netcmd: add domain models and basic model layer

The ORM is somewhat inspired by Django, but it has some key
differences that make it work better with the Ldb database.

A field can be a singular value or a list, so a BooleanField can
either be True, or [True, False, True], or None.

The only thing that many=True does is say that the field "prefers" to
be a list, but really any field can be a list. For example when
creating a new object, it initialises the field as an empty list
rather than None if many=True.

When saving an object, if it is an update operation, only write the
fields that have actually changed.

When updating an object, any fields that are unset (set to None, or an
empty list) will be treated as a REMOVE operation.

Note that silo members should not be saved this way, writing the whole
list can lead to data loss if multiple admins are saving the silo at
the same time. Silo members will need to be handled differently, just
removing one member but not writing the whole list.

Unlike Django, there is no .objects class, instead there are a bunch
of static methods for querying:

  * Model.get
  * Model.query
  * Model.create
  * Model.get_or_create

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

9 files changed, 1167 insertions, 0 deletions

diff --git a/python/samba/netcmd/domain/models/__init__.py b/python/samba/netcmd/domain/models/__init__.py
new file mode 100644
index 00000000000..cd719559b04
--- /dev/null
+++ b/python/samba/netcmd/domain/models/__init__.py
@@ -0,0 +1,28 @@
+# Unix SMB/CIFS implementation.
+#
+# Samba domain models.
+#
+# Copyright (C) Catalyst.Net Ltd. 2023
+#
+# Written by Rob van der Linde <rob@catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from .auth_policy import AuthenticationPolicy
+from .auth_silo import AuthenticationSilo
+from .claim_type import ClaimType
+from .model import MODELS
+from .user import User
+from .value_type import ValueType
diff --git a/python/samba/netcmd/domain/models/auth_policy.py b/python/samba/netcmd/domain/models/auth_policy.py
new file mode 100644
index 00000000000..fa0b07be910
--- /dev/null
+++ b/python/samba/netcmd/domain/models/auth_policy.py
@@ -0,0 +1,73 @@
+# Unix SMB/CIFS implementation.
+#
+# Authentication policy model.
+#
+# Copyright (C) Catalyst.Net Ltd. 2023
+#
+# Written by Rob van der Linde <rob@catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from enum import IntEnum
+
+from .fields import BooleanField, EnumField, IntegerField, StringField
+from .model import Model
+
+# Ticket-Granting-Ticket lifetimes.
+MIN_TGT_LIFETIME = 45
+MAX_TGT_LIFETIME = 2147483647
+
+
+class StrongNTLMPolicy(IntEnum):
+    DISABLED = 0
+    OPTIONAL = 1
+    REQUIRED = 2
+
+    @classmethod
+    def get_choices(cls):
+        return sorted([choice.capitalize() for choice in cls._member_names_])
+
+    @classmethod
+    def choices_str(cls):
+        return ", ".join(cls.get_choices())
+
+
+class AuthenticationPolicy(Model):
+    description = StringField("description")
+    enforced = BooleanField("msDS-AuthNPolicyEnforced")
+    strong_ntlm_policy = EnumField("msDS-StrongNTLMPolicy", StrongNTLMPolicy)
+    user_allow_ntlm_network_auth = BooleanField(
+        "msDS-UserAllowedNTLMNetworkAuthentication")
+    user_tgt_lifetime = IntegerField("msDS-UserTGTLifetime")
+    service_allow_ntlm_network_auth = BooleanField(
+        "msDS-ServiceAllowedNTLMNetworkAuthentication")
+    service_tgt_lifetime = IntegerField("msDS-ServiceTGTLifetime")
+    computer_tgt_lifetime = IntegerField("msDS-ComputerTGTLifetime")
+
+    @staticmethod
+    def get_base_dn(ldb):
+        """Return the base DN for the AuthenticationPolicy model.
+
+        :param ldb: Ldb connection
+        :return: Dn object of container
+        """
+        base_dn = ldb.get_config_basedn()
+        base_dn.add_child(
+            "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services")
+        return base_dn
+
+    @staticmethod
+    def get_object_class():
+        return "msDS-AuthNPolicy"
diff --git a/python/samba/netcmd/domain/models/auth_silo.py b/python/samba/netcmd/domain/models/auth_silo.py
new file mode 100644
index 00000000000..2cc8f6ed428
--- /dev/null
+++ b/python/samba/netcmd/domain/models/auth_silo.py
@@ -0,0 +1,49 @@
+# Unix SMB/CIFS implementation.
+#
+# Authentication silo model.
+#
+# Copyright (C) Catalyst.Net Ltd. 2023
+#
+# Written by Rob van der Linde <rob@catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from .fields import DnField, BooleanField, StringField
+from .model import Model
+
+
+class AuthenticationSilo(Model):
+    description = StringField("description")
+    enforced = BooleanField("msDS-AuthNPolicySiloEnforced")
