search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib: Move the "expired" for gencache_parse calculation into gencache.c
[Samba.git] / python / samba / samdb.py
blobfa3e4b1b33405a41849fcf766bdcae389b8885de
1 # Unix SMB/CIFS implementation.
2 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2010
3 # Copyright (C) Matthias Dieter Wallnoefer 2009
4 #
5 # Based on the original in EJS:
6 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
7 # Copyright (C) Giampaolo Lauria <lauria2@yahoo.com> 2011
8 #
9 # This program is free software; you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation; either version 3 of the License, or
12 # (at your option) any later version.
13 #
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
18 #
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #
22
23 """Convenience functions for using the SAM."""
24
25 import samba
26 import ldb
27 import time
28 import base64
29 import os
30 import re
31 from samba import dsdb, dsdb_dns
32 from samba.ndr import ndr_unpack, ndr_pack
33 from samba.dcerpc import drsblobs, misc
34 from samba.common import normalise_int32
35 from samba.compat import text_type
36 from samba.dcerpc import security
37
38 __docformat__ = "restructuredText"
39
40
41 def get_default_backend_store():
42 return "tdb"
43
44
45 class SamDB(samba.Ldb):
46 """The SAM database."""
47
48 hash_oid_name = {}
49 hash_well_known = {}
50
51 def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
52 credentials=None, flags=ldb.FLG_DONT_CREATE_DB,
53 options=None, global_schema=True,
54 auto_connect=True, am_rodc=None):
55 self.lp = lp
56 if not auto_connect:
57 url = None
58 elif url is None and lp is not None:
59 url = lp.samdb_url()
60
61 self.url = url
62
63 super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
64 session_info=session_info, credentials=credentials, flags=flags,
65 options=options)
66
67 if global_schema:
68 dsdb._dsdb_set_global_schema(self)
69
70 if am_rodc is not None:
71 dsdb._dsdb_set_am_rodc(self, am_rodc)
72
73 def connect(self, url=None, flags=0, options=None):
74 '''connect to the database'''
75 if self.lp is not None and not os.path.exists(url):
76 url = self.lp.private_path(url)
77 self.url = url
78
79 super(SamDB, self).connect(url=url, flags=flags,
80 options=options)
81
82 def am_rodc(self):
83 '''return True if we are an RODC'''
84 return dsdb._am_rodc(self)
85
86 def am_pdc(self):
87 '''return True if we are an PDC emulator'''
88 return dsdb._am_pdc(self)
89
90 def domain_dn(self):
91 '''return the domain DN'''
92 return str(self.get_default_basedn())
93
94 def schema_dn(self):
95 '''return the schema partition dn'''
96 return str(self.get_schema_basedn())
97
98 def disable_account(self, search_filter):
99 """Disables an account
100
101 :param search_filter: LDAP filter to find the user (eg
102 samccountname=name)
103 """
104
105 flags = samba.dsdb.UF_ACCOUNTDISABLE
106 self.toggle_userAccountFlags(search_filter, flags, on=True)
107
108 def enable_account(self, search_filter):
109 """Enables an account
110
111 :param search_filter: LDAP filter to find the user (eg
112 samccountname=name)
113 """
114
115 flags = samba.dsdb.UF_ACCOUNTDISABLE | samba.dsdb.UF_PASSWD_NOTREQD
116 self.toggle_userAccountFlags(search_filter, flags, on=False)
117
118 def toggle_userAccountFlags(self, search_filter, flags, flags_str=None,
119 on=True, strict=False):
120 """Toggle_userAccountFlags
121
122 :param search_filter: LDAP filter to find the user (eg
123 samccountname=name)
124 :param flags: samba.dsdb.UF_* flags
125 :param on: on=True (default) => set, on=False => unset
126 :param strict: strict=False (default) ignore if no action is needed
127 strict=True raises an Exception if...
