sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code

netcmd: Add samba-tool support for managing PSOs

Browse Source 
Add a new command 'samba-tool domain passwordsettings pso', with the
sub-command options: create, delete, set, list, show, show-user, apply,
unapply. The apply and unapply options apply the PSO to a user or group.
The show-user option shows the actual PSO (and its settings) that will
take effect for a given user.

The new commands are pretty self-contained in a new pso.py file. We
decided to add these new commands under the existing 'samba-tool domain
passwordsettings' command, as that's what users would be already
familiar with.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This commit is contained in:
Tim Beale 2018-04-23 10:47:21 +12:00 committed by Garming Sam
parent 1ebfe6957f
commit de131c16a6
3 changed files with 814 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
docs-xml/manpages/samba-tool.8.xml
View File

@ -333,6 +333,51 @@
<para>Show/set password settings.</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso</title>
<para>Manage fine-grained Password Settings Objects (PSOs).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso apply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
<para>Applies a PSO's password policy to a user or group.</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso create <replaceable>pso-name</replaceable> <replaceable>precedence</replaceable> [options]</title>
<para>Creates a new Password Settings Object (PSO).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso delete <replaceable>pso-name</replaceable> [options]</title>
<para>Deletes a Password Settings Object (PSO).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso list [options]</title>
<para>Lists all Password Settings Objects (PSOs).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso set <replaceable>pso-name</replaceable> [options]</title>
<para>Modifies a Password Settings Object (PSO).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso show <replaceable>user-name</replaceable> [options]</title>
<para>Displays a Password Settings Object (PSO).</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso show-user <replaceable>pso-name</replaceable> [options]</title>
<para>Displays the Password Settings that apply to a user.</para>
</refsect3>
<refsect3>
<title>domain passwordsettings pso unapply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
<para>Updates a PSO to no longer apply to a user or group.</para>
</refsect3>
<refsect3>
<title>domain provision</title>
<para>Promote an existing domain member or NT4 PDC to an AD DC.</para>

3
python/samba/netcmd/domain.py
View File

@ -99,6 +99,8 @@ from samba.provision.common import (
FILL_DRS
)
from samba.netcmd.pso import cmd_domain_passwordsettings_pso
string_version_to_constant = {
"2008_R2" : DS_DOMAIN_FUNCTION_2008_R2,
"2012": DS_DOMAIN_FUNCTION_2012,
@ -1530,6 +1532,7 @@ class cmd_domain_passwordsettings(SuperCommand):
"""Manage password policy settings."""
subcommands = {}
subcommands["pso"] = cmd_domain_passwordsettings_pso()
subcommands["show"] = cmd_domain_passwordsettings_show()
subcommands["set"] = cmd_domain_passwordsettings_set()

766
python/samba/netcmd/pso.py Normal file
View File

@ -0,0 +1,766 @@
# Manages Password Settings Objects
#
# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import samba
import samba.getopt as options
import ldb
from samba.samdb import SamDB
from samba.netcmd import (Command, CommandError, Option, SuperCommand)
from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT
from samba.auth import system_session
import pdb
NEVER_TIMESTAMP = int(-0x8000000000000000)
def pso_container(samdb):
return "CN=Password Settings Container,CN=System,%s" % samdb.domain_dn()
def timestamp_to_mins(timestamp_str):
"""Converts a timestamp in -100 nanosecond units to minutes"""
# treat a timestamp of 'never' the same as zero (this should work OK for
# most settings, and it displays better than trying to convert
# -0x8000000000000000 to minutes)
if int(timestamp_str) == NEVER_TIMESTAMP:
