def samdb_connect(ctx):
'''make a ldap connection to the server'''
try:
ctx.samdb = SamDB(url="ldap://%s" % ctx.server,
session_info=system_session(),
credentials=ctx.creds,
lp=ctx.lp)
except Exception as e:
raise CommandError("LDAP connection to %s failed" % ctx.server, e)
def get_partition(samdb, part):
# Allow people to say "--partition=DOMAIN" rather than
# "--partition=DC=blah,DC=..."
if part is not None:
short_partitions, long_partitions = get_partition_maps(samdb)
part = short_partitions.get(part.upper(), part)
if part not in long_partitions:
raise CommandError("unknown partition %s" % part)
return part
def run(self, file, use_ntvfs=False, use_s3fs=False,
as_sddl=False, xattr_backend=None, eadb_file=None,
credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
try:
samdb = SamDB(session_info=system_session(),
lp=lp)
except Exception, e:
raise CommandError("Unable to open samdb:", e)
def drsuapi_ReplicaInfo(ctx, info_type):
'''call a DsReplicaInfo'''
req1 = drsuapi.DsReplicaGetInfoRequest1()
req1.info_type = info_type
try:
(info_type, info) = ctx.drsuapi.DsReplicaGetInfo(ctx.drsuapi_handle, 1, req1)
except Exception, e:
raise CommandError("DsReplicaGetInfo of type %u failed" % info_type, e)
def run(self, ou_dn, credopts=None, sambaopts=None, versionopts=None,
H=None, description=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
try:
full_ou_dn = samdb.normalize_dn_in_domain(ou_dn)
except Exception as e:
raise CommandError('Invalid ou_dn "%s": %s' % (ou_dn, e))
try:
samdb.create_ou(full_ou_dn, description=description)
except Exception as e:
raise CommandError('Failed to add ou "%s"' % full_ou_dn, e)
self.outf.write('Added ou "%s"\n' % full_ou_dn)
class cmd_delete(Command):
"""Delete an organizational unit.
The name of the organizational unit can be specified as a full DN
or without the domainDN component.
Examples:
samba-tool ou delete 'OU=OrgUnit,DC=samdom,DC=example,DC=com'
samba-tool ou delete 'OU=OrgUnit'
The examples show how an administrator would delete the ou 'OrgUnit'.
"""
synopsis = "%prog <ou_dn> [options]"
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server",
type=str, metavar="URL", dest="H"),
Option("--force-subtree-delete", dest="force_subtree_delete",
default=False, action='store_true',
help="Delete organizational unit and all children reclusively"),
]
takes_args = ["ou_dn"]
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
}
def run(self, ou_dn, credopts=None, sambaopts=None, versionopts=None,
H=None, force_subtree_delete=False):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
domain_dn = ldb.Dn(samdb, samdb.domain_dn())
try:
full_ou_dn = samdb.normalize_dn_in_domain(ou_dn)
except Exception, e:
raise CommandError('Invalid ou_dn "%s": %s' % (ou_dn, e.message))
controls = []
if force_subtree_delete:
controls = ["tree_delete:1"]
try:
res = samdb.search(base=full_ou_dn,
expression="(objectclass=organizationalUnit)",
scope=ldb.SCOPE_BASE, attrs=[])
if len(res) == 0:
self.outf.write('Unable to find ou "%s"\n' % ou_dn)
return
samdb.delete(full_ou_dn, controls)
except Exception, e:
raise CommandError('Failed to delete ou "%s"' % full_ou_dn, e)
def check_pso_constraints(min_pwd_length=None, history_length=None,
min_pwd_age=None, max_pwd_age=None):
"""Checks PSO settings fall within valid ranges"""
# check values as per section 3.1.1.5.2.2 Constraints in MS-ADTS spec
if history_length is not None and history_length > 1024:
raise CommandError("Bad password history length: "
"valid range is 0 to 1024")
if min_pwd_length is not None and min_pwd_length > 255:
raise CommandError("Bad minimum password length: "
"valid range is 0 to 255")
if min_pwd_age is not None and max_pwd_age is not None:
# note max-age=zero is a special case meaning 'never expire'
if min_pwd_age >= max_pwd_age and max_pwd_age != 0:
raise CommandError("Minimum password age must be less than "
"maximum age")
def run(self,
groupname,
listofmembers=None,
credopts=None,
sambaopts=None,
versionopts=None,
H=None,
member_base_dn=None,
member_dn=None,
object_types="user,group,computer"):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
if member_dn is None and listofmembers is None:
self.usage()
raise CommandError(
'Either listofmembers or --member-dn must be specified.')
