| blob | c292def0985d407b3eacfad1e5a799372fb65446 |
1 # user management
2 #
3 # Copyright Jelmer Vernooij 2010 <jelmer@samba.org>
4 # Copyright Theresa Halloran 2011 <theresahalloran@gmail.com>
5 #
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 3 of the License, or
9 # (at your option) any later version.
10 #
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 #
20 import builtins
22 import ldb
23 import pwd
24 import os
25 import io
26 import fcntl
27 import signal
28 import errno
29 import time
30 import base64
31 import binascii
41 credentials,
42 dsdb,
43 gensec,
44 generate_random_password,
45 Ldb,
46 nttime2float,
47 )
51 Command,
52 CommandError,
53 SuperCommand,
54 Option,
55 )
60 # python[3]-gpgme is abandoned since ubuntu 1804 and debian 9
61 # have to use python[3]-gpg instead
62 # The API is different, need to adapt.
65 """
66 Use python[3]-gpgme to decrypt GPG.
67 """
76 """
77 Use python[3]-gpg to decrypt GPG.
78 """
81 # plaintext, result, verify_result
83 return plaintext
90 import gpgme
91 gpg_decrypt = _gpgme_decrypt
93 pass
97 import gpg
98 gpg_decrypt = _gpg_decrypt
100 pass
110 disabled_virtual_attributes = {
111 }
113 virtual_attributes = {
116 },
119 },
122 },
123 }
127 algs = {
130 }
133 # The salt needs to be in [A-Za-z0-9./]
134 # base64 is close enough and as we had 16
135 # random bytes but only need 16 characters
136 # we can ignore the possible == at the end
137 # of the base64 string
138 # we just need to replace '+' by '.'
151 raise NotImplementedError("crypt.crypt(%s) returned a value with length %d, expected length is %d" % (
153 return crypt_value
156 import hashlib
159 }
165 }
169 import crypt
172 }
178 }
183 }
185 # Add the wDigest virtual attributes, virtualWDigest01 to virtualWDigest29
189 # Add Kerberos virtual attributes
193 virtual_attributes_help += "Possible supported virtual attributes: %s" % ", ".join(sorted(virtual_attributes.keys()))
195 virtual_attributes_help += "Unsupported virtual attributes: %s" % ", ".join(sorted(disabled_virtual_attributes.keys()))
199 """Add a new user.
201 This command adds a new user account to the Active Directory domain. The username specified on the command is the sAMaccountName.
203 User accounts may represent physical entities, such as people or may be used as service accounts for applications. User accounts are also referred to as security principals and are assigned a security identifier (SID).
205 A user account enables a user to logon to a computer and domain with an identity that can be authenticated. To maximize security, each user should have their own unique user account and password. A user's access to domain resources is based on permissions assigned to the user account.
207 Unix (RFC2307) attributes may be added to the user account. Attributes taken from NSS are obtained on the local machine. Explicitly given values override values obtained from NSS. Configure 'idmap_ldb:use rfc2307 = Yes' to use these attributes for UID/GID mapping.
209 The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server.
211 Example1:
212 samba-tool user add User1 passw0rd --given-name=John --surname=Smith --must-change-at-next-login -H ldap://samba.samdom.example.com -Uadministrator%passw1rd
214 Example1 shows how to add a new user to the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. The -U option is used to pass the userid and password authorized to issue the command remotely.
216 Example2:
217 sudo samba-tool user add User2 passw2rd --given-name=Jane --surname=Doe --must-change-at-next-login
219 Example2 shows how to add a new user to the domain against the local server. sudo is used so a user may run the command as root. In this example, after User2 is created, he/she will be forced to change their password when they logon.
221 Example3:
222 samba-tool user add User3 passw3rd --userou='OU=OrgUnit'
224 Example3 shows how to add a new user in the OrgUnit organizational unit.
226 Example4:
227 samba-tool user add User4 passw4rd --rfc2307-from-nss --gecos 'some text'
229 Example4 shows how to add a new user with Unix UID, GID and login-shell set from the local NSS and GECOS set to 'some text'.
231 Example5:
233 --uid-number=10005 --login-shell=/bin/false --gid-number=10000
235 Example5 shows how to add a new RFC2307/NIS domain enabled user account. If
236 --nis-domain is set, then the other four parameters are mandatory.
238 """
241 takes_options = [
257 help="DN of alternative location (without domainDN counterpart) to default CN=Users in which new user object will be created. E. g. 'OU=<OU name>'",
285 ]
289 takes_optiongroups = {
293 }
310 '--newpassword '
314 '--must-change-at-next-login '
322 break
324 break
334 uid = username
349 self.outf.write("You are setting a Unix/RFC2307 UID or GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.\n")
354 'the following options have to be given: '
355 '--nis-domain=, --uidNumber=, --login-shell='
356 ', --unix-home=, --gid-number= Operation '
362 samdb.newuser(username, password, force_password_change_at_next_login_req=must_change_at_next_login,
363 useusernameascn=use_username_as_cn, userou=userou, surname=surname, givenname=given_name, initials=initials,
364 profilepath=profile_path, homedrive=home_drive, scriptpath=script_path, homedirectory=home_directory,
378 """Delete a user.
380 This command deletes a user account from the Active Directory domain. The username specified on the command is the sAMAccountName.
382 Once the account is deleted, all permissions and memberships associated with that account are deleted. If a new user account is added with the same name as a previously deleted account name, the new user does not have the previous permissions. The new account user will be assigned a new security identifier (SID) and permissions and memberships will have to be added.