return 0
else:
return abs(int(timestamp_str)) / (1e7 * 60)
def timestamp_to_days(timestamp_str):
"""Converts a timestamp in -100 nanosecond units to days"""
return timestamp_to_mins(timestamp_str) / (60 * 24)
def mins_to_timestamp(mins):
"""Converts a value in minutes to -100 nanosecond units"""
timestamp = -int((1e7) * 60 * mins)
return str(timestamp)
def days_to_timestamp(days):
"""Converts a value in days to -100 nanosecond units"""
timestamp = mins_to_timestamp(days * 60 * 24)
return str(timestamp)
def show_pso_by_dn(outf, samdb, dn, show_applies_to=True):
"""Displays the password settings for a PSO specified by DN"""
# map from the boolean LDB value to the CLI string the user sees
on_off_str = { "TRUE" : "on", "FALSE" : "off" }
pso_attrs = ['name', 'msDS-PasswordSettingsPrecedence',
'msDS-PasswordReversibleEncryptionEnabled',
'msDS-PasswordHistoryLength', 'msDS-MinimumPasswordLength',
'msDS-PasswordComplexityEnabled', 'msDS-MinimumPasswordAge',
'msDS-MaximumPasswordAge', 'msDS-LockoutObservationWindow',
'msDS-LockoutThreshold', 'msDS-LockoutDuration',
'msDS-PSOAppliesTo']
res = samdb.search(dn, scope=ldb.SCOPE_BASE, attrs=pso_attrs)
pso_res = res[0]
outf.write("Password information for PSO '%s'\n" % pso_res['name'])
outf.write("\n")
outf.write("Precedence (lowest is best): %s\n" %
pso_res['msDS-PasswordSettingsPrecedence'])
bool_str = str(pso_res['msDS-PasswordComplexityEnabled'])
outf.write("Password complexity: %s\n" % on_off_str[bool_str])
bool_str = str(pso_res['msDS-PasswordReversibleEncryptionEnabled'])
outf.write("Store plaintext passwords: %s\n" % on_off_str[bool_str])
outf.write("Password history length: %s\n" %
pso_res['msDS-PasswordHistoryLength'])
outf.write("Minimum password length: %s\n" %
pso_res['msDS-MinimumPasswordLength'])
outf.write("Minimum password age (days): %d\n" %
timestamp_to_days(pso_res['msDS-MinimumPasswordAge'][0]))
outf.write("Maximum password age (days): %d\n" %
timestamp_to_days(pso_res['msDS-MaximumPasswordAge'][0]))
outf.write("Account lockout duration (mins): %d\n" %
timestamp_to_mins(pso_res['msDS-LockoutDuration'][0]))
outf.write("Account lockout threshold (attempts): %s\n" %
pso_res['msDS-LockoutThreshold'])
outf.write("Reset account lockout after (mins): %d\n" %
timestamp_to_mins(pso_res['msDS-LockoutObservationWindow'][0]))
if show_applies_to:
if 'msDS-PSOAppliesTo' in pso_res:
outf.write("\nPSO applies directly to %d groups/users:\n" %
len(pso_res['msDS-PSOAppliesTo']))
for dn in pso_res['msDS-PSOAppliesTo']:
outf.write(" %s\n" % dn)
else:
outf.write("\nNote: PSO does not apply to any users or groups.\n")
def check_pso_valid(samdb, pso_dn, name):
"""Gracefully bail out if we can't view/modify the PSO specified"""
# the base scope search for the PSO throws an error if it doesn't exist
try:
res = samdb.search(pso_dn, scope=ldb.SCOPE_BASE,
attrs=['msDS-PasswordSettingsPrecedence'])
except Exception as e:
raise CommandError("Unable to find PSO '%s'" % name)
# users need admin permission to modify/view a PSO. In this case, the
# search succeeds, but it doesn't return any attributes
if 'msDS-PasswordSettingsPrecedence' not in res[0]:
raise CommandError("You may not have permission to view/modify PSOs")
def show_pso_for_user(outf, samdb, username):
"""Displays the password settings for a specific user"""
search_filter = "(&(sAMAccountName=%s)(objectClass=user))" % username
res = samdb.search(samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
expression=search_filter,
attrs=['msDS-ResultantPSO', 'msDS-PSOApplied'])
if len(res) == 0:
outf.write("User '%s' not found.\n" % username)
elif 'msDS-ResultantPSO' not in res[0]:
outf.write("No PSO applies to user '%s'. The default domain settings apply.\n"
% username)
outf.write("Refer to 'samba-tool domain passwordsettings show'.\n")
else:
# sanity-check user has permissions to view PSO details (non-admin
# users can view msDS-ResultantPSO, but not the actual PSO details)
check_pso_valid(samdb, res[0]['msDS-ResultantPSO'][0], "???")
