sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-12-23 00:23:53 +03:00
Code Activity

netcmd: Split 'domain passwordsettings' into a super-command

Browse Source 
The show and set options are not really related to each other at all, so
it makes sense to split the code into 2 separate commands.

We also want to add separate sub-commands for PSOs in a subsequent
patch.

Because of the way the sub-command was implemented previously, it meant
that you could specify other command-line options before the 'set' or
'show' keyword, and the command would still be accepted. However, now
that it's a super-command 'set'/'show' needs to be specified before any
additional arguments, so we need to update the test code to reflect
this.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
This commit is contained in:
Tim Beale
2018-05-03 12:12:04 +12:00
committed by Garming Sam
parent 0da9dbbf5a
commit 7255e0ced3
7 changed files with 237 additions and 213 deletions
Download Patch File Download Diff File Expand all files Collapse all files

422
python/samba/netcmd/domain.py
View File

@@ -1263,18 +1263,10 @@ class cmd_domain_level(Command):
else:
raise CommandError("invalid argument: '%s' (choose from 'show', 'raise')" % subcommand)
class cmd_domain_passwordsettings_show(Command):
"""Display current password settings for the domain."""
class cmd_domain_passwordsettings(Command):
"""Set password settings.
Password complexity, password lockout policy, history length,
minimum password length, the minimum and maximum password age) on
a Samba AD DC server.
Use against a Windows DC is possible, but group policy will override it.
"""
synopsis = "%prog (show|set <options>) [options]"
synopsis = "%prog [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
@@ -1285,34 +1277,9 @@ class cmd_domain_passwordsettings(Command):
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
Option("--quiet", help="Be quiet", action="store_true"),
Option("--complexity", type="choice", choices=["on","off","default"],
help="The password complexity (on | off | default). Default is 'on'"),
Option("--store-plaintext", type="choice", choices=["on","off","default"],
help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
Option("--history-length",
help="The password history length (<integer> | default). Default is 24.", type=str),
Option("--min-pwd-length",
help="The minimum password length (<integer> | default). Default is 7.", type=str),
Option("--min-pwd-age",
help="The minimum password age (<integer in days> | default). Default is 1.", type=str),
Option("--max-pwd-age",
help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
Option("--account-lockout-duration",
help="The the length of time an account is locked out after exeeding the limit on bad password attempts (<integer in mins> | default). Default is 30 mins.", type=str),
Option("--account-lockout-threshold",
help="The number of bad password attempts allowed before locking out the account (<integer> | default). Default is 0 (never lock out).", type=str),
Option("--reset-account-lockout-after",
help="After this time is elapsed, the recorded number of attempts restarts from zero (<integer> | default). Default is 30.", type=str),
]
takes_args = ["subcommand"]
def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None,
quiet=False, complexity=None, store_plaintext=None, history_length=None,
min_pwd_length=None, account_lockout_duration=None, account_lockout_threshold=None,
reset_account_lockout_after=None, credopts=None, sambaopts=None,
versionopts=None):
def run(self, H=None, credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
@@ -1345,170 +1312,227 @@ class cmd_domain_passwordsettings(Command):
except Exception as e:
raise CommandError("Could not retrieve password properties!", e)
if subcommand == "show":
self.message("Password informations for domain '%s'" % domain_dn)
self.message("")
if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
self.message("Password complexity: on")
else:
self.message("Password complexity: off")
if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0:
self.message("Store plaintext passwords: on")
else:
self.message("Store plaintext passwords: off")
self.message("Password history length: %d" % pwd_hist_len)
self.message("Minimum password length: %d" % cur_min_pwd_len)
self.message("Minimum password age (days): %d" % cur_min_pwd_age)
self.message("Maximum password age (days): %d" % cur_max_pwd_age)
self.message("Account lockout duration (mins): %d" % cur_account_lockout_duration)
self.message("Account lockout threshold (attempts): %d" % cur_account_lockout_threshold)
self.message("Reset account lockout after (mins): %d" % cur_reset_account_lockout_after)
elif subcommand == "set":
msgs = []
m = ldb.Message()
m.dn = ldb.Dn(samdb, domain_dn)
pwd_props = int(samdb.get_pwdProperties())
if complexity is not None:
if complexity == "on" or complexity == "default":
pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
msgs.append("Password complexity activated!")
