the sudo rule.
The user argument indicates the user specified in the parentheses.
The users and groups arguments are comma separated lists, which are combined to
form the first field in the sudo rule.
The --passwd argument specifies whether the sudo entry will require a password
be specified. The default is False, meaning the NOPASSWD field will be
specified in the sudo entry.

Example:
samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg

The example command will generate the following sudoers entry:
fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL
    z7%prog <gpo> <command> <user> <users> [groups] [options]r�r�r�r�r�rrz--passwdrSFz;Specify to indicate that sudo entry must provide a password)rVrUr)ra�commandr%�userszgroups?Nc!
Cs�|��|_|	j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}
d	�
|
��d
|ddg�}d	�
|d
g�}zt�
t�|�|���}|���d�}|�d�}Wnity�}z]|jddvr�t�
t�d��}t�|��d�}t�|d�}d|_t�|d�}d|_t�|d�}d|_t�|d�}d|_t�|d�}t�|d�}d|_n|jddkr�td���WYd}~nd}~wwt�|d�}|r�t�|d �t�|d!�}||_t�|d"�}||_t�|d#�}|�d$�D]}t�|d%�}||_d"|jd&<�q|du�r.|��D]}t�|d%�}||_d'|jd&<�qt�} |j| d(dd)�| �d�zt||�|�|| ���WdSt�yh}z
|jddk�rctd���d}~ww)*NTrrSrlrmr�r�r�r�r��MACHINE\VGP\VTLA\Sudo�SudoersConfiguration�manifest.xml�
policysettingr�r��3�4�:�	vgppolicy�version�1rezSudo Policy�descriptionz!Sudoers File Configuration Policy�
apply_mode�merge�load_plugin�truer�r��
sudoers_entry�passwordr�r%�listelement�,�	principalr�group�UTF-8��encoding�xml_declaration) rrUrrVrFrWrrZr�r�r0r�r��ElementTreer�r��getroot�findrr��Element�
SubElement�textrrDr�r)r��seekr�r�r�)!r�rar�r%r��groups�passwdrr�r�r�r�r�r��vgp_dir�vgp_xml�xml_datarr�rY�pvrerr	rr
�command_elm�user_elmr�urrL�outr4r4r5r�s�
��
����


��zcmd_add_sudoers.run)NNNNNN�r�r�r�rrr9rrrrrr�rrDrr4r4r4r5r��s$�
����r�c@�LeZdZdZdZejejejd�Z	e
dddeddd	�gZd
gZ
ddd
�ZdS)�cmd_list_sudoersz�List Samba Sudoers Group Policy from the sysvol

This command lists sudo rules from the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage sudoers list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rFr�r�r�r�r�rrraNc
Cs�|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}d	�
|��d
|ddg�}	z
t�
|�|	��}
Wn&ty|}z|jd
dvrlWYd}~dS|jd
dkrwtd���d}~ww|
�d�}|�d�}
|
�d�D]R}|�d�j}|�d�j}|�d�}g}|D]
}|�|�d��q�t|�d
kr�d�
dd�|D��}nd}|�d�dk}|r�dnd}d||||f}|j�d |�q�dS)!NTrrSrlrmr�r�r�r�r�r�z!SudoersConfiguration\manifest.xmlrrr�r�rr�r
r�r%rrrcS�*g|]}|jddkr|jnd|j�qS�rr%z%s%%�r�r�rOr&r4r4r5�
<listcomp>J�
��z(cmd_list_sudoers.run.<locals>.<listcomp>�ALLr�
 NOPASSWD:r;�%s ALL=(%s)%s %s�%s
)rrUrrVrFrWrrZr�r�r0r�r�r�r�rr�rr�findallr�extendrEr�r�)r�rarr�r�r�r�r�r�r!r"rYrr��entryr�r%�listelements�
principalsr�uname�
nopassword�np_entry�pr4r4r5rs\
����





��zcmd_list_sudoers.runrr(r4r4r4r5r*��
��r*c@sNeZdZdZdZejejejd�Z	e
dddeddd	�gZd
dgZ
dd
d�ZdS)�cmd_remove_sudoersaRemoves a Samba Sudoers Group Policy from the sysvol

This command removes a sudo rule from the sysvol from applying to winbind clients.

Example:
samba-tool gpo manage sudoers remove {31B2F340-016D-11D2-945F-00C04FB984F9} 'fakeu ALL=(ALL) NOPASSWD: ALL'
    �%prog <gpo> <entry> [options]r�r�r�r�r�rrrar7Nc
Csh|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}	d	�
|	��d
|ddg�}
d	�
|
d
g�}zt�
t�|�|���}|���d�}
|
�d�}Wn#ty�}z|jddvrtd��|jddkr�td���d}~wwi}|�d�D]N}|�d�j}|�d�j}|�d�}g}|D]
}|�|�d��q�t|�dkr�d�
dd�|D��}nd}|�d�dk}|r�dnd }d!||||f}|||<q�||��vr�td"|��|�||�t�}|j|d#dd$�|�d�zt||
�|�||� ��WdSt�y3}z
|jddk�r.td���d}~ww)%NTrrSrlrmr�r�r�r�r�r�r�r�rr�rrz"The specified entry does not existr�r�r
r�r%rrrcSr+r,r-r.r4r4r5r/�r0z*cmd_remove_sudoers.run.<locals>.<listcomp>r1rr2r;r3�,Cannot remove '%s' because it does not existrr)!rrUrrVrFrWrrZr�r�r0r�r�rr�r�rrrr�rr5rr6rE�keysr�r)r�rr�r�r�)r�rar7rr�r�r�r�r�r�r r!r"rr�rY�entriesr�r%r8r9rr:r;r<r=r'r4r4r5rks�
����



�
�

��zcmd_remove_sudoers.runrr(r4r4r4r5r?Ss�
��r?c@�2eZdZdZiZe�ed<e�ed<e�ed<dS)�cmd_sudoersz#Manage Sudoers Group Policy Objectsr�r�r�N)r�r�r�r�subcommandsr�r*r?r4r4r4r5rE��

rEc@�ReZdZdZdZejejejd�Z	e
dddeddd	�gZgd
�Z
		ddd
�ZdS)�cmd_set_securitya
Set Samba Security Group Policy to the sysvol

This command sets a security setting to the sysvol for applying to winbind
clients. Not providing a value will unset the policy.
These settings only apply to the ADDC.

Example:
samba-tool gpo manage security set {31B2F340-016D-11D2-945F-00C04FB984F9} MaxTicketAge 10

Possible policies:
MaxTicketAge            Maximum lifetime for user ticket
                        Defined in hours

MaxServiceAge           Maximum lifetime for service ticket
                        Defined in minutes

MaxRenewAge             Maximum lifetime for user ticket renewal
                        Defined in minutes

MinimumPasswordAge      Minimum password age
                        Defined in days

MaximumPasswordAge      Maximum password age
                        Defined in days

MinimumPasswordLength   Minimum password length
                        Defined in characters

PasswordComplexity      Password must meet complexity requirements
                        1 is Enabled, 0 is Disabled
    rFr�r�r�r�r�rr)rar�value?Nc
Cs&|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}	|j�	d�}
d	�
|
��d
|dg�}d	�
|dg�}z.tdd
�}
t
|
_|	�|�}z|
�t|����Wnty~|
�t|�d���YnwWn%ty�}z|jddkr�td��|jddvr��WYd}~nd}~wwdddddddd�}||}|
�|�s�|
�|�|dur�|
�|||�n|
�||�t|
�|��dkr�|
�|�t�}|
�|�zt|	|�|	� |t!|�"���WdSt�y}z
|jddk�r
td���d}~ww)NTrrSrlrmr�r�r�r�r�z$MACHINE\Microsoft\Windows NT\SecEditzGptTmpl.inf��
interpolation�utf-16rr�r�)rr�Kerberos Policy�
System Access)�MaxTicketAge�
MaxServiceAge�MaxRenewAge�MinimumPasswordAge�MaximumPasswordAge�MinimumPasswordLength�PasswordComplexity)#rrUrrVrFrWrrZr�r�r0r�r'r��optionxformr��readfpr(�decode�UnicodeDecodeErrorrr�r�has_section�add_section�set�
remove_optionrEr9�remove_sectionr�r�r�r%�getvalue)r�rarr1rr�r�r�r�r�r��inf_dir�inf_file�inf_data�rawrY�section_map�sectionr'r4r4r5r�s|
��

������	




��zcmd_set_security.runrsr(r4r4r4r5rI�s �
���rIc@r))�cmd_list_securityaList Samba Security Group Policy from the sysvol

This command lists security settings from the sysvol that will be applied to winbind clients.
These settings only apply to the ADDC.

Example:
samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rFr�r�r�r�r�rrraNc
Cs�|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}d	�
|��d
|dg�}	z.tdd�}
t
|
_|�|	�}z|
�t|����Wntyw|
�t|�d
���YnwWn&ty�}z|jddkr�WYd}~dS|jddkr�td���d}~ww|
��D]}
|
dvr�q�|
�|
�D]\}}|j�d||f�q�q�dS)NTrrSrlrmr�r�r�r�r�z0MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.infrKrMrrr�r�)rNrO�%s = %s
)rrUrrVrFrWrrZr�r�r0r�r'r�rWr�rXr(rYrZrr�r�sectionsr�r�r�)r�rarr�r�r�r�r�r�rbrcrdrYrfr�r1r4r4r5rJsR
��

������zcmd_list_security.runrr(r4r4r4r5rg1�	�
��rgc@�(eZdZdZiZe�ed<e�ed<dS)�cmd_securityz$Manage Security Group Policy Objectsr]r�N)r�r�r�rrFrIrgr4r4r4r5rlu�

rlc@r))�cmd_list_smb_confz�List Samba smb.conf Group Policy from the sysvol

This command lists smb.conf settings from the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage smb_conf list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rFr�r�r�r�r�rrraNc
CsZ|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}d	�
|��d
|dg�}	ztt
j|�|	��}
Wn&ty|}z|jdd
krlWYd}~dS|jddkrwtd���d}~wwd}t��}
|
jD]$}t|j�|kr�|
�|jt|j��|
�	|j�}|j�d|j|f�q�dS)NTrrSrlrmr�r�r�r�r�zMACHINE\Registry.polrrr�r�� Software\Policies\Samba\smb_confrh)rrUrrVrFrWrrZr�r�r0r�r
rr�r�rr�rr�LoadParmrCr%�keynamer]�	valuenamer�r�r�r�)r�rarr�r�r�r�r�r��pol_file�pol_datarYrqrUr7�valr4r4r5r�sF
����
��zcmd_list_smb_conf.runrr(r4r4r4r5rn{r>rnc@rH)�cmd_set_smb_confa%Sets a Samba smb.conf Group Policy to the sysvol

This command sets an smb.conf setting to the sysvol for applying to winbind
clients. Not providing a value will unset the policy.