outf.write("The following PSO settings apply to user '%s'.\n\n" %
username)
show_pso_by_dn(outf, samdb, res[0]['msDS-ResultantPSO'][0],
show_applies_to=False)
# PSOs that apply directly to a user don't necessarily have the best
# precedence, which could be a little confusing for PSO management
if 'msDS-PSOApplied' in res[0]:
outf.write("\nNote: PSO applies directly to user (any group PSOs are overridden)\n")
else:
outf.write("\nPSO applies to user via group membership.\n")
def make_pso_ldb_msg(outf, samdb, pso_dn, create, lockout_threshold=None,
complexity=None, precedence=None, store_plaintext=None,
history_length=None, min_pwd_length=None,
min_pwd_age=None, max_pwd_age=None, lockout_duration=None,
reset_account_lockout_after=None):
"""Packs the given PSO settings into an LDB message"""
m = ldb.Message()
m.dn = ldb.Dn(samdb, pso_dn)
if create:
ldb_oper = ldb.FLAG_MOD_ADD
m["msDS-objectClass"] = ldb.MessageElement("msDS-PasswordSettings",
ldb_oper, "objectClass")
else:
ldb_oper = ldb.FLAG_MOD_REPLACE
if precedence is not None:
m["msDS-PasswordSettingsPrecedence"] = ldb.MessageElement(str(precedence),
ldb_oper, "msDS-PasswordSettingsPrecedence")
if complexity is not None:
bool_str = "TRUE" if complexity == "on" else "FALSE"
m["msDS-PasswordComplexityEnabled"] = ldb.MessageElement(bool_str,
ldb_oper, "msDS-PasswordComplexityEnabled")
if store_plaintext is not None:
bool_str = "TRUE" if store_plaintext == "on" else "FALSE"
m["msDS-msDS-PasswordReversibleEncryptionEnabled"] = \
ldb.MessageElement(bool_str, ldb_oper,
"msDS-PasswordReversibleEncryptionEnabled")
if history_length is not None:
m["msDS-PasswordHistoryLength"] = ldb.MessageElement(str(history_length),
ldb_oper, "msDS-PasswordHistoryLength")
if min_pwd_length is not None:
m["msDS-MinimumPasswordLength"] = ldb.MessageElement(str(min_pwd_length),
ldb_oper, "msDS-MinimumPasswordLength")
if min_pwd_age is not None:
min_pwd_age_ticks = days_to_timestamp(min_pwd_age)
m["msDS-MinimumPasswordAge"] = ldb.MessageElement(min_pwd_age_ticks,
ldb_oper, "msDS-MinimumPasswordAge")
if max_pwd_age is not None:
# Windows won't let you set max-pwd-age to zero. Here we take zero to
# mean 'never expire' and use the timestamp corresponding to 'never'
if max_pwd_age == 0:
max_pwd_age_ticks = str(NEVER_TIMESTAMP)
else:
max_pwd_age_ticks = days_to_timestamp(max_pwd_age)
m["msDS-MaximumPasswordAge"] = ldb.MessageElement(max_pwd_age_ticks,
ldb_oper, "msDS-MaximumPasswordAge")
if lockout_duration is not None:
lockout_duration_ticks = mins_to_timestamp(lockout_duration)
m["msDS-LockoutDuration"] = ldb.MessageElement(lockout_duration_ticks,
ldb_oper, "msDS-LockoutDuration")
if lockout_threshold is not None:
m["msDS-LockoutThreshold"] = ldb.MessageElement(str(lockout_threshold),
ldb_oper, "msDS-LockoutThreshold")
if reset_account_lockout_after is not None:
observation_window_ticks = mins_to_timestamp(reset_account_lockout_after)
m["msDS-LockoutObservationWindow"] = ldb.MessageElement(observation_window_ticks,
ldb_oper, "msDS-LockoutObservationWindow")
return m
def check_pso_constraints(min_pwd_length=None, history_length=None,
min_pwd_age=None, max_pwd_age=None):
"""Checks PSO settings fall within valid ranges"""
# check values as per section 3.1.1.5.2.2 Constraints in MS-ADTS spec
if history_length is not None and history_length > 1024:
raise CommandError("Bad password history length: valid range is 0 to 1024")
if min_pwd_length is not None and min_pwd_length > 255:
raise CommandError("Bad minimum password length: valid range is 0 to 255")
if min_pwd_age is not None and max_pwd_age is not None:
# note max-age=zero is a special case meaning 'never expire'
if min_pwd_age >= max_pwd_age and max_pwd_age != 0:
raise CommandError("Minimum password age must be less than the maximum age")
# the same args are used for both create and set commands
pwd_settings_options = [
Option("--complexity", type="choice", choices=["on","off"],
