5 # Copyright Matthias Dieter Wallnoefer 2009
6 # Copyright Andrew Kroeger 2009
7 # Copyright Jelmer Vernooij 2009
8 # Copyright Giampaolo Lauria 2011
9 # Copyright Matthieu Patou <mat@matws.net> 2011
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
27 import samba.getopt as options
33 from samba.net import Net, LIBNET_JOIN_AUTOMATIC
35 from samba.join import join_RODC, join_DC, join_subdomain
36 from samba.auth import system_session
37 from samba.samdb import SamDB
38 from samba.dcerpc import drsuapi
39 from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT
40 from samba.netcmd import (
46 from samba.netcmd.common import netcmd_get_domain_infos_via_cldap
47 from samba.samba3 import Samba3
48 from samba.samba3 import param as s3param
49 from samba.upgrade import upgrade_from_samba3
50 from samba.drs_utils import (
51 sendDsReplicaSync, drsuapi_connect, drsException,
55 from samba.dsdb import (
56 DS_DOMAIN_FUNCTION_2000,
57 DS_DOMAIN_FUNCTION_2003,
58 DS_DOMAIN_FUNCTION_2003_MIXED,
59 DS_DOMAIN_FUNCTION_2008,
60 DS_DOMAIN_FUNCTION_2008_R2,
61 DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL,
62 DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL,
63 UF_WORKSTATION_TRUST_ACCOUNT,
64 UF_SERVER_TRUST_ACCOUNT,
65 UF_TRUSTED_FOR_DELEGATION
68 def get_testparm_var(testparm, smbconf, varname):
69 cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
70 output = os.popen(cmd, 'r').readline()
74 class cmd_domain_export_keytab(Command):
75 """Dumps kerberos keys of the domain into a keytab"""
77 synopsis = "%prog <keytab> [options]"
80 Option("--principal", help="extract only this principal", type=str),
83 takes_args = ["keytab"]
85 def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None):
86 lp = sambaopts.get_loadparm()
88 net.export_keytab(keytab=keytab, principal=principal)
90 class cmd_domain_info(Command):
91 """Print basic info about a domain and the DC passed as parameter"""
93 synopsis = "%prog domain info <ip_address> [options]"
98 takes_args = ["address"]
100 def run(self, address, credopts=None, sambaopts=None, versionopts=None):
101 lp = sambaopts.get_loadparm()
103 res = netcmd_get_domain_infos_via_cldap(lp, None, address)
104 print "Forest : %s" % res.forest
105 print "Domain : %s" % res.dns_domain
106 print "Netbios domain : %s" % res.domain_name
107 print "DC name : %s" % res.pdc_dns_name
108 print "DC netbios name : %s" % res.pdc_name
109 print "Server site : %s" % res.server_site
110 print "Client site : %s" % res.client_site
112 raise CommandError("Invalid IP address '" + address + "'!")
116 class cmd_domain_join(Command):
117 """Joins domain as either member or backup domain controller"""
119 synopsis = "%prog <dnsdomain> [DC|RODC|MEMBER|SUBDOMAIN] [options]"
122 Option("--server", help="DC to join", type=str),
123 Option("--site", help="site to join", type=str),
124 Option("--targetdir", help="where to store provision", type=str),
125 Option("--parent-domain", help="parent domain to create subdomain under", type=str),
126 Option("--domain-critical-only",
127 help="only replicate critical domain objects",
128 action="store_true"),
129 Option("--machinepass", type=str, metavar="PASSWORD",
130 help="choose machine password (otherwise random)")
133 takes_args = ["domain", "role?"]