+    user_policy = DnField("msDS-UserAuthNPolicy")
+    service_policy = DnField("msDS-ServiceAuthNPolicy")
+    computer_policy = DnField("msDS-ComputerAuthNPolicy")
+    members = DnField("msDS-AuthNPolicySiloMembers", many=True)
+
+    @staticmethod
+    def get_base_dn(ldb):
+        """Return the base DN for the AuthenticationSilo model.
+
+        :param ldb: Ldb connection
+        :return: Dn object of container
+        """
+        base_dn = ldb.get_config_basedn()
+        base_dn.add_child(
+            "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services")
+        return base_dn
+
+    @staticmethod
+    def get_object_class():
+        return "msDS-AuthNPolicySilo"
diff --git a/python/samba/netcmd/domain/models/claim_type.py b/python/samba/netcmd/domain/models/claim_type.py
new file mode 100644
index 00000000000..7e1c8169870
--- /dev/null
+++ b/python/samba/netcmd/domain/models/claim_type.py
@@ -0,0 +1,58 @@
+# Unix SMB/CIFS implementation.
+#
+# Claim type model.
+#
+# Copyright (C) Catalyst.Net Ltd. 2023
+#
+# Written by Rob van der Linde <rob@catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from .fields import BooleanField, DnField, IntegerField,\
+    PossibleClaimValuesField, StringField
+from .model import Model
+
+
+class ClaimType(Model):
+    enabled = BooleanField("Enabled")
+    description = StringField("description")
+    display_name = StringField("displayName")
+    claim_attribute_source = DnField("msDS-ClaimAttributeSource")
+    claim_is_single_valued = BooleanField("msDS-ClaimIsSingleValued")
+    claim_is_value_space_restricted = BooleanField(
+        "msDS-ClaimIsValueSpaceRestricted")
+    claim_possible_values = PossibleClaimValuesField("msDS-ClaimPossibleValues")
+    claim_source_type = StringField("msDS-ClaimSourceType")
+    claim_type_applies_to_class = DnField(
+        "msDS-ClaimTypeAppliesToClass", many=True)
+    claim_value_type = IntegerField("msDS-ClaimValueType")
+
+    @staticmethod
+    def get_base_dn(ldb):
+        """Return the base DN for the ClaimType model.
+
+        :param ldb: Ldb connection
+        :return: Dn object of container
+        """
+        base_dn = ldb.get_config_basedn()
+        base_dn.add_child("CN=Claim Types,CN=Claims Configuration,CN=Services")
+        return base_dn
+
+    @staticmethod
+    def get_object_class():
+        return "msDS-ClaimType"
+
+    def __str__(self):
+        return str(self.display_name)
diff --git a/python/samba/netcmd/domain/models/exceptions.py b/python/samba/netcmd/domain/models/exceptions.py
new file mode 100644
index 00000000000..01bf3f8c1b8
--- /dev/null
+++ b/python/samba/netcmd/domain/models/exceptions.py
@@ -0,0 +1,24 @@
+# Unix SMB/CIFS implementation.
+#
+# Model and ORM exceptions.
+#
+# Copyright (C) Catalyst.Net Ltd. 2023
+#
+# Written by Rob van der Linde <rob@catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+class MultipleObjectsReturned(Exception):
+    pass
diff --git a/python/samba/netcmd/domain/models/fields.py b/python/samba/netcmd/domain/models/fields.py
new file mode 100644
index 00000000000..ecf46e1bc43
--- /dev/null
+++ b/python/samba/netcmd/domain/models/fields.py
@@ -0,0 +1,431 @@
+# Unix SMB/CIFS implementation.
+#
+# Model fields.
+#
+# Copyright (C) Catalyst.Net Ltd. 2023
+#
+# Written by Rob van der Linde <rob@catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from enum import IntEnum
+
+import io
+from abc import ABCMeta, abstractmethod
+from datetime import datetime
+from xml.etree import ElementTree
+
+from ldb import Dn, MessageElement, string_to_time, timestring
+from samba.dcerpc.misc import GUID
+from samba.ndr import ndr_pack, ndr_unpack
+
+
+class Field(metaclass=ABCMeta):
+    """Base class for all fields.
+
+    Each field will need to implement from_db_value and to_db_value.
+
+    A field must correctly support converting both single valued fields,
+    and list type fields.
+
+    The only thing many=True does is say the field "prefers" to be a list,
+    but really any field can be a list or single value.
+    """
+
+    def __init__(self, name, many=False, default=None, hidden=False):
+        """Creates a new field, should be subclassed.
+
+        :param name: Ldb field name.
+        :param many: If true always convert field to a list when loaded.
+        :param default: Default value or callback method (obj is first argument)
+        :param hidden: If this is True, exclude the field when calling as_dict()
+        """
+        self.name = name
+        self.many = many
+        self.hidden = hidden
+
+        # This ensures that fields with many=True are always lists.
+        # If this is inconsistent anywhere, it isn't so great to use.