help="The password complexity (on | off)."),
Option("--store-plaintext", type="choice", choices=["on","off"],
help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off)."),
Option("--history-length",
help="The password history length (<integer>).", type=int),
Option("--min-pwd-length",
help="The minimum password length (<integer>).", type=int),
Option("--min-pwd-age",
help="The minimum password age (<integer in days>). Default is domain setting.", type=int),
Option("--max-pwd-age",
help="The maximum password age (<integer in days>). Default is domain setting.", type=int),
Option("--account-lockout-duration",
help="The the length of time an account is locked out after exeeding the limit on bad password attempts (<integer in mins>). Default is domain setting", type=int),
Option("--account-lockout-threshold",
help="The number of bad password attempts allowed before locking out the account (<integer>). Default is domain setting.", type=int),
Option("--reset-account-lockout-after",
help="After this time is elapsed, the recorded number of attempts restarts from zero (<integer in mins>). Default is domain setting.", type=int),
]
def num_options_in_args(options, args):
"""
Returns the number of options specified that are present in the args.
(There can be other args besides just the ones we're interested in, which
is why argc on its own is not enough)
"""
num_opts = 0
for opt in options:
for arg in args:
# The option should be a sub-string of the CLI argument for a match
if str(opt) in arg:
num_opts += 1
return num_opts
class cmd_domain_pwdsettings_pso_create(Command):
"""Creates a new Password Settings Object (PSO).
PSOs are a way to tailor different password settings (lockout policy,
minimum password length, etc) for specific users or groups.
The psoname is a unique name for the new Password Settings Object.
When multiple PSOs apply to a user, the precedence determines which PSO
will take effect. The PSO with the lowest precedence will take effect.
For most arguments, the default value (if unspecified) is the current
domain passwordsettings value. To see these values, enter the command
'samba-tool domain passwordsettings show'.
To apply the new PSO to user(s) or group(s), enter the command
'samba-tool domain passwordsettings pso apply'.
"""
synopsis = "%prog <psoname> <precedence> [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
}
takes_options = pwd_settings_options + [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
]
takes_args = ["psoname", "precedence"]
def run(self, psoname, precedence, H=None, min_pwd_age=None,
max_pwd_age=None, complexity=None, store_plaintext=None,
history_length=None, min_pwd_length=None,
account_lockout_duration=None, account_lockout_threshold=None,
reset_account_lockout_after=None, credopts=None, sambaopts=None,
versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
try:
precedence = int(precedence)
except ValueError:
raise CommandError("The PSO's precedence should be a numerical value. Try --help")
# sanity-check that the PSO doesn't already exist
pso_dn = "CN=%s,%s" % (psoname, pso_container(samdb))
try:
res = samdb.search(pso_dn, scope=ldb.SCOPE_BASE)
except Exception as e:
pass
else:
raise CommandError("PSO '%s' already exists" % psoname)
# we expect the user to specify at least one password-policy setting,
# otherwise there's no point in creating a PSO
num_pwd_args = num_options_in_args(pwd_settings_options, self.raw_argv)
if num_pwd_args == 0:
raise CommandError("Please specify at least one password policy setting. Try --help")
# it's unlikely that the user will specify all 9 password policy
# settings on the CLI - current domain password-settings as the default
# values for unspecified arguments
if num_pwd_args < len(pwd_settings_options):
self.message("Not all password policy options have been specified.")
self.message("For unspecified options, the current domain password settings will be used as the default values.")
