3 # Unix SMB/CIFS implementation.
4 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2010
5 # Copyright (C) Matthias Dieter Wallnoefer 2009
7 # Based on the original in EJS:
8 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
10 # This program is free software; you can redistribute it and/or modify
11 # it under the terms of the GNU General Public License as published by
12 # the Free Software Foundation; either version 3 of the License, or
13 # (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program. If not, see <http://www.gnu.org/licenses/>.
24 """Convenience functions for using the SAM."""
30 from samba
import dsdb
31 from samba
.ndr
import ndr_unpack
, ndr_pack
32 from samba
.dcerpc
import drsblobs
, misc
34 __docformat__
= "restructuredText"
36 class SamDB(samba
.Ldb
):
37 """The SAM database."""
41 def __init__(self
, url
=None, lp
=None, modules_dir
=None, session_info
=None,
42 credentials
=None, flags
=0, options
=None, global_schema
=True,
43 auto_connect
=True, am_rodc
=None):
47 elif url
is None and lp
is not None:
48 url
= lp
.get("sam database")
50 super(SamDB
, self
).__init
__(url
=url
, lp
=lp
, modules_dir
=modules_dir
,
51 session_info
=session_info
, credentials
=credentials
, flags
=flags
,
55 dsdb
._dsdb
_set
_global
_schema
(self
)
57 if am_rodc
is not None:
58 dsdb
._dsdb
_set
_am
_rodc
(self
, am_rodc
)
60 def connect(self
, url
=None, flags
=0, options
=None):
61 if self
.lp
is not None:
62 url
= self
.lp
.private_path(url
)
64 super(SamDB
, self
).connect(url
=url
, flags
=flags
,
68 return dsdb
._am
_rodc
(self
)
71 return str(self
.get_default_basedn())
73 def enable_account(self
, search_filter
):
76 :param search_filter: LDAP filter to find the user (eg samccountname=name)
78 res
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
79 expression
=search_filter
, attrs
=["userAccountControl"])
83 userAccountControl
= int(res
[0]["userAccountControl"][0])
84 if (userAccountControl
& 0x2):
85 userAccountControl
= userAccountControl
& ~
0x2 # remove disabled bit
86 if (userAccountControl
& 0x20):
87 userAccountControl
= userAccountControl
& ~
0x20 # remove 'no password required' bit
92 replace: userAccountControl
93 userAccountControl: %u
94 """ % (user_dn
, userAccountControl
)
97 def force_password_change_at_next_login(self
, search_filter
):
98 """Forces a password change at next login
100 :param search_filter: LDAP filter to find the user (eg samccountname=name)
102 res
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
103 expression
=search_filter
, attrs
=[])
104 assert(len(res
) == 1)
113 self
.modify_ldif(mod
)
115 def newgroup(self
, groupname
, groupou
=None, grouptype
=None,
116 description
=None, mailaddress
=None, notes
=None):
117 """Adds a new group with additional parameters
119 :param groupname: Name of the new group
120 :param grouptype: Type of the new group
121 :param description: Description of the new group
122 :param mailaddress: Email address of the new group
123 :param notes: Notes of the new group
126 group_dn
= "CN=%s,%s,%s" % (groupname
, (groupou
or "CN=Users"), self
.domain_dn())
128 # The new user record. Note the reliance on the SAMLDB module which
129 # fills in the default informations
130 ldbmessage
= {"dn": group_dn
,
131 "sAMAccountName": groupname
,
132 "objectClass": "group"}
134 if grouptype
is not None:
135 ldbmessage
["groupType"] = "%d" % grouptype
137 if description
is not None:
138 ldbmessage
["description"] = description
140 if mailaddress
is not None:
141 ldbmessage
["mail"] = mailaddress
143 if notes
is not None:
144 ldbmessage
["info"] = notes
148 def deletegroup(self
, groupname
):
151 :param groupname: Name of the target group
154 groupfilter
= "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (groupname
, "CN=Group,CN=Schema,CN=Configuration", self
.domain_dn())
155 self
.transaction_start()
157 targetgroup
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
