diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/scripting/python/samba/samdb.py | 58 | ||||
-rwxr-xr-x | source4/setup/newuser | 6 | ||||
-rw-r--r-- | source4/setup/setpassword | 181 |
3 files changed, 102 insertions, 143 deletions
diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 3c6bb23c02..de0fd4ba04 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -77,10 +77,15 @@ unixName: %s :param user_dn: Dn of the account to enable. """ - res = self.search(user_dn, SCOPE_ONELEVEL, None, ["userAccountControl"]) + res = self.search(user_dn, ldb.SCOPE_BASE, None, ["userAccountControl"]) assert len(res) == 1 - userAccountControl = res[0].userAccountControl - userAccountControl = userAccountControl - 2 # remove disabled bit + userAccountControl = res[0]["userAccountControl"][0] + userAccountControl = int(userAccountControl) + if (userAccountControl & 0x2): + userAccountControl = userAccountControl & ~0x2 # remove disabled bit + if (userAccountControl & 0x20): + userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit + mod = """ dn: %s changetype: modify @@ -103,13 +108,9 @@ userAccountControl: %u res = self.search("", scope=ldb.SCOPE_BASE, expression="(defaultNamingContext=*)", attrs=["defaultNamingContext"]) - assert(len(res) == 1 and res[0].defaultNamingContext is not None) + assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None) domain_dn = res[0]["defaultNamingContext"][0] assert(domain_dn is not None) - dom_users = self.searchone(basedn=domain_dn, attribute="dn", - expression="name=Domain Users") - assert(dom_users is not None) - user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn) # @@ -123,19 +124,44 @@ userAccountControl: %u "sambaPassword": password, "objectClass": "user"}) - # add the user to the users group as well - modgroup = """ + # modify the userAccountControl to remove the disabled bit + self.enable_account(user_dn) + self.transaction_commit() + + def setpassword(self, filter, password): + """Set a password on a user record + + :param filter: LDAP filter to find the user (eg samccountname=name) + :param password: Password for the user + """ + # connect to the sam + self.transaction_start() + + # find the DNs for the domain + res = self.search("", scope=ldb.SCOPE_BASE, + expression="(defaultNamingContext=*)", + attrs=["defaultNamingContext"]) + assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None) + domain_dn = res[0]["defaultNamingContext"][0] + assert(domain_dn is not None) + + res = self.search(domain_dn, scope=ldb.SCOPE_SUBTREE, + expression=filter, + attrs=[]) + assert(len(res) == 1) + user_dn = res[0].dn + + setpw = """ dn: %s changetype: modify -add: member -member: %s -""" % (dom_users, user_dn) - +replace: sambaPassword +sambaPassword: %s +""" % (user_dn, password) - self.modify(modgroup) + self.modify_ldif(setpw) # modify the userAccountControl to remove the disabled bit - enable_account(self, user_dn) + self.enable_account(user_dn) self.transaction_commit() def set_domain_sid(self, sid): diff --git a/source4/setup/newuser b/source4/setup/newuser index 03ae4e5ffb..5f53aad9c6 100755 --- a/source4/setup/newuser +++ b/source4/setup/newuser @@ -10,7 +10,7 @@ import samba.getopt as options import optparse import pwd import sys - +from getpass import getpass from auth import system_session from samba.samdb import SamDB @@ -40,9 +40,7 @@ username = args[0] if len(args) > 1: password = args[1] else: - random_init(local) - options.password = randpass(12) - print "chose random password %s\n" % password + password = getpass("New Password: ") if opts.unixname is None: opts.unixname = username diff --git a/source4/setup/setpassword b/source4/setup/setpassword index 618e304077..1c87f4b1c8 100644 --- a/source4/setup/setpassword +++ b/source4/setup/setpassword @@ -1,123 +1,58 @@ -#!