def run(self, account, sambaopts=None,
credopts=None, versionopts=None, server=None):
if server is None:
raise Exception("You must supply a server")
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
# connect to the remote and local SAMs
samdb = SamDB(url="ldap://%s" % server,
session_info=system_session(),
credentials=creds, lp=lp)
local_samdb = SamDB(url=None, session_info=system_session(),
credentials=creds, lp=lp)
# work out the source and destination GUIDs
dc_ntds_dn = self.get_dsServiceName(samdb)
res = samdb.search(base=dc_ntds_dn, scope=ldb.SCOPE_BASE, attrs=["invocationId"])
source_dsa_invocation_id = misc.GUID(local_samdb.schema_format_value("objectGUID", res[0]["invocationId"][0]))
dn = self.get_dn(samdb, account)
print "Replicating DN %s" % dn
destination_dsa_guid = misc.GUID(local_samdb.get_ntds_GUID())
local_samdb.transaction_start()
repl = drs_Replicate("ncacn_ip_tcp:%s[seal,print]" % server, lp, creds, local_samdb)
try:
repl.replicate(dn, source_dsa_invocation_id, destination_dsa_guid,
exop=drsuapi.DRSUAPI_EXOP_REPL_SECRET, rodc=True)
except Exception, e:
raise CommandError("Error replicating DN %s" % dn, e)
def join_provision_own_domain(ctx):
'''provision the local SAM'''
# we now operate exclusively on the local database, which
# we need to reopen in order to get the newly created schema
print("Reconnecting to local samdb")
ctx.samdb = SamDB(url=ctx.local_samdb.url,
session_info=system_session(),
lp=ctx.local_samdb.lp,
global_schema=False)
ctx.samdb.set_invocation_id(str(ctx.invocation_id))
ctx.local_samdb = ctx.samdb
print("Finding domain GUID from ncName")
res = ctx.local_samdb.search(base=ctx.partition_dn, scope=ldb.SCOPE_BASE, attrs=['ncName'],
controls=["extended_dn:1:1"])
domguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID')))
print("Got domain GUID %s" % domguid)
print("Calling own domain provision")
logger = logging.getLogger("provision")
logger.addHandler(logging.StreamHandler(sys.stdout))
secrets_ldb = Ldb(ctx.paths.secrets, session_info=system_session(), lp=ctx.lp)
presult = provision_fill(ctx.local_samdb, secrets_ldb,
logger, ctx.names, ctx.paths, domainsid=security.dom_sid(ctx.domsid),
domainguid=domguid,
targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN,
machinepass=ctx.acct_pass, serverrole="domain controller",
lp=ctx.lp, hostip=ctx.names.hostip, hostip6=ctx.names.hostip6)
print("Provision OK for domain %s" % ctx.names.dnsdomain)
def setUp(self):
super(MapTestCase, self).setUp()
ldb = Ldb(self.ldburl, lp=cmdline_loadparm, session_info=system_session())
ldif = read_datafile("provision_samba3sam.ldif")
ldb.add_ldif(self.samba4.subst(ldif))
self.setup_modules(ldb, self.samba3, self.samba4)
del ldb
self.ldb = Ldb(self.ldburl, lp=cmdline_loadparm, session_info=system_session())
def setUp(self):
super(Samba3SamTestCase, self).setUp()
ldb = Ldb(self.ldburl, lp=self.lp, session_info=system_session())
self.samba3.setup_data("samba3.ldif")
ldif = read_datafile("provision_samba3sam.ldif")
ldb.add_ldif(self.samba4.subst(ldif))
self.setup_modules(ldb, self.samba3, self.samba4)
del ldb
self.ldb = Ldb(self.ldburl, lp=self.lp, session_info=system_session())
def setUp(self):
super(EncryptedSecretsTests, self).setUp()
self.lp = samba.tests.env_loadparm()
self.creds = Credentials()
self.session = system_session()
self.creds.guess(self.lp)
self.session = system_session()
self.ldb = SamDB(session_info=self.session,
credentials=self.creds,
lp=self.lp)
def setUp(self):
super(MapTestCase, self).setUp()
ldb = Ldb(self.ldburl, lp=self.lp, session_info=system_session())
ldb.set_opaque("skip_allocate_sids", "true");
ldif = read_datafile("provision_samba3sam.ldif")
