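# delegation management
#
# Copyright Matthieu Patou mat@samba.org 2010
# Copyright Stefan Metzmacher metze@samba.org 2011
# Copyright Bjoern Baumbach bb@sernet.de 2011
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#

import samba.getopt as options
import ldb
from samba import provision
from samba import dsdb
from samba.samdb import SamDB
from samba.auth import system_session
from samba.netcmd.common import _get_user_realm_domain
from samba.netcmd import (
    Command,
    CommandError,
    SuperCommand,
    Option
    )


def _parse_onoff(onoff):
    """Translate the 'on'/'off' command argument into a boolean.

    Raises CommandError for any other value, so a typo can never be
    silently treated as one of the two states.
    """
    if onoff == "on":
        return True
    if onoff == "off":
        return False
    raise CommandError("invalid argument: '%s' (choose from 'on', 'off')" % onoff)


def _open_samdb(H, lp, creds):
    """Open the SAM database at URL *H*, or the provisioned one if H is None."""
    # The provision paths are computed even when H is given, as before, so
    # that any error they raise still surfaces at the same point.
    paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
    if H is None:
        path = paths.samdb
    else:
        path = H
    # NOTE(review): session_info=system_session() is passed unconditionally;
    # presumably this means a local database file is opened with system
    # privileges regardless of *creds* -- confirm against SamDB.
    return SamDB(path, session_info=system_session(),
                 credentials=creds, lp=lp)


def _account_filter(accountname):
    """Build the LDAP filter that selects *accountname* by sAMAccountName."""
    # TODO once I understand how, use the domain info to naildown
    # to the correct domain
    (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
    # binary_encode() escapes the user-supplied name so that it cannot
    # alter the structure of the search filter.
    return "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)


def _find_single_account(sam, accountname, attrs):
    """Return the one search result for *accountname*, fetching *attrs*.

    Raises CommandError when no account matches, and also when more than
    one matches.  The second case used to be an ``assert``, which is
    removed under ``python -O``; delegation settings must never be read
    from or written to an arbitrarily chosen entry.
    """
    res = sam.search(expression=_account_filter(accountname),
                     scope=ldb.SCOPE_SUBTREE,
                     attrs=attrs)
    if len(res) == 0:
        raise CommandError("Unable to find account name '%s'" % accountname)
    if len(res) != 1:
        raise CommandError("Found %d accounts matching '%s'; refusing to "
                           "guess which one to use" % (len(res), accountname))
    return res[0]


class cmd_delegation_show(Command):
    """Show the delegation setting of an account."""

    synopsis = "%prog <accountname> [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
        }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server",
               type=str, metavar="URL", dest="H"),
        ]

    takes_args = ["accountname"]

    def run(self, accountname, H=None, credopts=None, sambaopts=None,
            versionopts=None):
        """Print the account DN, both delegation flags and its target list."""
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        sam = _open_samdb(H, lp, creds)

        entry = _find_single_account(
            sam, accountname,
            ["userAccountControl", "msDS-AllowedToDelegateTo"])

        uac = int(entry.get("userAccountControl")[0])
        allowed = entry.get("msDS-AllowedToDelegateTo")

        self.outf.write("Account-DN: %s\n" % str(entry.dn))
        self.outf.write("UF_TRUSTED_FOR_DELEGATION: %s\n"
                        % bool(uac & dsdb.UF_TRUSTED_FOR_DELEGATION))
        self.outf.write("UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: %s\n" %
                        bool(uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION))

        # The attribute is absent on accounts with no constrained
        # delegation targets, in which case get() returns None.
        if allowed is not None:
            for a in allowed:
                self.outf.write("msDS-AllowedToDelegateTo: %s\n" % a)


class cmd_delegation_for_any_service(Command):
    """Set/unset UF_TRUSTED_FOR_DELEGATION for an account."""

    # UF_TRUSTED_FOR_DELEGATION is unconstrained Kerberos delegation: the
    # account is trusted to act for users towards any service.  It is one
    # of the most sensitive account flags in a domain; prefer constrained
    # delegation (msDS-AllowedToDelegateTo) and audit every change to it.

    synopsis = "%prog <accountname> [(on|off)] [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
        }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server",
               type=str, metavar="URL", dest="H"),
        ]

    takes_args = ["accountname", "onoff"]

    def run(self, accountname, onoff, H=None, credopts=None, sambaopts=None,
            versionopts=None):
        """Switch UF_TRUSTED_FOR_DELEGATION on or off for *accountname*."""
        # Validate the argument before touching configuration or the database.
        on = _parse_onoff(onoff)

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        sam = _open_samdb(H, lp, creds)

        search_filter = _account_filter(accountname)
        flag = dsdb.UF_TRUSTED_FOR_DELEGATION
        try:
            sam.toggle_userAccountFlags(search_filter, flag,
                                        flags_str="Trusted-for-Delegation",
                                        on=on, strict=True)
        except Exception as err:
            # Command boundary: report any failure as a user-facing error.
            raise CommandError(err)


class cmd_delegation_for_any_protocol(Command):
    """Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account."""

    # NOTE(review): in Active Directory this flag enables Kerberos protocol
    # transition (S4U2Self); the services reachable through S4U2Proxy are
    # the msDS-AllowedToDelegateTo entries.  The help text above is left
    # unchanged because it is shown to users.

    synopsis = "%prog <accountname> [(on|off)] [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
        }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server",
               type=str, metavar="URL", dest="H"),
        ]

    takes_args = ["accountname", "onoff"]

    def run(self, accountname, onoff, H=None, credopts=None, sambaopts=None,
            versionopts=None):
        """Switch UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION on or off."""
        # Validate the argument before touching configuration or the database.
        on = _parse_onoff(onoff)

        lp = sambaopts.get_loadparm()
        # NOTE(review): this is the only command in the file that passes
        # fallback_machine=True; presumably it falls back to the machine
        # account when no credentials are given -- confirm the asymmetry
        # with the sibling commands is intended.
        creds = credopts.get_credentials(lp, fallback_machine=True)
        sam = _open_samdb(H, lp, creds)

        search_filter = _account_filter(accountname)
        flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
        try:
            sam.toggle_userAccountFlags(search_filter, flag,
                                        flags_str="Trusted-to-Authenticate-for-Delegation",
                                        on=on, strict=True)
        except Exception as err:
            # Command boundary: report any failure as a user-facing error.
            raise CommandError(err)


class cmd_delegation_add_service(Command):
    """Add a service principal as msDS-AllowedToDelegateTo."""

    synopsis = "%prog <accountname> <principal> [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
        }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server",
               type=str, metavar="URL", dest="H"),
        ]

    takes_args = ["accountname", "principal"]

    def run(self, accountname, principal, H=None, credopts=None, sambaopts=None,
            versionopts=None):
        """Append *principal* to the account's msDS-AllowedToDelegateTo."""
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        sam = _open_samdb(H, lp, creds)

        entry = _find_single_account(sam, accountname,
                                     ["msDS-AllowedToDelegateTo"])

        # *principal* is written exactly as given; nothing here checks that
        # it names an existing service principal.  Review the result with
        # the "show" subcommand after changing the list.
        msg = ldb.Message()
        msg.dn = entry.dn
        msg["msDS-AllowedToDelegateTo"] = ldb.MessageElement([principal],
                                              ldb.FLAG_MOD_ADD,
                                              "msDS-AllowedToDelegateTo")
        try:
            sam.modify(msg)
        except Exception as err:
            # Command boundary: report any failure as a user-facing error.
            raise CommandError(err)


class cmd_delegation_del_service(Command):
    """Delete a service principal as msDS-AllowedToDelegateTo."""

    synopsis = "%prog <accountname> <principal> [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
        }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server",
               type=str, metavar="URL", dest="H"),
        ]

    takes_args = ["accountname", "principal"]

    def run(self, accountname, principal, H=None, credopts=None, sambaopts=None,
            versionopts=None):
        """Remove *principal* from the account's msDS-AllowedToDelegateTo."""
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        sam = _open_samdb(H, lp, creds)

        entry = _find_single_account(sam, accountname,
                                     ["msDS-AllowedToDelegateTo"])

        msg = ldb.Message()
        msg.dn = entry.dn
        msg["msDS-AllowedToDelegateTo"] = ldb.MessageElement([principal],
                                              ldb.FLAG_MOD_DELETE,
                                              "msDS-AllowedToDelegateTo")
        try:
            sam.modify(msg)
        except Exception as err:
            # Command boundary: report any failure as a user-facing error.
            raise CommandError(err)


class cmd_delegation(SuperCommand):
    """Delegation management."""

    # Maps each subcommand name to the command instance that handles it.
    subcommands = {}
    subcommands["show"] = cmd_delegation_show()
    subcommands["for-any-service"] = cmd_delegation_for_any_service()
    subcommands["for-any-protocol"] = cmd_delegation_for_any_protocol()
    subcommands["add-service"] = cmd_delegation_add_service()
    subcommands["del-service"] = cmd_delegation_del_service()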