384 The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server.
386 Example1:
387 samba-tool user delete User1 -H ldap://samba.samdom.example.com --username=administrator --password=passw1rd
389 Example1 shows how to delete a user in the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. The --username= and --password= options are used to pass the username and password of a user that exists on the remote server and is authorized to issue the command on that server.
391 Example2:
392 sudo samba-tool user delete User2
394 Example2 shows how to delete a user in the domain against the local server. sudo is used so a user may run the command as root.
396 """
399 takes_options = [
402 ]
405 takes_optiongroups = {
409 }
439 """List all users."""
443 takes_options = [
461 ]
463 takes_optiongroups = {
467 }
492 current_nttime)
502 filter_disabled,
503 filter_expires)
510 return
515 continue
521 """Enable a user.
523 This command enables a user account for logon to an Active Directory domain. The username specified on the command is the sAMAccountName. The username may also be specified using the --filter option.
525 There are many reasons why an account may become disabled. These include:
526 - If a user exceeds the account policy for logon attempts
527 - If an administrator disables the account
528 - If the account expires
530 The samba-tool user enable command allows an administrator to enable an account which has become disabled.
532 Additionally, the enable function allows an administrator to have a set of created user accounts defined and setup with default permissions that can be easily enabled for use.
534 The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server.
536 Example1:
537 samba-tool user enable Testuser1 --URL=ldap://samba.samdom.example.com --username=administrator --password=passw1rd
539 Example1 shows how to enable a user in the domain against a remote LDAP server. The --URL parameter is used to specify the remote target server. The --username= and --password= options are used to pass the username and password of a user that exists on the remote server and is authorized to update that server.
541 Example2:
542 su samba-tool user enable Testuser2
544 Example2 shows how to enable user Testuser2 for use in the domain on the local server. sudo is used so a user may run the command as root.
546 Example3:
547 samba-tool user enable --filter=samaccountname=Testuser3
549 Example3 shows how to enable a user in the domain against a local LDAP server. It uses the --filter=samaccountname to specify the username.
551 """
554 takes_optiongroups = {
558 }
560 takes_options = [
564 ]
589 """Disable a user."""
593 takes_options = [
597 ]
601 takes_optiongroups = {
605 }
627 """Set the expiration of a user account.
629 The user can either be specified by their sAMAccountName or using the --filter option.
631 When a user account expires, it becomes disabled and the user is unable to logon. The administrator may issue the samba-tool user enable command to enable the account for logon. The permissions and memberships associated with the account are retained when the account is enabled.
633 The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command on a remote server.
635 Example1:
636 samba-tool user setexpiry User1 --days=20 --URL=ldap://samba.samdom.example.com --username=administrator --password=passw1rd
638 Example1 shows how to set the expiration of an account in a remote LDAP server. The --URL parameter is used to specify the remote target server. The --username= and --password= options are used to pass the username and password of a user that exists on the remote server and is authorized to update that server.
640 Example2:
641 sudo samba-tool user setexpiry User2 --noexpiry
643 Example2 shows how to set the account expiration of user User2 so it will never expire. The user in this example resides on the local server. sudo is used so a user may run the command as root.
645 Example3:
646 samba-tool user setexpiry --days=20 --filter=samaccountname=User3
648 Example3 shows how to set the account expiration date to end of day 20 days from the current day. The username or sAMAccountName is specified using the --filter= parameter and the username in this example is User3.
650 Example4:
651 samba-tool user setexpiry --noexpiry User4
652 Example4 shows how to set the account expiration so that it will never expire. The username and sAMAccountName in this example is User4.
654 """
657 takes_optiongroups = {
661 }
663 takes_options = [
669 ]
690 # FIXME: Catch more specific exception
702 """Change password for a user account (the one provided in authentication).
703 """
707 takes_options = [
709 ]
711 takes_optiongroups = {
715 }
723 # get old password now, to get the password prompts in the right order
728 password = newpassword
731 break
743 # FIXME: catch more specific exception
749 """Get the direct group memberships of a user account.
751 The username specified on the command is the sAMAccountName."""
754 takes_optiongroups = {
758 }
760 takes_options = [
767 ]
772 username,
801 user_groups = []
822 return
824 group_names = []
841 """Set the primary group a user account.
843 This command sets the primary group a user account. The username specified on
844 the command is the sAMAccountName. The primarygroupname is the sAMAccountName
845 of the new primary group. The user must be a member of the group.
847 The command may be run from the root userid or another authorized userid. The
848 -H or --URL= option can be used to execute the command against a remote server.
850 Example1:
851 samba-tool user setprimarygroup TestUser1 newPrimaryGroup --URL=ldap://samba.samdom.example.com -Uadministrator%passw1rd
853 Example1 shows how to set the primary group for TestUser1 on a remote LDAP
854 server. The --URL parameter is used to specify the remote target server. The
855 -U option is used to pass the username and password of a user that exists on
856 the remote server and is authorized to update the server.
857 """
860 takes_optiongroups = {
864 }
866 takes_options = [
869 ]
899 user_groups = []
903 user_group_sids = []
934 changetype: modify
935 delete: primaryGroupID
937 add: primaryGroupID
951 """Set or reset the password of a user account.
953 This command sets or resets the logon password for a user account. The username specified on the command is the sAMAccountName. The username may also be specified using the --filter option.
955 If the password is not specified on the command through the --newpassword parameter, the user is prompted for the password to be entered through the command line.