elif complexity == "off":
pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
msgs.append("Password complexity deactivated!")
if store_plaintext is not None:
if store_plaintext == "on" or store_plaintext == "default":
pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT
msgs.append("Plaintext password storage for changed passwords activated!")
elif store_plaintext == "off":
pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT)
msgs.append("Plaintext password storage for changed passwords deactivated!")
if complexity is not None or store_plaintext is not None:
m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
ldb.FLAG_MOD_REPLACE, "pwdProperties")
if history_length is not None:
if history_length == "default":
pwd_hist_len = 24
else:
pwd_hist_len = int(history_length)
if pwd_hist_len < 0 or pwd_hist_len > 24:
raise CommandError("Password history length must be in the range of 0 to 24!")
m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
msgs.append("Password history length changed!")
if min_pwd_length is not None:
if min_pwd_length == "default":
min_pwd_len = 7
else:
min_pwd_len = int(min_pwd_length)
if min_pwd_len < 0 or min_pwd_len > 14:
raise CommandError("Minimum password length must be in the range of 0 to 14!")
m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
ldb.FLAG_MOD_REPLACE, "minPwdLength")
msgs.append("Minimum password length changed!")
if min_pwd_age is not None:
if min_pwd_age == "default":
min_pwd_age = 1
else:
min_pwd_age = int(min_pwd_age)
if min_pwd_age < 0 or min_pwd_age > 998:
raise CommandError("Minimum password age must be in the range of 0 to 998!")
# days -> ticks
min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
ldb.FLAG_MOD_REPLACE, "minPwdAge")
msgs.append("Minimum password age changed!")
if max_pwd_age is not None:
if max_pwd_age == "default":
max_pwd_age = 43
else:
max_pwd_age = int(max_pwd_age)
if max_pwd_age < 0 or max_pwd_age > 999:
raise CommandError("Maximum password age must be in the range of 0 to 999!")
# days -> ticks
if max_pwd_age == 0:
max_pwd_age_ticks = -0x8000000000000000
else:
max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
ldb.FLAG_MOD_REPLACE, "maxPwdAge")
msgs.append("Maximum password age changed!")
if account_lockout_duration is not None:
if account_lockout_duration == "default":
account_lockout_duration = 30
else:
account_lockout_duration = int(account_lockout_duration)
if account_lockout_duration < 0 or account_lockout_duration > 99999:
raise CommandError("Maximum password age must be in the range of 0 to 99999!")
# minutes -> ticks
if account_lockout_duration == 0:
account_lockout_duration_ticks = -0x8000000000000000
else:
account_lockout_duration_ticks = -int(account_lockout_duration * (60 * 1e7))
m["lockoutDuration"] = ldb.MessageElement(str(account_lockout_duration_ticks),
ldb.FLAG_MOD_REPLACE, "lockoutDuration")
msgs.append("Account lockout duration changed!")
if account_lockout_threshold is not None:
if account_lockout_threshold == "default":
account_lockout_threshold = 0
else:
account_lockout_threshold = int(account_lockout_threshold)
m["lockoutThreshold"] = ldb.MessageElement(str(account_lockout_threshold),
ldb.FLAG_MOD_REPLACE, "lockoutThreshold")
msgs.append("Account lockout threshold changed!")
if reset_account_lockout_after is not None:
if reset_account_lockout_after == "default":
reset_account_lockout_after = 30
else:
reset_account_lockout_after = int(reset_account_lockout_after)
if reset_account_lockout_after < 0 or reset_account_lockout_after > 99999:
raise CommandError("Maximum password age must be in the range of 0 to 99999!")
