%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /usr/lib/python3/dist-packages/samba/netcmd/
Upload File :
Create Path :
Current File : //usr/lib/python3/dist-packages/samba/netcmd/delegation.py

# delegation management
#
# Copyright Matthieu Patou mat@samba.org 2010
# Copyright Stefan Metzmacher metze@samba.org 2011
# Copyright Bjoern Baumbach bb@sernet.de 2011
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

import samba.getopt as options
import ldb
from samba import provision
from samba import dsdb
from samba.samdb import SamDB
from samba.auth import system_session
from samba.dcerpc import security
from samba.ndr import ndr_pack, ndr_unpack
from samba.netcmd.common import _get_user_realm_domain
from samba.netcmd import (
    Command,
    CommandError,
    SuperCommand,
    Option
)


class cmd_delegation_show(Command):
    """Show the delegation setting of an account."""

    synopsis = "%prog <accountname> [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
               metavar="URL", dest="H"),
    ]

    takes_args = ["accountname"]

    def show_security_descriptor(self, sam, security_descriptor):
        dacl = security_descriptor.dacl
        desc_type = security_descriptor.type

        warning_info = ('Security Descriptor of attribute '
                        'msDS-AllowedToActOnBehalfOfOtherIdentity')

        if dacl is None or not desc_type & security.SEC_DESC_DACL_PRESENT:
            self.errf.write(f'Warning: DACL not present in {warning_info}!\n')
            return

        if not desc_type & security.SEC_DESC_SELF_RELATIVE:
            self.errf.write(f'Warning: DACL in {warning_info} lacks '
                            f'SELF_RELATIVE flag!\n')
            return

        first = True

        for ace in dacl.aces:
            trustee = ace.trustee

            # Convert the trustee SID into a DN if we can.
            try:
                res = sam.search(f'<SID={trustee}>',
                                 scope=ldb.SCOPE_BASE)
            except ldb.LdbError as err:
                num, _ = err.args
                if num != ldb.ERR_NO_SUCH_OBJECT:
                    raise
            else:
                if len(res) == 1:
                    trustee = res[0].dn

            ignore = False

            if (ace.type == security.SEC_ACE_TYPE_ACCESS_DENIED
                    or ace.type == security.SEC_ACE_TYPE_ACCESS_DENIED_OBJECT):
                self.errf.write(f'Warning: ACE in {warning_info} denies '
                                f'access for trustee {trustee}!\n')
                # Ignore the ACE if it denies access
                ignore = True
            elif (ace.type != security.SEC_ACE_TYPE_ACCESS_ALLOWED
                    and ace.type != security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT):
                # Ignore the ACE if it doesn't explicitly allow access
                ignore = True

            inherit_only = ace.flags & security.SEC_ACE_FLAG_INHERIT_ONLY
            object_inherit = ace.flags & security.SEC_ACE_FLAG_OBJECT_INHERIT
            container_inherit = (
                ace.flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT)
            inherited_ace = ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE

            if inherit_only and not object_inherit and not container_inherit:
                # Ignore the ACE if it is propagated only to child objects, but
                # neither of the object and container inherit flags are set.
                ignore = True
            else:
                if container_inherit:
                    self.errf.write(f'Warning: ACE for trustee {trustee} has '
                                    f'unexpected CONTAINER_INHERIT flag set in '
                                    f'{warning_info}!\n')
                    ignore = True

                if inherited_ace:
                    self.errf.write(f'Warning: ACE for trustee {trustee} has '
                                    f'unexpected INHERITED_ACE flag set in '
                                    f'{warning_info}!\n')
                    ignore = True

            if not ace.access_mask:
                # Ignore the ACE if it doesn't grant any permissions.
                ignore = True

            if not ignore:
                if first:
                    self.outf.write(f'  Principals that may delegate to this '
                                    f'account:\n')
                    first = False

                self.outf.write(f'msDS-AllowedToActOnBehalfOfOtherIdentity: '
                                f'{trustee}\n')


    def run(self, accountname, H=None, credopts=None, sambaopts=None, versionopts=None):
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        paths = provision.provision_paths_from_lp(lp, lp.get("realm"))

