-rw-r--r-- | python/samba/upgradehelpers.py | 19 | ||||
-rw-r--r-- | source4/scripting/devel/chgkrbtgtpass | 63 |
2 files changed, 82 insertions, 0 deletions
diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py index ed63c25268..3b664fe051 100644 --- a/python/samba/upgradehelpers.py +++ b/python/samba/upgradehelpers.py @@ -637,6 +637,25 @@ def update_dns_account_password(samdb, secrets_ldb, names): secrets_ldb.modify(msg) +def update_krbtgt_account_password(samdb, names): + """Update (change) the password of the krbtgt account + + :param samdb: An LDB object related to the sam.ldb file of a given provision + :param names: List of key provision parameters""" + + expression = "samAccountName=krbtgt" + res = samdb.search(expression=expression, attrs=[]) + assert(len(res) == 1) + + msg = ldb.Message(res[0].dn) + machinepass = samba.generate_random_password(128, 255) + mputf16 = machinepass.encode('utf-16-le') + msg["clearTextPassword"] = ldb.MessageElement(mputf16, + ldb.FLAG_MOD_REPLACE, + "clearTextPassword") + + samdb.modify(msg) + def search_constructed_attrs_stored(samdb, rootdn, attrs): """Search a given sam DB for calculated attributes that are still stored in the db. diff --git a/source4/scripting/devel/chgkrbtgtpass b/source4/scripting/devel/chgkrbtgtpass new file mode 100644 index 0000000000..7e4f9fb791 --- /dev/null +++ b/source4/scripting/devel/chgkrbtgtpass 
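Review bot: `assert(len(res) == 1)` in `update_krbtgt_account_password` is the only guard before the krbtgt secret is replaced, and it disappears when Python runs with `-O`; when it does fire it raises a bare AssertionError that tells the operator nothing. An explicit check such as `if len(res) != 1: raise Exception("expected exactly one krbtgt account, found %d" % len(res))` keeps the guard unconditional. The `names` parameter is documented but never read in the body, so the docstring should say it is unused. The docstring could also state that the new value is a random 128 to 255 character password written as UTF-16-LE `clearTextPassword`, and whether one change is enough for the caller's purpose, since this hunk does not show whether the KDC still accepts the previous krbtgt key after a single rotation.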
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+#
+# Copyright (C) Matthieu Patou <mat@matws.net> 2010
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2015
+#
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+__docformat__ = "restructuredText"
+
+
+import optparse
+import sys
+# Allow to run from s4 source directory (without installing samba)
+sys.path.insert(0, "bin/python")
+
+import samba.getopt as options
+from samba.credentials import DONT_USE_KERBEROS
+from samba.auth import system_session
+from samba import param
+from samba.provision import find_provision_key_parameters
+from samba.upgradehelpers import (get_paths,
+ get_ldbs,
+ update_krbtgt_account_password)
+
+parser = optparse.OptionParser("chgkrbtgtpass [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+
+opts = parser.parse_args()[0]
+
+lp = sambaopts.get_loadparm()
+smbconf = lp.configfile
+creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
+
+paths = get_paths(param, smbconf=smbconf)
+session = system_session()
+
+ldbs = get_ldbs(paths, creds, session, lp)
+ldbs.startTransactions()
+
+names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
+ paths, smbconf, lp)
+
+update_krbtgt_account_password(ldbs.sam, names)
+ldbs.groupedCommit() |
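Review bot: Nothing between `ldbs.startTransactions()` and `ldbs.groupedCommit()` handles failure, so an exception from `find_provision_key_parameters` or `update_krbtgt_account_password` ends the script with the transactions still open and only a traceback for the operator. Wrapping the two calls so that the transactions are rolled back explicitly and the error re-raised makes the failure path deliberate. The return value of `ldbs.groupedCommit()` is also discarded; if that method signals a failed commit by its result (not visible in this hunk), the script would exit 0 without having changed the krbtgt secret. A line printed on success would give operators a record of when the key was rotated. `opts` is assigned but never used.

```python
ldbs.startTransactions()
try:
    names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
                                          paths, smbconf, lp)
    update_krbtgt_account_password(ldbs.sam, names)
except Exception:
    # Leave no half-open transaction behind on any of the opened databases.
    ldbs.groupedRollback()
    raise
ldbs.groupedCommit()
```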