Fix SID Lookup Issues on Assorted Windows Modules (#28979)
* fix sid lookup issues and update copyright/license to latest format * simplify win_owner and win_share by removing unnecessary function
This commit is contained in:
parent
4af8c6852f
commit
8f050d3719
7 changed files with 52 additions and 332 deletions
|
@ -1,113 +1,43 @@
|
|||
#!powershell
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
|
||||
# Copyright 2015, Trond Hindenes
|
||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# WANT_JSON
|
||||
# POWERSHELL_COMMON
|
||||
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
#Requires -Module Ansible.ModuleUtils.Legacy.psm1
|
||||
#Requires -Module Ansible.ModuleUtils.SID.psm1
|
||||
|
||||
# win_acl module (File/Resources Permission Additions/Removal)
|
||||
|
||||
|
||||
|
||||
#Functions
|
||||
Function UserSearch
|
||||
{
|
||||
Param ([string]$accountName)
|
||||
#Check if there's a realm specified
|
||||
function Get-UserSID {
|
||||
param(
|
||||
[String]$AccountName
|
||||
)
|
||||
|
||||
$searchDomain = $false
|
||||
$searchDomainUPN = $false
|
||||
$SearchAppPools = $false
|
||||
if ($accountName.Split("\").count -gt 1)
|
||||
{
|
||||
if ($accountName.Split("\")[0] -eq $env:COMPUTERNAME)
|
||||
{
|
||||
$userSID = $null
|
||||
$searchAppPools = $false
|
||||
|
||||
}
|
||||
elseif ($accountName.Split("\")[0] -eq "IIS APPPOOL")
|
||||
{
|
||||
$SearchAppPools = $true
|
||||
$accountName = $accountName.split("\")[1]
|
||||
}
|
||||
else
|
||||
{
|
||||
$searchDomain = $true
|
||||
$accountName = $accountName.split("\")[1]
|
||||
if ($AccountName.Split("\").Count -gt 1) {
|
||||
if ($AccountName.Split("\")[0] -eq "IIS APPPOOL") {
|
||||
$searchAppPools = $true
|
||||
$AccountName = $AccountName.Split("\")[1]
|
||||
}
|
||||
}
|
||||
Elseif ($accountName.contains("@"))
|
||||
{
|
||||
$searchDomain = $true
|
||||
$searchDomainUPN = $true
|
||||
}
|
||||
Else
|
||||
{
|
||||
#Default to local user account
|
||||
$accountName = $env:COMPUTERNAME + "\" + $accountName
|
||||
}
|
||||
|
||||
if (($searchDomain -eq $false) -and ($SearchAppPools -eq $false))
|
||||
{
|
||||
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
|
||||
$localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName}
|
||||
if ($localaccount)
|
||||
{
|
||||
return $localaccount.SID
|
||||
if ($searchAppPools) {
|
||||
Import-Module -Name WebAdministration
|
||||
$testIISPath = Test-Path -Path "IIS:"
|
||||
if ($testIISPath) {
|
||||
$appPoolObj = Get-ItemProperty -Path "IIS:\AppPools\$AccountName"
|
||||
$userSID = $appPoolObj.applicationPoolSid
|
||||
}
|
||||
}
|
||||
Elseif ($SearchAppPools -eq $true)
|
||||
{
|
||||
Import-Module WebAdministration
|
||||
$testiispath = Test-path "IIS:"
|
||||
if ($testiispath -eq $false)
|
||||
{
|
||||
return $null
|
||||
}
|
||||
else
|
||||
{
|
||||
$apppoolobj = Get-ItemProperty IIS:\AppPools\$accountName
|
||||
return $apppoolobj.applicationPoolSid
|
||||
}
|
||||
else {
|
||||
$userSID = Convert-ToSID -account_name $AccountName
|
||||
}
|
||||
Else
|
||||
{
|
||||
#Search by samaccountname
|
||||
$Searcher = [adsisearcher]""
|
||||
|
||||
If ($searchDomainUPN -eq $false) {
|
||||
$Searcher.Filter = "sAMAccountName=$($accountName)"
|
||||
}
|
||||
Else {
|
||||
$Searcher.Filter = "userPrincipalName=$($accountName)"
|
||||
}
|
||||
|
||||
$result = $Searcher.FindOne()
|
||||
if ($result)
|
||||
{
|
||||
$user = $result.GetDirectoryEntry()
