-#!/usr/bin/env python
-#
# delegation management
#
# Copyright Matthieu Patou mat@samba.org 2010
# Copyright Stefan Metzmacher metze@samba.org 2011
# Copyright Bjoern Baumbach bb@sernet.de 2011
-# Copyright Giampaolo Lauria 2011 <lauria2@yahoo.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
import samba.getopt as options
import ldb
-import re
from samba import provision
from samba import dsdb
from samba.samdb import SamDB
from samba.auth import system_session
+from samba.netcmd.common import _get_user_realm_domain
from samba.netcmd import (
Command,
CommandError,
Option
)
-def _get_user_realm_domain(user):
- """ get the realm or the domain and the base user
- from user like:
- * username
- * DOMAIN\username
- * username@REALM
- """
- baseuser = user
- realm = ""
- domain = ""
- m = re.match(r"(\w+)\\(\w+$)", user)
- if m:
- domain = m.group(1)
- baseuser = m.group(2)
- return (baseuser.lower(), domain.upper(), realm)
- m = re.match(r"(\w+)@(\w+)", user)
- if m:
- baseuser = m.group(1)
- realm = m.group(2)
- return (baseuser.lower(), domain, realm.upper())
class cmd_delegation_show(Command):
"""Show the delegation setting of an account."""
- synopsis = "%prog delegation show <accountname>"
+
+ synopsis = "%prog <accountname> [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
takes_args = ["accountname"]
# TODO once I understand how, use the domain info to naildown
# to the correct domain
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
- print "Searching for: %s" % (cleanedaccount)
- res = sam.search(expression="sAMAccountName=%s" % cleanedaccount,
- scope=ldb.SCOPE_SUBTREE,
- attrs=["userAccountControl", "msDS-AllowedToDelegateTo"])
- if len(res) != 1:
- raise CommandError("Account %s found %d times" % (accountname, len(res)))
+
+ res = sam.search(expression="sAMAccountName=%s" %
+ ldb.binary_encode(cleanedaccount),
+ scope=ldb.SCOPE_SUBTREE,
+ attrs=["userAccountControl", "msDS-AllowedToDelegateTo"])
+ if len(res) == 0:
+ raise CommandError("Unable to find account name '%s'" % accountname)
+ assert(len(res) == 1)
uac = int(res[0].get("userAccountControl")[0])
allowed = res[0].get("msDS-AllowedToDelegateTo")
- print "Account-DN: %s" % str(res[0].dn)
-
- if uac & dsdb.UF_TRUSTED_FOR_DELEGATION:
- print "UF_TRUSTED_FOR_DELEGATION: 1"
- else:
- print "UF_TRUSTED_FOR_DELEGATION: 0"
+ self.outf.write("Account-DN: %s\n" % str(res[0].dn))
+ self.outf.write("UF_TRUSTED_FOR_DELEGATION: %s\n"
+ % bool(uac & dsdb.UF_TRUSTED_FOR_DELEGATION))
+ self.outf.write("UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: %s\n" %
+ bool(uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION))
- if uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
- print "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 1"
- else:
- print "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 0"
-
- if allowed != None:
+ if allowed is not None:
for a in allowed:
- print "msDS-AllowedToDelegateTo: %s" % (str(a))
+ self.outf.write("msDS-AllowedToDelegateTo: %s\n" % a)
+
class cmd_delegation_for_any_service(Command):
"""Set/unset UF_TRUSTED_FOR_DELEGATION for an account."""
- synopsis = "%prog delegation for-any-service <accountname> on|off"
+
+ synopsis = "%prog <accountname> [(on|off)] [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
takes_args = ["accountname", "onoff"]
- def run(self, accountname, onoff, credopts=None, sambaopts=None, versionopts=None):
+ def run(self, accountname, onoff, credopts=None, sambaopts=None,
+ versionopts=None):
on = False
if onoff == "on":
elif onoff == "off":
on = False
else:
- raise CommandError("Invalid argument [%s]" % onoff)
+ raise CommandError("invalid argument: '%s' (choose from 'on', 'off')" % onoff)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
# to the correct domain
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
- search_filter = "sAMAccountName=%s" % cleanedaccount
+ search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
flag = dsdb.UF_TRUSTED_FOR_DELEGATION
try:
- sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True)
+ sam.toggle_userAccountFlags(search_filter, flag,
+ flags_str="Trusted-for-Delegation",
+ on=on, strict=True)
except Exception, err:
raise CommandError(err)
+
class cmd_delegation_for_any_protocol(Command):
"""Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account."""
