author | Andrew Bartlett <abartlet@samba.org> | 2012-10-05 10:19:17 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-10-09 15:24:44 +0200 |
commit | 2f0753b456c4d9b4eb52f128a83c8ba19adde160 (patch) | |
tree | 639c0718640bf25f86394e5bf5c104da0e754d10 /source4/scripting/python/samba/ntacls.py | |
parent | 1c35c22e62253835e1c82fd44fe8532f6e79dbb9 (diff) | |
samba-tool: skip chown in sysvolreset when it would fail on a GID
This skips the chown of the file when the requested owner SID (for example
the Domain Admins group) cannot own it because that SID maps only to a GID, not a UID.
This essentially papers over the problem, but may be enough to get us past
the Samba 4.0 release.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 9 15:24:44 CEST 2012 on sn-devel-104
Diffstat (limited to 'source4/scripting/python/samba/ntacls.py')
-rw-r--r-- | source4/scripting/python/samba/ntacls.py | 37 |
1 files changed, 35 insertions, 2 deletions
diff --git a/source4/scripting/python/samba/ntacls.py b/source4/scripting/python/samba/ntacls.py
index 2108a6432d4..44cbbe95591 100644
--- a/source4/scripting/python/samba/ntacls.py
+++ b/source4/scripting/python/samba/ntacls.py
@@ -21,7 +21,7 @@ import os
 import samba.xattr_native, samba.xattr_tdb, samba.posix_eadb
-from samba.dcerpc import security, xattr
+from samba.dcerpc import security, xattr, idmap
 from samba.ndr import ndr_pack, ndr_unpack
 from samba.samba3 import smbd
@@ -82,10 +82,43 @@ def getntacl(lp, file, backend=None, eadbfile=None, direct_db_access=True):
 return smbd.get_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL)
-def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True):
+def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True, skip_invalid_chown=False, passdb=None):
 sid = security.dom_sid(domsid)
 sd = security.descriptor.from_sddl(sddl, sid)
+ if not use_ntvfs and skip_invalid_chown:
+ # Check if the owner can be resolved as a UID
+ (owner_id, owner_type) = passdb.sid_to_id(sd.owner_sid)
+ if ((owner_type != idmap.ID_TYPE_UID) and (owner_type != idmap.ID_TYPE_BOTH)):
+ # Check if this particular owner SID was domain admins,
+ # because we special-case this as mapping to
+ # 'administrator' instead.
+ if sd.owner_sid == security.dom_sid("%s-%d" % (domsid, security.DOMAIN_RID_ADMINS)):
+ administrator = security.dom_sid("%s-%d" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
+ (admin_id, admin_type) = passdb.sid_to_id(administrator)
+
+ # Confirm we have a UID for administrator
+ if ((admin_type == idmap.ID_TYPE_UID) or (admin_type == idmap.ID_TYPE_BOTH)):
+
+ # Set it, changing the owner to 'administrator' rather than domain admins
+ sd2 = security.descriptor.from_sddl(sddl, sid)
+ sd2.owner_sid = administrator
+
+ smbd.set_nt_acl(file, security.SECINFO_OWNER |security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd2)
+
+ # and then set an NTVFS ACL (which does not set the posix ACL) to pretend the owner really was set
+ use_ntvfs = True
+ else:
+ raise XattrBackendError("Unable to find UID for domain administrator %s, got id %d of type %d" % (administrator, admin_id, admin_type))
+ else:
+ # For all other owning users, reset the owner to root
+ # and then set the ACL without changing the owner
+ #
+ # This won't work in test environments, as it tries a real (rather than xattr-based fake) 
chown
+
+ os.chown(file, 0, 0)
+ smbd.set_nt_acl(file, security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
+
 if use_ntvfs:
 (backend_obj, dbname) = checkset_backend(lp, backend, eadbfile)
 ntacl = xattr.NTACL() |
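Review bot: The new skip_invalid_chown path dereferences `passdb` unconditionally at `passdb.sid_to_id(sd.owner_sid)` even though the signature defaults it to None, so a caller that passes skip_invalid_chown=True without a passdb fails with an AttributeError instead of a clear error; add `if passdb is None: raise ValueError("passdb is required when skip_invalid_chown is set")` before the first sid_to_id call. The fallback branch's `os.chown(file, 0, 0)` follows symlinks, so if a symlink can be planted under sysvol by a user who is not root on the DC, this root-run reset would re-own the link target; `os.lchown(file, 0, 0)` (or skipping links) confines the effect to the sysvol entry itself. The two failure outcomes are also asymmetric — the Domain Admins case raises XattrBackendError when no UID is found, while the generic case silently replaces the requested owner with root and returns success — which may be the intended best-effort behaviour but deserves a comment in the fallback branch such as `# NOTE: the requested owner SID is discarded here; the file ends up root-owned and a later check will not see the SDDL owner`. setntacl's body continues outside the hunk, so whether the non-ntvfs path below re-applies SECINFO_OWNER cannot be seen here.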