957 It is good security practice for the administrator to use the --must-change-at-next-login option which requires that when the user logs on to the account for the first time following the password change, he/she must change the password.
959 The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server.
961 Example1:
962 samba-tool user setpassword TestUser1 --newpassword=passw0rd --URL=ldap://samba.samdom.example.com -Uadministrator%passw1rd
964 Example1 shows how to set the password of user TestUser1 on a remote LDAP server. The --URL parameter is used to specify the remote target server. The -U option is used to pass the username and password of a user that exists on the remote server and is authorized to update the server.
966 Example2:
967 sudo samba-tool user setpassword TestUser2 --newpassword=passw0rd --must-change-at-next-login
969 Example2 shows how an administrator would reset the TestUser2 user's password to passw0rd. The user is running under the root userid using the sudo command. In this example the user TestUser2 must change their password the next time they logon to the account.
971 Example3:
972 samba-tool user setpassword --filter=samaccountname=TestUser3 --newpassword=passw0rd
974 Example3 shows how an administrator would reset TestUser3 user's password to passw0rd using the --filter= option to specify the username.
976 """
979 takes_optiongroups = {
983 }
985 takes_options = [
1002 ]
1013 password = newpassword
1018 '--newpassword '
1022 '--must-change-at-next-login '
1026 '--clear-smartcard-required '
1034 break
1036 break
1063 # FIXME: catch more specific exception
1078 # FIXME: catch more specific exception
1090 # We use sort here in order to have a predictable processing order
1091 # this might not be strictly needed, but also doesn't hurt here
1098 # using anonymous here, results in no authentication
1099 # which means we can get system privileges via
1100 # the privileged ldapi socket
1105 pass
1107 pass
1122 #
1123 # Make sure we're connected as SYSTEM
1124 #
1137 return samdb
1144 return None
1148 return val
1149 return None
1154 continue
1156 return None
1158 formats = [
1162 ]
1167 return None
1170 continue
1171 return fm
1172 return None
1179 opts = []
1180 a = {}
1187 return a
1192 requested_attrs = []
1193 implicit_attrs = []
1199 search_attrs = []
1204 continue
1206 # also add it as implicit attr,
1207 # where we just do
1208 # search_attrs.append(a["attr"])
1209 # later on
1211 continue
1213 continue
1217 required_attrs = [
1219 "userPrincipalName"
1220 ]
1227 required_attrs = [
1230 ]
1237 continue
1243 search_controls = []
1253 # FIXME: catch more specific exception
1271 calculated = {}
1277 return None
1284 continue
1286 continue
1289 return None
1298 primary_krb5)
1315 #
1316 # Samba adds 'Primary:SambaGPG' at the end.
1317 # When Windows sets the password it keeps
1318 # 'Primary:SambaGPG' and rotates it to
1319 # the beginning. So we can only use the value,
1320 # if it is the last one.
1321 #
1322 # In order to get more protection we verify
1323 # the nthash of the decrypted utf16 password
1324 # against the stored nthash in unicodePwd if
1325 # available, otherwise against the first 16
1326 # bytes of the AES256 key.
1327 #
1332 #
1333 # We only use the password if it matches
1334 # the current nthash stored in the unicodePwd
1335 # attribute, or the current AES256 key.
1336 #
1346 current_hash = unicodePwd
1367 return None
1369 return u8
1371 # Extract the WDigest hash for the value specified by i.
1372 # Builds an htdigest compatible value
1378 user = account_name
1379 realm = domain
1387 user = account_name
1390 user = account_name
1399 user = account_name
1408 user = account_name
1411 user = account_name
1420 user = account_upn
1438 user = account_name
1439 realm = DIGEST
1442 realm = DIGEST
1445 realm = DIGEST
1447 user = account_upn
1448 realm = DIGEST
1451 realm = DIGEST
1454 realm = DIGEST
1457 realm = DIGEST
1459 # Differs from spec, see tests
1461 realm = DIGEST
1463 # Differs from spec, see tests
1465 realm = DIGEST
1470 primary_wdigest)
1475 return None
1477 # get the value for a virtualCrypt attribute.
1478 # look for an exact match on algorithm and rounds in supplemental creds
1479 # if not found calculate using Primary:CLEARTEXT
1480 # if no Primary:CLEARTEXT return the first supplementalCredential
1481 # that matches the algorithm.
1489 # No exact match on algorithm and number of rounds
1490 # try and calculate one from the Primary:CLEARTEXT
1495 # in py2 using get_bytes should ensure u8 is unmodified
1496 # in py3 it will be decoded
1499 # Unable to calculate a hash with the specified
1500 # number of rounds, fall back to the first hash using
1501 # the specified algorithm
1502 sv = fb
1504 return None
1511 # Check that the NT hash or AES256 key have not been changed
1512 # without updating the user password hashes. This indicates that
1513 # password has been changed without updating the supplemental
1514 # credentials.
1516 current_hash = unicodePwd
1526 prefix = scheme_prefix
1532 # in PY2 this should just do nothing and in PY3 if bytes
1533 # it will decode them
1538 scheme_match = h_value
1542 # No match on the number of rounds, return the value of the
1543 # first matching scheme
1546 # Extract the rounds value from the options of a virtualCrypt attribute
1547 # i.e. options = "rounds=20;other=ignored;" will return 20
1548 # if the rounds option is not found or the value is not a number, 0 is returned
1549 # which indicates that the default number of rounds should be used.
