3 # Unix SMB/CIFS implementation.
4 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2010
5 # Copyright (C) Matthias Dieter Wallnoefer 2009
7 # Based on the original in EJS:
8 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
10 # This program is free software; you can redistribute it and/or modify
11 # it under the terms of the GNU General Public License as published by
12 # the Free Software Foundation; either version 3 of the License, or
13 # (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program. If not, see <http://www.gnu.org/licenses/>.
24 """Convenience functions for using the SAM."""
31 from samba.ndr import ndr_unpack, ndr_pack
32 from samba.dcerpc import drsblobs, misc
34 __docformat__ = "restructuredText"
36 class SamDB(samba.Ldb):
37 """The SAM database."""
41 def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
42 credentials=None, flags=0, options=None, global_schema=True,
43 auto_connect=True, am_rodc=None):
47 elif url is None and lp is not None:
48 url = lp.get("sam database")
50 super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
51 session_info=session_info, credentials=credentials, flags=flags,
55 dsdb._dsdb_set_global_schema(self)
57 if am_rodc is not None:
58 dsdb._dsdb_set_am_rodc(self, am_rodc)
60 def connect(self, url=None, flags=0, options=None):
61 if self.lp is not None:
62 url = self.lp.private_path(url)
64 super(SamDB, self).connect(url=url, flags=flags,
68 return dsdb._am_rodc(self)
71 # find the DNs for the domain
72 res = self.search(base="",
74 expression="(defaultNamingContext=*)",
75 attrs=["defaultNamingContext"])
76 assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
77 return res[0]["defaultNamingContext"][0]
79 def enable_account(self, filter):
82 :param filter: LDAP filter to find the user (eg samccountname=name)
84 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
85 expression=filter, attrs=["userAccountControl"])
89 userAccountControl = int(res[0]["userAccountControl"][0])
90 if (userAccountControl & 0x2):
91 userAccountControl = userAccountControl & ~0x2 # remove disabled bit
92 if (userAccountControl & 0x20):
93 userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
98 replace: userAccountControl
99 userAccountControl: %u
100 """ % (user_dn, userAccountControl)
101 self.modify_ldif(mod)
103 def force_password_change_at_next_login(self, filter):
104 """Forces a password change at next login
106 :param filter: LDAP filter to find the user (eg samccountname=name)
108 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
109 expression=filter, attrs=[])
110 assert(len(res) == 1)
119 self.modify_ldif(mod)
121 def newgroup(self, groupname, groupou=None, grouptype=None,
122 description=None, mailaddress=None, notes=None):
123 """Adds a new group with additional parameters
125 :param groupname: Name of the new group
126 :param grouptype: Type of the new group
127 :param description: Description of the new group
128 :param mailaddress: Email address of the new group
129 :param notes: Notes of the new group
132 group_dn = "CN=%s,%s,%s" % (groupname, (groupou or "CN=Users"), self.domain_dn())
134 # The new user record. Note the reliance on the SAMLDB module which
135 # fills in the default informations
136 ldbmessage = {"dn": group_dn,
137 "sAMAccountName": groupname,
138 "objectClass": "group"}
140 if grouptype is not None:
141 ldbmessage["groupType"] = "%d" % grouptype
143 if description is not None:
144 ldbmessage["description"] = description
146 if mailaddress is not None:
147 ldbmessage["mail"] = mailaddress
149 if notes is not None:
150 ldbmessage["info"] = notes
154 def deletegroup(self, groupname):
157 :param groupname: Name of the target group
160 groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (groupname, "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
161 self.transaction_start()
163 targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
164 expression=groupfilter, attrs=[])
165 if len(targetgroup) == 0:
166 raise Exception('Unable to find group "%s"' % groupname)
167 assert(len(targetgroup) == 1)
