1 # gp_sec_ext kdc gpo policy
2 # Copyright (C) Luke Morrison <luc785@.hotmail.com> 2013
3 # Copyright (C) David Mulder <dmulder@suse.com> 2018
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 from samba.gpclass import gp_ext_setter, gp_inf_ext
22 class inf_to_kdc_tdb(gp_ext_setter):
23 def mins_to_hours(self):
24 return '%d' % (int(self.val) / 60)
26 def days_to_hours(self):
27 return '%d' % (int(self.val) * 24)
29 def set_kdc_tdb(self, val):
30 old_val = self.gp_db.gpostore.get(self.attribute)
31 self.logger.info('%s was changed from %s to %s' % (self.attribute,
34 self.gp_db.gpostore.store(self.attribute, val)
35 self.gp_db.store(str(self), self.attribute, old_val)
37 self.gp_db.gpostore.delete(self.attribute)
38 self.gp_db.delete(str(self), self.attribute)
41 return {'kdc:user_ticket_lifetime': (self.set_kdc_tdb, self.explicit),
42 'kdc:service_ticket_lifetime': (self.set_kdc_tdb,
44 'kdc:renewal_lifetime': (self.set_kdc_tdb,
49 return 'Kerberos Policy'
52 class inf_to_ldb(gp_ext_setter):
53 '''This class takes the .inf file parameter (essentially a GPO file mapped
54 to a GUID), hashmaps it to the Samba parameter, which then uses an ldb
55 object to update the parameter to Samba4. Not registry oriented whatsoever.
58 def ch_minPwdAge(self, val):
59 old_val = self.ldb.get_minPwdAge()
60 self.logger.info('KDC Minimum Password age was changed from %s to %s' \
62 self.gp_db.store(str(self), self.attribute, str(old_val))
63 self.ldb.set_minPwdAge(val)
65 def ch_maxPwdAge(self, val):
66 old_val = self.ldb.get_maxPwdAge()
67 self.logger.info('KDC Maximum Password age was changed from %s to %s' \
69 self.gp_db.store(str(self), self.attribute, str(old_val))
70 self.ldb.set_maxPwdAge(val)
72 def ch_minPwdLength(self, val):
73 old_val = self.ldb.get_minPwdLength()
75 'KDC Minimum Password length was changed from %s to %s' \
77 self.gp_db.store(str(self), self.attribute, str(old_val))
78 self.ldb.set_minPwdLength(val)
80 def ch_pwdProperties(self, val):
81 old_val = self.ldb.get_pwdProperties()
82 self.logger.info('KDC Password Properties were changed from %s to %s' \
84 self.gp_db.store(str(self), self.attribute, str(old_val))
85 self.ldb.set_pwdProperties(val)
87 def days2rel_nttime(self):
94 return str(-(val * seconds * minutes * hours * sam_add))
97 '''ldap value : samba setter'''
98 return {"minPwdAge": (self.ch_minPwdAge, self.days2rel_nttime),
99 "maxPwdAge": (self.ch_maxPwdAge, self.days2rel_nttime),
100 # Could be none, but I like the method assignment in
102 "minPwdLength": (self.ch_minPwdLength, self.explicit),
103 "pwdProperties": (self.ch_pwdProperties, self.explicit),
108 return 'System Access'
111 class gp_sec_ext(gp_inf_ext):
112 '''This class does the following two things:
113 1) Identifies the GPO if it has a certain kind of filepath,
114 2) Finally parses it.
120 return "Security GPO extension"
122 def list(self, rootpath):
123 return os.path.join(rootpath,
124 "MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf")
126 def listmachpol(self, rootpath):
127 return os.path.join(rootpath, "Machine/Registry.pol")
129 def listuserpol(self, rootpath):
130 return os.path.join(rootpath, "User/Registry.pol")
133 return {"System Access": {"MinimumPasswordAge": ("minPwdAge",
135 "MaximumPasswordAge": ("maxPwdAge",
137 "MinimumPasswordLength": ("minPwdLength",
139 "PasswordComplexity": ("pwdProperties",
142 "Kerberos Policy": {"MaxTicketAge": (
143 "kdc:user_ticket_lifetime",
147 "kdc:service_ticket_lifetime",
151 "kdc:renewal_lifetime",