2007-11-21 13:07:16 +01:00
# Unix SMB/CIFS implementation.
2008-01-25 01:02:13 +01:00
# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
2009-12-30 21:48:42 +01:00
#
2008-01-25 01:02:13 +01:00
# Based on the original in EJS:
2007-11-21 13:07:16 +01:00
# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
2009-12-30 21:48:42 +01:00
#
2007-11-21 13:07:16 +01:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
2009-12-30 21:48:42 +01:00
#
2007-11-21 13:07:16 +01:00
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
2009-12-30 21:48:42 +01:00
#
2007-11-21 13:07:16 +01:00
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
2008-05-24 04:01:57 +02:00
""" Samba 4. """
2008-05-22 17:42:18 +02:00
__docformat__ = " restructuredText "
2007-11-21 13:07:16 +01:00
import os
2015-01-22 11:23:09 +00:00
import time
2016-12-13 11:26:53 +01:00
import ldb
2011-06-06 14:39:19 +10:00
import samba . param
2024-02-15 21:20:24 +00:00
import re
2016-12-13 11:26:53 +01:00
from samba import _glue
2017-01-02 08:51:19 +01:00
from samba . _ldb import Ldb as _Ldb
2007-11-21 13:07:16 +01:00
2012-02-18 23:59:48 +01:00
2011-02-03 13:49:29 +11:00
def source_tree_topdir ( ) :
2011-09-13 01:27:50 +02:00
""" Return the top level source directory. """
2012-02-18 23:59:48 +01:00
paths = [ " ../../.. " , " ../../../.. " ]
2011-02-03 13:49:29 +11:00
for p in paths :
topdir = os . path . normpath ( os . path . join ( os . path . dirname ( __file__ ) , p ) )
if os . path . exists ( os . path . join ( topdir , ' source4 ' ) ) :
return topdir
raise RuntimeError ( " unable to find top level source directory " )
2007-12-16 15:33:58 +01:00
2012-02-18 23:59:48 +01:00
2011-02-03 13:49:29 +11:00
def in_source_tree ( ) :
2011-09-13 01:27:50 +02:00
""" Return True if we are running from within the samba source tree """
2011-02-03 13:49:29 +11:00
try :
topdir = source_tree_topdir ( )
except RuntimeError :
return False
return True
2007-12-16 17:17:37 +01:00
2010-04-04 02:01:47 +02:00
class Ldb ( _Ldb ) :
2009-12-30 21:48:42 +01:00
""" Simple Samba-specific LDB subclass that takes care
2007-12-17 08:20:20 +01:00
of setting up the modules dir , credentials pointers , etc .
2009-12-30 21:48:42 +01:00
Please note that this is intended to be for all Samba LDB files ,
not necessarily the Sam database . For Sam - specific helper
2007-12-17 08:20:20 +01:00
functions see samdb . py .
2007-11-21 13:07:16 +01:00
"""
2010-09-21 21:33:30 -07:00
2009-08-15 15:20:09 +02:00
def __init__ ( self , url = None , lp = None , modules_dir = None , session_info = None ,
credentials = None , flags = 0 , options = None ) :
""" Opens a Samba Ldb file.
2007-12-17 08:20:20 +01:00
2007-12-17 11:12:36 +01:00
: param url : Optional LDB URL to open
2009-08-15 15:20:09 +02:00
: param lp : Optional loadparm object
: param modules_dir : Optional modules directory
2007-12-17 08:20:20 +01:00
: param session_info : Optional session information
: param credentials : Optional credentials , defaults to anonymous .
2009-08-15 15:20:09 +02:00
: param flags : Optional LDB flags
: param options : Additional options ( optional )
2007-12-17 08:20:20 +01:00
This is different from a regular Ldb file in that the Samba - specific
2009-12-30 21:48:42 +01:00
modules - dir is used by default and that credentials and session_info
2007-12-17 08:20:20 +01:00
can be passed through ( required by some modules ) .
