From 7255e0ced33826d1e528c3e465105e7e194eb36e Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Thu, 3 May 2018 12:12:04 +1200 Subject: netcmd: Split 'domain passwordsettings' into a super-command The show and set options are not really related to each other at all, so it makes sense to split the code into 2 separate commands. We also want to add separate sub-commands for PSOs in a subsequent patch. Because of the way the sub-command was implemented previously, it meant that you could specify other command-line options before the 'set' or 'show' keyword, and the command would still be accepted. However, now that it's a super-command 'set'/'show' needs to be specified before any additional arguments, so we need to update the test code to reflect this. Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam Signed-off-by: Tim Beale --- python/samba/netcmd/domain.py | 356 ++++++++++++++++++++++-------------------- 1 file changed, 190 insertions(+), 166 deletions(-) (limited to 'python') diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py index 8b34bfd0f3f..cb2b1ccecb3 100644 --- a/python/samba/netcmd/domain.py +++ b/python/samba/netcmd/domain.py @@ -1263,8 +1263,74 @@ class cmd_domain_level(Command): else: raise CommandError("invalid argument: '%s' (choose from 'show', 'raise')" % subcommand) +class cmd_domain_passwordsettings_show(Command): + """Display current password settings for the domain.""" -class cmd_domain_passwordsettings(Command): + synopsis = "%prog [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "versionopts": options.VersionOptions, + "credopts": options.CredentialsOptions, + } + + takes_options = [ + Option("-H", "--URL", help="LDB URL for database or target server", type=str, + metavar="URL", dest="H"), + ] + + def run(self, H=None, credopts=None, sambaopts=None, versionopts=None): + lp = sambaopts.get_loadparm() + creds = credopts.get_credentials(lp) + + samdb = SamDB(url=H, session_info=system_session(), + credentials=creds, lp=lp) + + domain_dn = samdb.domain_dn() + res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE, + attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", + "minPwdAge", "maxPwdAge", "lockoutDuration", "lockoutThreshold", + "lockOutObservationWindow"]) + assert(len(res) == 1) + try: + pwd_props = int(res[0]["pwdProperties"][0]) + pwd_hist_len = int(res[0]["pwdHistoryLength"][0]) + cur_min_pwd_len = int(res[0]["minPwdLength"][0]) + # ticks -> days + cur_min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24)) + if int(res[0]["maxPwdAge"][0]) == -0x8000000000000000: + cur_max_pwd_age = 0 + else: + cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24)) + cur_account_lockout_threshold = int(res[0]["lockoutThreshold"][0]) + # ticks -> mins + if int(res[0]["lockoutDuration"][0]) == -0x8000000000000000: + cur_account_lockout_duration = 0 + else: + cur_account_lockout_duration = abs(int(res[0]["lockoutDuration"][0])) / (1e7 * 60) + cur_reset_account_lockout_after = abs(int(res[0]["lockOutObservationWindow"][0])) / (1e7 * 60) + except Exception as e: + raise CommandError("Could not retrieve password properties!", e) + + self.message("Password informations for domain '%s'" % domain_dn) + self.message("") + if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0: + self.message("Password complexity: on") + else: + self.message("Password complexity: off") + if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0: + self.message("Store plaintext passwords: on") + else: + self.message("Store plaintext passwords: off") + self.message("Password history length: %d" % pwd_hist_len) + self.message("Minimum password length: %d" % cur_min_pwd_len) + self.message("Minimum password age (days): %d" % cur_min_pwd_age) + self.message("Maximum password age (days): %d" % cur_max_pwd_age) + self.message("Account lockout duration (mins): %d" % cur_account_lockout_duration) + self.message("Account lockout threshold (attempts): %d" % cur_account_lockout_threshold) + self.message("Reset account lockout after (mins): %d" % cur_reset_account_lockout_after) + +class cmd_domain_passwordsettings_set(Command): """Set password settings. Password complexity, password lockout policy, history length, @@ -1274,7 +1340,7 @@ class cmd_domain_passwordsettings(Command): Use against a Windows DC is possible, but group policy will override it. """ - synopsis = "%prog (show|set ) [options]" + synopsis = "%prog [options]" takes_optiongroups = { "sambaopts": options.SambaOptions, @@ -1306,9 +1372,7 @@ class cmd_domain_passwordsettings(Command): help="After this time is elapsed, the recorded number of attempts restarts from zero ( | default). Default is 30.", type=str), ] - takes_args = ["subcommand"] - - def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None, + def run(self, H=None, min_pwd_age=None, max_pwd_age=None, quiet=False, complexity=None, store_plaintext=None, history_length=None, min_pwd_length=None, account_lockout_duration=None, account_lockout_threshold=None, reset_account_lockout_after=None, credopts=None, sambaopts=None, @@ -1320,195 +1384,155 @@ class cmd_domain_passwordsettings(Command): credentials=creds, lp=lp) domain_dn = samdb.domain_dn() - res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE, - attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", - "minPwdAge", "maxPwdAge", "lockoutDuration", "lockoutThreshold", - "lockOutObservationWindow"]) - assert(len(res) == 1) - try: - pwd_props = int(res[0]["pwdProperties"][0]) - pwd_hist_len = int(res[0]["pwdHistoryLength"][0]) - cur_min_pwd_len = int(res[0]["minPwdLength"][0]) - # ticks -> days - cur_min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24)) - if int(res[0]["maxPwdAge"][0]) == -0x8000000000000000: - cur_max_pwd_age = 0 + msgs = [] + m = ldb.Message() + m.dn = ldb.Dn(samdb, domain_dn) + pwd_props = int(samdb.get_pwdProperties()) + + if complexity is not None: + if complexity == "on" or complexity == "default": + pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX + msgs.append("Password complexity activated!") + elif complexity == "off": + pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX) + msgs.append("Password complexity deactivated!") + + if store_plaintext is not None: + if store_plaintext == "on" or store_plaintext == "default": + pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT + msgs.append("Plaintext password storage for changed passwords activated!") + elif store_plaintext == "off": + pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT) + msgs.append("Plaintext password storage for changed passwords deactivated!") + + if complexity is not None or store_plaintext is not None: + m["pwdProperties"] = ldb.MessageElement(str(pwd_props), + ldb.FLAG_MOD_REPLACE, "pwdProperties") + + if history_length is not None: + if history_length == "default": + pwd_hist_len = 24 else: - cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24)) - cur_account_lockout_threshold = int(res[0]["lockoutThreshold"][0]) - # ticks -> mins - if int(res[0]["lockoutDuration"][0]) == -0x8000000000000000: - cur_account_lockout_duration = 0 - else: - cur_account_lockout_duration = abs(int(res[0]["lockoutDuration"][0])) / (1e7 * 60) - cur_reset_account_lockout_after = abs(int(res[0]["lockOutObservationWindow"][0])) / (1e7 * 60) - except Exception as e: - raise CommandError("Could not retrieve password properties!", e) + pwd_hist_len = int(history_length) - if subcommand == "show": - self.message("Password informations for domain '%s'" % domain_dn) - self.message("") - if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0: - self.message("Password complexity: on") - else: - self.message("Password complexity: off") - if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0: - self.message("Store plaintext passwords: on") - else: - self.message("Store plaintext passwords: off") - self.message("Password history length: %d" % pwd_hist_len) - self.message("Minimum password length: %d" % cur_min_pwd_len) - self.message("Minimum password age (days): %d" % cur_min_pwd_age) - self.message("Maximum password age (days): %d" % cur_max_pwd_age) - self.message("Account lockout duration (mins): %d" % cur_account_lockout_duration) - self.message("Account lockout threshold (attempts): %d" % cur_account_lockout_threshold) - self.message("Reset account lockout after (mins): %d" % cur_reset_account_lockout_after) - elif subcommand == "set": - msgs = [] - m = ldb.Message() - m.dn = ldb.Dn(samdb, domain_dn) - pwd_props = int(samdb.get_pwdProperties()) - - if complexity is not None: - if complexity == "on" or complexity == "default": - pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX - msgs.append("Password complexity activated!") - elif complexity == "off": - pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX) - msgs.append("Password complexity deactivated!") - - if store_plaintext