135 def run(self, domain, role=None, sambaopts=None, credopts=None,
136 versionopts=None, server=None, site=None, targetdir=None,
137 domain_critical_only=False, parent_domain=None, machinepass=None):
138 lp = sambaopts.get_loadparm()
139 creds = credopts.get_credentials(lp)
140 net = Net(creds, lp, server=credopts.ipaddress)
143 site = "Default-First-Site-Name"
145 netbios_name = lp.get("netbios name")
150 if role is None or role == "MEMBER":
151 (join_password, sid, domain_name) = net.join_member(domain,
153 LIBNET_JOIN_AUTOMATIC,
154 machinepass=machinepass)
156 self.outf.write("Joined domain %s (%s)\n" % (domain_name, sid))
159 join_DC(server=server, creds=creds, lp=lp, domain=domain,
160 site=site, netbios_name=netbios_name, targetdir=targetdir,
161 domain_critical_only=domain_critical_only,
162 machinepass=machinepass)
165 join_RODC(server=server, creds=creds, lp=lp, domain=domain,
166 site=site, netbios_name=netbios_name, targetdir=targetdir,
167 domain_critical_only=domain_critical_only,
168 machinepass=machinepass)
170 elif role == "SUBDOMAIN":
171 netbios_domain = lp.get("workgroup")
172 if parent_domain is None:
173 parent_domain = ".".join(domain.split(".")[1:])
174 join_subdomain(server=server, creds=creds, lp=lp, dnsdomain=domain, parent_domain=parent_domain,
175 site=site, netbios_name=netbios_name, netbios_domain=netbios_domain, targetdir=targetdir,
176 machinepass=machinepass)
179 raise CommandError("Invalid role '%s' (possible values: MEMBER, DC, RODC, SUBDOMAIN)" % role)
183 class cmd_domain_demote(Command):
184 """Demote ourselves from the role of Domain Controller"""
186 synopsis = "%prog [options]"
189 Option("--server", help="DC to force replication before demote", type=str),
190 Option("--targetdir", help="where provision is stored", type=str),
194 def run(self, sambaopts=None, credopts=None,
195 versionopts=None, server=None, targetdir=None):
196 lp = sambaopts.get_loadparm()
197 creds = credopts.get_credentials(lp)
198 net = Net(creds, lp, server=credopts.ipaddress)
200 netbios_name = lp.get("netbios name")
201 samdb = SamDB(session_info=system_session(), credentials=creds, lp=lp)
203 res = samdb.search(expression='(&(objectClass=computer)(serverReferenceBL=*))', attrs=["dnsHostName", "name"])
205 raise CommandError("Unable to search for servers")
208 raise CommandError("You are the latest server in the domain")
212 if str(e["name"]).lower() != netbios_name.lower():
213 server = e["dnsHostName"]
216 print "Using %s as partner server for the demotion" % server
217 ntds_guid = samdb.get_ntds_GUID()
218 (drsuapiBind, drsuapi_handle, supportedExtensions) = drsuapi_connect(server, lp, creds)
221 msg = samdb.search(base=str(samdb.get_config_basedn()), scope=ldb.SCOPE_SUBTREE,
222 expression="(objectGUID=%s)" % ntds_guid,
224 if len(msg) == 0 or "options" not in msg[0]:
225 raise CommandError("Failed to find options on %s" % ntds_guid)
227 dsa_options = int(str(msg[0]['options']))
230 print "Desactivating inbound replication"
235 dsa_options |= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
236 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
239 if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
241 print "Asking partner server %s to synchronize from us" % server
242 for part in (samdb.get_schema_basedn(),
243 samdb.get_config_basedn(),
244 samdb.get_root_basedn()):
246 sendDsReplicaSync(drsuapiBind, drsuapi_handle, ntds_guid, str(part), drsuapi.DRSUAPI_DRS_WRIT_REP)
247 except drsException, e:
248 print "Error while demoting, re-enabling inbound replication"
249 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
250 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
252 raise CommandError("Error while sending a DsReplicaSync for partion %s" % str(part), e)
254 remote_samdb = SamDB(url="ldap://%s" % server,
255 session_info=system_session(),
256 credentials=creds, lp=lp)
258 print "Changing userControl and container"
259 res = remote_samdb.search(base=str(remote_samdb.get_root_basedn()),
260 expression="(&(objectClass=user)(sAMAccountName=%s$))" %
261 netbios_name.upper(),
262 attrs=["userAccountControl"])
264 uac = int(str(res[0]["userAccountControl"]))
267 print "Error while demoting, re-enabling inbound replication"
268 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
269 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
271 raise CommandError("Error while changing account control", e)
