%PDF- %PDF- Mini Shell
Mini Shell

Direktori : /lib/python3/dist-packages/samba/netcmd/__pycache__/
Current File : //lib/python3/dist-packages/samba/netcmd/__pycache__/gpo.cpython-312.pyc
�

�I�d]�����ddlZddlZddlmZddlZddlZddlmcm	Z
ddlZddlZddl
mZddlmZmZmZmZddlmZddlmZddlmZddlmZmZddlmZddlZddl
Zdd	l
mZm Z m!Z!dd
l"m#Z#ddlm$Z$ddl%m&Z'dd
lm(Z(ddl)Z)ddl*m+Z+ddlm,Z,ddl-m.Z.ddl/m0Z0m1Z1m2Z2ddl3m4Z4ddl5m6Z6m7Z7m8Z8m9Z9ddl:m;Z;ddl<m=Z=ddl>m?Z?ddlm@Z@ddl"mAZAddlBmCZCmDZDddlEmFZFddlGmHZHmIZIddlJmKZKmLZLddlMZMddlNZNddlOmPZPddlQmRZRmSZSmTZTmUZUmVZVddlWmXZXmYZYmZZZdd l[m\Z\dd!l]m^Z^dd"l_m`Z`maZambZbd#�Zcd$�Zdd%�Zed&�Zfd�d'�Zgdddej�ej�zej�zej�zfd(�Zld)�Zmd*�Znd+�Zoej�fd,�Zqd-�Zre'j�e'j�ze'j�ze'j�zZwd.�Zx		d�d/�ZyGd0�d1e�ZzGd2�d3ez�Z{Gd4�d5ez�Z|Gd6�d7ez�Z}Gd8�d9ez�Z~Gd:�d;ez�ZGd<�d=ez�Z�Gd>�d?ez�Z�Gd@�dAez�Z�GdB�dCez�Z�GdD�dEez�Z�GdF�dGez�Z�GdH�dIez�Z�GdJ�dKez�Z�GdL�dMez�Z�GdN�dOe��Z�GdP�dQez�Z�GdR�dSez�Z�GdT�dUe�Z�GdV�dWez�Z�GdX�dYe�Z�GdZ�d[ez�Z�Gd\�d]e�Z�Gd^�d_ez�Z�Gd`�dae�Z�Gdb�dce�Z�Gdd�dee�Z�Gdf�dgez�Z�Gdh�die�Z�Gdj�dke�Z�Gdl�dmez�Z�Gdn�doez�Z�Gdp�dqe�Z�Gdr�dse�Z�Gdt�duez�Z�Gdv�dwez�Z�Gdx�dye�Z�Gdz�d{e�Z�Gd|�d}ez�Z�Gd~�de�Z�Gd��d�e�Z�Gd��d�ez�Z�Gd��d�ez�Z�Gd��d�e�Z�Gd��d�e�Z�Gd��d�e�Z�Gd��d�ez�Z�Gd��d�e�Z�Gd��d�e�Z�Gd��d�ez�Z�Gd��d�e�Z�Gd��d�e�Z�Gd��d�ez�Z�Gd��d�ez�Z�Gd��d�e�Z�Gd��d�e�Z�Gd��d�e�Z�Gd��d�e�Z�Gd��d�e�Z�Gd��d�e�Z�Gd��d�e�Z�y)��N)�system_session)�Command�CommandError�Option�SuperCommand)�SamDB)�dsdb)�security)�
ndr_unpack�ndr_pack)�preg)� AUTH_SESSION_INFO_DEFAULT_GROUPS�AUTH_SESSION_INFO_AUTHENTICATED�#AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)�
netcmd_finddc)�policy)�libsmb_samba_internal)�
NTSTATUSError)�dsacl2fsacl)�nbt)�Net)�GPParser�GPNoParserException�GPGeneralizeException)�GPPolParser)�GPIniParser�GPTIniParser�GPFDeploy1IniParser�GPScriptsIniParser)�GPAuditCsvParser)�GptTmplInfParser)�GPAasParser)�param)�attr_default)�	get_bytes�
get_string)�ConfigParser)�StringIO�BytesIO)�	calc_mode�stat_from_mode)�str_regtype)�NT_STATUS_OBJECT_NAME_INVALID�NT_STATUS_OBJECT_NAME_NOT_FOUND�NT_STATUS_OBJECT_PATH_NOT_FOUND�NT_STATUS_OBJECT_NAME_COLLISION�NT_STATUS_ACCESS_DENIED)�create_directory_hier�smb_connection�
get_gpo_dn)�RegistryGroupPolicies)�REG_MULTI_SZ)�register_gp_extension�list_gp_extensions�unregister_gp_extensionc�^�tj|�}|sd}|Sdj|�}|S)zreturn gpo flags string�NONE� )r�
get_gpo_flags�join)�value�flags�rets   �2/usr/lib/python3/dist-packages/samba/netcmd/gpo.py�gpo_flags_stringrC[s5��� � ��'�E�����J��h�h�u�o���J�c�^�tj|�}|sd}|Sdj|�}|S)zreturn gplink options stringr;r<)r�get_gplink_optionsr>)r?�optionsrAs   rB�gplink_options_stringrHes6���'�'��.�G�����J��h�h�w����JrDc�8�g}|j�dk(r|S|jd�}|D]l}|s�|jd�}t|�dk7s|djd�st	d|z��|j|ddd	t
|d
�d���n|S)z.parse a gPLink into an array of dn and options��]�;�rz[LDAP://zBadly formed gPLink '%s'�N���dnrG)�strip�split�len�
startswith�RuntimeError�append�int)�gplinkrA�a�g�ds     rB�parse_gplinkr]os���
�C�
�|�|�~����
����S��A�
�;����
�G�G�C�L���q�6�Q�;�a��d�o�o�j�9��9�A�=�>�>��
�
�!�A�$�q�r�(�s�1�Q�4�y�9�:�
;��JrDc�6�djd�|D��}|S)z4Encode an array of dn and options into gPLink stringrJc3�6K�|]}d|d|dfz���y�w)z[LDAP://%s;%d]rQrGN�)�.0r[s  rB�	<genexpr>z encode_gplink.<locals>.<genexpr>�s#����M��"�a��g�q��|�%<�<�M�s�)r>)�gplistrAs  rB�
encode_gplinkrd�s��
�'�'�M�f�M�
M�C��JrDc�l�|�|�
	t||�}d|z}|S#t$r}td|��d}~wwxYw)zjIf URL is not specified, return URL for writable DC.
    If dc is provided, use that to construct ldap URLNzCould not find a DC for domain�ldap://)r�	ExceptionrV)�lp�creds�url�dc�es     rB�dc_urlrm�sR���{�
�:�
H�"�2�u�-���"�n���J���
H�"�#C�Q�G�G��
H�s��	3�.�3c��|j�}|jtj|d��|}d}tj}|�dtj
|�z}|�dtj
|�z}|�|}tj}	|j|||gd�d|zg��}	|	S#t$r}
|�d	|z}nd
}t||
��d}
~
wwxYw)z0Get GPO information using gpo, displayname or dnzCN=Policies,CN=Systemz"(objectClass=groupPolicyContainer)Nz.(&(objectClass=groupPolicyContainer)(name=%s))z5(&(objectClass=groupPolicyContainer)(displayname=%s)))�nTSecurityDescriptor�
versionNumberr@�name�displayName�gPCFileSysPath�gPCMachineExtensionNames�gPCUserExtensionNames�
sd_flags:1:%d)�base�scope�
expression�attrs�controlsz!Cannot get information for GPO %szCannot get information for GPOs)
�get_default_basedn�	add_child�ldb�Dn�SCOPE_ONELEVEL�
binary_encode�
SCOPE_BASE�searchrgr)�samdb�gpo�displaynamerQ�sd_flags�policies_dn�base_dn�search_expr�search_scope�msgrl�mesgs            rB�get_gpo_infor��s����*�*�,�K����#�&�&��(?�@�A��G�6�K��%�%�L�
��F��IZ�IZ�[^�I_�_����M�PS�Pa�Pa�bm�Pn�n��	�~����~�~��$��l�l��|�&1�";�&5�x�%?�$@��
B��$�J���$��?�6��<�D�4�D��4��#�#��$�s�B1�1	C�:C�Cc�z�d|z}	|j|dg��}|S#t$r}td|z|��d}~wwxYw)z lists dn of containers for a GPOz(&(objectClass=*)(gPLink=*%s*))�gPLink)ryrzz'Could not find container(s) with GPO %sN)r�rgr)r�r�r�r�rls     rB�get_gpo_containersr��sV��4�c�9�K�O��l�l�k�(��l�D���J���O��D�s�J�A�N�N��O�s��	:�5�:c��	|j|tjddg��d}d}tt
||��}d|vr[tt|dd��}|D];}|dj�|j�k(s�(|j|�d	}n
nt	d
��|st	d|z��tj�}	||	_|r4t|�}
tj|
tjd�|	d<n.tj|ddtjd�|	d
<	|j!|	�y#t$r}t	d|z|��d}~wwxYw#t$r}t	d|��d}~wwxYw)z!delete GPO link for the container�(objectClass=*)r��rwrxryrzr�Container '%s' does not existNFrQTz"No GPO(s) linked to this containerz%GPO '%s' not linked to this container�r0�d0z!Error removing GPO from container)r�r~r�rgr�strr4r]�lower�remove�MessagerQrd�MessageElement�FLAG_MOD_REPLACE�FLAG_MOD_DELETE�modify)r��container_dnr�r�rl�found�gpo_dnrcr[�m�
gplink_strs           rB�del_gpo_linkr��s���N��l�l��C�N�N�&7�"*���-�-.�0��
�E�
��E�3�'�
(�F��3���c�#�h�-��"2�3�4���	�A���w�}�}��&�,�,�.�0��
�
�a� ����		��?�@�@���B�S�H�I�I����
�A��A�D�
�"�6�*�
��$�$�Z��1E�1E�x�P��$���$�$�S��]�1�%5�s�7J�7J�H�U��$��C�
���Q���5�N��:�\�I�1�M�M��N��6�C��>��B�B��C�s/�'E�:E,�	E)�E$�$E)�,	F�5F�Fc���g}|jd�r|ddjdd�}n&|jd�r|ddjdd�}t|�dk7rtd|z��|S)	z;Parse UNC string into a hostname, a service, and a filepath�\\rMN�\z//�/�zInvalid UNC string: %s)rUrSrT�
ValueError)�unc�tmps  rB�	parse_uncr��sl��
�C�
�~�~�f���!�"�g�m�m�D�!�$��	����	��!�"�g�m�m�C��#��
�3�x�1�}��1�C�7�8�8��JrDc��tjd||��r
t�Stjd||��r
t�Stjd||��r
t	�Stjd||��r
t�Stjd||��r
t
�Stjd||��r
t
�Stjd||��r
t�Stjd	||��r
t�Stjd
||��r
t�Stjd||��r
t�St�S)Nzfdeploy1\.ini$�r@zaudit\.csv$z
GptTmpl\.inf$z	GPT\.INI$z
scripts\.ini$zpsscripts\.ini$z	GPE\.INI$z.*\.ini$z.*\.pol$z.*\.aas$)�re�matchrr r!rrrrrr")rqr@s  rB�find_parserr�s��	�x�x�!�4�u�5�"�$�$�	�x�x���E�2��!�!�	�x�x� �$�e�4��!�!�	�x�x��d�%�0��~��	�x�x� �$�e�4�!�#�#�	�x�x�"�D��6�!�#�#�	�x�x��d�%�0�
�z��	�x�x��T��/��}��	�x�x��T��/��}��	�x�x��T��/��}���:�rDc��d}tjj|�stj|�|g}|g}|�r?|j	�}|j	�}|j|t��}|jd���|D]�}	|dz|	dz}
tjj||	d�}|	dtjzr8|j|
�|j|�tj|��|j|
�}t||zd�5}
|
j|�ddd�t|	d�}|j!|�|j#|d	z���|r��>yy#1swY�DxYw)
N�.SAMBABACKUP��attribsc��|dS�Nrqr`��xs rB�<lambda>z2backup_directory_remote_to_local.<locals>.<lambda>+�
��A�f�I�rD��keyr�rq�attrib�wb�.xml)�os�path�isdir�mkdir�pop�list�
attr_flags�sortr>�libsmb�FILE_ATTRIBUTE_DIRECTORYrW�loadfile�open�writer��parse�	write_xml)�conn�	remotedir�localdir�SUFFIX�r_dirs�l_dirs�r_dir�l_dir�dirlistrl�r_name�l_name�data�f�parsers               rB� backup_directory_remote_to_localr� sK��
�F�
�7�7�=�=��"�
������]�F��\�F�
��
�
����
�
����)�)�E�:�)�6�����-��.��	2�A��T�\�A�f�I�-�F��W�W�\�\�%��6��3�F���{�V�<�<�<��
�
�f�%��
�
�f�%����� ��}�}�V�,���&�6�/�4�0�"�A��G�G�D�M�"�%�Q�v�Y�/�����T�"�� � ��&��1�	2�
� "�"�s�+F�F		c�v�tjj|�stj|�|g}|g}|r�|j	�}|j	�}|j|t��}|jd���|D]�}|dz|dz}	tjj||d�}
|dtjzr8|j|	�|j|
�tj|
��|j|	�}t|
d�j|���|r��yy)Nr�c��|dSr�r`r�s rBr�z0copy_directory_remote_to_local.<locals>.<lambda>Nr�rDr�r�rqr�r�)r�r�r�r�r�r�r�r�r>r�r�rWr�r�r�)r�r�r�r�r�r�r�r�rlr�r�r�s            rB�copy_directory_remote_to_localr�Ds���
�7�7�=�=��"�
������[�F��Z�F�
��
�
����
�
����)�)�E�:�)�6�����-��.��
	/�A��T�\�A�f�I�-�F��W�W�\�\�%��6��3�F���{�V�<�<�<��
�
�f�%��
�
�f�%����� ��}�}�V�,���V�T�"�(�(��.�
	/�
rDc��|j|�s|j|�|g}|g}|�r|j�}|j�}tj|�}	|	j�|	D]�}
tjj||
�}|dz|
z}tjj|�r5|j|�|j|�	|j|��|r	|j|���t|d�j�}
|j||
���|r��
yy#t$r|s�Y��wxYw#t$rY�QwxYw)Nr��rb)�chkpathr�r�r��listdirr�r�r>r�rWrr�r��read�savefile)r�r�r��ignore_existing_dir�keep_existing_filesr�r�r�r�r�rlr�r�r�s              rB�copy_directory_local_to_remoter�\s6���<�<�	�"��
�
�9���Z�F��[�F�
��
�
����
�
����*�*�U�#�������	,�A��W�W�\�\�%��+�F��T�\�A�%�F��w�w�}�}�V�$��
�
�f�%��
�
�f�%���J�J�v�&�
'���
�
�f�-� ��F�D�)�.�.�0���
�
�f�d�+�+	,�
��%��.��/���)����s$� D;�5E
�;E
�	E
�
	E�Ec��eZdZd�Zd�Zy)�
GPOCommandc�x�|�.tj�}td|z|j��tj
j
|�std|z��tj
j|d�}tj
j
|�st	j|�tj
j||�}tj
j
|�rtd|z��	t	j|�||fS#ttf$r}td|��d}~wwxYw)a�Ensure that the temporary directory structure used in fetch,
        backup, create, and restore is consistent.

        If --tmpdir is used the named directory must be present, which may
        contain a 'policy' subdirectory, but 'policy' must not itself have
        a subdirectory with the gpo name. The policy and gpo directories
        will be created.