# lookup the current domain password-settings
res = samdb.search(samdb.domain_dn(), scope=ldb.SCOPE_BASE,
attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength",
"minPwdAge", "maxPwdAge", "lockoutDuration",
"lockoutThreshold", "lockOutObservationWindow"])
assert(len(res) == 1)
# use the domain settings for any missing arguments
pwd_props = int(res[0]["pwdProperties"][0])
if complexity is None:
prop_flag = DOMAIN_PASSWORD_COMPLEX
complexity = "on" if pwd_props & prop_flag else "off"
if store_plaintext is None:
prop_flag = DOMAIN_PASSWORD_STORE_CLEARTEXT
store_plaintext = "on" if pwd_props & prop_flag else "off"
if history_length is None:
history_length = int(res[0]["pwdHistoryLength"][0])
if min_pwd_length is None:
min_pwd_length = int(res[0]["minPwdLength"][0])
if min_pwd_age is None:
min_pwd_age = timestamp_to_days(res[0]["minPwdAge"][0])
if max_pwd_age is None:
max_pwd_age = timestamp_to_days(res[0]["maxPwdAge"][0])
if account_lockout_duration is None:
account_lockout_duration = \
timestamp_to_mins(res[0]["lockoutDuration"][0])
if account_lockout_threshold is None:
account_lockout_threshold = int(res[0]["lockoutThreshold"][0])
if reset_account_lockout_after is None:
reset_account_lockout_after = \
timestamp_to_mins(res[0]["lockOutObservationWindow"][0])
check_pso_constraints(max_pwd_age=max_pwd_age, min_pwd_age=min_pwd_age,
history_length=history_length,
min_pwd_length=min_pwd_length)
# pack the settings into an LDB message
m = make_pso_ldb_msg(self.outf, samdb, pso_dn, create=True,
complexity=complexity, precedence=precedence,
store_plaintext=store_plaintext,
history_length=history_length,
min_pwd_length=min_pwd_length,
min_pwd_age=min_pwd_age, max_pwd_age=max_pwd_age,
lockout_duration=account_lockout_duration,
lockout_threshold=account_lockout_threshold,
reset_account_lockout_after=reset_account_lockout_after)
# create the new PSO
try:
samdb.add(m)
self.message("PSO successfully created: %s" % pso_dn)
# display the new PSO's settings
show_pso_by_dn(self.outf, samdb, pso_dn, show_applies_to=False)
except ldb.LdbError as e:
(num, msg) = e.args
if num == ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS:
raise CommandError("Administrator permissions are needed to create a PSO.")
else:
raise CommandError("Failed to create PSO '%s': %s" %(pso_dn, msg))
class cmd_domain_pwdsettings_pso_set(Command):
"""Modifies a Password Settings Object (PSO)."""
synopsis = "%prog <psoname> [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
}
takes_options = pwd_settings_options + [
Option("--precedence", type=int,
help="This PSO's precedence relative to other PSOs. Lower precedence is better (<integer>)."),
Option("-H", "--URL", help="LDB URL for database or target server",
type=str, metavar="URL", dest="H"),
]
takes_args = ["psoname"]
def run(self, psoname, H=None, precedence=None, min_pwd_age=None,
max_pwd_age=None, complexity=None, store_plaintext=None,
history_length=None, min_pwd_length=None,
account_lockout_duration=None, account_lockout_threshold=None,
reset_account_lockout_after=None, credopts=None, sambaopts=None,
versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
# sanity-check the PSO exists
pso_dn = "CN=%s,%s" % (psoname, pso_container(samdb))
check_pso_valid(samdb, pso_dn, psoname)
# we expect the user to specify at least one password-policy setting
num_pwd_args = num_options_in_args(pwd_settings_options, self.raw_argv)
if num_pwd_args == 0 and precedence is None:
raise CommandError("Please specify at least one password policy setting. Try --help")
if min_pwd_age is not None or max_pwd_age is not None:
# if we're modifying either the max or min pwd-age, check the max is
# always larger. We may have to fetch the PSO's setting to verify this
res = samdb.search(pso_dn, scope=ldb.SCOPE_BASE,
attrs=['msDS-MinimumPasswordAge',
'msDS-MaximumPasswordAge'])
if min_pwd_age is None:
min_pwd_age = timestamp_to_days(res[0]['msDS-MinimumPasswordAge'][0])
