def run(self, username, password=None, credopts=None, sambaopts=None,
versionopts=None, H=None, must_change_at_next_login=False, random_password=False,
use_username_as_cn=False, userou=None, surname=None, given_name=None, initials=None,
profile_path=None, script_path=None, home_drive=None, home_directory=None,
job_title=None, department=None, company=None, description=None,
mail_address=None, internet_address=None, telephone_number=None, physical_delivery_office=None):
if random_password:
password = generate_random_password(128, 255)
while 1:
if password is not None and password is not '':
break
password = getpass("New Password: "******"Failed to add user '%s': " % username, e)
def test_ldap_change_password(self):
def isLastExpectedMessage(msg):
return (msg["type"] == "Authentication" and
msg["Authentication"]["status"]
== "NT_STATUS_OK" and
msg["Authentication"]["serviceDescription"]
== "LDAP Password Change" and
msg["Authentication"]["authDescription"]
== "LDAP Modify")
new_password = samba.generate_random_password(32,32)
self.ldb.modify_ldif(
"dn: cn=" + USER_NAME + ",cn=users," + self.base_dn + "\n" +
"changetype: modify\n" +
"delete: userPassword\n" +
"userPassword: "******"\n" +
"add: userPassword\n" +
"userPassword: "******"\n"
)
messages = self.waitForMessages(isLastExpectedMessage)
print "Received %d messages" % len(messages)
self.assertEquals(4,
len(messages),
"Did not receive the expected number of messages")
def create_user_account(self):
self.user_pass = samba.generate_random_password(32, 32)
self.user_name = USER_NAME
self.user_dn = "cn=%s,%s" % (self.user_name, self.ldb.domain_dn())
# remove the account if it exists, this will happen if a previous test
# run failed
delete_force(self.ldb, self.user_dn)
utf16pw = unicode('"' + self.user_pass.encode('utf-8') + '"',
'utf-8').encode('utf-16-le')
self.ldb.add({
"dn": self.user_dn,
"objectclass": "user",
"sAMAccountName": "%s" % self.user_name,
"userAccountControl": str(UF_NORMAL_ACCOUNT),
"unicodePwd": utf16pw
})
self.user_creds = Credentials()
self.user_creds.guess(self.get_loadparm())
self.user_creds.set_password(self.user_pass)
self.user_creds.set_username(self.user_name)
self.user_creds.set_workstation(self.machine_name)
pass
def create_machine_account(self):
self.machine_pass = samba.generate_random_password(32, 32)
self.machine_name = MACHINE_NAME
self.machine_dn = "cn=%s,%s" % (self.machine_name,
self.ldb.domain_dn())
# remove the account if it exists, this will happen if a previous test
# run failed
delete_force(self.ldb, self.machine_dn)
utf16pw = unicode('"' + self.machine_pass.encode('utf-8') + '"',
'utf-8').encode('utf-16-le')
self.ldb.add({
"dn":
self.machine_dn,
"objectclass":
"computer",
"sAMAccountName":
"%s$" % self.machine_name,
"userAccountControl":
str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
"unicodePwd":
utf16pw
})
self.machine_creds = Credentials()
self.machine_creds.guess(self.get_loadparm())
self.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
self.machine_creds.set_password(self.machine_pass)
self.machine_creds.set_username(self.machine_name + "$")
self.machine_creds.set_workstation(self.machine_name)
def create_user_account(self):
self.user_pass = samba.generate_random_password(32, 32)
self.user_name = USER_NAME
self.user_dn = "cn=%s,%s" % (self.user_name, self.ldb.domain_dn())
# remove the account if it exists, this will happen if a previous test
# run failed
delete_force(self.ldb, self.user_dn)
utf16pw = unicode(
'"' + self.user_pass.encode('utf-8') + '"', 'utf-8'
).encode('utf-16-le')
self.ldb.add({
"dn": self.user_dn,
"objectclass": "user",
"sAMAccountName": "%s" % self.user_name,
"userAccountControl": str(UF_NORMAL_ACCOUNT),
"unicodePwd": utf16pw})
self.user_creds = Credentials()
self.user_creds.guess(self.get_loadparm())
self.user_creds.set_password(self.user_pass)
self.user_creds.set_username(self.user_name)
self.user_creds.set_workstation(self.machine_name)
pass
def create_machine_account(self):
self.machine_pass = samba.generate_random_password(32, 32)
self.machine_name = MACHINE_NAME
self.machine_dn = "cn=%s,%s" % (self.machine_name, self.ldb.domain_dn())
# remove the account if it exists, this will happen if a previous test
# run failed
delete_force(self.ldb, self.machine_dn)
utf16pw = unicode(
'"' + self.machine_pass.encode('utf-8') + '"', 'utf-8'
).encode('utf-16-le')
self.ldb.add({
"dn": self.machine_dn,
"objectclass": "computer",
"sAMAccountName": "%s$" % self.machine_name,
"userAccountControl":
str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
"unicodePwd": utf16pw})
self.machine_creds = Credentials()
self.machine_creds.guess(self.get_loadparm())
self.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
self.machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
self.machine_creds.set_password(self.machine_pass)
self.machine_creds.set_username(self.machine_name + "$")
self.machine_creds.set_workstation(self.machine_name)
def test_ldap_replace_password(self):
dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
self.discardSetupMessages(dn)
new_password = samba.generate_random_password(32, 32)
self.ldb.modify_ldif("dn: " + dn + "\n" + "changetype: modify\n" +
"replace: userPassword\n" + "userPassword: "******"\n")
messages = self.waitForMessages(1, dn=dn)
print("Received %d messages" % len(messages))
self.assertEquals(1, len(messages),
"Did not receive the expected number of messages")
audit = messages[0]["dsdbChange"]
self.assertEquals("Modify", audit["operation"])
self.assertFalse(audit["performedAsSystem"])
self.assertTrue(dn.lower(), audit["dn"].lower())
self.assertRegexpMatches(audit["remoteAddress"], self.remoteAddress)
self.assertTrue(self.is_guid(audit["sessionId"]))
session_id = self.get_session()
self.assertEquals(session_id, audit["sessionId"])
service_description = self.get_service_description()
self.assertEquals(service_description, "LDAP")
self.assertTrue(self.is_guid(audit["transactionId"]))
attributes = audit["attributes"]
self.assertEquals(1, len(attributes))
actions = attributes["userPassword"]["actions"]
self.assertEquals(1, len(actions))
self.assertTrue(actions[0]["redacted"])
self.assertEquals("replace", actions[0]["action"])
def do_Netr_ServerPasswordSet2(self):
c = self.get_netlogon_connection()
(authenticator, subsequent) = self.get_authenticator(c)
PWD_LEN = 32
DATA_LEN = 512
newpass = samba.generate_random_password(PWD_LEN, PWD_LEN)
encoded = newpass.encode('utf-16-le')
pwd_len = len(encoded)
filler = [
x if isinstance(x, int) else ord(x)
for x in os.urandom(DATA_LEN - pwd_len)
]
pwd = netlogon.netr_CryptPassword()
pwd.length = pwd_len
pwd.data = filler + [
x if isinstance(x, int) else ord(x) for x in encoded
]
self.machine_creds.encrypt_netr_crypt_password(pwd)
c.netr_ServerPasswordSet2(self.server,
self.machine_creds.get_workstation(),
SEC_CHAN_WKSTA, self.machine_name,
authenticator, pwd)
self.machine_pass = newpass
self.machine_creds.set_password(newpass)
def run(self, username=None, filter=None, credopts=None, sambaopts=None,
versionopts=None, H=None, newpassword=None,
must_change_at_next_login=False, random_password=False):
if filter is None and username is None:
raise CommandError("Either the username or '--filter' must be specified!")
if random_password:
password = generate_random_password(128, 255)
else:
password = newpassword
while 1:
if password is not None and password is not '':
break
password = getpass("New Password: "******"(&(objectClass=user)(sAMAccountName={0!s}))".format((ldb.binary_encode(username)))
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
try:
samdb.setpassword(filter, password,
force_change_at_next_login=must_change_at_next_login,
username=username)
except Exception, msg:
# FIXME: catch more specific exception
raise CommandError("Failed to set password for user '{0!s}': {1!s}".format(username or filter, msg))
def test_ldap_change_password_bad_original_password(self):
def isLastExpectedMessage(msg):
return (
(msg["type"] == "Authentication") and
(msg["Authentication"]["status"] == "NT_STATUS_WRONG_PASSWORD")
and (msg["Authentication"]["serviceDescription"]
== "LDAP Password Change")
and (msg["Authentication"]["authDescription"] == "LDAP Modify")
and
(msg["Authentication"]["eventId"] == EVT_ID_UNSUCCESSFUL_LOGON)
and (msg["Authentication"]["logonType"] == EVT_LOGON_NETWORK))
new_password = samba.generate_random_password(32, 32)
try:
self.ldb.modify_ldif("dn: cn=" + USER_NAME + ",cn=users," +
self.base_dn + "\n" + "changetype: modify\n" +
"delete: userPassword\n" + "userPassword: "******"badPassword" + "\n" + "add: userPassword\n" +
"userPassword: "******"\n")
self.fail()
except LdbError as e1:
(num, msg) = e1.args
pass
messages = self.waitForMessages(isLastExpectedMessage)
print("Received %d messages" % len(messages))
self.assertEquals(4, len(messages),
"Did not receive the expected number of messages")
def test_ldap_change_password(self):
def isLastExpectedMessage(msg):
return (msg["type"] == "Authentication" and
msg["Authentication"]["status"]
== "NT_STATUS_OK" and
msg["Authentication"]["serviceDescription"]
== "LDAP Password Change" and
msg["Authentication"]["authDescription"]
== "LDAP Modify")
new_password = samba.generate_random_password(32,32)
self.ldb.modify_ldif(
"dn: cn=" + USER_NAME + ",cn=users," + self.base_dn + "\n" +
"changetype: modify\n" +
"delete: userPassword\n" +
"userPassword: "******"\n" +
"add: userPassword\n" +
"userPassword: "******"\n"
)
messages = self.waitForMessages(isLastExpectedMessage)
print "Received %d messages" % len(messages)
self.assertEquals(4,
len(messages),
"Did not receive the expected number of messages")
def test_ldap_change_password_bad_original_password(self):
def isLastExpectedMessage(msg):
return ((msg["type"] == "Authentication") and
(msg["Authentication"]["status"] ==
"NT_STATUS_WRONG_PASSWORD") and
(msg["Authentication"]["serviceDescription"] ==
"LDAP Password Change") and
(msg["Authentication"]["authDescription"] ==
"LDAP Modify"))
new_password = samba.generate_random_password(32, 32)
try:
self.ldb.modify_ldif(
"dn: cn=" + USER_NAME + ",cn=users," + self.base_dn + "\n" +
"changetype: modify\n" +
"delete: userPassword\n" +
"userPassword: "******"badPassword" + "\n" +
"add: userPassword\n" +
"userPassword: "******"\n")
self.fail()
except LdbError as e1:
(num, msg) = e1.args
pass
messages = self.waitForMessages(isLastExpectedMessage)
print("Received %d messages" % len(messages))
self.assertEquals(4,
len(messages),
"Did not receive the expected number of messages")
def run(self, username=None, filter=None, credopts=None, sambaopts=None,
versionopts=None, H=None, newpassword=None,
must_change_at_next_login=False, random_password=False):
if filter is None and username is None:
raise CommandError("Either the username or '--filter' must be specified!")