+        if self.many and default is None:
+            self.default = []
+        else:
+            self.default = default
+
+    @abstractmethod
+    def from_db_value(self, ldb, value):
+        """Converts value read from the database to Python value.
+
+        :param ldb: Ldb connection
+        :param value: MessageElement value from the database
+        :returns: Parsed value as Python type
+        """
+        pass
+
+    @abstractmethod
+    def to_db_value(self, value, flags):
+        """Converts value to database value.
+
+        This should return a MessageElement or None, where None means
+        the field will be unset on the next save.
+
+        :param value: Input value from Python field
+        :param flags: MessageElement flags
+        :returns: MessageElement or None
+        """
+        pass
+
+
+class IntegerField(Field):
+    """A simple integer field, can be an int or list of int."""
+
+    def from_db_value(self, ldb, value):
+        """Convert MessageElement to int or list of int."""
+        if value is None:
+            return
+        elif len(value) > 1 or self.many:
+            return [int(item) for item in value]
+        else:
+            return int(value[0])
+
+    def to_db_value(self, value, flags):
+        """Convert int or list of int to MessageElement."""
+        if value is None:
+            return
+        elif isinstance(value, list):
+            return MessageElement(
+                [str(item) for item in value], flags, self.name)
+        else:
+            return MessageElement(str(value), flags, self.name)
+
+
+class BinaryField(Field):
+    """Similar to StringField but using bytes instead of str.
+
+    This tends to be quite easy because a MessageElement already uses bytes.
+    """
+
+    def from_db_value(self, ldb, value):
+        """Convert MessageElement to bytes or list of bytes.
+
+        The values on the MessageElement should already be bytes so the
+        cast to bytes() is likely not needed in from_db_value.
+        """
+        if value is None:
+            return
+        elif len(value) > 1 or self.many:
+            return [bytes(item) for item in value]
+        else:
+            return bytes(value[0])
+
+    def to_db_value(self, value, flags):
+        """Convert bytes or list of bytes to MessageElement."""
+        if value is None:
+            return
+        elif isinstance(value, list):
+            return MessageElement(
+                [bytes(item) for item in value], flags, self.name)
+        else:
+            return MessageElement(bytes(value), flags, self.name)
+
+
+class StringField(Field):
+    """A simple string field, may contain str or list of str."""
+
+    def from_db_value(self, ldb, value):
+        """Convert MessageElement to str or list of str."""
+        if value is None:
+            return
+        elif len(value) > 1 or self.many:
+            return [str(item) for item in value]
+        else:
+            return str(value)
+
+    def to_db_value(self, value, flags):
+        """Convert str or list of str to MessageElement."""
+        if value is None:
+            return
+        elif isinstance(value, list):
+            return MessageElement(
+                [str(item) for item in value], flags, self.name)
+        else:
+            return MessageElement(str(value), flags, self.name)
+
+
+class EnumField(Field):
+    """A field based around Python's Enum type."""
+
+    def __init__(self, name, enum, many=False, default=None):
+        """Create a new EnumField for the given enum class."""
+        self.enum = enum
+        super().__init__(name, many, default)
+
+    def enum_from_value(self, value):
+        """Return Enum instance from value.
+
+        Has a special case for IntEnum as the constructor only accepts int.
+        """
+        if issubclass(self.enum, IntEnum):
+            return self.enum(int(str(value)))
+        else:
+            return self.enum(str(value))
+
+    def from_db_value(self, ldb, value):
+        """Convert MessageElement to enum or list of enum."""
+        if value is None:
+            return
+        elif len(value) > 1 or self.many:
+            return [self.enum_from_value(item) for item in value]
+        else:
+            return self.enum_from_value(value)
+
+    def to_db_value(self, value, flags):
+        """Convert enum or list of enum to MessageElement."""
+        if value is None:
+            return
+        elif isinstance(value, list):
+            return MessageElement(
+                [str(item.value) for item in value], flags, self.name)
+        else:
+            return MessageElement(str(value.value), flags, self.name)
+
+
+class DateTimeField(Field):
+    """A field for parsing ldb timestamps into Python datetime."""
+
+    def from_db_value(self, ldb, value):
+        """Convert MessageElement to datetime or list of datetime."""
+        if value is None:
+            return
+        elif len(value) > 1 or self.many:
+            return [datetime.fromtimestamp(string_to_time(str(item)))
+                    for item in value]
+        else:
+            return datetime.fromtimestamp(string_to_time(str(value)))
+
+    def to_db_value(self, value, flags):
+        """Convert datetime or list of datetime to MessageElement."""
+        if value is None:
+            return
+        elif isinstance(value, list):
+            return MessageElement(
+                [timestring(int(datetime.timestamp(item))) for item in value],
+                flags, self.name)
+        else:
+            return MessageElement(timestring(int(datetime.timestamp(value))),
+                                  flags, self.name)
+
+
+class RelatedField(Field):
+    """A field that automatically fetches the related objects.
+
+    Use sparingly, can be a little slow. If in doubt just use DnField instead.
+    """
+
+    def __init__(self, name, model, many=False, default=None):
+        """Create a new RelatedField for the given model."""
+        self.model = model
+        super().__init__(name, many, default)
+
+    def from_db_value(self, ldb, value):
+        """Convert Message element to related object or list of objects.
+
+        Note that fetching related items is not using any sort of lazy
+        loading so use this field sparingly.
+        """
+        if value is None:
+            return
+        elif len(value) > 1 or self.many:
+            return [self.model.get(ldb, dn=Dn(ldb, str(item))) for item in value]
+        else:
+            return self.model.get(ldb, dn=Dn(ldb, str(value)))
+
+    def to_db_value(self, value, flags):
+        """Convert related object or list of objects to MessageElement."""
+        if value is None:
+            return
+        elif isinstance(value, list):
+            return MessageElement(
+                [str(item.dn) for item in value], flags, self.name)
+        else:
+            return MessageElement(str(value.dn), flags, self.name)
+
+
+class DnField(Field):
+    """A Dn field parses the current field into a Dn object."""
+
+    def from_db_value(self, ldb, value):
+        """Convert MessageElement to a Dn object or list of Dn objects."""
+        if value is None:
+            return
+        elif isinstance(value, Dn):
+            return value
+        elif len(value) > 1 or self.many:
+            return [Dn(ldb, str(item)) for item in value]
+        else:
+            return Dn(ldb, str(value))
+
+    def to_db_value(self, value, flags):
+        """Convert Dn object or list of Dn objects into a MessageElement."""
+        if value is None:
+            return
+        elif isinstance(value, list):
+            return MessageElement(
+                [str(item) for item in value], flags, self.name)
+        else:
+            return MessageElement(str(value), flags, self.name)
+
+
+class GUIDField(Field):
+    """A GUID field decodes fields containing binary GUIDs."""
+
+    def from_db_value(self, ldb, value):
+        """Convert MessageElement with a GUID into a str or list of str."""
+        if value is None:
+            return
+        elif len(value) > 1 or self.many:
+            return [str(ndr_unpack(GUID, item)) for item in value]
+        else:
+            return str(ndr_unpack(GUID, value[0]))
+
+    def to_db_value(self, value, flags):
+        """Convert str with GUID into MessageElement."""
+        if value is None:
+            return
+        elif isinstance(value, list):
+            return MessageElement(
+                [ndr_pack(GUID(item)) for item in value], flags, self.name)
+        else:
+            return MessageElement(ndr_pack(GUID(value)), flags, self.name)
+
+
+class BooleanField(Field):
+    """A simple boolean field, can be a bool or list of bool."""
+
+    def from_db_value(self, ldb, value):
+        """Convert MessageElement into a bool or list of bool."""
+        if value is None:
+            return
+        elif len(value) > 1 or self.many:
+            return [str(item) == "TRUE" for item in value]
+        else:
+            return str(value) == "TRUE"
+
+    def to_db_value(self, value, flags):
+        """Convert bool or list of bool into a MessageElement."""
+        if value is None:
+            return
+        elif isinstance(value, list):
+            return MessageElement(