if max_pwd_age is None:
max_pwd_age = timestamp_to_days(res[0]['msDS-MaximumPasswordAge'][0])
check_pso_constraints(max_pwd_age=max_pwd_age, min_pwd_age=min_pwd_age,
history_length=history_length,
min_pwd_length=min_pwd_length)
# pack the settings into an LDB message
m = make_pso_ldb_msg(self.outf, samdb, pso_dn, create=False,
complexity=complexity, precedence=precedence,
store_plaintext=store_plaintext,
history_length=history_length,
min_pwd_length=min_pwd_length,
min_pwd_age=min_pwd_age, max_pwd_age=max_pwd_age,
lockout_duration=account_lockout_duration,
lockout_threshold=account_lockout_threshold,
reset_account_lockout_after=reset_account_lockout_after)
# update the PSO
try:
samdb.modify(m)
self.message("Successfully updated PSO: %s" % pso_dn)
# display the new PSO's settings
show_pso_by_dn(self.outf, samdb, pso_dn, show_applies_to=False)
except ldb.LdbError as e:
(num, msg) = e.args
raise CommandError("Failed to update PSO '%s': %s" %(pso_dn, msg))
class cmd_domain_pwdsettings_pso_delete(Command):
"""Deletes a Password Settings Object (PSO)."""
synopsis = "%prog <psoname> [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
}
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
]
takes_args = ["psoname"]
def run(self, psoname, H=None, credopts=None, sambaopts=None,
versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
pso_dn = "CN=%s,%s" % (psoname, pso_container(samdb))
# sanity-check the PSO exists
check_pso_valid(samdb, pso_dn, psoname)
samdb.delete(pso_dn)
self.message("Deleted PSO %s" % psoname)
def pso_cmp(a, b):
"""Compares two PSO LDB search results"""
a_precedence = int(a['msDS-PasswordSettingsPrecedence'][0])
b_precedence = int(b['msDS-PasswordSettingsPrecedence'][0])
return a_precedence - b_precedence
class cmd_domain_pwdsettings_pso_list(Command):
"""Lists all Password Settings Objects (PSOs)."""
synopsis = "%prog [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
}
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
]
def run(self, H=None, credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
res = samdb.search(pso_container(samdb), scope=ldb.SCOPE_SUBTREE,
attrs=['name', 'msDS-PasswordSettingsPrecedence'],
expression="(objectClass=msDS-PasswordSettings)")
# an unprivileged search against Windows returns nothing here. On Samba
# we get the PSO names, but not their attributes
if len(res) == 0 or 'msDS-PasswordSettingsPrecedence' not in res[0]:
self.outf.write("No PSOs are present, or you don't have permission to view them.\n")
return
# sort the PSOs so they're displayed in order of precedence
pso_list = sorted(res, cmp=pso_cmp)
self.outf.write("Precedence | PSO name\n")
self.outf.write("--------------------------------------------------\n")
for pso in pso_list:
precedence = pso['msDS-PasswordSettingsPrecedence']
self.outf.write("%-10s | %s\n" %(precedence, pso['name']))
class cmd_domain_pwdsettings_pso_show(Command):
"""Display a Password Settings Object's details."""
synopsis = "%prog <psoname> [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
}
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
]
takes_args = ["psoname"]
def run(self, psoname, H=None, credopts=None, sambaopts=None,
versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
pso_dn = "CN=%s,%s" % (psoname, pso_container(samdb))
check_pso_valid(samdb, pso_dn, psoname)
show_pso_by_dn(self.outf, samdb, pso_dn)
class cmd_domain_pwdsettings_pso_show_user(Command):
"""Displays the Password Settings that apply to a user."""
synopsis = "%prog <username> [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
}
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
]
takes_args = ["username"]
def run(self, username, H=None, credopts=None, sambaopts=None,
versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
show_pso_for_user(self.outf, samdb, username)
class cmd_domain_pwdsettings_pso_apply(Command):
"""Applies a PSO's password policy to a user or group.