Example:
samba-tool gpo manage smb_conf set {31B2F340-016D-11D2-945F-00C04FB984F9} 'apply gpo policies' yes
    r@r�r�r�r�r�rr�ra�settingrJNc
sZ|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}	|j�	d�}
d	�
|
��d
|dg�}d	�
|dg�}ztt
j|	�|��}
Wn*ty�}z|jd
dvrqt
��}
n|jd
dkr|td���WYd}~nd}~ww|dur��dd�|
jD�vr�td����fdd�|
jD�}||
_t|�|
_nSt|���dvr�d}d}n"t|���dvr�d}d
}nt|���r�d}tt|��}nd}t|�}t
��}d|_t��|_||_||_t|
j�}|� |�||
_t|�|
_zt!|	|�|	�"|t#|
��WdSt�y,}z
|jd
dk�r'td���d}~ww)NTrrSrlrmr�r�r�r�r��MACHINEzRegistry.polr)rrr�r�cSsg|]}|j�qSr4�rr�rOrYr4r4r5r/�sz(cmd_set_smb_conf.run.<locals>.<listcomp>rAcsg|]	}|j�kr|�qSr4rzr{�rxr4r5r/�s
�)�yesrr�r@)�no�falser
ro)$rrUrrVrFrWrrZr�r�r0r�r
rr�r�rr�rrCrE�num_entriesr&�	isnumericrIr%r7rqrrrr�r�rHr�r�r)r�rarxr1rr�r�r�r�r�r��pol_dirrsrtrYrC�etyperur4r|r5r�s~
�
���
�




��zcmd_set_smb_conf.runrsr(r4r4r4r5rv��	�
���rvc@rk)�cmd_smb_confz$Manage smb.conf Group Policy Objectsr�r]N)r�r�r�rrFrnrvr4r4r4r5r�	rmr�c@r))�cmd_list_symlinkz�List VGP Symbolic Link Group Policy from the sysvol

This command lists symlink settings from the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage symlink list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rFr�r�r�r�r�rrraNc
CsN|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}d	�
|��d
|ddg�}	z
t�
|�|	��}
Wn&ty|}z|jd
dvrlWYd}~dS|jd
dkrwtd���d}~ww|
�d�}|�d�}
|
�d�D]}|�d�}|�d�}|j�d|j|jf�q�dS)NTrrSrlrmr�r�r�r�r��MACHINE\VGP\VTLA\UnixzSymlink\manifest.xmlrrr�r�rr��file_properties�source�targetzln -s %s %s
�rrUrrVrFrWrrZr�r�r0r�r�r�r�rr�rrr5r�r�r)r�rarr�r�r�r�r�r�r!r"rYrr�r�r�r�r4r4r5r;	sD
����




�zcmd_list_symlink.runrr(r4r4r4r5r�#	r>r�c@rH)�cmd_add_symlinkz�Adds a VGP Symbolic Link Group Policy to the sysvol

This command adds a symlink setting to the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target
    �'%prog <gpo> <source> <target> [options]r�r�r�r�r�rr�rar�r�Nc
Cs,|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}	|j�	d�}
d	�
|
��d
|dg�}d	�
|dg�}zt�
t�|	�|���}
|
���d
�}|�d�}WnWty�}zK|jddvr�t�
t�d��}
t�|
��d
�}t�|d�}d|_t�|d�}d|_t�|d�}d|_t�|d�}n|jddkr�td���WYd}~nd}~wwt�|d�}t�|d�}||_t�|d�}||_t�}|
j|ddd�|�d�zt|	|�|	�||���WdSt�y}z
|jddk�rtd���d}~ww)NTrrSrlrmr�r�r�r�r��MACHINE\VGP\VTLA\Unix\Symlinkr�rr�rrrrrrezSymlink PolicyrzSpecifies symbolic link datar�r�r�r�r�rr)rrUrrVrFrWrrZr�r�r0r�r�rr�r�rrrr�rrrrr)r�rr�r�r�)r�rar�r�rr�r�r�r�r�r�r r!r"rr�rYrr#rerr��
source_elm�
target_elmr'r4r4r5r|	sr
��
����

��zcmd_add_symlink.runrr(r4r4r4r5r�d	��
���r�c@rH)�cmd_remove_symlinkaRemoves a VGP Symbolic Link Group Policy from the sysvol

This command removes a symlink setting from the sysvol from appling to winbind clients.

