The branch, master has been updated
       via  3452b0d2cec netcmd: user: readpasswords: move syncpasswords command to readpasswords
       via  1929cca223d netcmd: user: readpasswords: move getpassword command to readpasswords
       via  24c567610ab netcmd: user: readpasswords: move common.py to readpasswords
       via  6319df10b7b netcmd: user: readpasswords: move show command to readpasswords
       via  fab69e47ef8 netcmd: user: readpasswords: turn getpassword.py into readpasswords module
       via  10aa17a4039 netcmd: user: move user sensitive command
       via  8c4a6e55495 netcmd: user: move user add_unix_attrs command
       via  95f6abebeab netcmd: user: move user unlock command
       via  44a974e1edc netcmd: user: move user rename command
       via  41492dadcc1 netcmd: user: move user move command
       via  4a34b6813dc netcmd: user: move user show command
       via  d08f726065f netcmd: user: move user edit command
       via  b51456836d2 netcmd: user: move user getpassword and syncpasswords commands
       via  65fc1472053 netcmd: user: move user setpassword command
       via  a6e1b5694f1 netcmd: user: move user setprimarygroup command
       via  f20b5f6052f netcmd: user: move user getgroups command
       via  9b47a424337 netcmd: user: move user password command
       via  84c13a8696b netcmd: user: move common code used by various password commands
       via  c621183c652 netcmd: user: move user setexpiry command
       via  69536ff70f2 netcmd: user: move user list command
       via  0385e4a97e9 netcmd: user: move user disable command
       via  970c2bcb8e7 netcmd: user: move user enable command
       via  e85070b01d9 netcmd: user: move user delete command
       via  87aae028900 netcmd: user: move user add command
       via  5949adab16b netcmd: user: turn user.py into module netcmd.user
      from  85c8222bdb7 s4:kdc: Fix code spelling

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3452b0d2cec399f7a512877efb02c3e262e2940e
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Aug 1 13:28:33 2023 +1200

    netcmd: user: readpasswords: move syncpasswords command to readpasswords

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Fri Aug 4 05:27:53 UTC 2023 on atb-devel-224

commit 1929cca223dc1521458d5c0029de15d5487f2560
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Aug 1 13:25:54 2023 +1200

    netcmd: user: readpasswords: move getpassword command to readpasswords

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 24c567610abdb65cdd645ab82e590142636f9dcf
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Aug 1 13:19:51 2023 +1200

    netcmd: user: readpasswords: move common.py to readpasswords

    it only contains code relating to the getpassword module

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6319df10b7bcc810d83491ced9a11e0fdbe7db0b
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Aug 1 13:09:06 2023 +1200

    netcmd: user: readpasswords: move show command to readpasswords

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fab69e47ef899a86d5cb65fb4a8578fcc4f63c3e
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Aug 1 13:05:28 2023 +1200

    netcmd: user: readpasswords: turn getpassword.py into readpasswords module

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 10aa17a40394cca55941f0eada4967f01bbd7644
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 17:30:14 2023 +1200

    netcmd: user: move user sensitive command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8c4a6e55495d1647a4d2a1f84a9104679f81f4d1
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 17:28:10 2023 +1200

    netcmd: user: move user add_unix_attrs command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 95f6abebeab06d4490930359997d8f8f04ece05f
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 17:26:06 2023 +1200

    netcmd: user: move user unlock command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 44a974e1edc1f02a70d8b4e0cf7854d8dea3e26d
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 17:22:55 2023 +1200

    netcmd: user: move user rename command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 41492dadcc1f727f2ab530a86e8312ccfd880111
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 17:19:34 2023 +1200

    netcmd: user: move user move command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4a34b6813dcfa320fa5392b3db7340d75e21485d
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 17:18:04 2023 +1200

    netcmd: user: move user show command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d08f726065f6b758f1bee68ee9cb972ad0cd7ac9
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 17:09:23 2023 +1200

    netcmd: user: move user edit command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b51456836d29479ce937d86500015603ff5ded68
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 17:03:57 2023 +1200

    netcmd: user: move user getpassword and syncpasswords commands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 65fc14720537b5b13744cfadf361066d2f5540d0
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 16:39:04 2023 +1200

    netcmd: user: move user setpassword command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a6e1b5694f152648c66238e55c064e8da7846431
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 16:35:38 2023 +1200

    netcmd: user: move user setprimarygroup command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f20b5f6052fbea72ea1903f3321370c92433ccba
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 16:33:17 2023 +1200

    netcmd: user: move user getgroups command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9b47a4243378369ee75102b536df60d4d087dcd8
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 16:31:01 2023 +1200

    netcmd: user: move user password command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 84c13a8696b0eab06c99eaec25aa4da8dbb7ff1d
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 16:17:55 2023 +1200

    netcmd: user: move common code used by various password commands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c621183c652c2ce4cff9d2d2113df46546452c50
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 13:25:34 2023 +1200

    netcmd: user: move user setexpiry command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 69536ff70f222e67842f5c72aecb224df72e2464
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 13:08:57 2023 +1200

    netcmd: user: move user list command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0385e4a97e9abc20bfd425ce36c086f0547996de
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 13:04:54 2023 +1200

    netcmd: user: move user disable command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 970c2bcb8e768fafd7bb342171b7b778bcade89f
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 12:56:25 2023 +1200

    netcmd: user: move user enable command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e85070b01d9301c072d4afd5fbea09be3a13645b
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 12:51:40 2023 +1200

    netcmd: user: move user delete command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 87aae028900dc3aa3946582b32d9df8240bb681b
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 12:41:34 2023 +1200

    netcmd: user: move user add command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5949adab16b7cbbc561195b98013fceee39ea231
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jul 27 12:14:26 2023 +1200

    netcmd: user: turn user.py into module netcmd.user

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/user.py                        | 3676 --------------------
 python/samba/netcmd/user/__init__.py               |   65 +
 python/samba/netcmd/user/add.py                    |  209 ++
 python/samba/netcmd/user/add_unix_attrs.py         |  244 ++
 python/samba/netcmd/user/delete.py                 |   87 +
 python/samba/netcmd/user/disable.py                |   64 +
 python/samba/netcmd/user/edit.py                   |  137 +
 python/samba/netcmd/user/enable.py                 |   94 +
 python/samba/netcmd/user/getgroups.py              |  120 +
 python/samba/netcmd/user/list.py                   |  108 +
 python/samba/netcmd/user/move.py                   |  106 +
 python/samba/netcmd/user/password.py               |   73 +
 .../user/readpasswords}/__init__.py                |   11 +-
 python/samba/netcmd/user/readpasswords/common.py   |  865 +++++
 .../samba/netcmd/user/readpasswords/getpassword.py |  202 ++
 python/samba/netcmd/user/readpasswords/show.py     |  144 +
 .../netcmd/user/readpasswords/syncpasswords.py     |  880 +++++
 python/samba/netcmd/user/rename.py                 |  249 ++
 python/samba/netcmd/user/sensitive.py              |   83 +
 python/samba/netcmd/user/setexpiry.py              |  101 +
 python/samba/netcmd/user/setpassword.py            |  161 +
 python/samba/netcmd/user/setprimarygroup.py        |  138 +
 python/samba/netcmd/user/unlock.py                 |   99 +
 23 files changed, 4238 insertions(+), 3678 deletions(-)
 delete mode 100644 python/samba/netcmd/user.py
 create mode 100644 python/samba/netcmd/user/__init__.py
 create mode 100644 python/samba/netcmd/user/add.py
 create mode 100644 python/samba/netcmd/user/add_unix_attrs.py
 create mode 100644 python/samba/netcmd/user/delete.py
 create mode 100644 python/samba/netcmd/user/disable.py
 create mode 100644 python/samba/netcmd/user/edit.py
 create mode 100644 python/samba/netcmd/user/enable.py
 create mode 100644 python/samba/netcmd/user/getgroups.py
 create mode 100644 python/samba/netcmd/user/list.py
 create mode 100644 python/samba/netcmd/user/move.py
create mode 100644 python/samba/netcmd/user/password.py copy python/samba/{tests/emulate => netcmd/user/readpasswords}/__init__.py (68%) create mode 100644 python/samba/netcmd/user/readpasswords/common.py create mode 100644 python/samba/netcmd/user/readpasswords/getpassword.py create mode 100644 python/samba/netcmd/user/readpasswords/show.py create mode 100644 python/samba/netcmd/user/readpasswords/syncpasswords.py create mode 100644 python/samba/netcmd/user/rename.py create mode 100644 python/samba/netcmd/user/sensitive.py create mode 100644 python/samba/netcmd/user/setexpiry.py create mode 100644 python/samba/netcmd/user/setpassword.py create mode 100644 python/samba/netcmd/user/setprimarygroup.py create mode 100644 python/samba/netcmd/user/unlock.py Changeset truncated at 500 lines: diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py deleted file mode 100644 index c292def0985..00000000000 --- a/python/samba/netcmd/user.py +++ /dev/null 
@@ -1,3676 +0,0 @@ -# user management -# -# Copyright Jelmer Vernooij 2010 <jel...@samba.org> -# Copyright Theresa Halloran 2011 <theresahallo...@gmail.com> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# - -import builtins -import samba.getopt as options -import ldb -import pwd -import os -import io -import fcntl -import signal -import errno -import time -import base64 -import binascii -from subprocess import Popen, PIPE, STDOUT, check_call, CalledProcessError -from getpass import getpass -from samba.auth import system_session -from samba.samdb import SamDB, SamDBError -from samba.dcerpc import misc -from samba.dcerpc import security -from samba.dcerpc import drsblobs -from samba.ndr import ndr_unpack -from samba import ( - credentials, - dsdb, - gensec, - generate_random_password, - Ldb, - nttime2float, -) -from samba.net import Net - -from samba.netcmd import ( - Command, - CommandError, - SuperCommand, - Option, -) -from samba.common import get_bytes -from samba.common import get_string -from . import common - -# python[3]-gpgme is abandoned since ubuntu 1804 and debian 9 -# have to use python[3]-gpg instead -# The API is different, need to adapt. - -def _gpgme_decrypt(encrypted_bytes): - """ - Use python[3]-gpgme to decrypt GPG. 
- """ - ctx = gpgme.Context() - ctx.armor = True # use ASCII-armored - out = io.BytesIO() - ctx.decrypt(io.BytesIO(encrypted_bytes), out) - return out.getvalue() - - -def _gpg_decrypt(encrypted_bytes): - """ - Use python[3]-gpg to decrypt GPG. - """ - ciphertext = gpg.Data(string=encrypted_bytes) - ctx = gpg.Context(armor=True) - # plaintext, result, verify_result - plaintext, _, _ = ctx.decrypt(ciphertext) - return plaintext - - -gpg_decrypt = None - -if not gpg_decrypt: - try: - import gpgme - gpg_decrypt = _gpgme_decrypt - except ImportError: - pass - -if not gpg_decrypt: - try: - import gpg - gpg_decrypt = _gpg_decrypt - except ImportError: - pass - -if gpg_decrypt: - decrypt_samba_gpg_help = ("Decrypt the SambaGPG password as " - "cleartext source") -else: - decrypt_samba_gpg_help = ("Decrypt the SambaGPG password not supported, " - "python[3]-gpgme or python[3]-gpg required") - - -disabled_virtual_attributes = { -} - -virtual_attributes = { - "virtualClearTextUTF8": { - "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF, - }, - "virtualClearTextUTF16": { - "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF, - }, - "virtualSambaGPG": { - "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF, - }, -} - - -def get_crypt_value(alg, utf8pw, rounds=0): - algs = { - "5": {"length": 43}, - "6": {"length": 86}, - } - assert alg in algs - salt = os.urandom(16) - # The salt needs to be in [A-Za-z0-9./] - # base64 is close enough and as we had 16 - # random bytes but only need 16 characters - # we can ignore the possible == at the end - # of the base64 string - # we just need to replace '+' by '.' 
- b64salt = base64.b64encode(salt)[0:16].replace(b'+', b'.').decode('utf8') - crypt_salt = "" - if rounds != 0: - crypt_salt = "$%s$rounds=%s$%s$" % (alg, rounds, b64salt) - else: - crypt_salt = "$%s$%s$" % (alg, b64salt) - - crypt_value = crypt.crypt(utf8pw, crypt_salt) - if crypt_value is None: - raise NotImplementedError("crypt.crypt(%s) returned None" % (crypt_salt)) - expected_len = len(crypt_salt) + algs[alg]["length"] - if len(crypt_value) != expected_len: - raise NotImplementedError("crypt.crypt(%s) returned a value with length %d, expected length is %d" % ( - crypt_salt, len(crypt_value), expected_len)) - return crypt_value - -try: - import hashlib - hashlib.sha1() - virtual_attributes["virtualSSHA"] = { - } -except ImportError as e: - reason = "hashlib.sha1()" - reason += " required" - disabled_virtual_attributes["virtualSSHA"] = { - "reason": reason, - } - -for (alg, attr) in [("5", "virtualCryptSHA256"), ("6", "virtualCryptSHA512")]: - try: - import crypt - get_crypt_value(alg, "") - virtual_attributes[attr] = { - } - except ImportError as e: - reason = "crypt" - reason += " required" - disabled_virtual_attributes[attr] = { - "reason": reason, - } - except NotImplementedError as e: - reason = "modern '$%s$' salt in crypt(3) required" % (alg) - disabled_virtual_attributes[attr] = { - "reason": reason, - } - -# Add the wDigest virtual attributes, virtualWDigest01 to virtualWDigest29 -for x in range(1, 30): - virtual_attributes["virtualWDigest%02d" % x] = {} - -# Add Kerberos virtual attributes -virtual_attributes["virtualKerberosSalt"] = {} - -virtual_attributes_help = "The attributes to display (comma separated). " -virtual_attributes_help += "Possible supported virtual attributes: %s" % ", ".join(sorted(virtual_attributes.keys())) -if len(disabled_virtual_attributes) != 0: - virtual_attributes_help += "Unsupported virtual attributes: %s" % ", ".join(sorted(disabled_virtual_attributes.keys())) - - -class cmd_user_add(Command): - """Add a new user. 
- -This command adds a new user account to the Active Directory domain. The username specified on the command is the sAMaccountName. - -User accounts may represent physical entities, such as people or may be used as service accounts for applications. User accounts are also referred to as security principals and are assigned a security identifier (SID). - -A user account enables a user to logon to a computer and domain with an identity that can be authenticated. To maximize security, each user should have their own unique user account and password. A user's access to domain resources is based on permissions assigned to the user account. - -Unix (RFC2307) attributes may be added to the user account. Attributes taken from NSS are obtained on the local machine. Explicitly given values override values obtained from NSS. Configure 'idmap_ldb:use rfc2307 = Yes' to use these attributes for UID/GID mapping. - -The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server. - -Example1: -samba-tool user add User1 passw0rd --given-name=John --surname=Smith --must-change-at-next-login -H ldap://samba.samdom.example.com -Uadministrator%passw1rd - -Example1 shows how to add a new user to the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. The -U option is used to pass the userid and password authorized to issue the command remotely. - -Example2: -sudo samba-tool user add User2 passw2rd --given-name=Jane --surname=Doe --must-change-at-next-login - -Example2 shows how to add a new user to the domain against the local server. sudo is used so a user may run the command as root. In this example, after User2 is created, he/she will be forced to change their password when they logon. - -Example3: -samba-tool user add User3 passw3rd --userou='OU=OrgUnit' - -Example3 shows how to add a new user in the OrgUnit organizational unit. 
- -Example4: -samba-tool user add User4 passw4rd --rfc2307-from-nss --gecos 'some text' - -Example4 shows how to add a new user with Unix UID, GID and login-shell set from the local NSS and GECOS set to 'some text'. - -Example5: -samba-tool user add User5 passw5rd --nis-domain=samdom --unix-home=/home/User5 \\ - --uid-number=10005 --login-shell=/bin/false --gid-number=10000 - -Example5 shows how to add a new RFC2307/NIS domain enabled user account. If ---nis-domain is set, then the other four parameters are mandatory. - -""" - synopsis = "%prog <username> [<password>] [options]" - - takes_options = [ - Option("-H", "--URL", help="LDB URL for database or target server", type=str, - metavar="URL", dest="H"), - Option("--must-change-at-next-login", - help="Force password to be changed on next login", - action="store_true"), - Option("--random-password", - help="Generate random password", - action="store_true"), - Option("--smartcard-required", - help="Require a smartcard for interactive logons", - action="store_true"), - Option("--use-username-as-cn", - help="Force use of username as user's CN", - action="store_true"), - Option("--userou", - help="DN of alternative location (without domainDN counterpart) to default CN=Users in which new user object will be created. E. g. 
'OU=<OU name>'", - type=str), - Option("--surname", help="User's surname", type=str), - Option("--given-name", help="User's given name", type=str), - Option("--initials", help="User's initials", type=str), - Option("--profile-path", help="User's profile path", type=str), - Option("--script-path", help="User's logon script path", type=str), - Option("--home-drive", help="User's home drive letter", type=str), - Option("--home-directory", help="User's home directory path", type=str), - Option("--job-title", help="User's job title", type=str), - Option("--department", help="User's department", type=str), - Option("--company", help="User's company", type=str), - Option("--description", help="User's description", type=str), - Option("--mail-address", help="User's email address", type=str), - Option("--internet-address", help="User's home page", type=str), - Option("--telephone-number", help="User's phone number", type=str), - Option("--physical-delivery-office", help="User's office location", type=str), - Option("--rfc2307-from-nss", - help="Copy Unix user attributes from NSS (will be overridden by explicit UID/GID/GECOS/shell)", - action="store_true"), - Option("--nis-domain", help="User's Unix/RFC2307 NIS domain", type=str), - Option("--unix-home", help="User's Unix/RFC2307 home directory", - type=str), - Option("--uid", help="User's Unix/RFC2307 username", type=str), - Option("--uid-number", help="User's Unix/RFC2307 numeric UID", type=int), - Option("--gid-number", help="User's Unix/RFC2307 primary GID number", type=int), - Option("--gecos", help="User's Unix/RFC2307 GECOS field", type=str), - Option("--login-shell", help="User's Unix/RFC2307 login shell", type=str), - ] - - takes_args = ["username", "password?"] - - takes_optiongroups = { - "sambaopts": options.SambaOptions, - "credopts": options.CredentialsOptions, - "versionopts": options.VersionOptions, - } - - def run(self, username, password=None, credopts=None, sambaopts=None, - versionopts=None, H=None, 
must_change_at_next_login=False, - random_password=False, use_username_as_cn=False, userou=None, - surname=None, given_name=None, initials=None, profile_path=None, - script_path=None, home_drive=None, home_directory=None, - job_title=None, department=None, company=None, description=None, - mail_address=None, internet_address=None, telephone_number=None, - physical_delivery_office=None, rfc2307_from_nss=False, - nis_domain=None, unix_home=None, uid=None, uid_number=None, - gid_number=None, gecos=None, login_shell=None, - smartcard_required=False): - - if smartcard_required: - if password is not None and password != '': - raise CommandError('It is not allowed to specify ' - '--newpassword ' - 'together with --smartcard-required.') - if must_change_at_next_login: - raise CommandError('It is not allowed to specify ' - '--must-change-at-next-login ' - 'together with --smartcard-required.') - - if random_password and not smartcard_required: - password = generate_random_password(128, 255) - - while True: - if smartcard_required: - break - if password is not None and password != '': - break - password = getpass("New Password: ") - passwordverify = getpass("Retype Password: ") - if not password == passwordverify: - password = None - self.outf.write("Sorry, passwords do not match.\n") - - if rfc2307_from_nss: - pwent = pwd.getpwnam(username) - if uid is None: - uid = username - if uid_number is None: - uid_number = pwent[2] - if gid_number is None: - gid_number = pwent[3] - if gecos is None: - gecos = pwent[4] - if login_shell is None: - login_shell = pwent[6] - - lp = sambaopts.get_loadparm() - creds = credopts.get_credentials(lp) - - if uid_number or gid_number: - if not lp.get("idmap_ldb:use rfc2307"): - self.outf.write("You are setting a Unix/RFC2307 UID or GID. 
You may want to set 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.\n") - - if nis_domain is not None: - if None in (uid_number, login_shell, unix_home, gid_number): - raise CommandError('Missing parameters. To enable NIS features, ' - 'the following options have to be given: ' - '--nis-domain=, --uidNumber=, --login-shell=' - ', --unix-home=, --gid-number= Operation ' - 'cancelled.') - - try: - samdb = SamDB(url=H, session_info=system_session(), - credentials=creds, lp=lp) - samdb.newuser(username, password, force_password_change_at_next_login_req=must_change_at_next_login, - useusernameascn=use_username_as_cn, userou=userou, surname=surname, givenname=given_name, initials=initials, - profilepath=profile_path, homedrive=home_drive, scriptpath=script_path, homedirectory=home_directory, - jobtitle=job_title, department=department, company=company, description=description, - mailaddress=mail_address, internetaddress=internet_address, - telephonenumber=telephone_number, physicaldeliveryoffice=physical_delivery_office, - nisdomain=nis_domain, unixhome=unix_home, uid=uid, - uidnumber=uid_number, gidnumber=gid_number, - gecos=gecos, loginshell=login_shell, - smartcard_required=smartcard_required) - except Exception as e: - raise CommandError("Failed to add user '%s': " % username, e) - - self.outf.write("User '%s' added successfully\n" % username) - -class cmd_user_delete(Command): - """Delete a user. - -This command deletes a user account from the Active Directory domain. The username specified on the command is the sAMAccountName. - -Once the account is deleted, all permissions and memberships associated with that account are deleted. If a new user account is added with the same name as a previously deleted account name, the new user does not have the previous permissions. The new account user will be assigned a new security identifier (SID) and permissions and memberships will have to be added. 
- -The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server. - -Example1: -samba-tool user delete User1 -H ldap://samba.samdom.example.com --username=administrator --password=passw1rd - -Example1 shows how to delete a user in the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. The --username= and --password= options are used to pass the username and password of a user that exists on the remote server and is authorized to issue the command on that server. - -Example2: -sudo samba-tool user delete User2 - -Example2 shows how to delete a user in the domain against the local server. sudo is used so a user may run the command as root. - -""" - synopsis = "%prog <username> [options]" - - takes_options = [ - Option("-H", "--URL", help="LDB URL for database or target server", type=str, - metavar="URL", dest="H"), - ] - - takes_args = ["username"] - takes_optiongroups = { - "sambaopts": options.SambaOptions, - "credopts": options.CredentialsOptions, - "versionopts": options.VersionOptions, - } - - def run(self, username, credopts=None, sambaopts=None, versionopts=None, - H=None): - lp = sambaopts.get_loadparm() - creds = credopts.get_credentials(lp, fallback_machine=True) - - samdb = SamDB(url=H, session_info=system_session(), - credentials=creds, lp=lp) - - filter = ("(&(sAMAccountName=%s)(sAMAccountType=805306368))" % - ldb.binary_encode(username)) - - try: - res = samdb.search(base=samdb.domain_dn(), - scope=ldb.SCOPE_SUBTREE, - expression=filter, - attrs=["dn"]) - user_dn = res[0].dn - except IndexError: - raise CommandError('Unable to find user "%s"' % (username)) - - try: - samdb.delete(user_dn) - except Exception as e: - raise CommandError('Failed to remove user "%s"' % username, e) - self.outf.write("Deleted user %s\n" % username) - - -class cmd_user_list(Command): - """List all users.""" - - synopsis = "%prog 
[options]" - - takes_options = [ - Option("-H", "--URL", help="LDB URL for database or target server", type=str, - metavar="URL", dest="H"), - Option("--hide-expired", - help="Do not list expired user accounts", - default=False, - action='store_true'), - Option("--hide-disabled", - default=False, - action='store_true', - help="Do not list disabled user accounts"), - Option("-b", "--base-dn", - help="Specify base DN to use", - type=str), - Option("--full-dn", dest="full_dn", - default=False, - action='store_true', - help="Display DN instead of the sAMAccountName.") - ] - - takes_optiongroups = { - "sambaopts": options.SambaOptions, - "credopts": options.CredentialsOptions, - "versionopts": options.VersionOptions, - } - - def run(self, - sambaopts=None, - credopts=None, - versionopts=None, - H=None, - hide_expired=False, - hide_disabled=False, - base_dn=None, - full_dn=False): - lp = sambaopts.get_loadparm() - creds = credopts.get_credentials(lp, fallback_machine=True) - - samdb = SamDB(url=H, session_info=system_session(), - credentials=creds, lp=lp) - - search_dn = samdb.domain_dn() - if base_dn: - search_dn = samdb.normalize_dn_in_domain(base_dn) - - filter_expires = "" - if hide_expired is True: - current_nttime = samdb.get_nttime() - filter_expires = "(|(accountExpires=0)(accountExpires>=%u))" % ( - current_nttime) - - filter_disabled = "" -- Samba Shared Repository
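
Review bot: In cmd_user_add.run() two error messages name options that this command does not define, and since the summary shows this code being recreated in python/samba/netcmd/user/add.py, the move is a good point to correct them. The --smartcard-required check raises 'It is not allowed to specify --newpassword together with --smartcard-required.', but takes_options has no --newpassword; the password arrives through takes_args = ["username", "password?"], so the message should refer to the positional password argument. The NIS check lists '--uidNumber=' while the option is declared as Option("--uid-number", ...), so a user following the message gets an unknown-option error. Separately, get_crypt_value() calls crypt.crypt() although crypt is only imported inside the later module-level loop over virtualCryptSHA256 and virtualCryptSHA512; once this file is split into separate modules that import should sit next to the function that uses it. The changeset is truncated at 500 lines, so none of the created files are visible in this mail and the move cannot be confirmed as verbatim from what is shown here.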