if random_password:
password = generate_random_password(128, 255)
else:
password = newpassword
while 1:
if password is not None and password is not '':
break
password = getpass("New Password: "******"(&(objectClass=user)(sAMAccountName=%s))" % (ldb.binary_encode(username))
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
try:
samdb.setpassword(filter, password,
force_change_at_next_login=must_change_at_next_login,
username=username)
except Exception, msg:
# FIXME: catch more specific exception
raise CommandError("Failed to set password for user '%s': %s" % (username or filter, msg))
def run(self, username, password=None, credopts=None, sambaopts=None,
versionopts=None, H=None, must_change_at_next_login=False,
random_password=False, use_username_as_cn=False, userou=None,
surname=None, given_name=None, initials=None, profile_path=None,
script_path=None, home_drive=None, home_directory=None,
job_title=None, department=None, company=None, description=None,
mail_address=None, internet_address=None, telephone_number=None,
physical_delivery_office=None):
if random_password:
password = generate_random_password(128, 255)
while True:
if password is not None and password is not '':
break
password = getpass("New Password: "******"Retype Password: "******"Sorry, passwords do not match.\n")
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
try:
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
samdb.newuser(username, password, force_password_change_at_next_login_req=must_change_at_next_login,
useusernameascn=use_username_as_cn, userou=userou, surname=surname, givenname=given_name, initials=initials,
profilepath=profile_path, homedrive=home_drive, scriptpath=script_path, homedirectory=home_directory,
jobtitle=job_title, department=department, company=company, description=description,
mailaddress=mail_address, internetaddress=internet_address,
telephonenumber=telephone_number, physicaldeliveryoffice=physical_delivery_office)
except Exception, e:
raise CommandError("Failed to add user '%s': " % username, e)
def run(self, username=None, filter=None, credopts=None, sambaopts=None,
versionopts=None, H=None, newpassword=None,
must_change_at_next_login=False, random_password=False,
smartcard_required=False, clear_smartcard_required=False):
if filter is None and username is None:
raise CommandError("Either the username or '--filter' must be specified!")
password = newpassword
if smartcard_required:
if password is not None and password is not '':
raise CommandError('It is not allowed to specifiy '
'--newpassword '
'together with --smartcard-required.')
if must_change_at_next_login:
raise CommandError('It is not allowed to specifiy '
'--must-change-at-next-login '
'together with --smartcard-required.')
if clear_smartcard_required:
raise CommandError('It is not allowed to specifiy '
'--clear-smartcard-required '
'together with --smartcard-required.')
if random_password and not smartcard_required:
password = generate_random_password(128, 255)
while True:
if smartcard_required:
break
if password is not None and password is not '':
break
password = getpass("New Password: "******"Retype Password: "******"Sorry, passwords do not match.\n")
if filter is None:
filter = "(&(objectClass=user)(sAMAccountName=%s))" % (ldb.binary_encode(username))
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
if smartcard_required:
command = ""
try:
command = "Failed to set UF_SMARTCARD_REQUIRED for user '%s'" % (username or filter)
flags = dsdb.UF_SMARTCARD_REQUIRED
samdb.toggle_userAccountFlags(filter, flags, on=True)
command = "Failed to enable account for user '%s'" % (username or filter)
samdb.enable_account(filter)
except Exception, msg:
# FIXME: catch more specific exception
raise CommandError("%s: %s" % (command, msg))
self.outf.write("Added UF_SMARTCARD_REQUIRED OK\n")
def join_subdomain(server=None, creds=None, lp=None, site=None, netbios_name=None,
targetdir=None, parent_domain=None, dnsdomain=None, netbios_domain=None):
"""join as a DC"""
ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, parent_domain)
ctx.subdomain = True
ctx.parent_domain_name = ctx.domain_name
ctx.domain_name = netbios_domain
ctx.realm = dnsdomain
ctx.parent_dnsdomain = ctx.dnsdomain
ctx.parent_partition_dn = ctx.get_parent_partition_dn()
ctx.dnsdomain = dnsdomain
ctx.partition_dn = "CN=%s,CN=Partitions,%s" % (ctx.domain_name, ctx.config_dn)
ctx.base_dn = samba.dn_from_dns_name(dnsdomain)
ctx.domsid = str(security.random_sid())
ctx.acct_dn = None
ctx.dnshostname = "%s.%s" % (ctx.myname, ctx.dnsdomain)
ctx.trustdom_pass = samba.generate_random_password(128, 128)
ctx.userAccountControl = samba.dsdb.UF_SERVER_TRUST_ACCOUNT | samba.dsdb.UF_TRUSTED_FOR_DELEGATION
ctx.SPNs.append('E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/%s' % ctx.dnsdomain)
ctx.secure_channel_type = misc.SEC_CHAN_BDC
ctx.replica_flags = (drsuapi.DRSUAPI_DRS_WRIT_REP |
drsuapi.DRSUAPI_DRS_INIT_SYNC |
drsuapi.DRSUAPI_DRS_PER_SYNC |
drsuapi.DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS |
drsuapi.DRSUAPI_DRS_NEVER_SYNCED)
ctx.domain_replica_flags = ctx.replica_flags
ctx.do_join()
print "Created domain %s (SID %s) as a DC" % (ctx.domain_name, ctx.domsid)
def update_dns_account_password(samdb, secrets_ldb, names):
"""Update (change) the password of the dns both in the SAM db and in
secret one
:param samdb: An LDB object related to the sam.ldb file of a given provision
:param secrets_ldb: An LDB object related to the secrets.ldb file of a given
provision
:param names: List of key provision parameters"""
expression = "samAccountName=dns-%s" % names.netbiosname
secrets_msg = secrets_ldb.search(expression=expression)
if len(secrets_msg) == 1:
res = samdb.search(expression=expression, attrs=[])
assert len(res) == 1
msg = ldb.Message(res[0].dn)
machinepass = samba.generate_random_password(128, 255)
mputf16 = machinepass.encode("utf-16-le")
msg["clearTextPassword"] = ldb.MessageElement(mputf16, ldb.FLAG_MOD_REPLACE, "clearTextPassword")
samdb.modify(msg)
res = samdb.search(expression=expression, attrs=["msDs-keyVersionNumber"])
assert len(res) == 1
kvno = str(res[0]["msDs-keyVersionNumber"])
msg = ldb.Message(secrets_msg[0].dn)
msg["secret"] = ldb.MessageElement(machinepass, ldb.FLAG_MOD_REPLACE, "secret")
msg["msDS-KeyVersionNumber"] = ldb.MessageElement(kvno, ldb.FLAG_MOD_REPLACE, "msDS-KeyVersionNumber")
secrets_ldb.modify(msg)
def create_machine_account(cls):
cls.machine_pass = samba.generate_random_password(32, 32)
cls.machine_name = MACHINE_NAME
cls.machine_dn = "cn=%s,%s" % (cls.machine_name, cls.ldb.domain_dn())
# remove the account if it exists, this will happen if a previous test
# run failed
delete_force(cls.ldb, cls.machine_dn)
utf16pw = ('"%s"' % cls.machine_pass).encode('utf-16-le')
cls.ldb.add({
"dn":
cls.machine_dn,
"objectclass":
"computer",
"sAMAccountName":
"%s$" % cls.machine_name,
"userAccountControl":
str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
"unicodePwd":
utf16pw
})
cls.machine_creds = Credentials()
cls.machine_creds.guess(cls.lp)
cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper())
cls.machine_creds.set_domain(cls.ldb.domain_netbios_name().upper())
cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
cls.machine_creds.set_password(cls.machine_pass)
cls.machine_creds.set_username(cls.machine_name + "$")
cls.machine_creds.set_workstation(cls.machine_name)
def test_ldap_change_password_bad_user(self):
def isLastExpectedMessage(msg):
return (msg["type"] == "Authorization" and
msg["Authorization"]["serviceDescription"] == "LDAP" and
msg["Authorization"]["authType"] == "krb5")
new_password = samba.generate_random_password(32, 32)
try:
self.ldb.modify_ldif(
"dn: cn=" + "badUser" + ",cn=users," + self.base_dn + "\n" +
"changetype: modify\n" +
"delete: userPassword\n" +
"userPassword: "******"\n" +
"add: userPassword\n" +
"userPassword: "******"\n")
self.fail()
except LdbError as e:
(num, msg) = e.args
pass
messages = self.waitForMessages(isLastExpectedMessage)
print("Received %d messages" % len(messages))
self.assertEquals(3,
len(messages),
"Did not receive the expected number of messages")
def SetPassword(self):
if not self._check_session():
return json.dumps(self.AuthErr);
try:
rid = request.params.get("rid",self.rid)
username = request.params.get("account","")
password = request.params.get("password",samba.generate_random_password(7,15))
#response.write(password);
if(self.model.isAuthenticate()):
if(not self.model.SetPassword(username,password)):
raise Exception(self.model.LastErrorNumber,self.model.LastErrorStr)
UnlockUserAccount = request.params.get("UnlockUserAccount",False)
if(UnlockUserAccount != False):
if(not self.model.EnableAccount(rid,username,True)):
raise Exception(self.model.LastErrorNumber,self.model.LastErrorStr)
ForcePasswordChange = request.params.get("ForcePasswordChange","off").strip();
if(ForcePasswordChange == "on"):
if(not self.model.ForcePasswordChangeAtNextLogin(rid,username)):
raise Exception(self.model.LastErrorNumber,self.model.LastErrorStr)
else:
if(not self.model.ForcePasswordChangeAtNextLogin(rid,username,False)):
raise Exception(self.model.LastErrorNumber,self.model.LastErrorStr)
except Exception,e:
if(len(e.args)>1):
return json.dumps({'success': False, 'msg': e.args[1],'num':e.args[0]})
else:
return json.dumps({'success': False, 'msg': e.args,'num':-1})
def create_user_account(cls):
cls.user_pass = samba.generate_random_password(32, 32)
cls.user_name = USER_NAME
cls.user_dn = "cn=%s,%s" % (cls.user_name, cls.ldb.domain_dn())
# remove the account if it exists, this will happen if a previous test
# run failed
delete_force(cls.ldb, cls.user_dn)
utf16pw = ('"%s"' % cls.user_pass).encode('utf-16-le')
cls.ldb.add({
"dn": cls.user_dn,
"objectclass": "user",
"sAMAccountName": "%s" % cls.user_name,
"userAccountControl": str(UF_NORMAL_ACCOUNT),
"unicodePwd": utf16pw
})
cls.user_creds = Credentials()
cls.user_creds.guess(cls.lp)
cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper())
cls.user_creds.set_domain(cls.ldb.domain_netbios_name().upper())
cls.user_creds.set_password(cls.user_pass)
cls.user_creds.set_username(cls.user_name)
cls.user_creds.set_workstation(cls.machine_name)