1559 # We use sort here in order to have a predictable processing order
1564 continue
1566 continue
1567 vattr = ra
1568 break
1570 continue
1576 continue
1579 continue
1580 v = u8
1584 continue
1588 continue
1591 continue
1602 continue
1603 v = x
1608 continue
1609 v = x
1611 # Samba adds 'Primary:SambaGPG' at the end.
1612 # When Windows sets the password it keeps
1613 # 'Primary:SambaGPG' and rotates it to
1614 # the beginning. So we can only use the value,
1615 # if it is the last one.
1618 continue
1620 v = kerberos_salt
1622 continue
1626 continue
1631 continue
1636 continue
1638 continue
1646 continue
1647 srcattr = k
1648 break
1649 return srcattr
1653 return None
1658 return vfl
1663 return None
1664 # 0 or 9223372036854775807 mean no value too
1666 return None
1668 return None
1670 return vfl
1675 return None
1681 return None
1682 raise
1683 return v
1688 return None
1691 return v
1696 return None
1698 return v
1700 generated_formats = {}
1704 continue
1706 continue
1709 continue
1712 continue
1723 continue
1726 # Now filter out implicit attributes
1731 continue
1733 break
1735 continue
1740 continue
1741 dattr = ia
1742 break
1744 continue
1747 continue
1749 return obj
1756 password_attrs = []
1766 # Take the real name
1767 pa = va
1768 break
1771 return password_attrs
1775 """Get the password fields of a user/computer account.
1777 This command gets the logon password for a user/computer account.
1779 The username specified on the command is the sAMAccountName.
1780 The username may also be specified using the --filter option.
1782 The command must be run from the root user id or another authorized user id.
1783 The '-H' or '--URL' option only supports ldapi:// or [tdb://] and can be
1784 used to adjust the local path. By default tdb:// is used by default.
1786 The '--attributes' parameter takes a comma separated list of attributes,
1787 which will be printed or given to the script specified by '--script'. If a
1788 specified attribute is not available on an object it's silently omitted.
1789 All attributes defined in the schema (e.g. the unicodePwd attribute holds
1790 the NTHASH) and the following virtual attributes are possible (see --help
1791 for which virtual attributes are supported in your environment):
1793 virtualClearTextUTF16: The raw cleartext as stored in the
1794 'Primary:CLEARTEXT' (or 'Primary:SambaGPG'
1795 with '--decrypt-samba-gpg') buffer inside of the
1796 supplementalCredentials attribute. This typically
1797 contains valid UTF-16-LE, but may contain random
1798 bytes, e.g. for computer accounts.
1800 virtualClearTextUTF8: As virtualClearTextUTF16, but converted to UTF-8
1801 (only from valid UTF-16-LE).
1803 virtualSSHA: As virtualClearTextUTF8, but a salted SHA-1
1806 virtualCryptSHA256: As virtualClearTextUTF8, but a salted SHA256
1808 with a $5$... salt, see crypt(3) on modern systems.
1809 The number of rounds used to calculate the hash can
1810 also be specified. By appending ";rounds=x" to the
1811 attribute name i.e. virtualCryptSHA256;rounds=10000
1812 will calculate a SHA256 hash with 10,000 rounds.
1813 Non numeric values for rounds are silently ignored.
1814 The value is calculated as follows:
1815 1) If a value exists in 'Primary:userPassword' with
1816 the specified number of rounds it is returned.
1817 2) If 'Primary:CLEARTEXT', or 'Primary:SambaGPG'
1818 with '--decrypt-samba-gpg'. Calculate a hash with
1819 the specified number of rounds.
1820 3) Return the first CryptSHA256 value in
1821 'Primary:userPassword'.
1824 virtualCryptSHA512: As virtualClearTextUTF8, but a salted SHA512
1826 with a $6$... salt, see crypt(3) on modern systems.
1827 The number of rounds used to calculate the hash can
1828 also be specified. By appending ";rounds=x" to the
1829 attribute name i.e. virtualCryptSHA512;rounds=10000
1830 will calculate a SHA512 hash with 10,000 rounds.
1831 Non numeric values for rounds are silently ignored.
1832 The value is calculated as follows:
1833 1) If a value exists in 'Primary:userPassword' with
1834 the specified number of rounds it is returned.
1835 2) If 'Primary:CLEARTEXT', or 'Primary:SambaGPG'
1836 with '--decrypt-samba-gpg'. Calculate a hash with
1837 the specified number of rounds.
1838 3) Return the first CryptSHA512 value in
1839 'Primary:userPassword'.
1841 virtualWDigestNN: The individual hash values stored in
1842 'Primary:WDigest' where NN is the hash number in
1843 the range 01 to 29.
1844 NOTE: As at 22-05-2017 the documentation:
1845 3.1.1.8.11.3.1 WDIGEST_CREDENTIALS Construction
1846 https://msdn.microsoft.com/en-us/library/cc245680.aspx
1847 is incorrect.
1849 virtualKerberosSalt: This results the salt string that is used to compute
1850 Kerberos keys from a UTF-8 cleartext password.
1852 virtualSambaGPG: The raw cleartext as stored in the
1853 'Primary:SambaGPG' buffer inside of the
1854 supplementalCredentials attribute.
1855 See the 'password hash gpg key ids' option in
1856 smb.conf.
