def run(self, user, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleaneduser, realm, domain) = _get_user_realm_domain(user) print cleaneduser res = sam.search(expression="samaccountname=%s" % cleaneduser, scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"]) if len(res) >0: spns = res[0].get("servicePrincipalName") found = False flag = ldb.FLAG_MOD_ADD if spns != None: print "User %s has the following servicePrincipalName: " % str(res[0].dn) for e in spns: print "\t %s" % (str(e)) else: print "User %s has no servicePrincipalName" % str(res[0].dn) else: raise CommandError("User %s not found" % user)
def run(self, accountname, onoff, credopts=None, sambaopts=None, versionopts=None): on = False if onoff == "on": on = True elif onoff == "off": on = False else: raise CommandError("Invalid argument [%s]" % onoff) lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) search_filter = "sAMAccountName=%s" % cleanedaccount flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION try: sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True) except Exception, err: raise CommandError(err)
def run(self, accountname, principal, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount), scope=ldb.SCOPE_SUBTREE, attrs=["msDS-AllowedToDelegateTo"]) if len(res) == 0: raise CommandError("Unable to find account name '%s'" % accountname) assert (len(res) == 1) msg = ldb.Message() msg.dn = res[0].dn msg["msDS-AllowedToDelegateTo"] = ldb.MessageElement( [principal], ldb.FLAG_MOD_DELETE, "msDS-AllowedToDelegateTo") try: sam.modify(msg) except Exception, err: raise CommandError(err)
def run(self, accountname, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) print "Searching for: %s" % (cleanedaccount) res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount), scope=ldb.SCOPE_SUBTREE, attrs=["userAccountControl", "msDS-AllowedToDelegateTo"]) if len(res) != 1: raise CommandError("Account %s found %d times" % (accountname, len(res))) uac = int(res[0].get("userAccountControl")[0]) allowed = res[0].get("msDS-AllowedToDelegateTo") print "Account-DN: %s" % str(res[0].dn) if uac & dsdb.UF_TRUSTED_FOR_DELEGATION: print "UF_TRUSTED_FOR_DELEGATION: 1" else: print "UF_TRUSTED_FOR_DELEGATION: 0" if uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: print "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 1" else: print "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 0" if allowed != None: for a in allowed: print "msDS-AllowedToDelegateTo: %s" % (str(a))
def run(self, accountname, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount), scope=ldb.SCOPE_SUBTREE, attrs=["userAccountControl", "msDS-AllowedToDelegateTo"]) if len(res) == 0: raise CommandError("Unable to find account name '%s'" % accountname) assert(len(res) == 1) uac = int(res[0].get("userAccountControl")[0]) allowed = res[0].get("msDS-AllowedToDelegateTo") self.outf.write("Account-DN: %s\n" % str(res[0].dn)) self.outf.write("UF_TRUSTED_FOR_DELEGATION: %s\n" % bool(uac & dsdb.UF_TRUSTED_FOR_DELEGATION)) self.outf.write("UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: %s\n" % bool(uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION)) if allowed is not None: for a in allowed: self.outf.write("msDS-AllowedToDelegateTo: %s\n" % a)
def run(self, accountname, onoff, H=None, credopts=None, sambaopts=None, versionopts=None): on = False if onoff == "on": on = True elif onoff == "off": on = False else: raise CommandError("invalid argument: '%s' (choose from 'on', 'off')" % onoff) lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp, fallback_machine=True) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) if H == None: path = paths.samdb else: path = H sam = SamDB(path, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount) flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION try: sam.toggle_userAccountFlags(search_filter, flag, flags_str="Trusted-to-Authenticate-for-Delegation", on=on, strict=True) except Exception as err: raise CommandError(err)
def run(self, accountname, onoff, credopts=None, sambaopts=None, versionopts=None): on = False if onoff == "on": on = True elif onoff == "off": on = False else: raise CommandError("Invalid argument [%s]" % onoff) lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount) flag = dsdb.UF_TRUSTED_FOR_DELEGATION try: sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True) except Exception, err: raise CommandError(err)