def test_supplementalCredentials_cleartext_pso(self):
"""Checks that a PSO's cleartext setting can override the domain's"""
# create a user that stores plain-text passwords
self.add_user(clear_text=True)
# check that clear-text is present in the supplementary-credentials
self.assert_cleartext(expect_cleartext=True, password=USER_PASS)
# create a PSO overriding the plain-text setting & apply it to the user
no_plaintext_pso = PasswordSettings("no-plaintext-PSO",
self.ldb,
precedence=200,
store_plaintext=False)
self.addCleanup(self.ldb.delete, no_plaintext_pso.dn)
userdn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
no_plaintext_pso.apply_to(userdn)
# set the password to update the cleartext password stored
new_password = samba.generate_random_password(32, 32)
self.ldb.setpassword("(sAMAccountName=%s)" % USER_NAME, new_password)
# this time cleartext shouldn't be in the supplementary creds
self.assert_cleartext(expect_cleartext=False)
# unapply PSO, update password, and check we get the cleartext again
no_plaintext_pso.unapply(userdn)
new_password = samba.generate_random_password(32, 32)
self.ldb.setpassword("(sAMAccountName=%s)" % USER_NAME, new_password)
self.assert_cleartext(expect_cleartext=True, password=new_password)
# Now update the domain setting and check we no longer get cleartext
self.set_store_cleartext(False)
new_password = samba.generate_random_password(32, 32)
self.ldb.setpassword("(sAMAccountName=%s)" % USER_NAME, new_password)
self.assert_cleartext(expect_cleartext=False)
# create a PSO overriding the domain setting & apply it to the user
plaintext_pso = PasswordSettings("plaintext-PSO",
self.ldb,
precedence=100,
store_plaintext=True)
self.addCleanup(self.ldb.delete, plaintext_pso.dn)
plaintext_pso.apply_to(userdn)
new_password = samba.generate_random_password(32, 32)
self.ldb.setpassword("(sAMAccountName=%s)" % USER_NAME, new_password)
self.assert_cleartext(expect_cleartext=True, password=new_password)
def test_supplementalCredentials_cleartext_pso(self):
"""Checks that a PSO's cleartext setting can override the domain's"""
# create a user that stores plain-text passwords
self.add_user(clear_text=True)
# check that clear-text is present in the supplementary-credentials
self.assert_cleartext(expect_cleartext=True, password=USER_PASS)
# create a PSO overriding the plain-text setting & apply it to the user
no_plaintext_pso = PasswordSettings("no-plaintext-PSO", self.ldb,
precedence=200,
store_plaintext=False)
self.addCleanup(self.ldb.delete, no_plaintext_pso.dn)
userdn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
no_plaintext_pso.apply_to(userdn)
# set the password to update the cleartext password stored
new_password = samba.generate_random_password(32, 32)
self.ldb.setpassword("(sAMAccountName=%s)" % USER_NAME, new_password)
# this time cleartext shouldn't be in the supplementary creds
self.assert_cleartext(expect_cleartext=False)
# unapply PSO, update password, and check we get the cleartext again
no_plaintext_pso.unapply(userdn)
new_password = samba.generate_random_password(32, 32)
self.ldb.setpassword("(sAMAccountName=%s)" % USER_NAME, new_password)
self.assert_cleartext(expect_cleartext=True, password=new_password)
# Now update the domain setting and check we no longer get cleartext
self.set_store_cleartext(False)
new_password = samba.generate_random_password(32, 32)
self.ldb.setpassword("(sAMAccountName=%s)" % USER_NAME, new_password)
self.assert_cleartext(expect_cleartext=False)
# create a PSO overriding the domain setting & apply it to the user
plaintext_pso = PasswordSettings("plaintext-PSO", self.ldb,
precedence=100, store_plaintext=True)
self.addCleanup(self.ldb.delete, plaintext_pso.dn)
plaintext_pso.apply_to(userdn)
new_password = samba.generate_random_password(32, 32)
self.ldb.setpassword("(sAMAccountName=%s)" % USER_NAME, new_password)
self.assert_cleartext(expect_cleartext=True, password=new_password)
def setUp(self):
super(DirsyncBaseTests, self).setUp()
self.ldb_admin = SamDB(ldapshost, credentials=creds, session_info=system_session(lp), lp=lp)
self.base_dn = self.ldb_admin.domain_dn()
self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
self.user_pass = samba.generate_random_password(12, 16)
self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
#used for anonymous login
print("baseDN: %s" % self.base_dn)
def set_admin_password(logger, samdb, username):
"""Sets a randomly generated password for the backup DB's admin user"""
adminpass = samba.generate_random_password(12, 32)
logger.info("Setting %s password in backup to: %s" % (username, adminpass))
logger.info("Run 'samba-tool user setpassword %s' after restoring DB" %
username)
samdb.setpassword("(&(objectClass=user)(sAMAccountName=%s))"
% ldb.binary_encode(username), adminpass,
force_change_at_next_login=False,
username=username)
def run(self, username, password=None, credopts=None, sambaopts=None,
versionopts=None, H=None, must_change_at_next_login=False,
random_password=False, use_username_as_cn=False, userou=None,
surname=None, given_name=None, initials=None, profile_path=None,
script_path=None, home_drive=None, home_directory=None,
job_title=None, department=None, company=None, description=None,
mail_address=None, internet_address=None, telephone_number=None,
physical_delivery_office=None, rfc2307_from_nss=False,
uid=None, uid_number=None, gid_number=None, gecos=None, login_shell=None):
if random_password:
password = generate_random_password(128, 255)
while True:
if password is not None and password is not '':
break
password = getpass("New Password: "******"Retype Password: "******"Sorry, passwords do not match.\n")
if rfc2307_from_nss:
pwent = pwd.getpwnam(username)
if uid is None:
uid = username
if uid_number is None:
uid_number = pwent[2]
if gid_number is None:
gid_number = pwent[3]
if gecos is None:
gecos = pwent[4]
if login_shell is None:
login_shell = pwent[6]
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
if uid_number or gid_number:
if not lp.get("idmap_ldb:use rfc2307"):
self.outf.write("You are setting a Unix/RFC2307 UID or GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.\n")
try:
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
samdb.newuser(username, password, force_password_change_at_next_login_req=must_change_at_next_login,
useusernameascn=use_username_as_cn, userou=userou, surname=surname, givenname=given_name, initials=initials,
profilepath=profile_path, homedrive=home_drive, scriptpath=script_path, homedirectory=home_directory,
jobtitle=job_title, department=department, company=company, description=description,
mailaddress=mail_address, internetaddress=internet_address,
telephonenumber=telephone_number, physicaldeliveryoffice=physical_delivery_office,
uid=uid, uidnumber=uid_number, gidnumber=gid_number, gecos=gecos, loginshell=login_shell)
except Exception, e:
raise CommandError("Failed to add user '%s': " % username, e)
def create_user_account(self, user_id):
self.user_name = ("SAMR_USER_%d" % user_id)
self.user_pass = generate_random_password(32, 32)
self.user_dn = "cn=%s,cn=users,%s" % (self.user_name, self.samdb.domain_dn())
samba.tests.delete_force(self.samdb, self.user_dn)
self.samdb.newuser(self.user_name,
self.user_pass,
description="Password for " + self.user_name + " is " + self.user_pass,
givenname=self.user_name,
surname=self.user_name)
def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd):
if not self.configured:
return None
self.__populate_remote_domain(realm, realm_server, realm_admin, realm_passwd)
if not self.remote_domain.read_only:
trustdom_pass = samba.generate_random_password(128, 128)
self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
self.local_domain.establish_trust(self.remote_domain, trustdom_pass)
result = self.remote_domain.verify_trust(self.local_domain)
return dict(local=self.local_domain, remote=self.remote_domain, verified=result)
return None
def join_subdomain(server=None,
creds=None,
lp=None,
site=None,
netbios_name=None,
targetdir=None,
parent_domain=None,
dnsdomain=None,
netbios_domain=None,
machinepass=None):
"""join as a DC"""
ctx = dc_join(server, creds, lp, site, netbios_name, targetdir,
parent_domain, machinepass)
ctx.subdomain = True
ctx.parent_domain_name = ctx.domain_name
ctx.domain_name = netbios_domain
ctx.realm = dnsdomain
ctx.parent_dnsdomain = ctx.dnsdomain
ctx.parent_partition_dn = ctx.get_parent_partition_dn()
ctx.dnsdomain = dnsdomain
ctx.partition_dn = "CN=%s,CN=Partitions,%s" % (ctx.domain_name,
ctx.config_dn)
ctx.naming_master = ctx.get_naming_master()
if ctx.naming_master != ctx.server:
print("Reconnecting to naming master %s" % ctx.naming_master)
ctx.server = ctx.naming_master
ctx.samdb = SamDB(url="ldap://%s" % ctx.server,
session_info=system_session(),
credentials=ctx.creds,
lp=ctx.lp)
ctx.base_dn = samba.dn_from_dns_name(dnsdomain)
ctx.domsid = str(security.random_sid())
ctx.acct_dn = None
ctx.dnshostname = "%s.%s" % (ctx.myname, ctx.dnsdomain)
ctx.trustdom_pass = samba.generate_random_password(128, 128)
ctx.userAccountControl = samba.dsdb.UF_SERVER_TRUST_ACCOUNT | samba.dsdb.UF_TRUSTED_FOR_DELEGATION
ctx.SPNs.append('E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/%s' %
ctx.dnsdomain)
ctx.secure_channel_type = misc.SEC_CHAN_BDC
ctx.replica_flags = (drsuapi.DRSUAPI_DRS_WRIT_REP
| drsuapi.DRSUAPI_DRS_INIT_SYNC
| drsuapi.DRSUAPI_DRS_PER_SYNC
| drsuapi.DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
| drsuapi.DRSUAPI_DRS_NEVER_SYNCED)
ctx.domain_replica_flags = ctx.replica_flags
ctx.do_join()
print "Created domain %s (SID %s) as a DC" % (ctx.domain_name, ctx.domsid)
def setUp(self):
super(DirsyncBaseTests, self).setUp()
self.ldb_admin = SamDB(ldapshost,
credentials=creds,
session_info=system_session(lp),
lp=lp)
self.base_dn = self.ldb_admin.domain_dn()
self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
self.user_pass = samba.generate_random_password(12, 16)
self.configuration_dn = self.ldb_admin.get_config_basedn(
).get_linearized()
self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
#used for anonymous login
print("baseDN: %s" % self.base_dn)
def create_account(self, name, machine_account=False, spn=None, upn=None):
'''Create an account for testing.