        If --tmpdir is not used, a temporary directory is securely created.
        Nz5Using temporary directory %s (use --tmpdir to change))�filez'Temporary directory '%s' does not existrz8GPO directory '%s' already exists, refusing to overwritez%Error creating teporary GPO directory)�tempfile�mkdtemp�print�outfr�r�r�rr>r��IOError�OSError)�self�tmpdirr�r��gpodirrls      rB�construct_tmpdirzGPOCommand.construct_tmpdir�s���>��%�%�'�F��I�F�R��y�y�
"��w�w�}�}�V�$��H�6�Q�R�R��7�7�<�<���1���w�w�}�}�X�&��H�H�X�������h��,��
�7�7�=�=�� ��J�V�S�U�
U�	K��H�H�V���v�~�����!�	K��F��J�J��	K�s�D�D9�(D4�4D9c���	t|jt�|j|j��|_y#t$r}td|jz|��d}~wwxYw)z$make a ldap connection to the server�rj�session_info�credentialsrhzLDAP connection to %s failed N)rrjrrirhr�rgr)r�rls  rB�
samdb_connectzGPOCommand.samdb_connect�sY��	N��4�8�8�,:�,<�+/�:�:�$�'�'�C�D�J���	N��>����I�1�M�M��	N�s�:=�	A$�A�A$N)�__name__�
__module__�__qualname__r�r�r`rDrBr�r��s��!�FNrDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZdd�Z
y
)
�cmd_listallzList all GPOs.�%prog [options]��	sambaopts�versionopts�credopts�-H�--URL�%LDB URL for database or target server�URL�H��help�type�metavar�destNc
�B�|j�|_|j|jd��|_t	|j|j|�|_|j
�t|jd�}|D�]}|jjd|ddz�|jjd|ddz�|jjd|d	dz�|jjd
|jz�|jjdt|dd
�z�|jjdttt|dd���z�|jjd���y)NT��fallback_machine�GPO          : %s
rqr�display name : %s
rr�path         : %s
rs�dn           : %s
�version      : %s
rp�0�flags        : %s
r@�
)�get_loadparmrh�get_credentialsrirmrjr�r�r�r�r�rQr$rCrX)r�rrr	rr�r�s       rB�runzcmd_listall.run�sF���(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1��������4�:�:�t�,���	"�A��I�I�O�O�1�A�f�I�a�L�@�A��I�I�O�O�1�A�m�4D�Q�4G�G�H��I�I�O�O�1�A�6F�4G��4J�J�K��I�I�O�O�1�A�D�D�8�9��I�I�O�O�1�L��O�UX�4Y�Y�Z��I�I�O�O�1�4D�S��VW�Y`�bc�Id�Ee�4f�f�g��I�I�O�O�D�!�	"rD�NNNN�rrr�__doc__�synopsisrG�SambaOptions�VersionOptions�CredentialsOptions�takes_optiongroupsrr��
takes_optionsr!r`rDrBrr�sT��� �H��)�)��-�-��.�.���	�t�W�#J�QT��3�	(��M�
"rDrc��eZdZdZdZdgZejejejd�Z
edddedd	�
�gZ
d
d�Zy)�cmd_listzList GPOs for an account.z&%prog <username|machinename> [options]�accountnamerr
rrr
rrNc��	�|j�|_|j|jd��|_t	|j|j|�|_|j
�	|jjdtj|��dtj|��d���}|dj}	|jj|tjd	g�
�d}d|d	v}tt z}	|j
�$|j
j#d
�r	|	t$z}	t&j(j+|j|j||	��}
|
j,}g}d}
tj.|jt1|��j3�}	|jj|tjddg�
�d}d|v�r�t5t1|dd��}|D�]}|
s|dt6j8zs�|dt6j:zr�4	t<j>t<j@zt<jBz}|jj|dtjgd�d|zg��}|ddd}tEt<jF|�}	t&j<jM||t<jNt<jPzt<jRz�tWtY|ddd��}|r|t6jZzr��D|s|t6j\zr��[|j_|ddd|dddf����tWtY|dd��}|t6j`zrd}
||jjc�k(rn|j3�}��0|rd}nd}|jHjKd|�d|�d ��|D]*}|jHjKd!|d�d|d"�d ���,y#t$rtd|z��wxYw#t$rtd|z��wxYw#t$r%|jHjKd|dz�Y���wxYw#tT$r,|jHjKd|jz�Y���wxYw)#NTrz(&(|(samAccountName=z)(samAccountName=z$))(objectClass=User)))ryrzFailed to find account %s�objectClass)rwrxrz�computerz!Failed to find objectClass for %s�ldap)�lp_ctxrQ�session_info_flagsr��	gPOptionsrGrQ)rqrrr@rorv)rwrxrzr{roz8Failed to fetch gpo object with nTSecurityDescriptor %s
zFailed access check on %s
r@rrrqF�userz	GPOs for r<rz    rO)2rrhr rirmrjr�r�r�r~r�rQrgrr�rrrUr�samba�auth�user_session�security_tokenrr��parentr]r	�GPLINK_OPT_ENFORCE�GPLINK_OPT_DISABLEr
�
SECINFO_OWNER�
SECINFO_GROUP�SECINFO_DACLr�
descriptorr�r��access_check�SEC_STD_READ_CONTROL�SEC_ADS_LIST�SEC_ADS_READ_PROPrVrXr$�GPO_FLAG_MACHINE_DISABLE�GPO_FLAG_USER_DISABLErW�GPO_BLOCK_INHERITANCEr|)r�r-rrr	rr��user_dn�is_computerr3�session�token�gpos�inheritrQ�glistr[r��gmsg�secdesc_ndr�secdescr@�	gpoptions�msg_strs                        rBr!zcmd_list.run�s����(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1�������	J��*�*�#�#�%(�%6�%6�{�%C�S�EV�EV�Wb�Ec�0e�#�f�C��!�f�i�i�G�
	R��*�*�#�#�����}�o�#�^�_`�a�C�$��M�(:�:�K�?�=�>���8�8��D�H�H�$7�$7��$?��"E�E���*�*�)�)�$�*�*�T�W�W��=O�*�Q���&�&������
�V�V�D�J�J��G��
-�
4�
4�
6����*�*�#�#��3�>�>�(�T_�I`�#�a�bc�d�C��3��$�S��X��q�)9�%:�;���$Q�A�"�A�i�L�4�;R�;R�,R� ���|�d�&=�&=�=� �
!�$,�$:�$:�$,�$:�$:�%;�$,�$9�$9�%:�� $�z�z�0�0�a��g�S�^�^�8P�;J�X�;U�:V� 1� X��'+�1�g�.D�&E�a�&H��",�X�-@�-@�+�"N��!����3�3�G�U�4<�4Q�4Q�4<�4I�4I�5J�4<�4N�4N�5O�P� ��T�!�W�g�q� A�B�E�"���0M�0M�(M� �&�E�D�4N�4N�,N� ��K�K��a���!7��!:�D��G�F�O�A�<N� O�P�I$Q�N�L��k�1�=�>�I��4�5�5�5����T�Z�Z�2�2�4�4������B�c�f� �G��G��	�	���g�{�C�D��	:�A��I�I�O�O�Q�q�T�1�Q�4�8�9�	:��g�	J��:�[�H�I�I�	J���	R��B�[�P�Q�Q�	R��N%�!��	�	���(c�()�$��)0�1� �!��(�!��	�	���(E����(N�O� �!�s?�/AQ�7Q�B
Q:�AR+�Q�Q7�:*R(�'R(�+1S �S r")rrrr$r%�
takes_argsrGr&r'r(r)rr�r*r!r`rDrBr,r,�sY��#�7�H���J��)�)��-�-��.�.���	�t�W�#J���S�	2��M�
a:rDr,c��eZdZdZdZejejejd�Z	dgZ
edde��gZ
d
d	�Zy)�cmd_showzShow information for a GPO.�%prog <gpo> [options]rr�r
r�rrNc�	�|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_|j�	t|j|�d}	|dd}ttj|�}	|	j!�}
|j"j%d
|ddz�|j"j%d|d
dz�|j"j%d|ddz�d|vr$|j"j%d|ddz�d|vr$|j"j%d|ddz�|j"j%d|j&z�|j"j%dt)|dd�z�|j"j%dt+t-t)|dd���z�|j"j%d|
z�t/|d|j|j��}|jj1d�}dj3|j5�d|d g�}
g}d!D�]}	tt6j8|j;|
|z��}|jHD]�}|jJd#k(r�i}|jL|d$<|jJ|d%<||d&<tO|jP�|d'<|jR|d(<tQ|d(�tTk(r\|jPtVk(r8|d(jYd)�}|j[d*�j]d*�|d(<nt_|d(�|d(<|ja|�����"|j"j%d+�tcjd||j"d,�-�|j"j%d.�y#t$rtd|z��wxYw#t$rd	}
Y��pwxYw#t<$rM}|j>dt@tBtDfvrYd}~���|j>dtFk(rtd"���d}~wwxYw)/NTrrf��rkr�GPO '%s' does not existroz<hidden>rrqrrrrrsrtzMachine Exts : %s
ruzUser Exts    : %s
rrrprrr@zACL          : %s
�sysvol�rhri�realmr��Policiesz%s\Registry.pol)�MACHINE�USER�:The authenticated user does not have sufficient privilegesz
**delvals.�keyname�	valuename�classrr�z	utf-16-le�zPolicies     :
�)�indentr)3rrhr rirUrjrrmr�r�r�rgrrr
r@�as_sddlr�r�rQr$rCrXr3�getr>r�r
r�r�r�argsr-r.r/r1�entriesrerdr,rr��bytesr6�decode�rstriprSr�rW�json�dump)r�r�rrr	r�dc_hostnamer�rPrQ�secdesc_sddlr�r_�pol_file�policy_defs�policy_class�pol_datarl�entry�defsr�s                     rBr!zcmd_show.runZsC���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H�����	@��t�z�z�3�/��2�C�	&��4�5�a�8�K� ��!4�!4�k�B�G�"�?�?�,�L�	
�	�	���-��F��A��>�?��	�	���-��M�0B�1�0E�E�F��	�	���-��4D�0E�a�0H�H�I�%��,��I�I�O�O�1�C�8R�4S�TU�4V�V�W�"�c�)��I�I�O�O�1�C�8O�4P�QR�4S�S�T��	�	���-����6�7��	�	���-��S�/�SV�0W�W�X��	�	���-�0@��\�RU�W^�`a�Eb�Ac�0d�d�e��	�	���-��<�=��k�&�!%���$(�J�J�0��
�����G�$���9�9�e�k�k�m�Z�� 2�4�5����/�	)�L�
�%�d�i�i�&*�m�m�H�|�4K�&L�N��"�)�)�
)���?�?�l�2����"'�-�-��Y��$)�O�O��[�!� ,��W�
�*�5�:�:�6��V��$�z�z��V����V��%��.��z�z�\�1�#�F�|�2�2�;�?��'+�{�{�6�':�'@�'@��'H��V��'+�D��L�'9��V���"�"�4�(�!
)�	)�>	
�	�	���*�+��	�	�+�t�y�y��3��	�	������C�	@��8�3�>�?�?�	@���	&�%�L�	&��:!�
��6�6�!�9�!>�!@�!@�!B�B���6�6�!�9� 7�7�&�(H�I�I���
�s<�0Q�
2Q�,Q0�Q�Q-�,Q-�0	S�9 S�"S�Sr"�rrrr$r%rGr&r'r(r)rTrr�r*r!r`rDrBrVrVIsT��%�&�H��)�)��-�-��.�.�����J�	�t�A��L��M�RrDrVc
���eZdZdZdZejejejd�Z	dgZ
edde��edd	e��ed
ddd
gd��edddd
gd��edddd��gZ
				dd�Zy)�cmd_loada�Load policies onto a GPO.

    Reads json from standard input until EOF, unless a json formatted
    file is provided via --content.

    Example json_input:
    [
        {
            "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
            "valuename": "StartPage",
            "class": "USER",
            "type": "REG_SZ",
            "data": "homepage"
        },
        {
            "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
            "valuename": "URL",
            "class": "USER",
            "type": "REG_SZ",
            "data": "google.com"
        },
        {
            "keyname": "Software\Microsoft\Internet Explorer\Toolbar",
            "valuename": "IEToolbar",
            "class": "USER",
            "type": "REG_BINARY",
            "data": [0]
        },
        {
            "keyname": "Software\Policies\Microsoft\InputPersonalization",
            "valuename": "RestrictImplicitTextCollection",
            "class": "USER",
            "type": "REG_DWORD",
            "data": 1
        }
    ]

    Valid class attributes: MACHINE|USER|BOTH
    Data arrays are interpreted as bytes.

    The --machine-ext-name and --user-ext-name options are multi-value inputs
    which respectively set the gPCMachineExtensionNames and gPCUserExtensionNames
    ldap attributes on the GPO. These attributes must be set to the correct GUID
    names for Windows Group Policy to work correctly. These GUIDs represent
    the client side extensions to apply on the machine. Linux Group Policy does
    not enforce this constraint.
    {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is provided by default, which
    enables most Registry policies.
    rWrr�r
rrX�	--content�JSON file of policy inputs�--machine-ext-namerW�machine_exts�&{35378EAC-683F-11D2-A89A-00C04FBBCFA2}z;A machine extension name to add to gPCMachineExtensionNames)�actionr�defaultr�--user-ext-name�	user_extsz5A user extension name to add to gPCUserExtensionNamesz	--replace�
store_trueFz8Replace the existing Group Policies, rather than merging�r�r�rNc
��|�dg}|�dg}|�2tjtjj	��}
nUt
jj|�r+t|d�5}tj|�}
ddd�ntd��|j�|_|j|jd��|_t|j|j|�|_|j#�t%||j|j|j&|�}|D]}
|j)|
d��|D]}
|j)|
d��	|r|j+
�y|j-
�y#1swY��xYw#t.$r'}|j0dt2k(rtd	���d}~wwxYw)
Nr�r��$The JSON content file does not existTrrtrurrc)rq�loads�sys�stdinr�r�r��existsr��loadrrrhr rirmrjr�r5r��register_extension_name�	replace_s�merge_srrlr1)r�r�r�contentr�r��replacerr	rrv�r�reg�ext_namerls               rBr!zcmd_load.run�s�����D�E�L���A�B�I��?��*�*�S�Y�Y�^�^�%5�6�K�
�W�W�^�^�G�
$��g�t�$�
+��"�i�i��l��
+�
+��E�F�F��(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1�������#�C����$�*�*�d�j�j�!�L��$�	N�H��'�'��2L�M�	N�!�	K�H��'�'��2I�J�	K�
	���
�
�k�*����K�(�%
+�
+��&�	��v�v�a�y�3�3�"�$D�E�E���	�s*�*F�!F�5F�F�	G�"F>�>G)NNNNFNNNr{r`rDrBr}r}�s���0�d'�H��)�)��-�-��.�.�����J�	�t�A��L��{�!=�C�H��#��.�=�>�N�	P�	� ��+�=�>�H�	J�	�{�<��N�	P�
�M�(,���FJ�#rDr}c
���eZdZdZdZejejejd�Z	dgZ
edde��edd	e��ed
dgdd
��eddgdd��gZ
		dd�Zy)�
cmd_removeagRemove policies from a GPO.

    Reads json from standard input until EOF, unless a json formatted
    file is provided via --content.

    Example json_input:
    [
        {
            "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
            "valuename": "StartPage",
            "class": "USER",
        },
        {
            "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
            "valuename": "URL",
            "class": "USER",
        },
        {
            "keyname": "Software\Microsoft\Internet Explorer\Toolbar",
            "valuename": "IEToolbar",
            "class": "USER"
        },
        {
            "keyname": "Software\Policies\Microsoft\InputPersonalization",
            "valuename": "RestrictImplicitTextCollection",
            "class": "USER"
        }
    ]