def run(self, user, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleaneduser, realm, domain) = _get_user_realm_domain(user) self.outf.write(cleaneduser + "\n") res = sam.search( expression="samaccountname=%s" % ldb.binary_encode(cleaneduser), scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"]) if len(res) > 0: spns = res[0].get("servicePrincipalName") if spns is not None: self.outf.write( "User %s has the following servicePrincipalName: \n" % res[0].dn) for e in spns: self.outf.write("\t %s\n" % e) else: self.outf.write("User %s has no servicePrincipalName\n" % res[0].dn) else: raise CommandError("User %s not found" % user)
def run(self, accountname, principal, H=None, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) if H == None: path = paths.samdb else: path = H sam = SamDB(path, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount), scope=ldb.SCOPE_SUBTREE, attrs=["msDS-AllowedToDelegateTo"]) if len(res) == 0: raise CommandError("Unable to find account name '%s'" % accountname) assert(len(res) == 1) msg = ldb.Message() msg.dn = res[0].dn msg["msDS-AllowedToDelegateTo"] = ldb.MessageElement([principal], ldb.FLAG_MOD_DELETE, "msDS-AllowedToDelegateTo") try: sam.modify(msg) except Exception as err: raise CommandError(err)
def run(self, accountname, principal, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) res = sam.search(expression="sAMAccountName=%s" % cleanedaccount, scope=ldb.SCOPE_SUBTREE, attrs=["msDS-AllowedToDelegateTo"]) if len(res) != 1: raise CommandError("Account %s found %d times" % (accountname, len(res))) msg = ldb.Message() msg.dn = res[0].dn msg["msDS-AllowedToDelegateTo"] = ldb.MessageElement([principal], ldb.FLAG_MOD_ADD, "msDS-AllowedToDelegateTo") try: sam.modify(msg) except Exception, err: raise CommandError(err)
def run(self, user, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleaneduser, realm, domain) = _get_user_realm_domain(user) self.outf.write(cleaneduser+"\n") res = sam.search(expression="samaccountname=%s" % ldb.binary_encode(cleaneduser), scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"]) if len(res) >0: spns = res[0].get("servicePrincipalName") found = False flag = ldb.FLAG_MOD_ADD if spns != None: self.outf.write( "User %s has the following servicePrincipalName: \n" % res[0].dn) for e in spns: self.outf.write("\t %s\n" % e) else: self.outf.write("User %s has no servicePrincipalName" % res[0].dn) else: raise CommandError("User %s not found" % user)
def check_restored_database(self, bkp_lp, expect_secrets=True): paths = provision.provision_paths_from_lp(bkp_lp, bkp_lp.get("realm")) bkp_pd = get_prim_dom(paths.secrets, bkp_lp) self.assertEqual(len(bkp_pd), 1) acn = bkp_pd[0].get('samAccountName') self.assertIsNotNone(acn) self.assertEqual(str(acn[0]), self.new_server + '$') self.assertIsNotNone(bkp_pd[0].get('secret')) samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=bkp_lp, credentials=self.get_credentials()) # check that the backup markers have been removed from the restored DB res = samdb.search(base=ldb.Dn(samdb, "@SAMBA_DSDB"), scope=ldb.SCOPE_BASE, attrs=self.backup_markers) self.assertEqual(len(res), 1) for marker in self.backup_markers: self.assertIsNone(res[0].get(marker), "%s backup-marker left behind" % marker) # check that the repsFrom and repsTo values have been removed # from the restored DB res = samdb.search(base=samdb.get_default_basedn(), scope=ldb.SCOPE_BASE, attrs=['repsFrom', 'repsTo']) self.assertEqual(len(res), 1) self.assertIsNone(res[0].get('repsFrom')) self.assertIsNone(res[0].get('repsTo')) res = samdb.search(base=samdb.get_config_basedn(), scope=ldb.SCOPE_BASE, attrs=['repsFrom', 'repsTo']) self.assertEqual(len(res), 1) self.assertIsNone(res[0].get('repsFrom')) self.assertIsNone(res[0].get('repsTo')) # check the DB is using the backend we supplied if self.backend: res = samdb.search(base="@PARTITION", scope=ldb.SCOPE_BASE, attrs=["backendStore"]) backend = str(res[0].get("backendStore")) self.assertEqual(backend, self.backend) # check the restored DB has the expected partitions/DC/FSMO roles self.assert_partitions_present(samdb) self.assert_dcs_present(samdb, self.new_server, expected_count=1) self.assert_fsmo_roles(samdb, self.new_server, self.server) self.assert_secrets(samdb, expect_secrets=expect_secrets) # check we still have an uptodateness vector for the original DC self.assert_repl_uptodate_vector(samdb) return samdb