The dn of the created account is added to self.accounts,
which is used by tearDown to clean up the created accounts.
'''
dn = "cn=%s,%s" % (name, self.ldb.domain_dn())
# remove the account if it exists, this will happen if a previous test
# run failed
delete_force(self.ldb, dn)
if machine_account:
object_class = "computer"
account_name = "%s$" % name
account_control = str(UF_WORKSTATION_TRUST_ACCOUNT)
else:
object_class = "user"
account_name = name
account_control = str(UF_NORMAL_ACCOUNT)
password = generate_random_password(32, 32)
utf16pw = ('"%s"' % password).encode('utf-16-le')
details = {
"dn": dn,
"objectclass": object_class,
"sAMAccountName": account_name,
"userAccountControl": account_control,
"unicodePwd": utf16pw
}
if spn is not None:
details["servicePrincipalName"] = spn
if upn is not None:
details["userPrincipalName"] = upn
self.ldb.add(details)
creds = Credentials()
creds.guess(self.lp)
creds.set_realm(self.ldb.domain_dns_name().upper())
creds.set_domain(self.ldb.domain_netbios_name().upper())
creds.set_password(password)
creds.set_username(account_name)
if machine_account:
creds.set_workstation(name)
#
# Save the account name so it can be deleted in the tearDown
self.accounts.append(dn)
return (creds, dn)
def update_krbtgt_account_password(samdb, names):
"""Update (change) the password of the krbtgt account
:param samdb: An LDB object related to the sam.ldb file of a given provision
:param names: List of key provision parameters"""
expression = "samAccountName=krbtgt"
res = samdb.search(expression=expression, attrs=[])
assert len(res) == 1
msg = ldb.Message(res[0].dn)
machinepass = samba.generate_random_password(128, 255)
mputf16 = machinepass.encode("utf-16-le")
msg["clearTextPassword"] = ldb.MessageElement(mputf16, ldb.FLAG_MOD_REPLACE, "clearTextPassword")
samdb.modify(msg)
def update_krbtgt_account_password(samdb, names):
"""Update (change) the password of the krbtgt account
:param samdb: An LDB object related to the sam.ldb file of a given provision
:param names: List of key provision parameters"""
expression = "samAccountName=krbtgt"
res = samdb.search(expression=expression, attrs=[])
assert(len(res) == 1)
msg = ldb.Message(res[0].dn)
machinepass = samba.generate_random_password(128, 255)
mputf16 = machinepass.encode('utf-16-le')
msg["clearTextPassword"] = ldb.MessageElement(mputf16,
ldb.FLAG_MOD_REPLACE,
"clearTextPassword")
samdb.modify(msg)
def join_ad_full_credentials(self, realm, realm_server, realm_admin,
realm_passwd):
if not self.configured:
return None
self.__populate_remote_domain(realm, realm_server, realm_admin,
realm_passwd)
if not self.remote_domain.read_only:
trustdom_pass = samba.generate_random_password(128, 128)
self.remote_domain.establish_trust(self.local_domain,
trustdom_pass)
self.local_domain.establish_trust(self.remote_domain,
trustdom_pass)
result = self.remote_domain.verify_trust(self.local_domain)
return dict(local=self.local_domain,
remote=self.remote_domain,
verified=result)
return None
def do_Netr_ServerPasswordSet2(self):
c = self.get_netlogon_connection()
(authenticator, subsequent) = self.get_authenticator(c)
PWD_LEN = 32
DATA_LEN = 512
newpass = samba.generate_random_password(PWD_LEN, PWD_LEN)
filler = [ord(x) for x in os.urandom(DATA_LEN - PWD_LEN)]
pwd = netlogon.netr_CryptPassword()
pwd.length = PWD_LEN
pwd.data = filler + [ord(x) for x in newpass]
self.machine_creds.encrypt_netr_crypt_password(pwd)
c.netr_ServerPasswordSet2(self.server,
self.machine_creds.get_workstation(),
SEC_CHAN_WKSTA, self.machine_name,
authenticator, pwd)
self.machine_pass = newpass
self.machine_creds.set_password(newpass)
def netlogon(self):
server = os.environ["SERVER"]
host = os.environ["SERVER_IP"]
lp = self.get_loadparm()
credentials = self.get_credentials()
session = system_session()
ldb = SamDB(url="ldap://%s" % host,
session_info=session,
credentials=credentials,
lp=lp)
machine_pass = samba.generate_random_password(32, 32)
machine_name = MACHINE_NAME
machine_dn = "cn=%s,%s" % (machine_name, ldb.domain_dn())
delete_force(ldb, machine_dn)
utf16pw = ('"%s"' % get_string(machine_pass)).encode('utf-16-le')
ldb.add({
"dn":
machine_dn,
"objectclass":
"computer",
"sAMAccountName":
"%s$" % machine_name,
"userAccountControl":
str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
"unicodePwd":
utf16pw
})
machine_creds = Credentials()
machine_creds.guess(lp)
machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
machine_creds.set_password(machine_pass)
machine_creds.set_username(machine_name + "$")
machine_creds.set_workstation(machine_name)
netlogon.netlogon("ncacn_ip_tcp:%s[schannel,seal]" % server, lp,
machine_creds)
delete_force(ldb, machine_dn)
def set_password(self, **kwargs):
try:
con = self.connection_service.connection()
except Exception as e:
return ResponseStatus(status.HTTP_500_INTERNAL_SERVER_ERROR,
'Invalid server details "%s": ' % (e), None)
request = kwargs['request']
username = request['username']
password = request['password']
random_password = request['random_password']
must_change_at_next_login = False
if random_password == True:
password = generate_random_password(128, 255)
must_change_at_next_login = True
print(must_change_at_next_login)
filter = "(&(objectClass=user)(sAMAccountName=%s))" % (
ldb.binary_encode(username))
exp = ("(&(sAMAccountName=%s)(sAMAccountType=805306368))" %
ldb.binary_encode(username))
domain_dn = con.domain_dn()
try:
res = con.search(base=domain_dn,
scope=ldb.SCOPE_SUBTREE,
expression=exp,
attrs=["dn"])
if (len(res) == 0):
return ResponseStatus(status.HTTP_404_NOT_FOUND,
'no user "%s"' % username, None)
except Exception as e:
return ResponseStatus(
status.HTTP_400_BAD_REQUEST,
'unable to find user "%s": %s' % (username, e), None)
try:
con.setpassword(
filter,
password,
force_change_at_next_login=must_change_at_next_login,
username=username)
except Exception as e:
return ResponseStatus(status.HTTP_409_CONFLICT, None, None)
return ResponseStatus(status.HTTP_200_OK, None, None)
def update_machine_account_password(samdb, secrets_ldb, names):
"""Update (change) the password of the current DC both in the SAM db and in
secret one
:param samdb: An LDB object related to the sam.ldb file of a given provision
:param secrets_ldb: An LDB object related to the secrets.ldb file of a given
provision
:param names: List of key provision parameters"""
expression = "samAccountName=%s$" % names.netbiosname
secrets_msg = secrets_ldb.search(expression=expression,
attrs=["secureChannelType"])
if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
res = samdb.search(expression=expression, attrs=[])
assert (len(res) == 1)
msg = ldb.Message(res[0].dn)
machinepass = samba.generate_random_password(128, 255)
mputf16 = machinepass.encode('utf-16-le')
msg["clearTextPassword"] = ldb.MessageElement(mputf16,
ldb.FLAG_MOD_REPLACE,
"clearTextPassword")
samdb.modify(msg)
res = samdb.search(expression=("samAccountName=%s$" %
names.netbiosname),
attrs=["msDs-keyVersionNumber"])
assert (len(res) == 1)
kvno = int(str(res[0]["msDs-keyVersionNumber"]))
secChanType = int(secrets_msg[0]["secureChannelType"][0])
secretsdb_self_join(secrets_ldb,
domain=names.domain,
realm=names.realm,
domainsid=names.domainsid,
dnsdomain=names.dnsdomain,
netbiosname=names.netbiosname,
machinepass=machinepass,
key_version_number=kvno,
secure_channel_type=secChanType)
else:
raise ProvisioningError("Unable to find a Secure Channel"
"of type SEC_CHAN_BDC")
def join_subdomain(server=None, creds=None, lp=None, site=None,
netbios_name=None, targetdir=None, parent_domain=None, dnsdomain=None,
netbios_domain=None, machinepass=None, use_ntvfs=False,
dns_backend=None):
"""Join as a DC."""
ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, parent_domain,
machinepass, use_ntvfs, dns_backend)
ctx.subdomain = True
ctx.parent_domain_name = ctx.domain_name
ctx.domain_name = netbios_domain
ctx.realm = dnsdomain
ctx.parent_dnsdomain = ctx.dnsdomain
ctx.parent_partition_dn = ctx.get_parent_partition_dn()
ctx.dnsdomain = dnsdomain
ctx.partition_dn = "CN=%s,CN=Partitions,%s" % (ctx.domain_name, ctx.config_dn)
ctx.naming_master = ctx.get_naming_master()
if ctx.naming_master != ctx.server:
print("Reconnecting to naming master %s" % ctx.naming_master)
ctx.server = ctx.naming_master
ctx.samdb = SamDB(url="ldap://%s" % ctx.server,
session_info=system_session(),
credentials=ctx.creds, lp=ctx.lp)
ctx.base_dn = samba.dn_from_dns_name(dnsdomain)
ctx.domsid = str(security.random_sid())
ctx.acct_dn = None
ctx.dnshostname = "%s.%s" % (ctx.myname, ctx.dnsdomain)
ctx.trustdom_pass = samba.generate_random_password(128, 128)
ctx.userAccountControl = samba.dsdb.UF_SERVER_TRUST_ACCOUNT | samba.dsdb.UF_TRUSTED_FOR_DELEGATION
ctx.SPNs.append('E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/%s' % ctx.dnsdomain)
ctx.secure_channel_type = misc.SEC_CHAN_BDC
ctx.replica_flags = (drsuapi.DRSUAPI_DRS_WRIT_REP |
drsuapi.DRSUAPI_DRS_INIT_SYNC |
drsuapi.DRSUAPI_DRS_PER_SYNC |
drsuapi.DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS |
drsuapi.DRSUAPI_DRS_NEVER_SYNCED)
ctx.domain_replica_flags = ctx.replica_flags
ctx.do_join()
print "Created domain %s (SID %s) as a DC" % (ctx.domain_name, ctx.domsid)
def test_ldap_change_password_bad_user(self):
def isLastExpectedMessage(msg):
return (msg["type"] == "Authorization" and
msg["Authorization"]["serviceDescription"]
== "LDAP" and
msg["Authorization"]["authType"] == "krb5")
new_password = samba.generate_random_password(32,32)
try:
self.ldb.modify_ldif(
"dn: cn=" + "badUser" + ",cn=users," + self.base_dn + "\n" +
"changetype: modify\n" +
"delete: userPassword\n" +
"userPassword: "******"\n" +
"add: userPassword\n" +
"userPassword: "******"\n"
)
self.fail()
except LdbError, (num, msg):
pass
def test_ldap_change_password(self):
def isLastExpectedMessage(msg):
return ((msg["type"] == "Authentication")
and (msg["Authentication"]["status"] == "NT_STATUS_OK")
and (msg["Authentication"]["serviceDescription"]
== "LDAP Password Change") and
(msg["Authentication"]["authDescription"] == "LDAP Modify")
and (msg["Authentication"]["eventId"]
== EVT_ID_SUCCESSFUL_LOGON) and
(msg["Authentication"]["logonType"] == EVT_LOGON_NETWORK))
new_password = samba.generate_random_password(32, 32)
self.ldb.modify_ldif("dn: cn=" + USER_NAME + ",cn=users," +
self.base_dn + "\n" + "changetype: modify\n" +
"delete: userPassword\n" + "userPassword: "******"\n" + "add: userPassword\n" +
"userPassword: "******"\n")
self.assertTrue(self.waitForMessages(isLastExpectedMessage),
"Did not receive the expected message")
def set_admin_password(logger, samdb):
"""Sets a randomly generated password for the backup DB's admin user"""
# match the admin user by RID
domainsid = samdb.get_domain_sid()
match_admin = "(objectsid=%s-%s)" % (domainsid,
security.DOMAIN_RID_ADMINISTRATOR)
search_expr = "(&(objectClass=user)%s)" % (match_admin,)
# retrieve the admin username (just in case it's been renamed)
res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
expression=search_expr)
username = str(res[0]['samaccountname'])
adminpass = samba.generate_random_password(12, 32)
logger.info("Setting %s password in backup to: %s" % (username, adminpass))
logger.info("Run 'samba-tool user setpassword %s' after restoring DB" %
username)
samdb.setpassword(search_expr, adminpass, force_change_at_next_login=False,
username=username)
def test_ldap_change_password_bad_user(self):
def isLastExpectedMessage(msg):
return (msg["type"] == "Authorization" and
msg["Authorization"]["serviceDescription"]
== "LDAP" and
msg["Authorization"]["authType"] == "krb5")
new_password = samba.generate_random_password(32,32)
try:
self.ldb.modify_ldif(
"dn: cn=" + "badUser" + ",cn=users," + self.base_dn + "\n" +
"changetype: modify\n" +
"delete: userPassword\n" +
"userPassword: "******"\n" +
"add: userPassword\n" +
"userPassword: "******"\n"
)
self.fail()
except LdbError, (num, msg):
pass
def setUp(self):
super(DsdbTests, self).setUp()
self.lp = samba.tests.env_loadparm()
self.creds = Credentials()
self.creds.guess(self.lp)
self.session = system_session()
self.samdb = SamDB(session_info=self.session,
credentials=self.creds,
lp=self.lp)
# Create a test user
user_name = "dsdb-user-" + str(uuid.uuid4().hex[0:6])
user_pass = samba.generate_random_password(32, 32)
user_description = "Test user for dsdb test"
base_dn = self.samdb.domain_dn()
self.account_dn = "CN=" + user_name + ",CN=Users," + base_dn
self.samdb.newuser(username=user_name,
password=user_pass,
description=user_description)
# Cleanup (teardown)
self.addCleanup(delete_force, self.samdb, self.account_dn)
# Get server reference DN
res = self.samdb.search(base=ldb.Dn(self.samdb,
self.samdb.get_serverName()),
scope=ldb.SCOPE_BASE,
attrs=["serverReference"])
# Get server reference
self.server_ref_dn = ldb.Dn(
self.samdb, res[0]["serverReference"][0].decode("utf-8"))
# Get RID Set DN
res = self.samdb.search(base=self.server_ref_dn,
scope=ldb.SCOPE_BASE,
attrs=["rIDSetReferences"])
rid_set_refs = res[0]
self.assertIn("rIDSetReferences", rid_set_refs)
rid_set_str = rid_set_refs["rIDSetReferences"][0].decode("utf-8")
self.rid_set_dn = ldb.Dn(self.samdb, rid_set_str)
def test_ldap_change_password(self):
dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
self.discardSetupMessages(dn)
new_password = samba.generate_random_password(32, 32)
dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
self.ldb.modify_ldif(
"dn: " + dn + "\n" +
"changetype: modify\n" +
"delete: userPassword\n" +
"userPassword: "******"\n" +
"add: userPassword\n" +
"userPassword: "******"\n")
messages = self.waitForMessages(1)
print("Received %d messages" % len(messages))
self.assertEquals(1,
len(messages),
"Did not receive the expected number of messages")
audit = messages[0]["dsdbChange"]
self.assertEquals("Modify", audit["operation"])
self.assertFalse(audit["performedAsSystem"])
self.assertEquals(dn, audit["dn"])
self.assertRegexpMatches(audit["remoteAddress"],
self.remoteAddress)
self.assertTrue(self.is_guid(audit["sessionId"]))
session_id = self.get_session()
self.assertEquals(session_id, audit["sessionId"])
service_description = self.get_service_description()
self.assertEquals(service_description, "LDAP")
attributes = audit["attributes"]
self.assertEquals(1, len(attributes))
actions = attributes["userPassword"]["actions"]
self.assertEquals(2, len(actions))
self.assertTrue(actions[0]["redacted"])
self.assertEquals("delete", actions[0]["action"])
self.assertTrue(actions[1]["redacted"])
self.assertEquals("add", actions[1]["action"])
def update_dns_account_password(samdb, secrets_ldb, names):
"""Update (change) the password of the dns both in the SAM db and in
secret one
:param samdb: An LDB object related to the sam.ldb file of a given provision
:param secrets_ldb: An LDB object related to the secrets.ldb file of a given
provision
:param names: List of key provision parameters"""
expression = "samAccountName=dns-%s" % names.netbiosname
secrets_msg = secrets_ldb.search(expression=expression)
if len(secrets_msg) == 1:
res = samdb.search(expression=expression, attrs=[])
assert(len(res) == 1)
msg = ldb.Message(res[0].dn)
machinepass = samba.generate_random_password(128, 255)
mputf16 = machinepass.encode('utf-16-le')
msg["clearTextPassword"] = ldb.MessageElement(mputf16,
ldb.FLAG_MOD_REPLACE,
"clearTextPassword")
samdb.modify(msg)
res = samdb.search(expression=expression,
attrs=["msDs-keyVersionNumber"])
assert(len(res) == 1)
kvno = str(res[0]["msDs-keyVersionNumber"])
msg = ldb.Message(secrets_msg[0].dn)
msg["secret"] = ldb.MessageElement(machinepass,
ldb.FLAG_MOD_REPLACE,
"secret")
msg["msDS-KeyVersionNumber"] = ldb.MessageElement(kvno,
ldb.FLAG_MOD_REPLACE,
"msDS-KeyVersionNumber")
secrets_ldb.modify(msg)
else:
raise ProvisioningError("Unable to find an object"
" with %s" % expression )
def update_machine_account_password(samdb, secrets_ldb, names):
