3 # Unix SMB/CIFS implementation.
4 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2010
5 # Copyright (C) Matthias Dieter Wallnoefer 2009
7 # Based on the original in EJS:
8 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
10 # This program is free software; you can redistribute it and/or modify
11 # it under the terms of the GNU General Public License as published by
12 # the Free Software Foundation; either version 3 of the License, or
13 # (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program. If not, see <http://www.gnu.org/licenses/>.
24 """Convenience functions for using the SAM."""
30 from samba import dsdb
31 from samba.ndr import ndr_unpack, ndr_pack
32 from samba.dcerpc import drsblobs, misc, security
34 __docformat__ = "restructuredText"
36 class SamDB(samba.Ldb):
37 """The SAM database."""
41 def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
42 credentials=None, flags=0, options=None, global_schema=True,
43 auto_connect=True, am_rodc=None):
47 elif url is None and lp is not None:
48 url = lp.get("sam database")
50 super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
51 session_info=session_info, credentials=credentials, flags=flags,
55 dsdb._dsdb_set_global_schema(self)
57 if am_rodc is not None:
58 dsdb._dsdb_set_am_rodc(self, am_rodc)
60 def connect(self, url=None, flags=0, options=None):
61 if self.lp is not None:
62 url = self.lp.private_path(url)
64 super(SamDB, self).connect(url=url, flags=flags,
68 return dsdb._am_rodc(self)
71 return str(self.get_default_basedn())
73 def enable_account(self, search_filter):
76 :param search_filter: LDAP filter to find the user (eg samccountname=name)
78 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
79 expression=search_filter, attrs=["userAccountControl"])
83 userAccountControl = int(res[0]["userAccountControl"][0])
84 if (userAccountControl & 0x2):
85 userAccountControl = userAccountControl & ~0x2 # remove disabled bit
86 if (userAccountControl & 0x20):
87 userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
92 replace: userAccountControl
93 userAccountControl: %u
94 """ % (user_dn, userAccountControl)
97 def force_password_change_at_next_login(self, search_filter):
98 """Forces a password change at next login
100 :param search_filter: LDAP filter to find the user (eg samccountname=name)
102 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
103 expression=search_filter, attrs=[])
104 assert(len(res) == 1)
113 self.modify_ldif(mod)
115 def newgroup(self, groupname, groupou=None, grouptype=None,
116 description=None, mailaddress=None, notes=None):
117 """Adds a new group with additional parameters
119 :param groupname: Name of the new group
120 :param grouptype: Type of the new group
121 :param description: Description of the new group
122 :param mailaddress: Email address of the new group
123 :param notes: Notes of the new group
126 group_dn = "CN=%s,%s,%s" % (groupname, (groupou or "CN=Users"), self.domain_dn())
128 # The new user record. Note the reliance on the SAMLDB module which
129 # fills in the default informations
130 ldbmessage = {"dn": group_dn,
131 "sAMAccountName": groupname,
132 "objectClass": "group"}
134 if grouptype is not None:
135 ldbmessage["groupType"] = "%d" % grouptype
137 if description is not None:
138 ldbmessage["description"] = description
140 if mailaddress is not None:
141 ldbmessage["mail"] = mailaddress
143 if notes is not None:
144 ldbmessage["info"] = notes
148 def deletegroup(self, groupname):
151 :param groupname: Name of the target group
154 groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (groupname, "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
155 self.transaction_start()
157 targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
158 expression=groupfilter, attrs=[])
159 if len(targetgroup) == 0:
160 raise Exception('Unable to find group "%s"' % groupname)
161 assert(len(targetgroup) == 1)
162 self.delete(targetgroup[0].dn)
164 self.transaction_cancel()