try:
samdb = SamDB(url=H,
session_info=system_session(),
credentials=creds,
lp=lp)
groupmembers = []
if member_dn is not None:
groupmembers += member_dn
if listofmembers is not None:
groupmembers += listofmembers.split(',')
group_member_types = object_types.split(',')
if member_base_dn is not None:
member_base_dn = samdb.normalize_dn_in_domain(member_base_dn)
samdb.add_remove_group_members(groupname,
groupmembers,
add_members_operation=True,
member_types=group_member_types,
member_base_dn=member_base_dn)
except Exception as e:
# FIXME: catch more specific exception
raise CommandError('Failed to add members %r to group "%s" - %s' %
(groupmembers, groupname, e))
self.outf.write("Added members to group %s\n" % groupname)
def run(self,
accountname,
onoff,
H=None,
credopts=None,
sambaopts=None,
versionopts=None):
on = False
if onoff == "on":
on = True
elif onoff == "off":
on = False
else:
raise CommandError(
"invalid argument: '%s' (choose from 'on', 'off')" % onoff)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
if H == None:
path = paths.samdb
else:
path = H
sam = SamDB(path,
session_info=system_session(),
credentials=creds,
lp=lp)
# TODO once I understand how, use the domain info to naildown
# to the correct domain
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
try:
sam.toggle_userAccountFlags(
search_filter,
flag,
flags_str="Trusted-to-Authenticate-for-Delegation",
on=on,
strict=True)
except Exception, err:
raise CommandError(err)
def run(self, server, zone, name, rtype, olddata, newdata,
sambaopts=None, credopts=None, versionopts=None):
if rtype.upper() not in ('A', 'AAAA', 'PTR', 'CNAME', 'NS', 'MX', 'SOA', 'SRV', 'TXT'):
raise CommandError('Updating record of type %s is not supported' % rtype)
record_type = dns_type_flag(rtype)
rec = data_to_dns_record(record_type, newdata)
self.lp = sambaopts.get_loadparm()
self.creds = credopts.get_credentials(self.lp)
dns_conn = dns_connect(server, self.lp, self.creds)
rec_match = dns_record_match(dns_conn, server, zone, name, record_type,
olddata)
if not rec_match:
raise CommandError('Record or zone does not exist.')
# Copy properties from existing record to new record
rec.dwFlags = rec_match.dwFlags
rec.dwSerial = rec_match.dwSerial
rec.dwTtlSeconds = rec_match.dwTtlSeconds
rec.dwTimeStamp = rec_match.dwTimeStamp
add_rec_buf = dnsserver.DNS_RPC_RECORD_BUF()
add_rec_buf.rec = rec
del_rec_buf = dnsserver.DNS_RPC_RECORD_BUF()
del_rec_buf.rec = rec_match
try:
dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
0,
server,
zone,
name,
add_rec_buf,
del_rec_buf)
except WERRORError as e:
if e.args[0] == werror.WERR_DNS_ERROR_NAME_DOES_NOT_EXIST:
self.outf.write('Zone does not exist; record could not be updated.\n')
raise e
self.outf.write('Record updated successfully\n')
def run(self, sambaopts, versionopts, section_name=None,
parameter_name=None, client_ip=None, client_name=None,
verbose=False, suppress_prompt=None, show_all_parameters=False,
server=None):
if server:
raise NotImplementedError("--server not yet implemented")
if show_all_parameters:
raise NotImplementedError("--show-all-parameters not yet implemented")
if client_name is not None and client_ip is None:
raise CommandError("Both a DNS name and an IP address are "
"required for the host access check")
try:
lp = sambaopts.get_loadparm()
except RuntimeError as err:
raise CommandError(err)
# We need this to force the output
samba.set_debug_level(2)
logger = self.get_logger("testparm")
logger.info("Loaded smb config files from %s", lp.configfile)
logger.info("Loaded services file OK.")