"""Update (change) the password of the current DC both in the SAM db and in
secret one
:param samdb: An LDB object related to the sam.ldb file of a given provision
:param secrets_ldb: An LDB object related to the secrets.ldb file of a given
provision
:param names: List of key provision parameters"""
expression = "samAccountName=%s$" % names.netbiosname
secrets_msg = secrets_ldb.search(expression=expression,
attrs=["secureChannelType"])
if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
res = samdb.search(expression=expression, attrs=[])
assert(len(res) == 1)
msg = ldb.Message(res[0].dn)
machinepass = samba.generate_random_password(128, 255)
mputf16 = machinepass.encode('utf-16-le')
msg["clearTextPassword"] = ldb.MessageElement(mputf16,
ldb.FLAG_MOD_REPLACE,
"clearTextPassword")
samdb.modify(msg)
res = samdb.search(expression=("samAccountName=%s$" % names.netbiosname),
attrs=["msDs-keyVersionNumber"])
assert(len(res) == 1)
kvno = int(str(res[0]["msDs-keyVersionNumber"]))
secChanType = int(secrets_msg[0]["secureChannelType"][0])
secretsdb_self_join(secrets_ldb, domain=names.domain,
realm=names.realm,
domainsid=names.domainsid,
dnsdomain=names.dnsdomain,
netbiosname=names.netbiosname,
machinepass=machinepass,
key_version_number=kvno,
secure_channel_type=secChanType)
else:
raise ProvisioningError("Unable to find a Secure Channel"
"of type SEC_CHAN_BDC")
def create(self, **kwargs):
try:
con = self.connection_service.connection()
except Exception as e:
return ResponseStatus(status.HTTP_500_INTERNAL_SERVER_ERROR,
'Invalid server details "%s": ' % (e), None)
request = kwargs['request']
username = request['username']
print(username)
userou = "OU=" + request['userou']
password = request['password']
random_password = request['random_password']
must_change_at_next_login = False
if random_password == True:
password = generate_random_password(128, 255)
must_change_at_next_login = True
print(must_change_at_next_login)
try:
con.newuser(username,
password,
force_password_change_at_next_login_req=
must_change_at_next_login,
userou=userou,
surname=request['surname'],
givenname=request['name'],
company=request['company'],
telephonenumber=request['telephone'],
description=request['description'],
mailaddress=request['mail_address'])
except Exception as e:
return ResponseStatus(
status.HTTP_409_CONFLICT,
'Failed to create user "%s": %s' % (request['username'], e),
None)
return ResponseStatus(status.HTTP_201_CREATED, request['username'],
None)
def do_Netr_ServerPasswordSet2(self):
c = self.get_netlogon_connection()
(authenticator, subsequent) = self.get_authenticator(c)
PWD_LEN = 32
DATA_LEN = 512
newpass = samba.generate_random_password(PWD_LEN, PWD_LEN)
encoded = newpass.encode('utf-16-le')
pwd_len = len(encoded)
filler = [ord(x) for x in os.urandom(DATA_LEN-pwd_len)]
pwd = netlogon.netr_CryptPassword()
pwd.length = pwd_len
pwd.data = filler + [ord(x) for x in encoded]
self.machine_creds.encrypt_netr_crypt_password(pwd)
c.netr_ServerPasswordSet2(self.server,
self.machine_creds.get_workstation(),
SEC_CHAN_WKSTA,
self.machine_name,
authenticator,
pwd)
self.machine_pass = newpass
self.machine_creds.set_password(newpass)
def setUp(self):
super(DsdbTests, self).setUp()
self.lp = samba.tests.env_loadparm()
self.creds = Credentials()
self.creds.guess(self.lp)
self.session = system_session()
self.samdb = SamDB(session_info=self.session,
credentials=self.creds,
lp=self.lp)
# Create a test user
user_name = "samdb-testuser"
user_pass = samba.generate_random_password(32, 32)
user_description = "Test user for dsdb test"
base_dn = self.samdb.domain_dn()
self.account_dn = "cn=" + user_name + ",cn=Users," + base_dn
delete_force(self.samdb, self.account_dn)
self.samdb.newuser(username=user_name,
password=user_pass,
description=user_description)
def test_ldap_change_password_bad_original_password(self):
def isLastExpectedMessage(msg):
return (msg["type"] == "Authentication" and
msg["Authentication"]["status"]
== "NT_STATUS_WRONG_PASSWORD" and
msg["Authentication"]["serviceDescription"]
== "LDAP Password Change" and
msg["Authentication"]["authDescription"]
== "LDAP Modify")
new_password = samba.generate_random_password(32,32)
try:
self.ldb.modify_ldif(
"dn: cn=" + USER_NAME + ",cn=users," + self.base_dn + "\n" +
"changetype: modify\n" +
"delete: userPassword\n" +
"userPassword: "******"badPassword" + "\n" +
"add: userPassword\n" +
"userPassword: "******"\n"
)
self.fail()
except LdbError, (num, msg):
pass
def setUp(self):
super(DsdbTests, self).setUp()
self.lp = samba.tests.env_loadparm()
self.creds = Credentials()
self.creds.guess(self.lp)
self.session = system_session()
self.samdb = SamDB(session_info=self.session,
credentials=self.creds,
lp=self.lp)
# Create a test user
user_name = "dsdb-user-" + str(uuid.uuid4().hex[0:6])
user_pass = samba.generate_random_password(32, 32)
user_description = "Test user for dsdb test"
base_dn = self.samdb.domain_dn()
self.account_dn = "cn=" + user_name + ",cn=Users," + base_dn
self.samdb.newuser(username=user_name,
password=user_pass,
description=user_description)
# Cleanup (teardown)
self.addCleanup(delete_force, self.samdb, self.account_dn)
def create_machine_account(self):
self.machine_pass = samba.generate_random_password(32, 32)
self.machine_name = MACHINE_NAME
self.machine_dn = "cn=%s,%s" % (self.machine_name, self.ldb.domain_dn())
# remove the account if it exists, this will happen if a previous test
# run failed
delete_force(self.ldb, self.machine_dn)
# get unicode str for both py2 and py3
pass_unicode = self.machine_pass.encode('utf-8').decode('utf-8')
utf16pw = u'"{}"'.format(pass_unicode).encode('utf-16-le')
self.ldb.add({
"dn": self.machine_dn,
"objectclass": "computer",
"sAMAccountName": "%s$" % self.machine_name,
"userAccountControl":
str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
"unicodePwd": utf16pw})
self.machine_creds = Credentials()
self.machine_creds.guess(self.get_loadparm())
self.machine_creds.set_password(self.machine_pass)
self.machine_creds.set_username(self.machine_name + "$")
self.machine_creds.set_workstation(self.machine_name)
def run(self, username, password=None, credopts=None, sambaopts=None,
versionopts=None, H=None, must_change_at_next_login=False,
random_password=False, use_username_as_cn=False, userou=None,
surname=None, given_name=None, initials=None, profile_path=None,
script_path=None, home_drive=None, home_directory=None,
job_title=None, department=None, company=None, description=None,
mail_address=None, internet_address=None, telephone_number=None,
physical_delivery_office=None, rfc2307_from_nss=False,
nis_domain=None, unix_home=None, uid=None, uid_number=None,
gid_number=None, gecos=None, login_shell=None,
smartcard_required=False):
if smartcard_required:
if password is not None and password is not '':
raise CommandError('It is not allowed to specifiy '
'--newpassword '
'together with --smartcard-required.')
if must_change_at_next_login:
raise CommandError('It is not allowed to specifiy '
'--must-change-at-next-login '
'together with --smartcard-required.')
if random_password and not smartcard_required:
password = generate_random_password(128, 255)
while True:
if smartcard_required:
break
if password is not None and password is not '':
break
password = getpass("New Password: "******"Retype Password: "******"Sorry, passwords do not match.\n")
if rfc2307_from_nss:
pwent = pwd.getpwnam(username)
if uid is None:
uid = username
if uid_number is None:
uid_number = pwent[2]
if gid_number is None:
gid_number = pwent[3]
if gecos is None:
gecos = pwent[4]
if login_shell is None:
login_shell = pwent[6]
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
if uid_number or gid_number:
if not lp.get("idmap_ldb:use rfc2307"):
self.outf.write("You are setting a Unix/RFC2307 UID or GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.\n")
if nis_domain is not None:
if None in (uid_number, login_shell, unix_home, gid_number):
raise CommandError('Missing parameters. To enable NIS features, '
'the following options have to be given: '
'--nis-domain=, --uidNumber=, --login-shell='
', --unix-home=, --gid-number= Operation '
'cancelled.')