"""
2007-12-17 11:12:36 +01:00
2007-12-17 08:20:20 +01:00
if modules_dir is not None :
2007-12-17 11:12:36 +01:00
self . set_modules_dir ( modules_dir )
2011-06-06 14:39:19 +10:00
else :
self . set_modules_dir ( os . path . join ( samba . param . modules_dir ( ) , " ldb " ) )
2007-12-17 11:12:36 +01:00
2007-12-17 08:20:20 +01:00
if session_info is not None :
2008-05-23 03:20:37 +02:00
self . set_session_info ( session_info )
2007-12-17 11:12:36 +01:00
2009-08-15 15:20:09 +02:00
if credentials is not None :
self . set_credentials ( credentials )
2007-12-20 15:53:56 +01:00
2007-12-17 08:20:20 +01:00
if lp is not None :
2008-05-23 03:20:37 +02:00
self . set_loadparm ( lp )
2007-12-17 11:12:36 +01:00
2009-08-15 15:20:09 +02:00
# This must be done before we load the schema, as these handlers for
# objectSid and objectGUID etc must take precedence over the 'binary
# attribute' declaration in the schema
2010-04-04 02:07:46 +02:00
self . register_samba_handlers ( )
2009-08-15 15:20:09 +02:00
# TODO set debug
2010-09-29 01:09:09 +03:00
def msg ( l , text ) :
2016-12-13 11:26:53 +01:00
print ( text )
2018-07-30 18:19:49 +12:00
# self.set_debug(msg)
2007-12-18 02:21:14 +01:00
2010-04-04 02:01:47 +02:00
self . set_utf8_casefold ( )
2009-08-15 15:20:09 +02:00
# Allow admins to force non-sync ldb for all databases
2009-08-17 21:40:19 +10:00
if lp is not None :
2018-06-03 18:35:15 +12:00
nosync_p = lp . get ( " ldb:nosync " )
2012-09-27 09:30:47 -07:00
if nosync_p is not None and nosync_p :
2010-04-08 20:28:11 +02:00
flags | = ldb . FLG_NOSYNC
2009-08-15 15:20:09 +02:00
2016-12-13 11:26:53 +01:00
self . set_create_perms ( 0o600 )
2009-10-27 19:52:21 +01:00
2009-08-17 21:40:19 +10:00
if url is not None :
self . connect ( url , flags , options )
2007-12-18 02:21:28 +01:00
2009-12-30 21:48:42 +01:00
def searchone ( self , attribute , basedn = None , expression = None ,
2007-12-19 23:27:38 +01:00
scope = ldb . SCOPE_BASE ) :
2007-12-23 19:19:41 -06:00
""" Search for one attribute as a string.
2009-12-30 21:48:42 +01:00
2007-12-23 19:19:41 -06:00
: param basedn : BaseDN for the search .
: param attribute : Name of the attribute
: param expression : Optional search expression .
: param scope : Search scope ( defaults to base ) .
: return : Value of attribute as a string or None if it wasn ' t found.
"""
2007-12-18 17:21:13 +01:00
res = self . search ( basedn , scope , expression , [ attribute ] )
2007-12-17 08:20:20 +01:00
if len ( res ) != 1 or res [ 0 ] [ attribute ] is None :
return None
2007-12-19 23:27:31 +01:00
values = set ( res [ 0 ] [ attribute ] )
assert len ( values ) == 1
2008-01-25 03:54:33 +01:00
return self . schema_format_value ( attribute , values . pop ( ) )
2007-12-17 08:20:20 +01:00
2009-09-06 21:08:08 +02:00
def erase_users_computers ( self , dn ) :
2010-06-20 02:32:23 +02:00
""" Erases user and computer objects from our AD.
2010-11-28 14:09:30 +01:00
2010-06-20 02:32:23 +02:00
This is needed since the ' samldb ' module denies the deletion of primary
groups . Therefore all groups shouldn ' t be primary somewhere anymore.
