mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
samba-tool: add new "user unlock" command
Can be used to unlock a user when the badPwdCount has been reached. Introduces SamDB error classes, as suggested by Douglas Bagnall <douglas.bagnall@catalyst.net.nz> - thanks! This helps to handle expected failures. Tracebacks of really unexpected failures will not be hidden. Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
parent
27480333fd
commit
0bc93500a8
@ -1465,6 +1465,12 @@
|
||||
<para>Sets or resets the password of a user account.</para>
|
||||
</refsect3>
|
||||
|
||||
<refsect3>
|
||||
<title>user unlock <replaceable>username</replaceable> [options]</title>
|
||||
<para>This command unlocks a user account in the Active Directory
|
||||
domain.</para>
|
||||
</refsect3>
|
||||
|
||||
<refsect3>
|
||||
<title>user getpassword <replaceable>username</replaceable> [options]</title>
|
||||
<para>Gets the password of a user account.</para>
|
||||
|
@ -33,7 +33,7 @@ import binascii
|
||||
from subprocess import Popen, PIPE, STDOUT, check_call, CalledProcessError
|
||||
from getpass import getpass
|
||||
from samba.auth import system_session
|
||||
from samba.samdb import SamDB
|
||||
from samba.samdb import SamDB, SamDBError, SamDBNotFoundError
|
||||
from samba.dcerpc import misc
|
||||
from samba.dcerpc import security
|
||||
from samba.dcerpc import drsblobs
|
||||
@ -3257,6 +3257,77 @@ unixHomeDirectory: {6}
|
||||
self.outf.write("Modified User '{}' successfully\n"
|
||||
.format(username))
|
||||
|
||||
class cmd_user_unlock(Command):
|
||||
"""Unlock a user account.
|
||||
|
||||
This command unlocks a user account in the Active Directory domain. The
|
||||
username specified on the command is the sAMAccountName. The username may
|
||||
also be specified using the --filter option.
|
||||
|
||||
The command may be run from the root userid or another authorized userid.
|
||||
The -H or --URL= option can be used to execute the command against a remote
|
||||
server.
|
||||
|
||||
Example:
|
||||
samba-tool user unlock user1 -H ldap://samba.samdom.example.com \\
|
||||
--username=Administrator --password=Passw0rd
|
||||
|
||||
The example shows how to unlock a user account in the domain against a
|
||||
remote LDAP server. The -H parameter is used to specify the remote target
|
||||
server. The --username= and --password= options are used to pass the
|
||||
username and password of a user that exists on the remote server and is
|
||||
authorized to issue the command on that server.
|
||||
"""
|
||||
|
||||
synopsis = "%prog (<username>|--filter <filter>) [options]"
|
||||
|
||||
takes_options = [
|
||||
Option("-H",
|
||||
"--URL",
|
||||
help="LDB URL for database or target server",
|
||||
type=str,
|
||||
metavar="URL",
|
||||
dest="H"),
|
||||
Option("--filter",
|
||||
help="LDAP Filter to set password on",
|
||||
type=str),
|
||||
]
|
||||
|
||||
takes_args = ["username?"]
|
||||
|
||||
takes_optiongroups = {
|
||||
"sambaopts": options.SambaOptions,
|
||||
"credopts": options.CredentialsOptions,
|
||||
"versionopts": options.VersionOptions,
|
||||
}
|
||||
|
||||
def run(self,
|
||||
username=None,
|
||||
sambaopts=None,
|
||||
credopts=None,
|
||||
versionopts=None,
|
||||
filter=None,
|
||||
H=None):
|
||||
if username is None and filter is None:
|
||||
raise CommandError("Either the username or '--filter' must be "
|
||||
"specified!")
|
||||
|
||||
if filter is None:
|
||||
filter = ("(&(objectClass=user)(sAMAccountName=%s))" % (
|
||||
ldb.binary_encode(username)))
|
||||
|
||||
lp = sambaopts.get_loadparm()
|
||||
creds = credopts.get_credentials(lp, fallback_machine=True)
|
||||
|
||||
samdb = SamDB(url=H,
|
||||
session_info=system_session(),
|
||||
credentials=creds,
|
||||
lp=lp)
|
||||
try:
|
||||
samdb.unlock_account(filter)
|
||||
except (SamDBError, ldb.LdbError) as msg:
|
||||
raise CommandError("Failed to unlock user '%s': %s" % (
|
||||
username or filter, msg))
|
||||
|
||||
class cmd_user_sensitive(Command):
|
||||
"""Set/unset or show UF_NOT_DELEGATED for an account."""
|
||||
@ -3336,5 +3407,6 @@ class cmd_user(SuperCommand):
|
||||
subcommands["show"] = cmd_user_show()
|
||||
subcommands["move"] = cmd_user_move()
|
||||
subcommands["rename"] = cmd_user_rename()
|
||||
subcommands["unlock"] = cmd_user_unlock()
|
||||
subcommands["addunixattrs"] = cmd_user_add_unix_attrs()
|
||||
subcommands["sensitive"] = cmd_user_sensitive()
|
||||
|
@ -42,6 +42,11 @@ __docformat__ = "restructuredText"
|
||||
def get_default_backend_store():
|
||||
return "tdb"
|
||||
|
||||
class SamDBError(Exception):
|
||||
pass
|
||||
|
||||
class SamDBNotFoundError(SamDBError):
|
||||
pass
|
||||
|
||||
class SamDB(samba.Ldb):
|
||||
"""The SAM database."""
|
||||
@ -179,6 +184,31 @@ dn: %s
|
||||
changetype: modify
|
||||
replace: pwdLastSet
|
||||
pwdLastSet: 0
|
||||
""" % (user_dn)
|
||||
self.modify_ldif(mod)
|
||||
|
||||
def unlock_account(self, search_filter):
|
||||
"""Unlock a user account by resetting lockoutTime to 0.
|
||||
This does also reset the badPwdCount to 0.
|
||||
|
||||
:param search_filter: LDAP filter to find the user (e.g.
|
||||
sAMAccountName=username)
|
||||
"""
|
||||
res = self.search(base=self.domain_dn(),
|
||||
scope=ldb.SCOPE_SUBTREE,
|
||||
expression=search_filter,
|
||||
attrs=[])
|
||||
if len(res) == 0:
|
||||
raise SamDBNotFoundError('Unable to find user "%s"' % search_filter)
|
||||
if len(res) != 1:
|
||||
raise SamDBError('User "%s" is not unique' % search_filter)
|
||||
user_dn = res[0].dn
|
||||
|
||||
mod = """
|
||||
dn: %s
|
||||
changetype: modify
|
||||
replace: lockoutTime
|
||||
lockoutTime: 0
|
||||
""" % (user_dn)
|
||||
self.modify_ldif(mod)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user