gpupdate: Use winbind separator in PAM Access Policies

Signed-off-by: David Mulder <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>

Autobuild-User(master): Jeremy Allison <[email protected]>
Autobuild-Date(master): Mon Mar 20 20:20:41 UTC 2023 on atb-devel-224

python/samba/gp/vgp_access_ext.py

@@ -82,6 +82,7 @@ def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
                 deny_conf = self.parse(path)
                 entries = []
                 policy_files = []
+                winbind_sep = self.lp.get('winbind separator')
                 if allow_conf:
                     policy = allow_conf.find('policysetting')
                     data = policy.find('data')
@@ -90,7 +91,9 @@ def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
                         adobject = listelement.find('adobject')
                         name = adobject.find('name').text
                         domain = adobject.find('domain').text
-                        entries.append('+:%s\\%s:ALL' % (domain, name))
+                        entries.append('+:%s%s%s:ALL' % (domain,
+                                                         winbind_sep,
+                                                         name))
                     if len(allow_listelements) > 0:
                         log.info('Adding an implicit deny ALL because an allow'
                                  ' entry is present')
@@ -102,7 +105,9 @@ def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
                         adobject = listelement.find('adobject')
                         name = adobject.find('name').text
                         domain = adobject.find('domain').text
-                        entries.append('-:%s\\%s:ALL' % (domain, name))
+                        entries.append('-:%s%s%s:ALL' % (domain,
+                                                         winbind_sep,
+                                                         name))
                         if len(allow_listelements) > 0:
                             log.warn("Deny entry '%s' is meaningless with "
                                      "allow present" % entries[-1])
@@ -143,6 +148,7 @@ def rsop(self, gpo):
             path = os.path.join(gpo.file_sys_path, deny)
             deny_conf = self.parse(path)
             entries = []
+            winbind_sep = self.lp.get('winbind separator')
             if allow_conf:
                 policy = allow_conf.find('policysetting')
                 data = policy.find('data')
@@ -153,7 +159,9 @@ def rsop(self, gpo):
                     domain = adobject.find('domain').text
                     if str(self) not in output.keys():
                         output[str(self)] = []
-                    output[str(self)].append('+:%s\\%s:ALL' % (name, domain))
+                    output[str(self)].append('+:%s%s%s:ALL' % (name,
+                                                               winbind_sep,
+                                                               domain))
                 if len(allow_listelements) > 0:
                     output[str(self)].append('-:ALL:ALL')
             if deny_conf:
@@ -165,5 +173,7 @@ def rsop(self, gpo):
                     domain = adobject.find('domain').text
                     if str(self) not in output.keys():
                         output[str(self)] = []
-                    output[str(self)].append('-:%s\\%s:ALL' % (name, domain))
+                    output[str(self)].append('-:%s%s%s:ALL' % (name,
+                                                               winbind_sep,
+                                                               domain))
         return output