[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Fri Aug 17 03:54:01 UTC 2018
The branch, master has been updated
via b0130fe docs smb.conf: Clarify that wreplsrv:periodic_interval is in seconds
via f9ff50a Refactor for PEP8 warning E501 line too long
via 60b4a1b Refactor for PEP8 warning E501 line too long
via 68f8a1c2 Fix PEP8 warning E501 line too long
via 7065f52 Refactor for PEP8 warning E501 line too long
via a86e2b3 Refactor for PEP8 warning E501 line too long
via 2bd0a20 Fix PEP8 warning W503 line break before binary operator
via 26ece82 Fix PEP8 warning W291 trailing whitespace
via 87b919b Fix PEP8 warning E303 too many blank lines
via b8920aa Fix PEP8 warning E302 expected 2 blank lines
via 092130b Fix PEP8 warning E231 missing whitespace after ','
via e741a19 Fix PEP8 warning F401 'blah' imported but unused
via 1a30a68 Fix PEP8 warning E225 missing whitespace around operator
via 30e6e04 Fix PEP8 warning F841 local variable 'blah' is assigned to but never used
via 3a05054 samba-tool domain passwordsettings: Avoid except Exception
via 078bd79 python/pso tests: use string .format() style rather than C-style %s/%d.
via 9b86c5f Fix PEP8 warning E122/E126/E127 wrong indent for continuation lines
via 96b726e Fix PEP8 warning E201/202/203 array/dict whitespace
via a39c8f44 Fix PEP8 warning E711 comparison to None
via cd3b06f python3: reuse cmp_fn defined in compat.py
via 2f37149 python/samba/tests: fix SamDB dummy replacement
via d313e0e descriptor: add missing backslash for long sddl str
from 3990df0 WHATSNEW: Add information on new GPO features
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b0130fe4a8aa26919f254dc8a9af80ef942099be
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 17 09:56:57 2018 +1200
docs smb.conf: Clarify that wreplsrv:periodic_interval is in seconds
As requested by oota on samba-technical
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Aug 17 05:53:54 CEST 2018 on sn-devel-144
commit f9ff50ae7c493f84d9ac7271e86efd7aba2b7ce9
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 15:55:36 2018 +1200
Refactor for PEP8 warning E501 line too long
Rename a couple of really long functions.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 60b4a1be063888ddac0f484158517aa10b219b5a
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 15:27:09 2018 +1200
Refactor for PEP8 warning E501 line too long
Add a wrapper function to avoid long lines. This also helps
a little to manage/contain the complexity of the code.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 68f8a1c2747fd51a633b34dc4301b1f6acae5de6
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 14:34:16 2018 +1200
Fix PEP8 warning E501 line too long
Mostly involves splitting up long strings or comments so that they
span multiple lines. Some place-holder variables have been added in a
few places to avoid exceeding 80 chars.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 7065f5299f04f4a7f766f97cf90cb3c913491005
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 14:36:10 2018 +1200
Refactor for PEP8 warning E501 line too long
Rename a parameter that an internal function takes so that the function
call doesn't overrun 80 chars.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit a86e2b347a1dc0f7baeae57ff86f6832852d6660
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 14:04:10 2018 +1200
Refactor for PEP8 warning E501 line too long
The attribute names here are so long it means there's not a very nice
way to wrap the long lines, so add a helper function
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 2bd0a208dffabe6193c03b912feb7cb86769be04
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 13:49:16 2018 +1200
Fix PEP8 warning W503 line break before binary operator
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 26ece82e5ec40b8f150c888c6e8fba1c85639e4c
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 13:46:55 2018 +1200
Fix PEP8 warning W291 trailing whitespace
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 87b919b6192c17e14f1663d3512db34417c7de97
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 13:43:22 2018 +1200
Fix PEP8 warning E303 too many blank lines
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b8920aab21325010fe161a9fd7a279fc3de7790d
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 13:42:18 2018 +1200
Fix PEP8 warning E302 expected 2 blank lines
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 092130be0f5cc5b206abc254543d19661cabc071
