From b0360e3a8617c59661d0b0fd805666e6cefcd811 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 17 Dec 2007 08:20:20 +0100 Subject: r26496: Move some provision functions to a new SamDB class, support setting session_info on a ldb context from python. (This used to be commit 75cfb0d609687538048a7d72a499a5205af46a34) --- source4/scripting/python/samba/samdb.py | 117 ++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 source4/scripting/python/samba/samdb.py (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py new file mode 100644 index 0000000000..50164bf590 --- /dev/null +++ b/source4/scripting/python/samba/samdb.py @@ -0,0 +1,117 @@ +#!/usr/bin/python + +# Unix SMB/CIFS implementation. +# Copyright (C) Jelmer Vernooij 2007 +# +# Based on the original in EJS: +# Copyright (C) Andrew Tridgell 2005 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import samba + +class SamDB(samba.Ldb): + def add_foreign(self, domaindn, sid, desc): + """Add a foreign security principle.""" + add = """ +dn: CN=%s,CN=ForeignSecurityPrincipals,%s +objectClass: top +objectClass: foreignSecurityPrincipal +description: %s + """ % (sid, domaindn, desc) + # deliberately ignore errors from this, as the records may + # already exist + for msg in self.parse_ldif(add): + self.add(msg[1]) + + def setup_name_mapping(self, domaindn, sid, unixname): + """Setup a mapping between a sam name and a unix name.""" + res = self.search(Dn(ldb, domaindn), SCOPE_SUBTREE, + "objectSid=%s" % sid, ["dn"]) + assert len(res) == 1, "Failed to find record for objectSid %s" % sid + + mod = """ +dn: %s +changetype: modify +replace: unixName +unixName: %s +""" % (res[0].dn, unixname) + self.modify(self.parse_ldif(mod).next()[1]) + + def enable_account(self, user_dn): + """enable the account. + + :param user_dn: Dn of the account to enable. + """ + res = self.search(user_dn, SCOPE_ONELEVEL, None, ["userAccountControl"]) + assert len(res) == 1 + userAccountControl = res[0].userAccountControl + userAccountControl = userAccountControl - 2 # remove disabled bit + mod = """ +dn: %s +changetype: modify +replace: userAccountControl +userAccountControl: %u +""" % (user_dn, userAccountControl) + self.modify(mod) + + def newuser(self, username, unixname, password, message): + """add a new user record""" + # connect to the sam + self.transaction_start() + + # find the DNs for the domain and the domain users group + res = self.search("", SCOPE_BASE, "defaultNamingContext=*", + ["defaultNamingContext"]) + assert(len(res) == 1 and res[0].defaultNamingContext is not None) + domain_dn = res[0].defaultNamingContext + assert(domain_dn is not None) + dom_users = searchone(self, domain_dn, "name=Domain Users", "dn") + assert(dom_users is not None) + + user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn) + + # + # the new user record. note the reliance on the samdb module to fill + # in a sid, guid etc + # + ldif = """ +dn: %s +sAMAccountName: %s +unixName: %s +sambaPassword: %s +objectClass: user + """ % (user_dn, username, unixname, password) + # add the user to the users group as well + modgroup = """ +dn: %s +changetype: modify +add: member +member: %s +""" % (dom_users, user_dn) + + + # now the real work + message("Adding user %s" % user_dn) + self.add(ldif) + + message("Modifying group %s" % dom_users) + self.modify(modgroup) + + # modify the userAccountControl to remove the disabled bit + enable_account(self, user_dn) + self.transaction_commit() + + -- cgit From f89c7a6e5eb082794d64b487e69fc442d138ca28 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 17 Dec 2007 12:07:51 +0100 Subject: r26505: Add python bindings for some samdb-related functions, improve provisioning in python. (This used to be commit d2402251666738c0372bbbaeaa1d26c06e254033) --- source4/scripting/python/samba/samdb.py | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 50164bf590..73426121a6 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -21,6 +21,7 @@ # import samba +import misc class SamDB(samba.Ldb): def add_foreign(self, domaindn, sid, desc): @@ -114,4 +115,8 @@ member: %s enable_account(self, user_dn) self.transaction_commit() + def set_domain_sid(self, sid): + misc.samdb_set_domain_sid(self, sid) + def attach_schema_from_ldif(self, pf, df): + misc.dsdb_attach_schema_from_ldif_file(self, pf, df) -- cgit From 63f53094efa29b76eb4136cddf19d9c5d325fc5f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 18 Dec 2007 02:21:14 +0100 Subject: r26520: More Python updates. (This used to be commit a8b1fe15ac853082961132ede061fe1556ae29f7) --- source4/scripting/python/samba/samdb.