167 self.transaction_commit()
169 def add_remove_group_members(self, groupname, listofmembers,
170 add_members_operation=True):
171 """Adds or removes group members
173 :param groupname: Name of the target group
174 :param listofmembers: Comma-separated list of group members
175 :param add_members_operation: Defines if its an add or remove operation
178 groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (groupname, "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
179 groupmembers = listofmembers.split(',')
181 self.transaction_start()
183 targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
184 expression=groupfilter, attrs=['member'])
185 if len(targetgroup) == 0:
186 raise Exception('Unable to find group "%s"' % groupname)
187 assert(len(targetgroup) == 1)
191 addtargettogroup = """
194 """ % (str(targetgroup[0].dn))
196 for member in groupmembers:
197 targetmember = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
198 expression="(|(sAMAccountName=%s)(CN=%s))" % (member, member), attrs=[])
200 if len(targetmember) != 1:
203 if add_members_operation is True and (targetgroup[0].get('member') is None or str(targetmember[0].dn) not in targetgroup[0]['member']):
205 addtargettogroup += """add: member
207 """ % (str(targetmember[0].dn))
209 elif add_members_operation is False and (targetgroup[0].get('member') is not None and str(targetmember[0].dn) in targetgroup[0]['member']):
211 addtargettogroup += """delete: member
213 """ % (str(targetmember[0].dn))
216 self.modify_ldif(addtargettogroup)
219 self.transaction_cancel()
222 self.transaction_commit()
224 def newuser(self, username, password,
225 force_password_change_at_next_login_req=False,
226 useusernameascn=False, userou=None, surname=None, givenname=None, initials=None,
227 profilepath=None, scriptpath=None, homedrive=None, homedirectory=None,
228 jobtitle=None, department=None, company=None, description=None,
229 mailaddress=None, internetaddress=None, telephonenumber=None,
230 physicaldeliveryoffice=None, sd=None, setpassword=True):
231 """Adds a new user with additional parameters
233 :param username: Name of the new user
234 :param password: Password for the new user
235 :param force_password_change_at_next_login_req: Force password change
236 :param useusernameascn: Use username as cn rather that firstname + initials + lastname
237 :param userou: Object container (without domainDN postfix) for new user
238 :param surname: Surname of the new user
239 :param givenname: First name of the new user
240 :param initials: Initials of the new user
241 :param profilepath: Profile path of the new user
242 :param scriptpath: Logon script path of the new user
243 :param homedrive: Home drive of the new user
244 :param homedirectory: Home directory of the new user
245 :param jobtitle: Job title of the new user
246 :param department: Department of the new user
247 :param company: Company of the new user
248 :param description: of the new user
249 :param mailaddress: Email address of the new user
250 :param internetaddress: Home page of the new user
251 :param telephonenumber: Phone number of the new user
252 :param physicaldeliveryoffice: Office location of the new user
253 :param sd: security descriptor of the object
254 :param setpassword: optionally disable password reset
258 if givenname is not None:
259 displayname += givenname
261 if initials is not None:
262 displayname += ' %s.' % initials
264 if surname is not None:
265 displayname += ' %s' % surname
268 if useusernameascn is None and displayname is not "":
271 user_dn = "CN=%s,%s,%s" % (cn, (userou or "CN=Users"), self.domain_dn())
273 dnsdomain = ldb.Dn(self, self.domain_dn()).canonical_str().replace("/", "")
274 user_principal_name = "%s@%s" % (username, dnsdomain)
275 # The new user record. Note the reliance on the SAMLDB module which
276 # fills in the default informations
277 ldbmessage = {"dn": user_dn,
278 "sAMAccountName": username,
279 "userPrincipalName": user_principal_name,
