#!/usr/bin/python
# Unix SMB/CIFS implementation.
-# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
+# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
#
# Based on the original in EJS:
-# Copyright (C) Andrew Tridgell 2005
+# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+"""Convenience functions for using the SAM."""
+
import samba
-import misc
+import glue
import ldb
+from samba.idmap import IDmapDB
+import pwd
+import time
+import base64
+
+__docformat__ = "restructuredText"
class SamDB(samba.Ldb):
- def __init__(self, url=None, session_info=None, credentials=None,
- modules_dir=None, lp=None):
- super(SamDB, self).__init__(session_info=session_info, credentials=credentials,
- modules_dir=modules_dir, lp=lp)
- misc.dsdb_set_global_schema(self)
- misc.ldb_register_samba_handlers(self)
- if url:
- self.connect(url)
-
- def add_foreign(self, domaindn, sid, desc):
- """Add a foreign security principle."""
- add = """
-dn: CN=%s,CN=ForeignSecurityPrincipals,%s
-objectClass: top
-objectClass: foreignSecurityPrincipal
-description: %s
- """ % (sid, domaindn, desc)
- # deliberately ignore errors from this, as the records may
- # already exist
- for msg in self.parse_ldif(add):
- self.add(msg[1])
-
- def setup_name_mapping(self, domaindn, sid, unixname):
- """Setup a mapping between a sam name and a unix name."""
- res = self.search(ldb.Dn(self, domaindn), ldb.SCOPE_SUBTREE,
- "objectSid=%s" % sid, ["dn"])
- assert len(res) == 1, "Failed to find record for objectSid %s" % sid
+ """The SAM database."""
- mod = """
-dn: %s
-changetype: modify
-replace: unixName
-unixName: %s
-""" % (res[0].dn, unixname)
- self.modify(self.parse_ldif(mod).next()[1])
+ def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
+ credentials=None, flags=0, options=None):
+ """Opens the Sam Database.
+ For parameter meanings see the super class (samba.Ldb)
+ """
+
+ self.lp = lp
+ if url is None:
+ url = lp.get("sam database")
+
+ super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
+ session_info=session_info, credentials=credentials, flags=flags,
+ options=options)
+
+ glue.dsdb_set_global_schema(self)
+
+ def connect(self, url=None, flags=0, options=None):
+ super(SamDB, self).connect(url=self.lp.private_path(url), flags=flags,
+ options=options)
def enable_account(self, user_dn):
- """enable the account.
+ """Enable an account.
:param user_dn: Dn of the account to enable.
"""
- res = self.search(user_dn, SCOPE_ONELEVEL, None, ["userAccountControl"])
+ res = self.search(user_dn, ldb.SCOPE_BASE, None, ["userAccountControl"])
assert len(res) == 1
- userAccountControl = res[0].userAccountControl
- userAccountControl = userAccountControl - 2 # remove disabled bit
+ userAccountControl = int(res[0]["userAccountControl"][0])
+ if (userAccountControl & 0x2):
+ userAccountControl = userAccountControl & ~0x2 # remove disabled bit
+ if (userAccountControl & 0x20):
+ userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
+
mod = """
dn: %s
changetype: modify
replace: userAccountControl
userAccountControl: %u
""" % (user_dn, userAccountControl)
- self.modify(mod)
+ self.modify_ldif(mod)
+
+ def force_password_change_at_next_login(self, user_dn):
+ """Force a password change at next login
+
+ :param user_dn: Dn of the account to force password change on
+ """
+ mod = """
+dn: %s
+changetype: modify
+replace: pwdLastSet
+pwdLastSet: 0
+""" % (user_dn)
+ self.modify_ldif(mod)
+
+ def domain_dn(self):
+ # find the DNs for the domain
+ res = self.search(base="",
+ scope=ldb.SCOPE_BASE,
+ expression="(defaultNamingContext=*)",
+ attrs=["defaultNamingContext"])
+ assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
+ return res[0]["defaultNamingContext"][0]
+
+ def newuser(self, username, unixname, password, force_password_change_at_next_login=False):
+ """add a new user record.
+
+ :param username: Name of the new user.
+ :param unixname: Name of the unix user to map to.