274 print "Error while demoting, re-enabling inbound replication"
275 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
276 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
278 raise CommandError("Unable to find object with samaccountName = %s$"
279 " in the remote dc" % netbios_name.upper())
283 uac ^= (UF_SERVER_TRUST_ACCOUNT|UF_TRUSTED_FOR_DELEGATION)
284 uac |= UF_WORKSTATION_TRUST_ACCOUNT
289 msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
290 ldb.FLAG_MOD_REPLACE,
291 "userAccountControl")
293 remote_samdb.modify(msg)
295 print "Error while demoting, re-enabling inbound replication"
296 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
297 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
300 raise CommandError("Error while changing account control", e)
302 parent = msg.dn.parent()
304 rdn = string.replace(rdn, ",%s" % str(parent), "")
305 # Let's move to the Computer container
309 computer_dn = ldb.Dn(remote_samdb, "CN=Computers,%s" % str(remote_samdb.get_root_basedn()))
310 res = remote_samdb.search(base=computer_dn, expression=rdn, scope=ldb.SCOPE_ONELEVEL)
313 res = remote_samdb.search(base=computer_dn, expression="%s-%d" % (rdn, i),
314 scope=ldb.SCOPE_ONELEVEL)
315 while(len(res) != 0 and i < 100):
317 res = remote_samdb.search(base=computer_dn, expression="%s-%d" % (rdn, i),
318 scope=ldb.SCOPE_ONELEVEL)
321 print "Error while demoting, re-enabling inbound replication"
322 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
323 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
329 msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
330 ldb.FLAG_MOD_REPLACE,
331 "userAccountControl")
333 remote_samdb.modify(msg)
335 raise CommandError("Unable to find a slot for renaming %s,"
336 " all names from %s-1 to %s-%d seemed used" %
337 (str(dc_dn), rdn, rdn, i - 9))
339 newrdn = "%s-%d" % (rdn, i)
342 newdn = ldb.Dn(remote_samdb, "%s,%s" % (newrdn, str(computer_dn)))
343 remote_samdb.rename(dc_dn, newdn)
345 print "Error while demoting, re-enabling inbound replication"
346 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
347 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
353 msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
354 ldb.FLAG_MOD_REPLACE,
355 "userAccountControl")
357 remote_samdb.modify(msg)
358 raise CommandError("Error while renaming %s to %s" % (str(dc_dn), str(newdn)), e)
361 server_dsa_dn = samdb.get_serverName()
362 domain = remote_samdb.get_root_basedn()
365 sendRemoveDsServer(drsuapiBind, drsuapi_handle, server_dsa_dn, domain)
366 except drsException, e:
367 print "Error while demoting, re-enabling inbound replication"
368 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
369 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
375 msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
376 ldb.FLAG_MOD_REPLACE,
377 "userAccountControl")
379 remote_samdb.modify(msg)
380 remote_samdb.rename(newdn, dc_dn)
381 raise CommandError("Error while sending a removeDsServer", e)
383 for s in ("CN=Entreprise,CN=Microsoft System Volumes,CN=System,CN=Configuration",
384 "CN=%s,CN=Microsoft System Volumes,CN=System,CN=Configuration" % lp.get("realm"),
385 "CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System"):
387 remote_samdb.delete(ldb.Dn(remote_samdb,
388 "%s,%s,%s" % (str(rdn), s, str(remote_samdb.get_root_basedn()))))
389 except ldb.LdbError, l:
392 for s in ("CN=Entreprise,CN=NTFRS Subscriptions",
393 "CN=%s, CN=NTFRS Subscriptions" % lp.get("realm"),
394 "CN=Domain system Volumes (SYSVOL Share), CN=NTFRS Subscriptions",
395 "CN=NTFRS Subscriptions"):
397 remote_samdb.delete(ldb.Dn(remote_samdb,
398 "%s,%s" % (s, str(newdn))))
399 except ldb.LdbError, l:
402 print "Demote successfull"
406 class cmd_domain_level(Command):
407 """Raises domain and forest function levels"""
409 synopsis = "%prog (show|raise <options>) [options]"
412 Option("-H", "--URL", help="LDB URL for database or target server", type=str,
413 metavar="URL", dest="H"),
414 Option("--quiet", help="Be quiet", action="store_true"),
415 Option("--forest-level", type="choice", choices=["2003", "2008", "2008_R2"],
416 help="The forest function level (2003 | 2008 | 2008_R2)"),
417 Option("--domain-level", type="choice", choices=["2003", "2008", "2008_R2"],
418 help="The domain function level (2003 | 2008 | 2008_R2)")
421 takes_args = ["subcommand"]
423 def run(self, subcommand, H=None, forest_level=None, domain_level=None,