- synopsis = "%prog delegation for-any-protocol <accountname> on|off"
+
+ synopsis = "%prog <accountname> [(on|off)] [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
takes_args = ["accountname", "onoff"]
- def run(self, accountname, onoff, credopts=None, sambaopts=None, versionopts=None):
+ def run(self, accountname, onoff, credopts=None, sambaopts=None,
+ versionopts=None):
on = False
if onoff == "on":
elif onoff == "off":
on = False
else:
- raise CommandError("Invalid argument [%s]" % onoff)
+ raise CommandError("invalid argument: '%s' (choose from 'on', 'off')" % onoff)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
# to the correct domain
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
- search_filter = "sAMAccountName=%s" % cleanedaccount
+ search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
try:
- sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True)
+ sam.toggle_userAccountFlags(search_filter, flag,
+ flags_str="Trusted-to-Authenticate-for-Delegation",
+ on=on, strict=True)
except Exception, err:
raise CommandError(err)
+
class cmd_delegation_add_service(Command):
- """Add a service principal as msDS-AllowedToDelegateTo"""
- synopsis = "%prog delegation add-service <accountname> <principal>"
+ """Add a service principal as msDS-AllowedToDelegateTo."""
+
+ synopsis = "%prog <accountname> <principal> [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
takes_args = ["accountname", "principal"]
- def run(self, accountname, principal, credopts=None, sambaopts=None, versionopts=None):
+ def run(self, accountname, principal, credopts=None, sambaopts=None,
+ versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
# to the correct domain
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
- res = sam.search(expression="sAMAccountName=%s" % cleanedaccount,
- scope=ldb.SCOPE_SUBTREE,
- attrs=["msDS-AllowedToDelegateTo"])
- if len(res) != 1:
- raise CommandError("Account %s found %d times" % (accountname, len(res)))
+ res = sam.search(expression="sAMAccountName=%s" %
+ ldb.binary_encode(cleanedaccount),
+ scope=ldb.SCOPE_SUBTREE,
+ attrs=["msDS-AllowedToDelegateTo"])
+ if len(res) == 0:
+ raise CommandError("Unable to find account name '%s'" % accountname)
+ assert(len(res) == 1)
msg = ldb.Message()
msg.dn = res[0].dn
msg["msDS-AllowedToDelegateTo"] = ldb.MessageElement([principal],
- ldb.FLAG_MOD_ADD,
- "msDS-AllowedToDelegateTo")
+ ldb.FLAG_MOD_ADD,
+ "msDS-AllowedToDelegateTo")
try:
sam.modify(msg)
except Exception, err:
raise CommandError(err)
+
class cmd_delegation_del_service(Command):
- """Add a service principal as msDS-AllowedToDelegateTo"""
- synopsis = "%prog delegation del-service <accountname> <principal>"
+ """Delete a service principal as msDS-AllowedToDelegateTo."""
+
+ synopsis = "%prog <accountname> <principal> [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
takes_args = ["accountname", "principal"]
- def run(self, accountname, principal, credopts=None, sambaopts=None, versionopts=None):
+ def run(self, accountname, principal, credopts=None, sambaopts=None,
+ versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
# to the correct domain
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
- res = sam.search(expression="sAMAccountName=%s" % cleanedaccount,
- scope=ldb.SCOPE_SUBTREE,
- attrs=["msDS-AllowedToDelegateTo"])
- if len(res) != 1:
- raise CommandError("Account %s found %d times" % (accountname, len(res)))
+ res = sam.search(expression="sAMAccountName=%s" %
+ ldb.binary_encode(cleanedaccount),
+ scope=ldb.SCOPE_SUBTREE,
+ attrs=["msDS-AllowedToDelegateTo"])
+ if len(res) == 0:
+ raise CommandError("Unable to find account name '%s'" % accountname)
+ assert(len(res) == 1)
msg = ldb.Message()
msg.dn = res[0].dn
msg["msDS-AllowedToDelegateTo"] = ldb.MessageElement([principal],
- ldb.FLAG_MOD_DELETE,
- "msDS-AllowedToDelegateTo")
+ ldb.FLAG_MOD_DELETE,
+ "msDS-AllowedToDelegateTo")
try:
sam.modify(msg)
except Exception, err:
raise CommandError(err)
+
class cmd_delegation(SuperCommand):
- """Delegation management [server connection needed]"""
+ """Delegation management."""
subcommands = {}
subcommands["show"] = cmd_delegation_show()