        if H is None:
            path = paths.samdb
        else:
            path = H

        sam = SamDB(path, session_info=system_session(),
                    credentials=creds, lp=lp)
        # TODO once I understand how, use the domain info to naildown
        # to the correct domain
        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
                                                                 sam)

        res = sam.search(expression="sAMAccountName=%s" %
                         ldb.binary_encode(cleanedaccount),
                         scope=ldb.SCOPE_SUBTREE,
                         attrs=["userAccountControl", "msDS-AllowedToDelegateTo",
                                "msDS-AllowedToActOnBehalfOfOtherIdentity"])
        if len(res) == 0:
            raise CommandError("Unable to find account name '%s'" % accountname)
        assert(len(res) == 1)

        uac = int(res[0].get("userAccountControl")[0])
        allowed = res[0].get("msDS-AllowedToDelegateTo")
        allowed_from = res[0].get("msDS-AllowedToActOnBehalfOfOtherIdentity", idx=0)

        self.outf.write("Account-DN: %s\n" % str(res[0].dn))
        self.outf.write("UF_TRUSTED_FOR_DELEGATION: %s\n"
                        % bool(uac & dsdb.UF_TRUSTED_FOR_DELEGATION))
        self.outf.write("UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: %s\n" %
                        bool(uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION))

        if allowed:
            self.outf.write("  Services this account may delegate to:\n")
            for a in allowed:
                self.outf.write("msDS-AllowedToDelegateTo: %s\n" % a)
        if allowed_from is not None:
            try:
                security_descriptor = ndr_unpack(security.descriptor, allowed_from)
            except RuntimeError:
                self.errf.write("Warning: Security Descriptor of attribute "
                                "msDS-AllowedToActOnBehalfOfOtherIdentity "
                                "could not be unmarshalled!\n")
            else:
                self.show_security_descriptor(sam, security_descriptor)


class cmd_delegation_for_any_service(Command):
    """Set/unset UF_TRUSTED_FOR_DELEGATION for an account."""

    synopsis = "%prog <accountname> [(on|off)] [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
               metavar="URL", dest="H"),
    ]

    takes_args = ["accountname", "onoff"]

    def run(self, accountname, onoff, H=None, credopts=None, sambaopts=None,
            versionopts=None):

        on = False
        if onoff == "on":
            on = True
        elif onoff == "off":
            on = False
        else:
            raise CommandError("invalid argument: '%s' (choose from 'on', 'off')" % onoff)

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
        if H is None:
            path = paths.samdb
        else:
            path = H

        sam = SamDB(path, session_info=system_session(),
                    credentials=creds, lp=lp)
        # TODO once I understand how, use the domain info to naildown
        # to the correct domain
        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
                                                                 sam)

        search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
        flag = dsdb.UF_TRUSTED_FOR_DELEGATION
        try:
            sam.toggle_userAccountFlags(search_filter, flag,
                                        flags_str="Trusted-for-Delegation",
                                        on=on, strict=True)
        except Exception as err:
            raise CommandError(err)


class cmd_delegation_for_any_protocol(Command):
    """Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account."""

    synopsis = "%prog <accountname> [(on|off)] [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
               metavar="URL", dest="H"),
    ]

    takes_args = ["accountname", "onoff"]

    def run(self, accountname, onoff, H=None, credopts=None, sambaopts=None,
            versionopts=None):

        on = False
        if onoff == "on":
            on = True
        elif onoff == "off":
            on = False
        else:
            raise CommandError("invalid argument: '%s' (choose from 'on', 'off')" % onoff)

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp, fallback_machine=True)
        paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
        if H is None:
            path = paths.samdb
        else:
            path = H

        sam = SamDB(path, session_info=system_session(),
                    credentials=creds, lp=lp)
        # TODO once I understand how, use the domain info to naildown
        # to the correct domain
        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
                                                                 sam)

        search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
        flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
        try:
            sam.toggle_userAccountFlags(search_filter, flag,
                                        flags_str="Trusted-to-Authenticate-for-Delegation",
                                        on=on, strict=True)
        except Exception as err:
            raise CommandError(err)


class cmd_delegation_add_service(Command):
    """Add a service principal to msDS-AllowedToDelegateTo so that an account may delegate to it."""