    Valid class attributes: MACHINE|USER|BOTH
    rWrr�r
rrXr~rr�rWr�z@A machine extension name to remove from gPCMachineExtensionNames)r�r�rrr�r�z:A user extension name to remove from gPCUserExtensionNamesNc	�`�|�g}|�g}|�2tjtjj	��}	nUt
jj|�r+t|d�5}
tj|
�}	ddd�ntd��|j�|_|j|jd��|_t|j|j|�|_|j#�t%||j|j|j&|�}|D]}|j)|d��|D]}|j)|d��	|j+	�y#1swY��xYw#t,$r'}
|
j.dt0k(rtd���d}
~
wwxYw)	Nr�r�Trrtrurrc)rqr�r�r�r�r�r�r�r�r�rrrhr rirmrjr�r5r��unregister_extension_name�remove_srrlr1)r�r�rr�r�r�rr	rrvr�r�r�rls              rBr!zcmd_remove.runWs������L����I��?��*�*�S�Y�Y�^�^�%5�6�K�
�W�W�^�^�G�
$��g�t�$�
+��"�i�i��l��
+�
+��E�F�F��(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1�������#�C����$�*�*�d�j�j�!�L��$�	P�H��)�)�(�4N�O�	P�!�	M�H��)�)�(�4K�L�	M�	��L�L��%�
+�
+�� �	��v�v�a�y�3�3�"�$D�E�E���	�s$�(E1�E=�1E:�=	F-�"F(�(F-�NNNNNNNr{r`rDrBr�r�!s����@'�H��)�)��-�-��.�.�����J�	�t�A��L��{�!=�C�H��#��R�n�S�	U�	� ��R�k�M�	O�
	�M�KO�7;�rDr�c��eZdZdZdZejejejd�Z	dgZ
edde��gZ
		d
d	�Zy)�cmd_getlinkzList GPO Links for a container.�%prog <container_dn> [options]rr�r
rrXNc��|j�|_|j|jd��|_t	|j|j|�|_|j
�	|jj|tjddg��d}d|vr�|dr�|jjd|z�tt!|dd��}|D]�}t#|j|d	�
�}|jjd|dddz�|jjd
|dddz�|jjdt%|d�z�|jjd���y|jjd|z�y#t$rtd|z��wxYw)NTrr�r�r�rr�zGPO(s) linked to DN %s
rQ)rQz    GPO     : %s
rqz    Name    : %s
rrz    Options : %s
rGrzNo GPO(s) linked to DN=%s
)rrhr rirmrjr�r�r�r~r�rgrr�r�r]r�r�rH)	r�r�rrr	rr�rcr[s	         rBr!zcmd_getlink.run�s����(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1�������	O��*�*�#�#��S�^�^�/@�+3�*�$�6�67�9�C��s�?�s�8�}��I�I�O�O�6��E�F�!�#�c�(�m�A�&6�"7�8�F��
&��"�4�:�:�!�D�'�:���	�	��� 4�s�1�v�f�~�a�7H� H�I��	�	��� 4�s�1�v�m�7L�Q�7O� O�P��	�	��� 4�7L�Q�y�\�7Z� Z�[��	�	����%�
&�
�I�I�O�O�9�L�H�I���	O��>��M�N�N�	O�s�/1F5�5G
r"r{r`rDrBr�r�xs_��)�/�H��)�)��-�-��.�.���!�!�J�	�t�A��L��M�BF��JrDr�c	��eZdZdZdZejejejd�Z	ddgZ
edde��ed	d
ddd
��eddddd��gZ
		dd�Zy)�cmd_setlinkz(Add or update a GPO link to a container.�$%prog <container_dn> <gpo> [options]rr�r�r
rrXz	--disable�disabledFr�zDisable policy�rr�r�rz	--enforce�enforcedzEnforce policyNc	��|j�|_|j|jd��|_t	|j|j|�|_|j
�d}	|r|	tjz}	|r|	tjz}		t|j|��dtt|j|��}
	|jj!|t"j$ddg��d}d
}d|vrxt't|dd��}
d}d
}|
D]/}|dj)�|
j)�k(s�(|	|d<d}n|rtd
|z��|
j+d|
|	d��ng}
|
j-|
|	d��t/|
�}t#j0�}t#j2|j|�|_|r)t#j6|t"j8d�|d<n(t#j6|t"j:d�|d<	|jj=|�|j>jAd�tC�jE|||||�y#t$rtd|z��wxYw#t$rtd	|z��wxYw#t$r}td|��d}~wwxYw)NTrr�r�r\r�r�r�r�FrQrGz)GPO '%s' already linked to this containerrP�	new_valuezError adding GPO LinkzAdded/Updated GPO link
)#rrhr rirmrjr�r	r<r;r�r�rgrr�r4r�r~r�r]r��insertrWrdr�rrQr�r��FLAG_MOD_ADDr�r�r�r�r!)r�r�r�rr�r�rr	r�gplink_optionsr�r��existing_gplinkrcr�r[r�r�rls                   rBr!zcmd_setlink.run�s����(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1�����������d�5�5�5�N���d�5�5�5�N�	@������-�a�0��Z��
�
�C�0�1��	O��*�*�#�#��S�^�^�/@�+3�*�$�6�67�9�C� ���s�?�!�#�c�(�m�A�&6�"7�8�F�"�O��E��
���T�7�=�=�?�f�l�l�n�4�#1�A�i�L� �E��	
�
�"�#N�QT�#T�U�U��
�
�a��>�!J�K��F��M�M��N�C�D�"�6�*�
��K�K�M���v�v�d�j�j�,�/���� �/�/�
�C�<P�<P�RZ�[�A�k�N� �/�/�
�C�<L�<L�h�W�A�k�N�	;��J�J���a� �	
�	�	���2�3��
���,��9�h��L��_�	@��8�3�>�?�?�	@���	O��>��M�N�N�	O��D�	;��6��:�:��	;�s0�J�1J!�2J<�J�!J9�<	K�K�K)NFFNNNr{r`rDrBr�r��s���2�5�H��)�)��-�-��.�.���!�%�(�J�	�t�A��L��{��U�<�$�	&��{��U�<�$�	&�	�M�GL�7;�BMrDr�c��eZdZdZdZejejejd�Z	ddgZ
edde��gZ
		dd
�Zy	)�cmd_dellinkz!Delete GPO link from a container.r�r�	containerr�r
rrXNc�(�|j�|_|j|jd��|_t	|j|j|�|_|j
�	t|j|��dtj|j|�}t|j||�|jjd�t!�j#|||||�y#t$rtd|z��wxYw)NTrr�rr\zDeleted GPO link.
)rrhr rirmrjr�r�r�rgrr~rr�r�r�r�r!)r�r�r�rrr	rr�s        rBr!zcmd_dellink.runs����(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1�������	@������-�a�0��v�v�d�j�j�)�4���T�Z�Z��s�3��	�	���-�.��
���,��9�h��L��
�	@��8�3�>�?�?�	@�s�/C9�9Dr"r{r`rDrBr�r�sa��+�5�H��)�)��-�-��.�.����u�%�J�	�t�A��L��M�DH��MrDr�c��eZdZdZdZejejejd�Z	dgZ
edde��gZ
		d
d	�Zy)�cmd_listcontainersz%List all linked containers for a GPO.rWrr�r
rrXNc���|j�|_|j|jd��|_t	|j|j|�|_|j
�t|j|�}t|�rG|jjd|z�|D]#}|jjd|dz��%y|jjd|z�y)NTrzContainer(s) using GPO %s
z    DN: %s
rQzNo Containers using GPO %s
)rrhr rirmrjr�r�r�rTr�r�)r�r�rrr	rr�r�s        rBr!zcmd_listcontainers.run9s����(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1������� ����S�1���s�8��I�I�O�O�9�C�?�@��
:���	�	�����4�� 8�9�
:�
�I�I�O�O�:�S�@�ArDr"r{r`rDrBr�r�(s\��/�&�H��)�)��-�-��.�.�����J�	�t�A��L��M�9=��BrDr�c��eZdZdZdZejejejd�Z	dgZ
edde��gZ
		d
d	�Zy)�cmd_getinheritancez%Get inheritance flag for a container.r�rr�r
rrXNc�:�|j�|_|j|jd��|_t	|j|j|�|_|j
�	|jj|tjddg��d}d}d|vrt|dd�}|tjk(r|j j#d�y|j j#d	�y#t$rtd|z��wxYw)
NTrr�r4r�rr�z$Container has GPO_BLOCK_INHERITANCE
zContainer has GPO_INHERIT
)rrhr rirmrjr�r�r�r~r�rgrrXr	rGr�r�)r�r�rrr	rr��inheritances        rBr!zcmd_getinheritance.run]s���(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1�������	O��*�*�#�#��S�^�^�/@�+6�-�$�9�9:�<�C����#���c�+�.�q�1�2�K��$�4�4�4��I�I�O�O�C�D��I�I�O�O�9�:���	O��>��M�N�N�	O�s�/1D�Dr"r{r`rDrBr�r�Ls^��/�/�H��)�)��-�-��.�.���!�!�J�	�t�A��L��M�BF��;rDr�c��eZdZdZdZejejejd�Z	ddgZ
edde��gZ
		dd
�Zy	)�cmd_setinheritancez$Set inheritance flag on a container.z.%prog <container_dn> <block|inherit> [options]rr��
inherit_stater
rrXNc���|j�dk(rtj}n2|j�dk(rtj}nt	d|z��|j�|_|j|jd��|_t|j|j|�|_
|j�	|jj|tjddg��d	}tj"�}	tj$|j|�|	_d|vr2tj(t+|�tj,d�|	d<n1tj(t+|�tj.d�|	d<	|jj1|	�y#t $rt	d
|z��wxYw#t $r}
t	d|z|
��d}
~
wwxYw)
N�blockrMzUnknown inheritance state (%s)Trr�r4r�rr�r�z"Error setting inheritance state %s)r�r	rG�GPO_INHERITrrrhr rirmrjr�r�r�r~r�rgr�rrQr�r�r�r�r�)r�r�r�rrr	rr�r�r�rls           rBr!zcmd_setinheritance.run�s������ �G�+��4�4�K�
�
 �
 �
"�i�
/��*�*�K��?�-�O�P�P��(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1�������	O��*�*�#�#��S�^�^�/@�+6�-�$�9�9:�<�C�
�K�K�M���v�v�d�j�j�,�/����#�� �/�/��K�0@�#�BV�BV�Xc�d�A�k�N� �/�/��K�0@�#�BR�BR�T_�`�A�k�N�	X��J�J���a� ���	O��>��M�N�N�	O���	X��C�m�S�UV�W�W��	X�s$�1F3�G�3G�	G+�G&�&G+r"r{r`rDrBr�r�xsa��.�?�H��)�)��-�-��.�.���!�/�2�J�	�t�A��L��M�QU��"XrDr�c��eZdZdZdZejejejd�Z	dgZ
edde��edd	e��gZ
dd�Zy
)
�	cmd_fetchzDownload a GPO.rWrr�r
rrX�--tmpdir�,Temporary directory for copying policy filesNc�D�|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_|j�	t|j|�d}t|dd�}		t|	�\}
}}t!|||j|j�
�}
|j#||�\}}	t%|
||�|j&j)d|z�y#t$rtd|z��wxYw#t$rtd	|	z��wxYw#t$r}td|��d}~wwxYw)
NTrrfrZr[rr\rs�Invalid GPO path (%s)r^�Error copying GPO from DC�GPO copied to %s
)rrhr rirUrjrrmr�r�r�rgrr�r�r�r3r�r�r�r�)r�r�rr�rr	rrsr�r��dom_name�service�	sharepathr�r�rls                rBr!z
cmd_fetch.run�s����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H�����	@��t�z�z�3�/��2�C�
�#�&�'��*�+��	>�-6�s�^�*�X�w�	�
�k�7�t�w�w�$(�J�J�0���.�.�v�s�;����	?�*�4��F�C�	
�	�	���,�v�5�6��-�	@��8�3�>�?�?�	@���	>��6��<�=�=�	>���	?��:�A�>�>��	?�s0�0E�E*�#
F�E'�*F�	F�F�F�NNNNNr{r`rDrBr�r��sa���&�H��)�)��-�-��.�.�����J�	�t�A��L��z� N�UX�Y��M�
&7rDr�c	���eZdZdZdZejejejd�Z	dgZ
edde��edd	e��ed
ddd
��eddde��gZ
		dd�Zed��Zy)�
cmd_backupz
Backup a GPO.rWrr�r
rrXr�r�z--generalizez"Generalize XML entities to restoreFr��rr�r��
--entitiesz4File to export defining XML entities for the restore�ent_file)rrrNc		�&�|j�|_|j|jd��|_|r|j	d�r
|dd}	||_nGt
|j|j�}	t|j|j|	��|_|j�	t|j|�d}
t|
dd�}	t|�\}}
}t!|	|
|j|j�
�}|j#||�\}}	t%|||�|j&j)d|z�|r�|j&j)d
�t*j-|j&||�}ddl}dj1d�t3|j5�|j7d���D��}|rEt9|d�5}|j)|�ddd�|j&j)d|z�n6|j&j)d�|j&j)|�dD]T}||
vs�t9t:j<j1||dz�d�5}|j)|
|d�ddd��Vy#t$rtd|z��wxYw#t$rtd	|z��wxYw#t$r}td|��d}~wwxYw#1swY��xYw#1swY��xYw)NTrrfrZr[rr\rsr�r^r�r�z(
Attempting to generalize XML entities:
rJc3�jK�|]+}dj|djd�|d����-y�w)z<!ENTITY {} "{}
">rOz&;rN)�formatrR)ra�ents  rBrbz!cmd_backup.run.<locals>.<genexpr>.s9����^�!$�1�7�7��A����T�8J�C�PQ�F�S�^�s�13rOr��wz$Entities successfully written to %s
z
Entities:
�rtru�	.SAMBAEXTr�)rrhr rirUrjrrmr�r�r�rgrr�r�r�r3r�r�r�r�r��generalize_xml_entities�operatorr>�sorted�items�
itemgetterr�r�r�)r�r�rr��
generalizerr	rr�rsr�r�r�r�r�r�r�rl�entitiesr��entsr��exts                       rBr!zcmd_backup.run�s����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H�����	@��t�z�z�3�/��2�C�
�#�&�'��*�+��	>�-6�s�^�*�X�w�	�
�k�7�t�w�w�$(�J�J�0���.�.�v�s�;����	?�,�T�9�f�E�
	
�	�	���,�v�5�6���I�I�O�O�H�I�!�9�9�$�)�)�V�:@�B�H���7�7�^�(.�x�~�~�/?�X�EX�EX�YZ�E[�(\�^�^�D���(�C�(�"�A��G�G�D�M�"��	�	��� G� (�!)�*��	�	����0��	�	����%�I�	)�C��c�z��"�'�'�,�,�v�s�[�/@�A�4�H�)�A��G�G�C��H�Q�K�(�)�)�	)��W�	@��8�3�>�?�?�	@���	>��6��<�=�=�	>���	?��:�A�>�>��	?��"�"��)�)�sH�0J'�K�#
K�K:�L�'J?�K�	K7�&K2�2K7�:L�L	c��i}tjj|�stj|�|g}|g}|�r�|j	�}|j	�}tj
|�}|j
�|D�]�}	tjj||	�}
tjj||	�}tjj|
�rX|j|
�|j|�tjj|�r��tj|���|
jd�r}tjj|
�dd}t|�}
	t|
d�5}|j�}ddd�tj �}|
j#|||�}��Itjj)|
|�r��kt+j,|
|����|r���|S#1swY�txYw#t$$r|j'd|z�Y���wxYw)Nr����r�z%SKIPPING: Generalizing failed for %s
)r�r�r�r�r�r�r�r>r�rW�endswith�basenamer�r�r��ET�
fromstring�generalize_xmlrr��samefile�shutil�copy2)r��	sourcedir�	targetdirr�r�r�r�r�r�rlr�r��to_parser��ltempr��concrete_xml�found_entitiess                  rBr�z"cmd_backup.generalize_xml_entities@s������w�w�~�~�i�(��H�H�Y����������J�J�L�E��J�J�L�E��j�j��'�G��L�L�N��!
9�������e�Q�/�������e�Q�/���7�7�=�=��(��M�M�&�)��M�M�&�)��7�7�>�>�&�1�����(����v�.�$&�7�7�#3�#3�F�#;�C�R�#@��!,�X�!6��\�!%�f�c�!2�4�e�',�z�z�|��4�,.�=�=��+>�L�-3�-B�-B�<�QW�Ya�-b�N� "�w�w�/�/���?�"�L�L���8�C!
9�
�R��#4�4��
 5�\� �J�J�'O�RZ�'Z�[�\�s*�H�
H�0H�H	�H�H>�=H>)NNFNNNN)rrrr$r%rGr&r'r(r)rTrr�r*r!�staticmethodr�r`rDrBr�r��s����&�H��)�)��-�-��.�.�����J�	�t�A��L��z� N�UX�Y��~�$H��\�	3��|�"X��S�	*��M�IM�6:�?)�B�1��1rDr�c��eZdZdZdZejejejd�Z	dgZ
edde��edd	e��gZ
		dd�Zy
)
�
cmd_createzCreate an empty GPO.z%prog <displayname> [options]rr�r
rrXr�r�Nc���|j�|_|j|jd��|_t	|j|j��}|rc|jd�rR|dd}||_tjtjztjz}	|j||	��}
n�tjtjztjz}	|j|jjd�|	��}
|
j}t|j|j|�	�|_|j�t!|j"|�
�}|j$dkDrt'd|z��t)t+j,��}d
|j/�z}
|
|_|
j2}d|�d|�d|
��}|j5||
�\|_}||_	t;j<t:j>jA|d��t;j<t:j>jA|d��d}tCt:j>jA|d�d�jE|�tI|�\}}}||_%tM|||j|j��}||_'|j"jQ�	tS|j"|
�}tUjV�}||_,tUjZdtTj\d�|d<|j"j_|�tUjV�}tUj`|j"dt)|�z�|_,tUjZdtTj\d�|d<|j"j_|�tUjV�}tUj`|j"dt)|�z�|_,tUjZdtTj\d�|d<|j"j_|�tbjdtbjfztbjhz}t!|j"|
|��d}|dd}tktbjl|�jo�}tcjp|j"js��}tu||�}tbjljw||�}ty||�tbjdtbjfztbjhztbjzz}|j}|||�t|||�tUjV�}||_,tUjZ|tTj�d �|d!<tUjZ|tTj�d"�|d#<tUjZd$tTj�d%�|d&<tUjZd'tTj�d(�|d)<tUjZd$tTj�d*�|d+<d,g} |j"j�|| �-�|j"j��|�t�j�|j6�|j�jEd.|�d/|
�d0��y#tF$r}t'd|��d}~wwxYw#tF$r|j"j���wxYw)1NTr)rirhrfrZ)�addressr@r_)�domainr@r[)r�rz%A GPO already existing with name '%s'�{%s}r�z\sysvol\z
\Policies\�Machine�Userz[General]
Version=0
zGPT.INIr�zError Creating GPO filesr^�groupPolicyContainerr/�a01�
CN=User,%sr��
CN=Machine,%s)r�r�rorr�a02rs�a03rrp�a05�2�gpcFunctionalityVersion�a07r@�a04zpermissive_modify:0)r{zGPO 'z
' created as r)Grrhr rirrUrjr�NBT_SERVER_LDAP�
NBT_SERVER_DS�NBT_SERVER_WRITABLE�finddcrk�pdc_dns_namermr�r�r��countrr��uuid�uuid4�upper�gpo_name�
dns_domainr�r�r�r�r�r�r>r�r�rgr�r�r3r��transaction_startr4r~r�rQr�r��addrr
r=r>r?rr@rj�dom_sid�get_domain_sidr�	from_sddlr2�SECINFO_PROTECTED_DACL�set_aclr�r�r��transaction_commit�transaction_cancelr��rmtreer�)!r�r�rr�rr	r�netrsr@�	cldap_retr��guidr�r_�unc_pathr��gpt_contentsrlr�r�r�r�r�r��ds_sd_flags�	ds_sd_ndr�ds_sd�
domain_sid�sddl�fs_sd�sior{s!                                 rBr!zcmd_create.run�s����(�(�*����-�-�d�g�g��-�M��
���
�
�t�w�w�/��
����i�(��A�B�%�K��D�H��(�(��&�&�'��,�,�-�E��
�
�;�e�
�D�I��(�(��&�&�'��,�,�-�E��
�
�$�'�'�+�+�g�*>�e�
�L�I�#�0�0�K��d�g�g�t�z�z�k�B�D�H������4�:�:�;�?���9�9�q�=��F��T�U�U��D�J�J�L�!���t�z�z�|�#����
��$�$��9>��s�K��#�3�3�F�C�@����V����	>��H�H�R�W�W�\�\�&�)�4�5��H�H�R�W�W�\�\�&�&�1�2�7�L�������f�i�0�#�6�<�<�\�J�
*3�8�)<�&��7�I�"����k�7�t�w�w�$(�J�J�0����	��
�
�$�$�&�<	,���
�
�C�0�F����
�A��A�D��)�)�*@�#�BR�BR�Ta�b�A�e�H��J�J�N�N�1�����
�A��6�6�$�*�*�l�S��[�&@�A�A�D��)�)�+�s�7G�7G��W�A�e�H��J�J�N�N�1�����
�A��6�6�$�*�*�o��F��&C�D�A�D��)�)�+�s�7G�7G��W�A�e�H��J�J�N�N�1��$�1�1�#�1�1�2�#�0�0�1�K��t�z�z�s�[�I�!�L�C��2�3�A�6�I��x�2�2�I�>�F�F�H�E�"�)�)�$�*�*�*C�*C�*E�F�J��u�j�1�D��'�'�1�1�$�
�C�E�
"�$�	�2��)�)��)�)�*��(�(�)��2�2�3�C�
�L�L��E�3�/�
+�4���C����
�A��A�D��)�)�+�s�7K�7K�]�[�A�e�H��)�)�(�C�4H�4H�JZ�[�A�e�H��)�)�#�s�/C�/C�_�U�A�e�H��)�)�#�s�/C�/C�E^�_�A�e�H��)�)�#�s�/C�/C�W�M�A�e�H�-�.�H��J�J���a�(��3�

�J�J�)�)�+��>��M�M�$�+�+�&��	�	���k�3�G�H��]�	>��9�1�=�=��	>��H�	��J�J�)�)�+��	�s&�B!\)�?O]�)	]�2\>�>]�%]+r�r{r`rDrBr�r�usm���.�H��)�)��-�-��.�.��� ��J�	�t�A��L��z� N�UX�Y��M�
NR��~IrDr�c	����eZdZdZdZejejejd�Z	ddgZ
edde��ed	d
e��edde��ed
ddd��gZ
dd�Z		d�fd�	Z�xZS)�cmd_restorez!Restore a GPO to a new container.z/%prog <displayname> <backup location> [options]rr��backupr
rrXr�r�r�z8File defining XML entities to insert into DOCTYPE headerz--restore-metadataz7Keep the old GPT.INI file and associated version numberFr�r�c�<�d}tjj|�stj|�|g}|g}|�r�|j	�}|j	�}tj
|�}	|	j
�|	D�]�}
tjj||
�}tjj||
�}tjj|�rX|j|�|j|�tjj|�r��tj|���|jd�s��tjj|�dd}
t|
�}	t|d�5}|j�}d}|j|�r9|t!|�d}|j#t%j&||z|z��n'|j#t%j&||z��|j)|dd�ddd����|r���yy#1swY�xYw#t*$r^|dd|z}t-j.||dd�|j0j3d|
z�|j0j3d�Y��"ddl}|j7�|dd|z}t-j.||dd�|j0j3d	|z�|j0j3d�Y���xYw)
Nr�r�r�r�z&<?xml version="1.0" encoding="utf-8"?>zWARNING: No such parser for %s
z.WARNING: Falling back to simple copy-restore.
rz%WARNING: Error during parsing for %s
)r�r�r�r�r�r�r�r>r�rWr�r�r�r�r�rUrT�load_xmlr�r��write_binaryrr�r�r�r��	traceback�	print_exc)r�r�r��
dtd_headerr�r�r�r�r�r�rlr�r�r�r�r�r��xml_head�
original_filer,s                    rB� restore_from_backup_to_local_dirz,cmd_restore.restore_from_backup_to_local_dirs}�����w�w�~�~�i�(��H�H�Y����������J�J�L�E��J�J�L�E��j�j��'�G��L�L�N��4
_�������e�Q�/�������e�Q�/���7�7�=�=��(��M�M�&�)��M�M�&�)��7�7�>�>�&�1�����(����v�.�$&�7�7�#3�#3�F�#;�C�R�#@��!,�X�!6��#_�!%�f�c�!2�A�e�',�z�z�|��+S��#'�?�?�8�#<�,0��H�
��+?�D�%+�O�O�B�M�M�(�Z�BW�Z^�B^�4_�$`�$*�O�O�B�M�M�*�t�BS�4T�$U�!'� 3� 3�F�3�B�K� @�!A��%4
_�
�0A�A��$ 3�_�,2�3�B�K�&�,@�M�"�L�L���s���D� �I�I�O�O�,N�QY�,Y�Z� �I�I�O�O�,]�^�	_�,�%�/�/�1�-3�3�B�K�&�,@�M�"�L�L���s���D� �I�I�O�O�,T�W]�,]�^� �I�I�O�O�,]�^�s-�I�BH7�&I�7I	�<I�A#L�)A/Lc
���d}
tjj|�std|z��|��d}
tjj|�std|z��t	|d�5}|j�}t
jd|tj��	�td��|
|j�z
}
ddd�|
d	z
}
tt|�3||||||�	|j||j|
�|	}
t|j |j|j"d
|
��t%|j&|j(�}dD]�}tjj+||d
z�}tjj|�s�Ft	|d�5}|j�}ddd�t-j.�}||_t-j2t,j4|�||<|j&j7|���y#1swY��dxYw#1swY�wxYw#t8$r�}ddl}|j=�|j>jAtC|�dz�|j>jAd�tE�}|j|j(||||�td|z��d}~wwxYw)NrJz"Backup directory does not exist %sz<!DOCTYPE foobar [
zEntities file does not exist %sr�z*(\s*<!ENTITY\s*[a-zA-Z0-9_]+\s*.*?>)+\s*\Zr�zPEntities file does not appear to conform to format
e.g. <!ENTITY entity "value">z
]>
T)r�r�r�r�r�rrz%Failed to restore GPO -- deleting...
zFailed to restore: %s)#r�r�r�rr�r�r�r��	MULTILINErR�superr'r!r1r�r�r�r�r4r�rr>r~r�rQr�r�r�rgr,r-r�r�r��cmd_del)r�r�r(rr�r�rr	r�restore_metadatar.�
entities_file�entities_content�keep_new_filesr�r��ext_filer�r�r�rlr,�cmd�	__class__s                       �rBr!zcmd_restore.runas�����
��w�w�~�~�f�%��C�f�L�M�M���0�J��7�7�>�>�(�+�"�#D�#+�$,�-�-��h��$�	
7�
�#0�#5�#5�#7� ��8�8�I�,�B�L�L�B�EI�J�&�(G�H�H��.�4�4�6�6�
�	
7�
�(�"�J�
�k�4�$�[�!�V�Y�%-�{�	<�&	<��1�1�&�$�+�+�2<�
>�"2�1�N�
+�4�9�9�d�k�k�+/�>�>�?C�?M�
O�
 ��
�
�D�M�M�:�F�M�
)���7�7�<�<���k�0A�B���7�7�>�>�(�+��h��-�(�� �v�v�x��(����
�A�!�A�D� �/�/��c�6J�6J�03�5�A�c�F��J�J�%�%�a�(�
)�A	
7�	
7��F(�(���		<�����!��I�I�O�O�C��F�T�M�*��I�I�O�O�D�E��)�C��G�G�D�M�M�1�i��;�G��6��:�;�;��		<�sF�.AH&�*B5H?� H?�,H3�=A(H?�&H0�3H<	�8H?�?	K�B
K�K)rJr�)rrrr$r%rGr&r'r(r)rTrr�r*r1r!�
__classcell__)r<s@rBr'r's����+�@�H��)�)��-�-��.�.��� ��*�J�	�t�A��L��z� N�UX�Y��|�"\�cf�g��#�*c��\�	3�	�M�B_�Hei�/3�G<�G<rDr'c��eZdZdZdZejejejd�Z	dgZ
edde��gZ
		d
d	�Zy)r5z
Delete a GPO.rWrr�r
rrXNc	���|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_|j�	t|j|��d}t|dd�}t|�\}	}
}t||
|j|j�
�}|jj!�	t#|j|�}t%|�r`|j&j)d|z�|D]=}
t+|j|
d|�|j&j)d
|
dz��?t-|j|�}|jj/t1j2|jdt|�z��|jj/t1j2|jdt|�z��|jj/|�|j5|�|jj7�|j&j)d|z�y#t$rtd	|z��wxYw#t$r|jj9��wxYw)NTrrfrZr[r�rrsr\r^zGPO %s is linked to containers
rQz    Removed link from %s.
r�r�zGPO %s deleted.
)rrhr rirUrjrrmr�r�r�r�rgrr�r3rr�rTr�r�r�r4�deleter~r�deltreerr)r�r�rrr	rrsr�rr�r�r�r�r�r�s               rBr!zcmd_del.run�s`���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H�����	@��t�z�z�s�3�A�6�C��3�/�0��3�4�H�
*3�8�)<�&��7�I��k�7�t�w�w�$(�J�J�0��	
�
�
�$�$�&�	,�$�T�Z�Z��5�C��3�x��	�	��� B�S� H�I��M�A� ����Q�t�W�c�:��I�I�O�O�$A�A�d�G�$K�L�M�
 ��
�
�C�0�F��J�J���c�f�f�T�Z�Z���F��1K�L�M��J�J���c�f�f�T�Z�Z��3�v�;�1N�O�P��J�J���f�%�
�L�L��#�
�J�J�)�)�+��	�	���+�c�1�2��E�	@��8�3�>�?�?�	@��8�	��J�J�)�)�+��	�s�0+J.�(E
K	�.K�	%K.r"r{r`rDrBr5r5�s[���&�H��)�)��-�-��.�.�����J�	�t�A��L��M�9=��63rDr5c��eZdZdZdZejejejd�Z	e
dddedd�	�gZdd�Z
y
)
�cmd_aclcheckz.Check all GPOs have matching LDAP and DS ACLs.rrr
rrr
rrNc	��|j�|_|j|jd��|_t	|j|j|�|_|r|j
d�r
|dd}||_nGt|j|j�}t	|j|j|��|_|j�t|jd�}|D�]G}t|dd�}	t|�\}	}
}t||
|j|j�	�}|j!|t"j$t"j&zt"j(zt"j*�}
d
|vrtd��|d
d}t-t"j.|�j1�}t#j2|jj5��}t7||�}|
j1|�|k7s��'td|
j1|��d
|�d|����y#t$rtd|z��wxYw)NTrrfrZr[rsrr�r^rozKCould not read nTSecurityDescriptor. This requires an Administrator accountzInvalid GPO ACL z
 on path (z
), should be )rrhr rirmrjrUrr�r�r�r�r�r�rr3�get_aclr
r=r>r?�SEC_FLAG_MAXIMUM_ALLOWEDrr@rjrrr)r�rrr	rrsr�r�r�r�r�r�r�r$r r!r"�expected_fs_sddls                  rBr!zcmd_aclcheck.runs%���(�(�*����-�-�d�g�g��-�M��
��$�'�'�4�:�:�q�1���
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H������4�:�:�t�,���	O�A��a�(�)�!�,�-�C�
B�1:�3��.��7�I�
"�+�w�4�7�7�(,�
�
�4�D��L�L��H�,B�,B�X�E[�E[�,[�^f�^s�^s�,s�u}�vW�vW�X�E�%�Q�.�"�$L�M�M��0�1�!�4�I��x�2�2�I�>�F�F�H�E�"�)�)�$�*�*�*C�*C�*E�F�J�*�5�*�=���
�
�j�)�-=�=�"�V[�Vc�Vc�dn�Vo�qz�}M�$N�O�O�5	O��
�
B�"�#:�S�#@�A�A�
B�s�H9�9Ir"r#r`rDrBrCrC�sU��8� �H��)�)��-�-��.�.���	�t�W�#J�QT��3�	(��M�
-OrDrCc
���eZdZdZdZejejejd�Z	e
dddedd�	�e
d
deejjej �d��
�gZ		dd�Zy)�cmd_admxloadz Loads samba admx files to sysvolrrr
rrr
rrz
--admx-dirz)Directory where admx templates are storedz
samba/admx)rrr�Nc��|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}dj|jjd	�j�d
dg�}	|j|�t%j&|�D]�\}
}}|D]�}
|
j)|d�}t$j*j|
|
�}dj||g�j)dd�}dj||
g�}	t-||�t/|d�5}	|j1||j3��ddd�����|j4j7d�y#t$rC}	|	jdtk(rt!d
��|	jdt"k7r�Yd}	~	��3d}	~	wwxYw#t$rB}	|	jdtk(rt!d
��|	jdt"k7r�Yd}	~	��d}	~	wwxYw#t$r+}	|	jdtk(rt!d
��Yd}	~	��d}	~	wwxYw#1swY���xYw)NTrrfrZr[r]r^r�r_r`�PolicyDefinitionsrrcrJr�r�aInstalling ADMX templates to the Central Store prevents Windows from displaying its own templates in the Group Policy Management Console. You will need to install these templates from https://www.microsoft.com/en-us/download/102157 to continue using Windows Administrative Templates.
)rrhr rirUrjrrmr3r>rkr�r�rrlr1rr0r��walkr�r�r2r�r�r�r�r�)r�rrr	r�admx_dirrsr��smb_dirrl�dirname�dirs�files�fname�path_in_admx�	full_path�sub_dir�smb_pathr�s                   rBr!zcmd_admxload.runFs����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�)�)�T�W�W�[�[��1�7�7�9�'�)<�>�?��	��J�J�w��%'�G�G�H�$5�	Q� �G�T�5��
Q��&���x��<���G�G�L�L��%�8�	��)�)�W�l�$;�<�D�D�S�$�O���9�9�g�u�%5�6���)�$��8��)�T�*�Q�a�Q��
�
�h�����9�Q�Q�
Q�	Q�*	
�	�	���P�	Q��9�	��v�v�a�y�3�3�"�$D�E�E������=�=��>��		��%���v�v�a�y�$;�;�*�,L�M�M������&E�E��F��	��)�Q��6�6�!�9�(?�?�".�0P�#Q�Q�@��Q��Q�Q�s`�>G;�I
�1K�3 J�;	I�8I�I�
	J�8J�J�	K	�!!K	�K�K	�K�Kr�)rrrr$r%rGr&r'r(r)rr�r�r�r>r#�data_dirr*r!r`rDrBrIrI4s���*� �H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��|�"M��"�'�'�,�,�~�u�~�~�/?��"N�	P��M�FJ��8QrDrIc��eZdZdZdZejejejd�Z	e
dddedd�	�e
d
ddd
��gZgd�Z
		dd�Zy)�cmd_add_sudoersa�Adds a Samba Sudoers Group Policy to the sysvol

This command adds a sudo rule to the sysvol for applying to winbind clients.

The command argument indicates the final field in the sudo rule.
The user argument indicates the user specified in the parentheses.
The users and groups arguments are comma separated lists, which are combined to
form the first field in the sudo rule.
The --passwd argument specifies whether the sudo entry will require a password
be specified. The default is False, meaning the NOPASSWD field will be
specified in the sudo entry.

Example:
samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg

The example command will generate the following sudoers entry:
fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL
    z7%prog <gpo> <command> <user> <users> [groups] [options]rr
rrr
rrz--passwdr�Fz;Specify to indicate that sudo entry must provide a passwordr�)r��commandr5�userszgroups?Nc�X	�|j�|_|	j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|j�t||j|j|j|�}
|jjd�}d	j|j�d
|ddg�}d	j|d
g�}	tj tj"|j%|���}|j'�j)d�}|j)d�}tj6|d�}|rtj6|d�tj6|d�}||_tj6|d �}||_tj6|d!�}|j?d"�D].}tj6|d#�}||_d |j@d$<�0|�A|j?�D].} tj6|d#�}| |_d%|j@d$<�0tC�}!|jE|!d&d�'�|!jGd�	tI||�|jK||!jM��|
jOd�(�y#t*$�rA}|j,dt.t0t2fvr�tj tj4d��}tj6|j'�d�}tj6|d�}d|_tj6|d�}d|_tj6|d�}d|_tj6|d�}d|_tj6|d�}tj6|d�}d|_n"|j,dt:k(rt=d���Yd}~���d}~wwxYw#t*$r'}|j,dt:k(rt=d���d}~wwxYw))NTrrfrZr[r]r^r_r�r`�MACHINE\VGP\VTLA\Sudo�SudoersConfiguration�manifest.xml�
policysettingr�r�	vgppolicy�version�1rqzSudo Policy�descriptionz!Sudoers File Configuration Policy�
apply_mode�merge�load_plugin�truerc�
sudoers_entry�passwordrZr5�listelement�,�	principalr�group�UTF-8��encoding�xml_declaration��machine_changed)(rrhr rirUrjrrmr3r�r5r�rkr>r�r��ElementTreer�r��getroot�findrrlr-r.r/�Element�
SubElement�textr1rrSr�r)r��seekr2r�r��increment_gpt_ini)"r�r�rZr5r[�groups�passwdrrr	rrsr�r�r_�vgp_dir�vgp_xml�xml_datar`r�rl�pvrqrdrergri�command_elm�user_elmrk�urmr[�outs"                                  rBr!zcmd_add_sudoers.run�s����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��7�3�5�6���)�)�W�n�5�6��	��~�~�b�m�m�D�M�M�'�4J�&K�L�H�$�,�,�.�3�3�O�D�M� �%�%�f�-�D�4�
�
�d�O�<�
���M�M�-��4��m�m�M�9�=��"����=�=���7����
��m�m�M�=�A�����S�!�	.�A��
�
�k�;�?�I��I�N�'-�I���V�$�	.����\�\�^�
3���M�M�+�{�C�	�!"�	��+2�	� � ��(�
3�
�i�����s�W�d��C������	�!�$��0��M�M�'�3�8�8�:�.��!�!�$�!�7��c�	��v�v�a�y�:�<�<�>�>��>�>�"�*�*�[�*A�B�� "�
�
�h�.>�.>�.@�.=�!?�
��]�]�=�)�<������}�}�]�F�;��)��	� �m�m�M�=�I��#F�� ��]�]�=�,�G�
�")�
���}�}�]�F�;�� �m�m�D�-�@��#)�� ������5�5�"�$D�E�E��!��%	��d�	��v�v�a�y�3�3�"�$D�E�E���		�s2�A'L+�,>Q9�+
Q6�5D6Q1�1Q6�9	R)�"R$�$R))NNNNNN�rrrr$r%rGr&r'r(r)rr�r*rTr!r`rDrBrYrY�sz���&I�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��z�,��Q�	S��M�@�J�AE�?C�UrDrYc��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
gZ
d
d�Zy)�cmd_list_sudoersz�List Samba Sudoers Group Policy from the sysvol

This command lists sudo rules from the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage sudoers list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rWrr
rrr
rrr�Nc���|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|jjd�}d	j|j�d
|ddg�}		tj|j|	��}
|
��J|
j-d�}|j,d�}
|
j/d�D�]}|j-d�j0}|j-d�j0}|j/d�}g}|D]"}|j3|j/d���$t5|�d
kDrKdj|D�cgc]/}|j6ddk(r|j0nd|j0z��1c}�}nd}|j-d�du}|rdnd}|�d|�d|�d|��}|j8j;d |z���d	j|j�d
|d!g�}	t=t>j@|j|��}d"}|jBD]g}tE|jF�|k(s�tI|jJ�jM�s�@|j8j;d |jJz��iy#t$rP}|j d
t"t$t&fvrd}
n"|j d
t(k(rt+d���Yd}~��gd}~wwxYwcc}w#t$rL}|j d
t"t$t&fvrYd}~y|j d
t(k(rt+d���d}~wwxYw)#NTrrfrZr[r]r^r_r�r`r]z!SudoersConfiguration\manifest.xmlrrcr`r�rirZr5rkrmrlr�%s%%�ALLrj�
 NOPASSWD:rJ� ALL=(�)r<�%s
�MACHINE\Registry.pols1Software\Policies\Samba\Unix Settings\Sudo Rights)'rrhr rirUrjrrmr3rkr>r�r�r�r�rrlr-r.r/r1rrw�findallrz�extendrTr�r�r�rr
r�rmr%rdr&r�rR)r�r�rrr	rrsr�r_r�r�rlrr�ryrZr5�listelements�
principalsrkr��uname�
nopassword�np_entry�prurxrds                            rBr!zcmd_list_sudoers.runs����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�����G�$���)�)�U�[�[�]�J�� :� D�F�G��	��}�}�T�]�]�7�%;�<�H����]�]�?�3�F��6�;�;�v�&�D����o�6�
,���*�*�Y�/�4�4���z�z�&�)�.�.��$�}�}�]�;���
�#/�H�K��%�%�k�&9�&9�+�&F�G�H��z�?�Q�&��H�H�6@�&B�12�12����0@�F�0J�a�f�f�#�a�f�f�_�'-�&B�C�E�"�E�"�Z�Z�
�3�t�;�
�+5�<�2��*/��x��I���	�	�����
�+�
,�"�9�9�e�k�k�m�Z��5�7�8��
	�!�$�)�)�T�]�]�8�-D�E�H�K���%�%�	5�E�����'�7�2��u�z�z�*�0�0�2��	�	������� 3�4�	5��a�
	��v�v�a�y�:�<�<�>�>� �������5�5�"�$D�E�E����
	��.&B���	��v�v�a�y�:�<�<�>�>���v�v�a�y�3�3�"�$D�E�E���	�s=�$L9�.4N
�)N�9	N�AN
�
N�	O/�# O*�"O*�*O/r"r�r`rDrBr�r��sb���'�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��J�K5rDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
dgZ
dd
�Zy)�cmd_remove_sudoersaRemoves a Samba Sudoers Group Policy from the sysvol

This command removes a sudo rule from the sysvol from applying to winbind clients.