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 73426121a6..ce06efa3de 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -22,8 +22,14 @@ import samba import misc +import ldb class SamDB(samba.Ldb): + def __init__(self, *args, **kwargs): + super(SamDB, self).__init__(*args, **kwargs) + misc.dsdb_set_global_schema(self) + misc.ldb_register_samba_handlers(self) + def add_foreign(self, domaindn, sid, desc): """Add a foreign security principle.""" add = """ @@ -39,7 +45,7 @@ description: %s def setup_name_mapping(self, domaindn, sid, unixname): """Setup a mapping between a sam name and a unix name.""" - res = self.search(Dn(ldb, domaindn), SCOPE_SUBTREE, + res = self.search(ldb.Dn(self, domaindn), ldb.SCOPE_SUBTREE, "objectSid=%s" % sid, ["dn"]) assert len(res) == 1, "Failed to find record for objectSid %s" % sid -- cgit From 54a48d40a10c813954e4b777377607bb8366a57e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 18 Dec 2007 02:21:28 +0100 Subject: r26522: Fix warnings on SamDB connect from Python, simplify the setup code for the various LDBs. (This used to be commit 20c686f501b652ec0578a075a124b72ecb5f41b6) --- source4/scripting/python/samba/samdb.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index ce06efa3de..e3f001deb1 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -25,10 +25,14 @@ import misc import ldb class SamDB(samba.Ldb): - def __init__(self, *args, **kwargs): - super(SamDB, self).__init__(*args, **kwargs) + def __init__(self, url=None, session_info=None, credentials=None, + modules_dir=None, lp=None): + super(SamDB, self).__init__(session_info=session_info, credentials=credentials, + modules_dir=modules_dir, lp=lp) misc.dsdb_set_global_schema(self) misc.ldb_register_samba_handlers(self) + if url: + self.connect(url) def add_foreign(self, domaindn, sid, desc): """Add a foreign security principle.""" -- cgit From 1c29a63d443fde3fc0253f634822c12749f1afad Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 18 Dec 2007 17:21:13 +0100 Subject: r26523: Refactor provisioning code. (This used to be commit ac1083178f9e521dcd5d3d8b5199abcb00159adf) --- source4/scripting/python/samba/samdb.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index e3f001deb1..7061e22ce4 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -89,7 +89,7 @@ userAccountControl: %u assert(len(res) == 1 and res[0].defaultNamingContext is not None) domain_dn = res[0].defaultNamingContext assert(domain_dn is not None) - dom_users = searchone(self, domain_dn, "name=Domain Users", "dn") + dom_users = self.searchone(domain_dn, "dn", "name=Domain Users") assert(dom_users is not None) user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn) -- cgit From c2fffa8335ac68ff70de52f9fc80fb49e5d6d686 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 19 Dec 2007 23:27:38 +0100 Subject: r26538: Pass path generation function around rather than base directory. (This used to be commit 5f921af41e4dcd6844f6a662d56bd27c4e76ff88) --- source4/scripting/python/samba/samdb.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 7061e22ce4..84b604dbc4 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -29,8 +29,8 @@ class SamDB(samba.Ldb): modules_dir=None, lp=None): super(SamDB, self).__init__(session_info=session_info, credentials=credentials, modules_dir=modules_dir, lp=lp) - misc.dsdb_set_global_schema(self) - misc.ldb_register_samba_handlers(self) + assert misc.dsdb_set_global_schema(self) == 0 + assert misc.ldb_register_samba_handlers(self) == 0 if url: self.connect(url) -- cgit From 109a903750e6bec865e402f02c5c457250594e55 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 20 Dec 2007 15:53:56 +0100 Subject: r26545: Sync output with ejs. (This used to be commit 48ceaa964327ed7094275780cc3c0767636bcb18) --- source4/scripting/python/samba/samdb.py | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 84b604dbc4..46707f060f 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -30,7 +30,6 @@ class SamDB(samba.Ldb): super(SamDB, self).