1 # gp_sec_ext kdc gpo policy
2 # Copyright (C) Luke Morrison <luc785@.hotmail.com> 2013
3 # Copyright (C) David Mulder <dmulder@suse.com> 2018
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 from samba.gpclass import gp_ext_setter, gp_inf_ext
20 from samba.auth import system_session
22 from ldb import LdbError
23 from samba.samdb import SamDB
28 class inf_to_kdc_tdb(gp_ext_setter):
29 def mins_to_hours(self):
30 return '%d' % (int(self.val) / 60)
32 def days_to_hours(self):
33 return '%d' % (int(self.val) * 24)
35 def set_kdc_tdb(self, val):
36 old_val = self.gp_db.gpostore.get(self.attribute)
37 self.logger.info('%s was changed from %s to %s' % (self.attribute,
40 self.gp_db.gpostore.store(self.attribute, val)
41 self.gp_db.store(str(self), self.attribute, old_val)
43 self.gp_db.gpostore.delete(self.attribute)
44 self.gp_db.delete(str(self), self.attribute)
47 return {'kdc:user_ticket_lifetime': (self.set_kdc_tdb, self.explicit),
48 'kdc:service_ticket_lifetime': (self.set_kdc_tdb,
50 'kdc:renewal_lifetime': (self.set_kdc_tdb,
55 return 'Kerberos Policy'
58 class inf_to_ldb(gp_ext_setter):
59 '''This class takes the .inf file parameter (essentially a GPO file mapped
60 to a GUID), hashmaps it to the Samba parameter, which then uses an ldb
61 object to update the parameter to Samba4. Not registry oriented whatsoever.
64 def __init__(self, logger, gp_db, lp, creds, key, value):
65 super(inf_to_ldb, self).__init__(logger, gp_db, lp, creds, key, value)
67 self.ldb = SamDB(self.lp.samdb_url(),
68 session_info=system_session(),
69 credentials=self.creds,
71 except (NameError, LdbError):
72 raise Exception('Failed to load SamDB for assigning Group Policy')
74 def ch_minPwdAge(self, val):
75 old_val = self.ldb.get_minPwdAge()
76 self.logger.info('KDC Minimum Password age was changed from %s to %s'
78 self.gp_db.store(str(self), self.attribute, str(old_val))
79 self.ldb.set_minPwdAge(val)
81 def ch_maxPwdAge(self, val):
82 old_val = self.ldb.get_maxPwdAge()
83 self.logger.info('KDC Maximum Password age was changed from %s to %s'
85 self.gp_db.store(str(self), self.attribute, str(old_val))
86 self.ldb.set_maxPwdAge(val)
88 def ch_minPwdLength(self, val):
89 old_val = self.ldb.get_minPwdLength()
91 'KDC Minimum Password length was changed from %s to %s'
93 self.gp_db.store(str(self), self.attribute, str(old_val))
94 self.ldb.set_minPwdLength(val)
96 def ch_pwdProperties(self, val):
97 old_val = self.ldb.get_pwdProperties()
98 self.logger.info('KDC Password Properties were changed from %s to %s'
100 self.gp_db.store(str(self), self.attribute, str(old_val))
101 self.ldb.set_pwdProperties(val)
103 def days2rel_nttime(self):
110 return str(-(val * seconds * minutes * hours * sam_add))
113 '''ldap value : samba setter'''
114 return {"minPwdAge": (self.ch_minPwdAge, self.days2rel_nttime),
115 "maxPwdAge": (self.ch_maxPwdAge, self.days2rel_nttime),
116 # Could be none, but I like the method assignment in
118 "minPwdLength": (self.ch_minPwdLength, self.explicit),
119 "pwdProperties": (self.ch_pwdProperties, self.explicit),
124 return 'System Access'
127 class gp_sec_ext(gp_inf_ext):
128 '''This class does the following two things:
129 1) Identifies the GPO if it has a certain kind of filepath,
130 2) Finally parses it.
136 return "Security GPO extension"
139 return {"System Access": {"MinimumPasswordAge": ("minPwdAge",
141 "MaximumPasswordAge": ("maxPwdAge",
143 "MinimumPasswordLength": ("minPwdLength",
145 "PasswordComplexity": ("pwdProperties",
148 "Kerberos Policy": {"MaxTicketAge": (
149 "kdc:user_ticket_lifetime",
153 "kdc:service_ticket_lifetime",
157 "kdc:renewal_lifetime",
163 def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
164 if self.lp.get('server role') != 'active directory domain controller':
166 inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
167 apply_map = self.apply_map()
168 for gpo in deleted_gpo_list:
169 self.gp_db.set_guid(gpo[0])
170 for section in gpo[1].keys():
171 current_section = apply_map.get(section)
172 if not current_section:
174 for key, value in gpo[1][section].items():
176 for _, tup in current_section.items():
180 value = value.encode('ascii', 'ignore') \
182 setter(self.logger, self.gp_db, self.lp, self.creds,
184 self.gp_db.delete(section, key)
187 for gpo in changed_gpo_list:
188 if gpo.file_sys_path:
189 self.gp_db.set_guid(gpo.name)
190 path = os.path.join(gpo.file_sys_path, inf_file)
191 inf_conf = self.parse(path)
194 for section in inf_conf.sections():
195 current_section = apply_map.get(section)
196 if not current_section:
198 for key, value in inf_conf.items(section):
199 if current_section.get(key):
200 (att, setter) = current_section.get(key)
201 value = value.encode('ascii', 'ignore')
202 setter(self.logger, self.gp_db, self.lp,
203 self.creds, att, value).update_samba()