128 """
129 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
130 expression=search_filter, attrs=["userAccountControl"])
131 if len(res) == 0:
132 raise Exception("Unable to find account where '%s'" % search_filter)
133 assert(len(res) == 1)
134 account_dn = res[0].dn
135
136 old_uac = int(res[0]["userAccountControl"][0])
137 if on:
138 if strict and (old_uac & flags):
139 error = "Account flag(s) '%s' already set" % flags_str
140 raise Exception(error)
141
142 new_uac = old_uac | flags
143 else:
144 if strict and not (old_uac & flags):
145 error = "Account flag(s) '%s' already unset" % flags_str
146 raise Exception(error)
147
148 new_uac = old_uac & ~flags
149
150 if old_uac == new_uac:
151 return
152
153 mod = """
154 dn: %s
155 changetype: modify
156 delete: userAccountControl
157 userAccountControl: %u
158 add: userAccountControl
159 userAccountControl: %u
160 """ % (account_dn, old_uac, new_uac)
161 self.modify_ldif(mod)
162
163 def force_password_change_at_next_login(self, search_filter):
164 """Forces a password change at next login
165
166 :param search_filter: LDAP filter to find the user (eg
167 samccountname=name)
168 """
169 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
170 expression=search_filter, attrs=[])
171 if len(res) == 0:
172 raise Exception('Unable to find user "%s"' % search_filter)
173 assert(len(res) == 1)
174 user_dn = res[0].dn
175
176 mod = """
177 dn: %s
178 changetype: modify
179 replace: pwdLastSet
180 pwdLastSet: 0
181 """ % (user_dn)
182 self.modify_ldif(mod)
183
184 def newgroup(self, groupname, groupou=None, grouptype=None,
185 description=None, mailaddress=None, notes=None, sd=None,
186 gidnumber=None, nisdomain=None):
187 """Adds a new group with additional parameters
188
189 :param groupname: Name of the new group
190 :param grouptype: Type of the new group
191 :param description: Description of the new group
192 :param mailaddress: Email address of the new group
193 :param notes: Notes of the new group
194 :param gidnumber: GID Number of the new group
195 :param nisdomain: NIS Domain Name of the new group
196 :param sd: security descriptor of the object
197 """
198
199 group_dn = "CN=%s,%s,%s" % (groupname, (groupou or "CN=Users"), self.domain_dn())
200
201 # The new user record. Note the reliance on the SAMLDB module which
202 # fills in the default informations
203 ldbmessage = {"dn": group_dn,
204 "sAMAccountName": groupname,
205 "objectClass": "group"}
206
207 if grouptype is not None:
208 ldbmessage["groupType"] = normalise_int32(grouptype)
209
210 if description is not None:
211 ldbmessage["description"] = description
212
213 if mailaddress is not None:
214 ldbmessage["mail"] = mailaddress
215
216 if notes is not None:
217 ldbmessage["info"] = notes
218
219 if gidnumber is not None:
220 ldbmessage["gidNumber"] = normalise_int32(gidnumber)
221
222 if nisdomain is not None:
223 ldbmessage["msSFU30Name"] = groupname
224 ldbmessage["msSFU30NisDomain"] = nisdomain
225
226 if sd is not None:
227 ldbmessage["nTSecurityDescriptor"] = ndr_pack(sd)
228
229 self.add(ldbmessage)
230
231 def deletegroup(self, groupname):
232 """Deletes a group
233
234 :param groupname: Name of the target group
235 """
236
237 groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (ldb.binary_encode(groupname), "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
238 self.transaction_start()
239 try:
240 targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
241 expression=groupfilter, attrs=[])
242 if len(targetgroup) == 0:
243 raise Exception('Unable to find group "%s"' % groupname)
244 assert(len(targetgroup) == 1)
245 self.delete(targetgroup[0].dn)
246 except:
247 self.transaction_cancel()
248 raise
249 else:
250 self.transaction_commit()
251
252 def add_remove_group_members(self, groupname, members,
253 add_members_operation=True):
254 """Adds or removes group members
255
256 :param groupname: Name of the target group
257 :param members: list of group members
258 :param add_members_operation: Defines if its an add or remove
259 operation
260 """
261
262 groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (
263 ldb.binary_encode(groupname), "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
264
265 self.transaction_start()
266 try:
267 targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
268 expression=groupfilter, attrs=['member'])
269 if len(targetgroup) == 0:
270 raise Exception('Unable to find group "%s"' % groupname)
271 assert(len(targetgroup) == 1)
272
273 modified = False
274
275 addtargettogroup = """
276 dn: %s
277 changetype: modify
278 """ % (str(targetgroup[0].dn))
279
280 for member in members:
281 filter = ('(&(sAMAccountName=%s)(|(objectclass=user)'
282 '(objectclass=group)))' % ldb.binary_encode(member))
283 foreign_msg = None
284 try:
285 membersid = security.dom_sid(member)
286 except TypeError as e:
287 membersid = None
288
289 if membersid is not None:
290 filter = '(objectSid=%s)' % str(membersid)
291 dn_str = "<SID=%s>" % str(membersid)
292 foreign_msg = ldb.Message()
293 foreign_msg.dn = ldb.Dn(self, dn_str)
294
295 targetmember = self.search(base=self.domain_dn(),
