diff options
Diffstat (limited to 'source4/scripting/bin/get-descriptors')
| -rwxr-xr-x | source4/scripting/bin/get-descriptors | 154 |
1 files changed, 154 insertions, 0 deletions
diff --git a/source4/scripting/bin/get-descriptors b/source4/scripting/bin/get-descriptors new file mode 100755 index 0000000..6e69222 --- /dev/null +++ b/source4/scripting/bin/get-descriptors @@ -0,0 +1,154 @@ +#!/usr/bin/env python3 +# +# Unix SMB/CIFS implementation. +# A script to compare differences of security descriotors between +# a remote host and the local Ldb +# Needs the local domain, the remote domain, IP of the remote host +# Username and password for the remote domain, must be at least +# Domain Administrator +# +# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008 +# Copyright (C) Nadezhda Ivanova <nadezhda.ivanova@postpath.com> 2009 +# +# Based on the original in EJS: +# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import optparse +import sys +import base64 + +sys.path.insert(0, "bin/python") + +import samba +from samba.auth import system_session +import samba.getopt as options +from samba.ndr import ndr_pack, ndr_unpack +from samba.dcerpc import security +from samba import Ldb +from samba.samdb import SamDB +from ldb import SCOPE_SUBTREE, SCOPE_BASE + +parser = optparse.OptionParser("get-descriptors [options]") +sambaopts = options.SambaOptions(parser) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) + +parser.add_option("--local-domain", type="string", metavar="LOCALDOMAIN", + help="set local domain") +parser.add_option("--remote-domain", type="string", metavar="REMOTEDOMAIN", + help="set remote domain") +parser.add_option("--host", type="string", metavar="HOST", + help="Ip of the remote host used for comparison") +parser.add_option("--as-ldif", help="Output in LDIF format", action="store_true") + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +opts = parser.parse_args()[0] + +if not opts.host or not opts.localdomain or not opts.remote_domain: + parser.print_usage() + sys.exit(1) + +class DescrGetter: + + def __init__(self, localdomain, remotedomain): + self.samdb = SamDB(session_info=system_session(), lp=lp, options=["modules:paged_searches"]) + self.remote_ldb= Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp, + options=["modules:paged_searches"]) + self.local_domain = localdomain.replace(".", ",DC=") + self.local_domain = "DC=" + self.local_domain + self.remote_domain = remotedomain.replace(".", ",DC=") + self.remote_domain = "DC=" + self.remote_domain + self.local_map = {} + self.remote_map = {} + + def get_domain_local_sid(self): + res = self.samdb.search(base=self.local_domain,expression="(objectClass=*)", scope=SCOPE_BASE) + self.local_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) + + def get_domain_remote_sid(self): + res = self.remote_ldb.search(base=self.remote_domain, expression="(objectClass=*)", scope=SCOPE_BASE) + self.remote_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) + + def add_to_ldif(self, dn, descr): + ldif_entry = ["dn: " + dn, + "changetype: modify", + "replace: nTSecurityDescriptor", + "nTSecurityDescriptor:: " + base64.b64encode(ndr_pack(descr)).decode('utf8')] + + for line in ldif_entry: + length = 79 + if len(line) <= length + 1: + print(line) + else: + for i in range(len(line) / length + 1): + if i == 0: + l = line[i * length:((i + 1) * length)] + else: + l = " " + line[(i * length):((i + 1) * length)] + print(l) + print("\n") + + def write_as_sddl(self, dn, descr): + print(dn) + print(descr + "\n") + + def read_descr_by_base(self, search_base): + res = self.samdb.search(base=search_base + self.local_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"]) + for entry in res: + dn = entry["dn"].__str__().replace(self.local_domain, "") + + if "nTSecurityDescriptor" in entry: + desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0]) + self.local_map[dn] = desc_obj + + res = self.remote_ldb.search(base=search_base + self.remote_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"]) + for entry in res: + dn = entry["dn"].__str__().replace(self.remote_domain, "") + + if "nTSecurityDescriptor" in entry: + desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0]) + self.remote_map[dn] = desc_obj + + def read_desc(self): + self.read_descr_by_base("CN=Schema,CN=Configuration,") + self.read_descr_by_base("CN=Configuration,") + self.read_descr_by_base("") + + def write_desc_to_ldif(self): + key_list_local = self.local_map.keys() + key_list_remote = self.remote_map.keys() + for key in key_list_remote: + if key in key_list_local: + sddl = self.remote_map[key].as_sddl(self.remote_sid) + sddl_local = self.local_map[key].as_sddl(self.local_sid) + if sddl != sddl_local: + descr = security.descriptor.from_sddl(sddl, self.local_sid) + if opts.as_ldif: + self.add_to_ldif(key + self.local_domain, descr) + else: + self.write_as_sddl(key, descr.as_sddl(self.local_sid)) + + def run(self): + self.get_domain_local_sid() + self.get_domain_remote_sid() + self.read_desc() + self.write_desc_to_ldif() + +desc = DescrGetter(opts.local_domain, opts.remote_domain) +desc.run() |