source: branches/samba-3.5.x/source4/scripting/bin/get-descriptors

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago

Samba 3.5.0: Initial import
File size: 6.0 KB
Line 
1#!/usr/bin/python
2#
3# Unix SMB/CIFS implementation.
4# A script to compare differences of security descriotors between
5# a remote host and the local Ldb
6# Needs the local domain, the remote domain, IP of the remote host
7# Username and password for the remote domain, must be at least
8# Domain Administrator
9#
10# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
11# Copyright (C) Nadezhda Ivanova <nadezhda.ivanova@postpath.com> 2009
12#
13# Based on the original in EJS:
14# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
15#
16# This program is free software; you can redistribute it and/or modify
17# it under the terms of the GNU General Public License as published by
18# the Free Software Foundation; either version 3 of the License, or
19# (at your option) any later version.
20#
21# This program is distributed in the hope that it will be useful,
22# but WITHOUT ANY WARRANTY; without even the implied warranty of
23# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24# GNU General Public License for more details.
25#
26# You should have received a copy of the GNU General Public License
27# along with this program. If not, see <http://www.gnu.org/licenses/>.
28#
29
30import getopt
31import optparse
32import sys
33import os
34import base64
35import re
36
37sys.path.insert(0, "bin/python")
38
39import samba
40from samba.auth import system_session
41import samba.getopt as options
42from samba import param
43from samba.ndr import ndr_pack, ndr_unpack
44from samba.dcerpc import security
45from samba import Ldb
46from samba.samdb import SamDB
47from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
48
49parser = optparse.OptionParser("get-descriptor [options]")
50sambaopts = options.SambaOptions(parser)
51credopts = options.CredentialsOptions(parser)
52parser.add_option_group(credopts)
53
54parser.add_option("--local-domain", type="string", metavar="LOCALDOMAIN",
55 help="set local domain")
56parser.add_option("--remote-domain", type="string", metavar="REMOTEDOMAIN",
57 help="set remote domain")
58parser.add_option("--host", type="string", metavar="HOST",
59 help="Ip of the remote host used for comparison")
60parser.add_option("--as-ldif", help="Output in LDIF format", action="store_true")
61
62lp = sambaopts.get_loadparm()
63creds = credopts.get_credentials(lp)
64
65opts = parser.parse_args()[0]
66
67class DescrGetter:
68 def __init__(self, localdomain, remotedomain):
69 self.samdb = SamDB(session_info=system_session(), lp=lp, options=["modules:paged_searches"])
70 self.remote_ldb= Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp,
71 options=["modules:paged_searches"])
72 self.local_domain = localdomain.replace(".", ",DC=")
73 self.local_domain = "DC=" + self.local_domain
74 self.remote_domain = remotedomain.replace(".", ",DC=")
75 self.remote_domain = "DC=" + self.remote_domain
76 self.local_map = {}
77 self.remote_map = {}
78
79 def get_domain_local_sid(self):
80 res = self.samdb.search(base=self.local_domain,expression="(objectClass=*)", scope=SCOPE_BASE)
81 self.local_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
82
83 def get_domain_remote_sid(self):
84 res = self.remote_ldb.search(base=self.remote_domain, expression="(objectClass=*)", scope=SCOPE_BASE)
85 self.remote_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
86
87 def add_to_ldif(self, dn, descr):
88 ldif_entry = ["dn: " + dn,
89 "changetype: modify",
90 "replace: nTSecurityDescriptor",
91 "nTSecurityDescriptor:: " + base64.b64encode(ndr_pack(descr))]
92
93 for line in ldif_entry:
94 length = 79
95 if len(line) <= length + 1:
96 print line
97 else:
98 for i in range(len(line) / length + 1):
99 if i == 0:
100 l = line[i * length:((i + 1) * length)]
101 else:
102 l = " " + line[(i * length):((i + 1) * length)]
103 print l
104 print "\n"
105
106 def write_as_sddl(self, dn, descr):
107 print dn
108 print descr + "\n"
109
110 def read_descr_by_base(self, search_base):
111 res = self.samdb.search(base=search_base + self.local_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
112 for entry in res:
113 dn = entry["dn"].__str__().replace(self.local_domain, "")
114
115 if "nTSecurityDescriptor" in entry:
116 desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
117 self.local_map[dn] = desc_obj
118
119 res = self.remote_ldb.search(base=search_base + self.remote_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
120 for entry in res:
121 dn = entry["dn"].__str__().replace(self.remote_domain, "")
122
123 if "nTSecurityDescriptor" in entry:
124 desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
125 self.remote_map[dn] = desc_obj
126
127 def read_desc(self):
128 self.read_descr_by_base("CN=Schema,CN=Configuration,")
129 self.read_descr_by_base("CN=Configuration,")
130 self.read_descr_by_base("")
131
132 def write_desc_to_ldif(self):
133 key_list_local = self.local_map.keys()
134 key_list_remote = self.remote_map.keys()
135 for key in key_list_remote:
136 if key in key_list_local:
137 sddl = self.remote_map[key].as_sddl(self.remote_sid)
138 sddl_local = self.local_map[key].as_sddl(self.local_sid)
139 if sddl != sddl_local:
140 descr = security.descriptor.from_sddl(sddl, self.local_sid)
141 if opts.as_ldif:
142 self.add_to_ldif(key + self.local_domain, descr)
143 else:
144 self.write_as_sddl(key, descr.as_sddl(self.local_sid))
145
146 def run(self):
147 self.get_domain_local_sid()
148 self.get_domain_remote_sid()
149 self.read_desc()
150 self.write_desc_to_ldif()
151
152desc = DescrGetter(opts.local_domain, opts.remote_domain)
153desc.run()
Note: See TracBrowser for help on using the repository browser.