296 scope=ldb.SCOPE_SUBTREE,
297 expression="%s" % filter,
298 attrs=[])
299
300 if len(targetmember) == 0 and foreign_msg is not None:
301 targetmember = [foreign_msg]
302 if len(targetmember) != 1:
303 raise Exception('Unable to find "%s". Operation cancelled.' % member)
304 targetmember_dn = targetmember[0].dn.extended_str(1)
305
306 if add_members_operation is True and (targetgroup[0].get('member') is None or str(targetmember_dn) not in targetgroup[0]['member']):
307 modified = True
308 addtargettogroup += """add: member
309 member: %s
310 """ % (str(targetmember_dn))
311
312 elif add_members_operation is False and (targetgroup[0].get('member') is not None and targetmember_dn in targetgroup[0]['member']):
313 modified = True
314 addtargettogroup += """delete: member
315 member: %s
316 """ % (str(targetmember_dn))
317
318 if modified is True:
319 self.modify_ldif(addtargettogroup)
320
321 except:
322 self.transaction_cancel()
323 raise
324 else:
325 self.transaction_commit()
326
327 def newuser(self, username, password,
328 force_password_change_at_next_login_req=False,
329 useusernameascn=False, userou=None, surname=None, givenname=None,
330 initials=None, profilepath=None, scriptpath=None, homedrive=None,
331 homedirectory=None, jobtitle=None, department=None, company=None,
332 description=None, mailaddress=None, internetaddress=None,
333 telephonenumber=None, physicaldeliveryoffice=None, sd=None,
334 setpassword=True, uidnumber=None, gidnumber=None, gecos=None,
335 loginshell=None, uid=None, nisdomain=None, unixhome=None,
336 smartcard_required=False):
337 """Adds a new user with additional parameters
338
339 :param username: Name of the new user
340 :param password: Password for the new user
341 :param force_password_change_at_next_login_req: Force password change
342 :param useusernameascn: Use username as cn rather that firstname +
343 initials + lastname
344 :param userou: Object container (without domainDN postfix) for new user
345 :param surname: Surname of the new user
346 :param givenname: First name of the new user
347 :param initials: Initials of the new user
348 :param profilepath: Profile path of the new user
349 :param scriptpath: Logon script path of the new user
350 :param homedrive: Home drive of the new user
351 :param homedirectory: Home directory of the new user
352 :param jobtitle: Job title of the new user
353 :param department: Department of the new user
354 :param company: Company of the new user
355 :param description: of the new user
356 :param mailaddress: Email address of the new user
357 :param internetaddress: Home page of the new user
358 :param telephonenumber: Phone number of the new user
359 :param physicaldeliveryoffice: Office location of the new user
360 :param sd: security descriptor of the object
361 :param setpassword: optionally disable password reset
362 :param uidnumber: RFC2307 Unix numeric UID of the new user
363 :param gidnumber: RFC2307 Unix primary GID of the new user
364 :param gecos: RFC2307 Unix GECOS field of the new user
365 :param loginshell: RFC2307 Unix login shell of the new user
366 :param uid: RFC2307 Unix username of the new user
367 :param nisdomain: RFC2307 Unix NIS domain of the new user
368 :param unixhome: RFC2307 Unix home directory of the new user
369 :param smartcard_required: set the UF_SMARTCARD_REQUIRED bit of the new user
370 """
371
372 displayname = ""
373 if givenname is not None:
374 displayname += givenname
375
376 if initials is not None:
377 displayname += ' %s.' % initials
378
379 if surname is not None:
380 displayname += ' %s' % surname
381
382 cn = username
383 if useusernameascn is None and displayname is not "":
384 cn = displayname
385
386 user_dn = "CN=%s,%s,%s" % (cn, (userou or "CN=Users"), self.domain_dn())
387
388 dnsdomain = ldb.Dn(self, self.domain_dn()).canonical_str().replace("/", "")
389 user_principal_name = "%s@%s" % (username, dnsdomain)
390 # The new user record. Note the reliance on the SAMLDB module which
391 # fills in the default informations
392 ldbmessage = {"dn": user_dn,
393 "sAMAccountName": username,
394 "userPrincipalName": user_principal_name,
395 "objectClass": "user"}
396
397 if smartcard_required:
398 ldbmessage["userAccountControl"] = str(dsdb.UF_NORMAL_ACCOUNT |
399 dsdb.UF_SMARTCARD_REQUIRED)
400 setpassword = False
401
402 if surname is not None:
403 ldbmessage["sn"] = surname
404
405 if givenname is not None:
406 ldbmessage["givenName"] = givenname
407
408 if displayname is not "":
409 ldbmessage["displayName"] = displayname
410 ldbmessage["name"] = displayname
411
412 if initials is not None:
413 ldbmessage["initials"] = '%s.' % initials
414
415 if profilepath is not None:
416 ldbmessage["profilePath"] = profilepath
417
418 if scriptpath is not None:
419 ldbmessage["scriptPath"] = scriptpath
420
421 if homedrive is not None:
422 ldbmessage["homeDrive"] = homedrive
423
424 if homedirectory is not None:
425 ldbmessage["homeDirectory"] = homedirectory
426
427 if jobtitle is not None:
428 ldbmessage["title"] = jobtitle
429
430 if department is not None:
431 ldbmessage["department"] = department
432