"""
2009-09-06 21:08:08 +02:00
try :
res = self . search ( base = dn , scope = ldb . SCOPE_SUBTREE , attrs = [ ] ,
2018-07-30 18:16:12 +12:00
expression = " (|(objectclass=user)(objectclass=computer)) " )
2016-12-13 11:26:53 +01:00
except ldb . LdbError as error :
( errno , estr ) = error . args
2010-03-01 05:04:23 +01:00
if errno == ldb . ERR_NO_SUCH_OBJECT :
# Ignore no such object errors
return
else :
raise
2009-09-06 21:08:08 +02:00
try :
for msg in res :
2010-06-18 22:20:22 +02:00
self . delete ( msg . dn , [ " relax:0 " ] )
2016-12-13 11:26:53 +01:00
except ldb . LdbError as error :
( errno , estr ) = error . args
2010-03-01 05:04:23 +01:00
if errno != ldb . ERR_NO_SUCH_OBJECT :
# Ignore no such object errors
raise
2009-09-06 21:08:08 +02:00
2009-08-17 11:33:25 +10:00
def erase_except_schema_controlled ( self ) :
2010-06-10 23:12:53 +02:00
""" Erase this ldb.
2010-11-28 14:09:30 +01:00
2010-06-10 23:12:53 +02:00
: note : Removes all records , except those that are controlled by
Samba4 ' s schema.
"""
2009-09-06 21:08:08 +02:00
2008-01-11 16:13:46 +01:00
basedn = " "
2009-09-06 21:08:08 +02:00
# Try to delete user/computer accounts to allow deletion of groups
self . erase_users_computers ( basedn )
2023-06-06 13:31:52 +02:00
# Delete the 'visible' records, and the invisible 'deleted' records (if
2012-02-18 23:59:48 +01:00
# this DB supports it)
2009-12-30 21:48:42 +01:00
for msg in self . search ( basedn , ldb . SCOPE_SUBTREE ,
2018-07-30 18:16:12 +12:00
" (&(|(objectclass=*)(distinguishedName=*))(!(distinguishedName=@BASEINFO))) " ,
[ ] , controls = [ " show_deleted:0 " , " show_recycled:0 " ] ) :
2007-12-19 23:27:38 +01:00
try :
2010-06-18 22:20:22 +02:00
self . delete ( msg . dn , [ " relax:0 " ] )
2016-12-13 11:26:53 +01:00
except ldb . LdbError as error :
( errno , estr ) = error . args
2010-03-01 05:04:23 +01:00
if errno != ldb . ERR_NO_SUCH_OBJECT :
# Ignore no such object errors
raise
2009-12-30 21:48:42 +01:00
res = self . search ( basedn , ldb . SCOPE_SUBTREE ,
2018-07-30 18:16:12 +12:00
" (&(|(objectclass=*)(distinguishedName=*))(!(distinguishedName=@BASEINFO))) " ,
[ ] , controls = [ " show_deleted:0 " , " show_recycled:0 " ] )
2007-12-17 08:20:20 +01:00
assert len ( res ) == 0
2007-11-21 13:07:16 +01:00
2009-08-13 14:37:06 +10:00
# delete the specials
2009-12-30 21:48:42 +01:00
for attr in [ " @SUBCLASSES " , " @MODULES " ,
2009-08-13 14:37:06 +10:00
" @OPTIONS " , " @PARTITION " , " @KLUDGEACL " ] :
try :
2010-06-18 22:20:22 +02:00
self . delete ( attr , [ " relax:0 " ] )
2016-12-13 11:26:53 +01:00
except ldb . LdbError as error :
( errno , estr ) = error . args
2010-03-01 05:04:23 +01:00
if errno != ldb . ERR_NO_SUCH_OBJECT :
# Ignore missing dn errors
raise
2009-08-13 14:37:06 +10:00
2009-08-17 11:33:25 +10:00
def erase ( self ) :
""" Erase this ldb, removing all records. """
self . erase_except_schema_controlled ( )
# delete the specials
for attr in [ " @INDEXLIST " , " @ATTRIBUTES " ] :
try :
2010-06-18 22:20:22 +02:00
self . delete ( attr , [ " relax:0 " ] )
2016-12-13 11:26:53 +01:00
except ldb . LdbError as error :
( errno , estr ) = error . args
2010-03-01 16:24:29 +01:00
if errno != ldb . ERR_NO_SUCH_OBJECT :
2010-03-01 05:04:23 +01:00
# Ignore missing dn errors
raise
2009-08-17 11:33:25 +10:00
2007-12-19 23:27:38 +01:00
def load_ldif_file_add ( self , ldif_path ) :
""" Load a LDIF file.