424 quiet=False, credopts=None, sambaopts=None, versionopts=None):
425 lp = sambaopts.get_loadparm()
426 creds = credopts.get_credentials(lp, fallback_machine=True)
428 samdb = SamDB(url=H, session_info=system_session(),
429 credentials=creds, lp=lp)
431 domain_dn = samdb.domain_dn()
433 res_forest = samdb.search("CN=Partitions,%s" % samdb.get_config_basedn(),
434 scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"])
435 assert len(res_forest) == 1
437 res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
438 attrs=["msDS-Behavior-Version", "nTMixedDomain"])
439 assert len(res_domain) == 1
441 res_dc_s = samdb.search("CN=Sites,%s" % samdb.get_config_basedn(),
442 scope=ldb.SCOPE_SUBTREE, expression="(objectClass=nTDSDSA)",
443 attrs=["msDS-Behavior-Version"])
444 assert len(res_dc_s) >= 1
447 level_forest = int(res_forest[0]["msDS-Behavior-Version"][0])
448 level_domain = int(res_domain[0]["msDS-Behavior-Version"][0])
449 level_domain_mixed = int(res_domain[0]["nTMixedDomain"][0])
451 min_level_dc = int(res_dc_s[0]["msDS-Behavior-Version"][0]) # Init value
453 if int(msg["msDS-Behavior-Version"][0]) < min_level_dc:
454 min_level_dc = int(msg["msDS-Behavior-Version"][0])
456 if level_forest < 0 or level_domain < 0:
457 raise CommandError("Domain and/or forest function level(s) is/are invalid. Correct them or reprovision!")
459 raise CommandError("Lowest function level of a DC is invalid. Correct this or reprovision!")
460 if level_forest > level_domain:
461 raise CommandError("Forest function level is higher than the domain level(s). Correct this or reprovision!")
462 if level_domain > min_level_dc:
463 raise CommandError("Domain function level is higher than the lowest function level of a DC. Correct this or reprovision!")
466 raise CommandError("Could not retrieve the actual domain, forest level and/or lowest DC function level!")
468 if subcommand == "show":
469 self.message("Domain and forest function level for domain '%s'" % domain_dn)
470 if level_forest == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0:
471 self.message("\nATTENTION: You run SAMBA 4 on a forest function level lower than Windows 2000 (Native). This isn't supported! Please raise!")
472 if level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0:
473 self.message("\nATTENTION: You run SAMBA 4 on a domain function level lower than Windows 2000 (Native). This isn't supported! Please raise!")
474 if min_level_dc == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0:
475 self.message("\nATTENTION: You run SAMBA 4 on a lowest function level of a DC lower than Windows 2003. This isn't supported! Please step-up or upgrade the concerning DC(s)!")
479 if level_forest == DS_DOMAIN_FUNCTION_2000:
481 elif level_forest == DS_DOMAIN_FUNCTION_2003_MIXED:
482 outstr = "2003 with mixed domains/interim (NT4 DC support)"
483 elif level_forest == DS_DOMAIN_FUNCTION_2003:
485 elif level_forest == DS_DOMAIN_FUNCTION_2008:
487 elif level_forest == DS_DOMAIN_FUNCTION_2008_R2:
490 outstr = "higher than 2008 R2"
491 self.message("Forest function level: (Windows) " + outstr)
493 if level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0:
494 outstr = "2000 mixed (NT4 DC support)"
495 elif level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed == 0:
497 elif level_domain == DS_DOMAIN_FUNCTION_2003_MIXED:
498 outstr = "2003 with mixed domains/interim (NT4 DC support)"
499 elif level_domain == DS_DOMAIN_FUNCTION_2003:
501 elif level_domain == DS_DOMAIN_FUNCTION_2008:
503 elif level_domain == DS_DOMAIN_FUNCTION_2008_R2:
506 outstr = "higher than 2008 R2"
507 self.message("Domain function level: (Windows) " + outstr)
509 if min_level_dc == DS_DOMAIN_FUNCTION_2000:
511 elif min_level_dc == DS_DOMAIN_FUNCTION_2003:
513 elif min_level_dc == DS_DOMAIN_FUNCTION_2008:
515 elif min_level_dc == DS_DOMAIN_FUNCTION_2008_R2:
518 outstr = "higher than 2008 R2"
519 self.message("Lowest function level of a DC: (Windows) " + outstr)
521 elif subcommand == "raise":
524 if domain_level is not None:
525 if domain_level == "2003":
526 new_level_domain = DS_DOMAIN_FUNCTION_2003
527 elif domain_level == "2008":
528 new_level_domain = DS_DOMAIN_FUNCTION_2008
529 elif domain_level == "2008_R2":
530 new_level_domain = DS_DOMAIN_FUNCTION_2008_R2
532 if new_level_domain <= level_domain and level_domain_mixed == 0:
533 raise CommandError("Domain function level can't be smaller than or equal to the actual one!")