433 if company is not None:
434 ldbmessage["company"] = company
435
436 if description is not None:
437 ldbmessage["description"] = description
438
439 if mailaddress is not None:
440 ldbmessage["mail"] = mailaddress
441
442 if internetaddress is not None:
443 ldbmessage["wWWHomePage"] = internetaddress
444
445 if telephonenumber is not None:
446 ldbmessage["telephoneNumber"] = telephonenumber
447
448 if physicaldeliveryoffice is not None:
449 ldbmessage["physicalDeliveryOfficeName"] = physicaldeliveryoffice
450
451 if sd is not None:
452 ldbmessage["nTSecurityDescriptor"] = ndr_pack(sd)
453
454 ldbmessage2 = None
455 if any(map(lambda b: b is not None, (uid, uidnumber, gidnumber, gecos,
456 loginshell, nisdomain, unixhome))):
457 ldbmessage2 = ldb.Message()
458 ldbmessage2.dn = ldb.Dn(self, user_dn)
459 if uid is not None:
460 ldbmessage2["uid"] = ldb.MessageElement(str(uid), ldb.FLAG_MOD_REPLACE, 'uid')
461 if uidnumber is not None:
462 ldbmessage2["uidNumber"] = ldb.MessageElement(str(uidnumber), ldb.FLAG_MOD_REPLACE, 'uidNumber')
463 if gidnumber is not None:
464 ldbmessage2["gidNumber"] = ldb.MessageElement(str(gidnumber), ldb.FLAG_MOD_REPLACE, 'gidNumber')
465 if gecos is not None:
466 ldbmessage2["gecos"] = ldb.MessageElement(str(gecos), ldb.FLAG_MOD_REPLACE, 'gecos')
467 if loginshell is not None:
468 ldbmessage2["loginShell"] = ldb.MessageElement(str(loginshell), ldb.FLAG_MOD_REPLACE, 'loginShell')
469 if unixhome is not None:
470 ldbmessage2["unixHomeDirectory"] = ldb.MessageElement(
471 str(unixhome), ldb.FLAG_MOD_REPLACE, 'unixHomeDirectory')
472 if nisdomain is not None:
473 ldbmessage2["msSFU30NisDomain"] = ldb.MessageElement(
474 str(nisdomain), ldb.FLAG_MOD_REPLACE, 'msSFU30NisDomain')
475 ldbmessage2["msSFU30Name"] = ldb.MessageElement(
476 str(username), ldb.FLAG_MOD_REPLACE, 'msSFU30Name')
477 ldbmessage2["unixUserPassword"] = ldb.MessageElement(
478 'ABCD!efgh12345$67890', ldb.FLAG_MOD_REPLACE,
479 'unixUserPassword')
480
481 self.transaction_start()
482 try:
483 self.add(ldbmessage)
484 if ldbmessage2:
485 self.modify(ldbmessage2)
486
487 # Sets the password for it
488 if setpassword:
489 self.setpassword(("(distinguishedName=%s)" %
490 ldb.binary_encode(user_dn)),
491 password,
492 force_password_change_at_next_login_req)
493 except:
494 self.transaction_cancel()
495 raise
496 else:
497 self.transaction_commit()
498
499 def newcomputer(self, computername, computerou=None, description=None,
500 prepare_oldjoin=False, ip_address_list=None,
501 service_principal_name_list=None):
502 """Adds a new user with additional parameters
503
504 :param computername: Name of the new computer
505 :param computerou: Object container for new computer
506 :param description: Description of the new computer
507 :param prepare_oldjoin: Preset computer password for oldjoin mechanism
508 :param ip_address_list: ip address list for DNS A or AAAA record
509 :param service_principal_name_list: string list of servicePincipalName
510 """
511
512 cn = re.sub(r"\$$", "", computername)
513 if cn.count('$'):
514 raise Exception('Illegal computername "%s"' % computername)
515 samaccountname = "%s$" % cn
516
517 computercontainer_dn = "CN=Computers,%s" % self.domain_dn()
518 if computerou:
519 computercontainer_dn = self.normalize_dn_in_domain(computerou)
520
521 computer_dn = "CN=%s,%s" % (cn, computercontainer_dn)
522
523 ldbmessage = {"dn": computer_dn,
524 "sAMAccountName": samaccountname,
525 "objectClass": "computer",
526 }
527
528 if description is not None:
529 ldbmessage["description"] = description
530
531 if service_principal_name_list:
532 ldbmessage["servicePrincipalName"] = service_principal_name_list
533
534 accountcontrol = str(dsdb.UF_WORKSTATION_TRUST_ACCOUNT |
535 dsdb.UF_ACCOUNTDISABLE)
536 if prepare_oldjoin:
537 accountcontrol = str(dsdb.UF_WORKSTATION_TRUST_ACCOUNT)
538 ldbmessage["userAccountControl"] = accountcontrol
539
540 if ip_address_list:
541 ldbmessage['dNSHostName'] = '{}.{}'.format(
542 cn, self.domain_dns_name())
543
544 self.transaction_start()
545 try:
546 self.add(ldbmessage)
547
548 if prepare_oldjoin:
549 password = cn.lower()
550 self.setpassword(("(distinguishedName=%s)" %
551 ldb.binary_encode(computer_dn)),
552 password, False)
553 except:
554 self.transaction_cancel()
555 raise
556 else:
557 self.transaction_commit()
558
559 def deleteuser(self, username):
560 """Deletes a user
561
562 :param username: Name of the target user
563 """
564
565 filter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (ldb.binary_encode(username), "CN=Person,CN=Schema,CN=Configuration", self.domain_dn())
566 self.transaction_start()
567 try:
568 target = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
569 expression=filter, attrs=[])
570 if len(target) == 0:
571 raise Exception('Unable to find user "%s"' % username)
572 assert(len(target) == 1)
573 self.delete(target[0].dn)
574 except:
575 self.transaction_cancel()
576 raise
577 else:
578 self.transaction_commit()
579
580 def setpassword(self, search_filter, password,
581 force_change_at_next_login=False, username=None):
582 """Sets the password for a user
583