Example:
samba-tool gpo manage sudoers remove {31B2F340-016D-11D2-945F-00C04FB984F9} 'fakeu ALL=(ALL) NOPASSWD: ALL'
    �%prog <gpo> <entry> [options]rr
rrr
rrr�ryNc��|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|j�t||j|j|j|�}	|jjd�}
d	j|
j�d
|ddg�}d	j|d
g�}	tj tj"|j%|���}
|
j'�j)d�}|j)d�}d	j|
j�d
|dg�}	t9t:j<|j%|��}i}|r|j?d�ngD]�}|j)d�j@}|j)d�j@}|j?d�}g}|D]"}|jC|j?d���$tE|�dkDrKdj|D�cgc]/}|jFddk(r|j@nd|j@z��1c}�}nd}|j)d�du}|rdnd}|�d|�d |�d!|��}|||<��||jI�vr�|jK||�tM�}
jO|d"d�#�|jQd�	tS||�|jU||jW��|	jYd�$�y||r$|jZD�cgc]}|j\��c}ngvro|jZD�cgc]}|j\|k7s�|��}}tE|�|_/||_-	|jU|ta|��|	jYd�$�yt7d%|z��#t*$rP}|j,dt.t0t2fvrd}n"|j,dt4k(rt7d���Yd}~���d}~wwxYw#t*$rP}|j,dt.t0t2fvrd}n"|j,dt4k(rt7d���Yd}~���d}~wwxYwcc}w#t*$r'}|j,dt4k(rt7d���d}~wwxYwcc}wcc}w#t*$r'}|j,dt4k(rt7d���d}~wwxYw)&NTrrfrZr[r]r^r_r�r`r]r^r_r`r�rrcr�rirZr5rkrmrlrr�r�rjr�rJr�r�r<rorprs�,Cannot remove '%s' because it does not exist)1rrhr rirUrjrrmr3r�r5r�rkr>r�r�rur�r�rvrwrrlr-r.r/r1rrr
r�r�rzr�rTr��keysr�r)r�r{r2r�r�r|rmr��num_entriesr)r�r�ryrrr	rrsr�r�r_rr�r�r`r�rlrurxrmrZr5r�r�rkr�r�r�r�r�r�s                               rBr!zcmd_remove_sudoers.runys���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��7�3�5�6���)�)�W�n�5�6��
	��~�~�b�m�m�D�M�M�'�4J�&K�L�H�$�,�,�.�3�3�O�D�M� �%�%�f�-�D��9�9�e�k�k�m�Z��5�7�8��	�!�$�)�)�T�]�]�8�-D�E�H���26����o�.�B�	�A��f�f�Y�'�,�,�G��6�6�&�>�&�&�D��9�9�]�3�L��J�+�
D���!�!�+�"5�"5�k�"B�C�
D��:���"����2<�">�-.�-.�H�H�V�,<��,F�!�&�&��!�&�&��#)�">�?�������
�+�t�3�J�'1�|�r�H�&+�T�8�W�E�A��G�A�J�	�"�G�L�L�N�"��K�K����'��)�C��N�N�3��$�N�G��H�H�Q�K�
�%�d�G�4��
�
�g�s�x�x�z�2��%�%�d�%�;��X��(8�(8�9�1����9�2�
N�"*�"2�"2�F�Q�a�f�f��o�q�F�G�F�#&�w�<�H� �&�H��
��
�
�h���(:�;��%�%�d�%�;��M�$� %�&�
&��S�		��v�v�a�y�:�<�<�>�>��������5�5�"�$D�E�E����			���		��v�v�a�y�:�<�<�>�>� �������5�5�"�$D�E�E����			��(">��&!�
��6�6�!�9� 7�7�&�(H�I�I���	
��
:��F��!�
��6�6�!�9� 7�7�&�(H�I�I���	
�s{�A'Q�)R0�-4T
�.>T�>U�%U	�:U	�-U�	R-�AR(�(R-�0	T	�9AT�T	�	U�"T<�<U�	U>�"U9�9U>r"r�r`rDrBr�r�ase���/�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��!�J�h&rDr�c�P�eZdZdZiZe�ed<e�ed<e�ed<y)�cmd_sudoersz#Manage Sudoers Group Policy Objectsrr�r�N)rrrr$�subcommandsrYr�r�r`rDrBr�r��s1��-��K�(�*�K���*�,�K���.�0�K��rDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZgd
�Z
		d
d�Zy)�cmd_set_securitya
Set Samba Security Group Policy to the sysvol

This command sets a security setting to the sysvol for applying to winbind
clients. Not providing a value will unset the policy.
These settings only apply to the ADDC.

Example:
samba-tool gpo manage security set {31B2F340-016D-11D2-945F-00C04FB984F9} MaxTicketAge 10

Possible policies:
MaxTicketAge            Maximum lifetime for user ticket
                        Defined in hours

MaxServiceAge           Maximum lifetime for service ticket
                        Defined in minutes

MaxRenewAge             Maximum lifetime for user ticket renewal
                        Defined in minutes

MinimumPasswordAge      Minimum password age
                        Defined in days

MaximumPasswordAge      Maximum password age
                        Defined in days

MinimumPasswordLength   Minimum password length
                        Defined in characters

PasswordComplexity      Password must meet complexity requirements
                        1 is Enabled, 0 is Disabled
    rWrr
rrr
rr)r�r�value?Nc��|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}	|j�t||j|j|j|�}
|jjd�}d	j|j�d
|dg�}d	j|dg�}
	td�
�}t |_|	j%|
�}	|j't)|j+���dddddddd�}||}j=|�s|j?|�|�|jA|||�n@|jC||�tE|jG|��dk(r|jI|�t)�}|jK|�	tM|	|�|	jO|
tQ|jS���|
jUd��y#t,$r-|j't)|j+d���Y�� wxYw#t.$rM}|j0dt2k(rt5d��|j0dt6t8t:fvr�Yd}~��ud}~wwxYw#t.$r'}|j0dt2k(rt5d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`z$MACHINE\Microsoft\Windows NT\SecEditzGptTmpl.inf��
interpolation�utf-16rrc�Kerberos Policy�
System Access)�MaxTicketAge�
MaxServiceAge�MaxRenewAge�MinimumPasswordAge�MaximumPasswordAge�MinimumPasswordLength�PasswordComplexityrs)+rrhr rirUrjrrmr3r�r5r�rkr>r�r'r��optionxformr��readfpr(ro�UnicodeDecodeErrorrrlr1rr-r.r/�has_section�add_section�set�
remove_optionrTrG�remove_sectionr�r2r�r%�getvaluer|)r�r�rr?rrr	rrsr�r�r_�inf_dir�inf_file�inf_data�rawrl�section_map�sectionr�s                    rBr!zcmd_set_security.run	s����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��5�7�8���9�9�g�}�5�6��	�#�$�7�H�!$�H� ��-�-��)�C�
@��������� 6�7�*;�*;�(9�/>�/>�2A�/>�
���f�%���#�#�G�,�� � ��)����L�L��&�%�0��"�"�7�F�3��8�#�#�G�,�-��2��'�'��0��j�����s��		�!�$��0��M�M�(�I�c�l�l�n�$=�>��!�!�$�!�7��G&�
@��������H�)=� >�?�
@���	��v�v�a�y�3�3�"�$D�E�E��v�v�a�y�!>�!@�!@�!B�B��B��		��D�	��v�v�a�y�3�3�"�$D�E�E���	�sP�(K�:(J
�AL�
2K�?K�K�K�	L�AL�L�	M�("M
�
Mr�r�r`rDrBr�r��sg���@'�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
-�J�=A�'+�IrDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
gZ
d
d�Zy)�cmd_list_securityaList Samba Security Group Policy from the sysvol

This command lists security settings from the sysvol that will be applied to winbind clients.
These settings only apply to the ADDC.

Example:
samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rWrr
rrr
rrr�Nc�n�|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|jjd�}d	j|j�d
|dg�}		td��}
t|
_|j|	�}	|
j!t#|j%���|
j7�D]A}
|
dvr�|
j9|
�D]&\}}|j:j=|�d|�d���(�Cy#t&$r,|
j!t#|j%d
���Y��wxYw#t($rL}|j*dt,t.t0fvrYd}~y|j*dt2k(rt5d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`z0MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.infr�r�rrc)r�r�� = r)rrhr rirUrjrrmr3rkr>r�r'r�r�r�r�r(ror�rrlr-r.r/r1r�sectionsr�r�r�)r�r�rrr	rrsr�r_r�r�r�rlr�r�r?s                rBr!zcmd_list_security.run~	s����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�����G�$���9�9�e�k�k�m�Z��B�D�E��	�#�$�7�H�!$�H� ��-�-��)�C�
@��������� 6�7� �(�(�*�	<�G��B�B��&�n�n�W�5�
<�
��U��	�	���s�E� :�;�
<�	<��&�
@��������H�)=� >�?�
@���	��v�v�a�y�:�<�<�>�>���v�v�a�y�3�3�"�$D�E�E���	�s<�(G�*(F'�'2G�G�G�G�	H4�( H/�
"H/�/H4r"r�r`rDrBr�r�e	sa���'�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��J�+<rDr�c�<�eZdZdZiZe�ed<e�ed<y)�cmd_securityz$Manage Security Group Policy Objectsr�r�N)rrrr$r�r�r�r`rDrBr�r��	s$��.��K�)�+�K���+�-�K��rDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
gZ
d
d�Zy)�cmd_list_smb_confz�List Samba smb.conf Group Policy from the sysvol

This command lists smb.conf settings from the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage smb_conf list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rWrr
rrr
rrr�Nc�p�|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|jjd�}d	j|j�d
|dg�}		ttj|j|	��}
d}t/j0�}
|
j2D]�}t5|j6�|k(s�|
j9|j:t=|j>��|
j|j:�}|j@jC|j:�d|�d����y#t $rL}|j"dt$t&t(fvrYd}~y|j"dt*k(rt-d
���d}~wwxYw)NTrrfrZr[r]r^r_r�r`r�rrc� Software\Policies\Samba\smb_confr�r)"rrhr rirUrjrrmr3rkr>r�rr
r�r�rrlr-r.r/r1rr#�LoadParmrmr%rdr�rer�r�r�r�)r�r�rrr	rrsr�r_rurxrlrdrhry�vals                rBr!zcmd_list_smb_conf.run�	s����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�����G�$���9�9�e�k�k�m�Z�� 7�9�:��
	�!�$�)�)�T�]�]�8�-D�E�H�9��
�^�^�
���%�%�	F�E�����'�7�2����u����E�J�J��8��f�f�U�_�_�-���	�	���u���� D�E�		F���	��v�v�a�y�:�<�<�>�>���v�v�a�y�3�3�"�$D�E�E���	�s�)G � 	H5�) H0�"H0�0H5r"r�r`rDrBr�r��	sb���'�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��J�'FrDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZgd
�Z
		d
d�Zy)�cmd_set_smb_confa%Sets a Samba smb.conf Group Policy to the sysvol

This command sets an smb.conf setting to the sysvol for applying to winbind
clients. Not providing a value will unset the policy.

Example:
samba-tool gpo manage smb_conf set {31B2F340-016D-11D2-945F-00C04FB984F9} 'apply gpo policies' yes
    r�rr
rrr
rr�r��settingr�Nc��|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}	|j�t||j|j|j|�}
|jjd�}d	j|j�d
|dg�}d	j|dg�}
	tt j"|	j%|
��}|�t||j4D�cgc]}|j6��c}vrt3d|z��|j4D�cgc]}|j6|k7r|��}}||_t9|�|_n�t=|�j�dvrd}d}n]t=|�j�dvrd}d
}n=t=|�j?�rd}tAt=|��}n
d}tC|�}t!jD�}d|_#tC|�|_||_$||_%tM|j4�}|jO|�||_t9|�|_	tQ|	|�|	jS|
tU|��|
jWd��y#t&$rb}|j(d
t*t,t.fvrt!j"�}n"|j(d
t0k(rt3d���Yd}~��
d}~wwxYwcc}wcc}w#t&$r'}|j(d
t0k(rt3d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`razRegistry.polrrcr�)�yesrhrcrhrO)�no�falserr�rs),rrhr rirUrjrrmr3r�r5r�rkr>r�rr
r�r�rrlr-r.r/r1rrmrerTr�r&�	isnumericrXr%ryrdrr�r�rWr2r�rr|)r�r�r�r?rrr	rrsr�r�r_�pol_dirrurxrlrm�etyper�s                   rBr!zcmd_set_smb_conf.run
s^���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��Y�G�H���9�9�g�~�6�7��	�!�$�)�)�T�]�]�8�-D�E�H��=��H�4D�4D�E�q�q�{�{�E�E�"�$0�29�$:�;�;�"*�"2�"2�+�Q��;�;�'�)��+�G�+�&�H��#&�w�<�H� ��%� �&�&�(�,@�@������E�"�(�(�*�.B�B������E�"�,�,�.����*�U�+�,������&���
�
��A�>�A�I�#�G�,�A�K��A�F��A�F��8�+�+�,�G��N�N�1��&�H��#&�w�<�H� �	�!�$��0��M�M�(�H�X�$6�7��!�!�$�!�7��[�		��v�v�a�y�:�<�<�>�>� �9�9�;�������5�5�"�$D�E�E����			��F��+��>�	��v�v�a�y�3�3�"�$D�E�E���		�s=�)L�N�>N�$9N�	N	�'AN�N	�	O�"O�Or�r�r`rDrBr�r��	sf���/�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
.�J�MQ��MrDr�c�<�eZdZdZiZe�ed<e�ed<y)�cmd_smb_confz$Manage smb.conf Group Policy Objectsr�r�N)rrrr$r�r�r�r`rDrBr�r�Z
s$��.��K�+�-�K���)�+�K��rDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
gZ
d
d�Zy)�cmd_list_symlinkz�List VGP Symbolic Link Group Policy from the sysvol

This command lists symlink settings from the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage symlink list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rWrr
rrr
rrr�Nc� �|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|jjd�}d	j|j�d
|ddg�}		tj|j|	��}
|
j-d�}|j,d�}
|
j/d�D]Z}|j-d�}|j-d�}|j0j3d|j4�d|j4�d���\y#t$rL}|j d
t"t$t&fvrYd}~y|j d
t(k(rt+d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`�MACHINE\VGP\VTLA\UnixzSymlink\manifest.xmlrrcr`r��file_properties�source�targetzln -s r<r�rrhr rirUrjrrmr3rkr>r�r�r�r�rrlr-r.r/r1rrwr�r�r�rz)r�r�rrr	rrsr�r_r�r�rlrr�r�r�r�s                 rBr!zcmd_list_symlink.runx
s����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�����G�$���)�)�U�[�[�]�J�� :� 7�9�:��
	��}�}�T�]�]�7�%;�<�H�����/���v�{�{�6�"��#�|�|�,=�>�	J�O�$�)�)�(�3�F�$�)�)�(�3�F��I�I�O�O�v�{�{�F�K�K�H�I�	J���	��v�v�a�y�:�<�<�>�>���v�v�a�y�3�3�"�$D�E�E���	�s�$F8�8	H
� H�&"H�H
r"r�r`rDrBr�r�`
sb���'�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��J�'JrDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZgd
�Z
		d
d�Zy)�cmd_add_symlinkz�Adds a VGP Symbolic Link Group Policy to the sysvol

This command adds a symlink setting to the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target
    �'%prog <gpo> <source> <target> [options]rr
rrr
rr�r�r�r�Nc�~�|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}	|j�t||j|j|j|�}
|jjd�}d	j|j�d
|dg�}d	j|dg�}
	tj tj"|	j%|
���}|j'�j)d
�}|j(d�}tj6|d�}tj6|d�}||_tj6|d�}||_t?�}|jA|dd��|jCd�	tE|	|�|	jG|
|jI��|
jKd��y#t*$�r}|j,dt.t0t2fvr�tj tj4d��}tj6|j'�d
�}tj6|d�}d|_tj6|d�}d|_tj6|d�}d|_tj6|d�}n"|j,dt:k(rt=d���Yd}~���d}~wwxYw#t*$r'}|j,dt:k(rt=d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`�MACHINE\VGP\VTLA\Unix\Symlinkr_r`r�rrarbrcrqzSymlink PolicyrdzSpecifies symbolic link datarcr�r�r�rorprs)&rrhr rirUrjrrmr3r�r5r�rkr>r�r�rur�r�rvrwrrlr-r.r/rxryrzr1rr)r�r{r2r�r�r|)r�r�r�r�rrr	rrsr�r�r_rr�r�rr�rlr`r�rqrdr��
source_elm�
target_elmr�s                          rBr!zcmd_add_symlink.run�
s���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��@�B�C���)�)�W�n�5�6��	��~�~�b�m�m�D�M�M�'�4J�&K�L�H��%�%�'�,�,�_�=�F��6�;�;�v�&�D�,�-�-��.?�@���]�]�?�H�=�
� �
���]�]�?�H�=�
� �
���i�����s�W�d��C������	�!�$��0��M�M�'�3�8�8�:�.��!�!�$�!�7��C�	��v�v�a�y�:�<�<�>�>��>�>�"�*�*�[�*A�B�� "�
�
�h�.>�.>�.@�.=�!?�
��]�]�=�)�<������}�}�]�F�;��,��	� �m�m�M�=�I��#A�� ��}�}�]�F�;�������5�5�"�$D�E�E����	��D�	��v�v�a�y�3�3�"�$D�E�E���		�s2�A(I8�9>N�8
N	�C<N�N	�	N<�"N7�7N<r"r�r`rDrBr�r��
sf���9�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
-�J�HL��DrDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZgd
�Z
		d
d�Zy)�cmd_remove_symlinkaRemoves a VGP Symbolic Link Group Policy from the sysvol

This command removes a symlink setting from the sysvol from applying to winbind
clients.