: param ldif_path : Path to LDIF file .
"""
2021-09-01 15:42:28 +12:00
with open ( ldif_path , ' r ' ) as ldif_file :
self . add_ldif ( ldif_file . read ( ) )
2007-12-19 23:27:38 +01:00
2009-11-20 13:22:38 +02:00
def add_ldif ( self , ldif , controls = None ) :
2007-12-29 18:14:15 -06:00
""" Add data based on a LDIF string.
: param ldif : LDIF text .
"""
2007-12-19 23:27:38 +01:00
for changetype , msg in self . parse_ldif ( ldif ) :
assert changetype == ldb . CHANGETYPE_NONE
2010-09-29 01:09:09 +03:00
self . add ( msg , controls )
2007-12-19 23:27:38 +01:00
2009-11-20 13:22:38 +02:00
def modify_ldif ( self , ldif , controls = None ) :
2007-12-29 18:14:15 -06:00
""" Modify database based on a LDIF string.
: param ldif : LDIF text .
"""
2008-01-02 01:52:31 -06:00
for changetype , msg in self . parse_ldif ( ldif ) :
2023-03-13 14:42:29 +01:00
if changetype == ldb . CHANGETYPE_NONE :
changetype = ldb . CHANGETYPE_MODIFY
2010-06-20 02:32:23 +02:00
if changetype == ldb . CHANGETYPE_ADD :
2010-01-06 09:15:35 +11:00
self . add ( msg , controls )
2023-03-13 14:42:29 +01:00
elif changetype == ldb . CHANGETYPE_MODIFY :
2010-01-06 09:15:35 +11:00
self . modify ( msg , controls )
2023-03-13 14:56:55 +01:00
elif changetype == ldb . CHANGETYPE_DELETE :
deldn = msg
self . delete ( deldn , controls )
2023-03-13 15:03:39 +01:00
elif changetype == ldb . CHANGETYPE_MODRDN :
olddn = msg [ " olddn " ]
deleteoldrdn = msg [ " deleteoldrdn " ]
newdn = msg [ " newdn " ]
if deleteoldrdn is False :
raise ValueError ( " Invalid ldb.CHANGETYPE_MODRDN with deleteoldrdn=False " )
self . rename ( olddn , newdn , controls )
2023-03-13 14:42:29 +01:00
else :
raise ValueError ( " Invalid ldb.CHANGETYPE_ %u : %s " % ( changetype , msg ) )
2007-12-23 19:19:41 -06:00
2007-11-21 13:07:16 +01:00
def substitute_var ( text , values ) :
2010-06-10 23:12:53 +02:00
""" Substitute strings of the form $ {NAME} in str, replacing
2010-06-20 15:22:49 +02:00
with substitutions from values .
2009-12-30 21:48:42 +01:00
2023-06-06 13:31:52 +02:00
: param text : Text in which to substitute .
2007-11-21 13:07:16 +01:00
: param values : Dictionary with keys and values .
"""
for ( name , value ) in values . items ( ) :
2020-07-04 13:47:44 +12:00
assert isinstance ( name , str ) , " %r is not a string " % name
assert isinstance ( value , str ) , " Value %r for %s is not a string " % ( value , name )
2007-11-21 13:07:16 +01:00
text = text . replace ( " $ { %s } " % name , value )
return text
2007-12-10 10:29:45 +01:00
2008-01-24 22:18:27 +01:00
def check_all_substituted ( text ) :
2010-11-28 14:09:30 +01:00
""" Check that all substitution variables in a string have been replaced.
2008-01-24 22:18:27 +01:00
If not , raise an exception .