# minutes -> ticks
if reset_account_lockout_after == 0:
reset_account_lockout_after_ticks = -0x8000000000000000
else:
reset_account_lockout_after_ticks = -int(reset_account_lockout_after * (60 * 1e7))
m["lockOutObservationWindow"] = ldb.MessageElement(str(reset_account_lockout_after_ticks),
ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow")
msgs.append("Duration to reset account lockout after changed!")
if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
if len(m) == 0:
raise CommandError("You must specify at least one option to set. Try --help")
samdb.modify(m)
msgs.append("All changes applied successfully!")
self.message("\n".join(msgs))
self.message("Password informations for domain '%s'" % domain_dn)
self.message("")
if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
self.message("Password complexity: on")
else:
raise CommandError("Wrong argument '%s'!" % subcommand)
self.message("Password complexity: off")
if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0:
self.message("Store plaintext passwords: on")
else:
self.message("Store plaintext passwords: off")
self.message("Password history length: %d" % pwd_hist_len)
self.message("Minimum password length: %d" % cur_min_pwd_len)
self.message("Minimum password age (days): %d" % cur_min_pwd_age)
self.message("Maximum password age (days): %d" % cur_max_pwd_age)
self.message("Account lockout duration (mins): %d" % cur_account_lockout_duration)
self.message("Account lockout threshold (attempts): %d" % cur_account_lockout_threshold)
self.message("Reset account lockout after (mins): %d" % cur_reset_account_lockout_after)
class cmd_domain_passwordsettings_set(Command):
"""Set password settings.
Password complexity, password lockout policy, history length,
minimum password length, the minimum and maximum password age) on
a Samba AD DC server.
Use against a Windows DC is possible, but group policy will override it.
"""
synopsis = "%prog <options> [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
}
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
Option("--quiet", help="Be quiet", action="store_true"),
Option("--complexity", type="choice", choices=["on","off","default"],
help="The password complexity (on | off | default). Default is 'on'"),
Option("--store-plaintext", type="choice", choices=["on","off","default"],
help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
Option("--history-length",
help="The password history length (<integer> | default). Default is 24.", type=str),
Option("--min-pwd-length",
help="The minimum password length (<integer> | default). Default is 7.", type=str),
Option("--min-pwd-age",
help="The minimum password age (<integer in days> | default). Default is 1.", type=str),
Option("--max-pwd-age",
help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
Option("--account-lockout-duration",
help="The the length of time an account is locked out after exeeding the limit on bad password attempts (<integer in mins> | default). Default is 30 mins.", type=str),
Option("--account-lockout-threshold",
help="The number of bad password attempts allowed before locking out the account (<integer> | default). Default is 0 (never lock out).", type=str),
Option("--reset-account-lockout-after",
help="After this time is elapsed, the recorded number of attempts restarts from zero (<integer> | default). Default is 30.", type=str),
]
def run(self, H=None, min_pwd_age=None, max_pwd_age=None,
quiet=False, complexity=None, store_plaintext=None, history_length=None,
min_pwd_length=None, account_lockout_duration=None, account_lockout_threshold=None,
reset_account_lockout_after=None, credopts=None, sambaopts=None,
versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
domain_dn = samdb.domain_dn()
msgs = []
m = ldb.Message()
m.dn = ldb.Dn(samdb, domain_dn)
pwd_props = int(samdb.get_pwdProperties())
if complexity is not None:
if complexity == "on" or complexity == "default":
pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
msgs.append("Password complexity activated!")
elif complexity == "off":
pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
msgs.append("Password complexity deactivated!")
if store_plaintext is not None:
if store_plaintext == "on" or store_plaintext == "default":
pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT
msgs.append("Plaintext password storage for changed passwords activated!")
elif store_plaintext == "off":
pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT)
msgs.append("Plaintext password storage for changed passwords deactivated!")
if complexity is not None or store_plaintext is not None:
m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
ldb.FLAG_MOD_REPLACE, "pwdProperties")
if history_length is not None:
if history_length == "default":
pwd_hist_len = 24
else:
pwd_hist_len = int(history_length)
if pwd_hist_len < 0 or pwd_hist_len > 24:
raise CommandError("Password history length must be in the range of 0 to 24!")