168 self.delete(targetgroup[0].dn)
170 self.transaction_cancel()
173 self.transaction_commit()
175 def add_remove_group_members(self, groupname, listofmembers,
176 add_members_operation=True):
177 """Adds or removes group members
179 :param groupname: Name of the target group
180 :param listofmembers: Comma-separated list of group members
181 :param add_members_operation: Defines if its an add or remove operation
184 groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (groupname, "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
185 groupmembers = listofmembers.split(',')
187 self.transaction_start()
189 targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
190 expression=groupfilter, attrs=['member'])
191 if len(targetgroup) == 0:
192 raise Exception('Unable to find group "%s"' % groupname)
193 assert(len(targetgroup) == 1)
197 addtargettogroup = """
200 """ % (str(targetgroup[0].dn))
202 for member in groupmembers:
203 targetmember = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
204 expression="(|(sAMAccountName=%s)(CN=%s))" % (member, member), attrs=[])
206 if len(targetmember) != 1:
209 if add_members_operation is True and (targetgroup[0].get('member') is None or str(targetmember[0].dn) not in targetgroup[0]['member']):
211 addtargettogroup += """add: member
213 """ % (str(targetmember[0].dn))
215 elif add_members_operation is False and (targetgroup[0].get('member') is not None and str(targetmember[0].dn) in targetgroup[0]['member']):
217 addtargettogroup += """delete: member
219 """ % (str(targetmember[0].dn))
222 self.modify_ldif(addtargettogroup)
225 self.transaction_cancel()
228 self.transaction_commit()
230 def newuser(self, username, password,
231 force_password_change_at_next_login_req=False,
232 useusernameascn=False, userou=None, surname=None, givenname=None, initials=None,
233 profilepath=None, scriptpath=None, homedrive=None, homedirectory=None,
234 jobtitle=None, department=None, company=None, description=None,
235 mailaddress=None, internetaddress=None, telephonenumber=None,
236 physicaldeliveryoffice=None):
237 """Adds a new user with additional parameters
239 :param username: Name of the new user
240 :param password: Password for the new user
241 :param force_password_change_at_next_login_req: Force password change
242 :param useusernameascn: Use username as cn rather that firstname + initials + lastname
243 :param userou: Object container (without domainDN postfix) for new user
244 :param surname: Surname of the new user
245 :param givenname: First name of the new user
246 :param initials: Initials of the new user
247 :param profilepath: Profile path of the new user
248 :param scriptpath: Logon script path of the new user
249 :param homedrive: Home drive of the new user
250 :param homedirectory: Home directory of the new user
251 :param jobtitle: Job title of the new user
252 :param department: Department of the new user
253 :param company: Company of the new user
254 :param description: of the new user
255 :param mailaddress: Email address of the new user
256 :param internetaddress: Home page of the new user
257 :param telephonenumber: Phone number of the new user
258 :param physicaldeliveryoffice: Office location of the new user
262 if givenname is not None:
263 displayname += givenname
265 if initials is not None:
266 displayname += ' %s.' % initials
268 if surname is not None:
269 displayname += ' %s' % surname
272 if useusernameascn is None and displayname is not "":
275 user_dn = "CN=%s,%s,%s" % (cn, (userou or "CN=Users"), self.domain_dn())
277 # The new user record. Note the reliance on the SAMLDB module which
278 # fills in the default informations
279 ldbmessage = {"dn": user_dn,
280 "sAMAccountName": username,
281 "objectClass": "user"}
283 if surname is not None:
284 ldbmessage["sn"] = surname
286 if givenname is not None:
287 ldbmessage["givenName"] = givenname
289 if displayname is not "":
290 ldbmessage["displayName"] = displayname
291 ldbmessage["name"] = displayname
293 if initials is not None:
294 ldbmessage["initials"] = '%s.' % initials