584 :param search_filter: LDAP filter to find the user (eg
585 samccountname=name)
586 :param password: Password for the user
587 :param force_change_at_next_login: Force password change
588 """
589 self.transaction_start()
590 try:
591 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
592 expression=search_filter, attrs=[])
593 if len(res) == 0:
594 raise Exception('Unable to find user "%s"' % (username or search_filter))
595 if len(res) > 1:
596 raise Exception('Matched %u multiple users with filter "%s"' % (len(res), search_filter))
597 user_dn = res[0].dn
598 if not isinstance(password, text_type):
599 pw = password.decode('utf-8')
600 else:
601 pw = password
602 pw = ('"' + pw + '"').encode('utf-16-le')
603 setpw = """
604 dn: %s
605 changetype: modify
606 replace: unicodePwd
607 unicodePwd:: %s
608 """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
609
610 self.modify_ldif(setpw)
611
612 if force_change_at_next_login:
613 self.force_password_change_at_next_login(
614 "(distinguishedName=" + str(user_dn) + ")")
615
616 # modify the userAccountControl to remove the disabled bit
617 self.enable_account(search_filter)
618 except:
619 self.transaction_cancel()
620 raise
621 else:
622 self.transaction_commit()
623
624 def setexpiry(self, search_filter, expiry_seconds, no_expiry_req=False):
625 """Sets the account expiry for a user
626
627 :param search_filter: LDAP filter to find the user (eg
628 samaccountname=name)
629 :param expiry_seconds: expiry time from now in seconds
630 :param no_expiry_req: if set, then don't expire password
631 """
632 self.transaction_start()
633 try:
634 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
635 expression=search_filter,
636 attrs=["userAccountControl", "accountExpires"])
637 if len(res) == 0:
638 raise Exception('Unable to find user "%s"' % search_filter)
639 assert(len(res) == 1)
640 user_dn = res[0].dn
641
642 userAccountControl = int(res[0]["userAccountControl"][0])
643 accountExpires = int(res[0]["accountExpires"][0])
644 if no_expiry_req:
645 userAccountControl = userAccountControl | 0x10000
646 accountExpires = 0
647 else:
648 userAccountControl = userAccountControl & ~0x10000
649 accountExpires = samba.unix2nttime(expiry_seconds + int(time.time()))
650
651 setexp = """
652 dn: %s
653 changetype: modify
654 replace: userAccountControl
655 userAccountControl: %u
656 replace: accountExpires
657 accountExpires: %u
658 """ % (user_dn, userAccountControl, accountExpires)
659
660 self.modify_ldif(setexp)
661 except:
662 self.transaction_cancel()
663 raise
664 else:
665 self.transaction_commit()
666
667 def set_domain_sid(self, sid):
668 """Change the domain SID used by this LDB.
669
670 :param sid: The new domain sid to use.
671 """
672 dsdb._samdb_set_domain_sid(self, sid)
673
674 def get_domain_sid(self):
675 """Read the domain SID used by this LDB. """
676 return dsdb._samdb_get_domain_sid(self)
677
678 domain_sid = property(get_domain_sid, set_domain_sid,
679 "SID for the domain")
680
681 def set_invocation_id(self, invocation_id):
682 """Set the invocation id for this SamDB handle.
683
684 :param invocation_id: GUID of the invocation id.
685 """
686 dsdb._dsdb_set_ntds_invocation_id(self, invocation_id)
687
688 def get_invocation_id(self):
689 """Get the invocation_id id"""
690 return dsdb._samdb_ntds_invocation_id(self)
691
692 invocation_id = property(get_invocation_id, set_invocation_id,
693 "Invocation ID GUID")
694
695 def get_oid_from_attid(self, attid):
696 return dsdb._dsdb_get_oid_from_attid(self, attid)
697
698 def get_attid_from_lDAPDisplayName(self, ldap_display_name,
699 is_schema_nc=False):
700 '''return the attribute ID for a LDAP attribute as an integer as found in DRSUAPI'''
701 return dsdb._dsdb_get_attid_from_lDAPDisplayName(self,
702 ldap_display_name, is_schema_nc)
703
704 def get_syntax_oid_from_lDAPDisplayName(self, ldap_display_name):
705 '''return the syntax OID for a LDAP attribute as a string'''
706 return dsdb._dsdb_get_syntax_oid_from_lDAPDisplayName(self, ldap_display_name)
707
708 def get_systemFlags_from_lDAPDisplayName(self, ldap_display_name):
709 '''return the systemFlags for a LDAP attribute as a integer'''
710 return dsdb._dsdb_get_systemFlags_from_lDAPDisplayName(self, ldap_display_name)
711
712 def get_linkId_from_lDAPDisplayName(self, ldap_display_name):
713 '''return the linkID for a LDAP attribute as a integer'''
714 return dsdb._dsdb_get_linkId_from_lDAPDisplayName(self, ldap_display_name)
715
716 def get_lDAPDisplayName_by_attid(self, attid):
717 '''return the lDAPDisplayName from an integer DRS attribute ID'''
718 return dsdb._dsdb_get_lDAPDisplayName_by_attid(self, attid)
719
720 def get_backlink_from_lDAPDisplayName(self, ldap_display_name):
721 '''return the attribute name of the corresponding backlink from the name
722 of a forward link attribute. If there is no backlink return None'''
723 return dsdb._dsdb_get_backlink_from_lDAPDisplayName(self, ldap_display_name)
724
725 def set_ntds_settings_dn(self, ntds_settings_dn):
726 """Set the NTDS Settings DN, as would be returned on the dsServiceName
727 rootDSE attribute.