m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
msgs.append("Password history length changed!")
if min_pwd_length is not None:
if min_pwd_length == "default":
min_pwd_len = 7
else:
min_pwd_len = int(min_pwd_length)
if min_pwd_len < 0 or min_pwd_len > 14:
raise CommandError("Minimum password length must be in the range of 0 to 14!")
m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
ldb.FLAG_MOD_REPLACE, "minPwdLength")
msgs.append("Minimum password length changed!")
if min_pwd_age is not None:
if min_pwd_age == "default":
min_pwd_age = 1
else:
min_pwd_age = int(min_pwd_age)
if min_pwd_age < 0 or min_pwd_age > 998:
raise CommandError("Minimum password age must be in the range of 0 to 998!")
# days -> ticks
min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
ldb.FLAG_MOD_REPLACE, "minPwdAge")
msgs.append("Minimum password age changed!")
if max_pwd_age is not None:
if max_pwd_age == "default":
max_pwd_age = 43
else:
max_pwd_age = int(max_pwd_age)
if max_pwd_age < 0 or max_pwd_age > 999:
raise CommandError("Maximum password age must be in the range of 0 to 999!")
# days -> ticks
if max_pwd_age == 0:
max_pwd_age_ticks = -0x8000000000000000
else:
max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
ldb.FLAG_MOD_REPLACE, "maxPwdAge")
msgs.append("Maximum password age changed!")
if account_lockout_duration is not None:
if account_lockout_duration == "default":
account_lockout_duration = 30
else:
account_lockout_duration = int(account_lockout_duration)
if account_lockout_duration < 0 or account_lockout_duration > 99999:
raise CommandError("Maximum password age must be in the range of 0 to 99999!")
# minutes -> ticks
if account_lockout_duration == 0:
account_lockout_duration_ticks = -0x8000000000000000
else:
account_lockout_duration_ticks = -int(account_lockout_duration * (60 * 1e7))
m["lockoutDuration"] = ldb.MessageElement(str(account_lockout_duration_ticks),
ldb.FLAG_MOD_REPLACE, "lockoutDuration")
msgs.append("Account lockout duration changed!")
if account_lockout_threshold is not None:
if account_lockout_threshold == "default":
account_lockout_threshold = 0
else:
account_lockout_threshold = int(account_lockout_threshold)
m["lockoutThreshold"] = ldb.MessageElement(str(account_lockout_threshold),
ldb.FLAG_MOD_REPLACE, "lockoutThreshold")
msgs.append("Account lockout threshold changed!")
if reset_account_lockout_after is not None:
if reset_account_lockout_after == "default":
reset_account_lockout_after = 30
else:
reset_account_lockout_after = int(reset_account_lockout_after)
if reset_account_lockout_after < 0 or reset_account_lockout_after > 99999:
raise CommandError("Maximum password age must be in the range of 0 to 99999!")
# minutes -> ticks
if reset_account_lockout_after == 0:
reset_account_lockout_after_ticks = -0x8000000000000000
else:
reset_account_lockout_after_ticks = -int(reset_account_lockout_after * (60 * 1e7))
m["lockOutObservationWindow"] = ldb.MessageElement(str(reset_account_lockout_after_ticks),
ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow")
msgs.append("Duration to reset account lockout after changed!")
if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
if len(m) == 0:
raise CommandError("You must specify at least one option to set. Try --help")
samdb.modify(m)
msgs.append("All changes applied successfully!")
self.message("\n".join(msgs))
class cmd_domain_passwordsettings(SuperCommand):
"""Manage password policy settings."""
subcommands = {}
subcommands["show"] = cmd_domain_passwordsettings_show()
subcommands["set"] = cmd_domain_passwordsettings_set()
class cmd_domain_classicupgrade(Command):
"""Upgrade from Samba classic (NT4-like) database to Samba AD DC database.