__init__(session_info=session_info, credentials=credentials, modules_dir=modules_dir, lp=lp) assert misc.dsdb_set_global_schema(self) == 0 - assert misc.ldb_register_samba_handlers(self) == 0 if url: self.connect(url) -- cgit From 6817c5d885a75a1af0e646827c3fa8220df8c7a5 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 29 Dec 2007 18:14:15 -0600 Subject: r26628: python: Add more documentation, simplify code in Samba3 module. (This used to be commit 3c329ee73d9979236313c37e51750ec06b8dd69e) --- source4/scripting/python/samba/samdb.py | 50 ++++++++++++++++++++++----------- 1 file changed, 33 insertions(+), 17 deletions(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 46707f060f..2af56d8d8e 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -20,13 +20,20 @@ # along with this program. If not, see . # +"""Convenience functions for using the SAM.""" + import samba import misc import ldb class SamDB(samba.Ldb): + """The SAM database.""" def __init__(self, url=None, session_info=None, credentials=None, modules_dir=None, lp=None): + """Open the Sam Database. + + :param url: URL of the database. + """ super(SamDB, self).__init__(session_info=session_info, credentials=credentials, modules_dir=modules_dir, lp=lp) assert misc.dsdb_set_global_schema(self) == 0 @@ -47,7 +54,12 @@ description: %s self.add(msg[1]) def setup_name_mapping(self, domaindn, sid, unixname): - """Setup a mapping between a sam name and a unix name.""" + """Setup a mapping between a sam name and a unix name. + + :param domaindn: DN of the domain. + :param sid: SID of the NT-side of the mapping. + :param unixname: Unix name to map to. + """ res = self.search(ldb.Dn(self, domaindn), ldb.SCOPE_SUBTREE, "objectSid=%s" % sid, ["dn"]) assert len(res) == 1, "Failed to find record for objectSid %s" % sid @@ -61,7 +73,7 @@ unixName: %s self.modify(self.parse_ldif(mod).next()[1]) def enable_account(self, user_dn): - """enable the account. + """Enable an account. :param user_dn: Dn of the account to enable. """ @@ -75,10 +87,15 @@ changetype: modify replace: userAccountControl userAccountControl: %u """ % (user_dn, userAccountControl) - self.modify(mod) + self.modify_ldif(mod) - def newuser(self, username, unixname, password, message): - """add a new user record""" + def newuser(self, username, unixname, password): + """add a new user record. + + :param username: Name of the new user. + :param unixname: Name of the unix user to map to. + :param password: Password for the new user + """ # connect to the sam self.transaction_start() @@ -97,13 +114,13 @@ userAccountControl: %u # the new user record. note the reliance on the samdb module to fill # in a sid, guid etc # - ldif = """ -dn: %s -sAMAccountName: %s -unixName: %s -sambaPassword: %s -objectClass: user - """ % (user_dn, username, unixname, password) + # now the real work + self.add({"dn": user_dn, + "sAMAccountName": username, + "unixName": unixname, + "sambaPassword": password, + "objectClass": "user"}) + # add the user to the users group as well modgroup = """ dn: %s @@ -113,11 +130,6 @@ member: %s """ % (dom_users, user_dn) - # now the real work - message("Adding user %s" % user_dn) - self.add(ldif) - - message("Modifying group %s" % dom_users) self.modify(modgroup) # modify the userAccountControl to remove the disabled bit @@ -125,6 +137,10 @@ member: %s self.transaction_commit() def set_domain_sid(self, sid): + """Change the domain SID used by this SamDB. + + :param sid: The new domain sid to use. + """ misc.samdb_set_domain_sid(self, sid) def attach_schema_from_ldif(self, pf, df): -- cgit From 7c3e8c838f0ada9ebae9dbb2bc5d84320c8431f2 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 11 Jan 2008 16:13:46 +0100 Subject: Python: Simplify code in a couple of places. Copy Andrew's changes from g53b5166. (This used to be commit f056f624958af79204c972eba3f85e36e93daed7) --- source4/scripting/python/samba/samdb.