2009-12-30 21:48:42 +01:00
2008-01-24 22:18:27 +01:00
: param text : The text to search for substitution variables
"""
2018-07-30 14:56:46 +12:00
if " $ { " not in text :
2009-02-24 01:02:26 +01:00
return
2009-12-30 21:48:42 +01:00
2008-01-24 22:18:27 +01:00
var_start = text . find ( " $ { " )
var_end = text . find ( " } " , var_start )
2009-12-30 21:48:42 +01:00
2010-11-28 14:09:30 +01:00
raise Exception ( " Not all variables substituted: %s " %
2018-07-30 18:18:25 +12:00
text [ var_start : var_end + 1 ] )
2008-01-24 22:18:27 +01:00
2010-09-29 01:53:22 +03:00
def read_and_sub_file ( file_name , subst_vars ) :
2009-10-30 14:31:25 +11:00
""" Read a file and sub in variables found in it
2009-12-30 21:48:42 +01:00
2010-09-29 01:53:22 +03:00
: param file_name : File to be read ( typically from setup directory )
2023-11-28 15:02:00 +13:00
: param subst_vars : Optional variables to substitute in the file .
2009-10-30 14:31:25 +11:00
"""
2021-09-01 15:42:28 +12:00
with open ( file_name , ' r ' , encoding = " utf-8 " ) as data_file :
data = data_file . read ( )
if subst_vars is not None :
data = substitute_var ( data , subst_vars )
check_all_substituted ( data )
2009-10-30 14:31:25 +11:00
return data
2009-10-30 15:18:42 +11:00
def setup_file ( template , fname , subst_vars = None ) :
""" Setup a file in the private dir.
: param template : Path of the template file .
: param fname : Path of the file to create .
: param subst_vars : Substitution variables .
"""
2010-06-10 23:12:53 +02:00
if os . path . exists ( fname ) :
os . unlink ( fname )
2009-10-30 15:18:42 +11:00
data = read_and_sub_file ( template , subst_vars )
2010-06-10 23:12:53 +02:00
f = open ( fname , ' w ' )
try :
f . write ( data )
finally :
f . close ( )
2009-10-30 15:18:42 +11:00
2018-07-30 18:21:29 +12:00
2012-02-26 20:51:04 +01:00
MAX_NETBIOS_NAME_LEN = 15
2018-07-30 18:20:39 +12:00
2012-02-26 20:51:04 +01:00
def is_valid_netbios_char ( c ) :
return ( c . isalnum ( ) or c in " !#$ % & ' ()-.@^_ {} ~ " )
2009-10-30 15:18:42 +11:00
2012-05-27 14:17:52 +02:00
2007-12-10 10:29:45 +01:00
def valid_netbios_name ( name ) :
""" Check whether a name is valid as a NetBIOS name. """
2009-04-05 23:17:43 +02:00
# See crh's book (1.4.1.1)
2012-02-26 20:51:04 +01:00
if len ( name ) > MAX_NETBIOS_NAME_LEN :
2007-12-10 10:29:45 +01:00
return False
2012-05-27 14:17:52 +02:00
for x in name :
if not is_valid_netbios_char ( x ) :
return False
return True
2007-12-10 10:29:45 +01:00
2009-08-13 11:37:38 +02:00
2011-08-24 15:32:57 +10:00
def dn_from_dns_name ( dnsdomain ) :
""" return a DN from a DNS name domain/forest root """
return " DC= " + " ,DC= " . join ( dnsdomain . split ( " . " ) )
2018-07-30 18:20:39 +12:00
2015-01-22 11:23:09 +00:00
def current_unix_time ( ) :
return int ( time . time ( ) )
2018-07-30 18:20:39 +12:00
2016-01-28 13:52:44 +01:00
def arcfour_encrypt ( key , data ) :
2017-03-10 16:20:06 +02:00
from samba . crypto import arcfour_crypt_blob
return arcfour_crypt_blob ( data , key )
2016-01-28 13:52:44 +01:00
2018-07-30 18:21:29 +12:00
2024-04-03 11:15:14 +02:00
def aead_aes_256_cbc_hmac_sha512 ( plaintext , cek , key_salt , mac_salt , iv ) :
from samba . crypto import aead_aes_256_cbc_hmac_sha512_blob
return aead_aes_256_cbc_hmac_sha512_blob (
plaintext ,
cek ,
key_salt ,
mac_salt ,
iv
)
2024-02-15 21:20:24 +00:00
GUID_RE = re . compile (
" [0-9a-f] {8} -[0-9a-f] {4} -[0-9a-f] {4} -[0-9a-f] {4} -[0-9a-f] {12} " )
GUID_MIXCASE_RE = re . compile (
" [0-9a-f] {8} -[0-9a-f] {4} -[0-9a-f] {4} -[0-9a-f] {4} -[0-9a-f] {12} " ,
flags = re . IGNORECASE )
def string_is_guid ( string , lower_case_only = False ) :
""" Is the string an ordinary undecorated string GUID?