1858 The '--decrypt-samba-gpg' option triggers decryption of the
1859 Primary:SambaGPG buffer. Check with '--help' if this feature is available
1860 in your environment or not (the python-gpgme package is required). Please
1861 note that you might need to set the GNUPGHOME environment variable. If the
1862 decryption key has a passphrase you have to make sure that the GPG_AGENT_INFO
1863 environment variable has been set correctly and the passphrase is already
1864 known by the gpg-agent.
1866 Attributes with time values can take an additional format specifier, which
1867 converts the time value into the requested format. The format can be specified
1868 by adding ";format=formatSpecifier" to the requested attribute name, whereby
1869 "formatSpecifier" must be a valid specifier. The syntax looks like:
1871 --attributes=attributeName;format=formatSpecifier
1873 The following format specifiers are available:
1874 - GeneralizedTime (e.g. 20210224113259.0Z)
1875 - UnixTime (e.g. 1614166392)
1876 - TimeSpec (e.g. 161416639.267546892)
1878 Attributes with an original NTTIME value of 0 and 9223372036854775807 are
1879 treated as non-existing value.
1881 Example1:
1882 samba-tool user getpassword TestUser1 --attributes=pwdLastSet,virtualClearTextUTF8
1884 Example2:
1885 samba-tool user getpassword --filter=samaccountname=TestUser3 --attributes=msDS-KeyVersionNumber,unicodePwd,virtualClearTextUTF16
1887 """
1893 takes_optiongroups = {
1896 }
1898 takes_options = [
1908 ]
1946 """Sync the password of user accounts.
1948 This syncs logon passwords for user accounts.
1950 Note that this command should run on a single domain controller only
1951 (typically the PDC-emulator). However the "password hash gpg key ids"
1952 option should to be configured on all domain controllers.
1954 The command must be run from the root user id or another authorized user id.
1955 The '-H' or '--URL' option only supports ldapi:// and can be used to adjust the
1956 local path. By default, ldapi:// is used with the default path to the
1957 privileged ldapi socket.
1959 This command has three modes: "Cache Initialization", "Sync Loop Run" and
1960 "Sync Loop Terminate".
1963 Cache Initialization
1964 ====================
1966 The first time, this command needs to be called with
1967 '--cache-ldb-initialize' in order to initialize its cache.
1969 The cache initialization requires '--attributes' and allows the following
1970 optional options: '--decrypt-samba-gpg', '--script', '--filter' or
1971 '-H/--URL'.
1973 The '--attributes' parameter takes a comma separated list of attributes,
1974 which will be printed or given to the script specified by '--script'. If a
1975 specified attribute is not available on an object it will be silently omitted.
1976 All attributes defined in the schema (e.g. the unicodePwd attribute holds
1977 the NTHASH) and the following virtual attributes are possible (see '--help'
1978 for supported virtual attributes in your environment):
1980 virtualClearTextUTF16: The raw cleartext as stored in the
1981 'Primary:CLEARTEXT' (or 'Primary:SambaGPG'
1982 with '--decrypt-samba-gpg') buffer inside of the
1983 supplementalCredentials attribute. This typically
1984 contains valid UTF-16-LE, but may contain random
1985 bytes, e.g. for computer accounts.
1987 virtualClearTextUTF8: As virtualClearTextUTF16, but converted to UTF-8
1988 (only from valid UTF-16-LE).
1990 virtualSSHA: As virtualClearTextUTF8, but a salted SHA-1
1993 virtualCryptSHA256: As virtualClearTextUTF8, but a salted SHA256
1995 with a $5$... salt, see crypt(3) on modern systems.
1996 The number of rounds used to calculate the hash can
1997 also be specified. By appending ";rounds=x" to the
1998 attribute name i.e. virtualCryptSHA256;rounds=10000
1999 will calculate a SHA256 hash with 10,000 rounds.
2000 Non numeric values for rounds are silently ignored.
2001 The value is calculated as follows:
2002 1) If a value exists in 'Primary:userPassword' with
2003 the specified number of rounds it is returned.
2004 2) If 'Primary:CLEARTEXT', or 'Primary:SambaGPG' with
2005 '--decrypt-samba-gpg'. Calculate a hash with
2006 the specified number of rounds
2007 3) Return the first CryptSHA256 value in
2008 'Primary:userPassword'.
2010 virtualCryptSHA512: As virtualClearTextUTF8, but a salted SHA512
2012 with a $6$... salt, see crypt(3) on modern systems.
2013 The number of rounds used to calculate the hash can
2014 also be specified. By appending ";rounds=x" to the
2015 attribute name i.e. virtualCryptSHA512;rounds=10000
2016 will calculate a SHA512 hash with 10,000 rounds.
2017 Non numeric values for rounds are silently ignored.
2018 The value is calculated as follows:
2019 1) If a value exists in 'Primary:userPassword' with
2020 the specified number of rounds it is returned.
2021 2) If 'Primary:CLEARTEXT', or 'Primary:SambaGPG' with
2022 '--decrypt-samba-gpg'. Calculate a hash with
2023 the specified number of rounds.
2024 3) Return the first CryptSHA512 value in
2025 'Primary:userPassword'.
2027 virtualWDigestNN: The individual hash values stored in
2028 'Primary:WDigest' where NN is the hash number in
2029 the range 01 to 29.
2030 NOTE: As at 22-05-2017 the documentation:
2031 3.1.1.8.11.3.1 WDIGEST_CREDENTIALS Construction
2032 https://msdn.microsoft.com/en-us/library/cc245680.aspx
2033 is incorrect.