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 2af56d8d8e..353eaee198 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -60,7 +60,7 @@ description: %s :param sid: SID of the NT-side of the mapping. :param unixname: Unix name to map to. """ - res = self.search(ldb.Dn(self, domaindn), ldb.SCOPE_SUBTREE, + res = self.search(domaindn, ldb.SCOPE_SUBTREE, "objectSid=%s" % sid, ["dn"]) assert len(res) == 1, "Failed to find record for objectSid %s" % sid @@ -103,7 +103,7 @@ userAccountControl: %u res = self.search("", SCOPE_BASE, "defaultNamingContext=*", ["defaultNamingContext"]) assert(len(res) == 1 and res[0].defaultNamingContext is not None) - domain_dn = res[0].defaultNamingContext + domain_dn = res[0]["defaultNamingContext"][0] assert(domain_dn is not None) dom_users = self.searchone(domain_dn, "dn", "name=Domain Users") assert(dom_users is not None) -- cgit From 859b847a68cf10526b9f356ebcb328e7334a8cb1 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 24 Jan 2008 22:08:39 +0100 Subject: python: Add bindings for SamDB.set_invocation_id(). (This used to be commit c09efa7b778f9cb29032a6abfd914fcaae8df163) --- source4/scripting/python/samba/samdb.py | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 353eaee198..e92a4bbb90 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -145,3 +145,10 @@ member: %s def attach_schema_from_ldif(self, pf, df): misc.dsdb_attach_schema_from_ldif_file(self, pf, df) + + def set_invocation_id(self, invocation_id): + """Set the invocation id for this SamDB handle. + + :param invocation_id: GUID of the invocation id. + """ + misc.samdb_set_ntds_invocation_id(self, invocation_id) \ No newline at end of file -- cgit From 37f35d2a03409e0d52232d4c4f956ec8637d4884 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 25 Jan 2008 01:02:13 +0100 Subject: python/provision: Reconcile code partitions-only provisioning and generic provisioning, some other minor refactoring of the provisioning. Pair-programmed by Andrew and me using obby :-) (This used to be commit 688adcbb635af87fcfedb869b7f1857a947fd2f9) --- source4/scripting/python/samba/samdb.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index e92a4bbb90..b757330ecb 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -1,10 +1,10 @@ #!/usr/bin/python # Unix SMB/CIFS implementation. -# Copyright (C) Jelmer Vernooij 2007 +# Copyright (C) Jelmer Vernooij 2007-2008 # # Based on the original in EJS: -# Copyright (C) Andrew Tridgell 2005 +# Copyright (C) Andrew Tridgell 2005 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -151,4 +151,4 @@ member: %s :param invocation_id: GUID of the invocation id. """ - misc.samdb_set_ntds_invocation_id(self, invocation_id) \ No newline at end of file + misc.dsdb_set_ntds_invocation_id(self, invocation_id) -- cgit From dcb04065cda7fc7f23c494ec138af6b882651f20 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 25 Jan 2008 03:54:33 +0100 Subject: python: Fix representation of UUIDs as strings in zone files rather than binary blobs, fix escaping of LDAP URL's in PHP LDAP admin configuration. Pair-programmed with Andrew, but git doesn't appear to support multiple --author arguments. :-( (This used to be commit dff54ff043563f93b86361039c46e662045f62cc) --- source4/scripting/python/samba/samdb.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index b757330ecb..c11fabf553 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -105,7 +105,7 @@ userAccountControl: %u assert(len(res) == 1 and res[0].defaultNamingContext is not None) domain_dn = res[0]["defaultNamingContext"][0] assert(domain_dn is not None) - dom_users = self.searchone(domain_dn, "dn", "name=Domain Users") + dom_users = self.searchone(basedn=domain_dn, attribute="dn", expression="name=Domain Users") assert(dom_users is not None) user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn) -- cgit From b4ce9dc3609aafd6df17bd3b57c0da63fdaba4b1 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 13 Feb 2008 01:21:06 +0100 Subject: Fix invalid symbol. (This used to be commit bd0ef811c4e6419ba05076fbc151827cea5d1ca1) --- source4/scripting/python/samba/samdb.