535 if new_level_domain > min_level_dc:
536 raise CommandError("Domain function level can't be higher than the lowest function level of a DC!")
538 # Deactivate mixed/interim domain support
539 if level_domain_mixed != 0:
540 # Directly on the base DN
542 m.dn = ldb.Dn(samdb, domain_dn)
543 m["nTMixedDomain"] = ldb.MessageElement("0",
544 ldb.FLAG_MOD_REPLACE, "nTMixedDomain")
548 m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup") + ",CN=Partitions,%s" % ldb.get_config_basedn())
549 m["nTMixedDomain"] = ldb.MessageElement("0",
550 ldb.FLAG_MOD_REPLACE, "nTMixedDomain")
553 except ldb.LdbError, (enum, emsg):
554 if enum != ldb.ERR_UNWILLING_TO_PERFORM:
557 # Directly on the base DN
559 m.dn = ldb.Dn(samdb, domain_dn)
560 m["msDS-Behavior-Version"]= ldb.MessageElement(
561 str(new_level_domain), ldb.FLAG_MOD_REPLACE,
562 "msDS-Behavior-Version")
566 m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup")
567 + ",CN=Partitions,%s" % ldb.get_config_basedn())
568 m["msDS-Behavior-Version"]= ldb.MessageElement(
569 str(new_level_domain), ldb.FLAG_MOD_REPLACE,
570 "msDS-Behavior-Version")
573 except ldb.LdbError, (enum, emsg):
574 if enum != ldb.ERR_UNWILLING_TO_PERFORM:
577 level_domain = new_level_domain
578 msgs.append("Domain function level changed!")
580 if forest_level is not None:
581 if forest_level == "2003":
582 new_level_forest = DS_DOMAIN_FUNCTION_2003
583 elif forest_level == "2008":
584 new_level_forest = DS_DOMAIN_FUNCTION_2008
585 elif forest_level == "2008_R2":
586 new_level_forest = DS_DOMAIN_FUNCTION_2008_R2
587 if new_level_forest <= level_forest:
588 raise CommandError("Forest function level can't be smaller than or equal to the actual one!")
589 if new_level_forest > level_domain:
590 raise CommandError("Forest function level can't be higher than the domain function level(s). Please raise it/them first!")
592 m.dn = ldb.Dn(samdb, "CN=Partitions,%s" % ldb.get_config_basedn())
593 m["msDS-Behavior-Version"]= ldb.MessageElement(
594 str(new_level_forest), ldb.FLAG_MOD_REPLACE,
595 "msDS-Behavior-Version")
597 msgs.append("Forest function level changed!")
598 msgs.append("All changes applied successfully!")
599 self.message("\n".join(msgs))
601 raise CommandError("invalid argument: '%s' (choose from 'show', 'raise')" % subcommand)
605 class cmd_domain_passwordsettings(Command):
606 """Sets password settings
608 Password complexity, history length, minimum password length, the minimum
609 and maximum password age) on a Samba4 server.