def run(self, name, user=None, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) res = sam.search(expression="servicePrincipalName=%s" % ldb.binary_encode(name), scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName", "samAccountName"]) if len(res) > 0: result = None if user is not None: (cleaneduser, realm, domain) = _get_user_realm_domain(user) for elem in res: if str(elem["samAccountName"]).lower() == cleaneduser: result = elem if result is None: raise CommandError("Unable to find user %s with" " spn %s" % (user, name)) else: if len(res) != 1: listUser = "" for r in res: listUser = "******" % (listUser, str(r.dn)) raise CommandError( "More than one user has the spn %s " "and no specific user was specified, list of users" " with this spn:%s" % (name, listUser)) else: result = res[0] msg = ldb.Message() spns = result.get("servicePrincipalName") tab = [] if spns is not None: for e in spns: if str(e) != name: tab.append(str(e)) flag = ldb.FLAG_MOD_REPLACE msg.dn = result.dn msg["servicePrincipalName"] = ldb.MessageElement( tab, flag, "servicePrincipalName") sam.modify(msg) else: raise CommandError("Service principal %s not affected" % name)
def run(self, name, user, force=False, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) res = sam.search( expression="servicePrincipalName=%s" % ldb.binary_encode(name), scope=ldb.SCOPE_SUBTREE, ) if len(res) != 0 and not force: raise CommandError("Service principal %s already" " affected to another user" % name) (cleaneduser, realm, domain) = _get_user_realm_domain(user) res = sam.search(expression="samaccountname=%s" % ldb.binary_encode(cleaneduser), scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"]) if len(res) > 0: res[0].dn msg = ldb.Message() spns = res[0].get("servicePrincipalName") tab = [] found = False flag = ldb.FLAG_MOD_ADD if spns != None: for e in spns: if str(e) == name: found = True tab.append(str(e)) flag = ldb.FLAG_MOD_REPLACE tab.append(name) msg.dn = res[0].dn msg["servicePrincipalName"] = ldb.MessageElement( tab, flag, "servicePrincipalName") if not found: sam.modify(msg) else: raise CommandError("Service principal %s already" " affected to %s" % (name, user)) else: raise CommandError("User %s not found" % user)
def setUp(self): super(SamDBTestCase, self).setUp() invocationid = str(uuid.uuid4()) domaindn = "DC=COM,DC=EXAMPLE" self.domaindn = domaindn configdn = "CN=Configuration," + domaindn schemadn = "CN=Schema," + configdn domainguid = str(uuid.uuid4()) policyguid = DEFAULT_POLICY_GUID domainsid = security.random_sid() path = os.path.join(self.tempdir, "samdb.ldb") session_info = system_session() hostname="foo" domain="EXAMPLE" dnsdomain="example.com" serverrole="domain controller" policyguid_dc = DEFAULT_DC_POLICY_GUID smbconf = os.path.join(self.tempdir, "smb.conf") make_smbconf(smbconf, hostname, domain, dnsdomain, serverrole, self.tempdir) self.lp = param.LoadParm() self.lp.load(smbconf) names = guess_names(lp=self.lp, hostname=hostname, domain=domain, dnsdomain=dnsdomain, serverrole=serverrole, domaindn=self.domaindn, configdn=configdn, schemadn=schemadn) paths = provision_paths_from_lp(self.lp, names.dnsdomain) logger = logging.getLogger("provision") provision_backend = ProvisionBackend("ldb", paths=paths, lp=self.lp, credentials=None, names=names, logger=logger) schema = Schema(domainsid, invocationid=invocationid, schemadn=names.schemadn, serverdn=names.serverdn, am_rodc=False) self.samdb = setup_samdb(path, session_info, provision_backend, self.lp, names, logger, domainsid, domainguid, policyguid, policyguid_dc, False, "secret", "secret", "secret", invocationid, "secret", None, "domain controller", schema=schema)
def run(self, name, user=None, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) res = sam.search( expression="servicePrincipalName=%s" % ldb.binary_encode(name), scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName", "samAccountName"]) if len(res) >0: result = None if user is not None: (cleaneduser, realm, domain) = _get_user_realm_domain(user) for elem in res: if str(elem["samAccountName"]).lower() == cleaneduser: result = elem if result is None: raise CommandError("Unable to find user %s with" " spn %s" % (user, name)) else: if len(res) != 1: listUser = "" for r in res: listUser = "******" % (listUser, str(r.dn)) raise CommandError("More than one user has the spn %s " "and no specific user was specified, list of users" " with this spn:%s" % (name, listUser)) else: result=res[0] msg = ldb.Message() spns = result.get("servicePrincipalName") tab = [] if spns is not None: for e in spns: if str(e) != name: tab.append(str(e)) flag = ldb.FLAG_MOD_REPLACE msg.dn = result.dn msg["servicePrincipalName"] = ldb.MessageElement(tab, flag, "servicePrincipalName") sam.modify(msg) else: raise CommandError("Service principal %s not affected" % name)