|
||||
|
||||
# get binary SID from AD account
|
||||
$binarySID = $user.ObjectSid.Value
|
||||
|
||||
# convert to string SID
|
||||
return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value
|
||||
}
|
||||
}
|
||||
return $userSID
|
||||
}
|
||||
|
||||
# Need to adjust token privs when executing Set-ACL in certain cases.
|
||||
|
@ -234,9 +164,8 @@ If (-Not (Test-Path -Path $path)) {
|
|||
}
|
||||
|
||||
# Test that the user/group is resolvable on the local machine
|
||||
$sid = UserSearch -AccountName ($user)
|
||||
if (!$sid)
|
||||
{
|
||||
$sid = Get-UserSID -AccountName $user
|
||||
if (!$sid) {
|
||||
Fail-Json $result "$user is not a valid user or group on the host machine or domain"
|
||||
}
|
||||
|
||||
|
@ -260,14 +189,14 @@ Try {
|
|||
|
||||
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]$inherit
|
||||
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]$propagation
|
||||
|
||||
|
||||
If ($type -eq "allow") {
|
||||
$objType =[System.Security.AccessControl.AccessControlType]::Allow
|
||||
}
|
||||
Else {
|
||||
$objType =[System.Security.AccessControl.AccessControlType]::Deny
|
||||
}
|
||||
|
||||
|
||||
$objUser = New-Object System.Security.Principal.SecurityIdentifier($sid)
|
||||
If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
|
||||
$objACE = New-Object System.Security.AccessControl.RegistryAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
|
||||
|
@ -276,7 +205,7 @@ Try {
|
|||
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
|
||||
}
|
||||
$objACL = Get-ACL $path
|
||||
|
||||
|
||||
# Check if the ACE exists already in the objects ACL list
|
||||
$match = $false
|
||||
|
||||
|
@ -300,7 +229,7 @@ Try {
|
|||
Break
|
||||
}
|
||||
} else {
|
||||
If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
|
||||
If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
|
||||
$match = $true
|
||||
Break
|
||||
}
|
||||
|
@ -335,11 +264,11 @@ Try {
|
|||
# A rule didn't exist that was trying to be removed
|
||||
Else {
|
||||
Exit-Json $result "the specified rule does not exist"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Catch {
|
||||
Fail-Json $result "an error occurred when attempting to $state $rights permission(s) on $path for $user - $($_.Exception.Message)"
|
||||
}
|
||||
|
||||
|
||||
Exit-Json $result
|
||||
|
|
|
@ -1,27 +1,8 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
|
||||
# Copyright 2015, Trond Hindenes
|
||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||
#
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# this is a windows documentation stub. actual code lives in the .ps1
|
||||
# file of the same name
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
|
|
|
@ -1,85 +1,9 @@
|
|||
#!powershell
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
# WANT_JSON
|
||||
# POWERSHELL_COMMON
|
||||
|
||||
#Functions
|
||||
Function UserSearch
|
||||
{
|
||||
Param ([string]$accountName)
|
||||
#Check if there's a realm specified
|
||||
|
||||
$searchDomain = $false
|
||||
$searchDomainUPN = $false
|
||||
if ($accountName.Split("\").count -gt 1)
|
||||
{
|
||||
if ($accountName.Split("\")[0] -ne $env:COMPUTERNAME)
|
||||
{
|
||||
$searchDomain = $true
|
||||
$accountName = $accountName.split("\")[1]
|
||||
}
|
||||
}
|
||||
Elseif ($accountName.contains("@"))
|
||||
{
|
||||
$searchDomain = $true
|
||||
$searchDomainUPN = $true
|
||||
}
|
||||
Else
|
||||
{
|
||||
#Default to local user account
|
||||
$accountName = $env:COMPUTERNAME + "\" + $accountName
|
||||
}
|
||||
|
||||
if ($searchDomain -eq $false)
|
||||
{
|
||||
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
|
||||
$localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName}
|
||||
if ($localaccount)
|
||||
{
|
||||
return $localaccount.SID
|
||||
}
|
||||
}
|
||||
Else
|
||||
{
|
||||
#Search by samaccountname
|
||||
$Searcher = [adsisearcher]""
|
||||
|
||||
If ($searchDomainUPN -eq $false) {
|
||||
$Searcher.Filter = "sAMAccountName=$($accountName)"
|
||||
}
|
||||
Else {
|
||||
$Searcher.Filter = "userPrincipalName=$($accountName)"
|
||||
}
|
||||
|
||||
$result = $Searcher.FindOne()
|
||||
if ($result)
|
||||
{
|
||||
$user = $result.GetDirectoryEntry()
|
||||
|
||||
# get binary SID from AD account
|
||||
$binarySID = $user.ObjectSid.Value
|
||||
|
||||
# convert to string SID
|
||||
return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value
|
||||
}
|
||||
}
|
||||
}
|
||||
#Requires -Module Ansible.ModuleUtils.Legacy.psm1
|
||||
#Requires -Module Ansible.ModuleUtils.SID.psm1
|
||||