When a PSO is applied to a group, it will apply to all users (and groups)
that are members of that group. If a PSO applies directly to a user, it
will override any group membership PSOs for that user.
When multiple PSOs apply to a user, either directly or through group
membership, the PSO with the lowest precedence will take effect.
"""
synopsis = "%prog <psoname> <user-or-group-name> [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
}
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
]
takes_args = ["psoname", "user_or_group"]
def run(self, psoname, user_or_group, H=None, credopts=None,
sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
pso_dn = "CN=%s,%s" % (psoname, pso_container(samdb))
# sanity-check the PSO exists
check_pso_valid(samdb, pso_dn, psoname)
# lookup the user/group by account-name to gets its DN
search_filter = "(sAMAccountName=%s)" % user_or_group
res = samdb.search(samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
expression=search_filter)
if len(res) == 0:
raise CommandError("The specified user or group '%s' was not found"
% user_or_group)
# modify the PSO to apply to the user/group specified
target_dn = str(res[0].dn)
m = ldb.Message()
m.dn = ldb.Dn(samdb, pso_dn)
m["msDS-PSOAppliesTo"] = ldb.MessageElement(target_dn, ldb.FLAG_MOD_ADD,
"msDS-PSOAppliesTo")
try:
samdb.modify(m)
except ldb.LdbError as e:
(num, msg) = e.args
# most likely error - PSO already applies to that user/group
if num == ldb.ERR_ATTRIBUTE_OR_VALUE_EXISTS:
raise CommandError("PSO '%s' already applies to '%s'"
% (psoname, user_or_group))
else:
raise CommandError("Failed to update PSO '%s': %s" %(psoname,
msg))
self.message("PSO '%s' applied to '%s'" %(psoname, user_or_group))
class cmd_domain_pwdsettings_pso_unapply(Command):
"""Updates a PSO to no longer apply to a user or group."""
synopsis = "%prog <psoname> <user-or-group-name> [options]"
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
}
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
]
takes_args = ["psoname", "user_or_group"]
def run(self, psoname, user_or_group, H=None, credopts=None,
sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
pso_dn = "CN=%s,%s" % (psoname, pso_container(samdb))
# sanity-check the PSO exists
check_pso_valid(samdb, pso_dn, psoname)
# lookup the user/group by account-name to gets its DN
search_filter = "(sAMAccountName=%s)" % user_or_group
res = samdb.search(samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
expression=search_filter)
if len(res) == 0:
raise CommandError("The specified user or group '%s' was not found"
% user_or_group)
# modify the PSO to apply to the user/group specified
target_dn = str(res[0].dn)
m = ldb.Message()
m.dn = ldb.Dn(samdb, pso_dn)
m["msDS-PSOAppliesTo"] = ldb.MessageElement(target_dn, ldb.FLAG_MOD_DELETE,
"msDS-PSOAppliesTo")
try:
samdb.modify(m)
except ldb.LdbError as e:
(num, msg) = e.args
# most likely error - PSO doesn't apply to that user/group
if num == ldb.ERR_NO_SUCH_ATTRIBUTE:
raise CommandError("PSO '%s' doesn't apply to '%s'"
% (psoname, user_or_group))
else:
raise CommandError("Failed to update PSO '%s': %s" %(psoname,
msg))
self.message("PSO '%s' no longer applies to '%s'" %(psoname, user_or_group))
class cmd_domain_passwordsettings_pso(SuperCommand):
"""Manage fine-grained Password Settings Objects (PSOs)."""
subcommands = {}
subcommands["apply"] = cmd_domain_pwdsettings_pso_apply()
subcommands["create"] = cmd_domain_pwdsettings_pso_create()
subcommands["delete"] = cmd_domain_pwdsettings_pso_delete()
subcommands["list"] = cmd_domain_pwdsettings_pso_list()
subcommands["set"] = cmd_domain_pwdsettings_pso_set()
subcommands["show"] = cmd_domain_pwdsettings_pso_show()
subcommands["show-user"] = cmd_domain_pwdsettings_pso_show_user()
subcommands["unapply"] = cmd_domain_pwdsettings_pso_unapply()