1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
#!/usr/bin/python
# Unix SMB/CIFS implementation.
# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
#
# Based on the original in EJS:
# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
"""Convenience functions for using the SAM."""
import samba
import misc
import ldb
class SamDB(samba.Ldb):
"""The SAM database."""
def __init__(self, url=None, session_info=None, credentials=None,
modules_dir=None, lp=None):
"""Open the Sam Database.
:param url: URL of the database.
"""
super(SamDB, self).__init__(session_info=session_info, credentials=credentials,
modules_dir=modules_dir, lp=lp)
assert misc.dsdb_set_global_schema(self) == 0
if url:
self.connect(url)
def add_foreign(self, domaindn, sid, desc):
"""Add a foreign security principle."""
add = """
dn: CN=%s,CN=ForeignSecurityPrincipals,%s
objectClass: top
objectClass: foreignSecurityPrincipal
description: %s
""" % (sid, domaindn, desc)
# deliberately ignore errors from this, as the records may
# already exist
for msg in self.parse_ldif(add):
self.add(msg[1])
def setup_name_mapping(self, domaindn, sid, unixname):
"""Setup a mapping between a sam name and a unix name.
:param domaindn: DN of the domain.
:param sid: SID of the NT-side of the mapping.
:param unixname: Unix name to map to.
"""
res = self.search(domaindn, ldb.SCOPE_SUBTREE,
"objectSid=%s" % sid, ["dn"])
assert len(res) == 1, "Failed to find record for objectSid %s" % sid
mod = """
dn: %s
changetype: modify
replace: unixName
unixName: %s
""" % (res[0].dn, unixname)
self.modify(self.parse_ldif(mod).next()[1])
def enable_account(self, user_dn):
"""Enable an account.
:param user_dn: Dn of the account to enable.
"""
res = self.search(user_dn, ldb.SCOPE_BASE, None, ["userAccountControl"])
assert len(res) == 1
userAccountControl = res[0]["userAccountControl"][0]
userAccountControl = int(userAccountControl)
if (userAccountControl & 0x2):
userAccountControl = userAccountControl & ~0x2 # remove disabled bit
if (userAccountControl & 0x20):
userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
mod = """
dn: %s
changetype: modify
replace: userAccountControl
userAccountControl: %u
""" % (user_dn, userAccountControl)
self.modify_ldif(mod)
def newuser(self, username, unixname, password):
"""add a new user record.
:param username: Name of the new user.
:param unixname: Name of the unix user to map to.
:param password: Password for the new user
"""
# connect to the sam
self.transaction_start()
# find the DNs for the domain and the domain users group
res = self.search("", scope=ldb.SCOPE_BASE,
expression="(defaultNamingContext=*)",
attrs=["defaultNamingContext"])
assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
domain_dn = res[0]["defaultNamingContext"][0]
assert(domain_dn is not None)
user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn)
#
# the new user record. note the reliance on the samdb module to fill
# in a sid, guid etc
#
# now the real work
self.add({"dn": user_dn,
"sAMAccountName": username,
"unixName": unixname,
"sambaPassword": password,
"objectClass": "user"})
# modify the userAccountControl to remove the disabled bit
self.enable_account(user_dn)
self.transaction_commit()
def setpassword(self, filter, password):
"""Set a password on a user record
:param filter: LDAP filter to find the user (eg samccountname=name)
:param password: Password for the user
"""
# connect to the sam
self.transaction_start()
# find the DNs for the domain
res = self.search("", scope=ldb.SCOPE_BASE,
expression="(defaultNamingContext=*)",
attrs=["defaultNamingContext"])
assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
domain_dn = res[0]["defaultNamingContext"][0]
assert(domain_dn is not None)
res = self.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
expression=filter,
attrs=[])
assert(len(res) == 1)
user_dn = res[0].dn
setpw = """
dn: %s
changetype: modify
replace: sambaPassword
sambaPassword: %s
""" % (user_dn, password)
self.modify_ldif(setpw)
# modify the userAccountControl to remove the disabled bit
self.enable_account(user_dn)
self.transaction_commit()
def set_domain_sid(self, sid):
"""Change the domain SID used by this SamDB.
:param sid: The new domain sid to use.
"""
misc.samdb_set_domain_sid(self, sid)
def attach_schema_from_ldif(self, pf, df):
misc.dsdb_attach_schema_from_ldif_file(self, pf, df)
def set_invocation_id(self, invocation_id):
"""Set the invocation id for this SamDB handle.
:param invocation_id: GUID of the invocation id.
"""
misc.dsdb_set_ntds_invocation_id(self, invocation_id)
|