158 expression
=groupfilter
, attrs
=[])
159 if len(targetgroup
) == 0:
160 raise Exception('Unable to find group "%s"' % groupname
)
161 assert(len(targetgroup
) == 1)
162 self
.delete(targetgroup
[0].dn
)
164 self
.transaction_cancel()
167 self
.transaction_commit()
169 def add_remove_group_members(self
, groupname
, listofmembers
,
170 add_members_operation
=True):
171 """Adds or removes group members
173 :param groupname: Name of the target group
174 :param listofmembers: Comma-separated list of group members
175 :param add_members_operation: Defines if its an add or remove operation
178 groupfilter
= "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (groupname
, "CN=Group,CN=Schema,CN=Configuration", self
.domain_dn())
179 groupmembers
= listofmembers
.split(',')
181 self
.transaction_start()
183 targetgroup
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
184 expression
=groupfilter
, attrs
=['member'])
185 if len(targetgroup
) == 0:
186 raise Exception('Unable to find group "%s"' % groupname
)
187 assert(len(targetgroup
) == 1)
191 addtargettogroup
= """
194 """ % (str(targetgroup
[0].dn
))
196 for member
in groupmembers
:
197 targetmember
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
198 expression
="(|(sAMAccountName=%s)(CN=%s))" % (member
, member
), attrs
=[])
200 if len(targetmember
) != 1:
203 if add_members_operation
is True and (targetgroup
[0].get('member') is None or str(targetmember
[0].dn
) not in targetgroup
[0]['member']):
205 addtargettogroup
+= """add: member
207 """ % (str(targetmember
[0].dn
))
209 elif add_members_operation
is False and (targetgroup
[0].get('member') is not None and str(targetmember
[0].dn
) in targetgroup
[0]['member']):
211 addtargettogroup
+= """delete: member
213 """ % (str(targetmember
[0].dn
))
216 self
.modify_ldif(addtargettogroup
)
219 self
.transaction_cancel()
222 self
.transaction_commit()
224 def newuser(self
, username
, password
,
225 force_password_change_at_next_login_req
=False,
226 useusernameascn
=False, userou
=None, surname
=None, givenname
=None, initials
=None,
227 profilepath
=None, scriptpath
=None, homedrive
=None, homedirectory
=None,
228 jobtitle
=None, department
=None, company
=None, description
=None,
229 mailaddress
=None, internetaddress
=None, telephonenumber
=None,
230 physicaldeliveryoffice
=None):
231 """Adds a new user with additional parameters
233 :param username: Name of the new user
234 :param password: Password for the new user
235 :param force_password_change_at_next_login_req: Force password change
236 :param useusernameascn: Use username as cn rather that firstname + initials + lastname
237 :param userou: Object container (without domainDN postfix) for new user
238 :param surname: Surname of the new user
239 :param givenname: First name of the new user
240 :param initials: Initials of the new user
241 :param profilepath: Profile path of the new user
242 :param scriptpath: Logon script path of the new user
243 :param homedrive: Home drive of the new user
244 :param homedirectory: Home directory of the new user
245 :param jobtitle: Job title of the new user
246 :param department: Department of the new user
247 :param company: Company of the new user
248 :param description: of the new user
249 :param mailaddress: Email address of the new user
250 :param internetaddress: Home page of the new user
251 :param telephonenumber: Phone number of the new user
252 :param physicaldeliveryoffice: Office location of the new user
256 if givenname
is not None:
257 displayname
+= givenname
259 if initials
is not None:
260 displayname
+= ' %s.' % initials
262 if surname
is not None:
263 displayname
+= ' %s' % surname
266 if useusernameascn
is None and displayname
is not "":
269 user_dn
= "CN=%s,%s,%s" % (cn
, (userou
or "CN=Users"), self
.domain_dn())
271 dnsdomain
= ldb
.Dn(self
, self
.domain_dn()).canonical_str().replace("/", "")