try:
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
samdb.newuser(username, password, force_password_change_at_next_login_req=must_change_at_next_login,
useusernameascn=use_username_as_cn, userou=userou, surname=surname, givenname=given_name, initials=initials,
profilepath=profile_path, homedrive=home_drive, scriptpath=script_path, homedirectory=home_directory,
jobtitle=job_title, department=department, company=company, description=description,
mailaddress=mail_address, internetaddress=internet_address,
telephonenumber=telephone_number, physicaldeliveryoffice=physical_delivery_office,
nisdomain=nis_domain, unixhome=unix_home, uid=uid,
uidnumber=uid_number, gidnumber=gid_number,
gecos=gecos, loginshell=login_shell,
smartcard_required=smartcard_required)
except Exception, e:
raise CommandError("Failed to add user '%s': " % username, e)
def AddUser(self):
try:
if not self._check_session():
return json.dumps(self.AuthErr);
username = request.params.get("username","")
password = request.params.get("password",samba.generate_random_password(7,15))
fullname = request.params.get("fullname","")
description = request.params.get("description","")
iscopy = request.params.get("iscopy","false")
changepassword = request.params.get("changepassword","false");
if(changepassword!="false"):
changepassword = True
else:
changepassword = False
cannotchangepassword = request.params.get("cannotchangepassword","false");
if(cannotchangepassword!="false"):
cannotchangepassword = True
else:
cannotchangepassword = False
passwordexpires = request.params.get("passwordexpires","false");
if(passwordexpires!="false"):
passwordexpires = True
else:
passwordexpires = False
disable = request.params.get("disable","false");
if(disable!="false"):
disable = True
else:
disable = False
rid = self.model.AddUser(username);
if rid == False:
raise Exception(self.model.LastErrorNumber,self.model.LastErrorStr)
if(iscopy!="false"):
self.iscopy=True;
self.rid=rid;
self.UpdateUser();
else:
user = User(username,fullname,description,rid);
user.must_change_password = changepassword;
user.cannot_change_password = cannotchangepassword;
user.password_never_expires = passwordexpires;
user.account_disabled = disable;
if not self.model.UpdateUser(user):
raise Exception(self.model.LastErrorNumber,self.model.LastErrorStr)
if(not self.model.SetPassword(username,password)):
raise Exception(self.model.LastErrorNumber,self.model.LastErrorStr)
except Exception,e:
if(len(e.args)>1):
return json.dumps({'success': False, 'msg': e.args[1],'num':e.args[0]})
else:
return json.dumps({'success': False, 'msg': e.args,'num':-1})
def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=False, dns_backend=None, use_ntvfs=False):
"""Upgrade from samba3 database to samba4 AD database
:param samba3: samba3 object
:param logger: Logger object
:param targetdir: samba4 database directory
:param session_info: Session information
"""
serverrole = samba3.lp.server_role()
domainname = samba3.lp.get("workgroup")
realm = samba3.lp.get("realm")
netbiosname = samba3.lp.get("netbios name")
if samba3.lp.get("ldapsam:trusted") is None:
samba3.lp.set("ldapsam:trusted", "yes")
# secrets db
try:
secrets_db = samba3.get_secrets_db()
except IOError as e:
raise ProvisioningError(
"Could not open '%s', the Samba3 secrets database: %s. Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option?"
% (samba3.privatedir_path("secrets.tdb"), str(e))
)
if not domainname:
domainname = secrets_db.domains()[0]
logger.warning("No workgroup specified in smb.conf file, assuming '%s'", domainname)
if not realm:
if serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC":
raise ProvisioningError(
"No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create."
)
else:
realm = domainname.upper()
logger.warning("No realm specified in smb.conf file, assuming '%s'", realm)
# Find machine account and password
next_rid = 1000
try:
machinepass = secrets_db.get_machine_password(netbiosname)
except KeyError:
machinepass = None
if samba3.lp.get("passdb backend").split(":")[0].strip() == "ldapsam":
base_dn = samba3.lp.get("ldap suffix")
ldapuser = samba3.lp.get("ldap admin dn")
ldappass = secrets_db.get_ldap_bind_pw(ldapuser)
if ldappass is None:
raise ProvisioningError(
"ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation."
)
ldappass = ldappass.strip("\x00")
ldap = True
else:
ldapuser = None
ldappass = None
ldap = False
# We must close the direct pytdb database before the C code loads it
secrets_db.close()
# Connect to old password backend
passdb.set_secrets_dir(samba3.lp.get("private dir"))
s3db = samba3.get_sam_db()
# Get domain sid
try:
domainsid = passdb.get_global_sam_sid()
except passdb.error:
raise Exception("Can't find domain sid for '%s', Exiting." % domainname)
# Get machine account, sid, rid
try:
machineacct = s3db.getsampwnam("%s$" % netbiosname)
except passdb.error:
machinerid = None
machinesid = None
else:
machinesid, machinerid = machineacct.user_sid.split()
# Export account policy
logger.info("Exporting account policy")
policy = s3db.get_account_policy()
# Export groups from old passdb backend
logger.info("Exporting groups")
grouplist = s3db.enum_group_mapping()
groupmembers = {}
for group in grouplist:
sid, rid = group.sid.split()
if sid == domainsid:
if rid >= next_rid:
next_rid = rid + 1
# Get members for each group/alias
if group.sid_name_use == lsa.SID_NAME_ALIAS:
try:
members = s3db.enum_aliasmem(group.sid)
groupmembers[str(group.sid)] = members
except passdb.error as e:
logger.warn("Ignoring group '%s' %s listed but then not found: %s", group.nt_name, group.sid, e)
continue
elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
try:
members = s3db.enum_group_members(group.sid)
groupmembers[str(group.sid)] = members
except passdb.error as e:
logger.warn("Ignoring group '%s' %s listed but then not found: %s", group.nt_name, group.sid, e)
continue
elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
(group_dom_sid, rid) = group.sid.split()
if group_dom_sid != security.dom_sid(security.SID_BUILTIN):
logger.warn(
"Ignoring 'well known' group '%s' (should already be in AD, and have no members)", group.nt_name
)
continue
# A number of buggy databases mix up well known groups and aliases.
try:
members = s3db.enum_aliasmem(group.sid)
groupmembers[str(group.sid)] = members
except passdb.error as e:
logger.warn("Ignoring group '%s' %s listed but then not found: %s", group.nt_name, group.sid, e)
continue
else:
logger.warn("Ignoring group '%s' %s with sid_name_use=%d", group.nt_name, group.sid, group.sid_name_use)
continue
# Export users from old passdb backend
logger.info("Exporting users")
userlist = s3db.search_users(0)
userdata = {}
uids = {}
admin_user = None
for entry in userlist:
if machinerid and machinerid == entry["rid"]:
continue
username = entry["account_name"]
if entry["rid"] < 1000:
logger.info(" Skipping wellknown rid=%d (for username=%s)", entry["rid"], username)
continue
if entry["rid"] >= next_rid:
next_rid = entry["rid"] + 1
user = s3db.getsampwnam(username)
acct_type = user.acct_ctrl & (samr.ACB_NORMAL | samr.ACB_WSTRUST | samr.ACB_SVRTRUST | samr.ACB_DOMTRUST)
if acct_type == samr.ACB_SVRTRUST:
logger.warn(
" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'"
% username[:-1]
)
user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST
elif acct_type == samr.ACB_DOMTRUST:
logger.warn(
" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust"
% username[:-1]
)
continue
elif acct_type == (samr.ACB_WSTRUST) and username[-1] != "$":
logger.warn(
" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration."
% username
)
continue
elif acct_type == (samr.ACB_NORMAL | samr.ACB_WSTRUST) and username[-1] == "$":
logger.warn(
" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member"
% username
)
user.acct_ctrl = user.acct_ctrl & ~samr.ACB_NORMAL
elif acct_type == (samr.ACB_NORMAL | samr.ACB_SVRTRUST) and username[-1] == "$":
logger.warn(
" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member"
% username
)
user.acct_ctrl = user.acct_ctrl & ~samr.ACB_NORMAL
elif acct_type == 0 and username[-1] != "$":
user.acct_ctrl = user.acct_ctrl | samr.ACB_NORMAL
elif acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST:
pass
else:
raise ProvisioningError(
"""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of
ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X).
Please fix this account before attempting to upgrade again
"""
% (username, user.acct_ctrl, samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST)
)
userdata[username] = user
try:
uids[username] = s3db.sid_to_id(user.user_sid)[0]
except passdb.error:
try:
uids[username] = pwd.getpwnam(username).pw_uid
except KeyError:
pass
if not admin_user and username.lower() == "root":
admin_user = username
if username.lower() == "administrator":
admin_user = username
try:
group_memberships = s3db.enum_group_memberships(user)
for group in group_memberships:
if str(group) in groupmembers:
if user.user_sid not in groupmembers[str(group)]:
groupmembers[str(group)].append(user.user_sid)
else:
groupmembers[str(group)] = [user.user_sid]
except passdb.error as e:
logger.warn("Ignoring group memberships of '%s' %s: %s", username, user.user_sid, e)
logger.info("Next rid = %d", next_rid)
# Check for same username/groupname
group_names = set([g.nt_name for g in grouplist])
user_names = set([u["account_name"] for u in userlist])
common_names = group_names.intersection(user_names)
if common_names:
logger.error("Following names are both user names and group names:")
for name in common_names:
logger.error(" %s" % name)
raise ProvisioningError("Please remove common user/group names before upgrade.")
# Check for same user sid/group sid
group_sids = set([str(g.sid) for g in grouplist])
if len(grouplist) != len(group_sids):
raise ProvisioningError("Please remove duplicate group sid entries before upgrade.")
user_sids = set(["%s-%u" % (domainsid, u["rid"]) for u in userlist])
if len(userlist) != len(user_sids):
raise ProvisioningError("Please remove duplicate user sid entries before upgrade.")
common_sids = group_sids.intersection(user_sids)
if common_sids:
logger.error("Following sids are both user and group sids:")
for sid in common_sids:
logger.error(" %s" % str(sid))
raise ProvisioningError("Please remove duplicate sid entries before upgrade.")