valid = self.do_global_checks(lp, logger)
valid = valid and self.do_share_checks(lp, logger)
if client_name is not None and client_ip is not None:
self.check_client_access(lp, logger, client_name, client_ip)
else:
if section_name is not None or parameter_name is not None:
if parameter_name is None:
lp[section_name].dump(verbose)
else:
lp.dump_a_parameter(parameter_name, section_name)
else:
if not suppress_prompt:
self.outf.write("Press enter to see a dump of your service definitions\n")
sys.stdin.readline()
lp.dump(verbose)
if valid:
return
else:
raise CommandError("Invalid smb.conf")
def seize_role(self, role, samdb, force):
res = samdb.search("",
scope=ldb.SCOPE_BASE, attrs=["dsServiceName"])
assert len(res) == 1
serviceName = res[0]["dsServiceName"][0]
domain_dn = samdb.domain_dn()
self.infrastructure_dn = "CN=Infrastructure," + domain_dn
self.naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn()
self.schema_dn = str(samdb.get_schema_basedn())
self.rid_dn = "CN=RID Manager$,CN=System," + domain_dn
m = ldb.Message()
if role == "rid":
m.dn = ldb.Dn(samdb, self.rid_dn)
elif role == "pdc":
m.dn = ldb.Dn(samdb, domain_dn)
elif role == "naming":
m.dn = ldb.Dn(samdb, self.naming_dn)
elif role == "infrastructure":
m.dn = ldb.Dn(samdb, self.infrastructure_dn)
elif role == "schema":
m.dn = ldb.Dn(samdb, self.schema_dn)
else:
raise CommandError("Invalid FSMO role.")
#first try to transfer to avoid problem if the owner is still active
if force is None:
self.message("Attempting transfer...")
try:
transfer_role(self.outf, role, samdb)
self.outf.write("FSMO seize was not required, as transfer of '%s' role was successful\n" % role)
return
except CommandError:
#transfer failed, use the big axe...
self.message("Transfer unsuccessful, seizing...")
else:
self.message("Will not attempt transfer, seizing...")
m["fSMORoleOwner"]= ldb.MessageElement(
serviceName, ldb.FLAG_MOD_REPLACE,
"fSMORoleOwner")
try:
samdb.modify(m)
except LdbError, (num, msg):
raise CommandError("Failed to initiate role seize of '%s' role: %s" % (role, msg))
def get_gpo_containers(samdb, gpo):
'''lists dn of containers for a GPO'''
search_expr = "(&(objectClass=*)(gPLink=*%s*))" % gpo
try:
msg = samdb.search(expression=search_expr, attrs=['gPLink'])
except Exception as e:
raise CommandError("Could not find container(s) with GPO %s" % gpo, e)
return msg
def get_fsmo_roleowner(samdb, roledn):
"""Gets the owner of an FSMO role
:param roledn: The DN of the FSMO role
"""
res = samdb.search(roledn, scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
if len(res) == 0:
raise CommandError('"%s" does not have a FSMO roleowner' % roledn)
master_owner = res[0]["fSMORoleOwner"][0]
return master_owner
def run(self, name, user, H=None,
credopts=None,
sambaopts=None,
versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
sam = SamDB(H, session_info=system_session(),
credentials=creds, lp=lp)
res = sam.search(
expression="servicePrincipalName=%s" % ldb.binary_encode(name),
scope=ldb.SCOPE_SUBTREE)
if len(res) != 0:
raise CommandError("Service principal %s already"
" affected to another user" % name)
(cleaneduser, realm, domain) = _get_user_realm_domain(user)
res = sam.search(
expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"])
if len(res) > 0:
res[0].dn
msg = ldb.Message()
spns = res[0].get("servicePrincipalName")
tab = []
found = False
flag = ldb.FLAG_MOD_ADD
if spns is not None:
for e in spns:
if str(e) == name:
found = True
tab.append(str(e))
flag = ldb.FLAG_MOD_REPLACE
tab.append(name)
msg.dn = res[0].dn
msg["servicePrincipalName"] = ldb.MessageElement(tab, flag,
"servicePrincipalName")
if not found:
sam.modify(msg)
else:
raise CommandError("Service principal %s already"
" affected to %s" % (name, user))
else:
raise CommandError("User %s not found" % user)
def del_gpo_link(samdb, container_dn, gpo):
'''delete GPO link for the container'''
# Check if valid Container DN and get existing GPlinks
try:
msg = samdb.search(base=container_dn,
scope=ldb.SCOPE_BASE,
expression="(objectClass=*)",
attrs=['gPLink'])[0]
except Exception, e:
raise CommandError("Container '%s' does not exist" % container_dn, e)
def seize_dns_role(self, role, samdb, credopts, sambaopts, versionopts,
force):
"""Seize DNS FSMO role. """
serviceName = samdb.get_dsServiceName()
domain_dn = samdb.domain_dn()
forest_dn = samba.dn_from_dns_name(samdb.forest_dns_name())
self.domaindns_dn = "CN=Infrastructure,DC=DomainDnsZones," + domain_dn
self.forestdns_dn = "CN=Infrastructure,DC=ForestDnsZones," + forest_dn
m = ldb.Message()
if role == "domaindns":
m.dn = ldb.Dn(samdb, self.domaindns_dn)
elif role == "forestdns":
m.dn = ldb.Dn(samdb, self.forestdns_dn)
else:
raise CommandError("Invalid FSMO role.")
