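def add_group_from_mapping_entry(samdb, groupmap, logger):
    """Add a group to the SAM database from a Samba3 group mapping entry.

    param samdb: Samba4 SAM database
    param groupmap: Groupmap entry (uses .sid, .nt_name, .sid_name_use, .comment)
    param logger: Logger object

    A group that already exists (looked up by SID) is left untouched and
    only logged; a failed add is logged rather than raised.  Any ldb error
    other than ERR_NO_SUCH_OBJECT during the existence lookup propagates
    to the caller.
    """
    # First try to see if we already have this entry, keyed by SID rather
    # than by name so a renamed group is still recognised
    try:
        msg = samdb.search(base='<SID=%s>' % str(groupmap.sid),
                           scope=ldb.SCOPE_BASE)
        found = True
    except ldb.LdbError as e1:
        ecode = e1.args[0]
        if ecode == ldb.ERR_NO_SUCH_OBJECT:
            found = False
        else:
            # Re-raise the original exception so its traceback is preserved
            raise

    if found:
        # Logger.warn is deprecated (removed in recent Python); use warning()
        logger.warning(
            'Group already exists sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
            str(groupmap.sid), groupmap.nt_name, msg[0]['sAMAccountName'][0])
        return

    if groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
        # In a lot of Samba3 databases, aliases are marked as well known
        # groups; only those in the BUILTIN domain are imported, any other
        # "well known" entry is skipped
        (group_dom_sid, _rid) = groupmap.sid.split()
        if group_dom_sid != security.dom_sid(security.SID_BUILTIN):
            return

    m = ldb.Message()
    # Build the DN component-wise instead of via a format string so the CN
    # value never needs escaping
    m.dn = ldb.Dn(samdb, "CN=X,CN=Users")
    m.dn.set_component(0, "CN", groupmap.nt_name)
    m.dn.add_base(samdb.get_default_basedn())
    m['objectClass'] = ldb.MessageElement('group', ldb.FLAG_MOD_ADD, 'objectClass')
    m['objectSid'] = ldb.MessageElement(ndr_pack(groupmap.sid),
                                        ldb.FLAG_MOD_ADD, 'objectSid')
    m['sAMAccountName'] = ldb.MessageElement(groupmap.nt_name,
                                             ldb.FLAG_MOD_ADD, 'sAMAccountName')

    if groupmap.comment:
        m['description'] = ldb.MessageElement(groupmap.comment,
                                              ldb.FLAG_MOD_ADD, 'description')

    # Fix up incorrect 'well known' groups that are actually builtin (per the
    # test above) to be aliases, i.e. domain-local security groups
    if groupmap.sid_name_use in (lsa.SID_NAME_ALIAS, lsa.SID_NAME_WKN_GRP):
        m['groupType'] = ldb.MessageElement(
            str(dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
            ldb.FLAG_MOD_ADD, 'groupType')

    try:
        # The relax control is needed because we supply objectSid ourselves
        # instead of letting the server allocate it
        samdb.add(m, controls=["relax:0"])
    except ldb.LdbError as e:
        logger.warning('Could not add group name=%s (%s)', groupmap.nt_name, str(e))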
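def search_samdb(self, s4_dns=None, ldapfilter=None):
    """Return (dn, objectGuid, uSNChanged) triples for matching SAM entries.

    param s4_dns: optional list/tuple of DNs, each looked up with a
        base-scope search.  When None or empty the whole database is
        searched with ldapfilter instead -- note that an empty sequence
        therefore falls through to the unscoped search.
    param ldapfilter: LDAP filter expression; in the per-DN mode it defaults
        to '(objectClass=*)'.  It is handed to ldb as-is, so it must be
        built from trusted or properly escaped values.
    returns: list of (dn, GUID, usn) tuples; dn is the requested DN in
        per-DN mode and str(msg.dn) in the unscoped mode
    raises ValueError: s4_dns is neither a list nor a tuple
    raises ldb.LdbError: args (1, [(dn, message), ...], [found dns]) when any
        per-DN lookup failed
    raises GuidNotFound: (1, missing dns, found dns) when a per-DN lookup
        returned nothing; (2, "No match") when the unscoped search
        returned nothing
    """
    search_result = []
    if s4_dns:
        # isinstance also accepts list/tuple subclasses, which the old
        # exact-type check rejected; the message is kept unchanged
        if not isinstance(s4_dns, (list, tuple)):
            raise ValueError(
                "'s4_dns' is of type %s, must be list or tuple" % type(s4_dns))
        if not ldapfilter:
            ldapfilter = '(objectClass=*)'
        error_dns = []
        missing_dns = []
        for targetdn in s4_dns:
            # guid stays None when the base search yields no entry
            guid = None
            try:
                res = self.samdb.search(targetdn, scope=ldb.SCOPE_BASE,
                                        expression=ldapfilter,
                                        attrs=["objectGuid", "uSNChanged"])
                for msg in res:
                    guid_blob = msg.get("objectGuid", idx=0)
                    guid = ndr_unpack(misc.GUID, guid_blob)
                    usn = msg.get("uSNChanged", idx=0)
                    search_result.append((targetdn, guid, usn))
                if not guid:
                    missing_dns.append(targetdn)
            except ldb.LdbError as ex:
                # Collect per-DN failures and report them all at once below
                error_dns.append((targetdn, ex.args[1]))
        if error_dns:
            raise ldb.LdbError(1, error_dns, [r[0] for r in search_result])
        if missing_dns:
            raise GuidNotFound(1, missing_dns, [r[0] for r in search_result])
    else:
        guid = None
        res = self.samdb.search(expression=ldapfilter,
                                attrs=["objectGuid", "uSNChanged"])
        for msg in res:
            guid_blob = msg.get("objectGuid", idx=0)
            guid = ndr_unpack(misc.GUID, guid_blob)
            usn = msg.get("uSNChanged", idx=0)
            search_result.append((str(msg.dn), guid, usn))
        # Only the last processed entry is checked here; an empty result
        # set leaves guid unset and is reported as "No match"
        if not guid:
            raise GuidNotFound(2, "No match")
    return search_result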
def add_group_from_mapping_entry(samdb, groupmap, logger): """Add or modify group from group mapping entry param samdb: Samba4 SAM database param groupmap: Groupmap entry param logger: Logger object """ # First try to see if we already have this entry try: msg = samdb.search(base='<SID=%s>' % str(groupmap.sid), scope=ldb.SCOPE_BASE) found = True except ldb.LdbError, (ecode, emsg): if ecode == ldb.ERR_NO_SUCH_OBJECT: found = False else: raise ldb.LdbError(ecode, emsg)