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 13:12:28 2018 +1200
Fix PEP8 warning E231 missing whitespace after ','
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit e741a1939c13bbd3c9f4ef4ec8c44a32d0c1661b
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 12:31:43 2018 +1200
Fix PEP8 warning F401 'blah' imported but unused
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 1a30a68b4a33b5aaacf768b489bf4e444d03ff5a
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 13:26:23 2018 +1200
Fix PEP8 warning E225 missing whitespace around operator
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 30e6e04c4c0dd9ed4277f88006f2d59247e86590
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 12:38:55 2018 +1200
Fix PEP8 warning F841 local variable 'blah' is assigned to but never used
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 3a050542688bc50a0cef463ff468014218ab919f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 10 13:06:36 2018 +1200
samba-tool domain passwordsettings: Avoid except Exception
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 078bd79501d0d4f3c60db7fcab7999eabdcf4cd6
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed Aug 15 17:21:43 2018 +1200
python/pso tests: use string .format() style rather than C-style %s/%d.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 9b86c5f8bc0eec4d0b818430adea6195bfa6922c
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 12:50:41 2018 +1200
Fix PEP8 warning E122/E126/E127 wrong indent for continuation lines
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 96b726ea86071004d22980b017a03746f39fc25f
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 13:36:18 2018 +1200
Fix PEP8 warning E201/202/203 array/dict whitespace
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit a39c8f44319b2bdff376ce690ec0fd4f94d0e6bc
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 27 13:33:26 2018 +1200
Fix PEP8 warning E711 comparison to None
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit cd3b06fab0a3b5ac0730f8d025b7f20fdf1b3b30
Author: Joe Guo <joeg at catalyst.net.nz>
Date: Mon Jul 30 14:13:14 2018 +1200
python3: reuse cmp_fn defined in compat.py
This will also fix PEP8 E306:
expected 1 blank line before a nested definition, found 0
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 2f37149341afae74738bfd6560333b75edf2b89f
Author: Joe Guo <joeg at catalyst.net.nz>
Date: Mon Jul 30 13:56:55 2018 +1200
python/samba/tests: fix SamDB dummy replacement
In commit 6de9d878b, a dummy SamDB lambda was added:
SamDB = lambda *x: None
The `*x` will only cover positional args. If we call it with kwargs:
samdb = SamDB(url=url)
We will get TypeError:
<lambda>() got an unexpected keyword argument 'url'
This commit fix this. It also fix PEP8 E731:
do not assign a lambda expression, use a def
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13542
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit d313e0e48dac6d517227cf1eff241bd7016b0dde
Author: Joe Guo <joeg at catalyst.net.nz>
Date: Mon Jul 30 11:50:18 2018 +1200
descriptor: add missing backslash for long sddl str
Find this bug while doing PEP8.
We are lucky this code was not used yet.
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
.../smbdotconf/wins/wreplsrv-periodic_interval.xml | 2 +-
python/samba/descriptor.py | 4 +-
python/samba/netcmd/pso.py | 223 +++++++++++++--------
python/samba/tests/__init__.py | 4 +-
python/samba/tests/pso.py | 67 ++++---
python/samba/tests/samba_tool/passwordsettings.py | 105 +++++-----
python/samba/upgradehelpers.py | 4 +-
source4/dsdb/tests/python/password_settings.py | 87 ++++----
source4/torture/drs/python/getncchanges.py | 145 ++++++++------
source4/torture/drs/python/link_conflicts.py | 169 ++++++++++------
10 files changed, 474 insertions(+), 336 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/wins/wreplsrv-periodic_interval.xml b/docs-xml/smbdotconf/wins/wreplsrv-periodic_interval.xml
index 5b44993..a3414e3 100644
--- a/docs-xml/smbdotconf/wins/wreplsrv-periodic_interval.xml
+++ b/docs-xml/smbdotconf/wins/wreplsrv-periodic_interval.xml
@@ -3,7 +3,7 @@
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This maximum interval in s between 2 periodically scheduled runs
+ <para>This maximum interval in seconds between 2 periodically scheduled runs
where we check for wins.ldb changes and do push notifications to our
push partners. Also wins_config.ldb changes are checked in that
interval and partner configuration reloads are done.
diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
index 1e56e53..7a55e27 100644
--- a/python/samba/descriptor.py
+++ b/python/samba/descriptor.py
@@ -374,8 +374,8 @@ def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}):
def get_paritions_crossref_subdomain_descriptor(domain_sid, name_map={}):
sddl = "O:SubdomainAdminsG:SubdomainAdminsD:AI" \
- "(A;;RPWPCRCCLCLORCWOWDSW;;;SubdomainAdmins)"
- "(A;;RPLCLORC;;;AU)"
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;SubdomainAdmins)" \
+ "(A;;RPLCLORC;;;AU)" \
"(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
return sddl2binary(sddl, domain_sid, name_map)
diff --git a/python/samba/netcmd/pso.py b/python/samba/netcmd/pso.py
index b12f00d..96f0b4f 100644
--- a/python/samba/netcmd/pso.py
+++ b/python/samba/netcmd/pso.py
@@ -15,21 +15,21 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import samba
import samba.getopt as options
import ldb
from samba.samdb import SamDB
from samba.netcmd import (Command, CommandError, Option, SuperCommand)
-from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT
+from samba.dcerpc.samr import (DOMAIN_PASSWORD_COMPLEX,
+ DOMAIN_PASSWORD_STORE_CLEARTEXT)
from samba.auth import system_session
-import pdb
-
NEVER_TIMESTAMP = int(-0x8000000000000000)
+
def pso_container(samdb):
return "CN=Password Settings Container,CN=System,%s" % samdb.domain_dn()
+
def timestamp_to_mins(timestamp_str):
"""Converts a timestamp in -100 nanosecond units to minutes"""
# treat a timestamp of 'never' the same as zero (this should work OK for
@@ -40,25 +40,29 @@ def timestamp_to_mins(timestamp_str):
else:
return abs(int(timestamp_str)) / (1e7 * 60)
+
def timestamp_to_days(timestamp_str):
"""Converts a timestamp in -100 nanosecond units to days"""
return timestamp_to_mins(timestamp_str) / (60 * 24)
+
def mins_to_timestamp(mins):
"""Converts a value in minutes to -100 nanosecond units"""
timestamp = -int((1e7) * 60 * mins)
return str(timestamp)
+
def days_to_timestamp(days):
"""Converts a value in days to -100 nanosecond units"""
timestamp = mins_to_timestamp(days * 60 * 24)
return str(timestamp)
+
def show_pso_by_dn(outf, samdb, dn, show_applies_to=True):
"""Displays the password settings for a PSO specified by DN"""
# map from the boolean LDB value to the CLI string the user sees
- on_off_str = { "TRUE" : "on", "FALSE" : "off" }
+ on_off_str = {"TRUE": "on", "FALSE": "off"}
pso_attrs = ['name', 'msDS-PasswordSettingsPrecedence',
'msDS-PasswordReversibleEncryptionEnabled',
@@ -103,20 +107,24 @@ def show_pso_by_dn(outf, samdb, dn, show_applies_to=True):
else:
outf.write("\nNote: PSO does not apply to any users or groups.\n")
+
def check_pso_valid(samdb, pso_dn, name):
"""Gracefully bail out if we can't view/modify the PSO specified"""
# the base scope search for the PSO throws an error if it doesn't exist
try:
res = samdb.search(pso_dn, scope=ldb.SCOPE_BASE,
attrs=['msDS-PasswordSettingsPrecedence'])
- except Exception as e:
- raise CommandError("Unable to find PSO '%s'" % name)
+ except ldb.LdbError as e:
+ if e.args[0] == ldb.ERR_NO_SUCH_OBJECT:
+ raise CommandError("Unable to find PSO '%s'" % name)
+ raise
# users need admin permission to modify/view a PSO. In this case, the
# search succeeds, but it doesn't return any attributes
if 'msDS-PasswordSettingsPrecedence' not in res[0]:
raise CommandError("You may not have permission to view/modify PSOs")
+
def show_pso_for_user(outf, samdb, username):
"""Displays the password settings for a specific user"""
@@ -129,8 +137,8 @@ def show_pso_for_user(outf, samdb, username):
if len(res) == 0:
outf.write("User '%s' not found.\n" % username)
elif 'msDS-ResultantPSO' not in res[0]:
- outf.write("No PSO applies to user '%s'. The default domain settings apply.\n"
- % username)
+ outf.write("No PSO applies to user '%s'. "
+ "The default domain settings apply.\n" % username)