That is , like 12345678 - abcd - 1234 - FEED - 1234567890 ab , and not like
variants which have surrounding curly brackets or lack hyphens .
If lower case_only is true , only lowercase hex characters are
accepted . This is tighter than we ever require , but matches what
we usually emit .
"""
# Note: it is rightly tempting to use misc.GUID() here and catch
# the error, but misc.GUID is more forgiving than we want,
# allowing all kinds of weird variants.
if lower_case_only :
m = GUID_RE . fullmatch ( string )
else :
m = GUID_MIXCASE_RE . fullmatch ( string )
if m is None :
return False
return True
2020-07-04 16:20:47 +12:00
def enable_net_export_keytab ( ) :
""" This function modifies the samba.net.Net class to contain
an export_keytab ( ) method . """
# This looks very strange because it is.
#
# The dckeytab modules contains nothing, but the act of importing
# it pushes a method into samba.net.Net. It ended up this way
2023-12-18 17:57:56 +13:00
# because Net.export_keytab() only works on AD DC builds, and
# people sometimes want to compile Samba without the AD DC while
2020-07-04 16:20:47 +12:00
# still having a working samba-tool.
#
# There is probably a better way to do this than a magic module
# import (yes, that's a FIXME if you can be bothered).
from samba import net
from samba import dckeytab
2010-04-08 20:34:40 +02:00
version = _glue . version
interface_ips = _glue . interface_ips
2018-05-25 07:52:02 +02:00
fault_setup = _glue . fault_setup
2010-04-08 20:34:40 +02:00
set_debug_level = _glue . set_debug_level
2010-11-29 13:26:48 +11:00
get_debug_level = _glue . get_debug_level
2020-12-02 15:42:10 +01:00
float2nttime = _glue . float2nttime
nttime2float = _glue . nttime2float
2010-11-27 23:47:30 +11:00
nttime2string = _glue . nttime2string
nttime2unix = _glue . nttime2unix
unix2nttime = _glue . unix2nttime
2010-04-08 20:34:40 +02:00
generate_random_password = _glue . generate_random_password
2016-08-23 09:35:50 +02:00
generate_random_machine_password = _glue . generate_random_machine_password
2017-11-28 15:45:30 +13:00
check_password_quality = _glue . check_password_quality
2017-11-02 10:15:29 +13:00
generate_random_bytes = _glue . generate_random_bytes
2011-05-18 12:06:25 +10:00
strcasecmp_m = _glue . strcasecmp_m
strstr_m = _glue . strstr_m
2015-10-10 09:30:17 +13:00
is_ntvfs_fileserver_built = _glue . is_ntvfs_fileserver_built
2015-10-09 15:06:52 +02:00
is_heimdal_built = _glue . is_heimdal_built
2020-09-18 11:27:24 -06:00
is_ad_dc_built = _glue . is_ad_dc_built
2021-03-19 12:31:42 -06:00
is_selftest_enabled = _glue . is_selftest_enabled
2024-08-27 15:06:02 -06:00
is_rust_built = _glue . is_rust_built
2016-11-01 15:23:58 +13:00
NTSTATUSError = _glue . NTSTATUSError
HRESULTError = _glue . HRESULTError
WERRORError = _glue . WERRORError
2016-11-01 16:09:20 +13:00
DsExtendedError = _glue . DsExtendedError