summaryrefslogtreecommitdiffstats
path: root/source4/scripting/bin/get-descriptors
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /source4/scripting/bin/get-descriptors
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source4/scripting/bin/get-descriptors')
-rwxr-xr-xsource4/scripting/bin/get-descriptors154
1 files changed, 154 insertions, 0 deletions
diff --git a/source4/scripting/bin/get-descriptors b/source4/scripting/bin/get-descriptors
new file mode 100755
index 0000000..6e69222
--- /dev/null
+++ b/source4/scripting/bin/get-descriptors
@@ -0,0 +1,154 @@
+#!/usr/bin/env python3
+#
+# Unix SMB/CIFS implementation.
+# A script to compare differences of security descriotors between
+# a remote host and the local Ldb
+# Needs the local domain, the remote domain, IP of the remote host
+# Username and password for the remote domain, must be at least
+# Domain Administrator
+#
+# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
+# Copyright (C) Nadezhda Ivanova <nadezhda.ivanova@postpath.com> 2009
+#
+# Based on the original in EJS:
+# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import optparse
+import sys
+import base64
+
+sys.path.insert(0, "bin/python")
+
+import samba
+from samba.auth import system_session
+import samba.getopt as options
+from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc import security
+from samba import Ldb
+from samba.samdb import SamDB
+from ldb import SCOPE_SUBTREE, SCOPE_BASE
+
+parser = optparse.OptionParser("get-descriptors [options]")
+sambaopts = options.SambaOptions(parser)
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+
+parser.add_option("--local-domain", type="string", metavar="LOCALDOMAIN",
+ help="set local domain")
+parser.add_option("--remote-domain", type="string", metavar="REMOTEDOMAIN",
+ help="set remote domain")
+parser.add_option("--host", type="string", metavar="HOST",
+ help="Ip of the remote host used for comparison")
+parser.add_option("--as-ldif", help="Output in LDIF format", action="store_true")
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+opts = parser.parse_args()[0]
+
+if not opts.host or not opts.localdomain or not opts.remote_domain:
+ parser.print_usage()
+ sys.exit(1)
+
+class DescrGetter:
+
+ def __init__(self, localdomain, remotedomain):
+ self.samdb = SamDB(session_info=system_session(), lp=lp, options=["modules:paged_searches"])
+ self.remote_ldb= Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp,
+ options=["modules:paged_searches"])
+ self.local_domain = localdomain.replace(".", ",DC=")
+ self.local_domain = "DC=" + self.local_domain
+ self.remote_domain = remotedomain.replace(".", ",DC=")
+ self.remote_domain = "DC=" + self.remote_domain
+ self.local_map = {}
+ self.remote_map = {}
+
+ def get_domain_local_sid(self):
+ res = self.samdb.search(base=self.local_domain,expression="(objectClass=*)", scope=SCOPE_BASE)
+ self.local_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+
+ def get_domain_remote_sid(self):
+ res = self.remote_ldb.search(base=self.remote_domain, expression="(objectClass=*)", scope=SCOPE_BASE)
+ self.remote_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+
+ def add_to_ldif(self, dn, descr):
+ ldif_entry = ["dn: " + dn,
+ "changetype: modify",
+ "replace: nTSecurityDescriptor",
+ "nTSecurityDescriptor:: " + base64.b64encode(ndr_pack(descr)).decode('utf8')]
+
+ for line in ldif_entry:
+ length = 79
+ if len(line) <= length + 1:
+ print(line)
+ else:
+ for i in range(len(line) / length + 1):
+ if i == 0:
+ l = line[i * length:((i + 1) * length)]
+ else:
+ l = " " + line[(i * length):((i + 1) * length)]
+ print(l)
+ print("\n")
+
+ def write_as_sddl(self, dn, descr):
+ print(dn)
+ print(descr + "\n")
+
+ def read_descr_by_base(self, search_base):
+ res = self.samdb.search(base=search_base + self.local_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
+ for entry in res:
+ dn = entry["dn"].__str__().replace(self.local_domain, "")
+
+ if "nTSecurityDescriptor" in entry:
+ desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
+ self.local_map[dn] = desc_obj
+
+ res = self.remote_ldb.search(base=search_base + self.remote_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"])
+ for entry in res:
+ dn = entry["dn"].__str__().replace(self.remote_domain, "")
+
+ if "nTSecurityDescriptor" in entry:
+ desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0])
+ self.remote_map[dn] = desc_obj
+
+ def read_desc(self):
+ self.read_descr_by_base("CN=Schema,CN=Configuration,")
+ self.read_descr_by_base("CN=Configuration,")
+ self.read_descr_by_base("")
+
+ def write_desc_to_ldif(self):
+ key_list_local = self.local_map.keys()
+ key_list_remote = self.remote_map.keys()
+ for key in key_list_remote:
+ if key in key_list_local:
+ sddl = self.remote_map[key].as_sddl(self.remote_sid)
+ sddl_local = self.local_map[key].as_sddl(self.local_sid)
+ if sddl != sddl_local:
+ descr = security.descriptor.from_sddl(sddl, self.local_sid)
+ if opts.as_ldif:
+ self.add_to_ldif(key + self.local_domain, descr)
+ else:
+ self.write_as_sddl(key, descr.as_sddl(self.local_sid))
+
+ def run(self):
+ self.get_domain_local_sid()
+ self.get_domain_remote_sid()
+ self.read_desc()
+ self.write_desc_to_ldif()
+
+desc = DescrGetter(opts.local_domain, opts.remote_domain)
+desc.run()