PEP8: fix E302: expected 2 blank lines, found 1
1 # gp_sec_ext kdc gpo policy
2 # Copyright (C) Luke Morrison <luc785@.hotmail.com> 2013
3 # Copyright (C) David Mulder <dmulder@suse.com> 2018
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
17
18 import os.path
19 from samba.gpclass import gp_ext_setter, gp_inf_ext
20
21
class inf_to_kdc_tdb(gp_ext_setter):
    '''Setter for the "Kerberos Policy" settings of a security GPO.

    mapper() pairs each kdc:* key with set_kdc_tdb() and with the method
    that converts self.val into the unit stored under that key.
    '''

    def mins_to_hours(self):
        '''Return self.val, read as minutes, as a whole-hour string.'''
        # NOTE(review): int() raises ValueError when the policy value is not
        # numeric, and on Python 3 "/" is float division that '%d' then
        # truncates; confirm the caller copes with malformed values.
        minutes = int(self.val)
        return '%d' % (minutes / 60)

    def days_to_hours(self):
        '''Return self.val, read as days, as an hour-count string.'''
        days = int(self.val)
        return '%d' % (days * 24)

    def set_kdc_tdb(self, val):
        '''Store val under self.attribute, or delete the key if val is None.

        The value currently held in the GPO store is logged first. On a
        store it is also handed to self.gp_db.store(), presumably so the
        change can be undone later (confirm against gpclass).
        '''
        previous = self.gp_db.gpostore.get(self.attribute)
        message = '%s was changed from %s to %s' % (self.attribute,
                                                    previous, val)
        self.logger.info(message)
        if val is None:
            # No value in the policy: drop the key and its saved record.
            self.gp_db.gpostore.delete(self.attribute)
            self.gp_db.delete(str(self), self.attribute)
            return
        self.gp_db.gpostore.store(self.attribute, val)
        self.gp_db.store(str(self), self.attribute, previous)

    def mapper(self):
        '''Map each KDC key to its (setter, value converter) pair.'''
        setter = self.set_kdc_tdb
        return {
            'kdc:user_ticket_lifetime': (setter, self.explicit),
            'kdc:service_ticket_lifetime': (setter, self.mins_to_hours),
            'kdc:renewal_lifetime': (setter, self.days_to_hours),
        }

    def __str__(self):
        '''Return the .inf section name this setter handles.'''
        return 'Kerberos Policy'
50
51
class inf_to_ldb(gp_ext_setter):
    '''Setter for the "System Access" settings of a security GPO.

    Takes a parameter from the .inf file (essentially a GPO file mapped to a
    GUID), maps it to the matching Samba parameter and updates that
    parameter through the ldb object. Nothing here touches the registry.
    '''

    def ch_minPwdAge(self, val):
        '''Set minPwdAge to val after logging and saving the old value.'''
        previous = self.ldb.get_minPwdAge()
        self.logger.info(
            'KDC Minimum Password age was changed from %s to %s'
            % (previous, val))
        # The old value is saved before the directory is modified.
        self.gp_db.store(str(self), self.attribute, str(previous))
        self.ldb.set_minPwdAge(val)

    def ch_maxPwdAge(self, val):
        '''Set maxPwdAge to val after logging and saving the old value.'''
        previous = self.ldb.get_maxPwdAge()
        self.logger.info(
            'KDC Maximum Password age was changed from %s to %s'
            % (previous, val))
        self.gp_db.store(str(self), self.attribute, str(previous))
        self.ldb.set_maxPwdAge(val)

    def ch_minPwdLength(self, val):
        '''Set minPwdLength to val after logging and saving the old value.'''
        previous = self.ldb.get_minPwdLength()
        self.logger.info(
            'KDC Minimum Password length was changed from %s to %s'
            % (previous, val))
        self.gp_db.store(str(self), self.attribute, str(previous))
        self.ldb.set_minPwdLength(val)