Example:
samba-tool gpo manage symlink remove {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target
    r�r�r�r�r�r�rrr�Nc
Cs�|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}	|j�	d�}
d	�
|
��d
|dg�}d	�
|dg�}zt�
t�|	�|���}
|
���d
�}|�d�}Wn&ty�}z|jddvr�td||��|jddkr�td���d}~ww|�d�D]}|�d�}|�d�}|j|kr�|j|kr�|�|�nq�td||��t�}|
j|ddd�|�d�zt|	|�|	�||���WdSty�}z|jddkr�td���d}~ww)NTrrSrlrmr�r�r�r�r�r�r�rr�rrz>Cannot remove link from '%s' to '%s' because it does not existr�r�r�r�r�rr)rrUrrVrFrWrrZr�r�r0r�r�rr�r�rrrr�rr5rr�r)r�rr�r�r�)r�rar�r�rr�r�r�r�r�r�r r!r"rr�rYr�r�r�r'r4r4r5r�	sr
������


���

��zcmd_remove_symlink.runrr(r4r4r4r5r��	r�r�c@rD)�cmd_symlinkz#Manage symlink Group Policy Objectsr�r�r�N)r�r�r�rrFr�r�r�r4r4r4r5r�
rGr�c@r))�cmd_list_filesz�List VGP Files Group Policy from the sysvol

This command lists files which will be copied from the sysvol and applied to winbind clients.

Example:
samba-tool gpo manage files list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rFr�r�r�r�r�rrraNc
Cs�|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}d	�
|��d
|ddg�}	z
t�
|�|	��}
Wn&ty|}z|jd
dvrlWYd}~dS|jd
dkrwtd���d}~ww|
�d�}|�d�}
|
�d�D]1}|�d�j}|�d�j}|�d�j}|�d�j}t|�}dt|�||||f}|j�d|�q�dS)NTrrSrlrmr�r�r�r�r�r�zFiles\manifest.xmlrrr�r�rr�r�r�r�r%rz%s	%s	%s	%s -> %sr4)rrUrrVrFrWrrZr�r�r0r�r�r�r�rr�rrr5rr*r+r�r�)r�rarr�r�r�r�r�r�r!r"rYrr�r7r�r�r%r�moder=r4r4r5r3
sP
����


��zcmd_list_files.runrr(r4r4r4r5r�
r>r�c@rH)�
cmd_add_filesaAdd VGP Files Group Policy to the sysvol

This command adds files which will be copied from the sysvol and applied to winbind clients.

Example:
samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt /usr/share/doc/target.txt root root 600
    z=%prog <gpo> <source> <target> <user> <group> <mode> [options]r�r�r�r�r�rr)rar�r�r%rr�Nc#
Cs&|��|_|	j|jdd�|_tj�|�std|��|r+|�d�r+|dd�}||_	nt
|j|j�}t|j|j|d�|_	t|d|j|jd�}|j�
d	�}
d
�|
��d|dg�}d
�|d
g�}zt�t�|�|���}|���d�}|�d�}WnWty�}zK|jddvr�t�t�d��}t�|��d�}t�|d�}d|_t�|d�}d|_t�|d�}d|_t�|d�}n|jddkr�td���WYd}~nd}~wwt�|d�}t�|d�}tj�|�|_t�|d�}||_t�|d�}||_t�|d�}||_d D]@\}}t�|d!�}|�d"|�t|d#�d$|>@�rt�|d%�t|d#�d&|>@�r/t�|d'�t|d#�d(|>@�r?t�|d)�q�t�} |j| d*dd+�| � d�t!|d,��"�}!d
�|tj�|�g�}"zt#||�|�$|| �"��|�$|"|!�WdSt�y�}z
|jddk�r�td���d}~ww)-NTrzSource '%s' does not existrSrlrmr�r�r�r�r��MACHINE\VGP\VTLA\Unix\Filesr�rr�rrrrrre�Filesrz+Represents file data to set/copy on clientsr�r�r�r�r�r%r))r%�)rr�)�otherr�permissionsrr?r~r�r>r�r@�executerrr�)%rrUrrVr�r�r�rrFrWrrZr�r�r0r�r�rr�r�rrrr�rrrr�r]rIr)r�rr�r�r�r�)#r�rar�r�r%rr�rr�r�r�r�r�r�r r!r"rr�rYrr#rerr�r�r�r%�	group_elm�ptype�shiftr�r'�source_data�
sysvol_sourcer4r4r5ry
s�
��
�����

��zcmd_add_files.runrr(r4r4r4r5r�a
r�r�c@�ReZdZdZdZejejejd�Z	e
dddeddd	�gZd
dgZ
		dd
d�ZdS)�cmd_remove_filesaRemove VGP Files Group Policy from the sysvol

This command removes files which would be copied from the sysvol and applied to winbind clients.