/bin/sh -exec smbscript "$0" ${1+"$@"} -/* - set a user's password on a Samba4 server - Copyright Andrew Tridgell 2005 - Copyright Andrew Bartlett 2006 - Released under the GNU GPL v2 or later -*/ - -options = GetOptions(ARGV, - "POPT_AUTOHELP", - 'username=s', - 'filter=s', - 'newpassword=s', - "POPT_COMMON_SAMBA", - "POPT_COMMON_VERSION", - "POPT_COMMON_CREDENTIALS", - 'quiet'); - -if (options == undefined) { - println("Failed to parse options"); - return -1; -} - -libinclude("base.js"); -libinclude("provision.js"); - -/* - print a message if quiet is not set -*/ -function message() -{ - if (options["quiet"] == undefined) { - print(vsprintf(arguments)); - } -} - -/* - show some help -*/ -function ShowHelp() -{ - print(" -Samba4 newuser - -newuser [options] - --username USERNAME username - --filter LDAPFILTER LDAP Filter to set password on - --newpassword PASSWORD set password - -You must provide either a filter or a username, as well as password -"); - exit(1); -} - -if (options['username'] == undefined && options['filter'] == undefined) { - ShowHelp(); -} - -if (options['newpassword'] == undefined) { - ShowHelp(); -} - - var lp = loadparm_init(); - var samdb = lp.get("sam database"); - var ldb = ldb_init(); - random_init(local); - ldb.session_info = system_session(); - ldb.credentials = options.get_credentials(); - - /* connect to the sam */ - var ok = ldb.connect(samdb); - assert(ok); - - ldb.transaction_start(); - -/* find the DNs for the domain and the domain users group */ -var attrs = new Array("defaultNamingContext"); -var attrs2 = new Array("cn"); -res = ldb.search("defaultNamingContext=*", "", ldb.SCOPE_BASE, attrs); -assert(res.error == 0); -assert(res.msgs.length == 1 && res.msgs[0].defaultNamingContext != undefined); -var domain_dn = res.msgs[0].defaultNamingContext; -assert(domain_dn != undefined); - -if (options['filter'] != undefined) { - var res = ldb.search(options['filter'], - domain_dn, ldb.SCOPE_SUBTREE, attrs2); - if (res.error != 0 || res.msgs.length != 1) { - message("Failed to find record for filter %s\n", options['filter']); - exit(1); - } -} else { - var res = ldb.search(sprintf("samAccountName=%s", options['username']), - domain_dn, ldb.SCOPE_SUBTREE, attrs2); - if (res.error != 0 || res.msgs.length != 1) { - message("Failed to find record for user %s\n", options['username']); - exit(1); - } -} - -var mod = sprintf(" -dn: %s -changetype: modify -replace: sambaPassword -sambaPassword: %s -", - res[0].dn, options['newpassword']); -var ok = ldb.modify(mod); -if (ok.error != 0) { - message("set password for %s failed - %s\n", - res[0].dn, ok.errstr); - ldb.transaction_cancel(); - exit(1); -} else { - message("set password for %s (%s) succeded\n", - res[0].dn, res[0].cn); - - ldb.transaction_commit(); -} - - -return 0; +#!/usr/bin/python +# +# add a new user to a Samba4 server +# Copyright Andrew Tridgell 2005 +# Copyright Jelmer Vernooij 2008 +# Released under the GNU GPL v2 or later +# + +import samba.getopt as options +import optparse +import pwd +import sys +from getpass import getpass +from auth import system_session +from samba.samdb import SamDB + +parser = optparse.OptionParser("setpassword [username] [options]") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +parser.add_option("--filter", help="LDAP Filter to set password on", type=str) +parser.add_option("--newpassword", help="Set password", type=str) + +opts, args = parser.parse_args() + +# +# print a message if quiet is not set +# +def message(text): + if not opts.quiet: + print text + +if len(args) == 0: + parser.print_usage() + sys.exit(1) + +password = opts.password; +if password is None: + password = getpass("New Password: ") + +filter = opts.filter + +if filter is None: + username = args[0] + if username is None: + print "Either username or --filter must be specified" + + filter = "(&(objectclass=user)(samAccountName=" + username + "))" + + +creds = credopts.get_credentials() + +lp = sambaopts.get_loadparm() +samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), + credentials=creds, lp=lp) +samdb.setpassword(filter, password) |