def check_restored_database(self, bkp_lp, expect_secrets=True): paths = provision.provision_paths_from_lp(bkp_lp, bkp_lp.get("realm")) bkp_pd = get_prim_dom(paths.secrets, bkp_lp) self.assertEqual(len(bkp_pd), 1) acn = bkp_pd[0].get('samAccountName') self.assertIsNotNone(acn) self.assertEqual(acn[0].replace('$', ''), self.new_server) self.assertIsNotNone(bkp_pd[0].get('secret')) samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=bkp_lp, credentials=self.get_credentials()) # check that the backup markers have been removed from the restored DB res = samdb.search(base=ldb.Dn(samdb, "@SAMBA_DSDB"), scope=ldb.SCOPE_BASE, attrs=self.backup_markers) self.assertEqual(len(res), 1) for marker in self.backup_markers: self.assertIsNone(res[0].get(marker), "%s backup-marker left behind" % marker) # check that the repsFrom and repsTo values have been removed # from the restored DB res = samdb.search(base=samdb.get_default_basedn(), scope=ldb.SCOPE_BASE, attrs=['repsFrom', 'repsTo']) self.assertEqual(len(res), 1) self.assertIsNone(res[0].get('repsFrom')) self.assertIsNone(res[0].get('repsTo')) res = samdb.search(base=samdb.get_config_basedn(), scope=ldb.SCOPE_BASE, attrs=['repsFrom', 'repsTo']) self.assertEqual(len(res), 1) self.assertIsNone(res[0].get('repsFrom')) self.assertIsNone(res[0].get('repsTo')) # check the restored DB has the expected partitions/DC/FSMO roles self.assert_partitions_present(samdb) self.assert_dcs_present(samdb, self.new_server, expected_count=1) self.assert_fsmo_roles(samdb, self.new_server, self.server) self.assert_secrets(samdb, expect_secrets=expect_secrets) return samdb
def run(self, accountname, H=None, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) if H == None: path = paths.samdb else: path = H sam = SamDB(path, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) res = sam.search( expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount), scope=ldb.SCOPE_SUBTREE, attrs=["userAccountControl", "msDS-AllowedToDelegateTo"]) if len(res) == 0: raise CommandError("Unable to find account name '%s'" % accountname) assert (len(res) == 1) uac = int(res[0].get("userAccountControl")[0]) allowed = res[0].get("msDS-AllowedToDelegateTo") self.outf.write("Account-DN: %s\n" % str(res[0].dn)) self.outf.write("UF_TRUSTED_FOR_DELEGATION: %s\n" % bool(uac & dsdb.UF_TRUSTED_FOR_DELEGATION)) self.outf.write( "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: %s\n" % bool(uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION)) if allowed is not None: for a in allowed: self.outf.write("msDS-AllowedToDelegateTo: %s\n" % a)
def run(self, accountname, onoff, H=None, credopts=None, sambaopts=None, versionopts=None): on = False if onoff == "on": on = True elif onoff == "off": on = False else: raise CommandError( "invalid argument: '%s' (choose from 'on', 'off')" % onoff) lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp, fallback_machine=True) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) if H == None: path = paths.samdb else: path = H sam = SamDB(path, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount) flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION try: sam.toggle_userAccountFlags( search_filter, flag, flags_str="Trusted-to-Authenticate-for-Delegation", on=on, strict=True) except Exception, err: raise CommandError(err)
def run(self, accountname, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) # TODO once I understand how, use the domain info to naildown # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) print "Searching for: %s" % (cleanedaccount) res = sam.search( expression="sAMAccountName=%s" % cleanedaccount, scope=ldb.SCOPE_SUBTREE, attrs=["userAccountControl", "msDS-AllowedToDelegateTo"]) if len(res) != 1: raise CommandError("Account %s found %d times" % (accountname, len(res))) uac = int(res[0].get("userAccountControl")[0]) allowed = res[0].get("msDS-AllowedToDelegateTo") print "Account-DN: %s" % str(res[0].dn) if uac & dsdb.UF_TRUSTED_FOR_DELEGATION: print "UF_TRUSTED_FOR_DELEGATION: 1" else: print "UF_TRUSTED_FOR_DELEGATION: 0" if uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: print "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 1" else: print "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 0" if allowed != None: for a in allowed: print "msDS-AllowedToDelegateTo: %s" % (str(a))