ldb.add_ldif(self.samba4.subst(ldif))
self.setup_modules(ldb, self.samba3, self.samba4)
del ldb
self.ldb = Ldb(self.ldburl, lp=self.lp, session_info=system_session())
self.ldb.set_opaque("skip_allocate_sids", "true");
def add_user(self, options=None, clear_text=False, ldb=None):
# set any needed options
if options is not None:
for (option, value) in options:
self.lp.set(option, value)
if ldb is None:
self.creds = Credentials()
self.session = system_session()
self.creds.guess(self.lp)
self.session = system_session()
self.ldb = SamDB(session_info=self.session,
credentials=self.creds,
lp=self.lp)
else:
self.ldb = ldb
res = self.ldb.search(base=self.ldb.get_config_basedn(),
expression="ncName=%s" % self.ldb.get_default_basedn(),
attrs=["nETBIOSName"])
self.netbios_domain = res[0]["nETBIOSName"][0]
self.dns_domain = self.ldb.domain_dns_name()
# Gets back the basedn
base_dn = self.ldb.domain_dn()
# Gets back the configuration basedn
configuration_dn = self.ldb.get_config_basedn().get_linearized()
# permit password changes during this test
PasswordCommon.allow_password_changes(self, self.ldb)
self.base_dn = self.ldb.domain_dn()
account_control = 0
if clear_text:
# Restore the current domain setting on exit.
pwdProperties = self.ldb.get_pwdProperties()
self.addCleanup(self.ldb.set_pwdProperties, pwdProperties)
# Update the domain setting
self.set_store_cleartext(clear_text)
account_control |= UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
# (Re)adds the test user USER_NAME with password USER_PASS
# and userPrincipalName UPN
delete_force(self.ldb, "cn=" + USER_NAME + ",cn=users," + self.base_dn)
self.ldb.add({
"dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn,
"objectclass": "user",
"sAMAccountName": USER_NAME,
"userPassword": USER_PASS,
"userPrincipalName": UPN,
"userAccountControl": str(account_control)
})
def run(self, *accounts, **kwargs):
sambaopts = kwargs.get("sambaopts")
credopts = kwargs.get("credopts")
versionpts = kwargs.get("versionopts")
server = kwargs.get("server")
accounts_file = kwargs.get("file")
if server is None:
raise Exception("You must supply a server")
if accounts_file is not None:
accounts = []
if accounts_file == "-":
for line in sys.stdin:
accounts.append(line.strip())
else:
for line in open(accounts_file, 'r'):
accounts.append(line.strip())
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
# connect to the remote and local SAMs
samdb = SamDB(url="ldap://%s" % server,
session_info=system_session(),
credentials=creds, lp=lp)
local_samdb = SamDB(url=None, session_info=system_session(),
credentials=creds, lp=lp)
destination_dsa_guid = misc.GUID(local_samdb.get_ntds_GUID())
repl = drs_Replicate("ncacn_ip_tcp:%s[seal,print]" % server, lp, creds,
local_samdb, destination_dsa_guid)
for account in accounts:
# work out the source and destination GUIDs
dc_ntds_dn = samdb.get_dsServiceName()
res = samdb.search(base=dc_ntds_dn, scope=ldb.SCOPE_BASE, attrs=["invocationId"])
source_dsa_invocation_id = misc.GUID(local_samdb.schema_format_value("objectGUID", res[0]["invocationId"][0]))
dn = self.get_dn(samdb, account)
self.outf.write("Replicating DN %s\n" % dn)
local_samdb.transaction_start()
try:
repl.replicate(dn, source_dsa_invocation_id, destination_dsa_guid,
exop=drsuapi.DRSUAPI_EXOP_REPL_SECRET, rodc=True)
except Exception, e:
local_samdb.transaction_cancel()
raise CommandError("Error replicating DN %s" % dn, e)
local_samdb.transaction_commit()
def ldif_to_samdb(dburl, lp, ldif_file, forced_local_dsa=None):
"""Routine to import all objects and attributes that are relevent
to the KCC algorithms from a previously exported LDIF file.