2035 virtualKerberosSalt: This results the salt string that is used to compute
2036 Kerberos keys from a UTF-8 cleartext password.
2038 virtualSambaGPG: The raw cleartext as stored in the
2039 'Primary:SambaGPG' buffer inside of the
2040 supplementalCredentials attribute.
2041 See the 'password hash gpg key ids' option in
2042 smb.conf.
2044 The '--decrypt-samba-gpg' option triggers decryption of the
2045 Primary:SambaGPG buffer. Check with '--help' if this feature is available
2046 in your environment or not (the python-gpgme package is required). Please
2047 note that you might need to set the GNUPGHOME environment variable. If the
2048 decryption key has a passphrase you have to make sure that the GPG_AGENT_INFO
2049 environment variable has been set correctly and the passphrase is already
2050 known by the gpg-agent.
2052 The '--script' option specifies a custom script that is called whenever any
2053 of the dirsyncAttributes (see below) was changed. The script is called
2054 without any arguments. It gets the LDIF for exactly one object on STDIN.
2055 If the script processed the object successfully it has to respond with a
2056 single line starting with 'DONE-EXIT: ' followed by an optional message.
2058 Note that the script might be called without any password change, e.g. if
2059 the account was disabled (a userAccountControl change) or the
2060 sAMAccountName was changed. The objectGUID,isDeleted,isRecycled attributes
2061 are always returned as unique identifier of the account. It might be useful
2062 to also ask for non-password attributes like: objectSid, sAMAccountName,
2063 userPrincipalName, userAccountControl, pwdLastSet and msDS-KeyVersionNumber.
2064 Depending on the object, some attributes may not be present/available,
2065 but you always get the current state (and not a diff).
2067 If no '--script' option is specified, the LDIF will be printed on STDOUT or
2068 into the logfile.
2070 The default filter for the LDAP_SERVER_DIRSYNC_OID search is:
2072 (!(sAMAccountName=krbtgt*)))
2073 This means only normal (non-krbtgt) user
2074 accounts are monitored. The '--filter' can modify that, e.g. if it's
2075 required to also sync computer accounts.
2078 Sync Loop Run
2079 =============
2081 This (default) mode runs in an endless loop waiting for password related
2082 changes in the active directory database. It makes use of the
2083 LDAP_SERVER_DIRSYNC_OID and LDAP_SERVER_NOTIFICATION_OID controls in order
2084 get changes in a reliable fashion. Objects are monitored for changes of the
2085 following dirsyncAttributes:
2087 unicodePwd, dBCSPwd, supplementalCredentials, pwdLastSet, sAMAccountName,
2088 userPrincipalName and userAccountControl.
2090 It recovers from LDAP disconnects and updates the cache in conservative way
2091 (in single steps after each successfully processed change). An error from
2092 the script (specified by '--script') will result in fatal error and this
2093 command will exit. But the cache state should be still valid and can be
2094 resumed in the next "Sync Loop Run".
2096 The '--logfile' option specifies an optional (required if '--daemon' is
2097 specified) logfile that takes all output of the command. The logfile is
2098 automatically reopened if fstat returns st_nlink == 0.
2100 The optional '--daemon' option will put the command into the background.
2102 You can stop the command without the '--daemon' option, also by hitting
2103 strg+c.
2105 If you specify the '--no-wait' option the command skips the
2106 LDAP_SERVER_NOTIFICATION_OID 'waiting' step and exit once
2107 all LDAP_SERVER_DIRSYNC_OID changes are consumed.
2109 Sync Loop Terminate
2110 ===================
2112 In order to terminate an already running command (likely as daemon) the
2113 '--terminate' option can be used. This also requires the '--logfile' option
2114 to be specified.
2117 Example1:
2119 --attributes=virtualClearTextUTF8
2120 samba-tool user syncpasswords
2122 Example2:
2127 --script=/path/to/my-custom-syncpasswords-script.py
2129 --logfile=/var/log/samba/user-syncpasswords.log
2131 --logfile=/var/log/samba/user-syncpasswords.log
2133 """
2139 takes_optiongroups = {
2142 }
2144 takes_options = [
2172 ]
2237 ")"
2239 dirsync_secret_attrs = [
2243 ]
2252 ]
2265 # We always return these in order to track deletions
2278 pass
2304 msg)
2306 return
2309 cache_attrs = [
2318 ]
2332 raise CommandError("cache_ldb[%s] not initialized, use --cache-ldb-initialize the first time" % (
2333 cache_ldb))
2336 cache_ldb))
2349 "".join("dirsyncAttribute:: %s\n" % base64.b64encode(get_bytes(a)).decode('utf8') for a in self.dirsync_attrs) +\
2351 "".join("passwordAttribute:: %s\n" % base64.b64encode(get_bytes(a)).decode('utf8') for a in self.password_attrs)
2391 return
2413 return
2426 return
2445 return
2460 return False
2463 raise
2474 raise
2482 pass
2484 return True
2493 raise
2496 return False
2505 # We leave the function with the shared lock.
2506 return False
2511 # Try 5 times to get the exclusive lock.
2521 raise
2523 break
2544 raise
2557 return
2564 # This cookie can be extremely long
2565 # log_msg("dirsyncControls: %r\n" % self.dirsync_controls)
2574 return
2588 attrs=[])
2590 return True
2591 return False
2625 return
2643 break
2664 return
2669 continue
2691 return
2699 return
2710 continue
2714 pass
2727 return
2732 return
2736 return
2753 retry_sleep = retry_sleep_min
2761 retry_sleep = retry_sleep_max
2769 raise
2779 return
2783 """Modify User AD object.