Example:
samba-tool gpo manage symlink remove {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target
    r�rr
rrr
rrr�Nc�l�|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}	|j�t||j|j|j|�}
|jjd�}d	j|j�d
|dg�}d	j|dg�}
	tj tj"|	j%|
���}|j'�j)d
�}|j(d�}|j9d�D]V}|j)d�}|j)d�}|j:|k(s�5|j:|k(s�E|j=|�nt5d|z|��t?�}|jA|dd��|jCd�	tE|	|�|	jG|
|jI��|
jKd��y#t*$rV}|j,dt.t0t2fvrt5d|z|��|j,dt6k(rt5d���d}~wwxYw#t*$r'}|j,dt6k(rt5d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`r�r_r`r�rz>Cannot remove link from '%s' to '%s' because it does not existrcr�r�r�rorprs)&rrhr rirUrjrrmr3r�r5r�rkr>r�r�rur�r�rvrwrrlr-r.r/rr1r�rzr�r)r�r{r2r�r�r|)r�r�r�r�rrr	rrsr�r�r_rr�r�rr�rlr�r�r�r�s                      rBr!zcmd_remove_symlink.runs����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��@�B�C���)�)�W�n�5�6��	��~�~�b�m�m�D�M�M�'�4J�&K�L�H��%�%�'�,�,�_�=�F��6�;�;�v�&�D� $�|�|�,=�>�	M�O�(�-�-�h�7�J�(�-�-�h�7�J����&�(�Z�_�_��-F����O�,��	M�� ;�=C� D�EK�M�
M��i�����s�W�d��C������	�!�$��0��M�M�'�3�8�8�:�.��!�!�$�!�7��;�
	��v�v�a�y�:�<�<�>�>�#�$0�28�$9�:@�B�B������5�5�"�$D�E�E���
	��<�	��v�v�a�y�3�3�"�$D�E�E���		�s2�A(J!�">L�!	L�*AK;�;L�	L3�"L.�.L3r"r�r`rDrBr�r��
sf���9�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
-�J�HL��@rDr�c�P�eZdZdZiZe�ed<e�ed<e�ed<y)�cmd_symlinkz#Manage symlink Group Policy Objectsr�rr�N)rrrr$r�r�r�r�r`rDrBr�r�Zs1��-��K�*�,�K���(�*�K���.�0�K��rDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
gZ
d
d�Zy)�cmd_list_filesz�List VGP Files Group Policy from the sysvol

This command lists files which will be copied from the sysvol and applied to winbind clients.

Example:
samba-tool gpo manage files list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rWrr
rrr
rrr�Nc
���|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|jjd�}d	j|j�d
|ddg�}		tj|j|	��}
|
j-d�}|j,d�}
|
j/d�D]�}|j-d�j0}|j-d�j0}|j-d�j0}|j-d�j0}t3|�}t5|��d|�d|�d|�d|��	}|j6j9d|z���y#t$rL}|j d
t"t$t&fvrYd}~y|j d
t(k(rt+d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`r�zFiles\manifest.xmlrrcr`r�r�r�r�r5rn�	z -> r�)rrhr rirUrjrrmr3rkr>r�r�r�r�rrlr-r.r/r1rrwr�rzr*r+r�r�)r�r�rrr	rrsr�r_r�r�rlrr�ryr�r�r5rn�moder�s                     rBr!zcmd_list_files.runys���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�����G�$���)�)�U�[�[�]�J�� :� 5�7�8��
	��}�}�T�]�]�7�%;�<�H�����/���v�{�{�6�"���\�\�"3�4�	(�E��Z�Z��)�.�.�F��Z�Z��)�.�.�F��:�:�f�%�*�*�D��J�J�w�'�,�,�E��U�#�D�#�D�)�4����H�A��I�I�O�O�F�Q�J�'�	(���	��v�v�a�y�:�<�<�>�>���v�v�a�y�3�3�"�$D�E�E���	�s�$H�	I#� I�<"I�I#r"r�r`rDrBr�r�asa���'�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��J�,(rDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZgd
�Z
		d
d�Zy)�
cmd_add_filesaAdd VGP Files Group Policy to the sysvol

This command adds files which will be copied from the sysvol and applied to winbind clients.

Example:
samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt /usr/share/doc/target.txt root root 600
    z=%prog <gpo> <source> <target> <user> <group> <mode> [options]rr
rrr
rr)r�r�r�r5rnr�Nc�
�|j�|_|	j|jd��|_tj
j
|�std|z��|r|jd�r
|dd}||_	nGt|j|j�}t|j|j|��|_	t|d|j|j��}|j�t||j|j|j|�}
|jj!d	�}d
j#|j%�d|dg�}d
j#|d
g�}	t'j(t'j*|j-|���}|j/�j1d�}|j0d�}t'j>|d�}t'j>|d�}tj
jE|�|_ t'j>|d�}||_ t'j>|d�}||_ t'j>|d�}||_ dD]�\}}t'j>|d�} | jGd |�tI|d!�d"|zzrt'j>| d#�tI|d!�d$|zzrt'j>| d%�tI|d!�d&|zzs��t'j>| d'���tK�}!|jM|!d(d�)�|!jOd�tQ|d*�jS�}"d
j#|tj
jE|�g�}#	tU||�|jW||!jS��|jW|#|"�|
jYd�+�y#t2$�r}|j4dt6t8t:fvr�t'j(t'j<d��}t'j>|j/�d�}t'j>|d�}d|_ t'j>|d�}d|_ t'j>|d�}d|_ t'j>|d�}n"|j4dtBk(rtd���Yd}~��)d}~wwxYw#t2$r'}|j4dtBk(rtd���d}~wwxYw),NTrzSource '%s' does not existrfrZr[r]r^r_r�r`�MACHINE\VGP\VTLA\Unix\Filesr_r`r�rrarbrcrq�Filesrdz+Represents file data to set/copy on clientsrcr�r�r�r5rn))r5�)rnr�)�otherr�permissionsrrNrhr�rMr�rO�executerorpr�rs)-rrhr rir�r�r�rrUrjrrmr3r�r5r�rkr>r�r�rur�r�rvrwrrlr-r.r/rxryrzr1r�r�rXr)r�r{r�r�r2r�r|)$r�r�r�r�r5rnr�rrr	rrsr�r�r_rr�r�rr�rlr`r�rqrdr�r�r�r��	group_elm�ptype�shiftr�r��source_data�
sysvol_sources$                                    rBr!zcmd_add_files.run�sS���(�(�*����-�-�d�g�g��-�M��
��w�w�~�~�f�%��;�f�D�E�E�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��>�@�A���)�)�W�n�5�6��	��~�~�b�m�m�D�M�M�'�4J�&K�L�H��%�%�'�,�,�_�=�F��6�;�;�v�&�D�,�-�-��.?�@���]�]�?�H�=�
��'�'�*�*�6�2�
���]�]�?�H�=�
� �
���=�=��&�9����
��M�M�/�7�;�	��	��E�	6�L�E�5��-�-���G�K��O�O�F�E�*��4��|�s�e�|�,��
�
�k�6�2��4��|�s�e�|�,��
�
�k�7�3��4��|�s�e�|�,��
�
�k�9�5�	6��i�����s�W�d��C�������6�4�(�-�-�/���	�	�7�B�G�G�,<�,<�V�,D�"E�F�
�		�!�$��0��M�M�'�3�8�8�:�.��M�M�-��5��!�!�$�!�7��c�	��v�v�a�y�:�<�<�>�>��>�>�"�*�*�[�*A�B�� "�
�
�h�.>�.>�.@�.=�!?�
��]�]�=�)�<������}�}�]�F�;��#��	� �m�m�M�=�I��#P�� ��}�}�]�F�;�������5�5�"�$D�E�E����	��d�	��v�v�a�y�3�3�"�$D�E�E���		�s3�>A(P�2AT�
T�
C<T�T�	U� "U�Ur"r�r`rDrBr�r��sh���O�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
F�J�<@�7;�WrDr�c��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
dgZ
		dd
�Zy)�cmd_remove_filesaRemove VGP Files Group Policy from the sysvol

This command removes files which would be copied from the sysvol and applied to winbind clients.

Example:
samba-tool gpo manage files remove {31B2F340-016D-11D2-945F-00C04FB984F9} /usr/share/doc/target.txt
    z%prog <gpo> <target> [options]rr
rrr
rrr�r�Nc��|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|j�t||j|j|j|�}	|jjd�}
d	j|
j�d
|dg�}d	j|dg�}	tj tj"|j%|���}
|
j'�j)d
�}|j(d�}|j9d�D]t}|j)d�}|j)d�}|j:|k(s�5d	j||j:g�}|j=|�|j?|�nt5d|z��tA�}|
jC|dd��|jEd�	tG||�|jI||jK��|	jMd��y#t*$rU}|j,dt.t0t2fvrt5d|z��|j,dt6k(rt5d���d}~wwxYw#t*$r'}|j,dt6k(rt5d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`r�r_r`r�rz1Cannot remove file '%s' because it does not existrcr�r�r�rorprs)'rrhr rirUrjrrmr3r�r5r�rkr>r�r�rur�r�rvrwrrlr-r.r/rr1r�rz�unlinkr�r)r�r{r2r�r�r|)r�r�r�rrr	rrsr�r�r_rr�r�rr�rlr�r�r�r�r�s                      rBr!zcmd_remove_files.run0s���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��>�@�A���)�)�W�n�5�6��	��~�~�b�m�m�D�M�M�'�4J�&K�L�H��%�%�'�,�,�_�=�F��6�;�;�v�&�D� $�|�|�,=�>�
	E�O�(�-�-�h�7�J�(�-�-�h�7�J����&�(����G�Z�_�_�#=�>�����F�#����O�,��
	E�� ;�=C� D�E�
E��i�����s�W�d��C������	�!�$��0��M�M�'�3�8�8�:�.��!�!�$�!�7��?�
	��v�v�a�y�:�<�<�>�>�#�$0�28�$9�:�:������5�5�"�$D�E�E���
	��@�	��v�v�a�y�3�3�"�$D�E�E���		�s2�A(J>�?>L�>	L�AL�L�	M�("M
�
Mr"r�r`rDrBrrsk���0�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��"�J�@D��BrDrc�P�eZdZdZiZe�ed<e�ed<e�ed<y)�	cmd_filesz!Manage Files Group Policy Objectsr�rr�N)rrrr$r�r�r�rr`rDrBr
r
ts0��+��K�(�*�K���&��K���,�.�K��rDr
c��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
gZ
d
d�Zy)�cmd_list_opensshz�List VGP OpenSSH Group Policy from the sysvol

This command lists openssh options from the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage openssh list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rWrr
rrr
rrr�Nc	��|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|jjd�}d	j|j�d
|ddg�}		tj|j|	��}
|
j-d�}|j,d�}
|
j-d�}|j/d�D]�}|j-d�j0r�|j/d�D]U}|j2j5|j-d�j0�d|j-d�j0�d���W��y#t$rL}|j d
t"t$t&fvrYd}~y|j d
t(k(rt+d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`zMACHINE\VGP\VTLA\SshCfgzSshD\manifest.xmlrrcr`r��
configfile�
configsection�sectionname�keyvaluepairr�r<r?r�rrhr rirUrjrrmr3rkr>r�r�r�r�rrlr-r.r/r1rrwr�rzr�r�)r�r�rrr	rrsr�r_r�r�rlrr�rr�kvs                 rBr!zcmd_list_openssh.run�s���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�����G�$���)�)�U�[�[�]�J�� <� 4�6�7��
	��}�}�T�]�]�7�%;�<�H�����/���v�{�{�6�"���Y�Y�|�,�
�'�/�/��@�	E�M��!�!�-�0�5�5��#�+�+�N�;�
E���	�	���R�W�W�U�^�-@�-@�-/�W�W�W�-=�-B�-B�!D�E�
E�	E���	��v�v�a�y�:�<�<�>�>���v�v�a�y�3�3�"�$D�E�E���	�s�$G6�6	I�? I�$"I�Ir"r�r`rDrBrr{sb���'�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��J�*ErDrc��eZdZdZdZejejejd�Z	e
dddedd�	�gZgd
�Z
		d
d�Zy)�cmd_set_openssha"Sets a VGP OpenSSH Group Policy to the sysvol

This command sets an openssh setting to the sysvol for applying to winbind
clients. Not providing a value will unset the policy.

Example:
samba-tool gpo manage openssh set {31B2F340-016D-11D2-945F-00C04FB984F9} KerberosAuthentication Yes
    z'%prog <gpo> <setting> [value] [options]rr
rrr
rrr�Nc�
�|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}	|j�t||j|j|j|�}
|jjd�}d	j|j�d
|dg�}d	j|dg�}
	tj tj"|	j%|
���}|j'�j)d
�}|j(d�}|j)d�}|��|j?d�D]�}|j)d�j8r�i}|j?d�D]}|||j)d�<�||jA�vr|||_�htj6|d�}tj6|d�}||_tj6|d�}||_��n�|j?d�D]�}|j)d�j8r�i}|j?d�D] }|||j)d�j8<�"||jA�vr|jC||��|t=d |z��tE�}|jG|d!d�"�|jId�	tK|	|�|	jM|
|jO��|
jQd�#�y#t*$�rg}|j,dt.t0t2fv�rtj tj4d��}tj6|j'�d
�}tj6|d�}d|_tj6|d�}d|_tj6|d�}d|_tj6|d�}d|_tj6|d�}tj6|d�}tj6|d�}tj6|d�n"|j,dt:k(rt=d���Yd}~��Ed}~wwxYw#t*$r'}|j,dt:k(rt=d���d}~wwxYw)$NTrrfrZr[r]r^r_r�r`zMACHINE\VGP\VTLA\SshCfg\SshDr_r`r�rrrarbrcrqzConfiguration Filerdz+Represents Unix configuration file settingsrerfrrrcrr�r?r�rorprs))rrhr rirUrjrrmr3r�r5r�rkr>r�r�rur�r�rvrwrrlr-r.r/rxryrzr1rr�r�r�r)r�r{r2r�r�r|)r�r�r�r?rrr	rrsr�r�r_rr�r�rr�rrlr`r�rqrdrer�settingsrrr��dvaluer�s                               rBr!zcmd_set_openssh.run�s����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��?�A�B���)�)�W�n�5�6��	��~�~�b�m�m�D�M�M�'�4J�&K�L�H��%�%�'�,�,�_�=�F��6�;�;�v�&�D����<�0�J�6��!+�!3�!3�O�!D�

(�
� �%�%�m�4�9�9����'�/�/��?�2�B�/1�H�R�W�W�U�^�,�2��h�m�m�o�-�-2�H�W�%�*�#%�=�=���#O�L��-�-��e�<�C�&�C�H��]�]�<��A�F�"'�F�K�

(�",�!3�!3�O�!D�

>�
� �%�%�m�4�9�9����'�/�/��?�7�B�46�H�R�W�W�U�^�0�0�1�7��h�m�m�o�-�!�(�(��'�):�;�&�(3�5<�(=�>�>�

>��i�����s�W�d��C������	�!�$��0��M�M�'�3�8�8�:�.��!�!�$�!�7��y�	��v�v�a�y�:�<�<�>�>��>�>�"�*�*�[�*A�B�� "�
�
�h�.>�.>�.@�.=�!?�
��]�]�=�)�<������}�}�]�F�;��0��	� �m�m�M�=�I��#P�� ��]�]�=�,�G�
�")�
���}�}�]�F�;���]�]�4��>�
� "�
�
�j�/� J�
��
�
�m�]�;������5�5�"�$D�E�E��<��'	��z�	��v�v�a�y�3�3�"�$D�E�E���		�s2�A9N#�$>T�#
T�-ET�T�	U� "U�Ur�r�r`rDrBrr�sf���9�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
.�J�>B�'+�`rDrc�<�eZdZdZiZe�ed<e�ed<y)�cmd_opensshz#Manage OpenSSH Group Policy Objectsr�r�N)rrrr$r�rrr`rDrBrr:
s$��-��K�*�,�K���(�*�K��rDrc��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
gZ
d
d�Zy)�cmd_list_startupz�List VGP Startup Script Group Policy from the sysvol

This command lists the startup script policies currently set on the sysvol.