The point of this function is to allow a programmer/debugger to
import an LDIF file with non-security relevent information that
was previously extracted from a DC database. The LDIF file is used
to create a temporary abbreviated database. The KCC algorithm can
then run against this abbreviated database for debug or test
verification that the topology generated is computationally the
same between different OSes and algorithms.
:param dburl: path to the temporary abbreviated db to create
:param ldif_file: path to the ldif file to import
"""
if os.path.exists(dburl):
raise LdifError("Specify a database (%s) that doesn't already exist." %
dburl)
# Use ["modules:"] as we are attempting to build a sam
# database as opposed to start it here.
tmpdb = Ldb(url=dburl, session_info=system_session(),
lp=lp, options=["modules:"])
tmpdb.transaction_start()
try:
data = read_and_sub_file(ldif_file, None)
tmpdb.add_ldif(data, None)
if forced_local_dsa:
tmpdb.modify_ldif("""dn: @ROOTDSE
changetype: modify
replace: dsServiceName
dsServiceName: CN=NTDS Settings,%s
""" % forced_local_dsa)
tmpdb.add_ldif("""dn: @MODULES
@LIST: rootdse,extended_dn_in,extended_dn_out_ldb,objectguid
-
""")
except Exception as estr:
tmpdb.transaction_cancel()
raise LdifError("Failed to import %s: %s" % (ldif_file, estr))
tmpdb.transaction_commit()
# We have an abbreviated list of options here because we have built
# an abbreviated database. We use the rootdse and extended-dn
# modules only during this re-open
samdb = SamDB(url=dburl, session_info=system_session(), lp=lp)
return samdb
def run(self, file, use_ntvfs=False, use_s3fs=False,
as_sddl=False, xattr_backend=None, eadb_file=None,
credopts=None, sambaopts=None, versionopts=None,
service=None):
lp = sambaopts.get_loadparm()
try:
samdb = SamDB(session_info=system_session(),
lp=lp)
except Exception as e:
raise CommandError("Unable to open samdb:", e)
if not use_ntvfs and not use_s3fs:
use_ntvfs = "smb" in lp.get("server services")
elif use_s3fs:
use_ntvfs = False
s3conf = s3param.get_context()
s3conf.load(lp.configfile)
# ensure we are using the right samba_dsdb passdb backend, no matter what
s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
acl = getntacl(lp, file, xattr_backend, eadb_file, direct_db_access=use_ntvfs, service=service)
if as_sddl:
try:
domain_sid = security.dom_sid(samdb.domain_sid)
except:
raise CommandError("Unable to read domain SID from configuration files")
self.outf.write(acl.as_sddl(domain_sid)+"\n")
else:
self.outf.write(ndr_print(acl))
def test_join_time_ridalloc(self):
"""Perform a join against the RID manager and assert we have a RID Set"""
fsmo_dn = ldb.Dn(self.ldb_dc1, "CN=RID Manager$,CN=System," + self.ldb_dc1.domain_dn())
(fsmo_owner, fsmo_not_owner) = self._determine_fSMORoleOwner(fsmo_dn)
targetdir = self._test_join(fsmo_owner['dns_name'], "RIDALLOCTEST5")
try:
# Connect to the database
ldb_url = "tdb://%s" % os.path.join(targetdir, "private/sam.ldb")
smbconf = os.path.join(targetdir, "etc/smb.conf")
lp = self.get_loadparm()
new_ldb = SamDB(ldb_url, credentials=self.get_credentials(),
session_info=system_session(lp), lp=lp)
# 1. Get server name
res = new_ldb.search(base=ldb.Dn(new_ldb, new_ldb.get_serverName()),
scope=ldb.SCOPE_BASE, attrs=["serverReference"])
# 2. Get server reference
server_ref_dn = ldb.Dn(new_ldb, res[0]['serverReference'][0])
# 3. Assert we get the RID Set
res = new_ldb.search(base=server_ref_dn,