    synopsis = "%prog <accountname> <principal> [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
               metavar="URL", dest="H"),
    ]

    takes_args = ["accountname", "principal"]

    def run(self, accountname, principal, H=None, credopts=None, sambaopts=None,
            versionopts=None):

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
        if H is None:
            path = paths.samdb
        else:
            path = H

        sam = SamDB(path, session_info=system_session(),
                    credentials=creds, lp=lp)
        # TODO once I understand how, use the domain info to naildown
        # to the correct domain
        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
                                                                 sam)

        res = sam.search(expression="sAMAccountName=%s" %
                         ldb.binary_encode(cleanedaccount),
                         scope=ldb.SCOPE_SUBTREE,
                         attrs=["msDS-AllowedToDelegateTo"])
        if len(res) == 0:
            raise CommandError("Unable to find account name '%s'" % accountname)
        assert(len(res) == 1)

        msg = ldb.Message()
        msg.dn = res[0].dn
        msg["msDS-AllowedToDelegateTo"] = ldb.MessageElement([principal],
                                                             ldb.FLAG_MOD_ADD,
                                                             "msDS-AllowedToDelegateTo")
        try:
            sam.modify(msg)
        except Exception as err:
            raise CommandError(err)


class cmd_delegation_del_service(Command):
    """Delete a service principal from msDS-AllowedToDelegateTo so that an account may no longer delegate to it."""

    synopsis = "%prog <accountname> <principal> [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
               metavar="URL", dest="H"),
    ]

    takes_args = ["accountname", "principal"]

    def run(self, accountname, principal, H=None, credopts=None, sambaopts=None,
            versionopts=None):

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
        if H is None:
            path = paths.samdb
        else:
            path = H

        sam = SamDB(path, session_info=system_session(),
                    credentials=creds, lp=lp)
        # TODO once I understand how, use the domain info to naildown
        # to the correct domain
        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
                                                                 sam)

        res = sam.search(expression="sAMAccountName=%s" %
                         ldb.binary_encode(cleanedaccount),
                         scope=ldb.SCOPE_SUBTREE,
                         attrs=["msDS-AllowedToDelegateTo"])
        if len(res) == 0:
            raise CommandError("Unable to find account name '%s'" % accountname)
        assert(len(res) == 1)

        msg = ldb.Message()
        msg.dn = res[0].dn
        msg["msDS-AllowedToDelegateTo"] = ldb.MessageElement([principal],
                                                             ldb.FLAG_MOD_DELETE,
                                                             "msDS-AllowedToDelegateTo")
        try:
            sam.modify(msg)
        except Exception as err:
            raise CommandError(err)


class cmd_delegation_add_principal(Command):
    """Add a principal to msDS-AllowedToActOnBehalfOfOtherIdentity that may delegate to an account."""

    synopsis = "%prog <accountname> <principal> [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server",
               type=str, metavar="URL", dest="H"),
    ]

    takes_args = ["accountname", "principal"]

    def run(self, accountname, principal, H=None, credopts=None, sambaopts=None,
            versionopts=None):

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
        if H is None:
            path = paths.samdb
        else:
            path = H

        sam = SamDB(path, session_info=system_session(),
                    credentials=creds, lp=lp)
        # TODO once I understand how, use the domain info to naildown
        # to the correct domain
        cleanedaccount, _, _ = _get_user_realm_domain(accountname, sam)

        account_res = sam.search(
            expression="sAMAccountName=%s" %
            ldb.binary_encode(cleanedaccount),
            scope=ldb.SCOPE_SUBTREE,
            attrs=["msDS-AllowedToActOnBehalfOfOtherIdentity"])
        if len(account_res) == 0:
            raise CommandError(f"Unable to find account name '{accountname}'")
        assert(len(account_res) == 1)

        data = account_res[0].get(
            "msDS-AllowedToActOnBehalfOfOtherIdentity", idx=0)
        if data is None:
            # Create the security descriptor if it is not present.
            owner_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)

            security_desc = security.descriptor()
            security_desc.revision = security.SD_REVISION
            security_desc.type = (security.SEC_DESC_DACL_PRESENT |
                                  security.SEC_DESC_SELF_RELATIVE)
            security_desc.owner_sid = owner_sid

            dacl = None
        else:
            try:
                security_desc = ndr_unpack(security.descriptor, data)
            except RuntimeError:
                raise CommandError(f"Security Descriptor of attribute "
                                   f"msDS-AllowedToActOnBehalfOfOtherIdentity "
                                   f"for account '{accountname}' could not be "
                                   f"unmarshalled!")

