def main():
lp = LoadParm()
lp.load_default()
print("\nLoaded loadparm:")
print(" samdb_url: ", lp.samdb_url())
print(" server_role: ", lp.server_role())
creds = Credentials()
creds.guess(lp)
print("\nCredentials:")
creds.set_kerberos_state(MUST_USE_KERBEROS)
# If MUST_USE_KERBEROS and we have no ticket, yields this error:
# "Failed to connect to 'ldap://dc1' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER"
# Local
#samdb = SamDB(lp=lp)
# Remote
samdb = SamDB(lp=lp, url='ldap://dc1', credentials=creds)
print("\nOpened SAM DB:")
print(" domain_dn: ", samdb.domain_dn())
print(" domain_dns_name:", samdb.domain_dns_name())
for q in sys.argv[1:]:
query(samdb, q)
def setUp(self):
super(DCKeytabTests, self).setUp()
self.lp = LoadParm()
self.lp.load_default()
self.creds = self.insta_creds(template=self.get_credentials())
self.ktfile = os.path.join(self.lp.get('private dir'), 'test.keytab')
self.principal = self.creds.get_principal()
def __init__(self, username=None, no_dry_run=False, mysql_string=None):
self.lp = LoadParm()
self.lp.set('debug level', '0')
self.lp.load_default()
self.username = username
self.no_dry_run = no_dry_run
self.conn = self._open_mysql_conn(mysql_string)
def setUp(self):
super(GPOTests, self).setUp()
self.server = os.environ["SERVER"]
self.dc_account = self.server.upper() + '$'
self.lp = LoadParm()
self.lp.load_default()
self.creds = self.insta_creds(template=self.get_credentials())
def __init__(self, parser):
from samba.param import LoadParm
optparse.OptionGroup.__init__(self, parser, "Samba Common Options")
self.add_option("-s",
"--configfile",
action="callback",
type=str,
metavar="FILE",
help="Configuration file",
callback=self._load_configfile)
self.add_option("-d",
"--debuglevel",
action="callback",
type=int,
metavar="DEBUGLEVEL",
help="debug level",
callback=self._set_debuglevel)
self.add_option("--option",
action="callback",
type=str,
metavar="OPTION",
help="set smb.conf option from command line",
callback=self._set_option)
self.add_option("--realm",
action="callback",
type=str,
metavar="REALM",
help="set the realm name",
callback=self._set_realm)
self._configfile = None
self._lp = LoadParm()
self.realm = None
def user_policy_apply(user, password):
user = user.split('\\')[-1]
logger = logging.getLogger('gpupdate')
logger.addHandler(logging.StreamHandler(sys.stdout))
logger.setLevel(logging.CRITICAL)
log_level = lp.log_level()
if log_level == 1:
logger.setLevel(logging.ERROR)
elif log_level == 2:
logger.setLevel(logging.WARNING)
elif log_level == 3:
logger.setLevel(logging.INFO)
elif log_level >= 4:
logger.setLevel(logging.DEBUG)
lp = LoadParm()
lp.load_default()
creds = Credentials()
creds.guess(lp)
creds.set_username(user)
creds.set_password(password)
_, user_exts = get_gp_client_side_extensions(logger)
gp_extensions = []
for ext in user_exts:
gp_extensions.append(ext(logger, lp, creds, store))
cache_dir = lp.get('cache directory')
store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
try:
apply_gp(lp, creds, logger, store, gp_extensions)
except NTSTATUSError as e:
logger.info(e.message)
def get_ad_binddn_from_name(base, server, username, password):
lp = LoadParm()
creds = Credentials()
creds.guess(lp)
creds.set_username(username)
creds.set_password(password)
binddn = 'cn=%s,cn=users,%s' % (ldap.dn.escape_dn_chars(username), base)
try:
samdb = SamDB(url='ldap://%s' % server,
session_info=system_session(),
credentials=creds,
lp=lp)
res = samdb.search(base,
scope=ldb.SCOPE_SUBTREE,
expression=ldap.filter.filter_format(
'(samAccountName=%s)', [
username,
]),
attrs=['samaccountname'])
if res.count == 1:
binddn = res.msgs[0].get('dn', idx=0).extended_str()
except ldb.LdbError as ex:
MODULE.warn('get_dn_from_name() could not get binddn for user %s: %s' %
(username, ex))
return binddn
def setUp(self):
super(KCCTests, self).setUp()
self.lp = LoadParm()
self.creds = Credentials()
self.creds.guess(self.lp)
self.creds.set_username(os.environ["USERNAME"])
self.creds.set_password(os.environ["PASSWORD"])
def dc_watcher(self):
(r1, w1) = os.pipe()
pid = os.fork()
if pid != 0:
