3 # Unix SMB/CIFS implementation.
4 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
5 # Copyright (C) Matthias Dieter Wallnoefer 2009
7 # Based on the original in EJS:
8 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
10 # This program is free software; you can redistribute it and/or modify
11 # it under the terms of the GNU General Public License as published by
12 # the Free Software Foundation; either version 3 of the License, or
13 # (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program. If not, see <http://www.gnu.org/licenses/>.
24 """Convenience functions for using the SAM."""
29 from samba
.idmap
import IDmapDB
34 __docformat__
= "restructuredText"
36 class SamDB(samba
.Ldb
):
37 """The SAM database."""
39 def __init__(self
, url
=None, lp
=None, modules_dir
=None, session_info
=None,
40 credentials
=None, flags
=0, options
=None, global_schema
=True):
43 url
= lp
.get("sam database")
45 super(SamDB
, self
).__init
__(url
=url
, lp
=lp
, modules_dir
=modules_dir
,
46 session_info
=session_info
, credentials
=credentials
, flags
=flags
,
50 dsdb
.dsdb_set_global_schema(self
)
52 def connect(self
, url
=None, flags
=0, options
=None):
53 super(SamDB
, self
).connect(url
=self
.lp
.private_path(url
), flags
=flags
,
57 # find the DNs for the domain
58 res
= self
.search(base
="",
60 expression
="(defaultNamingContext=*)",
61 attrs
=["defaultNamingContext"])
62 assert(len(res
) == 1 and res
[0]["defaultNamingContext"] is not None)
63 return res
[0]["defaultNamingContext"][0]
65 def enable_account(self
, filter):
68 :param filter: LDAP filter to find the user (eg samccountname=name)
70 res
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
71 expression
=filter, attrs
=["userAccountControl"])
75 userAccountControl
= int(res
[0]["userAccountControl"][0])
76 if (userAccountControl
& 0x2):
77 userAccountControl
= userAccountControl
& ~
0x2 # remove disabled bit
78 if (userAccountControl
& 0x20):
79 userAccountControl
= userAccountControl
& ~
0x20 # remove 'no password required' bit
84 replace: userAccountControl
85 userAccountControl: %u
86 """ % (user_dn
, userAccountControl
)
89 def force_password_change_at_next_login(self
, filter):
90 """Forces a password change at next login
92 :param filter: LDAP filter to find the user (eg samccountname=name)
94 res
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
95 expression
=filter, attrs
=[])
105 self
.modify_ldif(mod
)
107 def newuser(self
, username
, unixname
, password
,
108 force_password_change_at_next_login_req
=False):
111 Note: This call adds also the ID mapping for winbind; therefore it works
114 :param username: Name of the new user
115 :param unixname: Name of the unix user to map to
116 :param password: Password for the new user
117 :param force_password_change_at_next_login_req: Force password change
119 self
.transaction_start()
121 user_dn
= "CN=%s,CN=Users,%s" % (username
, self
.domain_dn())
123 # The new user record. Note the reliance on the SAMLDB module which
124 # fills in the default informations
125 self
.add({"dn": user_dn
,
126 "sAMAccountName": username
,
127 "objectClass": "user"})
129 # Sets the password for it
130 self
.setpassword("(dn=" + user_dn
+ ")", password
,
131 force_password_change_at_next_login_req
)
133 # Gets the user SID (for the account mapping setup)
134 res
= self
.search(user_dn
, scope
=ldb
.SCOPE_BASE
,
135 expression
="objectclass=*",
138 user_sid
= self
.schema_format_value("objectSid", res
[0]["objectSid"][0])
141 idmap
= IDmapDB(lp
=self
.lp
)
143 user
= pwd
.getpwnam(unixname
)
145 # setup ID mapping for this UID
146 idmap
.setup_name_mapping(user_sid
, idmap
.TYPE_UID
, user
[2])
151 self
.transaction_cancel()
153 self
.transaction_commit()
155 def setpassword(self
, filter, password
, force_change_at_next_login
=False):
156 """Sets the password for a user
158 Note: This call uses the "userPassword" attribute to set the password.
159 This works correctly on SAMBA 4 and on Windows DCs with
160 "2003 Native" or higer domain function level.
162 :param filter: LDAP filter to find the user (eg samccountname=name)
163 :param password: Password for the user
164 :param force_change_at_next_login: Force password change
166 self
.transaction_start()
168 res
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
169 expression
=filter, attrs
=[])
170 assert(len(res
) == 1)
176 replace: userPassword
178 """ % (user_dn
, base64
.b64encode(password
))
180 self
.modify_ldif(setpw
)
182 if force_change_at_next_login
:
183 self
.force_password_change_at_next_login(
184 "(dn=" + str(user_dn
) + ")")
186 # modify the userAccountControl to remove the disabled bit
187 self
.enable_account(filter)
189 self
.transaction_cancel()
191 self
.transaction_commit()
193 def setexpiry(self
, filter, expiry_seconds
, no_expiry_req
=False):
194 """Sets the account expiry for a user
196 :param filter: LDAP filter to find the user (eg samccountname=name)
197 :param expiry_seconds: expiry time from now in seconds
198 :param no_expiry_req: if set, then don't expire password
200 self
.transaction_start()
202 res
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
204 attrs
=["userAccountControl", "accountExpires"])
205 assert(len(res
) == 1)
208 userAccountControl
= int(res
[0]["userAccountControl"][0])
209 accountExpires
= int(res
[0]["accountExpires"][0])
211 userAccountControl
= userAccountControl |
0x10000
214 userAccountControl
= userAccountControl
& ~
0x10000
215 accountExpires
= samba
.unix2nttime(expiry_seconds
+ int(time
.time()))
220 replace: userAccountControl
221 userAccountControl: %u
222 replace: accountExpires
224 """ % (user_dn
, userAccountControl
, accountExpires
)
226 self
.modify_ldif(setexp
)
228 self
.transaction_cancel()
230 self
.transaction_commit()
232 def set_domain_sid(self
, sid
):
233 """Change the domain SID used by this LDB.
235 :param sid: The new domain sid to use.
237 dsdb
.samdb_set_domain_sid(self
, sid
)
239 def get_domain_sid(self
):
240 """Read the domain SID used by this LDB.
243 dsdb
.samdb_get_domain_sid(self
)
245 def set_invocation_id(self
, invocation_id
):
246 """Set the invocation id for this SamDB handle.
248 :param invocation_id: GUID of the invocation id.
250 dsdb
.dsdb_set_ntds_invocation_id(self
, invocation_id
)
252 def get_invocation_id(self
):
253 "Get the invocation_id id"
254 return dsdb
.samdb_ntds_invocation_id(self
)
256 invocation_id
= property(get_invocation_id
, set_invocation_id
)
258 domain_sid
= property(get_domain_sid
, set_domain_sid
)
260 def get_ntds_GUID(self
):
261 "Get the NTDS objectGUID"
262 return dsdb
.samdb_ntds_objectGUID(self
)
264 def server_site_name(self
):
265 "Get the server site name"
266 return dsdb
.samdb_server_site_name(self
)