296 if profilepath is not None:
297 ldbmessage["profilePath"] = profilepath
299 if scriptpath is not None:
300 ldbmessage["scriptPath"] = scriptpath
302 if homedrive is not None:
303 ldbmessage["homeDrive"] = homedrive
305 if homedirectory is not None:
306 ldbmessage["homeDirectory"] = homedirectory
308 if jobtitle is not None:
309 ldbmessage["title"] = jobtitle
311 if department is not None:
312 ldbmessage["department"] = department
314 if company is not None:
315 ldbmessage["company"] = company
317 if description is not None:
318 ldbmessage["description"] = description
320 if mailaddress is not None:
321 ldbmessage["mail"] = mailaddress
323 if internetaddress is not None:
324 ldbmessage["wWWHomePage"] = internetaddress
326 if telephonenumber is not None:
327 ldbmessage["telephoneNumber"] = telephonenumber
329 if physicaldeliveryoffice is not None:
330 ldbmessage["physicalDeliveryOfficeName"] = physicaldeliveryoffice
332 self.transaction_start()
336 # Sets the password for it
337 self.setpassword("(dn=" + user_dn + ")", password,
338 force_password_change_at_next_login_req)
340 self.transaction_cancel()
343 self.transaction_commit()
345 def setpassword(self, filter, password,
346 force_change_at_next_login=False,
348 """Sets the password for a user
350 :param filter: LDAP filter to find the user (eg samccountname=name)
351 :param password: Password for the user
352 :param force_change_at_next_login: Force password change
354 self.transaction_start()
356 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
357 expression=filter, attrs=[])
359 raise Exception('Unable to find user "%s"' % (username or filter))
360 assert(len(res) == 1)
368 """ % (user_dn, base64.b64encode(("\"" + password + "\"").encode('utf-16-le')))
370 self.modify_ldif(setpw)
372 if force_change_at_next_login:
373 self.force_password_change_at_next_login(
374 "(dn=" + str(user_dn) + ")")
376 # modify the userAccountControl to remove the disabled bit
377 self.enable_account(filter)
379 self.transaction_cancel()
382 self.transaction_commit()
384 def setexpiry(self, filter, expiry_seconds, no_expiry_req=False):
385 """Sets the account expiry for a user
387 :param filter: LDAP filter to find the user (eg samccountname=name)
388 :param expiry_seconds: expiry time from now in seconds
389 :param no_expiry_req: if set, then don't expire password
391 self.transaction_start()
393 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
395 attrs=["userAccountControl", "accountExpires"])
396 assert(len(res) == 1)
399 userAccountControl = int(res[0]["userAccountControl"][0])
400 accountExpires = int(res[0]["accountExpires"][0])
402 userAccountControl = userAccountControl | 0x10000
405 userAccountControl = userAccountControl & ~0x10000
406 accountExpires = samba.unix2nttime(expiry_seconds + int(time.time()))
411 replace: userAccountControl
412 userAccountControl: %u
413 replace: accountExpires
415 """ % (user_dn, userAccountControl, accountExpires)
417 self.modify_ldif(setexp)
419 self.transaction_cancel()
422 self.transaction_commit()
424 def set_domain_sid(self, sid):
425 """Change the domain SID used by this LDB.
427 :param sid: The new domain sid to use.
429 dsdb._samdb_set_domain_sid(self, sid)
431 def get_domain_sid(self):
432 """Read the domain SID used by this LDB.
435 return dsdb._samdb_get_domain_sid(self)
437 def set_invocation_id(self, invocation_id):
438 """Set the invocation id for this SamDB handle.
440 :param invocation_id: GUID of the invocation id.
442 dsdb._dsdb_set_ntds_invocation_id(self, invocation_id)
444 def get_oid_from_attid(self, attid):
445 return dsdb._dsdb_get_oid_from_attid(self, attid)
447 def get_attid_from_lDAPDisplayName(self, ldap_display_name, is_schema_nc=False):
448 return dsdb._dsdb_get_attid_from_lDAPDisplayName(self, ldap_display_name, is_schema_nc)
450 def get_invocation_id(self):
451 "Get the invocation_id id"
452 return dsdb._samdb_ntds_invocation_id(self)
454 def set_ntds_settings_dn(self, ntds_settings_dn):
455 """Set the NTDS Settings DN, as would be returned on the dsServiceName rootDSE attribute