def run(self, name, user, force=False, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) res = sam.search( expression="servicePrincipalName=%s" % ldb.binary_encode(name), scope=ldb.SCOPE_SUBTREE) if len(res) != 0 and not force: raise CommandError("Service principal %s already" " affected to another user" % name) (cleaneduser, realm, domain) = _get_user_realm_domain(user) res = sam.search( expression="samaccountname=%s" % ldb.binary_encode(cleaneduser), scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"]) if len(res) >0: res[0].dn msg = ldb.Message() spns = res[0].get("servicePrincipalName") tab = [] found = False flag = ldb.FLAG_MOD_ADD if spns is not None: for e in spns: if str(e) == name: found = True tab.append(str(e)) flag = ldb.FLAG_MOD_REPLACE tab.append(name) msg.dn = res[0].dn msg["servicePrincipalName"] = ldb.MessageElement(tab, flag, "servicePrincipalName") if not found: sam.modify(msg) else: raise CommandError("Service principal %s already" " affected to %s" % (name, user)) else: raise CommandError("User %s not found" % user)
def get_paths(param, targetdir=None, smbconf=None): """Get paths to important provision objects (smb.conf, ldb files, ...) :param param: Param object :param targetdir: Directory where the provision is (or will be) stored :param smbconf: Path to the smb.conf file :return: A list with the path of important provision objects""" if targetdir is not None: etcdir = os.path.join(targetdir, "etc") if not os.path.exists(etcdir): os.makedirs(etcdir) smbconf = os.path.join(etcdir, "smb.conf") if smbconf is None: smbconf = param.default_path() if not os.path.exists(smbconf): raise ProvisioningError("Unable to find smb.conf") lp = param.LoadParm() lp.load(smbconf) paths = provision_paths_from_lp(lp, lp.get("realm")) return paths
def get_paths(param, targetdir=None, smbconf=None): """Get paths to important provision objects (smb.conf, ldb files, ...) :param param: Param object :param targetdir: Directory where the provision is (or will be) stored :param smbconf: Path to the smb.conf file :return: A list with the path of important provision objects""" if targetdir is not None: etcdir = os.path.join(targetdir, "etc") if not os.path.exists(etcdir): os.makedirs(etcdir) smbconf = os.path.join(etcdir, "smb.conf") if smbconf is None: smbconf = param.default_path() if not os.path.exists(smbconf): raise ProvisioningError("Unable to find smb.conf") lp = param.LoadParm() lp.load(smbconf) paths = provision_paths_from_lp(lp, lp.get("realm")) return paths
def setUp(self): super(SamDBTestCase, self).setUp() invocationid = str(uuid.uuid4()) domaindn = "DC=COM,DC=EXAMPLE" self.domaindn = domaindn configdn = "CN=Configuration," + domaindn schemadn = "CN=Schema," + configdn domainguid = str(uuid.uuid4()) policyguid = DEFAULT_POLICY_GUID domainsid = security.random_sid() path = os.path.join(self.tempdir, "samdb.ldb") session_info = system_session() hostname = "foo" domain = "EXAMPLE" dnsdomain = "example.com" serverrole = "domain controller" policyguid_dc = DEFAULT_DC_POLICY_GUID smbconf = os.path.join(self.tempdir, "smb.conf") make_smbconf(smbconf, hostname, domain, dnsdomain, serverrole, self.tempdir) self.lp = param.LoadParm() self.lp.load(smbconf) names = guess_names(lp=self.lp, hostname=hostname, domain=domain, dnsdomain=dnsdomain, serverrole=serverrole, domaindn=self.domaindn, configdn=configdn, schemadn=schemadn) paths = provision_paths_from_lp(self.lp, names.dnsdomain) logger = logging.getLogger("provision") provision_backend = ProvisionBackend("ldb", paths=paths, lp=self.lp, credentials=None, names=names, logger=logger) schema = Schema(domainsid, invocationid=invocationid, schemadn=names.schemadn, serverdn=names.serverdn, am_rodc=False) self.samdb = setup_samdb(path, session_info, provision_backend, self.lp, names, logger, domainsid, domainguid, policyguid, policyguid_dc, False, "secret", "secret", "secret", invocationid, "secret", None, "domain controller", schema=schema)
def get_paths(): smbconf = param.default_path() lp = param.LoadParm() lp.load(smbconf) return provision_paths_from_lp(lp, 'foo')