612 synopsis = "%prog (show|set <options>) [options]"
615 Option("-H", "--URL", help="LDB URL for database or target server", type=str,
616 metavar="URL", dest="H"),
617 Option("--quiet", help="Be quiet", action="store_true"),
618 Option("--complexity", type="choice", choices=["on","off","default"],
619 help="The password complexity (on | off | default). Default is 'on'"),
620 Option("--store-plaintext", type="choice", choices=["on","off","default"],
621 help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
622 Option("--history-length",
623 help="The password history length (<integer> | default). Default is 24.", type=str),
624 Option("--min-pwd-length",
625 help="The minimum password length (<integer> | default). Default is 7.", type=str),
626 Option("--min-pwd-age",
627 help="The minimum password age (<integer in days> | default). Default is 1.", type=str),
628 Option("--max-pwd-age",
629 help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
632 takes_args = ["subcommand"]
634 def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None,
635 quiet=False, complexity=None, store_plaintext=None, history_length=None,
636 min_pwd_length=None, credopts=None, sambaopts=None,
638 lp = sambaopts.get_loadparm()
639 creds = credopts.get_credentials(lp)
641 samdb = SamDB(url=H, session_info=system_session(),
642 credentials=creds, lp=lp)
644 domain_dn = samdb.domain_dn()
645 res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
646 attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength",
647 "minPwdAge", "maxPwdAge"])
648 assert(len(res) == 1)
650 pwd_props = int(res[0]["pwdProperties"][0])
651 pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
652 cur_min_pwd_len = int(res[0]["minPwdLength"][0])
654 cur_min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
655 if int(res[0]["maxPwdAge"][0]) == -0x8000000000000000:
658 cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
660 raise CommandError("Could not retrieve password properties!", e)
662 if subcommand == "show":
663 self.message("Password informations for domain '%s'" % domain_dn)
665 if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
666 self.message("Password complexity: on")
668 self.message("Password complexity: off")
669 if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0:
670 self.message("Store plaintext passwords: on")
672 self.message("Store plaintext passwords: off")
673 self.message("Password history length: %d" % pwd_hist_len)
674 self.message("Minimum password length: %d" % cur_min_pwd_len)
675 self.message("Minimum password age (days): %d" % cur_min_pwd_age)
676 self.message("Maximum password age (days): %d" % cur_max_pwd_age)
677 elif subcommand == "set":
680 m.dn = ldb.Dn(samdb, domain_dn)
682 if complexity is not None:
683 if complexity == "on" or complexity == "default":
684 pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
685 msgs.append("Password complexity activated!")
686 elif complexity == "off":
687 pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
688 msgs.append("Password complexity deactivated!")
690 if store_plaintext is not None:
691 if store_plaintext == "on" or store_plaintext == "default":
692 pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT
693 msgs.append("Plaintext password storage for changed passwords activated!")
694 elif store_plaintext == "off":
695 pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT)
696 msgs.append("Plaintext password storage for changed passwords deactivated!")
698 if complexity is not None or store_plaintext is not None:
699 m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
700 ldb.FLAG_MOD_REPLACE, "pwdProperties")
702 if history_length is not None:
703 if history_length == "default":
706 pwd_hist_len = int(history_length)
708 if pwd_hist_len < 0 or pwd_hist_len > 24:
709 raise CommandError("Password history length must be in the range of 0 to 24!")
711 m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
712 ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
713 msgs.append("Password history length changed!")
715 if min_pwd_length is not None:
716 if min_pwd_length == "default":
719 min_pwd_len = int(min_pwd_length)
721 if min_pwd_len < 0 or min_pwd_len > 14:
722 raise CommandError("Minimum password length must be in the range of 0 to 14!")
724 m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
725 ldb.FLAG_MOD_REPLACE, "minPwdLength")
726 msgs.append("Minimum password length changed!")
728 if min_pwd_age is not None:
729 if min_pwd_age == "default":
732 min_pwd_age = int(min_pwd_age)
734 if min_pwd_age < 0 or min_pwd_age > 998:
735 raise CommandError("Minimum password age must be in the range of 0 to 998!")
738 min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
740 m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
741 ldb.FLAG_MOD_REPLACE, "minPwdAge")
742 msgs.append("Minimum password age changed!")
744 if max_pwd_age is not None:
745 if max_pwd_age == "default":
748 max_pwd_age = int(max_pwd_age)
750 if max_pwd_age < 0 or max_pwd_age > 999:
751 raise CommandError("Maximum password age must be in the range of 0 to 999!")
755 max_pwd_age_ticks = -0x8000000000000000
757 max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
759 m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
760 ldb.FLAG_MOD_REPLACE, "maxPwdAge")
761 msgs.append("Maximum password age changed!")
763 if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
764 raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
767 raise CommandError("You must specify at least one option to set. Try --help")
769 msgs.append("All changes applied successfully!")
