5 # Copyright Matthias Dieter Wallnoefer 2009
6 # Copyright Andrew Kroeger 2009
7 # Copyright Jelmer Vernooij 2009
8 # Copyright Giampaolo Lauria 2011
10 # This program is free software; you can redistribute it and/or modify
11 # it under the terms of the GNU General Public License as published by
12 # the Free Software Foundation; either version 3 of the License, or
13 # (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program. If not, see <http://www.gnu.org/licenses/>.
26 import samba.getopt as options
29 from samba.auth import system_session
30 from samba.samdb import SamDB
31 from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT
32 from samba.netcmd import (
40 class cmd_domain_passwordsettings(Command):
41 """Sets password settings
43 Password complexity, history length, minimum password length, the minimum
44 and maximum password age) on a Samba4 server.
47 synopsis = "%prog domain passwordsettings (show | set <options>)"
49 takes_optiongroups = {
50 "sambaopts": options.SambaOptions,
51 "versionopts": options.VersionOptions,
52 "credopts": options.CredentialsOptions,
56 Option("-H", help="LDB URL for database or target server", type=str),
57 Option("--quiet", help="Be quiet", action="store_true"),
58 Option("--complexity", type="choice", choices=["on","off","default"],
59 help="The password complexity (on | off | default). Default is 'on'"),
60 Option("--store-plaintext", type="choice", choices=["on","off","default"],
61 help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
62 Option("--history-length",
63 help="The password history length (<integer> | default). Default is 24.", type=str),
64 Option("--min-pwd-length",
65 help="The minimum password length (<integer> | default). Default is 7.", type=str),
66 Option("--min-pwd-age",
67 help="The minimum password age (<integer in days> | default). Default is 1.", type=str),
68 Option("--max-pwd-age",
69 help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
72 takes_args = ["subcommand"]
74 def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None,
75 quiet=False, complexity=None, store_plaintext=None, history_length=None,
76 min_pwd_length=None, credopts=None, sambaopts=None,
78 lp = sambaopts.get_loadparm()
79 creds = credopts.get_credentials(lp)
81 samdb = SamDB(url=H, session_info=system_session(),
82 credentials=creds, lp=lp)
84 domain_dn = samdb.domain_dn()
85 res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
86 attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength",
87 "minPwdAge", "maxPwdAge"])
90 pwd_props = int(res[0]["pwdProperties"][0])
91 pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
92 cur_min_pwd_len = int(res[0]["minPwdLength"][0])
94 cur_min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
95 cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
97 raise CommandError("Could not retrieve password properties!", e)
99 if subcommand == "show":
100 self.message("Password informations for domain '%s'" % domain_dn)
102 if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
103 self.message("Password complexity: on")
105 self.message("Password complexity: off")
106 if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0:
107 self.message("Store plaintext passwords: on")
109 self.message("Store plaintext passwords: off")
110 self.message("Password history length: %d" % pwd_hist_len)
111 self.message("Minimum password length: %d" % cur_min_pwd_len)
112 self.message("Minimum password age (days): %d" % cur_min_pwd_age)
113 self.message("Maximum password age (days): %d" % cur_max_pwd_age)
114 elif subcommand == "set":
117 m.dn = ldb.Dn(samdb, domain_dn)
119 if complexity is not None:
120 if complexity == "on" or complexity == "default":
121 pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
122 msgs.append("Password complexity activated!")
123 elif complexity == "off":
124 pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
125 msgs.append("Password complexity deactivated!")
127 if store_plaintext is not None:
128 if store_plaintext == "on" or store_plaintext == "default":
129 pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT
130 msgs.append("Plaintext password storage for changed passwords activated!")
131 elif store_plaintext == "off":
132 pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT)
133 msgs.append("Plaintext password storage for changed passwords deactivated!")
135 if complexity is not None or store_plaintext is not None:
136 m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
137 ldb.FLAG_MOD_REPLACE, "pwdProperties")
139 if history_length is not None:
140 if history_length == "default":
143 pwd_hist_len = int(history_length)
145 if pwd_hist_len < 0 or pwd_hist_len > 24:
146 raise CommandError("Password history length must be in the range of 0 to 24!")
148 m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
149 ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
150 msgs.append("Password history length changed!")
152 if min_pwd_length is not None:
153 if min_pwd_length == "default":
156 min_pwd_len = int(min_pwd_length)
158 if min_pwd_len < 0 or min_pwd_len > 14:
159 raise CommandError("Minimum password length must be in the range of 0 to 14!")
161 m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
162 ldb.FLAG_MOD_REPLACE, "minPwdLength")
163 msgs.append("Minimum password length changed!")
165 if min_pwd_age is not None:
166 if min_pwd_age == "default":
169 min_pwd_age = int(min_pwd_age)
171 if min_pwd_age < 0 or min_pwd_age > 998:
172 raise CommandError("Minimum password age must be in the range of 0 to 998!")
175 min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
177 m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
178 ldb.FLAG_MOD_REPLACE, "minPwdAge")
179 msgs.append("Minimum password age changed!")
181 if max_pwd_age is not None:
182 if max_pwd_age == "default":
185 max_pwd_age = int(max_pwd_age)
187 if max_pwd_age < 0 or max_pwd_age > 999:
188 raise CommandError("Maximum password age must be in the range of 0 to 999!")
191 max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
193 m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
194 ldb.FLAG_MOD_REPLACE, "maxPwdAge")
195 msgs.append("Maximum password age changed!")
197 if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
198 raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
201 msgs.append("All changes applied successfully!")
202 self.message("\n".join(msgs))
204 raise CommandError("Wrong argument '%s'!" % subcommand)
208 class cmd_domain(SuperCommand):
209 """Domain management"""
212 subcommands["passwordsettings"] = cmd_domain_passwordsettings()