272 user_principal_name
= "%s@%s" % (username
, dnsdomain
)
273 # The new user record. Note the reliance on the SAMLDB module which
274 # fills in the default informations
275 ldbmessage
= {"dn": user_dn
,
276 "sAMAccountName": username
,
277 "userPrincipalName": user_principal_name
,
278 "objectClass": "user"}
280 if surname
is not None:
281 ldbmessage
["sn"] = surname
283 if givenname
is not None:
284 ldbmessage
["givenName"] = givenname
286 if displayname
is not "":
287 ldbmessage
["displayName"] = displayname
288 ldbmessage
["name"] = displayname
290 if initials
is not None:
291 ldbmessage
["initials"] = '%s.' % initials
293 if profilepath
is not None:
294 ldbmessage
["profilePath"] = profilepath
296 if scriptpath
is not None:
297 ldbmessage
["scriptPath"] = scriptpath
299 if homedrive
is not None:
300 ldbmessage
["homeDrive"] = homedrive
302 if homedirectory
is not None:
303 ldbmessage
["homeDirectory"] = homedirectory
305 if jobtitle
is not None:
306 ldbmessage
["title"] = jobtitle
308 if department
is not None:
309 ldbmessage
["department"] = department
311 if company
is not None:
312 ldbmessage
["company"] = company
314 if description
is not None:
315 ldbmessage
["description"] = description
317 if mailaddress
is not None:
318 ldbmessage
["mail"] = mailaddress
320 if internetaddress
is not None:
321 ldbmessage
["wWWHomePage"] = internetaddress
323 if telephonenumber
is not None:
324 ldbmessage
["telephoneNumber"] = telephonenumber
326 if physicaldeliveryoffice
is not None:
327 ldbmessage
["physicalDeliveryOfficeName"] = physicaldeliveryoffice
329 self
.transaction_start()
333 # Sets the password for it
334 self
.setpassword("(dn=" + user_dn
+ ")", password
,
335 force_password_change_at_next_login_req
)
337 self
.transaction_cancel()
340 self
.transaction_commit()
342 def setpassword(self
, search_filter
, password
,
343 force_change_at_next_login
=False,
345 """Sets the password for a user
347 :param search_filter: LDAP filter to find the user (eg samccountname=name)
348 :param password: Password for the user
349 :param force_change_at_next_login: Force password change
351 self
.transaction_start()
353 res
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
354 expression
=search_filter
, attrs
=[])
356 raise Exception('Unable to find user "%s"' % (username
or search_filter
))
357 assert(len(res
) == 1)
365 """ % (user_dn
, base64
.b64encode(("\"" + password
+ "\"").encode('utf-16-le')))
367 self
.modify_ldif(setpw
)
369 if force_change_at_next_login
:
370 self
.force_password_change_at_next_login(
371 "(dn=" + str(user_dn
) + ")")
373 # modify the userAccountControl to remove the disabled bit
374 self
.enable_account(search_filter
)
376 self
.transaction_cancel()
379 self
.transaction_commit()
381 def setexpiry(self
, search_filter
, expiry_seconds
, no_expiry_req
=False):
382 """Sets the account expiry for a user
384 :param search_filter: LDAP filter to find the user (eg samccountname=name)
385 :param expiry_seconds: expiry time from now in seconds
386 :param no_expiry_req: if set, then don't expire password
388 self
.transaction_start()
390 res
= self
.search(base
=self
.domain_dn(), scope
=ldb
.SCOPE_SUBTREE
,
391 expression
=search_filter
,
392 attrs
=["userAccountControl", "accountExpires"])
393 assert(len(res
) == 1)
396 userAccountControl
= int(res
[0]["userAccountControl"][0])
397 accountExpires
= int(res
[0]["accountExpires"][0])
399 userAccountControl
= userAccountControl |
0x10000
402 userAccountControl
= userAccountControl
& ~
0x10000
403 accountExpires
= samba
.unix2nttime(expiry_seconds
+ int(time
.time()))
408 replace: userAccountControl
409 userAccountControl: %u
410 replace: accountExpires
412 """ % (user_dn
, userAccountControl
, accountExpires
)
414 self
.modify_ldif(setexp
)
416 self
.transaction_cancel()
419 self
.transaction_commit()
421 def set_domain_sid(self
, sid
):
422 """Change the domain SID used by this LDB.