+ :param password: Password for the new user
+ """
+ # connect to the sam
+ self.transaction_start()
+ try:
+ user_dn = "CN=%s,CN=Users,%s" % (username, self.domain_dn())
+
+ #
+ # the new user record. note the reliance on the samdb module to
+ # fill in a sid, guid etc
+ #
+ # now the real work
+ self.add({"dn": user_dn,
+ "sAMAccountName": username,
+ "userPassword": password,
+ "objectClass": "user"})
+
+ res = self.search(user_dn, scope=ldb.SCOPE_BASE,
+ expression="objectclass=*",
+ attrs=["objectSid"])
+ assert len(res) == 1
+ user_sid = self.schema_format_value("objectSid", res[0]["objectSid"][0])
+
+ try:
+ idmap = IDmapDB(lp=self.lp)
+
+ user = pwd.getpwnam(unixname)
+ # setup ID mapping for this UID
+
+ idmap.setup_name_mapping(user_sid, idmap.TYPE_UID, user[2])
+
+ except KeyError:
+ pass
+
+ if force_password_change_at_next_login:
+ self.force_password_change_at_next_login(user_dn)
+
+ # modify the userAccountControl to remove the disabled bit
+ self.enable_account(user_dn)
+ except:
+ self.transaction_cancel()
+ raise
+ self.transaction_commit()
- def newuser(self, username, unixname, password, message):
- """add a new user record"""
+ def setpassword(self, filter, password, force_password_change_at_next_login=False):
+ """Set a password on a user record
+
+ :param filter: LDAP filter to find the user (eg samccountname=name)
+ :param password: Password for the user
+ """
# connect to the sam
self.transaction_start()
+ try:
+ res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
+ expression=filter, attrs=[])
+ assert(len(res) == 1)
+ user_dn = res[0].dn
- # find the DNs for the domain and the domain users group
- res = self.search("", SCOPE_BASE, "defaultNamingContext=*",
- ["defaultNamingContext"])
- assert(len(res) == 1 and res[0].defaultNamingContext is not None)
- domain_dn = res[0].defaultNamingContext
- assert(domain_dn is not None)
- dom_users = searchone(self, domain_dn, "name=Domain Users", "dn")
- assert(dom_users is not None)
-
- user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn)
-
- #
- # the new user record. note the reliance on the samdb module to fill
- # in a sid, guid etc
- #
- ldif = """
-dn: %s
-sAMAccountName: %s
-unixName: %s
-sambaPassword: %s
-objectClass: user
- """ % (user_dn, username, unixname, password)
- # add the user to the users group as well
- modgroup = """
-dn: %s
-changetype: modify
-add: member
-member: %s
-""" % (dom_users, user_dn)
+ mod = ldb.Message()
+ mod.dn = user_dn
+ glue.samdb_set_password(samdb=self, user_dn=str(user_dn),
+ dom_dn=self.domain_dn(), mod=mod, new_password=password,
+ user_change=True)
- # now the real work
- message("Adding user %s" % user_dn)
- self.add(ldif)
+ self.modify(mod)
- message("Modifying group %s" % dom_users)
- self.modify(modgroup)
+ if force_password_change_at_next_login:
+ self.force_password_change_at_next_login(user_dn)
- # modify the userAccountControl to remove the disabled bit
- enable_account(self, user_dn)
+ # modify the userAccountControl to remove the disabled bit
+ self.enable_account(user_dn)
+ except:
+ self.transaction_cancel()
+ raise
self.transaction_commit()
- def set_domain_sid(self, sid):
- misc.samdb_set_domain_sid(self, sid)
+ def setexpiry(self, user, expiry_seconds, noexpiry):
+ """Set the account expiry for a user
+
+ :param expiry_seconds: expiry time from now in seconds
+ :param noexpiry: if set, then don't expire password
+ """
+ self.transaction_start()
+ try:
+ res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
+ expression=("(samAccountName=%s)" % user),
+ attrs=["userAccountControl", "accountExpires"])
+ assert len(res) == 1
+ userAccountControl = int(res[0]["userAccountControl"][0])
+ accountExpires = int(res[0]["accountExpires"][0])
+ if noexpiry:
+ userAccountControl = userAccountControl | 0x10000
+ accountExpires = 0
+ else:
+ userAccountControl = userAccountControl & ~0x10000
+ accountExpires = glue.unix2nttime(expiry_seconds + int(time.time()))
+
+ mod = """
+dn: %s
+changetype: modify
+replace: userAccountControl
+userAccountControl: %u
+replace: accountExpires
+accountExpires: %u
+""" % (res[0].dn, userAccountControl, accountExpires)
+ # now change the database
+ self.modify_ldif(mod)
+ except:
+ self.transaction_cancel()
+ raise
+ self.transaction_commit();
- def attach_schema_from_ldif(self, pf, df):
- misc.dsdb_attach_schema_from_ldif_file(self, pf, df)