# Parent process return the result socket to the caller.
return r1
# Load the lp context for the Domain Controller, rather than the
# member server.
config_file = os.environ["DC_SERVERCONFFILE"]
lp_ctx = LoadParm()
lp_ctx.load(config_file)
#
# Is the message a SamLogon authentication?
def is_sam_logon(m):
if m is None:
return False
msg = json.loads(m)
return (msg["type"] == "Authentication" and
msg["Authentication"]["serviceDescription"] == "SamLogon")
#
# Handler function for received authentication messages.
def message_handler(context, msgType, src, message):
# Print the message to help debugging the tests.
# as it's a JSON message it does not look like a sub-unit message.
print(message)
self.dc_msgs.append(message)
# Set up a messaging context to listen for authentication events on
# the domain controller.
msg_ctx = Messaging((1, ), lp_ctx=lp_ctx)
msg_ctx.irpc_add_name(AUTH_EVENT_NAME)
msg_handler_and_context = (message_handler, None)
msg_ctx.register(msg_handler_and_context, msg_type=MSG_AUTH_LOG)
# Wait for the SamLogon message.
# As there could be other SamLogon's in progress we need to collect
# all the SamLogons and let the caller match them to the session.
self.dc_msgs = []
start_time = time.time()
while (time.time() - start_time < 1):
msg_ctx.loop_once(0.1)
# Only interested in SamLogon messages, filter out the rest
msgs = list(filter(is_sam_logon, self.dc_msgs))
if msgs:
for m in msgs:
m += "\n"
os.write(w1, get_bytes(m))
else:
os.write(w1, get_bytes("None\n"))
os.close(w1)
msg_ctx.deregister(msg_handler_and_context, msg_type=MSG_AUTH_LOG)
msg_ctx.irpc_remove_name(AUTH_EVENT_NAME)
os._exit(0)
def test_setntacl_invalidbackend(self):
lp = LoadParm()
acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
open(self.tempf, 'w').write("empty")
self.assertRaises(XattrBackendError, setntacl, lp, self.tempf, acl,
"S-1-5-21-2212615479-2695158682-2101375467", "ttdb",
os.path.join(self.tempdir, "eadbtest.tdb"))
def force_drs_replication(source_dc=None,
destination_dc=None,
partition_dn=None,
direction="in"):
if not package_installed('univention-samba4'):
print(
'force_drs_replication(): skip, univention-samba4 not installed.')
return
if not source_dc:
source_dc = get_available_s4connector_dc()
if not source_dc:
return 1
if not destination_dc:
destination_dc = socket.gethostname()
if destination_dc == source_dc:
return
if not partition_dn:
lp = LoadParm()
lp.load('/etc/samba/smb.conf')
samdb = SamDB("tdb://%s" % lp.private_path("sam.ldb"),
session_info=system_session(lp),
lp=lp)
partition_dn = str(samdb.domain_dn())
print("USING partition_dn:", partition_dn)
if direction == "in":
cmd = ("/usr/bin/samba-tool", "drs", "replicate", destination_dc,
source_dc, partition_dn)
else:
cmd = ("/usr/bin/samba-tool", "drs", "replicate", source_dc,
destination_dc, partition_dn)
return subprocess.call(cmd)
def test_setntacl(self):
lp = LoadParm()
acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
open(self.tempf, 'w').write("empty")
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
setntacl(lp, self.tempf, acl,
"S-1-5-21-2212615479-2695158682-2101375467")
os.unlink(os.path.join(self.tempdir, "eadbtest.tdb"))
def test_setntacl_forcenative(self):
if os.getuid() == 0:
raise SkipTest("Running test as root, test skipped")
lp = LoadParm()
open(self.tempf, 'w').write("empty")
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
self.assertRaises(Exception, setntacl, lp, self.tempf, NTACL_SDDL,
DOMAIN_SID, self.session_info, "native")
def _wait_for_drs_replication(ldap_filter, attrs=None, base=None, scope=ldb.SCOPE_SUBTREE, lp=None, timeout=360, delta_t=1, verbose=True, should_exist=True, controls=None):
# type: (str, Union[List[str], None, str], Optional[str], int, Optional[LoadParm], int, int, bool, bool, Optional[List[str]]) -> None
if not package_installed('univention-samba4'):
if package_installed('univention-samba'):
time.sleep(15)
print('Sleeping 15 seconds as a workaround for http://forge.univention.org/bugzilla/show_bug.cgi?id=52145')
elif verbose:
print('wait_for_drs_replication(): skip, univention-samba4 not installed.')