280 "objectClass": "user"}
282 if surname is not None:
283 ldbmessage["sn"] = surname
285 if givenname is not None:
286 ldbmessage["givenName"] = givenname
288 if displayname is not "":
289 ldbmessage["displayName"] = displayname
290 ldbmessage["name"] = displayname
292 if initials is not None:
293 ldbmessage["initials"] = '%s.' % initials
295 if profilepath is not None:
296 ldbmessage["profilePath"] = profilepath
298 if scriptpath is not None:
299 ldbmessage["scriptPath"] = scriptpath
301 if homedrive is not None:
302 ldbmessage["homeDrive"] = homedrive
304 if homedirectory is not None:
305 ldbmessage["homeDirectory"] = homedirectory
307 if jobtitle is not None:
308 ldbmessage["title"] = jobtitle
310 if department is not None:
311 ldbmessage["department"] = department
313 if company is not None:
314 ldbmessage["company"] = company
316 if description is not None:
317 ldbmessage["description"] = description
319 if mailaddress is not None:
320 ldbmessage["mail"] = mailaddress
322 if internetaddress is not None:
323 ldbmessage["wWWHomePage"] = internetaddress
325 if telephonenumber is not None:
326 ldbmessage["telephoneNumber"] = telephonenumber
328 if physicaldeliveryoffice is not None:
329 ldbmessage["physicalDeliveryOfficeName"] = physicaldeliveryoffice
332 ldbmessage["nTSecurityDescriptor"] = ndr_pack(sd)
334 self.transaction_start()
338 # Sets the password for it
340 self.setpassword("(dn=" + user_dn + ")", password,
341 force_password_change_at_next_login_req)
343 self.transaction_cancel()
346 self.transaction_commit()
348 def setpassword(self, search_filter, password,
349 force_change_at_next_login=False,
351 """Sets the password for a user
353 :param search_filter: LDAP filter to find the user (eg samccountname=name)
354 :param password: Password for the user
355 :param force_change_at_next_login: Force password change
357 self.transaction_start()
359 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
360 expression=search_filter, attrs=[])
362 raise Exception('Unable to find user "%s"' % (username or search_filter))
363 assert(len(res) == 1)
371 """ % (user_dn, base64.b64encode(("\"" + password + "\"").encode('utf-16-le')))
373 self.modify_ldif(setpw)
375 if force_change_at_next_login:
376 self.force_password_change_at_next_login(
377 "(dn=" + str(user_dn) + ")")
379 # modify the userAccountControl to remove the disabled bit
380 self.enable_account(search_filter)
382 self.transaction_cancel()
385 self.transaction_commit()
387 def setexpiry(self, search_filter, expiry_seconds, no_expiry_req=False):
388 """Sets the account expiry for a user
390 :param search_filter: LDAP filter to find the user (eg samccountname=name)
391 :param expiry_seconds: expiry time from now in seconds
392 :param no_expiry_req: if set, then don't expire password
394 self.transaction_start()
396 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
397 expression=search_filter,
398 attrs=["userAccountControl", "accountExpires"])
399 assert(len(res) == 1)
402 userAccountControl = int(res[0]["userAccountControl"][0])
403 accountExpires = int(res[0]["accountExpires"][0])
405 userAccountControl = userAccountControl | 0x10000
408 userAccountControl = userAccountControl & ~0x10000
409 accountExpires = samba.unix2nttime(expiry_seconds + int(time.time()))
414 replace: userAccountControl
415 userAccountControl: %u
416 replace: accountExpires
418 """ % (user_dn, userAccountControl, accountExpires)
420 self.modify_ldif(setexp)
422 self.transaction_cancel()
425 self.transaction_commit()
427 def set_domain_sid(self, sid):
428 """Change the domain SID used by this LDB.
430 :param sid: The new domain sid to use.
432 dsdb._samdb_set_domain_sid(self, sid)
434 def get_domain_sid(self):
435 """Read the domain SID used by this LDB.
438 return dsdb._samdb_get_domain_sid(self)
440 def set_invocation_id(self, invocation_id):
441 """Set the invocation id for this SamDB handle.
443 :param invocation_id: GUID of the invocation id.