728
729 This allows the DN to be set before the database fully exists
730
731 :param ntds_settings_dn: The new DN to use
732 """
733 dsdb._samdb_set_ntds_settings_dn(self, ntds_settings_dn)
734
735 def get_ntds_GUID(self):
736 """Get the NTDS objectGUID"""
737 return dsdb._samdb_ntds_objectGUID(self)
738
739 def server_site_name(self):
740 """Get the server site name"""
741 return dsdb._samdb_server_site_name(self)
742
743 def host_dns_name(self):
744 """return the DNS name of this host"""
745 res = self.search(base='', scope=ldb.SCOPE_BASE, attrs=['dNSHostName'])
746 return str(res[0]['dNSHostName'][0])
747
748 def domain_dns_name(self):
749 """return the DNS name of the domain root"""
750 domain_dn = self.get_default_basedn()
751 return domain_dn.canonical_str().split('/')[0]
752
753 def forest_dns_name(self):
754 """return the DNS name of the forest root"""
755 forest_dn = self.get_root_basedn()
756 return forest_dn.canonical_str().split('/')[0]
757
758 def load_partition_usn(self, base_dn):
759 return dsdb._dsdb_load_partition_usn(self, base_dn)
760
761 def set_schema(self, schema, write_indices_and_attributes=True):
762 self.set_schema_from_ldb(schema.ldb, write_indices_and_attributes=write_indices_and_attributes)
763
764 def set_schema_from_ldb(self, ldb_conn, write_indices_and_attributes=True):
765 dsdb._dsdb_set_schema_from_ldb(self, ldb_conn, write_indices_and_attributes)
766
767 def set_schema_update_now(self):
768 ldif = """
769 dn:
770 changetype: modify
771 add: schemaUpdateNow
772 schemaUpdateNow: 1
773 """
774 self.modify_ldif(ldif)
775
776 def dsdb_DsReplicaAttribute(self, ldb, ldap_display_name, ldif_elements):
777 '''convert a list of attribute values to a DRSUAPI DsReplicaAttribute'''
778 return dsdb._dsdb_DsReplicaAttribute(ldb, ldap_display_name, ldif_elements)
779
780 def dsdb_normalise_attributes(self, ldb, ldap_display_name, ldif_elements):
781 '''normalise a list of attribute values'''
782 return dsdb._dsdb_normalise_attributes(ldb, ldap_display_name, ldif_elements)
783
784 def get_attribute_from_attid(self, attid):
785 """ Get from an attid the associated attribute
786
787 :param attid: The attribute id for searched attribute
788 :return: The name of the attribute associated with this id
789 """
790 if len(self.hash_oid_name.keys()) == 0:
791 self._populate_oid_attid()
792 if self.get_oid_from_attid(attid) in self.hash_oid_name:
793 return self.hash_oid_name[self.get_oid_from_attid(attid)]
794 else:
795 return None
796
797 def _populate_oid_attid(self):
798 """Populate the hash hash_oid_name.
799
800 This hash contains the oid of the attribute as a key and
801 its display name as a value
802 """
803 self.hash_oid_name = {}
804 res = self.search(expression="objectClass=attributeSchema",
805 controls=["search_options:1:2"],
806 attrs=["attributeID",
807 "lDAPDisplayName"])
808 if len(res) > 0:
809 for e in res:
810 strDisplay = str(e.get("lDAPDisplayName"))
811 self.hash_oid_name[str(e.get("attributeID"))] = strDisplay
812
813 def get_attribute_replmetadata_version(self, dn, att):
814 """Get the version field trom the replPropertyMetaData for
815 the given field
816
817 :param dn: The on which we want to get the version
818 :param att: The name of the attribute
819 :return: The value of the version field in the replPropertyMetaData
820 for the given attribute. None if the attribute is not replicated
821 """
822
823 res = self.search(expression="distinguishedName=%s" % dn,
824 scope=ldb.SCOPE_SUBTREE,
825 controls=["search_options:1:2"],
826 attrs=["replPropertyMetaData"])
827 if len(res) == 0:
828 return None
829
830 repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
831 res[0]["replPropertyMetaData"][0])
832 ctr = repl.ctr
833 if len(self.hash_oid_name.keys()) == 0:
834 self._populate_oid_attid()
835 for o in ctr.array:
836 # Search for Description
837 att_oid = self.get_oid_from_attid(o.attid)
838 if att_oid in self.hash_oid_name and\
839 att.lower() == self.hash_oid_name[att_oid].lower():
840 return o.version
841 return None
842
843 def set_attribute_replmetadata_version(self, dn, att, value,
844 addifnotexist=False):
845 res = self.search(expression="distinguishedName=%s" % dn,
846 scope=ldb.SCOPE_SUBTREE,
847 controls=["search_options:1:2"],
848 attrs=["replPropertyMetaData"])
849 if len(res) == 0:
850 return None
851