Example:
samba-tool gpo manage files remove {31B2F340-016D-11D2-945F-00C04FB984F9} /usr/share/doc/target.txt
    z%prog <gpo> <target> [options]r�r�r�r�r�rrrar�Nc
Cs�|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}	d	�
|	��d
|dg�}
d	�
|
dg�}zt�
t�|�|���}|���d
�}
|
�d�}Wn%ty�}z|jddvr�td|��|jddkr�td���d}~ww|�d�D]%}|�d�}|�d�}|j|kr�d	�
|
|jg�}|�|�|�|�nq�td|��t�}|j|ddd�|�d�zt||
�|�||���WdSty�}z|jddkr�td���d}~ww)NTrrSrlrmr�r�r�r�r�r�r�rr�rrz1Cannot remove file '%s' because it does not existr�r�r�r�r�rr)rrUrrVrFrWrrZr�r�r0r�r�rr�r�rrrr�rr5r�unlinkr�r)r�rr�r�r�)r�rar�rr�r�r�r�r�r�r r!r"rr�rYr�r�r�r�r'r4r4r5r�
sn
�����




��

��zcmd_remove_files.runrr(r4r4r4r5r��
r�r�c@rD)�	cmd_filesz!Manage Files Group Policy Objectsr�r�r�N)r�r�r�rrFr�r�r�r4r4r4r5r�&rGr�c@r))�cmd_list_opensshz�List VGP OpenSSH Group Policy from the sysvol

This command lists openssh options from the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage openssh list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rFr�r�r�r�r�rrraNc
Csn|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}d	�
|��d
|ddg�}	z
t�
|�|	��}
Wn&ty|}z|jd
dvrlWYd}~dS|jd
dkrwtd���d}~ww|
�d�}|�d�}
|
�d�}|�d�D]#}|�d�jr�q�|�d�D]}|j�d|�d�j|�d�jf�q�q�dS)NTrrSrlrmr�r�r�r�r�zMACHINE\VGP\VTLA\SshCfgzSshD\manifest.xmlrrr�r�rr�r��
configsection�sectionname�keyvaluepairz%s %s
r�r1�rrUrrVrFrWrrZr�r�r0r�r�r�r�rr�rrr5rr�r�)r�rarr�r�r�r�r�r�r!r"rYrr�r�r��kvr4r4r5rEsN
����





���zcmd_list_openssh.runrr(r4r4r4r5r�-r>r�c@rH)�cmd_set_openssha"Sets a VGP OpenSSH Group Policy to the sysvol

This command sets an openssh setting to the sysvol for applying to winbind
clients. Not providing a value will unset the policy.

Example:
samba-tool gpo manage openssh set {31B2F340-016D-11D2-945F-00C04FB984F9} KerberosAuthentication Yes
    z'%prog <gpo> <setting> [value] [options]r�r�r�r�r�rrrwNc
CsD|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}	|j�	d�}
d	�
|
��d
|dg�}d	�
|dg�}zt�
t�|	�|���}
|
���d
�}|�d�}|�d�}Wnrty�}zf|jddvr�t�
t�d��}
t�|
��d
�}t�|d�}d|_t�|d�}d|_t�|d�}d|_t�|d�}d|_t�|d�}t�|d�}t�|d�}t�|d�n|jddkr�td���WYd}~nd}~ww|du�r.|�d�D]?}|�d�jr�q�i}|�d�D]	}|||�d �<q�||��v�r|||_q�t�|d�}t�|d �}||_t�|d!�}||_q�n9|�d�D]3}|�d�j�r>�q3i}|�d�D]}|||�d �j<�qE||��v�ra|�||��q3td"|��t�}|
j|d#dd$�|�d�zt|	|�|	�||� ��WdSt�y�}z
|jddk�r�td���d}~ww)%NTrrSrlrmr�r�r�r�r�zMACHINE\VGP\VTLA\SshCfg\SshDr�rr�r�rrrrrrezConfiguration Filerz+Represents Unix configuration file settingsr	r
r�r�r�r�r�r�r1rArr)!rrUrrVrFrWrrZr�r�r0r�r�rr�r�rrrr�rrrrr5rBr�r)r�rr�r�r�)r�rarxr1rr�r�r�r�r�r�r r!r"rr�r�rYrr#rerr	r��settingsr�r�r��dvaluer'r4r4r5r�s�
��

����
��

��zcmd_set_openssh.runrsr(r4r4r4r5r�qr�r�c@rk)�cmd_opensshz#Manage OpenSSH Group Policy Objectsr�r]N)r�r�r�rrFr�r�r4r4r4r5r��rmr�c@r))�cmd_list_startupz�List VGP Startup Script Group Policy from the sysvol

This command lists the startup script policies currently set on the sysvol.

Example:
samba-tool gpo manage scripts startup list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rFr�r�r�r�r�rrraNc
Cs�|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}d	�
|��d
|ddg�}	z
t�
|�|	��}
Wn&ty|}z|jd
dvrlWYd}~dS|jd
dkrwtd���d}~ww|
�d�}|�d�}
|
�d�D]6}|�d�}d	�
d	|��d
|dd|jg�}|�d�}|�d�}|dur�|j}nd}|j�d|||jf�q�dS)NTrrSrlrmr�r�r�r�r�r�zScripts\Startup\manifest.xmlrrr�r�rr�r�scriptzMACHINE\VGP\VTLA\Unix\Scripts�Startup�
parameters�run_as�rootz@reboot %s %s %sr�)r�rarr�r�r�r�r�r�r!r"rYrr�rr��script_pathr�r�r4r4r5rsX
����



�


��zcmd_list_startup.runrr(r4r4r4r5r��r>r�c@sbeZdZdZdZejejejd�Z	e
dddeddd	�e
d
ddd
dd�gZgd�Z
		ddd�ZdS)�cmd_add_startupz�Adds VGP Startup Script Group Policy to the sysvol

This command adds a startup script policy to the sysvol.