scope=ldb.SCOPE_BASE, attrs=['rIDSetReferences'])
self.assertTrue("rIDSetReferences" in res[0])
finally:
self._test_force_demote(fsmo_owner['dns_name'], "RIDALLOCTEST5")
shutil.rmtree(targetdir, ignore_errors=True)
def run(self, groupname, credopts=None, sambaopts=None, versionopts=None,
H=None, group_attrs=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
attrs = None
if group_attrs:
attrs = group_attrs.split(",")
filter = ("(&(sAMAccountType=%d)(sAMAccountName=%s))" %
( ATYPE_SECURITY_GLOBAL_GROUP,
ldb.binary_encode(groupname)))
domaindn = samdb.domain_dn()
try:
res = samdb.search(base=domaindn, expression=filter,
scope=ldb.SCOPE_SUBTREE, attrs=attrs)
user_dn = res[0].dn
except IndexError:
raise CommandError('Unable to find group "%s"' % (groupname))
for msg in res:
user_ldif = samdb.write_ldif(msg, ldb.CHANGETYPE_NONE)
self.outf.write(user_ldif)
def run(self, groupname, new_parent_dn, credopts=None, sambaopts=None,
versionopts=None, H=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
domain_dn = ldb.Dn(samdb, samdb.domain_dn())
filter = ("(&(sAMAccountName=%s)(objectClass=group))" %
groupname)
try:
res = samdb.search(base=domain_dn,
expression=filter,
scope=ldb.SCOPE_SUBTREE)
group_dn = res[0].dn
except IndexError:
raise CommandError('Unable to find group "%s"' % (groupname))
try:
full_new_parent_dn = samdb.normalize_dn_in_domain(new_parent_dn)
except Exception as e:
raise CommandError('Invalid new_parent_dn "%s": %s' %
(new_parent_dn, e.message))
full_new_group_dn = ldb.Dn(samdb, str(group_dn))
full_new_group_dn.remove_base_components(len(group_dn)-1)
full_new_group_dn.add_base(full_new_parent_dn)
try:
samdb.rename(group_dn, full_new_group_dn)
except Exception as e:
raise CommandError('Failed to move group "%s"' % groupname, e)
self.outf.write('Moved group "%s" into "%s"\n' %
(groupname, full_new_parent_dn))
def run(self, groupname, credopts=None, sambaopts=None, versionopts=None, H=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
filter = ("(&(sAMAccountName=%s)(objectClass=group))" %
groupname)
try:
res = samdb.search(base=samdb.domain_dn(),
scope=ldb.SCOPE_SUBTREE,
expression=filter,
attrs=["dn"])
group_dn = res[0].dn
except IndexError:
raise CommandError('Unable to find group "%s"' % (groupname))
try:
samdb.delete(group_dn)
except Exception as e:
# FIXME: catch more specific exception
raise CommandError('Failed to remove group "%s"' % groupname, e)
self.outf.write("Deleted group %s\n" % groupname)
def run(self, acl, file, use_ntvfs=False, use_s3fs=False,
quiet=False,xattr_backend=None,eadb_file=None,
credopts=None, sambaopts=None, versionopts=None,
service=None):
logger = self.get_logger()
lp = sambaopts.get_loadparm()
try:
samdb = SamDB(session_info=system_session(),
lp=lp)
except Exception as e:
raise CommandError("Unable to open samdb:", e)
if not use_ntvfs and not use_s3fs:
use_ntvfs = "smb" in lp.get("server services")
elif use_s3fs:
use_ntvfs = False
try:
domain_sid = security.dom_sid(samdb.domain_sid)
except:
raise CommandError("Unable to read domain SID from configuration files")
s3conf = s3param.get_context()
s3conf.load(lp.configfile)
# ensure we are using the right samba_dsdb passdb backend, no matter what
s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs, service=service)
if use_ntvfs:
logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")
def setUp(self):
super(SitesBaseTests, self).setUp()
self.ldb = SamDB(ldaphost, credentials=creds,
session_info=system_session(lp), lp=lp)