outf.write("Refer to 'samba-tool domain passwordsettings show'.\n")
else:
# sanity-check user has permissions to view PSO details (non-admin
@@ -143,15 +151,21 @@ def show_pso_for_user(outf, samdb, username):
# PSOs that apply directly to a user don't necessarily have the best
# precedence, which could be a little confusing for PSO management
if 'msDS-PSOApplied' in res[0]:
- outf.write("\nNote: PSO applies directly to user (any group PSOs are overridden)\n")
+ outf.write("\nNote: PSO applies directly to user "
+ "(any group PSOs are overridden)\n")
else:
outf.write("\nPSO applies to user via group membership.\n")
+
+def msg_add_attr(msg, attr_name, value, ldb_oper):
+ msg[attr_name] = ldb.MessageElement(value, ldb_oper, attr_name)
+
+
def make_pso_ldb_msg(outf, samdb, pso_dn, create, lockout_threshold=None,
complexity=None, precedence=None, store_plaintext=None,
history_length=None, min_pwd_length=None,
min_pwd_age=None, max_pwd_age=None, lockout_duration=None,
- reset_account_lockout_after=None):
+ reset_lockout_after=None):
"""Packs the given PSO settings into an LDB message"""
m = ldb.Message()
@@ -165,32 +179,30 @@ def make_pso_ldb_msg(outf, samdb, pso_dn, create, lockout_threshold=None,
ldb_oper = ldb.FLAG_MOD_REPLACE
if precedence is not None:
- m["msDS-PasswordSettingsPrecedence"] = ldb.MessageElement(str(precedence),
- ldb_oper, "msDS-PasswordSettingsPrecedence")
+ msg_add_attr(m, "msDS-PasswordSettingsPrecedence", str(precedence),
+ ldb_oper)
if complexity is not None:
bool_str = "TRUE" if complexity == "on" else "FALSE"
- m["msDS-PasswordComplexityEnabled"] = ldb.MessageElement(bool_str,
- ldb_oper, "msDS-PasswordComplexityEnabled")
+ msg_add_attr(m, "msDS-PasswordComplexityEnabled", bool_str, ldb_oper)
if store_plaintext is not None:
bool_str = "TRUE" if store_plaintext == "on" else "FALSE"
- m["msDS-msDS-PasswordReversibleEncryptionEnabled"] = \
- ldb.MessageElement(bool_str, ldb_oper,
- "msDS-PasswordReversibleEncryptionEnabled")
+ msg_add_attr(m, "msDS-PasswordReversibleEncryptionEnabled",
+ bool_str, ldb_oper)
if history_length is not None:
- m["msDS-PasswordHistoryLength"] = ldb.MessageElement(str(history_length),
- ldb_oper, "msDS-PasswordHistoryLength")
+ msg_add_attr(m, "msDS-PasswordHistoryLength", str(history_length),
+ ldb_oper)
if min_pwd_length is not None:
- m["msDS-MinimumPasswordLength"] = ldb.MessageElement(str(min_pwd_length),
- ldb_oper, "msDS-MinimumPasswordLength")
+ msg_add_attr(m, "msDS-MinimumPasswordLength", str(min_pwd_length),
+ ldb_oper)
if min_pwd_age is not None:
min_pwd_age_ticks = days_to_timestamp(min_pwd_age)
- m["msDS-MinimumPasswordAge"] = ldb.MessageElement(min_pwd_age_ticks,
- ldb_oper, "msDS-MinimumPasswordAge")
+ msg_add_attr(m, "msDS-MinimumPasswordAge", min_pwd_age_ticks,
+ ldb_oper)
if max_pwd_age is not None:
# Windows won't let you set max-pwd-age to zero. Here we take zero to
@@ -199,63 +211,73 @@ def make_pso_ldb_msg(outf, samdb, pso_dn, create, lockout_threshold=None,
max_pwd_age_ticks = str(NEVER_TIMESTAMP)
else:
max_pwd_age_ticks = days_to_timestamp(max_pwd_age)
- m["msDS-MaximumPasswordAge"] = ldb.MessageElement(max_pwd_age_ticks,
- ldb_oper, "msDS-MaximumPasswordAge")
+ msg_add_attr(m, "msDS-MaximumPasswordAge", max_pwd_age_ticks, ldb_oper)
if lockout_duration is not None:
lockout_duration_ticks = mins_to_timestamp(lockout_duration)
- m["msDS-LockoutDuration"] = ldb.MessageElement(lockout_duration_ticks,
- ldb_oper, "msDS-LockoutDuration")
+ msg_add_attr(m, "msDS-LockoutDuration", lockout_duration_ticks,
+ ldb_oper)
if lockout_threshold is not None:
- m["msDS-LockoutThreshold"] = ldb.MessageElement(str(lockout_threshold),
- ldb_oper, "msDS-LockoutThreshold")
+ msg_add_attr(m, "msDS-LockoutThreshold", str(lockout_threshold),
+ ldb_oper)
- if reset_account_lockout_after is not None:
- observation_window_ticks = mins_to_timestamp(reset_account_lockout_after)