Example:
samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'
    z.%prog <gpo> <script> [args] [run_as] [options]r�r�r�r�r�rrz
--run-once�run_onceFrSz#Whether to run the script only oncerT)rar�zargs?zrun_as?Nc

Cs�|��|_|j|jdd�|_tj�|�std|��|r+|�d�r+|dd�}
||_	nt
|j|j�}
t|j|j|
d�|_	t|
d|j|jd�}|j�
d	�}d
�|��d|dg�}
d
�|
d
g�}zt�t�|�|���}|���d�}|�d�}WnWty�}zK|jddvr�t�t�d��}t�|��d�}t�|d�}d|_t�|d�}d|_t�|d�}d|_t�|d�}n|jddkr�td���WYd}~nd}~wwt|d���}t�|d�}t�|d�}tj�|�|_t�|d�}t�|�� ��!�|_|du�r
t�|d�}|�"d ��"d!�|_|du�rt�|d"�}||_|du�r&t�|d#�t#�}|j$|d$dd%�|�%d�d
�|
tj�|�g�}zt&||
�|�'||���|�'||�WdSt�yq}z
|jddk�rltd���d}~ww)&NTrzScript '%s' does not existrSrlrmr�r�r�r�r��%MACHINE\VGP\VTLA\Unix\Scripts\Startupr�rr�rrrrrrezUnix Scriptsrz6Represents Unix scripts to run on Group Policy clientsr�r�r�rr��hashr��"�'r�r�rr)(rrUrrVr�r�r�rrFrWrrZr�r�r0r�r�rr�r�rrrr�rrrr�r�r��hashlib�md5�	hexdigestr�rCr)r�rr�r�)r�rar�r�r�r�rr�r�r�r�r�r�r r!r"rr�rYrr#rer�script_datar�
script_elmr�r��
run_as_elmr'�
sysvol_scriptr4r4r5rRs�
��
�����




��zcmd_add_startup.runr�r(r4r4r4r5r�8s$�
�
���r�c@r�)�cmd_remove_startupz�Removes VGP Startup Script Group Policy from the sysvol

This command removes a startup script policy from the sysvol.

Example:
samba-tool gpo manage scripts startup remove {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
    z%prog <gpo> <script> [options]r�r�r�r�r�rrrar�Nc
Cs�|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}	d	�
|	��d
|dg�}
d	�
|
dg�}zt�
t�|�|���}|���d
�}
|
�d�}Wn%ty�}z|jddvr�td|��|jddkr�td���d}~ww|�d�D]}|�d�}|jtj�|�d	d��kr�|�|�nq�td|��t�}|j|ddd�|�d�zt||
�|� ||�!��WdSty�}z|jddkr�td���d}~ww)NTrrSrlrmr�r�r�r�r�r�r�rr�rrz3Cannot remove script '%s' because it does not existr�r�rr�r�rr)"rrUrrVrFrWrrZr�r�r0r�r�rr�r�rrrr�rr5rr�r�r�r�r�r)r�rr�r�r�)r�rar�rr�r�r�r�r�r�r r!r"rr�rYrr�r'r4r4r5r�sh
�����

��

��zcmd_remove_startup.runrr(r4r4r4r5r��r�r�c@rD)�cmd_startupz+Manage Startup Scripts Group Policy Objectsr�r�r�N)r�r�r�rrFr�r�r�r4r4r4r5r��rGr�c@seZdZdZiZe�ed<dS)�cmd_scriptsz#Manage Scripts Group Policy Objects�startupN)r�r�r�rrFr�r4r4r4r5r��sr�c@r))�
cmd_list_motdz�List VGP MOTD Group Policy from the sysvol

This command lists the Message of the Day from the sysvol that will be applied
to winbind clients.

Example:
samba-tool gpo manage motd list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rFr�r�r�r�r�rrraNc
C�*|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}d	�
|��d
|ddg�}	z
t�
|�|	��}
Wn&ty|}z|jd
dvrlWYd}~dS|jd
dkrwtd���d}~ww|
�d�}|�d�}
|
�d�}|j�|j�dS)NTrrSrlrmr�r�r�r�r�r�zMOTD\manifest.xmlrrr�r�rr�r�rrUrrVrFrWrrZr�r�r0r�r�r�r�rr�rrr�r�r�r�rarr�r�r�r�r�r�r!r"rYrr�rr4r4r5r
�>
����



zcmd_list_motd.runrr(r4r4r4r5r�
rjr�c@r�)�cmd_set_motdaSets a VGP MOTD Group Policy to the sysvol

This command sets the Message of the Day to the sysvol for applying to winbind
clients. Not providing a value will unset the policy.