Example:
samba-tool gpo manage scripts startup list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rWrr
rrr
rrr�Nc
���|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|jjd�}d	j|j�d
|ddg�}		tj|j|	��}
|
j-d�}|j,d�}
|
j/d�D]�}|j-d�}d	jd	|j�d
|dd|j0g�}|j-d�}|j-d�}|�
|j0}nd}|�
|j0}nd}|j2j5d|�d|�d|�d����y#t$rL}|j d
t"t$t&fvrYd}~y|j d
t(k(rt+d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`r�zScripts\Startup\manifest.xmlrrcr`r�rk�scriptzMACHINE\VGP\VTLA\Unix\Scripts�Startup�
parameters�run_as�rootrJz@reboot r<rr)r�r�rrr	rrsr�r_r�r�rlrr�rkr�script_pathr r!s                   rBr!zcmd_list_startup.runX
s*���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�����G�$���)�)�U�[�[�]�J�� :� @�B�C��
	��}�}�T�]�]�7�%;�<�H�����/���v�{�{�6�"���<�<�
�6�	?�K� �%�%�h�/�F��)�)�T�5�;�;�=�*�c�%H�%.����%=�>�K�%�)�)�,�7�J� �%�%�h�/�F��!��������%�'�_�_�
��
��I�I�O�O�F�K�2<�>�
?�	?���	��v�v�a�y�:�<�<�>�>���v�v�a�y�3�3�"�$D�E�E���	�s�$H
�
	I� I�8"I�Ir"r�r`rDrBrr@
sa���'�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��J�4?rDrc��eZdZdZdZejejejd�Z	e
dddedd�	�e
d
ddd
d��gZgd�Z
		dd�Zy)�cmd_add_startupz�Adds VGP Startup Script Group Policy to the sysvol

This command adds a startup script policy to the sysvol.

Example:
samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '\-n \-p all'
    z.%prog <gpo> <script> [args] [run_as] [options]rr
rrr
rrz
--run-once�run_onceFr�z#Whether to run the script only oncer�)r�rzargs?zrun_as?Nc
�0
�|j�|_|j|jd��|_tj
j
|�std|z��|r|jd�r
|dd}
||_	nGt|j|j�}
t|j|j|
��|_	t|
d|j|j��}|j�t||j|j|j|�}|jj!d	�}
d
j#|
j%�d|dg�}d
j#|d
g�}	t'j(t'j*|j-|���}|j/�j1d�}|j0d�}tE|d�jG�}t'j>|d�}t'j>|d�}tj
jI|�|_ t'j>|d�}tKjL|�jO�jQ�|_ |�Kt'j>|d�}|jSd�jSd�jUd d!�|_ |�t'j>|d"�}||_ |rt'j>|d#�tW�}|jY|d$d�%�|j[d�d
j#|tj
jI|�g�}	t]||�|j_||jG��|j_||�|jad�&�y#t2$�r}|j4dt6t8t:fvr�t'j(t'j<d��}t'j>|j/�d�}t'j>|d�}d|_ t'j>|d�}d|_ t'j>|d�}d|_ t'j>|d�}n"|j4dtBk(rtd���Yd}~���d}~wwxYw#t2$r'}|j4dtBk(rtd���d}~wwxYw)'NTrzScript '%s' does not existrfrZr[r]r^r_r�r`�%MACHINE\VGP\VTLA\Unix\Scripts\Startupr_r`r�rrarbrcrqzUnix Scriptsrdz6Represents Unix scripts to run on Group Policy clientsrcr�rkr�hashr �"�'z\-�-r!r&rorprs)1rrhr rir�r�r�rrUrjrrmr3r�r5r�rkr>r�r�rur�r�rvrwrrlr-r.r/rxryrzr1r�r�r��hashlib�md5�	hexdigestr
rRr�r)r�r{r2r�r|) r�r�rrlr!r&rrr	rrsr�r�r_rr�r�rr�rlr`r�rqrd�script_datark�
script_elmr)r �
run_as_elmr��
sysvol_scripts                                 rBr!zcmd_add_startup.run�
s���(�(�*����-�-�d�g�g��-�M��
��w�w�~�~�f�%��;�f�D�E�E�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��I�K�L���)�)�W�n�5�6��	��~�~�b�m�m�D�M�M�'�4J�&K�L�H��%�%�'�,�,�_�=�F��6�;�;�v�&�D�.�6�4�(�-�-�/���m�m�D�-�8���]�]�;��9�
��'�'�*�*�6�2�
���}�}�[�&�1���K�K��,�6�6�8�>�>�@��	������{�L�A�J�"�j�j��o�3�3�C�8�@�@���L�J�O������{�H�=�J�$�J�O���M�M�+�z�2��i�����s�W�d��C�������	�	�7�B�G�G�,<�,<�V�,D�"E�F�
�		�!�$��0��M�M�'�3�8�8�:�.��M�M�-��5��!�!�$�!�7��[�	��v�v�a�y�:�<�<�>�>��>�>�"�*�*�[�*A�B�� "�
�
�h�.>�.>�.@�.=�!?�
��]�]�=�)�<������}�}�]�F�;��*��	� �m�m�M�=�I��L�� ��}�}�]�F�;�������5�5�"�$D�E�E����	��\�	��v�v�a�y�3�3�"�$D�E�E���		�s3�>A(O�AS%�
S"�C<S�S"�%	T�."T�Tr�r�r`rDrBr%r%�
sz���@�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��|�*�e�L�9�	;��M�7�J�@D�?C�SrDr%c��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
dgZ
		dd
�Zy)�cmd_remove_startupz�Removes VGP Startup Script Group Policy from the sysvol

This command removes a startup script policy from the sysvol.

Example:
samba-tool gpo manage scripts startup remove {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
    z%prog <gpo> <script> [options]rr
rrr
rrr�rNc��|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|j�t||j|j|j|�}	|jjd�}
d	j|
j�d
|dg�}d	j|dg�}	tj tj"|j%|���}
|
j'�j)d
�}|j(d�}|j9d�D]b}|j)d�}|j:t<j>jA|jCd	d��k(s�Q|jE|�nt5d|z��tG�}|
jI|dd��|jKd�	tM||�|jO||jQ��|	jSd��y#t*$rU}|j,dt.t0t2fvrt5d|z��|j,dt6k(rt5d���d}~wwxYw#t*$r'}|j,dt6k(rt5d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`r(r_r`r�rz3Cannot remove script '%s' because it does not existrcrkrr�rorprs)*rrhr rirUrjrrmr3r�r5r�rkr>r�r�rur�r�rvrwrrlr-r.r/rr1r�rzr�r�r�r�r�r)r�r{r2r�r�r|)r�r�rrrr	rrsr�r�r_rr�r�rr�rlrkr1r�s                    rBr!zcmd_remove_startup.runs����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��I�K�L���)�)�W�n�5�6��	��~�~�b�m�m�D�M�M�'�4J�&K�L�H��%�%�'�,�,�_�=�F��6�;�;�v�&�D� �<�<�
�6�	6�K�$�)�)�(�3�J����"�'�'�"2�"2�6�>�>�$��3L�"M�M����K�(��		6�� ,�.4� 5�6�
6��i�����s�W�d��C������	�!�$��0��M�M�'�3�8�8�:�.��!�!�$�!�7��7�
	��v�v�a�y�:�<�<�>�>�#�$0�28�$9�:�:������5�5�"�$D�E�E���
	��8�	��v�v�a�y�3�3�"�$D�E�E���		�s2�A(J,�->L
�,	L
�5AL�L
�
	L=�"L8�8L=r"r�r`rDrBr5r5�
sj���0�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��"�J�@D��>rDr5c�P�eZdZdZiZe�ed<e�ed<e�ed<y)�cmd_startupz+Manage Startup Scripts Group Policy Objectsr�rr�N)rrrr$r�rr%r5r`rDrBr8r8Us1��5��K�*�,�K���(�*�K���.�0�K��rDr8c�(�eZdZdZiZe�ed<y)�cmd_scriptsz#Manage Scripts Group Policy Objects�startupN)rrrr$r�r8r`rDrBr:r:\s��-��K�(�]�K�	�rDr:c��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
gZ
d
d�Zy)�
cmd_list_motdz�List VGP MOTD Group Policy from the sysvol

This command lists the Message of the Day from the sysvol that will be applied
to winbind clients.

Example:
samba-tool gpo manage motd list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rWrr
rrr
rrr�Nc��|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|jjd�}d	j|j�d
|ddg�}		tj|j|	��}
|
j-d�}|j,d�}
|
j-d�}|j.j1|j2�y#t$rL}|j d
t"t$t&fvrYd}~y|j d
t(k(rt+d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`r�zMOTD\manifest.xmlrrcr`r�rz�rrhr rirUrjrrmr3rkr>r�r�r�r�rrlr-r.r/r1rrwr�r�rz�r�r�rrr	rrsr�r_r�r�rlrr�rzs               rBr!zcmd_list_motd.runzs����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�����G�$���)�)�U�[�[�]�J�� :� 4�6�7��
	��}�}�T�]�]�7�%;�<�H�����/���v�{�{�6�"���y�y�� ���	�	����	�	�"���	��v�v�a�y�:�<�<�>�>���v�v�a�y�3�3�"�$D�E�E���	���$F�	G�	 G�."G�Gr"r�r`rDrBr=r=a�a���'�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��J�%#rDr=c��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
dgZ
		dd
�Zy)�cmd_set_motdaSets a VGP MOTD Group Policy to the sysvol

This command sets the Message of the Day to the sysvol for applying to winbind
clients. Not providing a value will unset the policy.

Example:
samba-tool gpo manage motd set {31B2F340-016D-11D2-945F-00C04FB984F9} "Message for today"
    �%prog <gpo> [value] [options]rr
rrr
rrr�r�Nc�P�|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|j�t||j|j|j|�}	|jjd�}
d	j|
j�d
|dg�}d	j|dg�}|�$|j|�|	j!d�
�y	t#j$|j'|��}
t#j6d�}||_tA�}|
jC|dd��|jEd�	tG||�|jI||jK��|	j!d�
�y#t($�rA}|j*dt,t.t0fvr�t#j2t#j4d��}
t#j6|
j9�d�}t#j6|d�}d|_t#j6|d�}d|_t#j6|d�}d|_t#j6|d�}d|_t#j6|d�}t#j6|d�}d|_n"|j*dt<k(rt?d���Yd}~���d}~wwxYw#t($r'}|j*dt<k(rt?d���d}~wwxYw) NTrrfrZr[r]r^r_r�r`zMACHINE\VGP\VTLA\Unix\MOTDr_rsrrar`rbrcrq�	Text Filerd�Represents a Generic Text Filerer�r��filename�motdrcrzrorp�&rrhr rirUrjrrmr3r�r5r�rkr>r�rr|r�r�r�rrlr-r.r/rurxryrvrzr1rr)r�r{r2r�r��r�r�r?rrr	rrsr�r�r_rr�r�rlr`r�rqrdrer�rIrzr�s                        rBr!zcmd_set_motd.run�s���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��=�?�@���)�)�W�n�5�6���=��K�K�� ��!�!�$�!�7��	��}�}�T�]�]�7�%;�<�H�4�}�}�T�6�*����	��i�����s�W�d��C������	�!�$��0��M�M�'�3�8�8�:�.��!�!�$�!�7��E�	��v�v�a�y�:�<�<�>�>��>�>�"�*�*�[�*A�B�� "�
�
�h�.>�.>�.@�.=�!?�
��]�]�=�)�<������}�}�]�F�;��'��	� �m�m�M�=�I��#C�� ��]�]�=�,�G�
�"+�
���}�}�]�F�;���=�=��z�:�� &��
������5�5�"�$D�E�E����%	��F�	��v�v�a�y�3�3�"�$D�E�E���		��1�7$H'�(>M5�'
M2�1D6M-�-M2�5	N%�>"N � N%r�r�r`rDrBrDrD��k���/�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��"�J�DH��IrDrDc�<�eZdZdZiZe�ed<e�ed<y)�cmd_motdz.Manage Message of the Day Group Policy Objectsr�r�N)rrrr$r�r=rDr`rDrBrPrPs"��8��K�'�/�K���%��K��rDrPc��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
gZ
d
d�Zy)�cmd_list_issuez�List VGP Issue Group Policy from the sysvol

This command lists the Prelogin Message from the sysvol that will be applied
to winbind clients.

Example:
samba-tool gpo manage issue list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rWrr
rrr
rrr�Nc��|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|jjd�}d	j|j�d
|ddg�}		tj|j|	��}
|
j-d�}|j,d�}
|
j-d�}|j.j1|j2�y#t$rL}|j d
t"t$t&fvrYd}~y|j d
t(k(rt+d���d}~wwxYw)NTrrfrZr[r]r^r_r�r`r�zIssue\manifest.xmlrrcr`r�rzr?r@s               rBr!zcmd_list_issue.run$s����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�����G�$���)�)�U�[�[�]�J�� :� 5�7�8��
	��}�}�T�]�]�7�%;�<�H�����/���v�{�{�6�"���y�y�� ���	�	����	�	�"���	��v�v�a�y�:�<�<�>�>���v�v�a�y�3�3�"�$D�E�E���	�rAr"r�r`rDrBrRrRrBrDrRc��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
dgZ
		dd
�Zy)�
cmd_set_issueaSets a VGP Issue Group Policy to the sysvol

This command sets the Prelogin Message to the sysvol for applying to winbind
clients. Not providing a value will unset the policy.

Example:
samba-tool gpo manage issue set {31B2F340-016D-11D2-945F-00C04FB984F9} "Welcome to Samba!"
    rErr
rrr
rrr�r�Nc�P�|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|j�t||j|j|j|�}	|jjd�}
d	j|
j�d
|dg�}d	j|dg�}|�$|j|�|	j!d�
�y	t#j$|j'|��}
t#j6d�}||_tA�}|
jC|dd��|jEd�	tG||�|jI||jK��|	j!d�
�y#t($�rA}|j*dt,t.t0fvr�t#j2t#j4d��}
t#j6|
j9�d�}t#j6|d�}d|_t#j6|d�}d|_t#j6|d�}d|_t#j6|d�}d|_t#j6|d�}t#j6|d�}d|_n"|j*dt<k(rt?d���Yd}~���d}~wwxYw#t($r'}|j*dt<k(rt?d���d}~wwxYw) NTrrfrZr[r]r^r_r�r`zMACHINE\VGP\VTLA\Unix\Issuer_rsrrar`rbrcrqrGrdrHrer�r�rI�issuercrzrorprKrLs                        rBr!zcmd_set_issue.runds���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���)�)�U�[�[�]�J��>�@�A���)�)�W�n�5�6���=��K�K�� ��!�!�$�!�7��	��}�}�T�]�]�7�%;�<�H�4�}�}�T�6�*����	��i�����s�W�d��C������	�!�$��0��M�M�'�3�8�8�:�.��!�!�$�!�7��E�	��v�v�a�y�:�<�<�>�>��>�>�"�*�*�[�*A�B�� "�
�
�h�.>�.>�.@�.=�!?�
��]�]�=�)�<������}�}�]�F�;��'��	� �m�m�M�=�I��#C�� ��]�]�=�,�G�
�"+�
���}�}�]�F�;���=�=��z�:�� '��
������5�5�"�$D�E�E����%	��F�	��v�v�a�y�3�3�"�$D�E�E���		�rMr�r�r`rDrBrUrUKrNrDrUc�<�eZdZdZiZe�ed<e�ed<y)�	cmd_issuez!Manage Issue Group Policy Objectsr�r�N)rrrr$r�rRrUr`rDrBrYrY�s#��+��K�(�*�K���&��K��rDrYc��eZdZdZdZejejejd�Z	e
dddedd�	�gZd
gZ
d
d�Zy)�cmd_list_accessz�List VGP Host Access Group Policy from the sysvol

This command lists host access rules from the sysvol that will be applied to winbind clients.