852 repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
853 res[0]["replPropertyMetaData"][0])
854 ctr = repl.ctr
855 now = samba.unix2nttime(int(time.time()))
856 found = False
857 if len(self.hash_oid_name.keys()) == 0:
858 self._populate_oid_attid()
859 for o in ctr.array:
860 # Search for Description
861 att_oid = self.get_oid_from_attid(o.attid)
862 if att_oid in self.hash_oid_name and\
863 att.lower() == self.hash_oid_name[att_oid].lower():
864 found = True
865 seq = self.sequence_number(ldb.SEQ_NEXT)
866 o.version = value
867 o.originating_change_time = now
868 o.originating_invocation_id = misc.GUID(self.get_invocation_id())
869 o.originating_usn = seq
870 o.local_usn = seq
871
872 if not found and addifnotexist and len(ctr.array) > 0:
873 o2 = drsblobs.replPropertyMetaData1()
874 o2.attid = 589914
875 att_oid = self.get_oid_from_attid(o2.attid)
876 seq = self.sequence_number(ldb.SEQ_NEXT)
877 o2.version = value
878 o2.originating_change_time = now
879 o2.originating_invocation_id = misc.GUID(self.get_invocation_id())
880 o2.originating_usn = seq
881 o2.local_usn = seq
882 found = True
883 tab = ctr.array
884 tab.append(o2)
885 ctr.count = ctr.count + 1
886 ctr.array = tab
887
888 if found:
889 replBlob = ndr_pack(repl)
890 msg = ldb.Message()
891 msg.dn = res[0].dn
892 msg["replPropertyMetaData"] = \
893 ldb.MessageElement(replBlob,
894 ldb.FLAG_MOD_REPLACE,
895 "replPropertyMetaData")
896 self.modify(msg, ["local_oid:1.3.6.1.4.1.7165.4.3.14:0"])
897
898 def write_prefixes_from_schema(self):
899 dsdb._dsdb_write_prefixes_from_schema_to_ldb(self)
900
901 def get_partitions_dn(self):
902 return dsdb._dsdb_get_partitions_dn(self)
903
904 def get_nc_root(self, dn):
905 return dsdb._dsdb_get_nc_root(self, dn)
906
907 def get_wellknown_dn(self, nc_root, wkguid):
908 h_nc = self.hash_well_known.get(str(nc_root))
909 dn = None
910 if h_nc is not None:
911 dn = h_nc.get(wkguid)
912 if dn is None:
913 dn = dsdb._dsdb_get_wellknown_dn(self, nc_root, wkguid)
914 if dn is None:
915 return dn
916 if h_nc is None:
917 self.hash_well_known[str(nc_root)] = {}
918 h_nc = self.hash_well_known[str(nc_root)]
919 h_nc[wkguid] = dn
920 return dn
921
922 def set_minPwdAge(self, value):
923 value = str(value).encode('utf8')
924 m = ldb.Message()
925 m.dn = ldb.Dn(self, self.domain_dn())
926 m["minPwdAge"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "minPwdAge")
927 self.modify(m)
928
929 def get_minPwdAge(self):
930 res = self.search(self.domain_dn(), scope=ldb.SCOPE_BASE, attrs=["minPwdAge"])
931 if len(res) == 0:
932 return None
933 elif "minPwdAge" not in res[0]:
934 return None
935 else:
936 return int(res[0]["minPwdAge"][0])
937
938 def set_maxPwdAge(self, value):
939 value = str(value).encode('utf8')
940 m = ldb.Message()
941 m.dn = ldb.Dn(self, self.domain_dn())
942 m["maxPwdAge"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "maxPwdAge")
943 self.modify(m)
944
945 def get_maxPwdAge(self):
946 res = self.search(self.domain_dn(), scope=ldb.SCOPE_BASE, attrs=["maxPwdAge"])
947 if len(res) == 0:
948 return None
949 elif "maxPwdAge" not in res[0]:
950 return None
951 else:
952 return int(res[0]["maxPwdAge"][0])
953
954 def set_minPwdLength(self, value):
955 value = str(value).encode('utf8')
956 m = ldb.Message()
957 m.dn = ldb.Dn(self, self.domain_dn())
958 m["minPwdLength"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "minPwdLength")
959 self.modify(m)
960
961 def get_minPwdLength(self):
962 res = self.search(self.domain_dn(), scope=ldb.SCOPE_BASE, attrs=["minPwdLength"])
963 if len(res) == 0:
964 return None
965 elif "minPwdLength" not in res[0]:
966 return None
967 else:
968 return int(res[0]["minPwdLength"][0])
969
970 def set_pwdProperties(self, value):
971 value = str(value).encode('utf8')
972 m = ldb.Message()
973 m.dn = ldb.Dn(self, self.domain_dn())
974 m["pwdProperties"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "pwdProperties")
975 self.modify(m)
976
977 def get_pwdProperties(self):
978 res = self.search(self.domain_dn(), scope=ldb.SCOPE_BASE, attrs=["pwdProperties"])
979 if len(res) == 0:
980 return None
981 elif "pwdProperties" not in res[0]:
982 return None
983 else:
984 return int(res[0]["pwdProperties"][0])
985
986 def set_dsheuristics(self, dsheuristics):
987 m = ldb.Message()
988 m.dn = ldb.Dn(self, "CN=Directory Service,CN=Windows NT,CN=Services,%s"
