o

�/a@�@s4
dd
lm
Z

ddlmZ
ddlmZmZ
ddlm	Z	m
Z
mZ
ddlm
Z

ddlmZmZ
ddlmZ
ddlmZmZ
dd	lmZ
dd
lmZ
ddlZddlmZ
ddlmZmZm Z m!Z!
d
d�Z"Gdd�de�Z#Gdd�de�Z$Gdd�de�Z%Gdd�de�Z&Gdd�de�Z'Gdd�de�Z(Gdd�de �Z)dS)�)
�DONT_USE_KERBEROSN)�security�idmap)�setntacl�getntacl�
getdosinfo)
�Ldb)�
ndr_unpack�	ndr_print)
�SamDB)�param�passdb)
�	provision)
�system_session_unix)
�system_session)�Command�CommandError�SuperCommand�Optionc

Cs�d
}
|��}|dkrd}
t
��}|�|j�

|
r<z	tt�|d�}Wnty2
}
ztd|��
d}~w
w|�	dd|j
�
z|
rHt�|j
�
}W|St��}W|S


td�
�
)	NF�ROLE_ACTIVE_DIRECTORY_DCT��session_info�lp�Unable to open samdb:�passdb backend�
samba_dsdb:%sz2Unable to read domain SID from configuration files)�server_role�s3param�get_context�load�
configfilerr�	Exceptionr�set�urlr�dom_sid�
domain_sidr
�get_domain_sid)r�is_ad_dcr�s3conf�samdb�
er%�r+�4/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py�get_local_domain_sid(s0








�

��


��
r-c
@s�eZ
dZd
ZdZejejejd�Z	e
ddddd�e
d	d
ddd
gd�e
dddd�e
dddd�e
dddd�e
dddd�gZddgZ				ddd�
Z
dS) �
cmd_ntacl_setzSet ACLs on a file.z%prog <acl> <file> [options]��	sambaopts�credopts�versionoptsz-qz--quietzBe quiet�
store_true��help�action�--xattr-backend�choice�%xattr backend type (native fs or tdb)�native�tdb��typer5�choices�--eadb-file�0Name of the tdb file where attributes are stored�string�r5r=�--use-ntvfs�LSet the ACLs directly to the TDB or xattr for use with the ntvfs file server�
--use-s3fs�HSet the ACLs for use with the default s3fs file server via the VFS layer�	--servicez:Name of the smb.conf service to use when applying the ACLs�acl�fileFNcCsn|��}|	�
�}
t|
�
}|s|sd
|
�d�
v}n|rd}t|
||
t|�
t�||||d�	
|r5|�d�

dSdS)N�smb�server servicesF��	use_ntvfs�service�PPlease note that POSIX permissions have NOT been changed, only the stored NT ACL)�
get_logger�get_loadparmr-�getr�strr�warning)�selfrHrIrM�use_s3fs�quiet�
xattr_backend�	eadb_filer1r0r2rN�loggerrr%r+r+r,�run]s(












�

�zcmd_ntacl_set.run�	FFFNNNNNN��__name__�
__module__�__qualname__�__doc__�synopsis�options�SambaOptions�CredentialsOptions�VersionOptions�takes_optiongroupsr�
takes_options�
takes_argsr[r+r+r+r,r.Fs,


�

�


�



�r.c@s6eZ
dZd
ZdZejejejd�Z	dg
Z
ddd�
ZdS)	�cmd_dosinfo_getz"Get DOS info of a file from xattr.�%prog <file> [options]r/rINcCsB|��}t
��}|�|j�

t||
�}|r|j�t|�
�

dSdS)
N)	rQrrrr r�outf�writer
)rUrIr1r0r2rr(�dosinfor+r+r,r[�s





�zcmd_dosinfo_get.run�NNN)r^r_r`rarbrcrdrerfrgrir[r+r+r+r,rjxs



�rjc
@s�eZ
dZd
ZdZejejejd�Z	e
dddd�e
dd	d
ddgd
�e
dddd�e
dddd�e
dddd�e
dddd�gZdg
Z				ddd�
Z
dS)�
cmd_ntacl_getzGet ACLs of a file.rkr/z	--as-sddlzOutput ACL in the SDDL formatr3r4r7r8r9r:r;r<r?r@rArBrCzKGet the ACLs directly from the TDB or xattr used with the ntvfs file serverrEzKGet the ACLs for use via the VFS layer used by the default s3fs file serverrGz9Name of the smb.conf service to use when getting the ACLsrIFNc	Csz|��}t
|�
}|s|sd
|�d�
v}n|rd}t||
t�||||
d�}
|r3|j�|
�|�
d�

dS|j�t|
�
�

dS)NrJrKF��direct_db_accessrN�

)	rQr-rRrrrlrm�as_sddlr
)rUrIrMrVrtrXrYr1r0r2rNrr%rHr+r+r,r[�s"









�
zcmd_ntacl_get.runr\r]r+r+r+r,rp�s,



�

�


�



�rpc
@s�eZ
dZd
ZdZdeji
Zedddd�edd	d
d�edd
d
d�edddd�edddddgd�edddd
d�eddd
d�edddd
d�gZ	gd�
Z
			 	 	 	 			d#d!d"�
Zd S)$�cmd_ntacl_changedomsidzChange the domain SID for ACLsz9%prog <Orig-Domain-SID> <New-Domain-SID> <file> [options]r0rGz#Name of the smb.conf service to userArBrCrDr3r4rErFr?r@r7r8r9r:r;r<z-rz--recursivez;Set the ACLs for directories and their contents recursivelyz--follow-symlinkszFollow symlinksz-vz	--verbosez
Be verbose)�old_domain_sid�new_domain_sidrIFNc

s
���}
|	�
��t��
�
�	s|sd
��d�
v�	n|rd�	�	s$�s$td�
�
zt�|
�
�Wnty?
}
ztd|
|f�
�
d}~w
wzt�|�
�Wnty[
}
ztd||f�
�
d}~w
w�
�������	�
�f
dd����fdd	�}�|�

|
r�tj	�
|�
r�||�

�	r�|
�d
�

dSdS)NrJrKFz0Must provide a share name with --service=<share>zCould not parse old sid %s: %sc
sd
�r
�j�
d
|�

zt�|t��	�
��d�}
Wnty,
}
ztd||f�
�
d}~w
w|
���
}�r<�j�
d|�

��fdd�}||
j�
|
_||
j�
|
_|
j	r_|
j	j
D]}||j�
|_qV|
jro|
jj
D]}||j�
|_qf|
���
}�r~�j�
d|�

||kr��r��j�
d�

d	Szt
�||
�t��	�
��d
�	
WdSty�
}
ztd||f�
�
d}~w
w)Nz	file: %s
rqzCould not get acl for %s: %szbefore:
%s
c
s*|��\}
}|
�
krt
�d
�|f�
S|S)Nz%s-%i)�splitrr$)�sid�dom�rid)rwrvr+r,�replace_domain_sid(
s



zNcmd_ntacl_changedomsid.run.<locals>.changedom_sids.<locals>.replace_domain_sidz
after:
%s
znothing to do
TrLzCould not set acl for %s: %s)rlrmrrr!rrt�	owner_sid�	group_sid�sacl�aces�trustee�daclr)rIrHr*�	orig_sddlr|�ace�new_sddl)
r%rYrrwrvrUrNrM�verboserXr+r,�changedom_sids
sb









�
��























�	
��z2cmd_ntacl_changedomsid.run.<locals>.changedom_sidsc
sVtj
|�
d
�D]!\}
}}|D]}�tj�|
|��

q|D]}�tj�|
|��

qqdS)N)
�followlinks)�os�walk�path�join)rI�root�dirs�files�
f�
d)r��follow_symlinksr+r,�recursive_changedom_sidsN
s