424 :param sid: The new domain sid to use.
426 dsdb
._samdb
_set
_domain
_sid
(self
, sid
)
428 def get_domain_sid(self
):
429 """Read the domain SID used by this LDB.
432 return dsdb
._samdb
_get
_domain
_sid
(self
)
434 def set_invocation_id(self
, invocation_id
):
435 """Set the invocation id for this SamDB handle.
437 :param invocation_id: GUID of the invocation id.
439 dsdb
._dsdb
_set
_ntds
_invocation
_id
(self
, invocation_id
)
441 def get_oid_from_attid(self
, attid
):
442 return dsdb
._dsdb
_get
_oid
_from
_attid
(self
, attid
)
444 def get_attid_from_lDAPDisplayName(self
, ldap_display_name
, is_schema_nc
=False):
445 return dsdb
._dsdb
_get
_attid
_from
_lDAPDisplayName
(self
, ldap_display_name
, is_schema_nc
)
447 def get_invocation_id(self
):
448 "Get the invocation_id id"
449 return dsdb
._samdb
_ntds
_invocation
_id
(self
)
451 def set_ntds_settings_dn(self
, ntds_settings_dn
):
452 """Set the NTDS Settings DN, as would be returned on the dsServiceName rootDSE attribute
454 This allows the DN to be set before the database fully exists
456 :param ntds_settings_dn: The new DN to use
458 dsdb
._samdb
_set
_ntds
_settings
_dn
(self
, ntds_settings_dn
)
460 invocation_id
= property(get_invocation_id
, set_invocation_id
)
462 domain_sid
= property(get_domain_sid
, set_domain_sid
)
464 def get_ntds_GUID(self
):
465 "Get the NTDS objectGUID"
466 return dsdb
._samdb
_ntds
_objectGUID
(self
)
468 def server_site_name(self
):
469 "Get the server site name"
470 return dsdb
._samdb
_server
_site
_name
(self
)
472 def load_partition_usn(self
, base_dn
):
473 return dsdb
._dsdb
_load
_partition
_usn
(self
, base_dn
)
475 def set_schema(self
, schema
):
476 self
.set_schema_from_ldb(schema
.ldb
)
478 def set_schema_from_ldb(self
, ldb_conn
):
479 dsdb
._dsdb
_set
_schema
_from
_ldb
(self
, ldb_conn
)
481 def dsdb_DsReplicaAttribute(self
, ldb
, ldap_display_name
, ldif_elements
):
482 return dsdb
._dsdb
_DsReplicaAttribute
(ldb
, ldap_display_name
, ldif_elements
)
484 def get_attribute_from_attid(self
, attid
):
485 """ Get from an attid the associated attribute
487 :param attid: The attribute id for searched attribute
488 :return: The name of the attribute associated with this id
490 if len(self
.hash_oid_name
.keys()) == 0:
491 self
._populate
_oid
_attid
()
492 if self
.hash_oid_name
.has_key(self
.get_oid_from_attid(attid
)):
493 return self
.hash_oid_name
[self
.get_oid_from_attid(attid
)]
498 def _populate_oid_attid(self
):
499 """Populate the hash hash_oid_name
501 This hash contains the oid of the attribute as a key and
502 its display name as a value
504 self
.hash_oid_name
= {}
505 res
= self
.search(expression
="objectClass=attributeSchema",
506 controls
=["search_options:1:2"],
507 attrs
=["attributeID",
511 strDisplay
= str(e
.get("lDAPDisplayName"))
512 self
.hash_oid_name
[str(e
.get("attributeID"))] = strDisplay