#first try to transfer to avoid problem if the owner is still active
seize = False
master_owner = get_fsmo_roleowner(samdb, m.dn)
if master_owner != serviceName:
if force is None:
self.message("Attempting transfer...")
if not transfer_dns_role(self.outf, sambaopts, credopts, role,
samdb):
#transfer failed, use the big axe...
seize = True
self.message("Transfer unsuccessful, seizing...")
else:
self.message(
"Not seizing role as transfer was successful\n")
if force is not None or seize == True:
self.message("Seizing %s FSMO role..." % role)
m["fSMORoleOwner"] = ldb.MessageElement(
serviceName, ldb.FLAG_MOD_REPLACE, "fSMORoleOwner")
try:
samdb.modify(m)
except LdbError, (num, msg):
raise CommandError("Failed to seize '%s' role: %s" %
(role, msg))
self.outf.write("FSMO seize of '%s' role successful\n" % role)
return True
def run(self,
computername,
new_ou_dn,
credopts=None,
sambaopts=None,
versionopts=None,
H=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H,
session_info=system_session(),
credentials=creds,
lp=lp)
domain_dn = ldb.Dn(samdb, samdb.domain_dn())
samaccountname = computername
if not computername.endswith('$'):
samaccountname = "%s$" % computername
filter = (
"(&(sAMAccountName=%s)(sAMAccountType=%u))" %
(ldb.binary_encode(samaccountname), dsdb.ATYPE_WORKSTATION_TRUST))
try:
res = samdb.search(base=domain_dn,
expression=filter,
scope=ldb.SCOPE_SUBTREE)
computer_dn = res[0].dn
except IndexError:
raise CommandError('Unable to find computer "%s"' % (computername))
full_new_ou_dn = ldb.Dn(samdb, new_ou_dn)
if not full_new_ou_dn.is_child_of(domain_dn):
full_new_ou_dn.add_base(domain_dn)
new_computer_dn = ldb.Dn(samdb, str(computer_dn))
new_computer_dn.remove_base_components(len(computer_dn) - 1)
new_computer_dn.add_base(full_new_ou_dn)
try:
samdb.rename(computer_dn, new_computer_dn)
except Exception as e:
raise CommandError('Failed to move computer "%s"' % computername,
e)
self.outf.write('Moved computer "%s" to "%s"\n' %
(computername, new_ou_dn))
def run(self,
old_ou_dn,
new_parent_dn,
credopts=None,
sambaopts=None,
versionopts=None,
H=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H,
session_info=system_session(),
credentials=creds,
lp=lp)
domain_dn = ldb.Dn(samdb, samdb.domain_dn())
try:
full_old_ou_dn = samdb.normalize_dn_in_domain(old_ou_dn)
except Exception as e:
raise CommandError('Invalid old_ou_dn "%s": %s' %
(old_ou_dn, e.message))
try:
full_new_parent_dn = samdb.normalize_dn_in_domain(new_parent_dn)
except Exception as e:
raise CommandError('Invalid new_parent_dn "%s": %s' %
(new_parent_dn, e.message))
full_new_ou_dn = ldb.Dn(samdb, str(full_old_ou_dn))
full_new_ou_dn.remove_base_components(len(full_old_ou_dn) - 1)
full_new_ou_dn.add_base(full_new_parent_dn)
try:
res = samdb.search(base=full_old_ou_dn,
expression="(objectclass=organizationalUnit)",
scope=ldb.SCOPE_BASE,
attrs=[])
if len(res) == 0:
self.outf.write('Unable to find ou "%s"\n' % full_old_ou_dn)
return
samdb.rename(full_old_ou_dn, full_new_ou_dn)
except Exception as e:
raise CommandError('Failed to move ou "%s"' % full_old_ou_dn, e)
self.outf.write('Moved ou "%s" into "%s"\n' %
(full_old_ou_dn, full_new_parent_dn))
def dns_connect(server, lp, creds):
if server.lower() == 'localhost':
server = '127.0.0.1'
binding_str = "ncacn_ip_tcp:%s[sign]" % server
try:
dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
except RuntimeError as e:
raise CommandError('Connecting to DNS RPC server %s failed with %s' % (server, e))
return dns_conn
def get_sid_for_restore(samdb):
# Find the DN of the RID set of the server
res = samdb.search(base=ldb.Dn(samdb, samdb.get_serverName()),
