diff --git a/.github/samba/python/samba/gp/gpclass.py b/.github/samba/python/samba/gp/gpclass.py index c2d612c59..f72281070 100644 --- a/.github/samba/python/samba/gp/gpclass.py +++ b/.github/samba/python/samba/gp/gpclass.py @@ -50,6 +50,7 @@ from samba.dcerpc import security import samba.security from samba.dcerpc import netlogon +from datetime import datetime try: @@ -776,12 +777,14 @@ def add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list, link_dn, gp_link, log.debug("add_gplink_to_gpo_list: added GPLINK #%d %s " "to GPO list" % (i, gp_link.link_names[i])) -def merge_nt_token(token_1, token_2): +def merge_with_system_token(token_1): sids = token_1.sids - sids.extend(token_2.sids) + system_token = system_session().security_token + sids.extend(system_token.sids) token_1.sids = sids - token_1.rights_mask |= token_2.rights_mask - token_1.privilege_mask |= token_2.privilege_mask + token_1.rights_mask |= system_token.rights_mask + token_1.privilege_mask |= system_token.privilege_mask + # There are no claims in the system token, so it is safe not to merge the claims return token_1 def site_dn_for_machine(samdb, dc_hostname, lp, creds, hostname): @@ -835,8 +838,7 @@ def get_gpo_list(dc_hostname, creds, lp, username): gpo_list_machine = False if uac & UF_WORKSTATION_TRUST_ACCOUNT or uac & UF_SERVER_TRUST_ACCOUNT: gpo_list_machine = True - token = merge_nt_token(session.security_token, - system_session().security_token) + token = merge_with_system_token(session.security_token) else: token = session.security_token @@ -1214,3 +1216,69 @@ def drop_privileges(username, func, *args): raise exc return out + +def expand_pref_variables(text, gpt_path, lp, username=None): + utc_dt = datetime.utcnow() + dt = datetime.now() + cache_path = lp.cache_path(os.path.join('gpo_cache')) + # These are all the possible preference variables that MS supports. The + # variables set to 'None' here are currently unsupported by Samba, and will + # prevent the individual policy from applying. + variables = { 'AppDataDir': os.path.expanduser('~/.config'), + 'BinaryComputerSid': None, + 'BinaryUserSid': None, + 'CommonAppdataDir': None, + 'CommonDesktopDir': None, + 'CommonFavoritesDir': None, + 'CommonProgramsDir': None, + 'CommonStartUpDir': None, + 'ComputerName': lp.get('netbios name'), + 'CurrentProccessId': None, + 'CurrentThreadId': None, + 'DateTime': utc_dt.strftime('%Y-%m-%d %H:%M:%S UTC'), + 'DateTimeEx': str(utc_dt), + 'DesktopDir': os.path.expanduser('~/Desktop'), + 'DomainName': lp.get('realm'), + 'FavoritesDir': None, + 'GphPath': None, + 'GptPath': os.path.join(cache_path, + check_safe_path(gpt_path).upper()), + 'GroupPolicyVersion': None, + 'LastDriveMapped': None, + 'LastError': None, + 'LastErrorText': None, + 'LdapComputerSid': None, + 'LdapUserSid': None, + 'LocalTime': dt.strftime('%H:%M:%S'), + 'LocalTimeEx': dt.strftime('%H:%M:%S.%f'), + 'LogonDomain': lp.get('realm'), + 'LogonServer': None, + 'LogonUser': username, + 'LogonUserSid': None, + 'MacAddress': None, + 'NetPlacesDir': None, + 'OsVersion': None, + 'ProgramFilesDir': None, + 'ProgramsDir': None, + 'RecentDocumentsDir': None, + 'ResultCode': None, + 'ResultText': None, + 'ReversedComputerSid': None, + 'ReversedUserSid': None, + 'SendToDir': None, + 'StartMenuDir': None, + 'StartUpDir': None, + 'SystemDir': None, + 'SystemDrive': '/', + 'TempDir': '/tmp', + 'TimeStamp': str(datetime.timestamp(dt)), + 'TraceFile': None, + 'WindowsDir': None + } + for exp_var, val in variables.items(): + exp_var_fmt = '%%%s%%' % exp_var + if exp_var_fmt in text: + if val is None: + raise NameError('Expansion variable %s is undefined' % exp_var) + text = text.replace(exp_var_fmt, val) + return text