- m["msDS-LockoutObservationWindow"] = ldb.MessageElement(observation_window_ticks,
- ldb_oper, "msDS-LockoutObservationWindow")
+ if reset_lockout_after is not None:
+ msg_add_attr(m, "msDS-LockoutObservationWindow",
+ mins_to_timestamp(reset_lockout_after), ldb_oper)
return m
+
def check_pso_constraints(min_pwd_length=None, history_length=None,
min_pwd_age=None, max_pwd_age=None):
"""Checks PSO settings fall within valid ranges"""
# check values as per section 3.1.1.5.2.2 Constraints in MS-ADTS spec
if history_length is not None and history_length > 1024:
- raise CommandError("Bad password history length: valid range is 0 to 1024")
+ raise CommandError("Bad password history length: "
+ "valid range is 0 to 1024")
if min_pwd_length is not None and min_pwd_length > 255:
- raise CommandError("Bad minimum password length: valid range is 0 to 255")
+ raise CommandError("Bad minimum password length: "
+ "valid range is 0 to 255")
if min_pwd_age is not None and max_pwd_age is not None:
# note max-age=zero is a special case meaning 'never expire'
if min_pwd_age >= max_pwd_age and max_pwd_age != 0:
- raise CommandError("Minimum password age must be less than the maximum age")
+ raise CommandError("Minimum password age must be less than "
+ "maximum age")
# the same args are used for both create and set commands
pwd_settings_options = [
- Option("--complexity", type="choice", choices=["on","off"],
+ Option("--complexity", type="choice", choices=["on", "off"],
help="The password complexity (on | off)."),
- Option("--store-plaintext", type="choice", choices=["on","off"],
- help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off)."),
+ Option("--store-plaintext", type="choice", choices=["on", "off"],
+ help="Store plaintext passwords where account have "
+ "'store passwords with reversible encryption' set (on | off)."),
Option("--history-length",
help="The password history length (<integer>).", type=int),
Option("--min-pwd-length",
help="The minimum password length (<integer>).", type=int),
Option("--min-pwd-age",
- help="The minimum password age (<integer in days>). Default is domain setting.", type=int),
+ help=("The minimum password age (<integer in days>). "
+ "Default is domain setting."), type=int),
Option("--max-pwd-age",
- help="The maximum password age (<integer in days>). Default is domain setting.", type=int),
- Option("--account-lockout-duration",
- help="The the length of time an account is locked out after exeeding the limit on bad password attempts (<integer in mins>). Default is domain setting", type=int),
- Option("--account-lockout-threshold",
- help="The number of bad password attempts allowed before locking out the account (<integer>). Default is domain setting.", type=int),
+ help=("The maximum password age (<integer in days>). "
+ "Default is domain setting."), type=int),
+ Option("--account-lockout-duration", type=int,
+ help=("The length of time an account is locked out after exceeding "
+ "the limit on bad password attempts (<integer in mins>). "
+ "Default is domain setting")),
+ Option("--account-lockout-threshold", type=int,
+ help=("The number of bad password attempts allowed before locking "
+ "out the account (<integer>). Default is domain setting.")),
Option("--reset-account-lockout-after",
- help="After this time is elapsed, the recorded number of attempts restarts from zero (<integer in mins>). Default is domain setting.", type=int),
- ]
+ help=("After this time is elapsed, the recorded number of attempts "
+ "restarts from zero (<integer in mins>). "
+ "Default is domain setting."), type=int)]
+
def num_options_in_args(options, args):
"""
@@ -271,6 +293,7 @@ def num_options_in_args(options, args):
num_opts += 1
return num_opts
+
class cmd_domain_pwdsettings_pso_create(Command):
"""Creates a new Password Settings Object (PSO).