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index c11fabf553..3c6bb23c02 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -100,12 +100,14 @@ userAccountControl: %u self.transaction_start() # find the DNs for the domain and the domain users group - res = self.search("", SCOPE_BASE, "defaultNamingContext=*", - ["defaultNamingContext"]) + res = self.search("", scope=ldb.SCOPE_BASE, + expression="(defaultNamingContext=*)", + attrs=["defaultNamingContext"]) assert(len(res) == 1 and res[0].defaultNamingContext is not None) domain_dn = res[0]["defaultNamingContext"][0] assert(domain_dn is not None) - dom_users = self.searchone(basedn=domain_dn, attribute="dn", expression="name=Domain Users") + dom_users = self.searchone(basedn=domain_dn, attribute="dn", + expression="name=Domain Users") assert(dom_users is not None) user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn) -- cgit From 786deaf9288c77b40892d6639113e580a7be6904 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 28 Mar 2008 12:08:54 +1100 Subject: Make the setup/newuser and setup/setpassword scripts actually work... These need a testsuite, but this will come soon. Andrew Bartlett (This used to be commit fbcaa622bd1929399e32326349e96b6676a49b96) --- source4/scripting/python/samba/samdb.py | 58 ++++++++++++++++++++++++--------- 1 file changed, 42 insertions(+), 16 deletions(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 3c6bb23c02..de0fd4ba04 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -77,10 +77,15 @@ unixName: %s :param user_dn: Dn of the account to enable. """ - res = self.search(user_dn, SCOPE_ONELEVEL, None, ["userAccountControl"]) + res = self.search(user_dn, ldb.SCOPE_BASE, None, ["userAccountControl"]) assert len(res) == 1 - userAccountControl = res[0].userAccountControl - userAccountControl = userAccountControl - 2 # remove disabled bit + userAccountControl = res[0]["userAccountControl"][0] + userAccountControl = int(userAccountControl) + if (userAccountControl & 0x2): + userAccountControl = userAccountControl & ~0x2 # remove disabled bit + if (userAccountControl & 0x20): + userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit + mod = """ dn: %s changetype: modify @@ -103,13 +108,9 @@ userAccountControl: %u res = self.search("", scope=ldb.SCOPE_BASE, expression="(defaultNamingContext=*)", attrs=["defaultNamingContext"]) - assert(len(res) == 1 and res[0].defaultNamingContext is not None) + assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None) domain_dn = res[0]["defaultNamingContext"][0] assert(domain_dn is not None) - dom_users = self.searchone(basedn=domain_dn, attribute="dn", - expression="name=Domain Users") - assert(dom_users is not None) - user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn) # @@ -123,19 +124,44 @@ userAccountControl: %u "sambaPassword": password, "objectClass": "user"}) - # add the user to the users group as well - modgroup = """ + # modify the userAccountControl to remove the disabled bit + self.enable_account(user_dn) + self.transaction_commit() + + def setpassword(self, filter, password): + """Set a password on a user record + + :param filter: LDAP filter to find the user (eg samccountname=name) + :param password: Password for the user + """ + # connect to the sam + self.transaction_start() + + # find the DNs for the domain + res = self.search("", scope=ldb.SCOPE_BASE, + expression="(defaultNamingContext=*)", + attrs=["defaultNamingContext"]) + assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None) + domain_dn = res[0]["defaultNamingContext"][0] + assert(domain_dn is not None) + + res = self.search(domain_dn, scope=ldb.SCOPE_SUBTREE, + expression=filter, + attrs=[]) + assert(len(res) == 1) + user_dn = res[0].dn + + setpw = """ dn: %s changetype: modify -add: member -member: %s -""" % (dom_users, user_dn) - +replace: sambaPassword +sambaPassword: %s +""" % (user_dn, password) - self.modify(modgroup) + self.modify_ldif(setpw) # modify the userAccountControl to remove the disabled bit - enable_account(self, user_dn) + self.enable_account(user_dn) self.transaction_commit() def set_domain_sid(self, sid): -- cgit From 8ac91d913231ecd7ead595b93032c7486f67c949 Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Tue, 1 Apr 2008 00:17:00 +0200 Subject: provision: Set up id mappings in the idmap db, only map Administrator. (This used to be commit 206b7d387c6d17e5cc40fd45b489abac9235a7a4) --- source4/scripting/python/samba/samdb.py | 19 ------------------- 1 file changed, 19 deletions(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index de0fd4ba04..bc3eef7879 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -53,25 +53,6 @@ description: %s for msg in self.parse_ldif(add): self.add(msg[1]) - def setup_name_mapping(self, domaindn, sid, unixname): - """Setup a mapping between a sam name and a unix name. - - :param domaindn: DN of the domain. - :param sid: SID of the NT-side of the mapping. - :param unixname: Unix name to map to. - """ - res = self.search(domaindn, ldb.SCOPE_SUBTREE, - "objectSid=%s" % sid, ["dn"]) - assert len(res) == 1, "Failed to find record for objectSid %s" % sid - - mod = """ -dn: %s -changetype: modify -replace: unixName -unixName: %s -""" % (res[0].dn, unixname) - self.modify(self.parse_ldif(mod).next()[1]) - def enable_account(self, user_dn): """Enable an account. -- cgit From 5a37b3fc5d42beffaf4bdca70b1f0c5f80f92280 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 14 Apr 2008 11:51:02 +0200 Subject: Fix newuser and setpassword scripts, and port to idmap. The new idmap world does not use the unixUser any more, so we need to set up the entry (if wanted) in the idmap database. Users without a backing unix user will get an allocated uid by idmap later. Andrew Bartlett (This used to be commit 8bd8bc1475ddf22d4702dcd17028a9043a5e629f) --- source4/scripting/python/samba/samdb.py | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index bc3eef7879..198d1e9f5c 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -25,20 +25,29 @@ import samba import misc import ldb +from samba.idmap import IDmapDB +import pwd class SamDB(samba.Ldb): """The SAM database.""" + def __init__(self, url=None, session_info=None, credentials=None, modules_dir=None, lp=None): """Open the Sam Database. :param url: URL of the database. """ + self.lp = lp super(SamDB, self).__init__(session_info=session_info, credentials=credentials, modules_dir=modules_dir, lp=lp) assert misc.dsdb_set_global_schema(self) == 0 if url: self.connect(url) + else: + self.connect(lp.get("sam database")) + + def connect(self, url): + super(SamDB, self).connect(misc.private_path(self.lp, url)) def add_foreign(self, domaindn, sid, desc): """Add a foreign security principle.""" @@ -101,10 +110,27 @@ userAccountControl: %u # now the real work self.add({"dn": user_dn, "sAMAccountName": username, - "unixName": unixname, "sambaPassword": password, "objectClass": "user"}) + res = self.search(user_dn, scope=ldb.SCOPE_BASE, + expression="objectclass=*", + attrs=["objectSid"]) + assert(len(res) == 1) + user_sid = self.schema_format_value("objectSid", res[0]["objectSid"][0]) + + + try: + idmap = IDmapDB(lp=self.lp) + + user = pwd.getpwnam(unixname) + # setup ID mapping for this UID + + idmap.setup_name_mapping(user_sid, idmap.TYPE_UID, user[2]) + + except KeyError: + pass + # modify the userAccountControl to remove the disabled bit self.enable_account(user_dn) self.transaction_commit() -- cgit From c401aa93573460f10256218a6a1902839b17b884 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 22 May 2008 17:42:18 +0200 Subject: Use restructuredText formatting for docstrings. (This used to be commit 0cc58decd74d20f3d7dff93ddef1c8bce4d49ad0) --- source4/scripting/python/samba/samdb.py | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 198d1e9f5c..6465f49519 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -28,6 +28,8 @@ import ldb from samba.idmap import IDmapDB import pwd +__docformat__ = "restructuredText" + class SamDB(samba.Ldb): """The SAM database.""" -- cgit From 44ea6a26fd088f0f8c86817510ebe5a6cddf9158 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 12 Jul 2008 15:26:42 +1000 Subject: rename sambaPassword -> userPassword. This attribute is used in a very similar way (virtual attribute updating the password) in AD on Win2003, so eliminate the difference. This should not cause a problem for on-disk passwords, as by default we do not store the plaintext at all. Andrew Bartlett (This used to be commit 1cf0d751493b709ef6b2234ec8847a7499f48ab3) --- source4/scripting/python/samba/samdb.