self.base_dn = self.ldb.domain_dn()
self.domain_sid = security.dom_sid(self.ldb.get_domain_sid())
self.configuration_dn = self.ldb.get_config_basedn().get_linearized()
def join_finalise(ctx):
"""finalise the join, mark us synchronised and setup secrets db"""
print "Sending DsReplicateUpdateRefs for all the partitions"
ctx.send_DsReplicaUpdateRefs(ctx.schema_dn)
ctx.send_DsReplicaUpdateRefs(ctx.config_dn)
ctx.send_DsReplicaUpdateRefs(ctx.base_dn)
print "Setting isSynchronized and dsServiceName"
m = ldb.Message()
m.dn = ldb.Dn(ctx.local_samdb, "@ROOTDSE")
m["isSynchronized"] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_REPLACE, "isSynchronized")
m["dsServiceName"] = ldb.MessageElement("<GUID=%s>" % str(ctx.ntds_guid), ldb.FLAG_MOD_REPLACE, "dsServiceName")
ctx.local_samdb.modify(m)
if ctx.subdomain:
return
secrets_ldb = Ldb(ctx.paths.secrets, session_info=system_session(), lp=ctx.lp)
print "Setting up secrets database"
secretsdb_self_join(
secrets_ldb,
domain=ctx.domain_name,
realm=ctx.realm,
dnsdomain=ctx.dnsdomain,
netbiosname=ctx.myname,
domainsid=security.dom_sid(ctx.domsid),
machinepass=ctx.acct_pass,
secure_channel_type=ctx.secure_channel_type,
key_version_number=ctx.key_version_number,
)
def run(self, user, credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
sam = SamDB(paths.samdb, session_info=system_session(),
credentials=creds, lp=lp)
# TODO once I understand how, use the domain info to naildown
# to the correct domain
(cleaneduser, realm, domain) = _get_user_realm_domain(user)
self.outf.write(cleaneduser+"\n")
res = sam.search(expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
scope=ldb.SCOPE_SUBTREE,
attrs=["servicePrincipalName"])
if len(res) >0:
spns = res[0].get("servicePrincipalName")
found = False
flag = ldb.FLAG_MOD_ADD
if spns != None:
self.outf.write(
"User %s has the following servicePrincipalName: \n" %
res[0].dn)
for e in spns:
self.outf.write("\t %s\n" % e)
else:
self.outf.write("User %s has no servicePrincipalName" %
res[0].dn)
else:
raise CommandError("User %s not found" % user)
def setUp(self):
super(SchemaTests_msDS_isRODC, self).setUp()
self.ldb = SamDB(host, credentials=creds,
session_info=system_session(lp), lp=lp, options=ldb_options)
res = self.ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["defaultNamingContext"])
self.assertEquals(len(res), 1)
self.base_dn = res[0]["defaultNamingContext"][0]
def __init__(
ctx,
server=None,
creds=None,
lp=None,
site=None,
netbios_name=None,
targetdir=None,
domain=None,
machinepass=None,
):
ctx.creds = creds
ctx.lp = lp
ctx.site = site
ctx.netbios_name = netbios_name
ctx.targetdir = targetdir
ctx.creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
ctx.net = Net(creds=ctx.creds, lp=ctx.lp)
if server is not None:
ctx.server = server
else:
print ("Finding a writeable DC for domain '%s'" % domain)
ctx.server = ctx.find_dc(domain)
print ("Found DC %s" % ctx.server)
ctx.samdb = SamDB(url="ldap://%s" % ctx.server, session_info=system_session(), credentials=ctx.creds, lp=ctx.lp)
try:
ctx.samdb.search(scope=ldb.SCOPE_ONELEVEL, attrs=["dn"])
except ldb.LdbError, (enum, estr):
raise DCJoinException(estr)
def run(self, username=None, filter=None, credopts=None, sambaopts=None,
versionopts=None, H=None, newpassword=None,
must_change_at_next_login=False, random_password=False):
if filter is None and username is None:
raise CommandError("Either the username or '--filter' must be specified!")