770 self.message("\n".join(msgs))
772 raise CommandError("Wrong argument '%s'!" % subcommand)
775 class cmd_domain_samba3upgrade(Command):
776 """Upgrade from Samba3 database to Samba4 AD database.
778 Specify either a directory with all samba3 databases and state files (with --dbdir) or
779 samba3 testparm utility (with --testparm).
782 synopsis = "%prog [options] <samba3_smb_conf>"
784 takes_optiongroups = {
785 "sambaopts": options.SambaOptions,
786 "versionopts": options.VersionOptions
790 Option("--dbdir", type="string", metavar="DIR",
791 help="Path to samba3 database directory"),
792 Option("--testparm", type="string", metavar="PATH",
793 help="Path to samba3 testparm utility from the previous installation. This allows the default paths of the previous installation to be followed"),
794 Option("--targetdir", type="string", metavar="DIR",
795 help="Path prefix where the new Samba 4.0 AD domain should be initialised"),
796 Option("--quiet", help="Be quiet", action="store_true"),
797 Option("--verbose", help="Be verbose", action="store_true"),
798 Option("--use-xattrs", type="choice", choices=["yes","no","auto"], metavar="[yes|no|auto]",
799 help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto"),
802 takes_args = ["smbconf"]
804 def run(self, smbconf=None, targetdir=None, dbdir=None, testparm=None,
805 quiet=False, verbose=False, use_xattrs=None, sambaopts=None, versionopts=None):
807 if not os.path.exists(smbconf):
808 raise CommandError("File %s does not exist" % smbconf)
810 if testparm and not os.path.exists(testparm):
811 raise CommandError("Testparm utility %s does not exist" % testparm)
813 if dbdir and not os.path.exists(dbdir):
814 raise CommandError("Directory %s does not exist" % dbdir)
816 if not dbdir and not testparm:
817 raise CommandError("Please specify either dbdir or testparm")
819 logger = self.get_logger()
821 logger.setLevel(logging.DEBUG)
823 logger.setLevel(logging.WARNING)
825 logger.setLevel(logging.INFO)
827 if dbdir and testparm:
828 logger.warning("both dbdir and testparm specified, ignoring dbdir.")
831 lp = sambaopts.get_loadparm()
833 s3conf = s3param.get_context()
836 s3conf.set("realm", sambaopts.realm)
839 if use_xattrs == "yes":
841 elif use_xattrs == "auto" and not s3conf.get("posix:eadb"):
843 tmpfile = tempfile.NamedTemporaryFile(prefix=os.path.abspath(targetdir))
845 tmpfile = tempfile.NamedTemporaryFile(prefix=os.path.abspath(os.path.dirname(lp.get("private dir"))))
847 samba.ntacls.setntacl(lp, tmpfile.name,
848 "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
851 # FIXME: Don't catch all exceptions here
852 logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. "
853 "If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.")
856 # Set correct default values from dbdir or testparm
859 paths["state directory"] = dbdir
860 paths["private dir"] = dbdir
861 paths["lock directory"] = dbdir
863 paths["state directory"] = get_testparm_var(testparm, smbconf, "state directory")
864 paths["private dir"] = get_testparm_var(testparm, smbconf, "private dir")
865 paths["lock directory"] = get_testparm_var(testparm, smbconf, "lock directory")
866 # "testparm" from Samba 3 < 3.4.x is not aware of the parameter
867 # "state directory", instead make use of "lock directory"
868 if len(paths["state directory"]) == 0:
869 paths["state directory"] = paths["lock directory"]
872 s3conf.set(p, paths[p])
874 # load smb.conf parameters
875 logger.info("Reading smb.conf")
877 samba3 = Samba3(smbconf, s3conf)
879 logger.info("Provisioning")
880 upgrade_from_samba3(samba3, logger, targetdir, session_info=system_session(),
883 class cmd_domain(SuperCommand):
884 """Domain management"""
887 subcommands["demote"] = cmd_domain_demote()
888 subcommands["exportkeytab"] = cmd_domain_export_keytab()
889 subcommands["info"] = cmd_domain_info()
890 subcommands["join"] = cmd_domain_join()
891 subcommands["level"] = cmd_domain_level()
892 subcommands["passwordsettings"] = cmd_domain_passwordsettings()
893 subcommands["samba3upgrade"] = cmd_domain_samba3upgrade()
git.samba.org / ddiss / samba.git / blob