            dacl = security_desc.dacl

        if dacl is None:
            # Create the DACL if it is not present.
            dacl = security.acl()
            dacl.revision = security.SECURITY_ACL_REVISION_ADS
            dacl.num_aces = 0

        # TODO once I understand how, use the domain info to naildown
        # to the correct domain
        cleanedprinc, _, _ = _get_user_realm_domain(principal, sam)

        princ_res = sam.search(expression="sAMAccountName=%s" %
                               ldb.binary_encode(cleanedprinc),
                               scope=ldb.SCOPE_SUBTREE,
                               attrs=["objectSid"])
        if len(princ_res) == 0:
            raise CommandError(f"Unable to find principal name '{principal}'")
        assert(len(princ_res) == 1)

        princ_sid = security.dom_sid(
            sam.schema_format_value(
                "objectSID",
                princ_res[0].get("objectSID", idx=0)).decode("utf-8"))

        aces = dacl.aces

        # Check that there is no existing ACE for this principal.
        if any(ace.trustee == princ_sid for ace in aces):
            raise CommandError(
                f"ACE for principal '{principal}' already present in Security "
                f"Descriptor of attribute "
                f"msDS-AllowedToActOnBehalfOfOtherIdentity for account "
                f"'{accountname}'.")

        # Create the new ACE.
        ace = security.ace()
        ace.type = security.SEC_ACE_TYPE_ACCESS_ALLOWED
        ace.flags = 0
        ace.access_mask = security.SEC_ADS_GENERIC_ALL
        ace.trustee = princ_sid

        aces.append(ace)

        dacl.aces = aces
        dacl.num_aces += 1

        security_desc.dacl = dacl

        new_data = ndr_pack(security_desc)

        # Set the new security descriptor. First, delete the original value to
        # detect a race condition if someone else updates the attribute at the
        # same time.
        msg = ldb.Message()
        msg.dn = account_res[0].dn
        if data is not None:
            msg["0"] = ldb.MessageElement(
                data, ldb.FLAG_MOD_DELETE,
                "msDS-AllowedToActOnBehalfOfOtherIdentity")
        msg["1"] = ldb.MessageElement(
            new_data, ldb.FLAG_MOD_ADD,
            "msDS-AllowedToActOnBehalfOfOtherIdentity")
        try:
            sam.modify(msg)
        except ldb.LdbError as err:
            num, _ = err.args
            if num == ldb.ERR_NO_SUCH_ATTRIBUTE:
                raise CommandError(
                    f"Refused to update attribute "
                    f"msDS-AllowedToActOnBehalfOfOtherIdentity for account "
                    f"'{accountname}': a conflicting attribute update "
                    f"occurred simultaneously.")
            else:
                raise CommandError(err)


class cmd_delegation_del_principal(Command):
    """Delete a principal from msDS-AllowedToActOnBehalfOfOtherIdentity that may no longer delegate to an account."""

    synopsis = "%prog <accountname> <principal> [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server",
               type=str, metavar="URL", dest="H"),
    ]

    takes_args = ["accountname", "principal"]

    def run(self, accountname, principal, H=None, credopts=None, sambaopts=None,
            versionopts=None):