scope=ldb.SCOPE_BASE,
attrs=["serverReference"])
server_ref_dn = ldb.Dn(samdb, res[0]['serverReference'][0])
res = samdb.search(base=server_ref_dn,
scope=ldb.SCOPE_BASE,
attrs=['rIDSetReferences'])
rid_set_dn = ldb.Dn(samdb, res[0]['rIDSetReferences'][0])
# Get the alloc pools and next RID of the RID set
res = samdb.search(
base=rid_set_dn,
scope=ldb.SCOPE_SUBTREE,
expression="(rIDNextRID=*)",
attrs=['rIDAllocationPool', 'rIDPreviousAllocationPool', 'rIDNextRID'])
# Decode the bounds of the RID allocation pools
rid = int(res[0].get('rIDNextRID')[0])
def split_val(num):
high = (0xFFFFFFFF00000000 & int(num)) >> 32
low = 0x00000000FFFFFFFF & int(num)
return low, high
pool_l, pool_h = split_val(res[0].get('rIDPreviousAllocationPool')[0])
npool_l, npool_h = split_val(res[0].get('rIDAllocationPool')[0])
# Calculate next RID based on pool bounds
if rid == npool_h:
raise CommandError('Out of RIDs, finished AllocPool')
if rid == pool_h:
if pool_h == npool_h:
raise CommandError('Out of RIDs, finished PrevAllocPool.')
rid = npool_l
else:
rid += 1
# Construct full SID
sid = dom_sid(samdb.get_domain_sid())
return str(sid) + '-' + str(rid)
def run(self, attribute, H=None, credopts=None, sambaopts=None,
versionopts=None, searchflags=None):
if searchflags is None:
raise CommandError('A value to modify must be provided.')
# Parse the search flags to a set of bits to modify.
searchflags_int = None
if searchflags is not None:
searchflags_int = 0
flags = searchflags.split(',')
# We have to normalise all the values. To achieve this predictably
# we title case (Fattrindex), then swapcase (fATTINDEX)
flags = [ x.capitalize().swapcase() for x in flags ]
for flag in flags:
if flag not in bitFields['searchflags'].keys():
raise CommandError("Unknown flag '%s', please see --help" % flag)
bit_loc = 31 - bitFields['searchflags'][flag]
# Now apply the bit.
searchflags_int = searchflags_int | (1 << bit_loc)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
schema_dn = samdb.schema_dn()
# For now we make assumptions about the CN
attr_dn = 'cn=%s,%s' % (attribute, schema_dn)
m = ldb.Message()
m.dn = ldb.Dn(samdb, attr_dn)
if searchflags_int is not None:
m['searchFlags'] = ldb.MessageElement(
str(searchflags_int), ldb.FLAG_MOD_REPLACE, 'searchFlags')
samdb.modify(m)
samdb.set_schema_update_now()
self.outf.write("modified %s" % attr_dn)
def run(self,
file,
use_ntvfs=False,
use_s3fs=False,
as_sddl=False,
xattr_backend=None,
eadb_file=None,
credopts=None,
sambaopts=None,
versionopts=None,
service=None):
lp = sambaopts.get_loadparm()
try:
samdb = SamDB(session_info=system_session(), lp=lp)
except Exception as e:
raise CommandError("Unable to open samdb:", e)
if not use_ntvfs and not use_s3fs:
use_ntvfs = "smb" in lp.get("server services")
elif use_s3fs:
use_ntvfs = False
s3conf = s3param.get_context()
s3conf.load(lp.configfile)
# ensure we are using the right samba_dsdb passdb backend, no matter what
s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
acl = getntacl(lp,
file,
xattr_backend,
eadb_file,
direct_db_access=use_ntvfs,
service=service)
if as_sddl:
try:
domain_sid = security.dom_sid(samdb.domain_sid)
except:
raise CommandError(
"Unable to read domain SID from configuration files")
self.outf.write(acl.as_sddl(domain_sid) + "\n")
else:
self.outf.write(ndr_print(acl))
def dns_client_version(cli_version):
version = cli_version.upper()
if version == 'W2K':
client_version = dnsserver.DNS_CLIENT_VERSION_W2K
elif version == 'DOTNET':
client_version = dnsserver.DNS_CLIENT_VERSION_DOTNET
elif version == 'LONGHORN':
client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