return
if not attrs:
attrs = ['dn']
elif not isinstance(attrs, list):
attrs = [attrs]
if not lp:
lp = LoadParm()
lp.load('/etc/samba/smb.conf')
samdb = SamDB("tdb://%s" % lp.private_path("sam.ldb"), session_info=system_session(lp), lp=lp)
if not controls:
controls = ["domain_scope:0"]
if base is None:
ucr = config_registry.ConfigRegistry()
ucr.load()
base = ucr['samba4/ldap/base']
else:
if len(ldap.dn.str2dn(base)[0]) > 1:
if verbose:
print('wait_for_drs_replication(): skip, multiple RDNs are not supported')
return
if not base:
if verbose:
print('wait_for_drs_replication(): skip, no samba domain found')
return
if verbose:
print("Waiting for DRS replication, filter: %r, base: %r, scope: %r, should_exist: %r" % (ldap_filter, base, scope, should_exist), end=' ')
t = t0 = time.time()
while t < t0 + timeout:
try:
res = samdb.search(base=base, scope=scope, expression=ldap_filter, attrs=attrs, controls=controls)
if bool(res) is bool(should_exist):
if verbose:
print("\nDRS replication took %d seconds" % (t - t0, ))
return # res
except ldb.LdbError as exc:
(_num, msg) = exc.args
if _num == ldb.ERR_INVALID_DN_SYNTAX:
raise
if _num == ldb.ERR_NO_SUCH_OBJECT and not should_exist:
if verbose:
print("\nDRS replication took %d seconds" % (t - t0, ))
return
print("Error during samdb.search: %s" % (msg, ))
print('.', end=' ')
time.sleep(delta_t)
t = time.time()
raise DRSReplicationFailed("DRS replication for filter: %r failed due to timeout after %d sec." % (ldap_filter, t - t0))
def test_setntacl_getntacl(self):
lp = LoadParm()
open(self.tempf, 'w').write("empty")
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID, self.session_info)
facl = getntacl(lp, self.tempf, self.session_info)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEqual(facl.as_sddl(anysid), NTACL_SDDL)
os.unlink(os.path.join(self.tempdir, "eadbtest.tdb"))
def wait_for_drs_replication(ldap_filter, attrs=None, base=None, scope=ldb.SCOPE_SUBTREE, lp=None, timeout=360, delta_t=1, verbose=True, should_exist=True, controls=None):
if not package_installed('univention-samba4'):
if verbose:
print('wait_for_drs_replication(): skip, univention-samba4 not installed.')
