sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-08 04:58:40 +03:00
Code

s4/net: Make pwsettings a net subcommand.

Browse Source
This commit is contained in:
Jelmer Vernooij 2009-12-28 16:04:19 +01:00 committed by Jelmer Vernooij
parent 8c19cd2dea
commit eaf4a9afb2
2 changed files with 187 additions and 198 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

187
source4/scripting/python/samba/netcmd/pwsettings.py Executable file
View File

@ -0,0 +1,187 @@
#!/usr/bin/python
#
# Sets password settings.
# (Password complexity, history length, minimum password length, the minimum
# and maximum password age) on a Samba4 server
#
# Copyright Matthias Dieter Wallnoefer 2009
# Copyright Andrew Kroeger 2009
# Copyright Jelmer Vernooij 2009
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import samba.getopt as options
import optparse
import ldb
from samba.auth import system_session
from samba.samdb import SamDB
from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
from samba.netcmd import Command, CommandError, Option
class cmd_pwsettings(Command):
"""Sets password settings.
Password complexity, history length, minimum password length, the minimum
and maximum password age) on a Samba4 server.
"""
synopsis = "(show | set <options>)"
takes_optiongroups = [
options.SambaOptions,
options.VersionOptions,
options.CredentialsOptions,
]
takes_options = [
Option("-H", help="LDB URL for database or target server", type=str),
Option("--quiet", help="Be quiet", action="store_true"),
Option("--complexity", type="choice", choices=["on","off","default"],
help="The password complexity (on | off | default). Default is 'on'"),
Option("--history-length",
help="The password history length (<integer> | default). Default is 24.", type=str),
Option("--min-pwd-length",
help="The minimum password length (<integer> | default). Default is 7.", type=str),
Option("--min-pwd-age",
help="The minimum password age (<integer in days> | default). Default is 0.", type=str),
Option("--max-pwd-age",
help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
]
def run(self, H=None, min_pwd_age=None, max_pwd_age=None, quiet=False,
complexity=None, history_length=None, min_pwd_length=None,
username=None, simple_bind_dn=None, no_pass=None, workgroup=None,
kerberos=None, configfile=None, password=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
if H is not None:
url = H
else:
url = lp.get("sam database")
samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
domain_dn = SamDB.domain_dn(samdb)
res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", "minPwdAge",
"maxPwdAge"])
assert(len(res) == 1)
try:
pwd_props = int(res[0]["pwdProperties"][0])
pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
min_pwd_len = int(res[0]["minPwdLength"][0])
# ticks -> days
min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
except KeyError:
raise CommandError("Could not retrieve password properties!")
if args[0] == "show":
self.message("Password informations for domain '%s'" % domain_dn)
self.message("")
if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
self.message("Password complexity: on")
else:
self.message("Password complexity: off")
self.message("Password history length: %d" % pwd_hist_len)
self.message("Minimum password length: %d" % min_pwd_len)
self.message("Minimum password age (days): %d" % min_pwd_age)
self.message("Maximum password age (days): %d" % max_pwd_age)
elif args[0] == "set":
msgs = []
m = ldb.Message()
m.dn = ldb.Dn(samdb, domain_dn)
if complexity is not None:
if complexity == "on" or complexity == "default":
pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
msgs.append("Password complexity activated!")
elif complexity == "off":
pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
msgs.append("Password complexity deactivated!")
m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
ldb.FLAG_MOD_REPLACE, "pwdProperties")
if history_length is not None:
if history_length == "default":
pwd_hist_len = 24
else:
pwd_hist_len = int(history_length)
if pwd_hist_len < 0 or pwd_hist_len > 24:
raise CommandError("Password history length must be in the range of 0 to 24!")
m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
msgs.append("Password history length changed!")
if min_pwd_length is not None:
if min_pwd_length == "default":
min_pwd_len = 7
else:
min_pwd_len = int(min_pwd_length)
if min_pwd_len < 0 or min_pwd_len > 14:
raise CommandError("Minimum password length must be in the range of 0 to 14!")
m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
ldb.FLAG_MOD_REPLACE, "minPwdLength")
msgs.append("Minimum password length changed!")
if min_pwd_age is not None:
if min_pwd_age == "default":
min_pwd_age = 0
else:
min_pwd_age = int(min_pwd_age)
if min_pwd_age < 0 or min_pwd_age > 998:
raise CommandError("Minimum password age must be in the range of 0 to 998!")
# days -> ticks
min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
ldb.FLAG_MOD_REPLACE, "minPwdAge")
msgs.append("Minimum password age changed!")
if max_pwd_age is not None:
if max_pwd_age == "default":
max_pwd_age = 43
else:
max_pwd_age = int(max_pwd_age)
if max_pwd_age < 0 or max_pwd_age > 999:
raise CommandError("Maximum password age must be in the range of 0 to 999!")
# days -> ticks
max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
ldb.FLAG_MOD_REPLACE, "maxPwdAge")
msgs.append("Maximum password age changed!")
if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
samdb.modify(m)
msgs.append("All changes applied successfully!")
self.message("\n".join(msgs))
else:
raise CommandError("Wrong argument '" + args[0] + "'!")

