if os.path.isfile(log_file):
self.log = tdb.open(log_file)
else:
- self.log = tdb.Tdb(log_file, 0, tdb.DEFAULT, os.O_CREAT|os.O_RDWR)
+ self.log = tdb.Tdb(log_file, 0, tdb.DEFAULT, os.O_CREAT |os.O_RDWR)
def start(self):
self.log.transaction_start()
raise Exception("Could not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'" % ctx.samname)
if "msDS-krbTgtLink" in res[0] or "serverReferenceBL" in res[0] or "rIDSetReferences" in res[0]:
raise Exception("Account '%s' appears to be an active DC, use 'samba-tool domain join' if you must re-create this account" % ctx.samname)
- if (int(res[0]["userAccountControl"][0]) & (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT|samba.dsdb.UF_SERVER_TRUST_ACCOUNT) == 0):
+ if (int(res[0]["userAccountControl"][0]) & (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT |samba.dsdb.UF_SERVER_TRUST_ACCOUNT) == 0):
raise Exception("Account %s is not a domain member or a bare NT4 BDC, use 'samba-tool domain join' instead'" % ctx.samname)
ctx.promote_from_dn = res[0].dn
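Review bot: The changed `userAccountControl` test gains a space before `|` but none after it (`UF_WORKSTATION_TRUST_ACCOUNT |samba.dsdb.UF_SERVER_TRUST_ACCOUNT`), so as rendered here the operator is still not surrounded by whitespace. The same one-sided spacing appears on the other changed lines of this page, including `lvalue &0xFFFFFFFF, lvalue >>32`. Since this condition decides whether an account may be promoted, I would also make the grouping explicit while touching it: `if (int(res[0]["userAccountControl"][0]) & (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT | samba.dsdb.UF_SERVER_TRUST_ACCOUNT)) == 0:`. Python already evaluates `&` before `==`, so behaviour is unchanged, but readers used to C precedence will misread the current form. The enclosing function starts and ends outside this hunk.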
"nETBIOSName": ctx.domain_name,
"dnsRoot": ctx.dnsdomain,
"trustParent": ctx.parent_partition_dn,
- "systemFlags": str(samba.dsdb.SYSTEM_FLAG_CR_NTDS_NC|samba.dsdb.SYSTEM_FLAG_CR_NTDS_DOMAIN),
+ "systemFlags": str(samba.dsdb.SYSTEM_FLAG_CR_NTDS_NC |samba.dsdb.SYSTEM_FLAG_CR_NTDS_DOMAIN),
"ntSecurityDescriptor": sd_binary,
}
olduac = uac
- uac &= ~(UF_SERVER_TRUST_ACCOUNT|UF_TRUSTED_FOR_DELEGATION|UF_PARTIAL_SECRETS_ACCOUNT)
+ uac &= ~(UF_SERVER_TRUST_ACCOUNT |UF_TRUSTED_FOR_DELEGATION |UF_PARTIAL_SECRETS_ACCOUNT)
uac |= UF_WORKSTATION_TRUST_ACCOUNT
msg = ldb.Message()
def get_gpo_info(samdb, gpo=None, displayname=None, dn=None,
- sd_flags=security.SECINFO_OWNER|security.SECINFO_GROUP|security.SECINFO_DACL|security.SECINFO_SACL):
+ sd_flags=security.SECINFO_OWNER |security.SECINFO_GROUP |security.SECINFO_DACL |security.SECINFO_SACL):
'''Get GPO information using gpo, displayname or dn'''
policies_dn = samdb.get_default_basedn()
continue
try:
- sd_flags = security.SECINFO_OWNER|security.SECINFO_GROUP|security.SECINFO_DACL
+ sd_flags = security.SECINFO_OWNER |security.SECINFO_GROUP |security.SECINFO_DACL
gmsg = self.samdb.search(base=g['dn'], scope=ldb.SCOPE_BASE,
attrs=['name', 'displayName', 'flags',
'nTSecurityDescriptor'],
"objectClass": "user"}
if smartcard_required:
- ldbmessage["userAccountControl"] = str(dsdb.UF_NORMAL_ACCOUNT|dsdb.UF_SMARTCARD_REQUIRED)
+ ldbmessage["userAccountControl"] = str(dsdb.UF_NORMAL_ACCOUNT |dsdb.UF_SMARTCARD_REQUIRED)
setpassword = False
if surname is not None:
next_rid = entry['rid'] + 1
user = s3db.getsampwnam(username)
- acct_type = (user.acct_ctrl & (samr.ACB_NORMAL|samr.ACB_WSTRUST|samr.ACB_SVRTRUST|samr.ACB_DOMTRUST))
+ acct_type = (user.acct_ctrl & (samr.ACB_NORMAL |samr.ACB_WSTRUST |samr.ACB_SVRTRUST |samr.ACB_DOMTRUST))
if acct_type == samr.ACB_SVRTRUST:
logger.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'" % username[:-1])
user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST
logger.warn(" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration." % username)
continue
- elif acct_type == (samr.ACB_NORMAL|samr.ACB_WSTRUST) and username[-1] == '$':
+ elif acct_type == (samr.ACB_NORMAL |samr.ACB_WSTRUST) and username[-1] == '$':
logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username)
user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
- elif acct_type == (samr.ACB_NORMAL|samr.ACB_SVRTRUST) and username[-1] == '$':
+ elif acct_type == (samr.ACB_NORMAL |samr.ACB_SVRTRUST) and username[-1] == '$':
logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member" % username)
user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
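Review bot: The warning in the `samr.ACB_NORMAL |samr.ACB_SVRTRUST` branch says the account "will be marked as ACB_WSTRUST (S), i.e. as a domain member", but the assignment under it only clears `ACB_NORMAL`, so within the visible lines the account keeps `ACB_SVRTRUST`. Either the message should name `ACB_SVRTRUST (S)` and not call the account a domain member, or the code should convert the bit as the earlier BDC demotion branch does: `user.acct_ctrl = (user.acct_ctrl & ~(samr.ACB_NORMAL | samr.ACB_SVRTRUST)) | samr.ACB_WSTRUST`. Which of the two is intended cannot be decided from this hunk, and the loop body continues outside it. Because the log is what an administrator reads to learn which trust type a migrated machine account ended up with, the message and the stored flags should agree.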
"""
lvalue = long(value)
- str = "%d-%d" % (lvalue&0xFFFFFFFF, lvalue>>32)
+ str = "%d-%d" % (lvalue &0xFFFFFFFF, lvalue >>32)
return str
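Review bot: The changed line assigns to a local named `str`, which shadows the builtin for the rest of the function. Returning the expression directly avoids the shadowing and the extra name: `return "%d-%d" % (lvalue & 0xFFFFFFFF, lvalue >> 32)`. The `long(value)` call on the line above exists only in Python 2, so this helper would need `int(value)` to run under Python 3. The function's signature and docstring start outside this hunk.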
m = Message()
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["uac1"] = MessageElement(str(uac|UF_PASSWORD_EXPIRED),
+ m["uac1"] = MessageElement(str(uac |UF_PASSWORD_EXPIRED),
FLAG_MOD_REPLACE,
"userAccountControl")
ldb.modify(m)
m = Message()
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
m["userAccountControl"] = MessageElement(
- str(UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED),
+ str(UF_NORMAL_ACCOUNT |UF_SMARTCARD_REQUIRED),
FLAG_MOD_REPLACE, "userAccountControl")
ldb.modify(m)
self.assertEqual(int(res[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
self.assertEqual(int(res[0]["userAccountControl"][0]),
- UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED)
+ UF_NORMAL_ACCOUNT |UF_SMARTCARD_REQUIRED)
self.assertEqual(int(res[0]["pwdLastSet"][0]), lastset)
lastset1 = int(res[0]["pwdLastSet"][0])
self.assertEqual(int(res[0]["msDS-KeyVersionNumber"][0]), 2)
ldb.add({
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
"objectclass": "user",
- "userAccountControl": str(UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE),
+ "userAccountControl": str(UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE),
})
res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
self.assertEqual(int(res[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
self.assertEqual(int(res[0]["userAccountControl"][0]),
- UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE)
+ UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE)
self.assertEqual(int(res[0]["pwdLastSet"][0]), 0)
self.assertTrue("msDS-KeyVersionNumber" in res[0])
self.assertEqual(int(res[0]["msDS-KeyVersionNumber"][0]), 1)
m = Message()
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
m["userAccountControl"] = MessageElement(
- str(UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_SMARTCARD_REQUIRED),
+ str(UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE |UF_SMARTCARD_REQUIRED),
FLAG_MOD_REPLACE, "userAccountControl")
ldb.modify(m)
self.assertEqual(int(res[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
self.assertEqual(int(res[0]["userAccountControl"][0]),
- UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_SMARTCARD_REQUIRED)
+ UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE |UF_SMARTCARD_REQUIRED)
self.assertEqual(int(res[0]["pwdLastSet"][0]), 0)
self.assertEqual(int(res[0]["msDS-KeyVersionNumber"][0]), 2)
self.assertTrue(len(res[0]["replPropertyMetaData"]) == 1)
m = Message()
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
m["userAccountControl"] = MessageElement(
- str(UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED),
+ str(UF_NORMAL_ACCOUNT |UF_SMARTCARD_REQUIRED),
FLAG_MOD_REPLACE, "userAccountControl")
ldb.modify(m)
self.assertEqual(int(res[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
self.assertEqual(int(res[0]["userAccountControl"][0]),
- UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED)
+ UF_NORMAL_ACCOUNT |UF_SMARTCARD_REQUIRED)
self.assertEqual(int(res[0]["pwdLastSet"][0]), 0)
self.assertEqual(int(res[0]["msDS-KeyVersionNumber"][0]), 2)
self.assertTrue(len(res[0]["replPropertyMetaData"]) == 1)
ldb.add({
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
"objectclass": "user",
- "userAccountControl": str(UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED|UF_ACCOUNTDISABLE),
+ "userAccountControl": str(UF_NORMAL_ACCOUNT |UF_SMARTCARD_REQUIRED |UF_ACCOUNTDISABLE),
})
res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
self.assertEqual(int(res[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
self.assertEqual(int(res[0]["userAccountControl"][0]),
- UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED|UF_ACCOUNTDISABLE)
+ UF_NORMAL_ACCOUNT |UF_SMARTCARD_REQUIRED |UF_ACCOUNTDISABLE)
self.assertEqual(int(res[0]["pwdLastSet"][0]), 0)
self.assertEqual(int(res[0]["msDS-KeyVersionNumber"][0]), 1)
self.assertTrue(len(res[0]["replPropertyMetaData"]) == 1)
m = Message()
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
m["userAccountControl"] = MessageElement(
- str(UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED),
+ str(UF_NORMAL_ACCOUNT |UF_SMARTCARD_REQUIRED),
FLAG_MOD_REPLACE, "userAccountControl")
ldb.modify(m)
self.assertEqual(int(res[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
self.assertEqual(int(res[0]["userAccountControl"][0]),
- UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED)
+ UF_NORMAL_ACCOUNT |UF_SMARTCARD_REQUIRED)
self.assertEqual(int(res[0]["pwdLastSet"][0]), 0)
self.assertEqual(int(res[0]["msDS-KeyVersionNumber"][0]), 1)
self.assertTrue(len(res[0]["replPropertyMetaData"]) == 1)
m = ldb.Message()
m.dn = res[0].dn
- m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT|samba.dsdb.UF_PARTIAL_SECRETS_ACCOUNT),
+ m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT |samba.dsdb.UF_PARTIAL_SECRETS_ACCOUNT),
ldb.FLAG_MOD_REPLACE, "userAccountControl")
try:
self.samdb.modify(m)
m = ldb.Message()
m.dn = res[0].dn
- m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT|samba.dsdb.UF_PARTIAL_SECRETS_ACCOUNT),
+ m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT |samba.dsdb.UF_PARTIAL_SECRETS_ACCOUNT),
ldb.FLAG_MOD_REPLACE, "userAccountControl")
try:
self.samdb.modify(m)
scope=SCOPE_SUBTREE,
attrs=["userAccountControl"])
- self.assertEqual(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD)
+ self.assertEqual(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE |UF_PASSWD_NOTREQD)
m = ldb.Message()
m.dn = res[0].dn
- m["userAccountControl"] = ldb.MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT|UF_TRUSTED_FOR_DELEGATION),
+ m["userAccountControl"] = ldb.MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT |UF_PARTIAL_SECRETS_ACCOUNT |UF_TRUSTED_FOR_DELEGATION),
ldb.FLAG_MOD_REPLACE, "userAccountControl")
try:
self.admin_samdb.modify(m)
m = ldb.Message()
m.dn = res[0].dn
- m["userAccountControl"] = ldb.MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT),
+ m["userAccountControl"] = ldb.MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT |UF_PARTIAL_SECRETS_ACCOUNT),
ldb.FLAG_MOD_REPLACE, "userAccountControl")
self.admin_samdb.modify(m)
scope=SCOPE_SUBTREE,
attrs=["userAccountControl"])
- self.assertEqual(int(res[0]["userAccountControl"][0]), UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT)
+ self.assertEqual(int(res[0]["userAccountControl"][0]), UF_WORKSTATION_TRUST_ACCOUNT |UF_PARTIAL_SECRETS_ACCOUNT)
m = ldb.Message()
m.dn = res[0].dn
m["userAccountControl"] = ldb.MessageElement(str(UF_ACCOUNTDISABLE),
for bit in bits:
m = ldb.Message()
m.dn = res[0].dn
- m["userAccountControl"] = ldb.MessageElement(str(bit|UF_PASSWD_NOTREQD),
+ m["userAccountControl"] = ldb.MessageElement(str(bit |UF_PASSWD_NOTREQD),
ldb.FLAG_MOD_REPLACE, "userAccountControl")
try:
self.samdb.modify(m)
m = ldb.Message()
m.dn = res[0].dn
- m["userAccountControl"] = ldb.MessageElement(str(bit|UF_PASSWD_NOTREQD),
+ m["userAccountControl"] = ldb.MessageElement(str(bit |UF_PASSWD_NOTREQD),
ldb.FLAG_MOD_REPLACE, "userAccountControl")
try:
self.admin_samdb.modify(m)
attrs=["userAccountControl"])
if bit in ignored_bits:
- self.assertEqual(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD, "Bit 0x%08x shouldn't stick" % bit)
+ self.assertEqual(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT |UF_PASSWD_NOTREQD, "Bit 0x%08x shouldn't stick" % bit)
else:
if bit in account_types:
- self.assertEqual(int(res[0]["userAccountControl"][0]), bit|UF_PASSWD_NOTREQD, "Bit 0x%08x didn't stick" % bit)
+ self.assertEqual(int(res[0]["userAccountControl"][0]), bit |UF_PASSWD_NOTREQD, "Bit 0x%08x didn't stick" % bit)
else:
- self.assertEqual(int(res[0]["userAccountControl"][0]), bit|UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD, "Bit 0x%08x didn't stick" % bit)
+ self.assertEqual(int(res[0]["userAccountControl"][0]), bit |UF_NORMAL_ACCOUNT |UF_PASSWD_NOTREQD, "Bit 0x%08x didn't stick" % bit)
try:
m = ldb.Message()
m.dn = res[0].dn
- m["userAccountControl"] = ldb.MessageElement(str(bit|UF_PASSWD_NOTREQD|UF_ACCOUNTDISABLE),
+ m["userAccountControl"] = ldb.MessageElement(str(bit |UF_PASSWD_NOTREQD |UF_ACCOUNTDISABLE),
ldb.FLAG_MOD_REPLACE, "userAccountControl")
self.samdb.modify(m)
if bit in account_types:
self.assertEqual(int(res[0]["userAccountControl"][0]),
- bit|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD,
+ bit |UF_ACCOUNTDISABLE |UF_PASSWD_NOTREQD,
"bit 0X%08x should have been added (0X%08x vs 0X%08x)"
% (bit, int(res[0]["userAccountControl"][0]),
- bit|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD))
+ bit |UF_ACCOUNTDISABLE |UF_PASSWD_NOTREQD))
elif bit in ignored_bits:
self.assertEqual(int(res[0]["userAccountControl"][0]),
- UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD,
+ UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE |UF_PASSWD_NOTREQD,
"bit 0X%08x should have been added (0X%08x vs 0X%08x)"
% (bit, int(res[0]["userAccountControl"][0]),
- UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD))
+ UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE |UF_PASSWD_NOTREQD))
else:
self.assertEqual(int(res[0]["userAccountControl"][0]),
- bit|UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD,
+ bit |UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE |UF_PASSWD_NOTREQD,
"bit 0X%08x should have been added (0X%08x vs 0X%08x)"
% (bit, int(res[0]["userAccountControl"][0]),
- bit|UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD))
+ bit |UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE |UF_PASSWD_NOTREQD))
try:
m = ldb.Message()
m.dn = res[0].dn
- m["userAccountControl"] = ldb.MessageElement(str(UF_PASSWD_NOTREQD|UF_ACCOUNTDISABLE),
+ m["userAccountControl"] = ldb.MessageElement(str(UF_PASSWD_NOTREQD |UF_ACCOUNTDISABLE),
ldb.FLAG_MOD_REPLACE, "userAccountControl")
self.samdb.modify(m)
if bit in priv_to_remove_bits:
if bit in priv_to_remove_bits:
if bit in account_types:
self.assertEqual(int(res[0]["userAccountControl"][0]),
- bit|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD,
+ bit |UF_ACCOUNTDISABLE |UF_PASSWD_NOTREQD,
"bit 0X%08x should not have been removed" % bit)
else:
self.assertEqual(int(res[0]["userAccountControl"][0]),
- bit|UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD,
+ bit |UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE |UF_PASSWD_NOTREQD,
"bit 0X%08x should not have been removed" % bit)
else:
self.assertEqual(int(res[0]["userAccountControl"][0]),
- UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_PASSWD_NOTREQD,
+ UF_NORMAL_ACCOUNT |UF_ACCOUNTDISABLE |UF_PASSWD_NOTREQD,
"bit 0X%08x should have been removed" % bit)
def test_uac_bits_unrelated_modify_normal(self):
computername = self.computernames[0]
self.add_computer_ldap(computername,
- others={"userAccountControl": [str(UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT)]},
+ others={"userAccountControl": [str(UF_WORKSTATION_TRUST_ACCOUNT |UF_PARTIAL_SECRETS_ACCOUNT)]},
samdb=self.admin_samdb)
res = self.admin_samdb.search("%s" % self.base_dn,
expression="(&(objectClass=computer)(samAccountName=%s$))" % computername,