2785 This command will allow editing of a user account in the Active Directory
2786 domain. You will then be able to add or change attributes and their values.
2788 The username specified on the command is the sAMAccountName.
2790 The command may be run from the root userid or another authorized userid.
2792 The -H or --URL= option can be used to execute the command against a remote
2793 server.
2795 Example1:
2797 -U administrator --password=passw1rd
2799 Example1 shows how to edit a users attributes in the domain against a remote
2800 LDAP server.
2802 The -H parameter is used to specify the remote target server.
2804 Example2:
2805 samba-tool user edit User2
2807 Example2 shows how to edit a users attributes in the domain against a local
2808 LDAP server.
2810 Example3:
2811 samba-tool user edit User3 --editor=nano
2813 Example3 shows how to edit a users attributes in the domain against a local
2814 LDAP server using the 'nano' editor.
2816 """
2819 takes_options = [
2824 ]
2827 takes_optiongroups = {
2831 }
2853 import tempfile
2879 return
2890 """Display a user AD object.
2892 This command displays a user account and it's attributes in the Active
2893 Directory domain.
2894 The username specified on the command is the sAMAccountName.
2896 The command may be run from the root userid or another authorized userid.
2898 The -H or --URL= option can be used to execute the command against a remote
2899 server.
2901 The '--attributes' parameter takes a comma separated list of the requested
2902 attributes. Without '--attributes' or with '--attributes=*' all usually
2903 available attributes are selected.
2904 Hidden attributes in addition to all usually available attributes can be
2905 selected with e.g. '--attributes=*,msDS-UserPasswordExpiryTimeComputed'.
2906 If a specified attribute is not available on a user object it's silently
2907 omitted.
2909 Attributes with time values can take an additional format specifier, which
2910 converts the time value into the requested format. The format can be specified
2911 by adding ";format=formatSpecifier" to the requested attribute name, whereby
2912 "formatSpecifier" must be a valid specifier. The syntax looks like:
2914 --attributes=attributeName;format=formatSpecifier
2916 The following format specifiers are available:
2917 - GeneralizedTime (e.g. 20210224113259.0Z)
2918 - UnixTime (e.g. 1614166392)
2919 - TimeSpec (e.g. 161416639.267546892)
2921 Attributes with an original NTTIME value of 0 and 9223372036854775807 are
2922 treated as non-existing value.
2924 Example1:
2926 -U administrator --password=passw1rd
2928 Example1 shows how to display a users attributes in the domain against a remote
2929 LDAP server.
2931 The -H parameter is used to specify the remote target server.
2933 Example2:
2934 samba-tool user show User2
2936 Example2 shows how to display a users attributes in the domain against a local
2937 LDAP server.
2939 Example3:
2940 samba-tool user show User2 --attributes=objectSid,memberOf
2942 Example3 shows how to display a users objectSid and memberOf attributes.
2944 Example4:
2946 --attributes='pwdLastSet;format=GeneralizedTime,pwdLastSet;format=UnixTime'
2948 The result of Example 4 provides the pwdLastSet attribute values in the
2949 specified format:
2950 dn: CN=User2,CN=Users,DC=samdom,DC=example,DC=com
2951 pwdLastSet;format=GeneralizedTime: 20210120105207.0Z
2952 pwdLastSet;format=UnixTime: 1611139927
2953 """
2956 takes_options = [
2961 "which will be printed. "
2962 "Possible supported virtual attributes: "
2965 ]
2968 takes_optiongroups = {
2972 }
3005 """Move a user to an organizational unit/container.
3007 This command moves a user account into the specified organizational unit
3008 or container.
3009 The username specified on the command is the sAMAccountName.
3010 The name of the organizational unit or container can be specified as a
3011 full DN or without the domainDN component.
3013 The command may be run from the root userid or another authorized userid.
3015 The -H or --URL= option can be used to execute the command against a remote
3016 server.
3018 Example1:
3020 -H ldap://samba.samdom.example.com -U administrator
3022 Example1 shows how to move a user User1 into the 'OrgUnit' organizational
3023 unit on a remote LDAP server.
3025 The -H parameter is used to specify the remote target server.
3027 Example2:
3028 samba-tool user move User1 CN=Users
3030 Example2 shows how to move a user User1 back into the CN=Users container
3031 on the local server.
3032 """
3036 takes_options = [
3039 ]
3042 takes_optiongroups = {
3046 }
3085 """Rename a user and related attributes.
3087 This command allows to set the user's name related attributes. The user's
3088 CN will be renamed automatically.
3089 The user's new CN will be made up by combining the given-name, initials
3090 and surname. A dot ('.') will be appended to the initials automatically
3091 if required.
3092 Use the --force-new-cn option to specify the new CN manually and the
3093 --reset-cn option to reset this change.
3095 Use an empty attribute value to remove the specified attribute.
3097 The username specified on the command is the sAMAccountName.
3099 The command may be run locally from the root userid or another authorized
3100 userid.
3102 The -H or --URL= option can be used to execute the command against a remote
3103 server.
3105 Example1:
3106 samba-tool user rename johndoe --surname='Bloggs'
3108 Example1 shows how to change the surname of a user 'johndoe' to 'Bloggs' on
3109 the local server. The user's CN will be renamed automatically, based on
3110 the given name, initials and surname.