if random_password:
password = generate_random_password(128, 255)
else:
password = newpassword
while 1:
if password is not None and password is not '':
break
password = getpass("New Password: "******"(&(objectClass=user)(sAMAccountName={0!s}))".format((ldb.binary_encode(username)))
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
try:
samdb.setpassword(filter, password,
force_change_at_next_login=must_change_at_next_login,
username=username)
except Exception, msg:
# FIXME: catch more specific exception
raise CommandError("Failed to set password for user '{0!s}': {1!s}".format(username or filter, msg))
def setUp(self):
super(RodcCmdTestCase, self).setUp()
self.lp = samba.param.LoadParm()
self.lp.load(os.environ["SMB_CONF_PATH"])
self.creds = Credentials()
self.creds.set_username(os.environ["DC_USERNAME"])
self.creds.set_password(os.environ["DC_PASSWORD"])
self.creds.guess(self.lp)
self.session = system_session()
self.ldb = SamDB("ldap://" + os.environ["DC_SERVER"],
session_info=self.session, credentials=self.creds,lp=self.lp)
self.base_dn = self.ldb.domain_dn()
self.ldb.newuser("sambatool1", "1qazXSW@")
self.ldb.newuser("sambatool2", "2wsxCDE#")
self.ldb.newuser("sambatool3", "3edcVFR$")
self.ldb.newuser("sambatool4", "4rfvBGT%")
self.ldb.newuser("sambatool5", "5tjbNHY*")
self.ldb.newuser("sambatool6", "6yknMJU*")
self.ldb.add_remove_group_members("Allowed RODC Password Replication Group",
["sambatool1", "sambatool2", "sambatool3",
"sambatool4", "sambatool5"],
add_members_operation=True)
def deprovision(setup_path, lp, creds, firstorg=None, firstou=None, reporter=None):
"""Remote all configuration entries added by the OpenChange
installation.
:param setup_path: Path to the setup directory.
:param names: provision names object.
:param lp: Loadparm context
:param creds: Credentials Context
:param reporter: A progress reporter instance (subclass of AbstractProgressReporter)
"""
if reporter is None:
reporter = TextProgressReporter()
session_info = system_session()
lp.set("dsdb:schema update allowed", "yes")
names = guess_names_from_smbconf(lp, None, None)
samdb = SamDB(url=get_ldb_url(lp, creds, names), session_info=session_info,
credentials=creds, lp=lp)
try:
deprovision_schema(setup_path, names, lp, creds, reporter, "AD/oc_provision_configuration.ldif", "Remove Exchange configuration objects")
except LdbError, ldb_error:
print ("[!] error while deprovisioning the Exchange configuration"
" objects (%d): %s" % ldb_error.args)
def setUp(self):
super(AuthLogTestsNetLogonBadCreds, self).setUp()
self.lp = samba.tests.env_loadparm()
self.creds = Credentials()
self.session = system_session()
self.ldb = SamDB(
session_info=self.session,
credentials=self.creds,
lp=self.lp)
self.domain = os.environ["DOMAIN"]