+                [str(bool(item)).upper() for item in value], flags, self.name)
+        else:
+            return MessageElement(str(bool(value)).upper(), flags, self.name)
+
+
+class PossibleClaimValuesField(Field):
+    """Field for parsing possible values XML for claim types.
+
+    This field will be represented by a list of dicts as follows:
+
+    [
+        {"ValueGUID": <GUID>},
+        {"ValueDisplayName: "Display name"},
+        {"ValueDescription: "Optional description or None for no description"},
+        {"Value": <Value>},
+    ]
+
+    Note that the GUID needs to be created client-side when adding entries,
+    leaving it as None then saving it doesn't generate the GUID.
+
+    The field itself just converts the XML to list and vice versa, it doesn't
+    automatically generate GUIDs for entries, this is entirely up to the caller.
+    """
+
+    # Namespaces for PossibleValues xml parsing.
+    NAMESPACE = {
+        "xsd": "http://www.w3.org/2001/XMLSchema",
+        "xsi": "http://www.w3.org/2001/XMLSchema-instance",
+        "": "http://schemas.microsoft.com/2010/08/ActiveDirectory/PossibleValues"
+    }
+
+    def from_db_value(self, ldb, value):
+        """Parse MessageElement with XML to list of dicts."""
+        if value is not None:
+            root = ElementTree.fromstring(str(value))
+            string_list = root.find("StringList", self.NAMESPACE)
+
+            values = []
+            for item in string_list.findall("Item", self.NAMESPACE):
+                values.append({
+                    "ValueGUID": item.find("ValueGUID", self.NAMESPACE).text,
+                    "ValueDisplayName": item.find("ValueDisplayName",
+                                                  self.NAMESPACE).text,
+                    "ValueDescription": item.find("ValueDescription",
+                                                  self.NAMESPACE).text,
+                    "Value": item.find("Value", self.NAMESPACE).text,
+                })
+
+            return values
+
+    def to_db_value(self, value, flags):
+        """Convert list of dicts back fo XML as a MessageElement."""
+        if value is None:
+            return
+
+        # Possible values should always be a list of dict, but for consistency
+        # with other fields just wrap a single value into a list and continue.
+        if isinstance(value, list):
+            possible_values = value
+        else:
+            possible_values = [value]
+
+        # No point storing XML of an empty list.
+        # Return None, the field will be unset on the next save.
+        if len(possible_values) == 0:
+            return
+
+        # root node
+        root = ElementTree.Element("PossibleClaimValues")
+        for name, url in self.NAMESPACE.items():
+            if name == "":
+                root.set("xmlns", url)
+            else:
+                root.set(f"xmlns:{name}", url)
+
+        # StringList node
+        string_list = ElementTree.SubElement(root, "StringList")
+
+        # List of values
+        for item_dict in possible_values:
+            item = ElementTree.SubElement(string_list, "Item")
+            item_guid = ElementTree.SubElement(item, "ValueGUID")
+            item_guid.text = item_dict["ValueGUID"]
+            item_name = ElementTree.SubElement(item, "ValueDisplayName")
+            item_name.text = item_dict["ValueDisplayName"]
+            item_desc = ElementTree.SubElement(item, "ValueDescription")
+            item_desc.text = item_dict["ValueDescription"]
+            item_value = ElementTree.SubElement(item, "Value")
+            item_value.text = item_dict["Value"]
+
+        # NOTE: indent was only added in Python 3.9 so can't be used yet.
+        # ElementTree.indent(root, space="\t", level=0)
+
+        out = io.BytesIO()
+        ElementTree.ElementTree(root).write(out,
+                                            encoding="utf-16",
+                                            xml_declaration=True,
+                                            short_empty_elements=False)
+
+        # Back to str as that is what MessageElement needs.
+        return MessageElement(out.getvalue().decode("utf-16"), flags, self.name)
diff --git a/python/samba/netcmd/domain/models/model.py b/python/samba/netcmd/domain/models/model.py
new file mode 100644
index 00000000000..b7a0a123c4f
--- /dev/null
+++ b/python/samba/netcmd/domain/models/model.py
@@ -0,0 +1,396 @@
+# Unix SMB/CIFS implementation.
+#
+# Model and basic ORM for the Ldb database.
+#
+# Copyright (C) Catalyst.Net Ltd. 2023
+#
+# Written by Rob van der Linde <rob@catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import inspect
+from abc import ABCMeta, abstractmethod
