3 # Sets password settings (Password complexity, history length,
4 # minimum password length, the minimum and maximum password age) on a
7 # Copyright Jelmer Vernooij 2008
8 # Copyright Matthias Dieter Wallnoefer 2009
9 # Copyright Andrew Kroeger 2009
10 # Released under the GNU GPL version 3 or later
14 sys
.path
.insert(0, os
.path
.join(os
.path
.dirname(sys
.argv
[0]), "../bin/python"))
16 import samba
.getopt
as options
20 from samba
.auth
import system_session
21 from samba
.samdb
import SamDB
22 from samba
.dcerpc
.samr
import DOMAIN_PASSWORD_COMPLEX
24 parser
= optparse
.OptionParser("pwsettings (show | set <options>)")
25 sambaopts
= options
.SambaOptions(parser
)
26 parser
.add_option_group(sambaopts
)
27 parser
.add_option_group(options
.VersionOptions(parser
))
28 credopts
= options
.CredentialsOptions(parser
)
29 parser
.add_option_group(credopts
)
30 parser
.add_option("--quiet", help="Be quiet", action
="store_true")
31 parser
.add_option("-H", help="LDB URL for database or target server", type=str)
32 parser
.add_option("--complexity",
33 help="The password complexity (on | off | default). Default is 'on'", type=str)
34 parser
.add_option("--history-length",
35 help="The password history length (<integer> | default). Default is 24.", type=str)
36 parser
.add_option("--min-pwd-length",
37 help="The minimum password length (<integer> | default). Default is 7.", type=str)
38 parser
.add_option("--min-pwd-age",
39 help="The minimum password age (<integer in days> | default). Default is 0.", type=str)
40 parser
.add_option("--max-pwd-age",
41 help="The maximum password age (<integer in days> | default). Default is 43.", type=str)
43 opts
, args
= parser
.parse_args()
46 # print a message if quiet is not set
56 lp
= sambaopts
.get_loadparm()
58 creds
= credopts
.get_credentials(lp
)
60 if opts
.H
is not None:
63 url
= lp
.get("sam database")
65 samdb
= SamDB(url
=url
, session_info
=system_session(),
66 credentials
=creds
, lp
=lp
)
68 domain_dn
= SamDB
.domain_dn(samdb
)
69 res
= samdb
.search(domain_dn
, scope
=ldb
.SCOPE_BASE
,
70 attrs
=["pwdProperties", "pwdHistoryLength", "minPwdLength", "minPwdAge",
74 pwd_props
= int(res
[0]["pwdProperties"][0])
75 pwd_hist_len
= int(res
[0]["pwdHistoryLength"][0])
76 min_pwd_len
= int(res
[0]["minPwdLength"][0])
78 min_pwd_age
= int(abs(int(res
[0]["minPwdAge"][0])) / (1e7
* 60 * 60 * 24))
79 max_pwd_age
= int(abs(int(res
[0]["maxPwdAge"][0])) / (1e7
* 60 * 60 * 24))
81 print "ERROR: Could not retrieve password properties!"
83 print "So no settings can be displayed!"
87 message("Password informations for domain '" + domain_dn
+ "'")
89 if pwd_props
& DOMAIN_PASSWORD_COMPLEX
!= 0:
90 message("Password complexity: on")
92 message("Password complexity: off")
93 message("Password history length: " + str(pwd_hist_len
))
94 message("Minimum password length: " + str(min_pwd_len
))
95 message("Minimum password age (days): " + str(min_pwd_age
))
96 message("Maximum password age (days): " + str(max_pwd_age
))
98 elif args
[0] == "set":
102 m
.dn
= ldb
.Dn(samdb
, domain_dn
)
104 if opts
.complexity
is not None:
105 if opts
.complexity
== "on" or opts
.complexity
== "default":
106 pwd_props
= pwd_props | DOMAIN_PASSWORD_COMPLEX
107 msgs
.append("Password complexity activated!")
108 elif opts
.complexity
== "off":
109 pwd_props
= pwd_props
& (~DOMAIN_PASSWORD_COMPLEX
)
110 msgs
.append("Password complexity deactivated!")
112 print "ERROR: Wrong argument '" + opts
.complexity
+ "'!"
115 m
["pwdProperties"] = ldb
.MessageElement(str(pwd_props
),
116 ldb
.FLAG_MOD_REPLACE
, "pwdProperties")
118 if opts
.history_length
is not None:
119 if opts
.history_length
== "default":
122 pwd_hist_len
= int(opts
.history_length
)
124 if pwd_hist_len
< 0 or pwd_hist_len
> 24:
125 print "ERROR: Password history length must be in the range of 0 to 24!"
128 m
["pwdHistoryLength"] = ldb
.MessageElement(str(pwd_hist_len
),
129 ldb
.FLAG_MOD_REPLACE
, "pwdHistoryLength")
130 msgs
.append("Password history length changed!")
132 if opts
.min_pwd_length
is not None:
133 if opts
.min_pwd_length
== "default":
136 min_pwd_len
= int(opts
.min_pwd_length
)
138 if min_pwd_len
< 0 or min_pwd_len
> 14:
139 print "ERROR: Minimum password length must be in the range of 0 to 14!"
142 m
["minPwdLength"] = ldb
.MessageElement(str(min_pwd_len
),
143 ldb
.FLAG_MOD_REPLACE
, "minPwdLength")
144 msgs
.append("Minimum password length changed!")
146 if opts
.min_pwd_age
is not None:
147 if opts
.min_pwd_age
== "default":
150 min_pwd_age
= int(opts
.min_pwd_age
)
152 if min_pwd_age
< 0 or min_pwd_age
> 998:
153 print "ERROR: Minimum password age must be in the range of 0 to 998!"
157 min_pwd_age_ticks
= -int(min_pwd_age
* (24 * 60 * 60 * 1e7
))
159 m
["minPwdAge"] = ldb
.MessageElement(str(min_pwd_age_ticks
),
160 ldb
.FLAG_MOD_REPLACE
, "minPwdAge")
161 msgs
.append("Minimum password age changed!")
163 if opts
.max_pwd_age
is not None:
164 if opts
.max_pwd_age
== "default":
167 max_pwd_age
= int(opts
.max_pwd_age
)
169 if max_pwd_age
< 0 or max_pwd_age
> 999:
170 print "ERROR: Maximum password age must be in the range of 0 to 999!"
174 max_pwd_age_ticks
= -int(max_pwd_age
* (24 * 60 * 60 * 1e7
))
176 m
["maxPwdAge"] = ldb
.MessageElement(str(max_pwd_age_ticks
),
177 ldb
.FLAG_MOD_REPLACE
, "maxPwdAge")
178 msgs
.append("Maximum password age changed!")
180 if max_pwd_age
> 0 and min_pwd_age
>= max_pwd_age
:
181 print "ERROR: Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age
, min_pwd_age
)
186 msgs
.append("All changes applied successfully!")
188 message("\n".join(msgs
))
190 print "ERROR: Wrong argument '" + args
[0] + "'!"