return
if not lp:
lp = LoadParm()
lp.load('/etc/samba/smb.conf')
if not attrs:
attrs = ['dn']
elif not isinstance(attrs, list):
attrs = [attrs]
samdb = SamDB("tdb://%s" % lp.private_path("sam.ldb"), session_info=system_session(lp), lp=lp)
if not controls:
controls = ["domain_scope:0"]
if base is None:
base = samdb.domain_dn()
else:
if len(ldap.dn.str2dn(base)[0]) > 1:
if verbose:
print('wait_for_drs_replication(): skip, multiple RDNs are not supported')
return
if not base or base == 'None':
if verbose:
print('wait_for_drs_replication(): skip, no samba domain found')
return
if verbose:
print("Waiting for DRS replication, filter: %r, base: %r, scope: %r, should_exist: %r" % (ldap_filter, base, scope, should_exist), end=' ')
t = t0 = time.time()
while t < t0 + timeout:
try:
res = samdb.search(base=base, scope=scope, expression=ldap_filter, attrs=attrs, controls=controls)
if res and should_exist:
if verbose:
print("\nDRS replication took %d seconds" % (t - t0, ))
return res
if not res and not should_exist:
if verbose:
print("\nDRS replication took %d seconds" % (t - t0, ))
return res
except ldb.LdbError as exc:
(_num, msg) = exc.args
if _num == ldb.ERR_INVALID_DN_SYNTAX:
raise
if _num == ldb.ERR_NO_SUCH_OBJECT and not should_exist:
if verbose:
print("\nDRS replication took %d seconds" % (t - t0, ))
return
print("Error during samdb.search: %s" % (msg, ))
print('.', end=' ')
time.sleep(delta_t)
t = time.time()
raise DRSReplicationFailed("DRS replication for filter: %r failed due to timeout after %d sec." % (ldap_filter, t - t0))
def parse_gpext_conf(smb_conf):
lp = LoadParm()
if smb_conf is not None:
lp.load(smb_conf)
else:
lp.load_default()
ext_conf = lp.state_path('gpext.conf')
parser = ConfigParser()
parser.read(ext_conf)
return lp, parser
def __init__(self, user, password):
self.user = user
self.password = password
_isLastErrorAvailable = False
self.lp = LoadParm()
self.lp.load_default()
self.logger = logging.getLogger(__name__)
self.logger.addHandler(logging.StreamHandler(sys.stdout))
self.logger.setLevel(logging.INFO)
def __init__(self):
self.samba_lp = LoadParm()
self.samba_lp.set('debug level', '0')
self.samba_lp.load_default()
url = self.samba_lp.get('dcerpc_mapiproxy:samdb_url') or \
self.samba_lp.private_path("sam.ldb")
self.samdb = SamDB(url=url,
lp=self.samba_lp,
session_info=system_session())
self.conn = self._open_mysql_connection()
def test_setntacl_getntacl_param(self):
lp = LoadParm()
open(self.tempf, 'w').write("empty")
setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID, "tdb",
os.path.join(self.tempdir, "eadbtest.tdb"))
facl = getntacl(lp, self.tempf, "tdb", os.path.join(
self.tempdir, "eadbtest.tdb"))
domsid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(domsid), NTACL_SDDL)
os.unlink(os.path.join(self.tempdir, "eadbtest.tdb"))
def test_setntacl_forcenative(self):
if os.getuid() == 0:
raise SkipTest("Running test as root, test skipped")
lp = LoadParm()
acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
open(self.tempf, 'w').write("empty")
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
self.assertRaises(Exception, setntacl, lp, self.tempf, acl,
"S-1-5-21-2212615479-2695158682-2101375467",
"native")
def __init__(self):
self.configRegistry = ConfigRegistry()
self.configRegistry.load()
lp = LoadParm()
creds = Credentials()
creds.guess(lp)
self.samdb = SamDB(url='/var/lib/samba/private/sam.ldb',
session_info=system_session(),
credentials=creds,
lp=lp)
def connection(self):
lp = LoadParm()
creds = Credentials()
creds.guess(lp)
creds.set_username("")
creds.set_password("")
con = SamDB(url='ldap://192.168.100.26:389',
session_info=system_session(),
credentials=creds,
lp=lp)
return con
def test_setntacl_getntacl(self):
lp = LoadParm()
acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
open(self.tempf, 'w').write("empty")
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
setntacl(lp, self.tempf, acl,
"S-1-5-21-2212615479-2695158682-2101375467")
facl = getntacl(lp, self.tempf)
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(facl.as_sddl(anysid), acl)