# Get posix attributes from ldap or the os
homes = {}
shells = {}
pgids = {}
if ldap:
creds = Credentials()
creds.guess(samba3.lp)
creds.set_bind_dn(ldapuser)
creds.set_password(ldappass)
urls = samba3.lp.get("passdb backend").split(":", 1)[1].strip('"')
for url in urls.split():
try:
ldb_object = Ldb(url, credentials=creds)
except ldb.LdbError as e:
raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
else:
break
logger.info("Exporting posix attributes")
userlist = s3db.search_users(0)
for entry in userlist:
username = entry["account_name"]
if username in uids.keys():
try:
if ldap:
homes[username] = get_posix_attr_from_ldap_backend(
logger, ldb_object, base_dn, username, "homeDirectory"
)
else:
homes[username] = pwd.getpwnam(username).pw_dir
except KeyError:
pass
except IndexError:
pass
try:
if ldap:
shells[username] = get_posix_attr_from_ldap_backend(
logger, ldb_object, base_dn, username, "loginShell"
)
else:
shells[username] = pwd.getpwnam(username).pw_shell
except KeyError:
pass
except IndexError:
pass
try:
if ldap:
pgids[username] = get_posix_attr_from_ldap_backend(
logger, ldb_object, base_dn, username, "gidNumber"
)
else:
pgids[username] = pwd.getpwnam(username).pw_gid
except KeyError:
pass
except IndexError:
pass
logger.info("Reading WINS database")
samba3_winsdb = None
try:
samba3_winsdb = samba3.get_wins_db()
except IOError as e:
logger.warn("Cannot open wins database, Ignoring: %s", str(e))
if not (serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC"):
dns_backend = "NONE"
# If we found an admin user, set a fake pw that we will override.
# This avoids us printing out an admin password that we won't actually
# set.
if admin_user:
adminpass = generate_random_password(12, 32)
else:
adminpass = None
# Do full provision
result = provision(
logger,
session_info,
targetdir=targetdir,
realm=realm,
domain=domainname,
domainsid=domainsid,
next_rid=next_rid,
dc_rid=machinerid,
adminpass=adminpass,
dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
hostname=netbiosname.lower(),
machinepass=machinepass,
serverrole=serverrole,
samdb_fill=FILL_FULL,
useeadb=useeadb,
dns_backend=dns_backend,
use_rfc2307=True,
use_ntvfs=use_ntvfs,
skip_sysvolacl=True,
)
result.report_logger(logger)
# Import WINS database
logger.info("Importing WINS database")
if samba3_winsdb:
import_wins(Ldb(result.paths.winsdb), samba3_winsdb)
# Set Account policy
logger.info("Importing Account policy")
import_sam_policy(result.samdb, policy, logger)
# Migrate IDMAP database
logger.info("Importing idmap database")
import_idmap(result.idmap, samba3, logger)
# Set the s3 context for samba4 configuration
new_lp_ctx = s3param.get_context()
new_lp_ctx.load(result.lp.configfile)
new_lp_ctx.set("private dir", result.lp.get("private dir"))
new_lp_ctx.set("state directory", result.lp.get("state directory"))
new_lp_ctx.set("lock directory", result.lp.get("lock directory"))
# Connect to samba4 backend
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
# Start a new transaction (should speed this up a little, due to index churn)
result.samdb.transaction_start()
logger.info("Adding groups")
try:
# Export groups to samba4 backend
logger.info("Importing groups")
for g in grouplist:
# Ignore uninitialized groups (gid = -1)
if g.gid != -1:
add_group_from_mapping_entry(result.samdb, g, logger)
add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, "ID_TYPE_GID", logger)
add_posix_attrs(
samdb=result.samdb,
sid=g.sid,
name=g.nt_name,
nisdomain=domainname.lower(),
xid_type="ID_TYPE_GID",
logger=logger,
)
except:
# We need this, so that we do not give even more errors due to not cancelling the transaction
result.samdb.transaction_cancel()
raise
logger.info("Committing 'add groups' transaction to disk")
result.samdb.transaction_commit()
logger.info("Adding users")
# Start a new transaction (should speed this up a little, due to index churn)
result.samdb.transaction_start()
try:
# Export users to samba4 backend
logger.info("Importing users")
for username in userdata:
if username.lower() == "administrator":
if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
logger.error(
"User 'Administrator' in your existing directory has SID %s, expected it to be %s"
% (userdata[username].user_sid, dom_sid(str(domainsid) + "-500"))
)
raise ProvisioningError(
"User 'Administrator' in your existing directory does not have SID ending in -500"
)
if username.lower() == "root":
if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
logger.warn("User root has been replaced by Administrator")
else:
logger.warn(
"User root has been kept in the directory, it should be removed in favour of the Administrator user"
)
s4_passdb.add_sam_account(userdata[username])
if username in uids:
add_ad_posix_idmap_entry(
result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger
)
if (
(username in homes)
and (homes[username] is not None)
and (username in shells)
and (shells[username] is not None)
and (username in pgids)
and (pgids[username] is not None)
):
add_posix_attrs(
samdb=result.samdb,
sid=userdata[username].user_sid,
name=username,
nisdomain=domainname.lower(),
xid_type="ID_TYPE_UID",
home=homes[username],
shell=shells[username],
pgid=pgids[username],
logger=logger,
)
except:
# We need this, so that we do not give even more errors due to not cancelling the transaction
result.samdb.transaction_cancel()
raise
logger.info("Committing 'add users' transaction to disk")
result.samdb.transaction_commit()
logger.info("Adding users to groups")
# Start a new transaction (should speed this up a little, due to index churn)
result.samdb.transaction_start()
try:
for g in grouplist:
if str(g.sid) in groupmembers:
add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
except:
# We need this, so that we do not give even more errors due to not cancelling the transaction
result.samdb.transaction_cancel()
raise
logger.info("Committing 'add users to groups' transaction to disk")
result.samdb.transaction_commit()
# Set password for administrator
if admin_user:
logger.info("Setting password for administrator")
admin_userdata = s4_passdb.getsampwnam("administrator")
admin_userdata.nt_passwd = userdata[admin_user].nt_passwd
if userdata[admin_user].lanman_passwd:
admin_userdata.lanman_passwd = userdata[admin_user].lanman_passwd
admin_userdata.pass_last_set_time = userdata[admin_user].pass_last_set_time
if userdata[admin_user].pw_history:
admin_userdata.pw_history = userdata[admin_user].pw_history
s4_passdb.update_sam_account(admin_userdata)
logger.info("Administrator password has been set to password of user '%s'", admin_user)
if result.server_role == "active directory domain controller":
setsysvolacl(
result.samdb,
result.paths.netlogon,
result.paths.sysvol,
result.paths.root_uid,
result.paths.root_gid,
security.dom_sid(result.domainsid),
result.names.dnsdomain,
result.names.domaindn,
result.lp,
use_ntvfs,
)
logger.info("Reading WINS database")
samba3_winsdb = None
try:
samba3_winsdb = samba3.get_wins_db()
except IOError, e:
logger.warn('Cannot open wins database, Ignoring: %s', str(e))
if not (serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC"):
dns_backend = "NONE"
# If we found an admin user, set a fake pw that we will override.
# This avoids us printing out an admin password that we won't actually
# set.
if admin_user:
adminpass = generate_random_password(12, 32)
else:
adminpass = None
# Do full provision
result = provision(logger, session_info,
targetdir=targetdir, realm=realm, domain=domainname,
domainsid=str(domainsid), next_rid=next_rid,
dc_rid=machinerid, adminpass = adminpass,
dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
hostname=netbiosname.lower(), machinepass=machinepass,
serverrole=serverrole, samdb_fill=FILL_FULL,
useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True,
use_ntvfs=use_ntvfs, skip_sysvolacl=True)
result.report_logger(logger)
from samba.auth import system_session
from samba.tests import TestCase
from samba.ndr import ndr_unpack
from samba.dcerpc import drsblobs
from samba.dcerpc.samr import DOMAIN_PASSWORD_STORE_CLEARTEXT
from samba.dsdb import UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
from samba.tests import delete_force
import ldb
import os
import samba
import binascii
import md5
USER_NAME = "PasswordHashTestUser"
USER_PASS = samba.generate_random_password(32,32)
UPN = "*****@*****.**"
# Get named package from the passed supplemental credentials
#
# returns the package and it's position within the supplemental credentials
def get_package(sc, name):
if sc is None:
return None
idx = 0
for p in sc.sub.packages:
idx += 1
if name == p.name:
return (idx, p)
def __init__(ctx, server=None, creds=None, lp=None, site=None,
netbios_name=None, targetdir=None, domain=None):
ctx.creds = creds
ctx.lp = lp
ctx.site = site
ctx.netbios_name = netbios_name
ctx.targetdir = targetdir
ctx.creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
ctx.net = Net(creds=ctx.creds, lp=ctx.lp)
if server is not None:
ctx.server = server
else:
print("Finding a writeable DC for domain '%s'" % domain)
ctx.server = ctx.find_dc(domain)
print("Found DC %s" % ctx.server)
ctx.samdb = SamDB(url="ldap://%s" % ctx.server,
session_info=system_session(),
credentials=ctx.creds, lp=ctx.lp)
ctx.myname = netbios_name
ctx.samname = "%s$" % ctx.myname
ctx.base_dn = str(ctx.samdb.get_default_basedn())
ctx.root_dn = str(ctx.samdb.get_root_basedn())
ctx.schema_dn = str(ctx.samdb.get_schema_basedn())
ctx.config_dn = str(ctx.samdb.get_config_basedn())
ctx.domsid = ctx.samdb.get_domain_sid()
ctx.domain_name = ctx.get_domain_name()
lp.set("workgroup", ctx.domain_name)
print("workgroup is %s" % ctx.domain_name)
ctx.dc_ntds_dn = ctx.get_dsServiceName()
ctx.dc_dnsHostName = ctx.get_dnsHostName()
ctx.behavior_version = ctx.get_behavior_version()
ctx.acct_pass = samba.generate_random_password(32, 40)
# work out the DNs of all the objects we will be adding
ctx.server_dn = "CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (ctx.myname, ctx.site, ctx.config_dn)
ctx.ntds_dn = "CN=NTDS Settings,%s" % ctx.server_dn
topology_base = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,%s" % ctx.base_dn
if ctx.dn_exists(topology_base):
ctx.topology_dn = "CN=%s,%s" % (ctx.myname, topology_base)
else:
ctx.topology_dn = None
ctx.dnsdomain = ldb.Dn(ctx.samdb, ctx.base_dn).canonical_str().split('/')[0]
ctx.realm = ctx.dnsdomain
lp.set("realm", ctx.realm)
print("realm is %s" % ctx.realm)
ctx.dnshostname = "%s.%s" % (ctx.myname.lower(), ctx.dnsdomain)
ctx.acct_dn = "CN=%s,OU=Domain Controllers,%s" % (ctx.myname, ctx.base_dn)
ctx.tmp_samdb = None
ctx.SPNs = [ "HOST/%s" % ctx.myname,
"HOST/%s" % ctx.dnshostname,
"GC/%s/%s" % (ctx.dnshostname, ctx.dnsdomain) ]
# these elements are optional
ctx.never_reveal_sid = None
ctx.reveal_sid = None
ctx.connection_dn = None
ctx.RODC = False
ctx.krbtgt_dn = None
ctx.drsuapi = None
ctx.managedby = None