515 def get_attribute_replmetadata_version(self
, dn
, att
):
516 """ Get the version field trom the replPropertyMetaData for
519 :param dn: The on which we want to get the version
520 :param att: The name of the attribute
521 :return: The value of the version field in the replPropertyMetaData
522 for the given attribute. None if the attribute is not replicated
525 res
= self
.search(expression
="dn=%s" % dn
,
526 scope
=ldb
.SCOPE_SUBTREE
,
527 controls
=["search_options:1:2"],
528 attrs
=["replPropertyMetaData"])
532 repl
= ndr_unpack(drsblobs
.replPropertyMetaDataBlob
,
533 str(res
[0]["replPropertyMetaData"]))
535 if len(self
.hash_oid_name
.keys()) == 0:
536 self
._populate
_oid
_attid
()
538 # Search for Description
539 att_oid
= self
.get_oid_from_attid(o
.attid
)
540 if self
.hash_oid_name
.has_key(att_oid
) and\
541 att
.lower() == self
.hash_oid_name
[att_oid
].lower():
546 def set_attribute_replmetadata_version(self
, dn
, att
, value
, addifnotexist
=False):
547 res
= self
.search(expression
="dn=%s" % dn
,
548 scope
=ldb
.SCOPE_SUBTREE
,
549 controls
=["search_options:1:2"],
550 attrs
=["replPropertyMetaData"])
554 repl
= ndr_unpack(drsblobs
.replPropertyMetaDataBlob
,
555 str(res
[0]["replPropertyMetaData"]))
557 now
= samba
.unix2nttime(int(time
.time()))
559 if len(self
.hash_oid_name
.keys()) == 0:
560 self
._populate
_oid
_attid
()
562 # Search for Description
563 att_oid
= self
.get_oid_from_attid(o
.attid
)
564 if self
.hash_oid_name
.has_key(att_oid
) and\
565 att
.lower() == self
.hash_oid_name
[att_oid
].lower():
567 seq
= self
.sequence_number(ldb
.SEQ_NEXT
)
569 o
.originating_change_time
= now
570 o
.originating_invocation_id
= misc
.GUID(self
.get_invocation_id())
571 o
.originating_usn
= seq
574 if not found
and addifnotexist
and len(ctr
.array
) >0:
575 o2
= drsblobs
.replPropertyMetaData1()
577 att_oid
= self
.get_oid_from_attid(o2
.attid
)
578 seq
= self
.sequence_number(ldb
.SEQ_NEXT
)
580 o2
.originating_change_time
= now
581 o2
.originating_invocation_id
= misc
.GUID(self
.get_invocation_id())
582 o2
.originating_usn
= seq
587 ctr
.count
= ctr
.count
+ 1
591 replBlob
= ndr_pack(repl
)
594 msg
["replPropertyMetaData"] = ldb
.MessageElement(replBlob
,
595 ldb
.FLAG_MOD_REPLACE
,
596 "replPropertyMetaData")
597 self
.modify(msg
, ["local_oid:1.3.6.1.4.1.7165.4.3.14:0"])
600 def write_prefixes_from_schema(self
):
601 dsdb
._dsdb
_write
_prefixes
_from
_schema
_to
_ldb
(self
)
603 def get_partitions_dn(self
):
604 return dsdb
._dsdb
_get
_partitions
_dn
(self
)
606 def set_minPwdAge(self
, value
):
608 m
.dn
= ldb
.Dn(self
, self
.domain_dn())
609 m
["minPwdAge"] = ldb
.MessageElement(value
, ldb
.FLAG_MOD_REPLACE
, "minPwdAge")
612 def get_minPwdAge(self
):
613 res
= self
.search(self
.domain_dn(), scope
=ldb
.SCOPE_BASE
, attrs
=["minPwdAge"])
616 elif not "minPwdAge" in res
[0]:
619 return res
[0]["minPwdAge"][0]