198
source4/setup/pwsettings
View File

@ -1,198 +0,0 @@
#!/usr/bin/python
#
# Sets password settings (Password complexity, history length, minimum password
# length, the minimum and maximum password age) on a Samba4 server
#
# Copyright Matthias Dieter Wallnoefer 2009
# Copyright Andrew Kroeger 2009
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
# Find right directory when running from source tree
sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
import ldb
from samba.auth import system_session
from samba.samdb import SamDB
from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
parser = optparse.OptionParser("pwsettings (show | set <options>)")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("-H", help="LDB URL for database or target server", type=str)
parser.add_option("--quiet", help="Be quiet", action="store_true")
parser.add_option("--complexity", type="choice", choices=["on","off","default"],
help="The password complexity (on | off | default). Default is 'on'")
parser.add_option("--history-length",
help="The password history length (<integer> | default). Default is 24.", type=str)
parser.add_option("--min-pwd-length",
help="The minimum password length (<integer> | default). Default is 7.", type=str)
parser.add_option("--min-pwd-age",
help="The minimum password age (<integer in days> | default). Default is 0.", type=str)
parser.add_option("--max-pwd-age",
help="The maximum password age (<integer in days> | default). Default is 43.", type=str)
opts, args = parser.parse_args()
#
# print a message if quiet is not set
#
def message(text):
if not opts.quiet:
print text
if len(args) == 0:
parser.print_usage()
sys.exit(1)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
if opts.H is not None:
url = opts.H
else:
url = lp.get("sam database")
samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
domain_dn = SamDB.domain_dn(samdb)
res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", "minPwdAge",
"maxPwdAge"])
assert(len(res) == 1)
try:
pwd_props = int(res[0]["pwdProperties"][0])
pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
min_pwd_len = int(res[0]["minPwdLength"][0])
# ticks -> days
min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
except KeyError:
print >>sys.stderr, "ERROR: Could not retrieve password properties!"
if args[0] == "show":
print >>sys.stderr, "So no settings can be displayed!"
sys.exit(1)
if args[0] == "show":
message("Password informations for domain '" + domain_dn + "'")
message("")
if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
message("Password complexity: on")
else:
message("Password complexity: off")
message("Password history length: " + str(pwd_hist_len))
message("Minimum password length: " + str(min_pwd_len))
message("Minimum password age (days): " + str(min_pwd_age))
message("Maximum password age (days): " + str(max_pwd_age))
elif args[0] == "set":
msgs = []
m = ldb.Message()
m.dn = ldb.Dn(samdb, domain_dn)
if opts.complexity is not None:
if opts.complexity == "on" or opts.complexity == "default":
pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
msgs.append("Password complexity activated!")
elif opts.complexity == "off":
pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
msgs.append("Password complexity deactivated!")
m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
ldb.FLAG_MOD_REPLACE, "pwdProperties")
if opts.history_length is not None:
if opts.history_length == "default":
pwd_hist_len = 24
else:
pwd_hist_len = int(opts.history_length)
if pwd_hist_len < 0 or pwd_hist_len > 24:
print >>sys.stderr, "ERROR: Password history length must be in the range of 0 to 24!"
sys.exit(1)
m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
msgs.append("Password history length changed!")
if opts.min_pwd_length is not None:
if opts.min_pwd_length == "default":
min_pwd_len = 7
else:
min_pwd_len = int(opts.min_pwd_length)
if min_pwd_len < 0 or min_pwd_len > 14:
print >>sys.stderr, "ERROR: Minimum password length must be in the range of 0 to 14!"
sys.exit(1)
m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
ldb.FLAG_MOD_REPLACE, "minPwdLength")
msgs.append("Minimum password length changed!")
if opts.min_pwd_age is not None:
if opts.min_pwd_age == "default":
min_pwd_age = 0
else:
min_pwd_age = int(opts.min_pwd_age)
if min_pwd_age < 0 or min_pwd_age > 998:
print >>sys.stderr, "ERROR: Minimum password age must be in the range of 0 to 998!"
sys.exit(1)
# days -> ticks
min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
ldb.FLAG_MOD_REPLACE, "minPwdAge")
msgs.append("Minimum password age changed!")
if opts.max_pwd_age is not None:
if opts.max_pwd_age == "default":
max_pwd_age = 43
else:
max_pwd_age = int(opts.max_pwd_age)
if max_pwd_age < 0 or max_pwd_age > 999:
print >>sys.stderr, "ERROR: Maximum password age must be in the range of 0 to 999!"
sys.exit(1)
# days -> ticks
max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
ldb.FLAG_MOD_REPLACE, "maxPwdAge")
msgs.append("Maximum password age changed!")
if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
print "ERROR: Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age)
sys.exit(1)
samdb.modify(m)
msgs.append("All changes applied successfully!")
message("\n".join(msgs))
else:
print >>sys.stderr, "ERROR: Wrong argument '" + args[0] + "'!"
sys.exit(1)