445 dsdb._dsdb_set_ntds_invocation_id(self, invocation_id)
447 def get_oid_from_attid(self, attid):
448 return dsdb._dsdb_get_oid_from_attid(self, attid)
450 def get_attid_from_lDAPDisplayName(self, ldap_display_name, is_schema_nc=False):
451 return dsdb._dsdb_get_attid_from_lDAPDisplayName(self, ldap_display_name, is_schema_nc)
453 def get_invocation_id(self):
454 "Get the invocation_id id"
455 return dsdb._samdb_ntds_invocation_id(self)
457 def set_ntds_settings_dn(self, ntds_settings_dn):
458 """Set the NTDS Settings DN, as would be returned on the dsServiceName rootDSE attribute
460 This allows the DN to be set before the database fully exists
462 :param ntds_settings_dn: The new DN to use
464 dsdb._samdb_set_ntds_settings_dn(self, ntds_settings_dn)
466 invocation_id = property(get_invocation_id, set_invocation_id)
468 domain_sid = property(get_domain_sid, set_domain_sid)
470 def get_ntds_GUID(self):
471 "Get the NTDS objectGUID"
472 return dsdb._samdb_ntds_objectGUID(self)
474 def server_site_name(self):
475 "Get the server site name"
476 return dsdb._samdb_server_site_name(self)
478 def load_partition_usn(self, base_dn):
479 return dsdb._dsdb_load_partition_usn(self, base_dn)
481 def set_schema(self, schema):
482 self.set_schema_from_ldb(schema.ldb)
484 def set_schema_from_ldb(self, ldb_conn):
485 dsdb._dsdb_set_schema_from_ldb(self, ldb_conn)
487 def dsdb_DsReplicaAttribute(self, ldb, ldap_display_name, ldif_elements):
488 return dsdb._dsdb_DsReplicaAttribute(ldb, ldap_display_name, ldif_elements)
490 def get_attribute_from_attid(self, attid):
491 """ Get from an attid the associated attribute
493 :param attid: The attribute id for searched attribute
494 :return: The name of the attribute associated with this id
496 if len(self.hash_oid_name.keys()) == 0:
497 self._populate_oid_attid()
498 if self.hash_oid_name.has_key(self.get_oid_from_attid(attid)):
499 return self.hash_oid_name[self.get_oid_from_attid(attid)]
504 def _populate_oid_attid(self):
505 """Populate the hash hash_oid_name
507 This hash contains the oid of the attribute as a key and
508 its display name as a value
510 self.hash_oid_name = {}
511 res = self.search(expression="objectClass=attributeSchema",
512 controls=["search_options:1:2"],
513 attrs=["attributeID",
517 strDisplay = str(e.get("lDAPDisplayName"))
518 self.hash_oid_name[str(e.get("attributeID"))] = strDisplay
521 def get_attribute_replmetadata_version(self, dn, att):
522 """ Get the version field trom the replPropertyMetaData for
525 :param dn: The on which we want to get the version
526 :param att: The name of the attribute
527 :return: The value of the version field in the replPropertyMetaData
528 for the given attribute. None if the attribute is not replicated
531 res = self.search(expression="dn=%s" % dn,
532 scope=ldb.SCOPE_SUBTREE,
533 controls=["search_options:1:2"],
534 attrs=["replPropertyMetaData"])
538 repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
539 str(res[0]["replPropertyMetaData"]))
541 if len(self.hash_oid_name.keys()) == 0:
542 self._populate_oid_attid()
544 # Search for Description
545 att_oid = self.get_oid_from_attid(o.attid)
546 if self.hash_oid_name.has_key(att_oid) and\
547 att.lower() == self.hash_oid_name[att_oid].lower():
552 def set_attribute_replmetadata_version(self, dn, att, value, addifnotexist=False):