else:
raise CommandError('Unknown client version %s' % cli_version)
return client_version
def run(self,
groupname,
credopts=None,
sambaopts=None,
versionopts=None,
H=None,
full_dn=False):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
try:
samdb = SamDB(url=H,
session_info=system_session(),
credentials=creds,
lp=lp)
search_filter = "(&(objectClass=group)(samaccountname=%s))" % groupname
res = samdb.search(samdb.domain_dn(),
scope=ldb.SCOPE_SUBTREE,
expression=(search_filter),
attrs=["objectSid"])
if (len(res) != 1):
return
group_dn = res[0].get('dn', idx=0)
object_sid = res[0].get('objectSid', idx=0)
object_sid = ndr_unpack(security.dom_sid, object_sid)
(group_dom_sid, rid) = object_sid.split()
search_filter = "(|(primaryGroupID=%s)(memberOf=%s))" % (rid,
group_dn)
res = samdb.search(samdb.domain_dn(),
scope=ldb.SCOPE_SUBTREE,
expression=(search_filter),
attrs=["samAccountName", "cn"])
if (len(res) == 0):
return
for msg in res:
if full_dn:
self.outf.write("%s\n" % msg.get("dn"))
continue
member_name = msg.get("samAccountName", idx=0)
if member_name is None:
member_name = msg.get("cn", idx=0)
self.outf.write("%s\n" % member_name)
except Exception as e:
raise CommandError(
'Failed to list members of "%s" group ' % groupname, e)
def run(self, sitename, sambaopts=None, credopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
url = lp.private_path("sam.ldb")
if not os.path.exists(url):
raise CommandError("secret database not found at %s " % url)
samdb = SamDB(url=url,
session_info=system_session(),
credentials=creds,
lp=lp)
samdb.transaction_start()
try:
ok = sites.delete_site(samdb, samdb.get_config_basedn(), sitename)
samdb.transaction_commit()
except sites.SiteException, e:
samdb.transaction_cancel()
raise CommandError("Error while removing site %s, error: %s" %
(sitename, str(e)))
def run(self, username=None, sambaopts=None, credopts=None,
versionopts=None, H=None, filter=None, days=None, noexpiry=None):
if username is None and filter is None:
raise CommandError("Either the username or '--filter' must be specified!")
if filter is None:
filter = "(&(objectClass=user)(sAMAccountName=%s))" % (ldb.binary_encode(username))
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
try:
samdb.setexpiry(filter, days*24*3600, no_expiry_req=noexpiry)
except Exception, msg:
# FIXME: Catch more specific exception
raise CommandError("Failed to set expiry for user '%s': %s" % (
username or filter, msg))
def run(self, username, credopts=None, sambaopts=None, versionopts=None,
H=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp, fallback_machine=True)
try:
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
samdb.deleteuser(username)
except Exception, e:
raise CommandError('Failed to remove user "%s"' % username, e)
def get_neighbours(self, info_type):
req1 = drsuapi.DsReplicaGetInfoRequest1()
req1.info_type = info_type
try:
(info_type, info) = self.drsuapi.DsReplicaGetInfo(
self.drsuapi_handle, 1, req1)
except Exception as e:
raise CommandError("DsReplicaGetInfo of type %u failed" % info_type, e)
reps = [self.parse_neighbour(n) for n in info.array]
return reps
def drsuapi_connect(ctx):
'''make a DRSUAPI connection to the server'''
binding_options = "seal"
if ctx.lp.get("log level") >= 5:
binding_options += ",print"
binding_string = "ncacn_ip_tcp:%s[%s]" % (ctx.server, binding_options)
try:
ctx.drsuapi = drsuapi.drsuapi(binding_string, ctx.lp, ctx.creds)
(ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drs_DsBind(ctx.drsuapi)
except Exception, e:
raise CommandError("DRS connection to %s failed" % ctx.server, e)