+
+from ldb import ERR_NO_SUCH_OBJECT, FLAG_MOD_ADD, FLAG_MOD_REPLACE, LdbError,\
+    Message, MessageElement, SCOPE_BASE, SCOPE_SUBTREE, binary_encode
+from samba.sd_utils import SDUtils
+
+from .exceptions import MultipleObjectsReturned
+from .fields import DateTimeField, DnField, Field, GUIDField, IntegerField,\
+    StringField
+
+# Keeps track of registered models.
+# This gets populated by the ModelMeta class.
+MODELS = {}
+
+
+class ModelMeta(ABCMeta):
+
+    def __new__(mcls, name, bases, namespace, **kwargs):
+        cls = super().__new__(mcls, name, bases, namespace, **kwargs)
+
+        if cls.__name__ != "Model":
+            cls.fields = dict(inspect.getmembers(cls, lambda f: isinstance(f, Field)))
+            cls.meta = mcls
+            MODELS[name] = cls
+
+        return cls
+
+
+class Model(metaclass=ModelMeta):
+    cn = StringField("cn")
+    distinguished_name = DnField("distinguishedName")
+    dn = DnField("dn")
+    ds_core_propagation_data = DateTimeField("dsCorePropagationData",
+                                             hidden=True)
+    instance_type = IntegerField("instanceType")
+    name = StringField("name")
+    object_category = DnField("objectCategory")
+    object_class = StringField("objectClass",
+                               default=lambda obj: obj.get_object_class())
+    object_guid = GUIDField("objectGUID")
+    usn_changed = IntegerField("uSNChanged", hidden=True)
+    usn_created = IntegerField("uSNCreated", hidden=True)
+    when_changed = DateTimeField("whenChanged", hidden=True)
+    when_created = DateTimeField("whenCreated", hidden=True)
+
+    def __init__(self, **kwargs):
+        """Create a new model instance and optionally populate fields.
+
+        Does not save the object to the database, call .save() for that.
+
+        :param kwargs: Optional input fields to populate object with
+        """
+        for field_name, field in self.fields.items():
+            if field_name in kwargs:
+                default = kwargs[field_name]
+            elif callable(field.default):
+                default = field.default(self)
+            else:
+                default = field.default
+
+            setattr(self, field_name, default)
+
+    def __repr__(self):
+        """Return object representation for this model."""
+        return f"<{self.__class__.__name__}: {self}>"
+
+    def __str__(self):
+        """Stringify model instance to implement in each model."""
+        return str(self.cn)
+
+    def __eq__(self, other):
+        """Basic object equality check only really checks if the dn matches.
+
+        :param other: The other object to compare with
+        """
+        if other is None:
+            return False
+        else:
+            return self.dn == other.dn
+
+    def __json__(self):
+        """Automatically called by custom JSONEncoder class.
+
+        When turning an object into json any fields of type RelatedField
+        will also end up calling this method.
+        """
+        if self.dn is not None:
+            return str(self.dn)
+
+    @staticmethod
+    @abstractmethod
+    def get_base_dn(ldb):
+        """Return the base DN for the container of this model.
+
+        :param ldb: Ldb connection
+        :return: Dn to use for new objects
+        """
+        pass
+
+    @classmethod
+    def get_search_dn(cls, ldb):
+        """Return the DN used for querying.
+
+        By default, this just calls get_base_dn, but it is possible to
+        return a different Dn for querying.
+
+        :param ldb: Ldb connection
+        :return: Dn to use for searching
+        """
+        return cls.get_base_dn(ldb)
+
+    @staticmethod
+    @abstractmethod
+    def get_object_class():
+        """Returns the objectClass for this model."""
+        pass
+
+    @classmethod
+    def from_message(cls, ldb, message):
+        """Create a new model instance from the Ldb Message object.
+
+        :param ldb: Ldb connection
+        :param message: Ldb Message object to create instance from
+        """
+        obj = cls()
+        obj._apply(ldb, message)
+        return obj
+
+    def _apply(self, ldb, message):
+        """Internal method to apply Ldb Message to current object.
+
+        :param ldb: Ldb connection
+        :param message: Ldb Message object to apply
+        """
+        for attr, field in self.fields.items():
+            if field.name in message:
+                setattr(self, attr, field.from_db_value(ldb, message[field.name]))
+
+    def refresh(self, ldb, fields=None):
+        """Refresh object from database.
+
+        :param ldb: Ldb connection
+        :param fields: Optional list of fi