Example:
samba-tool gpo manage access list {31B2F340-016D-11D2-945F-00C04FB984F9}
    rWrr
rrr
rrr�Nc���|j�|_|j|jd��|_|r|j	d�r
|dd}||_nGt
|j|j�}t|j|j|��|_t|d|j|j��}|jjd�}d	j|j�d
|ddg�}		tj|j|	��}
|
��|
j-d�}|j,d�}
|
j/d�D]k}|j-d�}|j-d�}|j-d�}|j0j3d|j4�d	|j4�d���md	j|j�d
|ddg�}		tj|j|	��}|��|j-d�}|j,d�}
|
j/d�D]k}|j-d�}|j-d�}|j-d�}|j0j3d|j4�d	|j4�d���myy#t$rP}|j d
t"t$t&fvrd}
n"|j d
t(k(rt+d���Yd}~���d}~wwxYw#t$rP}|j d
t"t$t&fvrd}n"|j d
t(k(rt+d���Yd}~��Vd}~wwxYw)NTrrfrZr[r]r^r_r�r`�MACHINE\VGP\VTLA\VASz$HostAccessControl\Allow\manifest.xmlrrcr`r�rk�adobjectrqr�z+:z:ALL
z#HostAccessControl\Deny\manifest.xmlz-:r�)r�r�rrr	rrsr�r_r��allowrlrr�rkr^rqr��denys                   rBr!zcmd_list_access.run�s���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
�����G�$���)�)�U�[�[�]�J��6�E�G�H��	��M�M�$�-�-��"8�9�E����Z�Z��0�F��6�;�;�v�&�D�#�|�|�M�:�
M��&�+�+�J�7���}�}�V�,��!���x�0���	�	���F�K�K���� K�L�	
M��)�)�U�[�[�]�J��6�D�F�G��	��=�=����w�!7�8�D����Y�Y��/�F��6�;�;�v�&�D�#�|�|�M�:�
M��&�+�+�J�7���}�}�V�,��!���x�0���	�	���F�K�K���� K�L�	
M���I�		��v�v�a�y�:�<�<�>�>��������5�5�"�$D�E�E����			��2�		��v�v�a�y�:�<�<�>�>��������5�5�"�$D�E�E����			�s2�$J9�/$L�9	L�AL
�
L�	M.�AM)�)M.r"r�r`rDrBr[r[�sc���'�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
��J�CMrDr[c��eZdZdZdZejejejd�Z	e
dddedd�	�gZgd
�Z
		d
d�Zy)�cmd_add_accessaSAdds a VGP Host Access Group Policy to the sysvol

This command adds a host access setting to the sysvol for applying to winbind
clients. Any time an allow entry is detected by the client, an implicit deny
ALL will be assumed.

Example:
samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com
    z0%prog <gpo> <allow/deny> <cn> <domain> [options]rr
rrr
rr)r�r��cnr�Nc	�h�|j�|_|j|jd��|_|r|j	d�r
|dd}	||_nGt
|j|j�}	t|j|j|	��|_t|	d|j|j��}
|j�t||j|j|j|�}|jjd�}|d	k(r%d
j|j�d|dd
g�}
n8|dk(r%d
j|j�d|ddg�}
ntd|z��d
j|
dg�}	t!j"t!j$|
j'|���}|j)�j+d�}|j*d�}t|j|j|��}t?|tA�|j|j��}|jC|jE�tFjHd |zgd!��"�}tK|�dk(rtd#|z��tM|dd$d%�}|d&vrtd'|z��t!j8|d(�}t!j8|d)�}|jO�|_t!j8|d*�}|jQ��d
tM|dd+d%���|_|d,k(rt!j8|d-�}d.|_t!j8|d/�}t!j8|d�}tM|dd+d%�|_t!j8|d0�} || _t!j8|d)�}||_tS�}!|jU|!d1d�2�|!jWd�	tY|
|
�|
j[||!j]��|j_d�3�y#t,$�r$}|j.dt0t2t4fvr�t!j"t!j6d��}t!j8|j)�d�}t!j8|d�}d|_t!j8|d�}d|_t!j8|d�}d|_t!j8|d�}d|_t!j8|d�}n"|j.dt<k(rtd���Yd}~���d}~wwxYw#t,$r'}|j.dt<k(rtd���d}~wwxYw)4NTrrfrZr[r]r^r_r_r�r`r]�HostAccessControl\Allowr`�HostAccessControl\Deny�BThe entry type must be either 'allow' or 'deny'. Unknown type '%s'r_r`r�rrarbrcrqzHost Access Controlrdz0Represents host access control data (pam_access)rerfrcr�z(cn=%s))�userPrincipalName�samaccountnamer/r�z!Unable to find user or group "%s"r/���)r5rnz%s is not a user or grouprkrryrirn�	groupattr�samAccountNamer^r�rorprs)0rrhr rirUrjrrmr3r�r5r�rkr>r�rr�rur�r�rvrwrrlr-r.r/rxryrzr1rrr��	domain_dnr~�
SCOPE_SUBTREErTr&r
�domain_netbios_namer)r�r{r2r�r�r|)"r�r�r�rcr�rrr	rrsr�r�r_rr�r�rr�rlr`r�rqrdrerjr��res�objectclassrkryrkr^�
domain_elmr�s"                                  rBr!zcmd_add_access.run,s����(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���G���i�i�����
�C�!:�!;�!=�>�G��f�_��i�i�����
�C�!:�!:�!<�=�G�� ;�=B� C�D�
D��)�)�W�n�5�6��	��~�~�b�m�m�D�M�M�'�4J�&K�L�H��%�%�'�,�,�_�=�F��6�;�;�v�&�D�0�T�W�W�d�j�j�V�4���#�N�,<�"&�*�*����:���l�l���� 1�!$�!2�!2�&/�"�n�"1��2���s�8�q�=��B�R�G�H�H� ��Q��
�!6�r�!:�;���/�/��:�R�?�@�@��m�m�D�-�8���
�
�k�6�2�� �&�&�(��
��
�
�k�7�3��!&�!:�!:�!<�!+�C��F�3C�,D�R�,H�!I�K��
��'�!��
�
�d�K�8�I�-�I�N��=�=��j�9���}�}�X�v�.���s�1�v�&6�7��;�<��	��]�]�8�X�6�
� �
���
�
�h��/�� ��
��i�����s�W�d��C������	�!�$��0��M�M�'�3�8�8�:�.��!�!�$�!�7���	��v�v�a�y�:�<�<�>�>��>�>�"�*�*�[�*A�B�� "�
�
�h�.>�.>�.@�.=�!?�
��]�]�=�)�<������}�}�]�F�;��1��	� �m�m�M�=�I��#U�� ��]�]�=�,�G�
�")�
���}�}�]�F�;�������5�5�"�$D�E�E����!	��@�	��v�v�a�y�3�3�"�$D�E�E���		�s2�A(Q�>V�
U>�DU9�9U>�	V1�
"V,�,V1r"r�r`rDrBrbrbsg���B�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
2�J�<@�'+�krDrbc��eZdZdZdZejejejd�Z	e
dddedd�	�gZgd
�Z
		d
d�Zy)�cmd_remove_accessaRemove a VGP Host Access Group Policy from the sysvol

This command removes a host access setting from the sysvol for applying to
winbind clients.

Example:
samba-tool gpo manage access remove {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com
    z2%prog <gpo> <allow/deny> <name> <domain> [options]rr
rrr
rr)r�r�rqr�Nc	��|j�|_|j|jd��|_|r|j	d�r
|dd}	||_nGt
|j|j�}	t|j|j|	��|_t|	d|j|j��}
|j�t||j|j|j|�}|jjd�}|d	k(r%d
j|j�d|dd
g�}
n8|dk(r%d
j|j�d|ddg�}
ntd|z��d
j|
dg�}	t!j"t!j$|
j'|���}|j)�j+d�}|j*d�}|j9d�D]m}|j+d�}|j+d�}|j+d�}|��9|j:|k(s�I|��L|j:|k(s�\|j=|�ntd|z��t?�}|jA|dd��|jCd�	tE|
|
�|
jG||jI��|jKd��y#t,$rU}|j.dt0t2t4fvrtd|z��|j.dt6k(rtd���d}~wwxYw#t,$r'}|j.dt6k(rtd���d}~wwxYw)NTrrfrZr[r]r^r_r_r�r`r]rer`rfrgr_r`r�rz0Cannot remove %s entry because it does not existrcrkr^rqr�rorprs)&rrhr rirUrjrrmr3r�r5r�rkr>r�rr�rur�r�rvrwrrlr-r.r/r1r�rzr�r)r�r{r2r�r�r|)r�r�r�rqr�rrr	rrsr�r�r_rr�r�rr�rlrkr^�name_elmrrr�s                        rBr!zcmd_remove_access.run�sQ���(�(�*����-�-�d�g�g��-�M��
�
����i�(��A�B�%�K��D�H�'�������<�K��d�g�g�t�z�z�k�B�D�H��k�&�!%���$(�J�J�0��
	
����#�C����$�*�*�d�j�j�!�L�������G�$���G���i�i�����
�C�!:�!;�!=�>�G��f�_��i�i�����
�C�!:�!:�!<�=�G�� ;�=B� C�D�
D��)�)�W�n�5�6��	��~�~�b�m�m�D�M�M�'�4J�&K�L�H��%�%�'�,�,�_�=�F��6�;�;�v�&�D� �<�<�
�6�
	8�K�"�'�'�
�3�H��}�}�V�,�H�!���x�0�J��#��
�
��(=��%�*�/�/�V�*C����K�(��
	8�� /�16� 7�8�
8��i�����s�W�d��C������	�!�$��0��M�M�'�3�8�8�:�.��!�!�$�!�7��=�
	��v�v�a�y�:�<�<�>�>�#�$/�16�$7�8�8������5�5�"�$D�E�E���
	��>�	��v�v�a�y�3�3�"�$D�E�E���		�s2�A(K6�7>M�6	M�?AM�M�	N� "N�Nr"r�r`rDrBrtrt�sg���D�H��)�)��-�-��.�.���	�t�W�#J�QT��C�	)��M�
4�J�>B�'+�JrDrtc��eZdZdZdZejejd�Ze	dddd��e	d	ddd
��gZ
ddgZ		dd�Zy
)�cmd_cse_registera�Register a Client Side Extension (CSE) on the current host

This command takes a CSE filename as an argument, and registers it for
applying policy on the current host. This is not necessary for CSEs which
are distributed with the current version of Samba, but is useful for installing
experimental CSEs or custom built CSEs.
The <cse_file> argument MUST be a permanent location for the CSE. The register
command does not copy the file to some other directory. The samba-gpupdate
command will execute the CSE from the exact location specified from this
command.

Example:
samba-tool gpo cse register ./gp_chromium_ext.py gp_chromium_ext --machine
    z%%prog <cse_file> <cse_name> [options]�rrz	--machineFr�z-Whether to register the CSE as Machine policy)r�r�rz--userz*Whether to register the CSE as User policy�cse_file�cse_nameNc�@�|j�|_|dk(r|dk(rtd��dtt	j
��z}tjj|�}t||||jj||��}	|	std|z��y)NFz+Either --machine or --user must be selectedr�)�smb_conf�machiner5zFailed to register CSE "%s")rrhrr�rrr�r��realpathr7r)
r�rzr{r~r5rr�ext_guid�ext_pathrAs
          rBr!zcmd_cse_register.runs����(�(�*����e����
��L�M�M��C��
�
��-�-���7�7�#�#�H�-��#�H�h��-1�W�W�-?�-?�,3�$�@����<�x�G�H�H�rD)FFNN)
rrrr$r%rGr&r'r)rr*rTr!r`rDrBrxrx�so��
�7�H��)�)��-�-���	�{�E�,�C�	E��x��|�@�	B��M��j�)�J�:?�(,�
IrDrxc�N�eZdZdZdZejejd�Zdd�Z	y)�cmd_cse_listz�List the registered Client Side Extensions (CSEs) on the current host

This command lists the currently registered CSEs on the host.

Example:
samba-tool gpo cse list
    rryNc��|j�|_t|jj�}|j	�D]�\}}|j
j
d|z�|j
j
d|dz�|j
j
d|dz�|j
j
dt|d�z�|j
j
dt|d	�z���y)
NzUniqueGUID         : %s
zFileName           : %s
�DllNamezProcessGroupPolicy : %s
�ProcessGroupPolicyzMachinePolicy      : %s
�
MachinePolicyzUserPolicy         : %s

�
UserPolicy)rrhr8rr�r�r�r�)r�rr�csesr�gp_exts      rBr!zcmd_cse_list.run=s����(�(�*���!�$�'�'�"4�"4�5�� �J�J�L�	/�L�D�&��I�I�O�O�7�$�>�?��I�I�O�O�7�&��:K�K�L��I�I�O�O�7��/�0�1�
2��I�I�O�O�7����/�0�1�
2��I�I�O�O�9���|�,�-�.�
/�	/rD�NN)
rrrr$r%rGr&r'r)r!r`rDrBr�r�-s/���!�H��)�)��-�-���
/rDr�c�T�eZdZdZdZejejd�ZdgZ	dd�Z
y)�cmd_cse_unregisteraqUnregister a Client Side Extension (CSE) from the current host

This command takes a unique GUID as an argument (representing a registered
CSE), and unregisters it for applying policy on the current host. Use the
`samba-tool gpo cse list` command to determine the unique GUIDs of CSEs.

Example:
samba-tool gpo cse unregister {3F60F344-92BF-11ED-A1EB-0242AC120002}
    z%prog <guid> [options]ryrNc��|j�|_t||jj�}|st	d|z��y)NzFailed to unregister CSE "%s")rrhr9rr)r�rrrrAs     rBr!zcmd_cse_unregister.run_sA���(�(�*���%�d�D�G�G�,>�,>�?����>��E�F�F�rDr�)rrrr$r%rGr&r'r)rTr!r`rDrBr�r�Ks9���(�H��)�)��-�-���
��J�GrDr�c�P�eZdZdZiZe�ed<e�ed<e�ed<y)�cmd_csezManage Client Side Extensions�registerr��
unregisterN)rrrr$r�rxr�r�r`rDrBr�r�fs0��'��K�.�0�K�
��&�.�K��� 2� 4�K��rDr�c�P�eZdZdZiZe�ed<e�ed<e�ed<y)�
cmd_accessz'Manage Host Access Group Policy Objectsr�rr�N)rrrr$r�r[rbrtr`rDrBr�r�ms1��1��K�)�+�K���'�)�K���-�/�K��rDr�c���eZdZdZiZe�ed<e�ed<e�ed<e�ed<e	�ed<e
�ed<e�ed<e�ed	<e
�ed
<e�ed<y)
�
cmd_managezManage Group Policy Objects�sudoersr
r}�symlinkrQ�openssh�scriptsrJrW�accessN)rrrr$r�r�r�r�r�r
rr:rPrYr�r`rDrBr�r�ts���%��K�(�]�K�	��*�n�K�
��*�n�K�
��(�]�K�	��$�;�K���(�]�K�	��(�]�K�	��"�*�K���$�;�K���&�L�K��rDr�c��eZdZdZiZe�ed<e�ed<e�ed<e�ed<e	�ed<e
�ed<e�ed<e�ed	<e
�ed
<e�ed<e�ed<e�ed
<e�ed<e�ed<e�ed<e�ed<e�ed<e�ed<e�ed<e�ed<y)�cmd_gpoz%Group Policy Object (GPO) management.�listallr��showr�r��getlink�setlink�dellink�listcontainers�getinheritance�setinheritance�fetch�create�del�aclcheckr(�restore�admxload�manage�cseN)rrrr$r�rr,rVr}r�r�r�r�r�r�r�r�r�r5rCr�r'rIr�r�r`rDrBr�r��s��/��K�(�]�K�	��"�*�K���"�*�K���"�*�K���&�L�K���(�]�K�	��(�]�K�	��(�]�K�	��$6�$8�K� �!�$6�$8�K� �!�$6�$8�K� �!�$�;�K���&�L�K��� ��K���*�n�K�
��&�L�K���(�]�K�	��*�n�K�
��&�L�K��� ��K��rDr�r�)FF)�r�r��samba.getopt�getoptrGr~r��xml.etree.ElementTree�etreerur�r�r��
samba.authr�samba.netcmdrrrr�samba.samdbrr6r	�samba.dcerpcr
�	samba.ndrrrr
�samba.securityrrr�samba.netcmd.commonrr�samba.samba3rr�rr�samba.ntaclsrr�	samba.netr�samba.gp_parserrr�samba.gp_parse.gp_polr�samba.gp_parse.gp_inirrrr�samba.gp_parse.gp_csvr �samba.gp_parse.gp_infr!�samba.gp_parse.gp_aasr"r#r$�samba.commonr%r&�configparserr'�ior(r)�samba.gp.vgp_files_extr*r+r-rq�samba.registryr,�samba.ntstatusr-r.r/r0r1�samba.netcmd.gpcommonr2r3r4�samba.policiesr5�samba.dcerpc.miscr6�samba.gp.gpclassr7r8r9rCrHr]rdrmr=r>r?�SECINFO_SACLr�r�r�r��
IGNORECASEr�r��FILE_ATTRIBUTE_SYSTEMr��FILE_ATTRIBUTE_ARCHIVE�FILE_ATTRIBUTE_HIDDENr�r�r�r�rr,rVr}r�r�r�r�r�r�r�r�r�r�r'r5rCrIrYr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rr
rrrrr%r5r8r:r=rDrPrRrUrYr[rbrtrxr�r�r�r�r�r�r`rDrB�<module>r�s���*
�
��
�	�"�"�
��%�����!�*����}�}�-��8���$���O�O�-���3�2�-��,�.�%� �<���&�����
1�*������$��!�d�t�#�1�1�#�1�1�2�#�0�0�1�$�0�0�1�+�\	�#C�L��M�M��:2�<�
)�
)�
�
,�
,�-�
�
*�
*�+��
)�
)�*�
�/�28=�7<�",�J+N��+N�\""�*�""�Jr:�z�r:�jc�z�c�Lo�z�o�dT��T�n,J�*�,J�^WM�*�WM�t$M�*�$M�N!B��!B�H);��);�X3X��3X�l87�
�87�vI��I�XPI��PI�f`<�*�`<�FG3�j�G3�T=O�:�=O�~JQ�7�JQ�Xz�j�z�xc5�w�c5�J@&��@&�D1�,�1�y�z�y�vD<��D<�L.�<�.�?F��?F�Bf�z�f�P,�<�,�?J�w�?J�B\�j�\�|Y��Y�v1�,�1�D(�W�D(�Lo�J�o�bZ�z�Z�x/��/�BE�w�BE�Hy�j�y�v+�,�+�L?�w�L?�\m�j�m�^V��V�p1�,�1�+�,�+�
>#�G�>#�@b�:�b�H(�|�(�>#�W�>#�@b�J�b�H)��)�[M�g�[M�zE�Z�E�Nc�
�c�J-I�w�-I�^/�7�/�<G��G�65�l�5�0��0�)��)�#�l�#rD
Zerion Mini Shell 1.0