Example:
samba-tool gpo manage motd set {31B2F340-016D-11D2-945F-00C04FB984F9} "Message for today"
    �%prog <gpo> [value] [options]r�r�r�r�r�rrrarJNc
C�*|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}	d	�
|	��d
|dg�}
d	�
|
dg�}|dur]|�|�dSz
t
�|�|��}Wnity�}
z]|
jd
dvr�t
�t
�d��}t
�|��d�}t
�|d�}d|_t
�|d�}d|_t
�|d�}d|_t
�|d�}d|_t
�|d�}t
�|d�}d|_n|
jd
dkr�td���WYd}
~
nd}
~
wwt
�|d�}||_t�}|j|ddd �|�d
�zt||
�|�||���WdSt�y}
z
|
jd
dk�rtd���d}
~
ww)!NTrrSrlrmr�r�r�r�r�zMACHINE\VGP\VTLA\Unix\MOTDr�rrrrrrre�	Text Filer�Represents a Generic Text Filer	r�r��filename�motdr�r�rrr�rrUrrVrFrWrrZr�r�r0r�r�r�r�r�rr�rrrrrrr)r�rr�r�r��r�rar1rr�r�r�r�r�r�r r!r"rYrr#rerr	r�r�rr'r4r4r5r\
�v
��

����

��zcmd_set_motd.runrsr(r4r4r4r5r�C
r�r�c@rk)�cmd_motdz.Manage Message of the Day Group Policy Objectsr�r]N)r�r�r�rrFr�r�r4r4r4r5r��
rmr�c@r))�cmd_list_issuez�List VGP Issue Group Policy from the sysvol

This command lists the Prelogin Message from the sysvol that will be applied
to winbind clients.

Example:
samba-tool gpo manage issue list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rFr�r�r�r�r�rrraNc
Cr�)NTrrSrlrmr�r�r�r�r�r�zIssue\manifest.xmlrrr�r�rr�rr�r�r4r4r5r�
r�zcmd_list_issue.runrr(r4r4r4r5r��
rjr�c@r�)�
cmd_set_issueaSets a VGP Issue Group Policy to the sysvol

This command sets the Prelogin Message to the sysvol for applying to winbind
clients. Not providing a value will unset the policy.

Example:
samba-tool gpo manage issue set {31B2F340-016D-11D2-945F-00C04FB984F9} "Welcome to Samba!"
    r�r�r�r�r�r�rrrarJNc
Cr�)!NTrrSrlrmr�r�r�r�r�zMACHINE\VGP\VTLA\Unix\Issuer�rrrrrrrer�rr�r	r�r�r��issuer�r�rrrr�r�r4r4r5rr�zcmd_set_issue.runrsr(r4r4r4r5r��
r�r�c@rk)�	cmd_issuez!Manage Issue Group Policy Objectsr�r]N)r�r�r�rrFr�r�r4r4r4r5r�Grmr�c@r))�cmd_list_accessz�List VGP Host Access Group Policy from the sysvol

This command lists host access rules from the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage access list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rFr�r�r�r�r�rrraNc
CsH|��|_|j|jdd�|_|r|�d�r|dd�}||_nt|j|j�}t|j|j|d�|_t|d|j|jd�}|j�	d�}d	�
|��d
|dg�}	z
t�
|�|	��}
Wn(ty}}z|jdd
vrgd}
n|jddkrrtd���WYd}~nd}~ww|
dur�|
�d�}|�d�}
|
�d�D]}|�d�}|�d�}|�d�}|j�d|j|jf�q�d	�
|��d
|dg�}	z
t�
|�|	��}Wn(ty�}z|jdd
vr�d}n|jddkr�td���WYd}~nd}~ww|du�r |�d�}|�d�}
|
�d�D] }|�d�}|�d�}|�d�}|j�d|j|jf��qdSdS)NTrrSrlrmr�r�r�r�r�z8MACHINE\VGP\VTLA\VASHostAccessControl\Allow\manifest.xmlrrr�r�rr�r�adobjectrer�z+:%s\%s:ALL
z7MACHINE\VGP\VTLA\VASHostAccessControl\Deny\manifest.xmlz-:%s\%s:ALL
r�)r�rarr�r�r�r�r�r�r!�allowrYrr�rr�rer��denyr4r4r5resv
�����




����





�zcmd_list_access.runrr(r4r4r4r5r�Mr>r�c@rH)�cmd_add_accessz�Adds a VGP Host Access Group Policy to the sysvol

This command adds a host access setting to the sysvol for applying to winbind
clients.

Example:
samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com
    z0%prog <gpo> <allow/deny> <cn> <domain> [options]r�r�r�r�r�rr)rar��cnr�Nc	!
Cs�|��|_|j|jdd�|_|r|�d�r|dd�}	||_nt|j|j�}	t|j|j|	d�|_t|	d|j|jd�}
|j�	d�}|d	krPd
�
|��d|dg�}n|d
kr`d
�
|��d|dg�}ntd|��d
�
|dg�}
zt
�t
�|
�|
���}|���d�}|�d�}Wn`ty�}zT|jddvr�t
�t
�d��}t
�|��d�}t
�|d�}d|_t
�|d�}d|_t
�|d�}d|_t
�|d�}d|_t
�|d�}n|jddkr�td���WYd}~nd}~wwt|j|j|d�}t|t�|j|jd �}|j|��tjd!|gd"�d#�}t|�dk�rtd$|��t|dd%d&�}|d'v�r-td(|��t
�|d)�}t
�|d*�}|� �|_t
�|d+�}|d,k�rUt|dd-d&�|_nt
�|d.�}d/|_d0|t|dd1d&�f|_t
�|d2�}t
�|d�}t|dd1d&�|_t
�|d3�}||_t
�|d*�}||_t!�} |j"| d4dd5�| �#d�zt$|
|�|
�%|
| �&��WdSt�y�}z
|jddk�r�td���d}~ww)6NTrrSrlrmr�r�r�r�r�r��+MACHINE\VGP\VTLA\VASHostAccessControl\Allowr��*MACHINE\VGP\VTLA\VASHostAccessControl\Deny�BThe entry type must be either 'allow' or 'deny'. Unknown type '%s'r�rr�rrrrrrezHost Access Controlrz0Represents host access control data (pam_access)r	r
r�r�r�z(cn=%s))�userPrincipalName�samaccountnamerr�z!Unable to find user or group "%s"r���)r%rz%s is not a user or grouprrr7r%r��	groupattr�samAccountNamez%s\%sr�r�r�rr)'rrUrrVrFrWrrZr�r�r0r�rr�rr�r�rrrr�rrrrrrs�	domain_dnr^�
SCOPE_SUBTREErEr&r�r)r�rr�r�r�)!r�rar�r�r�rr�r�r�r�r�r�r r!r"rr�rYrr#rerr	rWr`�res�objectclassrr7r�r��
domain_elmr'r4r4r5r�s�
����
�����
�


�

��zcmd_add_access.runrr(r4r4r4r5r��r�r�c@rH)�cmd_remove_accessaRemove a VGP Host Access Group Policy from the sysvol

This command removes a host access setting from the sysvol for applying to
winbind clients.

Example:
samba-tool gpo manage access remove {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com
    z2%prog <gpo> <allow/deny> <name> <domain> [options]r�r�r�r�r�rr)rar�rer�Nc	
Cs:|��|_|j|jdd�|_|r|�d�r|dd�}	||_nt|j|j�}	t|j|j|	d�|_t|	d|j|jd�}
|j�	d�}|d	krPd
�
|��d|dg�}n|d
kr`d
�
|��d|dg�}ntd|��d
�
|dg�}
zt
�t
�|
�|
���}|���d�}|�d�}Wn%ty�}z|jddvr�td|��|jddkr�td���d}~ww|�d�D]*}|�d�}|�d�}|�d�}|dur�|j|kr�|dur�|j|kr�|�|�nq�td|��t�}|j|ddd�|�d�zt|
|�|
�|
|���WdSt�y}z
|jddk�rtd���d}~ww)NTrrSrlrmr�r�r�r�r�r�r�r�r�r�r�rr�rrz0Cannot remove %s entry because it does not existr�r�rr�rer�rr)rrUrrVrFrWrrZr�r�r0r�rr�rr�r�rrrr�r5rr�r)r�rr�r�r�)r�rar�rer�rr�r�r�r�r�r�r r!r"rr�rYrr��name_elmr�r'r4r4r5rGs~
�������



��

��zcmd_remove_access.runrr(r4r4r4r5r�.r�r�c@rD)�
cmd_accessz'Manage Host Access Group Policy Objectsr�r�r�N)r�r�r�rrFr�r�r�r4r4r4r5r��rGr�c@sxeZdZdZiZe�ed<e�ed<e�ed<e�ed<e	�ed<e
�ed<e�ed<e�ed	<e
�ed
<e�ed<dS)
�
cmd_managezManage Group Policy Objects�sudoersr	�smb_conf�symlinkr��openssh�scriptsr�r��accessN)r�r�r�rrFrErlr�r�r�r�r�r�r�r�r4r4r4r5r��s








r�c@s�eZdZdZiZe�ed<e�ed<e�ed<e�ed<e	�ed<e
�ed<e�ed<e�ed	<e
�ed
<e�ed<e�ed<e�ed
<e�ed<e�ed<e�ed<e�ed<e�ed<dS)�cmd_gpoz%Group Policy Object (GPO) management.�listallr��show�getlink�setlink�dellink�listcontainers�getinheritance�setinheritance�fetch�create�del�aclcheckr��restore�admxload�manageN)r�r�r�rrFr�rrErMrPr_rbrcrerir�r�r�rtr�r�r�r4r4r4r5r��s(















r�)NN)FF)�r��samba.getopt�getoptr9r^r��xml.etree.ElementTree�etreerr�r�r��
samba.authr�samba.netcmdrrrr�samba.samdbrr&r�samba.dcerpcr	�	samba.ndrr
rr�samba.securityr
rr�samba.netcmd.commonrr�samba.samba3rr�rr�rr��samba.ntaclsrr�	samba.netr�samba.gp_parserrr�samba.gp_parse.gp_polr�samba.gp_parse.gp_inirrrr�samba.gp_parse.gp_csvr �samba.gp_parse.gp_infr!�samba.gp_parse.gp_aasr"�samba.credentialsr#r$�samba.commonr%r&�configparserr'�ior(r)�samba.vgp_files_extr*r+r�r6r:rNrRrZrbr-r.r/�SECINFO_SACLr|r~r�r��
IGNORECASEr�r��FILE_ATTRIBUTE_SYSTEMr��FILE_ATTRIBUTE_ARCHIVE�FILE_ATTRIBUTE_HIDDENr�r�r�r�r�r�r�rrErMrPr_rbrcrerirtr�r�r�r�r�r�r*r?rErIrgrlrnrvr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r4r4r4r5�<module>s


	���
�.&���
�%.%u0/Z'$,6;
$J?LxMavD?cAZVFmXDwJkT@_@_]a