3 # Sets password settings.
4 # (Password complexity, history length, minimum password length, the minimum
5 # and maximum password age) on a Samba4 server
7 # Copyright Matthias Dieter Wallnoefer 2009
8 # Copyright Andrew Kroeger 2009
9 # Copyright Jelmer Vernooij 2009
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
25 import samba
.getopt
as options
28 from samba
.auth
import system_session
29 from samba
.samdb
import SamDB
30 from samba
.dcerpc
.samr
import DOMAIN_PASSWORD_COMPLEX
31 from samba
.netcmd
import Command
, CommandError
, Option
33 class cmd_pwsettings(Command
):
34 """Sets password settings.
36 Password complexity, history length, minimum password length, the minimum
37 and maximum password age) on a Samba4 server.
40 synopsis
= "(show | set <options>)"
42 takes_optiongroups
= {
43 "sambaopts": options
.SambaOptions
,
44 "versionopts": options
.VersionOptions
,
45 "credopts": options
.CredentialsOptions
,
49 Option("-H", help="LDB URL for database or target server", type=str),
50 Option("--quiet", help="Be quiet", action
="store_true"),
51 Option("--complexity", type="choice", choices
=["on","off","default"],
52 help="The password complexity (on | off | default). Default is 'on'"),
53 Option("--history-length",
54 help="The password history length (<integer> | default). Default is 24.", type=str),
55 Option("--min-pwd-length",
56 help="The minimum password length (<integer> | default). Default is 7.", type=str),
57 Option("--min-pwd-age",
58 help="The minimum password age (<integer in days> | default). Default is 0.", type=str),
59 Option("--max-pwd-age",
60 help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
63 takes_args
= ["subcommand"]
65 def run(self
, subcommand
, H
=None, min_pwd_age
=None, max_pwd_age
=None,
66 quiet
=False, complexity
=None, history_length
=None,
67 min_pwd_length
=None, credopts
=None, sambaopts
=None,
69 lp
= sambaopts
.get_loadparm()
70 creds
= credopts
.get_credentials(lp
)
75 url
= lp
.get("sam database")
77 samdb
= SamDB(url
=url
, session_info
=system_session(),
78 credentials
=creds
, lp
=lp
)
80 domain_dn
= SamDB
.domain_dn(samdb
)
81 res
= samdb
.search(domain_dn
, scope
=ldb
.SCOPE_BASE
,
82 attrs
=["pwdProperties", "pwdHistoryLength", "minPwdLength",
83 "minPwdAge", "maxPwdAge"])
86 pwd_props
= int(res
[0]["pwdProperties"][0])
87 pwd_hist_len
= int(res
[0]["pwdHistoryLength"][0])
88 cur_min_pwd_len
= int(res
[0]["minPwdLength"][0])
90 cur_min_pwd_age
= int(abs(int(res
[0]["minPwdAge"][0])) / (1e7
* 60 * 60 * 24))
91 cur_max_pwd_age
= int(abs(int(res
[0]["maxPwdAge"][0])) / (1e7
* 60 * 60 * 24))
93 raise CommandError("Could not retrieve password properties!")
95 if subcommand
== "show":
96 self
.message("Password informations for domain '%s'" % domain_dn
)
98 if pwd_props
& DOMAIN_PASSWORD_COMPLEX
!= 0:
99 self
.message("Password complexity: on")
101 self
.message("Password complexity: off")
102 self
.message("Password history length: %d" % pwd_hist_len
)
103 self
.message("Minimum password length: %d" % cur_min_pwd_len
)
104 self
.message("Minimum password age (days): %d" % cur_min_pwd_age
)
105 self
.message("Maximum password age (days): %d" % cur_max_pwd_age
)
106 elif subcommand
== "set":
109 m
.dn
= ldb
.Dn(samdb
, domain_dn
)
111 if complexity
is not None:
112 if complexity
== "on" or complexity
== "default":
113 pwd_props
= pwd_props | DOMAIN_PASSWORD_COMPLEX
114 msgs
.append("Password complexity activated!")
115 elif complexity
== "off":
116 pwd_props
= pwd_props
& (~DOMAIN_PASSWORD_COMPLEX
)
117 msgs
.append("Password complexity deactivated!")
119 m
["pwdProperties"] = ldb
.MessageElement(str(pwd_props
),
120 ldb
.FLAG_MOD_REPLACE
, "pwdProperties")
122 if history_length
is not None:
123 if history_length
== "default":
126 pwd_hist_len
= int(history_length
)
128 if pwd_hist_len
< 0 or pwd_hist_len
> 24:
129 raise CommandError("Password history length must be in the range of 0 to 24!")
131 m
["pwdHistoryLength"] = ldb
.MessageElement(str(pwd_hist_len
),
132 ldb
.FLAG_MOD_REPLACE
, "pwdHistoryLength")
133 msgs
.append("Password history length changed!")
135 if min_pwd_length
is not None:
136 if min_pwd_length
== "default":
139 min_pwd_len
= int(min_pwd_length
)
141 if min_pwd_len
< 0 or min_pwd_len
> 14:
142 raise CommandError("Minimum password length must be in the range of 0 to 14!")
144 m
["minPwdLength"] = ldb
.MessageElement(str(min_pwd_len
),
145 ldb
.FLAG_MOD_REPLACE
, "minPwdLength")
146 msgs
.append("Minimum password length changed!")
148 if min_pwd_age
is not None:
149 if min_pwd_age
== "default":
152 min_pwd_age
= int(min_pwd_age
)
154 if min_pwd_age
< 0 or min_pwd_age
> 998:
155 raise CommandError("Minimum password age must be in the range of 0 to 998!")
158 min_pwd_age_ticks
= -int(min_pwd_age
* (24 * 60 * 60 * 1e7
))
160 m
["minPwdAge"] = ldb
.MessageElement(str(min_pwd_age_ticks
),
161 ldb
.FLAG_MOD_REPLACE
, "minPwdAge")
162 msgs
.append("Minimum password age changed!")
164 if max_pwd_age
is not None:
165 if max_pwd_age
== "default":
168 max_pwd_age
= int(max_pwd_age
)
170 if max_pwd_age
< 0 or max_pwd_age
> 999:
171 raise CommandError("Maximum password age must be in the range of 0 to 999!")
174 max_pwd_age_ticks
= -int(max_pwd_age
* (24 * 60 * 60 * 1e7
))
176 m
["maxPwdAge"] = ldb
.MessageElement(str(max_pwd_age_ticks
),
177 ldb
.FLAG_MOD_REPLACE
, "maxPwdAge")
178 msgs
.append("Maximum password age changed!")
180 if max_pwd_age
> 0 and min_pwd_age
>= max_pwd_age
:
181 raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age
, min_pwd_age
))
184 msgs
.append("All changes applied successfully!")
185 self
.message("\n".join(msgs
))
187 raise CommandError("Wrong argument '%s'!" % subcommand
)