@@ -298,8 +321,8 @@ class cmd_domain_pwdsettings_pso_create(Command):
}
takes_options = pwd_settings_options + [
- Option("-H", "--URL", help="LDB URL for database or target server", type=str,
- metavar="URL", dest="H"),
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ metavar="URL", dest="H", type=str)
]
takes_args = ["psoname", "precedence"]
@@ -318,14 +341,18 @@ class cmd_domain_pwdsettings_pso_create(Command):
try:
precedence = int(precedence)
except ValueError:
- raise CommandError("The PSO's precedence should be a numerical value. Try --help")
+ raise CommandError("The PSO's precedence should be "
+ "a numerical value. Try --help")
# sanity-check that the PSO doesn't already exist
pso_dn = "CN=%s,%s" % (psoname, pso_container(samdb))
try:
res = samdb.search(pso_dn, scope=ldb.SCOPE_BASE)
- except Exception as e:
- pass
+ except ldb.LdbError as e:
+ if e.args[0] == ldb.ERR_NO_SUCH_OBJECT:
+ pass
+ else:
+ raise
else:
raise CommandError("PSO '%s' already exists" % psoname)
@@ -333,14 +360,17 @@ class cmd_domain_pwdsettings_pso_create(Command):
# otherwise there's no point in creating a PSO
num_pwd_args = num_options_in_args(pwd_settings_options, self.raw_argv)
if num_pwd_args == 0:
- raise CommandError("Please specify at least one password policy setting. Try --help")
+ raise CommandError("Please specify at least one password policy "
+ "setting. Try --help")
# it's unlikely that the user will specify all 9 password policy
# settings on the CLI - current domain password-settings as the default
# values for unspecified arguments
if num_pwd_args < len(pwd_settings_options):
- self.message("Not all password policy options have been specified.")
- self.message("For unspecified options, the current domain password settings will be used as the default values.")
+ self.message("Not all password policy options "
+ "have been specified.")
+ self.message("For unspecified options, the current domain password"
+ " settings will be used as the default values.")
# lookup the current domain password-settings
res = samdb.search(samdb.domain_dn(), scope=ldb.SCOPE_BASE,
@@ -395,7 +425,7 @@ class cmd_domain_pwdsettings_pso_create(Command):
min_pwd_age=min_pwd_age, max_pwd_age=max_pwd_age,
lockout_duration=account_lockout_duration,
lockout_threshold=account_lockout_threshold,
- reset_account_lockout_after=reset_account_lockout_after)
+ reset_lockout_after=reset_account_lockout_after)
# create the new PSO
try:
@@ -406,9 +436,12 @@ class cmd_domain_pwdsettings_pso_create(Command):
except ldb.LdbError as e:
(num, msg) = e.args
if num == ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS:
- raise CommandError("Administrator permissions are needed to create a PSO.")
+ raise CommandError("Administrator permissions are needed "
+ "to create a PSO.")
else:
- raise CommandError("Failed to create PSO '%s': %s" %(pso_dn, msg))
+ raise CommandError("Failed to create PSO '%s': %s" % (pso_dn,
+ msg))
+
class cmd_domain_pwdsettings_pso_set(Command):
"""Modifies a Password Settings Object (PSO)."""