|
||||
$result = @{
|
||||
changed = $false
|
||||
|
@ -97,9 +21,8 @@ If (-Not (Test-Path -Path $path)) {
|
|||
}
|
||||
|
||||
# Test that the user/group is resolvable on the local machine
|
||||
$sid = UserSearch -AccountName ($user)
|
||||
if (-not $sid)
|
||||
{
|
||||
$sid = Convert-ToSID -account_name $user
|
||||
if (!$sid) {
|
||||
Fail-Json $result "$user is not a valid user or group on the host machine or domain"
|
||||
}
|
||||
|
||||
|
|
|
@ -1,25 +1,6 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||
#
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# this is a windows documentation stub. actual code lives in the .ps1
|
||||
# file of the same name
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
|
|
|
@ -1,87 +1,12 @@
|
|||
#!powershell
|
||||
# This file is part of Ansible
|
||||
|
||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
# WANT_JSON
|
||||
# POWERSHELL_COMMON
|
||||
#Requires -Module Ansible.ModuleUtils.Legacy.psm1
|
||||
#Requires -Module Ansible.ModuleUtils.SID.psm1
|
||||
|
||||
#Functions
|
||||
Function UserSearch
|
||||
{
|
||||
Param ([string]$accountName)
|
||||
#Check if there's a realm specified
|
||||
|
||||
$searchDomain = $false
|
||||
$searchDomainUPN = $false
|
||||
if ($accountName.Split("\").count -gt 1)
|
||||
{
|
||||
if ($accountName.Split("\")[0] -ne $env:COMPUTERNAME)
|
||||
{
|
||||
$searchDomain = $true
|
||||
$accountName = $accountName.split("\")[1]
|
||||
}
|
||||
}
|
||||
Elseif ($accountName.contains("@"))
|
||||
{
|
||||
$searchDomain = $true
|
||||
$searchDomainUPN = $true
|
||||
}
|
||||
Else
|
||||
{
|
||||
#Default to local user account
|
||||
$accountName = $env:COMPUTERNAME + "\" + $accountName
|
||||
}
|
||||
|
||||
if ($searchDomain -eq $false)
|
||||
{
|
||||
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
|
||||
$localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName}
|
||||
if ($localaccount)
|
||||
{
|
||||
return $localaccount.SID
|
||||
}
|
||||
}
|
||||
Else
|
||||
{
|
||||
#Search by samaccountname
|
||||
$Searcher = [adsisearcher]""
|
||||
|
||||
If ($searchDomainUPN -eq $false) {
|
||||
$Searcher.Filter = "sAMAccountName=$($accountName)"
|
||||
}
|
||||
Else {
|
||||
$Searcher.Filter = "userPrincipalName=$($accountName)"
|
||||
}
|
||||
|
||||
$result = $Searcher.FindOne()
|
||||
if ($result)
|
||||
{
|
||||
$user = $result.GetDirectoryEntry()
|
||||
|
||||
# get binary SID from AD account
|
||||
$binarySID = $user.ObjectSid.Value
|
||||
|
||||
# convert to string SID
|
||||
return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value
|
||||
}
|
||||
}
|
||||
}
|
||||
Function NormalizeAccounts
|
||||
{
|
||||
Function NormalizeAccounts {
|
||||
param(
|
||||
[parameter(valuefrompipeline=$true)]
|
||||
$users
|
||||
|
@ -89,17 +14,17 @@ Function NormalizeAccounts
|
|||
|
||||
$users = $users.Trim()
|
||||
If ($users -eq "") {
|
||||
$splittedUsers = [Collections.Generic.List[String]] @()
|
||||
$splitUsers = [Collections.Generic.List[String]] @()
|
||||
}
|
||||
Else {
|
||||
$splittedUsers = [Collections.Generic.List[String]] $users.Split(",")
|
||||
$splitUsers = [Collections.Generic.List[String]] $users.Split(",")
|
||||
}
|
||||
|
||||
$normalizedUsers = [Collections.Generic.List[String]] @()
|
||||
ForEach($splittedUser in $splittedUsers) {
|
||||
$sid = UserSearch $splittedUser
|
||||
If (!$sid) {
|
||||
Fail-Json $result "$splittedUser is not a valid user or group on the host machine or domain"
|
||||
ForEach($splitUser in $splitUsers) {
|
||||
$sid = Convert-ToSID -account_name $splitUser
|
||||
if (!$sid) {
|
||||
Fail-Json $result "$splitUser is not a valid user or group on the host machine or domain"
|
||||
}
|
||||
|
||||
$normalizedUser = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount])
|
||||
|
|
|
@ -1,25 +1,6 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||
#
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# this is a windows documentation stub. actual code lives in the .ps1
|
||||
# file of the same name
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
|
|
|
@ -45,7 +45,7 @@
|
|||
path: "{{test_win_owner_path}}"
|
||||
user: invalid-user
|
||||
register: invalid_user
|
||||
failed_when: invalid_user.msg != 'invalid-user is not a valid user or group on the host machine or domain'
|
||||
failed_when: invalid_user.msg is not search("account_name invalid-user is not a valid account, cannot get SID.*")
|
||||
|
||||
- name: set owner defaults check
|
||||
win_owner:
|
||||
|
|
Loading…
Reference in a new issue