is not None: - if store_plaintext == "on" or store_plaintext == "default": - pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT - msgs.append("Plaintext password storage for changed passwords activated!") - elif store_plaintext == "off": - pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT) - msgs.append("Plaintext password storage for changed passwords deactivated!") - - if complexity is not None or store_plaintext is not None: - m["pwdProperties"] = ldb.MessageElement(str(pwd_props), - ldb.FLAG_MOD_REPLACE, "pwdProperties") - - if history_length is not None: - if history_length == "default": - pwd_hist_len = 24 - else: - pwd_hist_len = int(history_length) + if pwd_hist_len < 0 or pwd_hist_len > 24: + raise CommandError("Password history length must be in the range of 0 to 24!") - if pwd_hist_len < 0 or pwd_hist_len > 24: - raise CommandError("Password history length must be in the range of 0 to 24!") + m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len), + ldb.FLAG_MOD_REPLACE, "pwdHistoryLength") + msgs.append("Password history length changed!") - m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len), - ldb.FLAG_MOD_REPLACE, "pwdHistoryLength") - msgs.append("Password history length changed!") + if min_pwd_length is not None: + if min_pwd_length == "default": + min_pwd_len = 7 + else: + min_pwd_len = int(min_pwd_length) - if min_pwd_length is not None: - if min_pwd_length == "default": - min_pwd_len = 7 - else: - min_pwd_len = int(min_pwd_length) + if min_pwd_len < 0 or min_pwd_len > 14: + raise CommandError("Minimum password length must be in the range of 0 to 14!") - if min_pwd_len < 0 or min_pwd_len > 14: - raise CommandError("Minimum password length must be in the range of 0 to 14!") + m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len), + ldb.FLAG_MOD_REPLACE, "minPwdLength") + msgs.append("Minimum password length changed!") - m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len), - ldb.FLAG_MOD_REPLACE, "minPwdLength") - msgs.append("Minimum password length changed!") + if min_pwd_age is not None: + if min_pwd_age == "default": + min_pwd_age = 1 + else: + min_pwd_age = int(min_pwd_age) - if min_pwd_age is not None: - if min_pwd_age == "default": - min_pwd_age = 1 - else: - min_pwd_age = int(min_pwd_age) + if min_pwd_age < 0 or min_pwd_age > 998: + raise CommandError("Minimum password age must be in the range of 0 to 998!") - if min_pwd_age < 0 or min_pwd_age > 998: - raise CommandError("Minimum password age must be in the range of 0 to 998!") + # days -> ticks + min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7)) - # days -> ticks - min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7)) + m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks), + ldb.FLAG_MOD_REPLACE, "minPwdAge") + msgs.append("Minimum password age changed!") - m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks), - ldb.FLAG_MOD_REPLACE, "minPwdAge") - msgs.append("Minimum password age changed!") + if max_pwd_age is not None: + if max_pwd_age == "default": + max_pwd_age = 43 + else: + max_pwd_age = int(max_pwd_age) - if max_pwd_age is not None: - if max_pwd_age == "default": - max_pwd_age = 43 - else: - max_pwd_age = int(max_pwd_age) + if max_pwd_age < 0 or max_pwd_age > 999: + raise CommandError("Maximum password age must be in the range of 0 to 999!") - if max_pwd_age < 0 or max_pwd_age > 999: - raise CommandError("Maximum password age must be in the range of 0 to 999!") + # days -> ticks + if max_pwd_age == 0: + max_pwd_age_ticks = -0x8000000000000000 + else: + max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7)) - # days -> ticks - if max_pwd_age == 0: - max_pwd_age_ticks = -0x8000000000000000 - else: - max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7)) + m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks), + ldb.FLAG_MOD_REPLACE, "maxPwdAge") + msgs.append("Maximum password age changed!") - m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks), - ldb.FLAG_MOD_REPLACE, "maxPwdAge") - msgs.append("Maximum password age changed!") + if account_lockout_duration is not None: + if account_lockout_duration == "default": + account_lockout_duration = 30 + else: + account_lockout_duration = int(account_lockout_duration) - if account_lockout_duration is not None: - if account_lockout_duration == "default": - account_lockout_duration = 30 - else: - account_lockout_duration = int(account_lockout_duration) + if account_lockout_duration < 0 or account_lockout_duration > 99999: + raise CommandError("Maximum password age must be in the range of 0 to 99999!") - if account_lockout_duration < 0 or account_lockout_duration > 99999: - raise CommandError("Maximum password age must be in the range of 0 to 99999!") + # minutes -> ticks + if account_lockout_duration == 0: + account_lockout_duration_ticks = -0x8000000000000000 + else: + account_lockout_duration_ticks = -int(account_lockout_duration * (60 * 1e7)) - # minutes -> ticks - if account_lockout_duration == 0: - account_lockout_duration_ticks = -0x8000000000000000 - else: - account_lockout_duration_ticks = -int(account_lockout_duration * (60 * 1e7)) + m["lockoutDuration"] = ldb.MessageElement(str(account_lockout_duration_ticks), + ldb.FLAG_MOD_REPLACE, "lockoutDuration") + msgs.append("Account lockout duration changed!") - m["lockoutDuration"] = ldb.MessageElement(str(account_lockout_duration_ticks), - ldb.FLAG_MOD_REPLACE, "lockoutDuration") - msgs.append("Account lockout duration changed!") + if account_lockout_threshold is not None: + if account_lockout_threshold == "default": + account_lockout_threshold = 0 + else: + account_lockout_threshold = int(account_lockout_threshold) - if account_lockout_threshold is not None: - if account_lockout_threshold == "default": - account_lockout_threshold = 0 - else: - account_lockout_threshold = int(account_lockout_threshold) + m["lockoutThreshold"] = ldb.MessageElement(str(account_lockout_threshold), + ldb.FLAG_MOD_REPLACE, "lockoutThreshold") + msgs.append("Account lockout threshold changed!") - m["lockoutThreshold"] = ldb.MessageElement(str(account_lockout_threshold), - ldb.FLAG_MOD_REPLACE, "lockoutThreshold") - msgs.append("Account lockout threshold changed!") + if reset_account_lockout_after is not None: + if reset_account_lockout_after == "default": + reset_account_lockout_after = 30 + else: + reset_account_lockout_after = int(reset_account_lockout_after) - if reset_account_lockout_after is not None: - if reset_account_lockout_after == "default": - reset_account_lockout_after = 30 - else: - reset_account_lockout_after = int(reset_account_lockout_after) + if reset_account_lockout_after < 0 or reset_account_lockout_after > 99999: + raise CommandError("Maximum password age must be in the range of 0 to 99999!") - if reset_account_lockout_after < 0 or reset_account_lockout_after > 99999: - raise CommandError("Maximum password age must be in the range of 0 to 99999!") + # minutes -> ticks + if reset_account_lockout_after == 0: + reset_account_lockout_after_ticks = -0x8000000000000000 + else: + reset_account_lockout_after_ticks = -int(reset_account_lockout_after * (60 * 1e7)) - # minutes -> ticks - if reset_account_lockout_after == 0: - reset_account_lockout_after_ticks = -0x8000000000000000 - else: - reset_account_lockout_after_ticks = -int(reset_account_lockout_after * (60 * 1e7)) + m["lockOutObservationWindow"] = ldb.MessageElement(str(reset_account_lockout_after_ticks), + ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow") + msgs.append("Duration to reset account lockout after changed!") - m["lockOutObservationWindow"] = ldb.MessageElement(str(reset_account_lockout_after_ticks), - ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow") - msgs.append("Duration to reset account lockout after changed!") + if max_pwd_age > 0 and min_pwd_age >= max_pwd_age: + raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age)) - if max_pwd_age > 0 and min_pwd_age >= max_pwd_age: - raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age)) + if len(m) == 0: + raise CommandError("You must specify at least one option to set. Try --help") + samdb.modify(m) + msgs.append("All changes applied successfully!") + self.message("\n".join(msgs)) - if len(m) == 0: - raise CommandError("You must specify at least one option to set. Try --help") - samdb.modify(m) - msgs.append("All changes applied successfully!") - self.message("\n".join(msgs)) - else: - raise CommandError("Wrong argument '%s'!" % subcommand) +class cmd_domain_passwordsettings(SuperCommand): + """Manage password policy settings.""" + subcommands = {} + subcommands["show"] = cmd_domain_passwordsettings_show() + subcommands["set"] = cmd_domain_passwordsettings_set() class cmd_domain_classicupgrade(Command): """Upgrade from Samba classic (NT4-like) database to Samba AD DC database. -- cgit v1.2.3