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 6465f49519..c47cf4a0dc 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -112,7 +112,7 @@ userAccountControl: %u # now the real work self.add({"dn": user_dn, "sAMAccountName": username, - "sambaPassword": password, + "userPassword": password, "objectClass": "user"}) res = self.search(user_dn, scope=ldb.SCOPE_BASE, @@ -163,8 +163,8 @@ userAccountControl: %u setpw = """ dn: %s changetype: modify -replace: sambaPassword -sambaPassword: %s +replace: userPassword +userPassword: %s """ % (user_dn, password) self.modify_ldif(setpw) -- cgit From fff006bd84fc3fd1d9fdd22e3c20110285b2c144 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 1 Aug 2008 20:47:22 +0200 Subject: Move domain DN determination out of newuser function. (This used to be commit cbac27e6faa99ebaa3e6d653017c968db836560a) --- source4/scripting/python/samba/samdb.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index c47cf4a0dc..c7d93d6aff 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -86,6 +86,14 @@ userAccountControl: %u """ % (user_dn, userAccountControl) self.modify_ldif(mod) + def domain_dn(self): + # find the DNs for the domain and the domain users group + res = self.search("", scope=ldb.SCOPE_BASE, + expression="(defaultNamingContext=*)", + attrs=["defaultNamingContext"]) + assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None) + return res[0]["defaultNamingContext"][0] + def newuser(self, username, unixname, password): """add a new user record. @@ -96,12 +104,7 @@ userAccountControl: %u # connect to the sam self.transaction_start() - # find the DNs for the domain and the domain users group - res = self.search("", scope=ldb.SCOPE_BASE, - expression="(defaultNamingContext=*)", - attrs=["defaultNamingContext"]) - assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None) - domain_dn = res[0]["defaultNamingContext"][0] + domain_dn = self.domain_dn() assert(domain_dn is not None) user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn) -- cgit From 9817f3d785ceb67819a9def0e8030272e4ba9e14 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 30 Aug 2008 07:32:44 +1000 Subject: Add a setexpiry operation in samdb.py This makes it easy to set the expiry (or no expiry) for a samdb user (This used to be commit 25171f18a4b242b5a731f4ac1eefc51cc82efd74) --- source4/scripting/python/samba/samdb.py | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'source4/scripting/python/samba/samdb.py') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index c7d93d6aff..4a64c2f76d 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -27,6 +27,7 @@ import misc import ldb from samba.idmap import IDmapDB import pwd +import time __docformat__ = "restructuredText" @@ -192,3 +193,35 @@ userPassword: %s :param invocation_id: GUID of the invocation id. """ misc.dsdb_set_ntds_invocation_id(self, invocation_id) + + def setexpiry(self, user, expiry_seconds, noexpiry): + """Set the password expiry for a user + + :param expiry_seconds: expiry time from now in seconds + :param noexpiry: if set, then don't expire password + """ + self.transaction_start(); + res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE, + expression=("(samAccountName=%s)" % user), + attrs=["userAccountControl", "accountExpires"]) + assert len(res) == 1 + userAccountControl = int(res[0]["userAccountControl"][0]) + accountExpires = int(res[0]["accountExpires"][0]) + if noexpiry: + userAccountControl = userAccountControl | 0x10000 + accountExpires = 0 + else: + userAccountControl = userAccountControl & ~0x10000 + accountExpires = misc.unix2nttime(expiry_seconds + int(time.time())) + + mod = """ +dn: %s +changetype: modify +replace: userAccountControl +userAccountControl: %u +replace: accountExpires +accountExpires: %u +""" % (res[0].dn, userAccountControl, accountExpires) + # now change the database + self.modify_ldif(mod) + self.transaction_commit(); -- cgit