553 res = self.search(expression="dn=%s" % dn,
554 scope=ldb.SCOPE_SUBTREE,
555 controls=["search_options:1:2"],
556 attrs=["replPropertyMetaData"])
560 repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
561 str(res[0]["replPropertyMetaData"]))
563 now = samba.unix2nttime(int(time.time()))
565 if len(self.hash_oid_name.keys()) == 0:
566 self._populate_oid_attid()
568 # Search for Description
569 att_oid = self.get_oid_from_attid(o.attid)
570 if self.hash_oid_name.has_key(att_oid) and\
571 att.lower() == self.hash_oid_name[att_oid].lower():
573 seq = self.sequence_number(ldb.SEQ_NEXT)
575 o.originating_change_time = now
576 o.originating_invocation_id = misc.GUID(self.get_invocation_id())
577 o.originating_usn = seq
580 if not found and addifnotexist and len(ctr.array) >0:
581 o2 = drsblobs.replPropertyMetaData1()
583 att_oid = self.get_oid_from_attid(o2.attid)
584 seq = self.sequence_number(ldb.SEQ_NEXT)
586 o2.originating_change_time = now
587 o2.originating_invocation_id = misc.GUID(self.get_invocation_id())
588 o2.originating_usn = seq
593 ctr.count = ctr.count + 1
597 replBlob = ndr_pack(repl)
600 msg["replPropertyMetaData"] = ldb.MessageElement(replBlob,
601 ldb.FLAG_MOD_REPLACE,
602 "replPropertyMetaData")
603 self.modify(msg, ["local_oid:1.3.6.1.4.1.7165.4.3.14:0"])
606 def write_prefixes_from_schema(self):
607 dsdb._dsdb_write_prefixes_from_schema_to_ldb(self)
609 def get_partitions_dn(self):
610 return dsdb._dsdb_get_partitions_dn(self)
612 def set_minPwdAge(self, value):
614 m.dn = ldb.Dn(self, self.domain_dn())
615 m["minPwdAge"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "minPwdAge")
618 def get_minPwdAge(self):
619 res = self.search(self.domain_dn(), scope=ldb.SCOPE_BASE, attrs=["minPwdAge"])
622 elif not "minPwdAge" in res[0]:
625 return res[0]["minPwdAge"][0]
627 def set_dsheuristics(self, dsheuristics):
629 m.dn = ldb.Dn(self, "CN=Directory Service,CN=Windows NT,CN=Services,%s"
630 % self.get_config_basedn().get_linearized())
631 if dsheuristics is not None:
632 m["dSHeuristics"] = ldb.MessageElement(dsheuristics, ldb.FLAG_MOD_REPLACE,
635 m["dSHeuristics"] = ldb.MessageElement([], ldb.FLAG_MOD_DELETE, "dSHeuristics")
638 def get_dsheuristics(self):
639 res = self.search("CN=Directory Service,CN=Windows NT,CN=Services,%s"
640 % self.get_config_basedn().get_linearized(),
641 scope=ldb.SCOPE_BASE, attrs=["dSHeuristics"])
644 elif "dSHeuristics" in res[0]:
645 dsheuristics = res[0]["dSHeuristics"][0]
651 def create_ou(self, ou_dn, description=None, name=None, sd=None):
652 """Creates an organizationalUnit object
653 :param ou_dn: dn of the new object
654 :param description: description attribute
655 :param name: name atttribute
656 :param sd: security descriptor of the object, can be
657 an SDDL string or security.descriptor type
660 m.dn = ldb.Dn(self, ou_dn)
661 m["ou"] = ou_dn.split(",")[0][3:]
662 m["objectClass"] = "organizationalUnit"
665 m["description"] = description
667 m["description"] = name
670 assert(isinstance(sd, str) or isinstance(sd, security.descriptor))
671 if isinstance(sd, str):
672 sid = security.dom_sid(self.get_domain_sid())
673 tmp_desc = security.descriptor.from_sddl(sd, sid)
674 m["nTSecurityDescriptor"] = ndr_pack(tmp_desc)
675 elif isinstance(sd, security.descriptor):
676 m["nTSecurityDescriptor"] = ndr_pack(sd)