@@ -423,7 +456,8 @@ class cmd_domain_pwdsettings_pso_set(Command):
takes_options = pwd_settings_options + [
Option("--precedence", type=int,
- help="This PSO's precedence relative to other PSOs. Lower precedence is better (<integer>)."),
+ help=("This PSO's precedence relative to other PSOs. "
+ "Lower precedence is better (<integer>).")),
Option("-H", "--URL", help="LDB URL for database or target server",
type=str, metavar="URL", dest="H"),
]
@@ -448,19 +482,23 @@ class cmd_domain_pwdsettings_pso_set(Command):
# we expect the user to specify at least one password-policy setting
num_pwd_args = num_options_in_args(pwd_settings_options, self.raw_argv)
if num_pwd_args == 0 and precedence is None:
- raise CommandError("Please specify at least one password policy setting. Try --help")
+ raise CommandError("Please specify at least one password policy "
+ "setting. Try --help")
if min_pwd_age is not None or max_pwd_age is not None:
- # if we're modifying either the max or min pwd-age, check the max is
- # always larger. We may have to fetch the PSO's setting to verify this
+ # if we're modifying either the max or min pwd-age, check the max
+ # is always larger. We may have to fetch the PSO's setting to
+ # verify this
res = samdb.search(pso_dn, scope=ldb.SCOPE_BASE,
attrs=['msDS-MinimumPasswordAge',
'msDS-MaximumPasswordAge'])
if min_pwd_age is None:
- min_pwd_age = timestamp_to_days(res[0]['msDS-MinimumPasswordAge'][0])
+ min_pwd_ticks = res[0]['msDS-MinimumPasswordAge'][0]
+ min_pwd_age = timestamp_to_days(min_pwd_ticks)
if max_pwd_age is None:
- max_pwd_age = timestamp_to_days(res[0]['msDS-MaximumPasswordAge'][0])
+ max_pwd_ticks = res[0]['msDS-MaximumPasswordAge'][0]
+ max_pwd_age = timestamp_to_days(max_pwd_ticks)
check_pso_constraints(max_pwd_age=max_pwd_age, min_pwd_age=min_pwd_age,
history_length=history_length,
@@ -475,7 +513,7 @@ class cmd_domain_pwdsettings_pso_set(Command):
min_pwd_age=min_pwd_age, max_pwd_age=max_pwd_age,
lockout_duration=account_lockout_duration,
lockout_threshold=account_lockout_threshold,
- reset_account_lockout_after=reset_account_lockout_after)
+ reset_lockout_after=reset_account_lockout_after)
# update the PSO
try:
@@ -485,7 +523,7 @@ class cmd_domain_pwdsettings_pso_set(Command):
show_pso_by_dn(self.outf, samdb, pso_dn, show_applies_to=False)
except ldb.LdbError as e:
(num, msg) = e.args
- raise CommandError("Failed to update PSO '%s': %s" %(pso_dn, msg))
+ raise CommandError("Failed to update PSO '%s': %s" % (pso_dn, msg))
class cmd_domain_pwdsettings_pso_delete(Command):
@@ -500,8 +538,8 @@ class cmd_domain_pwdsettings_pso_delete(Command):
}
takes_options = [
- Option("-H", "--URL", help="LDB URL for database or target server", type=str,
- metavar="URL", dest="H"),
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ metavar="URL", dest="H", type=str)
]
takes_args = ["psoname"]
@@ -527,6 +565,7 @@ def pso_cmp(a, b):
b_precedence = int(b['msDS-PasswordSettingsPrecedence'][0])
return a_precedence - b_precedence
+
class cmd_domain_pwdsettings_pso_list(Command):
"""Lists all Password Settings Objects (PSOs)."""
@@ -539,8 +578,8 @@ class cmd_domain_pwdsettings_pso_list(Command):
}
takes_options = [
- Option("-H", "--URL", help="LDB URL for database or target server", type=str,
- metavar="URL", dest="H"),
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ metavar="URL", dest="H", type=str)
]
def run(self, H=None, credopts=None, sambaopts=None, versionopts=None):
@@ -557,7 +596,8 @@ class cmd_domain_pwdsettings_pso_list(Command):
# an unprivileged search against Windows returns nothing here. On Samba
# we get the PSO names, but not their attributes
if len(res) == 0 or 'msDS-PasswordSettingsPrecedence' not in res[0]:
- self.outf.write("No PSOs are present, or you don't have permission to view them.\n")
+ self.outf.write("No PSOs are present, or you don't have permission"
+ " to view them.\n")
return
# sort the PSOs so they're displayed in order of precedence
@@ -568,7 +608,8 @@ class cmd_domain_pwdsettings_pso_list(Command):
for pso in pso_list:
precedence = pso['msDS-PasswordSettingsPrecedence']
- self.outf.write("%-10s | %s\n" %(precedence, pso['name']))
+ self.outf.write("%-10s | %s\n" % (precedence, pso['name']))
+
class cmd_domain_pwdsettings_pso_show(Command):
"""Display a Password Settings Object's details."""
@@ -582,8 +623,8 @@ class cmd_domain_pwdsettings_pso_show(Command):
}
takes_options = [
- Option("-H", "--URL", help="LDB URL for database or target server", type=str,
- metavar="URL", dest="H"),
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ metavar="URL", dest="H", type=str)
]
takes_args = ["psoname"]
@@ -612,8 +653,8 @@ class cmd_domain_pwdsettings_pso_show_user(Command):
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list