self.netbios_name = "NetLogonBad"
self.machinepass = "******"
self.remoteAddress = AS_SYSTEM_MAGIC_PATH_TOKEN
self.base_dn = self.ldb.domain_dn()
self.dn = ("cn=%s,cn=users,%s" %
(self.netbios_name, self.base_dn))
utf16pw = unicode(
'"' + self.machinepass.encode('utf-8') + '"', 'utf-8'
).encode('utf-16-le')
self.ldb.add({
"dn": self.dn,
"objectclass": "computer",
"sAMAccountName": "%s$" % self.netbios_name,
"userAccountControl":
str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
"unicodePwd": utf16pw})
def run(self, accountname, onoff, H=None, credopts=None, sambaopts=None,
versionopts=None):
on = False
if onoff == "on":
on = True
elif onoff == "off":
on = False
else:
raise CommandError("invalid argument: '%s' (choose from 'on', 'off')" % onoff)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
if H == None:
path = paths.samdb
else:
path = H
sam = SamDB(path, session_info=system_session(),
credentials=creds, lp=lp)
# TODO once I understand how, use the domain info to naildown
# to the correct domain
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
try:
sam.toggle_userAccountFlags(search_filter, flag,
flags_str="Trusted-to-Authenticate-for-Delegation",
on=on, strict=True)
except Exception as err:
raise CommandError(err)
def run(self, accountname, principal, H=None, credopts=None, sambaopts=None,
versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
if H == None:
path = paths.samdb
else:
path = H
sam = SamDB(path, session_info=system_session(),
credentials=creds, lp=lp)
# TODO once I understand how, use the domain info to naildown
# to the correct domain
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
res = sam.search(expression="sAMAccountName=%s" %
ldb.binary_encode(cleanedaccount),
scope=ldb.SCOPE_SUBTREE,
attrs=["msDS-AllowedToDelegateTo"])
if len(res) == 0:
raise CommandError("Unable to find account name '%s'" % accountname)
assert(len(res) == 1)
msg = ldb.Message()
msg.dn = res[0].dn
msg["msDS-AllowedToDelegateTo"] = ldb.MessageElement([principal],
ldb.FLAG_MOD_DELETE,
"msDS-AllowedToDelegateTo")
try:
sam.modify(msg)
except Exception as err:
raise CommandError(err)
def __init__(self):
self.samba_lp = LoadParm()
self.samba_lp.set("debug level", "0")
self.samba_lp.load_default()
url = self.samba_lp.get("dcerpc_mapiproxy:samdb_url") or self.samba_lp.private_path("sam.ldb")
self.samdb = SamDB(url=url, lp=self.samba_lp, session_info=system_session())
self.conn = self._open_mysql_connection()
def run(self, username=None, filter=None, credopts=None, sambaopts=None,
versionopts=None, H=None, newpassword=None,
must_change_at_next_login=None):
if filter is None and username is None:
raise CommandError("Either the username or '--filter' must be specified!")
