g}DSrSSKJr SSKJr SSKJr SSKrSSKrSr S"Sjr S"Sjr S"S jr S"S jr S"S jrS"S jrS"S jrS"SjrS"SjrS"SjrS"SjrS"SjrS"SjrS"SjrS"SjrS"SjrS"SjrS"SjrS"SjrS"SjrS"SjrS"SjrSr Sr!Sr"S r#S#S!jr$g)$zFFunctions for setting up a Samba configuration (security descriptors).)security)ndr_pack)get_schema_descriptorNcSU-nUR5HupEURXE5nM [RR X15n[ U5$)N%s)itemsreplacer descriptor from_sddlr)sddl_in domain_sidname_mapsddlnamesidsecs 2/usr/lib/python3/dist-packages/samba/descriptor.py sddl2binaryr&sN '>D~~' ||D&(    ' ' 9C C=c(Uc0nSn[X U5$)Nrr rrs rget_empty_descriptorr0s D t 22rc(Uc0nSn[X U5$)Nz9O:SYG:SYD:PAI(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)(A;;RPLC;;;BA)rrs rget_deletedobjects_descriptorr:s# D t 22rc(Uc0nSn[X U5$)Na O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCRCCLCLORCWOWDSDSW;;;DA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)rrs rget_config_descriptorrDs$ AD t 22rc(Uc0nSn[X U5$)NaD:(A;;LCLORC;;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;ED)(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)S:(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)rrs r get_config_partitions_descriptorr Zs# *D t 22rc(Uc0nSn[X U5$)NaD:(A;;RPLCLORC;;;AU)(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;RO)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:(AU;CISA;CCDCSDDT;;;WD)(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)rrs rget_config_sites_descriptorr"os$ fD t 22rc(Uc0nSn[X U5$)NziD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPLCLORC;;;BA)(OA;;CR;4ecc03fe-ffc0-4947-b630-eb672a8a9dbc;;WD)rrs r!get_config_ntds_quotas_descriptorr$s# > ?Ahi -EOO4E0FF GImn U__->)?? @B_` (3u/@+AA BDcd }s5??+<'== >@[\ 1C8I4JJ KMno 5EOOZ$[\ 66%6* +{ :tc+&6679UVA   #6[9IIJ.0A   #5K8HHI8:A   #3c+6FFG8:A   #3c+6FFG8:A   # ffU$:c%//BS>T$UV 66%6* +{ :tc+&6679UVA   #6[9IIJ.0A   #5K8HHI8:A   #3c+6FFG8:A   #3c+6FFG8:A   #G+J rc[R"S5nURU5n0n/US'UH4n[US5S:aUSUS'USR US5 M6 U$)znReturn separate ACE of an ACL :param acl: A string representing the ACL :return: A hash with different parts z(\w+)?(\(.*?\))acesrflags)recompilefindalllenrW)aclptabhashes r chunck_aclrm8sq %&A ))C.C DDL  qt9q=aDDM V AaD! Krc[R"S5nURU5n0nUHInUSS:XaUSUS'USS:XaUSUS'USS:XaUSUS 'USS :XdMAUSUS 'MK U$) zReturn separate parts of the SDDL (owner, group, ...) :param sddl: An string containing the SDDL to chunk :return: A hash with the different chunk z([OGDS]:)(.*?)(?=(?:[GDS]:|$))rzO:rcownerzG:groupzD:daclzS:sacl)rdrerf)rrirjrkrls r chunck_sddlrsLs 45A ))D/C D  Q44<aDDM Q44<aDDM Q44<Q4DL Q44<Q4DL Krc[R"5nURUlURUlURUlUR Ul/nUR bUR Rn[S[U55H<nX#nUR[R-(aM+URU5 M> /nURbURRn[S[U55H<nX#nUR[R-(aM+URU5 M> U$)zjGet the SD without any inherited ACEs :param sd: SD to strip :return: An SD with inherited ACEs stripped r)rr owner_sid group_sidtyperevisionrrrarangergrbSEC_ACE_FLAG_INHERITED_ACEsacl_addrqdacl_add)sdsd_cleanraiaces r get_clean_sdrds""$HHHGGHM H D wwww|| 1c$i gyy8>>>>   c "  ! D wwww|| 1c$i gyy8>>>>   c "  ! OrcF[U5RU5n[U5RU5nSn[U5n[U5n SU;aSnO#SU ;aUSU S:waSU S<SUS<S3nSU;aSU-nO&SU ;a USU S:waU<S U S<SUS<S3nS /n U(aU RS 5 U GHTn X;GaX;Ga[ 5n [ 5n [ X5n[ X5nUS HnU R U5 M US HnU R U5 M [ U 5H-nUU ;dM U RU5 U RU5 M/ [U 5[U 5-S :aQUS:Xa[U 5S :Xa U(a gU<SU <S3nU H nU<SU<S3nM U H nU<SU<S3nM GM GM#X;aX;a U<SU <S3nGM:X;dGMBX;dGMJU<SU <S3nGMW U$)abGet the difference between 2 sd This function split the textual representation of ACL into smaller chunk in order to not to report a simple permutation as a difference :param refsddl: First sddl to compare :param cursddl: Second sddl to compare :param checkSacl: If false we skip the sacl checks :return: A string that explain difference between sddls rroz No owner in current SDz Owner mismatch: z (in ref) z (in current) rpz%s No group in current SDz Group mismatch: rqrrrarz Part z@ is different between reference and current here is the detail: z z% ACE is not present in the reference z# ACE is not present in the current z Reference ACL hasn't a z part z Current ACL hasn't a ) ras_sddlrsrWsetrmaddremoverg)refsdcursd domainsid checkSaclignoreAdditionalACEscursddlrefsddltxthash_curhash_refpartsparth_curh_refc_curc_refelemkitems r get_diff_sdsrs(5!)))4G5!)))4G C7#H7#Hh( H '!2hw6G!G"*7"3Xg5FHh*S0 H '!2hw6G!G"%x'8(7:KMHE V   0EEEEx~.Ex~.Ef  $&f  $&Z:LLOLLO 5zCJ&*"9Uq+!?B4I"D,/7C""D*-t5C"+  $"6rs6M!. 333,3*3$3333<3~ 3=3@3" 3 3 333;3|3 33HV(0 F59&+Lr