457 This allows the DN to be set before the database fully exists
459 :param ntds_settings_dn: The new DN to use
461 dsdb._samdb_set_ntds_settings_dn(self, ntds_settings_dn)
463 invocation_id = property(get_invocation_id, set_invocation_id)
465 domain_sid = property(get_domain_sid, set_domain_sid)
467 def get_ntds_GUID(self):
468 "Get the NTDS objectGUID"
469 return dsdb._samdb_ntds_objectGUID(self)
471 def server_site_name(self):
472 "Get the server site name"
473 return dsdb._samdb_server_site_name(self)
475 def load_partition_usn(self, base_dn):
476 return dsdb._dsdb_load_partition_usn(self, base_dn)
478 def set_schema(self, schema):
479 self.set_schema_from_ldb(schema.ldb)
481 def set_schema_from_ldb(self, ldb):
482 dsdb._dsdb_set_schema_from_ldb(self, ldb)
484 def get_attribute_from_attid(self, attid):
485 """ Get from an attid the associated attribute
487 :param attid: The attribute id for searched attribute
488 :return: The name of the attribute associated with this id
490 if len(self.hash_oid_name.keys()) == 0:
491 self._populate_oid_attid()
492 if self.hash_oid_name.has_key(self.get_oid_from_attid(attid)):
493 return self.hash_oid_name[self.get_oid_from_attid(attid)]
498 def _populate_oid_attid(self):
499 """Populate the hash hash_oid_name
501 This hash contains the oid of the attribute as a key and
502 its display name as a value
504 self.hash_oid_name = {}
505 res = self.search(expression="objectClass=attributeSchema",
506 controls=["search_options:1:2"],
507 attrs=["attributeID",
511 strDisplay = str(e.get("lDAPDisplayName"))
512 self.hash_oid_name[str(e.get("attributeID"))] = strDisplay
515 def get_attribute_replmetadata_version(self, dn, att):
516 """ Get the version field trom the replPropertyMetaData for
519 :param dn: The on which we want to get the version
520 :param att: The name of the attribute
521 :return: The value of the version field in the replPropertyMetaData
522 for the given attribute. None if the attribute is not replicated
525 res = self.search(expression="dn=%s" % dn,
526 scope=ldb.SCOPE_SUBTREE,
527 controls=["search_options:1:2"],
528 attrs=["replPropertyMetaData"])
532 repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
533 str(res[0]["replPropertyMetaData"]))
535 if len(self.hash_oid_name.keys()) == 0:
536 self._populate_oid_attid()
538 # Search for Description
539 att_oid = self.get_oid_from_attid(o.attid)
540 if self.hash_oid_name.has_key(att_oid) and\
541 att.lower() == self.hash_oid_name[att_oid].lower():
546 def set_attribute_replmetadata_version(self, dn, att, value, addifnotexist=False):
547 res = self.search(expression="dn=%s" % dn,
548 scope=ldb.SCOPE_SUBTREE,
549 controls=["search_options:1:2"],
550 attrs=["replPropertyMetaData"])
554 repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
555 str(res[0]["replPropertyMetaData"]))
557 now = samba.unix2nttime(int(time.time()))
559 if len(self.hash_oid_name.keys()) == 0:
560 self._populate_oid_attid()
562 # Search for Description
563 att_oid = self.get_oid_from_attid(o.attid)
564 if self.hash_oid_name.has_key(att_oid) and\
565 att.lower() == self.hash_oid_name[att_oid].lower():
567 seq = self.sequence_number(ldb.SEQ_NEXT)
569 o.originating_change_time = now
570 o.originating_invocation_id = misc.GUID(self.get_invocation_id())
571 o.originating_usn = seq
574 if not found and addifnotexist and len(ctr.array) >0:
575 o2 = drsblobs.replPropertyMetaData1()
577 att_oid = self.get_oid_from_attid(o2.attid)
578 seq = self.sequence_number(ldb.SEQ_NEXT)
580 o2.originating_change_time = now
581 o2.originating_invocation_id = misc.GUID(self.get_invocation_id())
582 o2.originating_usn = seq
587 ctr.count = ctr.count + 1
591 replBlob = ndr_pack(repl)
594 msg["replPropertyMetaData"] = ldb.MessageElement(replBlob,
595 ldb.FLAG_MOD_REPLACE,
596 "replPropertyMetaData")
597 self.modify(msg, ["local_oid:1.3.6.1.4.1.7165.4.3.14:0"])
600 def write_prefixes_from_schema(self):
601 dsdb._dsdb_write_prefixes_from_schema_to_ldb(self)
603 def get_partitions_dn(self):
604 return dsdb._dsdb_get_partitions_dn(self)