password = newpassword
if password is None:
password = getpass("New Password: "******"(&(objectClass=user)(sAMAccountName=%s))" % (username)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
try:
samdb.setpassword(filter, password,
force_change_at_next_login=must_change_at_next_login,
username=username)
except Exception, e:
raise CommandError('Failed to set password for user "%s"' % username, e)
def run(self, accountname, onoff, credopts=None, sambaopts=None, versionopts=None):
on = False
if onoff == "on":
on = True
elif onoff == "off":
on = False
else:
raise CommandError("Invalid argument [%s]" % onoff)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
sam = SamDB(paths.samdb, session_info=system_session(),
credentials=creds, lp=lp)
# TODO once I understand how, use the domain info to naildown
# to the correct domain
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
flag = dsdb.UF_TRUSTED_FOR_DELEGATION
try:
sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True)
except Exception, err:
raise CommandError(err)
def run(self, accountname, credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
sam = SamDB(paths.samdb, session_info=system_session(),
credentials=creds, lp=lp)
# TODO once I understand how, use the domain info to naildown
# to the correct domain
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
print "Searching for: %s" % (cleanedaccount)
res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount),
scope=ldb.SCOPE_SUBTREE,
attrs=["userAccountControl", "msDS-AllowedToDelegateTo"])
if len(res) != 1:
raise CommandError("Account %s found %d times" % (accountname, len(res)))
uac = int(res[0].get("userAccountControl")[0])
allowed = res[0].get("msDS-AllowedToDelegateTo")
print "Account-DN: %s" % str(res[0].dn)
if uac & dsdb.UF_TRUSTED_FOR_DELEGATION:
print "UF_TRUSTED_FOR_DELEGATION: 1"
else:
print "UF_TRUSTED_FOR_DELEGATION: 0"
if uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
print "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 1"
else:
print "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 0"
if allowed != None:
for a in allowed:
print "msDS-AllowedToDelegateTo: %s" % (str(a))
from samba.param import LoadParm
from samba.provision import (
ProvisionPaths,
ProvisionNames,
)
from samba.provision.common import (setup_path, setup_add_ldif, setup_ldb)
from samba.provision.sambadns import secretsdb_setup_dns
if __name__ == '__main__':
## most of this is extracted from source4/scripting/python/samba/provision/*
lp = LoadParm()
lp.load('/etc/samba/smb.conf')
samdb = SamDB('/var/lib/samba/private/sam.ldb',
session_info=system_session(lp),
lp=lp)
secretsdb = samba.Ldb('/var/lib/samba/private/secrets.ldb',
session_info=system_session(lp),
lp=lp)
paths = ProvisionPaths()
paths.private_dir = lp.get("private dir")
names = ProvisionNames()
# NT domain, kerberos realm, root dn, domain dn, domain dns name
names.realm = lp.get("realm").upper()
names.domain = lp.get("workgroup").upper()
names.domaindn = samdb.domain_dn()
names.dnsdomain = samba.ldb.Dn(samdb,
names.domaindn).canonical_str().replace(
def test_multiple_searches(self):
"""The maximum number of concurrent vlv searches per connection is
currently set at 3. That means if you open 4 VLV searches the
cookie on the first one should fail.
"""
# Windows has a limit of 10 VLVs where there are low numbers
# of objects in each search.
attrs = ([
x for x in self.users[0].keys() if x not in ('dn', 'objectclass')
] * 2)[:12]
vlv_cookies = []
for attr in attrs:
sort_control = "server_sort:1:0:%s" % attr
res = self.ldb.search(self.ou,
scope=ldb.SCOPE_ONELEVEL,
attrs=[attr],
controls=[sort_control, "vlv:1:1:1:1:0"])
cookie = get_cookie(res.controls, len(self.users))
vlv_cookies.append(cookie)
time.sleep(0.2)
# now this one should fail
self.assertRaises(
ldb.LdbError,
self.ldb.search,
self.ou,
scope=ldb.SCOPE_ONELEVEL,
attrs=[attr],
controls=[sort_control,
"vlv:1:1:1:1:0:%s" % vlv_cookies[0]])
# and this one should succeed
res = self.ldb.search(
self.ou,
scope=ldb.SCOPE_ONELEVEL,
attrs=[attr],
controls=[sort_control,
"vlv:1:1:1:1:0:%s" % vlv_cookies[-1]])
# this one should fail because it is a new connection and
# doesn't share cookies
new_ldb = SamDB(host,
credentials=creds,
session_info=system_session(lp),
lp=lp)
self.assertRaises(
ldb.LdbError,
new_ldb.search,
self.ou,
scope=ldb.SCOPE_ONELEVEL,
attrs=[attr],
controls=[sort_control,
"vlv:1:1:1:1:0:%s" % vlv_cookies[-1]])
# but now without the critical flag it just does no VLV.
new_ldb.search(
self.ou,
scope=ldb.SCOPE_ONELEVEL,
attrs=[attr],
controls=[sort_control,
"vlv:0:1:1:1:0:%s" % vlv_cookies[-1]])