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
        if H is None:
            path = paths.samdb
        else:
            path = H

        sam = SamDB(path, session_info=system_session(),
                    credentials=creds, lp=lp)
        # TODO once I understand how, use the domain info to naildown
        # to the correct domain
        cleanedaccount, _, _ = _get_user_realm_domain(accountname, sam)

        account_res = sam.search(
            expression="sAMAccountName=%s" %
            ldb.binary_encode(cleanedaccount),
            scope=ldb.SCOPE_SUBTREE,
            attrs=["msDS-AllowedToActOnBehalfOfOtherIdentity"])
        if len(account_res) == 0:
            raise CommandError("Unable to find account name '%s'" % accountname)
        assert(len(account_res) == 1)

        data = account_res[0].get(
            "msDS-AllowedToActOnBehalfOfOtherIdentity", idx=0)
        if data is None:
            raise CommandError(f"Attribute "
                               f"msDS-AllowedToActOnBehalfOfOtherIdentity for "
                               f"account '{accountname}' not present!")

        try:
            security_desc = ndr_unpack(security.descriptor, data)
        except RuntimeError:
            raise CommandError(f"Security Descriptor of attribute "
                               f"msDS-AllowedToActOnBehalfOfOtherIdentity for "
                               f"account '{accountname}' could not be "
                               f"unmarshalled!")

        dacl = security_desc.dacl
        if dacl is None:
            raise CommandError(f"DACL not present on Security Descriptor of "
                               f"attribute "
                               f"msDS-AllowedToActOnBehalfOfOtherIdentity for "
                               f"account '{accountname}'!")

        # TODO once I understand how, use the domain info to naildown
        # to the correct domain
        cleanedprinc, _, _ = _get_user_realm_domain(principal, sam)

        princ_res = sam.search(expression="sAMAccountName=%s" %
                               ldb.binary_encode(cleanedprinc),
                               scope=ldb.SCOPE_SUBTREE,
                               attrs=["objectSid"])
        if len(princ_res) == 0:
            raise CommandError(f"Unable to find principal name '{principal}'")
        assert(len(princ_res) == 1)

        princ_sid = security.dom_sid(
            sam.schema_format_value(
                "objectSID",
                princ_res[0].get("objectSID", idx=0)).decode("utf-8"))

        old_aces = dacl.aces

        # Remove any ACEs relating to the specified principal.
        aces = [ace for ace in old_aces if ace.trustee != princ_sid]

        # Raise an error if we didn't find any.
        if len(aces) == len(old_aces):
            raise CommandError(f"Unable to find ACE for principal "
                               f"'{principal}' in Security Descriptor of "
                               f"attribute "
                               f"msDS-AllowedToActOnBehalfOfOtherIdentity for "
                               f"account '{accountname}'.")

        dacl.num_aces = len(aces)
        dacl.aces = aces

        security_desc.dacl = dacl

        new_data = ndr_pack(security_desc)

        # Set the new security descriptor. First, delete the original value to
        # detect a race condition if someone else updates the attribute at the
        # same time.
        msg = ldb.Message()
        msg.dn = account_res[0].dn
        msg["0"] = ldb.MessageElement(
            data, ldb.FLAG_MOD_DELETE,
            "msDS-AllowedToActOnBehalfOfOtherIdentity")
        msg["1"] = ldb.MessageElement(
            new_data, ldb.FLAG_MOD_ADD,
            "msDS-AllowedToActOnBehalfOfOtherIdentity")
        try:
            sam.modify(msg)
        except ldb.LdbError as err:
            num, _ = err.args
            if num == ldb.ERR_NO_SUCH_ATTRIBUTE:
                raise CommandError(
                    f"Refused to update attribute "
                    f"msDS-AllowedToActOnBehalfOfOtherIdentity for account "
                    f"'{accountname}': a conflicting attribute update "
                    f"occurred simultaneously.")
            else:
                raise CommandError(err)


class cmd_delegation(SuperCommand):
    """Delegation management."""

    subcommands = {}
    subcommands["show"] = cmd_delegation_show()
    subcommands["for-any-service"] = cmd_delegation_for_any_service()
    subcommands["for-any-protocol"] = cmd_delegation_for_any_protocol()
    subcommands["add-service"] = cmd_delegation_add_service()
    subcommands["del-service"] = cmd_delegation_del_service()
    subcommands["add-principal"] = cmd_delegation_add_principal()
    subcommands["del-principal"] = cmd_delegation_del_principal()

Zerion Mini Shell 1.0