>From 87c2734c0fed8be0cd87ec6f4a1c5bf686e96807 Mon Sep 17 00:00:00 2001
From: Rowland Penny
Date: Mon, 16 Nov 2015 15:51:42 +0000
Subject: [PATCH 2/4] user.py: update user with nis attributes
Signed-off-by: Rowland Penny
---
python/samba/netcmd/user.py | 156 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 156 insertions(+)
diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index ec91a93..5e491af 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -611,6 +611,161 @@ Example3 shows how an administrator would reset TestUser3 user's password to pas self.outf.write("Changed password OK\n") +class cmd_user_nis_add(Command): + """Add NIS attributes to a user. + +This command adds NIS info to a user account in the Active +Directory domain. +The username specified on the command is the sAMaccountName. + +Unix (RFC2307) attributes will be added to the user account. +Add 'idmap_ldb:use rfc2307 = Yes' to smb.conf to use these +attributes for UID/GID mapping. + +The command may be run from the root userid or another authorized userid. +The -H or --URL= option can be used to execute the command +against a remote server. + +Example: +samba-tool user nisadd User1 --nis-domain=samdom --uid-number=10005 \ +--unix-home=/home/User1 --login-shell=/bin/false [--group-name=unixgroup] + +The example shows how to add RFC2307/NIS attributes to a domain +enabled user account. +The first four parameters are mandatory. + +if the parameter '--group-name' is given, then the groups 'gidNumber' +will be obtained and used for the users 'gidNumber' attribute, this +does of course mean that the group MUST have a 'gidNumber. + +If the last parameter, '--group-name' & is omitted, the users gidNumber +will be set to the gidNumber found in Domain Users. +This means that 'Domain Users' MUST have a gidNumber. 
+""" + synopsis = "%prog [options]" + + takes_options = [ + Option("-H", "--URL", help="LDB URL for database or target server", + type=str, metavar="URL", dest="H"), + Option("--nis-domain", help="User's Unix/RFC2307 NIS domain", + type=str), + Option("--unix-home", help="User's Unix/RFC2307 home directory", + type=str), + Option("--group-name", help="A Unix/RFC2307 enabled AD group", + type=str), + Option("--login-shell", help="User's Unix/RFC2307 login shell", + type=str), + Option("--uid-number", help="User's Unix/RFC2307 numeric UID", + type=str), + Option("--gid-number", help="User's Unix/RFC2307 numeric GID number", + type=str), + + ] + + takes_args = ["username"] + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "credopts": options.CredentialsOptions, + "versionopts": options.VersionOptions, + } + + def run(self, username, credopts=None, sambaopts=None, versionopts=None, + H=None, nis_domain=None, unix_home=None, uid_number=None, + gid_number=None, group_name=None, login_shell=None): + + lp = sambaopts.get_loadparm() + creds = credopts.get_credentials(lp) + + samdb = SamDB(url=H, session_info=system_session(), credentials=creds, + lp=lp) + + if None in (nis_domain, uid_number, login_shell, unix_home): + raise CommandError('Missing parameters. To enable NIS features, ' + 'the following options have to be given: ' + '--nis-domain=, --uid-number, --login-shell=,' + ' --unix-home=, Operation cancelled.') + + domain_dn = samdb.domain_dn() + search_filter = "(samaccountname=%s)" % username + user_dn = samdb.get_object_dn(search_filter) + + # what if user already is a NIS user?? + res = samdb.search(user_dn, + scope=ldb.SCOPE_BASE, + attrs=["uidNumber"]) + if "uidNumber" in res[0]: + raise CommandError("User %s already is a NIS user." 
% username) + + if group_name is not None: + # get users primary GID from group_name + search_filter = "samaccountname=%s" % group_name + group_dn = samdb.get_object_dn(search_filter) + try: + res = samdb.search(group_dn, + scope=ldb.SCOPE_SUBTREE, + attrs=["gidNumber"]) + assert len(res) == 1 + gid_number = res[0]["gidNumber"][0] + except: + raise CommandError("Group %s does not have a gidNumber" % + group_name) + + if group_name is None: + # set users primary GID to the one from Domain Users + du_dn = "CN=Domain Users,CN=Users," + domain_dn + try: + res = samdb.search(du_dn, + scope=ldb.SCOPE_SUBTREE, + attrs=["gidNumber"]) + assert len(res) == 1 + gid_number = res[0]["gidNumber"][0] + except: + raise CommandError("Domain Users Group does \ +not have a gidNumber attribute") + + if not lp.get("idmap_ldb:use rfc2307"): + self.outf.write("You are setting a Unix/RFC2307 UID or GID. \ +You may want to set 'idmap_ldb:use rfc2307 = Yes' in smb.conf to use those \ +attributes for XID/SID-mapping.\n") + + update_user = """ +dn: %s +changetype: modify +add: uid +uid: %s +- +add: msSFU30Name +msSFU30Name: %s +- +add: msSFU30NisDomain +msSFU30NisDomain: %s +- +add: uidNumber +uidNumber: %s +- +add: gidNumber +gidNumber: %s +- +add: loginShell +loginShell: %s +- +add: unixHomeDirectory +unixHomeDirectory: %s +- +add: unixUserPassword +unixUserPassword: ABCD!efgh12345$67890 +""" % (user_dn, username, username, nis_domain, uid_number, gid_number, + login_shell, unix_home) + + try: + samdb.modify_ldif(update_user) + except Exception, e: + raise CommandError("Failed to update user '%s': " % username, e) + + self.outf.write("User '%s' updated successfully\n" % username) + + class cmd_user(SuperCommand): """User management.""" @@ -624,3 +779,4 @@ class cmd_user(SuperCommand): subcommands["setexpiry"] = cmd_user_setexpiry() subcommands["password"] = cmd_user_password() subcommands["setpassword"] = cmd_user_setpassword() + subcommands["nisadd"] = cmd_user_nis_add() -- 1.7.10.4
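Review bot: `run()` pastes `username` and `group_name` unescaped into the two `samaccountname=` search filters and then formats every option value straight into the LDIF given to `samdb.modify_ldif()`, so filter metacharacters in a name change which object is matched and a newline in `--unix-home`, `--login-shell` or `--nis-domain` adds LDIF lines nobody reviewed. Escape the filter operands with `ldb.binary_encode()` and build the modification as an `ldb.Message`, as sketched below, so values travel as data rather than as syntax. The constant `unixUserPassword` value ends up identical on every account this command touches; if it is only a placeholder, a comment should say so, otherwise the attribute should be left out. `--gid-number` is declared but both branches overwrite `gid_number`, and the `assert len(res) == 1` under a bare `except:` vanishes with `-O` and hides unrelated failures, so an explicit length check with a narrow `except` would be clearer.

```python
        # … unchanged: mandatory-option check, domain_dn lookup …
        search_filter = "(samaccountname=%s)" % ldb.binary_encode(username)
        # … unchanged: uidNumber check, gidNumber lookup (escape group_name the same way), smb.conf hint …
        m = ldb.Message()
        m.dn = ldb.Dn(samdb, str(user_dn))
        for attr, value in (("uid", username),
                            ("msSFU30Name", username),
                            ("msSFU30NisDomain", nis_domain),
                            ("uidNumber", uid_number),
                            ("gidNumber", gid_number),
                            ("loginShell", login_shell),
                            ("unixHomeDirectory", unix_home),
                            ("unixUserPassword", "ABCD!efgh12345$67890")):
            # each value is passed as an attribute value, never parsed as LDIF
            m[attr] = ldb.MessageElement(str(value), ldb.FLAG_MOD_ADD, attr)

        try:
            samdb.modify(m)
        # … unchanged: except clause, success message …
```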