3112 Example2:
3114 --surname=Bloggs -H ldap://samba.samdom.example.com -U administrator
3116 Example2 shows how to rename the CN of a user 'johndoe' to 'John Bloggs (Sales)'.
3117 Additionally the surname ('sn' attribute) is set to 'Bloggs'.
3118 The -H parameter is used to specify the remote target server.
3119 """
3123 takes_options = [
3142 "initials and surname. Use this option to reset "
3157 ]
3160 takes_optiongroups = {
3164 }
3171 # illegal options
3210 # use the sAMAccountname as CN if no name is given
3215 new_user_cn = force_new_cn
3223 # CN must change, if the new CN is different and the old CN is the
3224 # standard CN or the change is forced with force-new-cn or reset-cn
3237 'You can manage the upn '
3238 'suffixes with the "samba-tool domain '
3273 continue
3298 return False
3302 return False
3304 return True
3308 """Add RFC2307 attributes to a user.
3310 This command adds Unix attributes to a user account in the Active
3311 Directory domain.
3313 The username specified on the command is the sAMaccountName.
3315 You must supply a unique uidNumber.
3317 Unix (RFC2307) attributes will be added to the user account.
3319 If you supply a gidNumber with '--gid-number', this will be used for the
3320 users Unix 'gidNumber' attribute.
3322 If '--gid-number' is not supplied, the users Unix gidNumber will be set to the
3323 one found in 'Domain Users', this means Domain Users must have a gidNumber
3324 attribute.
3326 if '--unix-home' is not supplied, the users Unix home directory will be
3327 set to /home/DOMAIN/username
3329 if '--login-shell' is not supplied, the users Unix login shell will be
3330 set to '/bin/sh'
3332 if ---gecos' is not supplied, the users Unix gecos field will be set to the
3333 users 'CN'
3335 Add 'idmap_ldb:use rfc2307 = Yes' to the smb.conf on DCs, to use these
3336 attributes for UID/GID mapping.
3338 The command may be run from the root userid or another authorised userid.
3339 The -H or --URL= option can be used to execute the command against a
3340 remote server.
3342 Example1:
3343 samba-tool user addunixattrs User1 10001
3345 Example1 shows how to add RFC2307 attributes to a domain enabled user
3346 account, Domain Users will be set as the users gidNumber.
3348 The users Unix ID will be set to '10001', provided this ID isn't already
3349 in use.
3351 Example2:
3352 samba-tool user addunixattrs User2 10002 --gid-number=10001 \
3353 --unix-home=/home/User2
3355 Example2 shows how to add RFC2307 attributes to a domain enabled user
3356 account.
3358 The users Unix ID will be set to '10002', provided this ID isn't already
3359 in use.
3361 The users gidNumber attribute will be set to '10001'
3363 The users Unix home directory will be set to '/home/user2'
3365 Example3:
3366 samba-tool user addunixattrs User3 10003 --gid-number=10001 \
3367 --login-shell=/bin/false --gecos='User3 test'
3369 Example3 shows how to add RFC2307 attributes to a domain enabled user
3370 account.
3372 The users Unix ID will be set to '10003', provided this ID isn't already
3373 in use.
3375 The users gidNumber attribute will be set to '10001'
3377 The users Unix login shell will be set to '/bin/false'
3379 The users gecos field will be set to 'User3 test'
3381 Example4:
3382 samba-tool user addunixattrs User4 10004 --gid-number=10001 \
3383 --unix-home=/home/User4 --login-shell=/bin/bash --gecos='User4 test'
3385 Example4 shows how to add RFC2307 attributes to a domain enabled user
3386 account.
3388 The users Unix ID will be set to '10004', provided this ID isn't already
3389 in use.
3391 The users gidNumber attribute will be set to '10001'
3393 The users Unix home directory will be set to '/home/User4'
3395 The users Unix login shell will be set to '/bin/bash'
3397 The users gecos field will be set to 'User4 test'
3399 """
3403 takes_options = [
3413 ]
3417 takes_optiongroups = {
3421 }
3435 # Check that uidNumber supplied isn't already in use
3445 # Check user exists and doesn't have a uidNumber
3482 # obtain nETBIOS Domain Name
3492 "You may want to set 'idmap_ldb:use rfc2307 = Yes'"
3493 " in smb.conf to use the attributes for "
3498 changetype: modify
3499 add: uidNumber
3501 add: gidnumber
3503 add: gecos
3505 add: uid
3507 add: loginshell
3509 add: unixHomeDirectory
3525 """Unlock a user account.
3527 This command unlocks a user account in the Active Directory domain. The
3528 username specified on the command is the sAMAccountName. The username may
3529 also be specified using the --filter option.
3531 The command may be run from the root userid or another authorized userid.
3532 The -H or --URL= option can be used to execute the command against a remote
3533 server.
3535 Example:
3537 --username=Administrator --password=Passw0rd
3539 The example shows how to unlock a user account in the domain against a
3540 remote LDAP server. The -H parameter is used to specify the remote target
3541 server. The --username= and --password= options are used to pass the
3542 username and password of a user that exists on the remote server and is
3543 authorized to issue the command on that server.
3544 """
3548 takes_options = [
3558 ]
3562 takes_optiongroups = {
3566 }
3597 """Set/unset or show UF_NOT_DELEGATED for an account."""
3601 takes_optiongroups = {
3605 }
3607 takes_options = [
3610 ]
3639 return
3654 """User management."""
3656 subcommands = {}