os.unlink(os.path.join(self.tempdir, "eadbtest.tdb"))
def __init__(self, user, password):
self.user = user
self.password = password
self.lp = LoadParm()
self.lp.load_default()
self.ip = '127.0.0.1'
self.WorkGroup = str(self.lp.get("workgroup"))
self.creds = credentials.Credentials()
self.creds.set_username(self.user)
self.creds.set_password(self.password)
self.creds.set_domain(self.WorkGroup)
self.creds.set_workstation("")
def main():
args = parse_args()
logging.basicConfig(level=logging.DEBUG if args.debug else logging.WARNING)
inpipe = sys.stdin
outpipe = sys.stdout
if args.unix:
import socket
try:
os.remove(args.unix)
except OSError:
pass
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.bind(args.unix)
os.chmod(args.unix, 0o777)
logger.debug("Bound unix socket: {}".format(args.unix))
logger.info("Waiting for connection at {}".format(args.unix))
sock.listen(1)
csock, client_address = sock.accept()
logger.info("Accepted connection from {}".format(client_address))
inpipe = outpipe = csock.makefile()
lp = LoadParm()
lp.load_default()
creds = Credentials()
creds.guess(lp)
creds.set_kerberos_state(MUST_USE_KERBEROS)
# If MUST_USE_KERBEROS and we have no ticket, yields this error:
# "Failed to connect to 'ldap://dc1' with backend 'ldap': LDAP client
# internal error: NT_STATUS_INVALID_PARAMETER"
# lp is required by ldap_connect_send() -> lpcfg_resolve_context()
samdb = SamDB(lp=lp, url=args.url, credentials=creds)
logger.debug("Opened SAM DB:")
logger.debug(" domain_dn: {}".format(samdb.domain_dn()))
logger.debug(" domain_dns_name: {}".format(samdb.domain_dns_name()))
try:
r = SambaResponder(samdb, inpipe, outpipe)
r.run()
finally:
if args.unix:
try:
os.remove(args.unix)
except OSError:
pass
def test_setntacl(self):
random.seed()
lp = LoadParm()
path = os.environ['SELFTEST_PREFIX']
acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
tempf = os.path.join(path,
"pytests" + str(int(100000 * random.random())))
ntacl = xattr.NTACL()
ntacl.version = 1
open(tempf, 'w').write("empty")
lp.set("posix:eadb", os.path.join(path, "eadbtest.tdb"))
setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467")
os.unlink(tempf)
def test_setntacl_invalidbackend(self):
random.seed()
lp = LoadParm()
acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
path = os.environ['SELFTEST_PREFIX']
tempf = os.path.join(path,
"pytests" + str(int(100000 * random.random())))
ntacl = xattr.NTACL()
ntacl.version = 1
open(tempf, 'w').write("empty")
self.assertRaises(XattrBackendError, setntacl, lp, tempf, acl,
"S-1-5-21-2212615479-2695158682-2101375467", "ttdb",
os.path.join(path, "eadbtest.tdb"))
def set_acl(path, sddl):
print('start set_acl!')
print(path)
print(sddl)
sid = security.dom_sid("S-1-5-21-3874029520-2253553080-878871061")
print(sid)
try:
lp = LoadParm()
setntacl(lp, path, sddl, sid)
except Exception, e:
print str(e)
def wait_for_drs_replication(ldap_filter,
attrs=None,
base=None,
scope=ldb.SCOPE_SUBTREE,
lp=None,
timeout=360,
delta_t=1,
verbose=True):
if not package_installed('univention-samba4'):
if verbose:
print 'wait_for_drs_replication(): skip, univention-samba4 not installed.'
return
if not lp:
lp = LoadParm()
lp.load('/etc/samba/smb.conf')
if not attrs:
attrs = ['dn']
elif not isinstance(attrs, list):
attrs = [attrs]
samdb = SamDB("tdb://%s" % lp.private_path("sam.ldb"),
session_info=system_session(lp),
lp=lp)
controls = ["domain_scope:0"]
if base is None:
base = samdb.domain_dn()
if not base or base == 'None':
if verbose:
print 'wait_for_drs_replication(): skip, no samba domain found'
return
if verbose:
print "Waiting for DRS replication, filter: '%s'" % (ldap_filter, ),
t = t0 = time.time()
while t < t0 + timeout:
try:
res = samdb.search(base=base,
scope=scope,
expression=ldap_filter,
attrs=attrs,
controls=controls)
if res:
if verbose:
print "\nDRS replication took %d seconds" % (t - t0, )
return res
except ldb.LdbError as (_num, msg):
print "Error during samdb.search: %s" % (msg, )
print '.',
time.sleep(delta_t)
t = time.time()