��z<cmd_ntacl_changedomsid.run.<locals>.recursive_changedom_sidszQPlease note that POSIX permissions have NOT been changed, only the stored NT ACL.)rPrQr-rRrrr$r!r�r��isdirrT)rU�old_domain_sid_str�new_domain_sid_strrIrMrVrNrXrYr0�	recursiver�r�rZr*r�r+)r�r%rYr�rrwrvrUrNrMr�rXr,r[�sF







�



���



���9


�zcmd_ntacl_changedomsid.run)	FFNNNNFFF)r^r_r`rarbrcrdrgrrhrir[r+r+r+r,ru�sx

�


�

�

�


�



�



�


�



��(







�ruc@sPeZ
dZd
ZdZejejejd�Z	e
dddd�e
dd	dd�gZ	
	ddd
�
ZdS)�cmd_ntacl_sysvolresetz?Reset sysvol ACLs to defaults (including correct ACLs on GPOs).rkr/rCz/Set the ACLs for use with the ntvfs file serverr3r4rEz6Set the ACLs for use with the default s3fs file serverFNcCs�
|��}|�
|�
}|�t�

|��}|�d
d�}	|�d
d�}
z	tt�|d�}Wnty8
}
zt	d|��
d}~w
w|
sE|sEd|�d�
v}
n|rId}
t
�|j�
}
t
��}|�|j�

|�d	d
|j�
t
�t|
�
dtt
j�
�
}t
�t
j�
}t�|�d	�
�
}|�|�
\}}|tjkr�|tjkr�t	d|�
�
|�|�
\}}|tjkr�|tjkr�t	d
|�
�
|
r�|�d�

tj||	|
|||
|�d�
� �|�!�||
d�

dS)Nr��netlogon�sysvolrrrJrKFrr�
-zSID %s is not mapped to a UIDzSID %s is not mapped to a GIDrO�realm)
rM)"rQ�get_credentials�set_kerberos_staterrPrRrrr!rrr$r%rrrr r"r#rS�DOMAIN_RID_ADMINISTRATOR�SID_BUILTIN_ADMINISTRATORSr
�PDB�	sid_to_idr�ID_TYPE_UID�ID_TYPE_BOTH�ID_TYPE_GIDrTr�setsysvolacl�lower�	domain_dn)rUrMrVr1r0r2r�credsrZr�r�r)r*r%r(�LA_sid�BA_sid�	s4_passdb�LA_uid�LA_type�BA_gid�BA_typer+r+r,r[n
sT









�

��





�
�











�zcmd_ntacl_sysvolreset.run)FFNNN)
r^r_r`rarbrcrdrerfrgrrhr[r+r+r+r,r�_
s



�
�
�r�c@s0eZ
dZd
ZdZejejejd�Z	ddd�
Z
dS)�cmd_ntacl_sysvolcheckzBCheck sysvol ACLs match defaults (including correct ACLs on GPOs).rkr/Nc
Cs�|��}|
�
|�
}|�t�

|��}|�d
d�}|�d
d�}z	tt�|d�}	Wnty8
}

zt	d|
��
d}
~
w
wt
�|	j�
}t
�|	||||�d�
��|	��|�
dS)Nr�r�r�rrr�)rQr�r�rrPrRrrr!rrr$r%r�checksysvolaclr�r�)rUr1r0r2rr�rZr�r�r)r*r%r+r+r,r[�
s$











��



�zcmd_ntacl_sysvolcheck.runro)r^r_r`rarbrcrdrerfrgr[r+r+r+r,r��
s



�r�c@sPeZ
dZd
ZiZe�ed<e�ed<e�ed<e�ed<e	�ed<e
�ed<dS)	�	cmd_ntaclzNT ACLs manipulation.r"rR�changedomsid�sysvolreset�sysvolcheckrN)r^r_r`ra�subcommandsr.rprur�r�rjr+r+r+r,r��
s











r�)*�samba.credentialsr�samba.getopt�getoptrc�samba.dcerpcrr�samba.ntaclsrrr�sambar�	samba.ndrr	r
�samba.samdbr�samba.samba3rrr
r�samba.auth_utilrr��
samba.authr�samba.netcmdrrrrr-r.rjrprur�r�r�r+r+r+r,�<module>
s,









2/#C