1 # user management
3 # add user
5 # Copyright Jelmer Vernooij 2010 <jelmer@samba.org>
6 # Copyright Theresa Halloran 2011 <theresahalloran@gmail.com>
8 # This program is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # This program is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 import pwd
23 from getpass import getpass
25 import samba.getopt as options
26 from samba import generate_random_password
27 from samba.auth import system_session
28 from samba.netcmd import Command, CommandError, Option
29 from samba.samdb import SamDB
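class cmd_user_add(Command):
    """Add a new user.

This command adds a new user account to the Active Directory domain. The username specified on the command is the sAMaccountName.

User accounts may represent physical entities, such as people or may be used as service accounts for applications. User accounts are also referred to as security principals and are assigned a security identifier (SID).

A user account enables a user to logon to a computer and domain with an identity that can be authenticated. To maximize security, each user should have their own unique user account and password. A user's access to domain resources is based on permissions assigned to the user account.

Unix (RFC2307) attributes may be added to the user account. Attributes taken from NSS are obtained on the local machine. Explicitly given values override values obtained from NSS. Configure 'idmap_ldb:use rfc2307 = Yes' to use these attributes for UID/GID mapping.

The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server.

Example1:
samba-tool user add User1 passw0rd --given-name=John --surname=Smith --must-change-at-next-login -H ldap://samba.samdom.example.com -Uadministrator%passw1rd

Example1 shows how to add a new user to the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. The -U option is used to pass the userid and password authorized to issue the command remotely.

Example2:
sudo samba-tool user add User2 passw2rd --given-name=Jane --surname=Doe --must-change-at-next-login

Example2 shows how to add a new user to the domain against the local server. sudo is used so a user may run the command as root. In this example, after User2 is created, he/she will be forced to change their password when they logon.

Example3:
samba-tool user add User3 passw3rd --userou='OU=OrgUnit'

Example3 shows how to add a new user in the OrgUnit organizational unit.

Example4:
samba-tool user add User4 passw4rd --rfc2307-from-nss --gecos 'some text'

Example4 shows how to add a new user with Unix UID, GID and login-shell set from the local NSS and GECOS set to 'some text'.

Example5:
samba-tool user add User5 passw5rd --nis-domain=samdom --unix-home=/home/User5 \\
    --uid-number=10005 --login-shell=/bin/false --gid-number=10000

Example5 shows how to add a new RFC2307/NIS domain enabled user account. If
--nis-domain is set, then the other four parameters are mandatory.

"""
    synopsis = "%prog <username> [<password>] [options]"

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
               metavar="URL", dest="H"),
        Option("--must-change-at-next-login",
               help="Force password to be changed on next login",
               action="store_true"),
        Option("--random-password",
               help="Generate random password",
               action="store_true"),
        Option("--smartcard-required",
               help="Require a smartcard for interactive logons",
               action="store_true"),
        Option("--use-username-as-cn",
               help="Force use of username as user's CN",
               action="store_true"),
        Option("--userou",
               help="DN of alternative location (without domainDN counterpart) to default CN=Users in which new user object will be created. E. g. 'OU=<OU name>'",
               type=str),
        Option("--surname", help="User's surname", type=str),
        Option("--given-name", help="User's given name", type=str),
        Option("--initials", help="User's initials", type=str),
        Option("--profile-path", help="User's profile path", type=str),
        Option("--script-path", help="User's logon script path", type=str),
        Option("--home-drive", help="User's home drive letter", type=str),
        Option("--home-directory", help="User's home directory path", type=str),
        Option("--job-title", help="User's job title", type=str),
        Option("--department", help="User's department", type=str),
        Option("--company", help="User's company", type=str),
        Option("--description", help="User's description", type=str),
        Option("--mail-address", help="User's email address", type=str),
        Option("--internet-address", help="User's home page", type=str),
        Option("--telephone-number", help="User's phone number", type=str),
        Option("--physical-delivery-office", help="User's office location", type=str),
        Option("--rfc2307-from-nss",
               help="Copy Unix user attributes from NSS (will be overridden by explicit UID/GID/GECOS/shell)",
               action="store_true"),
        Option("--nis-domain", help="User's Unix/RFC2307 NIS domain", type=str),
        Option("--unix-home", help="User's Unix/RFC2307 home directory",
               type=str),
        Option("--uid", help="User's Unix/RFC2307 username", type=str),
        Option("--uid-number", help="User's Unix/RFC2307 numeric UID", type=int),
        Option("--gid-number", help="User's Unix/RFC2307 primary GID number", type=int),
        Option("--gecos", help="User's Unix/RFC2307 GECOS field", type=str),
        Option("--login-shell", help="User's Unix/RFC2307 login shell", type=str),
    ]

    takes_args = ["username", "password?"]

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    def _prompt_for_password(self):
        """Read a new password interactively and return it once confirmed.

        Both entries are read with getpass (no echo). A mismatch is
        reported on self.outf and both prompts are repeated; an empty
        password is not accepted and is re-prompted as well.
        """
        while True:
            password = getpass("New Password: ")
            verify = getpass("Retype Password: ")
            if password != verify:
                self.outf.write("Sorry, passwords do not match.\n")
                continue
            if password:
                return password
            # Empty input is re-prompted until a non-empty password is given.

    def run(self, username, password=None, credopts=None, sambaopts=None,
            versionopts=None, H=None, must_change_at_next_login=False,
            random_password=False, use_username_as_cn=False, userou=None,
            surname=None, given_name=None, initials=None, profile_path=None,
            script_path=None, home_drive=None, home_directory=None,
            job_title=None, department=None, company=None, description=None,
            mail_address=None, internet_address=None, telephone_number=None,
            physical_delivery_office=None, rfc2307_from_nss=False,
            nis_domain=None, unix_home=None, uid=None, uid_number=None,
            gid_number=None, gecos=None, login_shell=None,
            smartcard_required=False):
        """Create the user account described by the command-line arguments.

        The password is taken, in order of precedence, from: nothing when
        --smartcard-required is set, a generated value when
        --random-password is set, the positional argument, or an
        interactive getpass prompt when none was given. Passing the
        password on the command line exposes it to shell history and
        process listings; omitting it and using the prompt avoids that.

        Raises CommandError for conflicting options, a missing NSS
        account with --rfc2307-from-nss, an incomplete set of NIS
        options, or a failure in SamDB.newuser().
        """
        if smartcard_required:
            # A smartcard-only account carries no password: both a
            # supplied password and a forced change at next login conflict
            # with it, and the password stays None below.
            if password:
                raise CommandError('It is not allowed to specify a '
                                   'password together with '
                                   '--smartcard-required.')
            if must_change_at_next_login:
                raise CommandError('It is not allowed to specify '
                                   '--must-change-at-next-login '
                                   'together with --smartcard-required.')
        elif random_password:
            # The generated value is never written to the output.
            password = generate_random_password(128, 255)
        elif not password:
            password = self._prompt_for_password()

        if rfc2307_from_nss:
            # Defaults come from the local NSS entry of the same username;
            # explicit options given on the command line take precedence.
            try:
                pwent = pwd.getpwnam(username)
            except KeyError as e:
                raise CommandError("Failed to look up user '%s' via NSS: "
                                   % username, e)
            if uid is None:
                uid = username
            if uid_number is None:
                uid_number = pwent.pw_uid
            if gid_number is None:
                gid_number = pwent.pw_gid
            if gecos is None:
                gecos = pwent.pw_gecos
            if login_shell is None:
                login_shell = pwent.pw_shell

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)

        if (uid_number or gid_number) and not lp.get("idmap_ldb:use rfc2307"):
            self.outf.write("You are setting a Unix/RFC2307 UID or GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.\n")

        if nis_domain is not None:
            # NIS enablement needs the full attribute set or the entry is
            # unusable; refuse before touching the directory.
            if None in (uid_number, login_shell, unix_home, gid_number):
                raise CommandError('Missing parameters. To enable NIS features, '
                                   'the following options have to be given: '
                                   '--nis-domain=, --uid-number=, --login-shell='
                                   ', --unix-home=, --gid-number= Operation '
                                   'cancelled.')

        try:
            samdb = SamDB(url=H, session_info=system_session(),
                          credentials=creds, lp=lp)
            samdb.newuser(username, password, force_password_change_at_next_login_req=must_change_at_next_login,
                          useusernameascn=use_username_as_cn, userou=userou, surname=surname, givenname=given_name, initials=initials,
                          profilepath=profile_path, homedrive=home_drive, scriptpath=script_path, homedirectory=home_directory,
                          jobtitle=job_title, department=department, company=company, description=description,
                          mailaddress=mail_address, internetaddress=internet_address,
                          telephonenumber=telephone_number, physicaldeliveryoffice=physical_delivery_office,
                          nisdomain=nis_domain, unixhome=unix_home, uid=uid,
                          uidnumber=uid_number, gidnumber=gid_number,
                          gecos=gecos, loginshell=login_shell,
                          smartcard_required=smartcard_required)
        except Exception as e:
            # Wrap any directory/connection failure in the command-level error
            # so the CLI reports it uniformly; the cause is kept as the inner
            # exception.
            raise CommandError("Failed to add user '%s': " % username, e)

        self.outf.write("User '%s' added successfully\n" % username)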