    def ch_pwdProperties(self, val):
        '''Set pwdProperties to val after logging and saving the old value.'''
        # NOTE(review): in Active Directory pwdProperties is a bit field,
        # and the value arriving here originates from the single
        # PasswordComplexity setting (see gp_sec_ext.apply_map). It is
        # passed to set_pwdProperties() as given, so the other flag bits
        # are presumably overwritten; confirm that is intended.
        previous = self.ldb.get_pwdProperties()
        self.logger.info(
            'KDC Password Properties were changed from %s to %s'
            % (previous, val))
        self.gp_db.store(str(self), self.attribute, str(previous))
        self.ldb.set_pwdProperties(val)

    def days2rel_nttime(self):
        '''Return self.val, read as days, as a negated tick-count string.

        One day is 60 * 60 * 24 seconds and each second is 10,000,000
        ticks (100 ns each); the product is negated before it is returned.
        '''
        # NOTE(review): int() raises ValueError on a non-numeric value, and
        # a negative day count produces a positive result. If the policy
        # file can carry a sentinel such as -1 for "never expires", confirm
        # how it is meant to be mapped.
        ticks_per_second = 10000000
        ticks_per_day = 60 * 60 * 24 * ticks_per_second
        return str(-(int(self.val) * ticks_per_day))

    def mapper(self):
        '''Map each LDAP attribute to its (setter, value converter) pair.'''
        relative_time = self.days2rel_nttime
        # The last two entries need no conversion; they still go through a
        # setter so that every entry has the same shape.
        return {
            "minPwdAge": (self.ch_minPwdAge, relative_time),
            "maxPwdAge": (self.ch_maxPwdAge, relative_time),
            "minPwdLength": (self.ch_minPwdLength, self.explicit),
            "pwdProperties": (self.ch_pwdProperties, self.explicit),
        }

    def __str__(self):
        '''Return the .inf section name this setter handles.'''
        return 'System Access'
109
110
class gp_sec_ext(gp_inf_ext):
    '''Security GPO extension.

    Per the original author, the extension identifies a GPO by its file
    path and then parses it. This class supplies the file paths and the
    table of settings; the parsing itself is not defined here.
    '''

    count = 0

    def __str__(self):
        '''Return the display name of this extension.'''
        return "Security GPO extension"

    def list(self, rootpath):
        '''Return the path of the security template below rootpath.'''
        # NOTE(review): this path starts with "MACHINE" while listmachpol()
        # uses "Machine"; on a case-sensitive filesystem those are two
        # different directories. Confirm which spelling the GPO tree uses.
        template = "MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf"
        return os.path.join(rootpath, template)

    def listmachpol(self, rootpath):
        '''Return the path of the machine Registry.pol below rootpath.'''
        machine_pol = "Machine/Registry.pol"
        return os.path.join(rootpath, machine_pol)

    def listuserpol(self, rootpath):
        '''Return the path of the user Registry.pol below rootpath.'''
        user_pol = "User/Registry.pol"
        return os.path.join(rootpath, user_pol)

    def apply_map(self):
        '''Return {inf section: {inf setting: (target key, setter class)}}.

        Only the settings listed here are mapped; the password settings go
        to inf_to_ldb and the ticket lifetimes to inf_to_kdc_tdb.
        '''
        system_access = {
            "MinimumPasswordAge": ("minPwdAge", inf_to_ldb),
            "MaximumPasswordAge": ("maxPwdAge", inf_to_ldb),
            "MinimumPasswordLength": ("minPwdLength", inf_to_ldb),
            "PasswordComplexity": ("pwdProperties", inf_to_ldb),
        }
        kerberos_policy = {
            "MaxTicketAge": ("kdc:user_ticket_lifetime", inf_to_kdc_tdb),
            "MaxServiceAge": ("kdc:service_ticket_lifetime", inf_to_kdc_tdb),
            "MaxRenewAge": ("kdc:renewal_lifetime", inf_to_kdc_tdb),
        }
        return {
            "System Access": system_access,
            "Kerberos Policy": kerberos_policy,
        }
156