989 % self.get_config_basedn().get_linearized())
990 if dsheuristics is not None:
991 m["dSHeuristics"] = \
992 ldb.MessageElement(dsheuristics,
993 ldb.FLAG_MOD_REPLACE,
994 "dSHeuristics")
995 else:
996 m["dSHeuristics"] = \
997 ldb.MessageElement([], ldb.FLAG_MOD_DELETE,
998 "dSHeuristics")
999 self.modify(m)
1000
1001 def get_dsheuristics(self):
1002 res = self.search("CN=Directory Service,CN=Windows NT,CN=Services,%s"
1003 % self.get_config_basedn().get_linearized(),
1004 scope=ldb.SCOPE_BASE, attrs=["dSHeuristics"])
1005 if len(res) == 0:
1006 dsheuristics = None
1007 elif "dSHeuristics" in res[0]:
1008 dsheuristics = res[0]["dSHeuristics"][0]
1009 else:
1010 dsheuristics = None
1011
1012 return dsheuristics
1013
1014 def create_ou(self, ou_dn, description=None, name=None, sd=None):
1015 """Creates an organizationalUnit object
1016 :param ou_dn: dn of the new object
1017 :param description: description attribute
1018 :param name: name atttribute
1019 :param sd: security descriptor of the object, can be
1020 an SDDL string or security.descriptor type
1021 """
1022 m = {"dn": ou_dn,
1023 "objectClass": "organizationalUnit"}
1024
1025 if description:
1026 m["description"] = description
1027 if name:
1028 m["name"] = name
1029
1030 if sd:
1031 m["nTSecurityDescriptor"] = ndr_pack(sd)
1032 self.add(m)
1033
1034 def sequence_number(self, seq_type):
1035 """Returns the value of the sequence number according to the requested type
1036 :param seq_type: type of sequence number
1037 """
1038 self.transaction_start()
1039 try:
1040 seq = super(SamDB, self).sequence_number(seq_type)
1041 except:
1042 self.transaction_cancel()
1043 raise
1044 else:
1045 self.transaction_commit()
1046 return seq
1047
1048 def get_dsServiceName(self):
1049 '''get the NTDS DN from the rootDSE'''
1050 res = self.search(base="", scope=ldb.SCOPE_BASE, attrs=["dsServiceName"])
1051 return str(res[0]["dsServiceName"][0])
1052
1053 def get_serverName(self):
1054 '''get the server DN from the rootDSE'''
1055 res = self.search(base="", scope=ldb.SCOPE_BASE, attrs=["serverName"])
1056 return str(res[0]["serverName"][0])
1057
1058 def dns_lookup(self, dns_name, dns_partition=None):
1059 '''Do a DNS lookup in the database, returns the NDR database structures'''
1060 if dns_partition is None:
1061 return dsdb_dns.lookup(self, dns_name)
1062 else:
1063 return dsdb_dns.lookup(self, dns_name,
1064 dns_partition=dns_partition)
1065
1066 def dns_extract(self, el):
1067 '''Return the NDR database structures from a dnsRecord element'''
1068 return dsdb_dns.extract(self, el)
1069
1070 def dns_replace(self, dns_name, new_records):
1071 '''Do a DNS modification on the database, sets the NDR database
1072 structures on a DNS name
1073 '''
1074 return dsdb_dns.replace(self, dns_name, new_records)
1075
1076 def dns_replace_by_dn(self, dn, new_records):
1077 '''Do a DNS modification on the database, sets the NDR database
1078 structures on a LDB DN
1079
1080 This routine is important because if the last record on the DN
1081 is removed, this routine will put a tombstone in the record.
1082 '''
1083 return dsdb_dns.replace_by_dn(self, dn, new_records)
1084
1085 def garbage_collect_tombstones(self, dn, current_time,
1086 tombstone_lifetime=None):
1087 '''garbage_collect_tombstones(lp, samdb, [dn], current_time, tombstone_lifetime)
1088 -> (num_objects_expunged, num_links_expunged)'''
1089
1090 if tombstone_lifetime is None:
1091 return dsdb._dsdb_garbage_collect_tombstones(self, dn,
1092 current_time)
1093 else:
1094 return dsdb._dsdb_garbage_collect_tombstones(self, dn,
1095 current_time,
1096 tombstone_lifetime)
1097
1098 def create_own_rid_set(self):
1099 '''create a RID set for this DSA'''
1100 return dsdb._dsdb_create_own_rid_set(self)
1101
1102 def allocate_rid(self):
1103 '''return a new RID from the RID Pool on this DSA'''
1104 return dsdb._dsdb_allocate_rid(self)
1105
1106 def normalize_dn_in_domain(self, dn):
1107 '''return a new DN expanded by adding the domain DN
1108
1109 If the dn is already a child of the domain DN, just
1110 return it as-is.
1111
1112 :param dn: relative dn
1113 '''
1114 domain_dn = ldb.Dn(self, self.domain_dn())
1115
1116 if isinstance(dn, ldb.Dn):
1117 dn = str(dn)
1118
1119 full_dn = ldb.Dn(self, dn)
1120 if not full_dn.is_child_of(domain_dn):
1121 full_dn.add_base(domain_dn)
1122 return full_dn
Samba GIT mirror