[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue May 29 06:31:03 UTC 2018
The branch, master has been updated
via 5b86203 python/samba/netcmd/schema.py: samdb schema update now
via 4b1a862 python/samba/tests/samba_tool/schema.py: Improve schema command testing
via 2c65184 python/samba/netcmd/schema.py: add schema show_oc for attribute
via 74d85d4 python/samba/netcmd/schema.py: add schema query and management.
via 289ae87 python/samba/netcmd/group.py: add group show
via b8e51a8 python/samba/netcmd/{forest.py,main.py}: add configuration controls
from e56b92b torture: Cope with WINBINDD_SHOW_SEQUENCE failure for fake trusts
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5b8620307edfd2897dd61c7e860d95662c547ecc
Author: William Brown <william at blackhats.net.au>
Date: Sat May 19 12:19:58 2018 +1000
python/samba/netcmd/schema.py: samdb schema update now
When we change schema values, we should trigger a schema update to refresh
the changes applied. This is called after a change is made. A helper to
samdb is added so that it's easier for other locations to call additionally.
Signed-off-by: William Brown <william at blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue May 29 08:30:52 CEST 2018 on sn-devel-144
commit 4b1a86235ba454b0e5e27ca621d87c8644b2a98c
Author: William Brown <william at blackhats.net.au>
Date: Mon May 28 10:30:39 2018 +1000
python/samba/tests/samba_tool/schema.py: Improve schema command testing
Assert the correct stdout content of the schema test commands.
Signed-off-by: William Brown <william at blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 2c65184270500dc99b1697af6e830d62093a627f
Author: William Brown <william at blackhats.net.au>
Date: Sun Apr 29 13:28:42 2018 +1200
python/samba/netcmd/schema.py: add schema show_oc for attribute
Often administrators need to add a specific attribute to an object, but
it may not be possible with the objectClasses present. This tool allows
searching "what objectclasses must or may?" take an attribute to help hint
to an administrator what objectclasses can be added to objects to achieve
the changes they want.
Signed-off-by: William Brown <william at blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 74d85d4cc246458f51ec9b264310959055f0a0b9
Author: William Brown <william at blackhats.net.au>
Date: Sat Apr 28 15:22:29 2018 +1000
python/samba/netcmd/schema.py: add schema query and management.
Schema management in Active Directory is complex and dangerous. Having
a tool that safely wraps administrative tasks as well as allowing query
of the schema will make this complex topic more accessible to administrators.
Signed-off-by: William Brown <william at blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 289ae87c3bb81b2e1cd30a876a3b694b7264edc5
Author: William Brown <william at blackhats.net.au>
Date: Thu Apr 26 13:59:06 2018 +1000
python/samba/netcmd/group.py: add group show
The samba-tool user command can show the ldif of a user. This is
useful for groups also, especially to determine the objectSID and
objectGUID. Add support for group show to samba-tool.
Signed-off-by: William Brown <william at blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit b8e51a8174682149bd8381163a6f1a4658da6271
Author: William Brown <william at blackhats.net.au>
Date: Wed Apr 25 17:36:17 2018 +1000
python/samba/netcmd/{forest.py,main.py}: add configuration controls
With samba-tool we should expose ways to easily administer and control
common configuration options. This adds the base framework for modifying
forest settings, generally stored in the cn=configuration partition.
An example is:
samba-tool forest directory_service show
samba-tool forest directory_service dsheuristics X
Signed-off-by: William Brown <william at blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/samba-tool.8.xml | 50 +++++
python/samba/ms_schema.py | 9 +-
python/samba/netcmd/domain.py | 11 +-
python/samba/netcmd/forest.py | 162 +++++++++++++++++
python/samba/netcmd/group.py | 81 +++++++++
python/samba/netcmd/main.py | 2 +
python/samba/netcmd/schema.py | 313 ++++++++++++++++++++++++++++++++
python/samba/samdb.py | 13 ++
python/samba/tests/samba_tool/forest.py | 66 +++++++
python/samba/tests/samba_tool/group.py | 10 +
python/samba/tests/samba_tool/schema.py | 113 ++++++++++++
source4/selftest/tests.py | 2 +
12 files changed, 819 insertions(+), 13 deletions(-)
create mode 100644 python/samba/netcmd/forest.py
create mode 100644 python/samba/netcmd/schema.py
create mode 100644 python/samba/tests/samba_tool/forest.py
create mode 100644 python/samba/tests/samba_tool/schema.py
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index f2154b9..f785e53 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -460,6 +460,26 @@
</refsect3>
<refsect2>
+ <title>forest</title>
+ <para>Manage Forest configuration.</para>
+</refsect2>
+
+<refsect3>
+ <title>forest directory_service</title>
+ <para>Manage directory_service behaviour for the forest.</para>
+</refsect3>
+
+<refsect3>
+ <title>forest directory_service dsheuristics <replaceable>VALUE</replaceable></title>
+ <para>Modify dsheuristics directory_service configuration for the forest.</para>
+</refsect3>
+
+<refsect3>
+ <title>forest directory_service show</title>
+ <para>Show current directory_service configuration for the forest.</para>
+</refsect3>
+
+<refsect2>
<title>fsmo</title>
<para>Manage Flexible Single Master Operations (FSMO).</para>
</refsect2>
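Review bot: the new `forest directory_service dsheuristics VALUE` entry should say that VALUE replaces the whole dsHeuristics string rather than one character position (forest.py writes it with `ldb.FLAG_MOD_REPLACE`), and should point the reader at `forest directory_service show` to read the current value first; otherwise an administrator who only wants to change the anonymous-search character can silently clear other heuristics already set on the forest.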
@@ -590,6 +610,11 @@
<para>Remove members from the specified AD group.</para>
</refsect3>
+<refsect3>
+ <title>group show <replaceable>groupname</replaceable> [options]</title>
+ <para>Show group object and it's attributes.</para>
+</refsect3>
+
<refsect2>
<title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
<para>Compare two LDAP databases.</para>
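Review bot: typo in the new `group show` entry: "Show group object and it's attributes." should read "its attributes".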
@@ -713,6 +738,31 @@
</refsect3>
<refsect2>
+ <title>schema</title>
+ <para>Manage and query schema.</para>
+</refsect2>
+
+<refsect3>
+ <title>schema attribute modify <replaceable>attribute</replaceable> [options]</title>
+ <para>Modify the behaviour of an attribute in schema.</para>
+</refsect3>
+
+<refsect3>
+ <title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
+ <para>Display an attribute schema definition.</para>
+</refsect3>
+
+<refsect3>
+ <title>schema attribute show_oc <replaceable>attribute</replaceable> [options]</title>
+ <para>Show objectclasses that MAY or MUST contain this attribute.</para>
+</refsect3>
+
+<refsect3>
+ <title>schema objectclass show <replaceable>objectclass</replaceable> [options]</title>
+ <para>Display an objectclass schema definition.</para>
+</refsect3>
+
+<refsect2>
<title>sites</title>
<para>Manage sites.</para>
</refsect2>
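Review bot: the `schema attribute modify` entry does not mention the `--searchflags` option the command takes, nor that it overwrites the attribute's searchFlags wholesale (the command's own docstring in schema.py warns about this); suggest expanding the para to "Modify the behaviour of an attribute in schema. --searchflags replaces the attribute's current searchFlags value; view it with schema attribute show first."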
diff --git a/python/samba/ms_schema.py b/python/samba/ms_schema.py
index de6e4b2..e83637542 100644
--- a/python/samba/ms_schema.py
+++ b/python/samba/ms_schema.py
@@ -36,14 +36,17 @@ bitFields["searchflags"] = {
'fTUPLEINDEX': 26, # TP
'fSUBTREEATTINDEX': 25, # ST
'fCONFIDENTIAL': 24, # CF
+ 'fCONFIDENTAIL': 24, # typo
'fNEVERVALUEAUDIT': 23, # NV
'fRODCAttribute': 22, # RO
# missing in ADTS but required by LDIF
- 'fRODCFilteredAttribute': 22, # RO ?
- 'fCONFIDENTAIL': 24, # typo
- 'fRODCFILTEREDATTRIBUTE': 22 # case
+ 'fRODCFilteredAttribute': 22, # RO
+ 'fRODCFILTEREDATTRIBUTE': 22, # case
+ 'fEXTENDEDLINKTRACKING': 21, # XL
+ 'fBASEONLY': 20, # BO
+ 'fPARTITIONSECRET': 19, # SE
}
# ADTS: 2.2.10
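Review bot: the comment "# missing in ADTS but required by LDIF" now heads 'fRODCFilteredAttribute', which the same hunk tags with the ADTS short code "# RO", so the two comments contradict each other; keep the compatibility aliases ('fCONFIDENTAIL' typo, 'fRODCFILTEREDATTRIBUTE' case variant) grouped under that one comment instead of interleaving them with the real MS-ADTS names. The three new entries (21, 20, 19) do continue the existing descending numbering (26, 25, 24, 23, 22), which is the consistency a reader will check.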
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 6698fc9..819ddd6 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -3909,15 +3909,6 @@ class ldif_schema_update:
self.dn = None
self.ldif = ""
- def _ldap_schemaUpdateNow(self, samdb):
- ldif = """
-dn:
-changetype: modify
-add: schemaUpdateNow
-schemaUpdateNow: 1
-"""
- samdb.modify_ldif(ldif)
-
def can_ignore_failure(self, error):
"""Checks if we can safely ignore failure to apply an LDIF update"""
(num, errstr) = error.args
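Review bot: removing `_ldap_schemaUpdateNow` makes this file depend on the new `SamDB.set_schema_update_now()` helper, which lives in python/samba/samdb.py (listed in the summary with +13 lines) but is not visible in this truncated changeset; confirm the helper issues the same empty-DN (rootDSE) modify (`add: schemaUpdateNow` / `schemaUpdateNow: 1`) with no extra controls, so the `_apply_updates_in_file()` path behaves exactly as before.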
@@ -3946,7 +3937,7 @@ schemaUpdateNow: 1
# Otherwise the OID-to-attribute mapping in
# _apply_updates_in_file() won't work, because it
# can't lookup the new OID in the schema
- self._ldap_schemaUpdateNow(samdb)
+ samdb.set_schema_update_now()
samdb.modify_ldif(self.ldif, controls=['relax:0'])
else:
diff --git a/python/samba/netcmd/forest.py b/python/samba/netcmd/forest.py
new file mode 100644
index 0000000..9b4f676
--- /dev/null
+++ b/python/samba/netcmd/forest.py
@@ -0,0 +1,162 @@
+# domain management
+#
+# Copyright William Brown <william at blackhats.net.au> 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import ldb
+import samba.getopt as options
+from samba.auth import system_session
+from samba.samdb import SamDB
+from samba.netcmd import (
+ Command,
+ CommandError,
+ SuperCommand,
+ Option
+ )
+
+class cmd_forest_show(Command):
+ """Display forest settings.
+
+ These settings control the behaviour of all domain controllers in this
+ forest. This displays those settings from the replicated configuration
+ partition.
+ """
+
+ synopsis = "%prog [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ type=str, metavar="URL", dest="H"),
+ ]
+
+ def run(self, H=None, credopts=None, sambaopts=None, versionopts=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ samdb = SamDB(url=H, session_info=system_session(),
+ credentials=creds, lp=lp)
+
+ domain_dn = samdb.domain_dn()
+ object_dn = "%s,%s" % (self.objectdn, domain_dn)
+
+ # Show all the settings we know how to set in the forest object!
+ res = samdb.search(base=object_dn, scope=ldb.SCOPE_BASE,
+ attrs=self.attributes)
+
+ # Now we just display these attributes. The value is that
+ # we make them a bit prettier and human accessible.
+ # There should only be one response!
+ res_object = res[0]
+
+ self.outf.write("Settings for %s\n" % object_dn)
+ for attr in self.attributes:
+ try:
+ self.outf.write("%s: %s\n" % (attr, res_object[attr][0]))
+ except KeyError:
+ self.outf.write("%s: <NO VALUE>\n" % attr)
+
+class cmd_forest_set(Command):
+ """Modify forest settings.
+
+ This will alter the setting specified to value.
+ """
+
+ attribute = None
+ objectdn = None
+
+ synopsis = "%prog value [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ type=str, metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["value"]
+
+ def run(self, value, H=None, credopts=None, sambaopts=None, versionopts=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ samdb = SamDB(url=H, session_info=system_session(),
+ credentials=creds, lp=lp)
+
+ domain_dn = samdb.domain_dn()
+ object_dn = "%s,%s" % (self.objectdn, domain_dn)
+
+ # Create the modification
+ m = ldb.Message()
+ m.dn = ldb.Dn(samdb, object_dn)
+ m[self.attribute] = ldb.MessageElement(
+ value, ldb.FLAG_MOD_REPLACE, self.attribute)
+
+ samdb.modify(m)
+ self.outf.write("set %s: %s\n" % (self.attribute, value))
+
+
+# Then you override it for each setting name:
+
+class cmd_forest_show_directory_service(cmd_forest_show):
+ """Display Directory Service settings for the forest.
+
+ These settings control how the Directory Service behaves on all domain
+ controllers in the forest.
+ """
+ objectdn = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"
+ attributes = ['dsheuristics']
+
+class cmd_forest_set_directory_service_dsheuristics(cmd_forest_set):
+ """Set the value of dsheuristics on the Directory Service.
+
+ This value alters the behaviour of the Directory Service on all domain
+ controllers in the forest. Documentation related to this parameter can be
+ found here: https://msdn.microsoft.com/en-us/library/cc223560.aspx
+
+ In summary each "character" of the number-string, controls a setting.
+ A common setting is to set the value "2" in the 7th character. This controls
+ anonymous search behaviour.
+
+ Example: dsheuristics 0000002
+
+ This would allow anonymous LDAP searches to the domain (you may still need
+ to alter access controls to allow this).
+ """
+ objectdn = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"
+ attribute = 'dsheuristics'
+
+class cmd_forest_directory_service(SuperCommand):
+ """Forest configuration partition management."""
+
+ subcommands = {}
+ subcommands["show"] = cmd_forest_show_directory_service()
+ subcommands["dsheuristics"] = cmd_forest_set_directory_service_dsheuristics()
+
+class cmd_forest(SuperCommand):
+ """Forest management."""
+
+ subcommands = {}
+ subcommands["directory_service"] = cmd_forest_directory_service()
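Review bot: `cmd_forest_show.run()` reads `self.objectdn` and `self.attributes`, but the base class never declares them (compare `cmd_forest_set`, which sets `attribute = None` and `objectdn = None`); add `objectdn = None` and `attributes = []` to `cmd_forest_show` so the base class is consistent and a direct instantiation fails clearly rather than with an AttributeError. Also: the header comment "# domain management" should read "# forest management"; `CommandError` is imported but never used, while `samdb.search()`/`res[0]` and `samdb.modify()` are left to raise a raw `ldb.LdbError` that it could wrap; and `cmd_forest_set` writes `value` with FLAG_MOD_REPLACE and no validation, so the dsheuristics docstring should state that the whole string is replaced and that the current value should be read with `show` first (the "0000002" example is only safe when no other heuristic character is already set).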
diff --git a/python/samba/netcmd/group.py b/python/samba/netcmd/group.py
index a4969cc..9e1e110 100644
--- a/python/samba/netcmd/group.py
+++ b/python/samba/netcmd/group.py
@@ -26,6 +26,7 @@ from getpass import getpass
from samba.auth import system_session
from samba.samdb import SamDB
from samba.dsdb import (
+ ATYPE_SECURITY_GLOBAL_GROUP,
GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
GTYPE_SECURITY_GLOBAL_GROUP,
@@ -500,6 +501,85 @@ class cmd_group_move(Command):
self.outf.write('Moved group "%s" into "%s"\n' %
(groupname, full_new_parent_dn))
+class cmd_group_show(Command):
+ """Display a group AD object.
+
+This command displays a group object and it's attributes in the Active
+Directory domain.
+The group name specified on the command is the sAMAccountName of the group.
+
+The command may be run from the root userid or another authorized userid.
+
+The -H or --URL= option can be used to execute the command against a remote
+server.
+
+Example1:
+samba-tool group show Group1 -H ldap://samba.samdom.example.com \
+-U administrator --password=passw1rd
+
+Example1 shows how to display a group's attributes in the domain against a remote
+LDAP server.
+
+The -H parameter is used to specify the remote target server.
+
+Example2:
+samba-tool group show Group2
+
+Example2 shows how to display a group's attributes in the domain against a local
+LDAP server.
+
+Example3:
+samba-tool group show Group3 --attributes=member,objectGUID
+
+Example3 shows how to display a users objectGUID and member attributes.
+"""
+ synopsis = "%prog <group name> [options]"
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ type=str, metavar="URL", dest="H"),
+ Option("--attributes",
+ help=("Comma separated list of attributes, "
+ "which will be printed."),
+ type=str, dest="group_attrs"),
+ ]
+
+ takes_args = ["groupname"]
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ def run(self, groupname, credopts=None, sambaopts=None, versionopts=None,
+ H=None, group_attrs=None):
+
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp, fallback_machine=True)
+ samdb = SamDB(url=H, session_info=system_session(),
+ credentials=creds, lp=lp)
+
+ attrs = None
+ if group_attrs:
+ attrs = group_attrs.split(",")
+
+ filter = ("(&(sAMAccountType=%d)(sAMAccountName=%s))" %
+ ( ATYPE_SECURITY_GLOBAL_GROUP,
+ ldb.binary_encode(groupname)))
+
+ domaindn = samdb.domain_dn()
+
+ try:
+ res = samdb.search(base=domaindn, expression=filter,
+ scope=ldb.SCOPE_SUBTREE, attrs=attrs)
+ user_dn = res[0].dn
+ except IndexError:
+ raise CommandError('Unable to find group "%s"' % (groupname))
+
+ for msg in res:
+ user_ldif = samdb.write_ldif(msg, ldb.CHANGETYPE_NONE)
+ self.outf.write(user_ldif)
+
class cmd_group(SuperCommand):
"""Group management."""
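Review bot: the search filter `(&(sAMAccountType=%d)(sAMAccountName=%s))` built with `ATYPE_SECURITY_GLOBAL_GROUP` only matches security-enabled global groups, so `group show` will report "Unable to find group" for domain-local and distribution groups, which the commit message (objectSID/objectGUID lookup for groups in general) does not intend; matching on the object class instead, e.g. `"(&(objectClass=group)(sAMAccountName=%s))"`, covers every group type. Minor: `user_dn = res[0].dn` exists only to trigger the IndexError and is otherwise unused, `user_ldif` is a leftover name from `user show`, `filter` shadows the builtin, and the docstring has "it's attributes" (should be "its") and "a users objectGUID" (should be "a group's").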
@@ -511,3 +591,4 @@ class cmd_group(SuperCommand):
subcommands["list"] = cmd_group_list()
subcommands["listmembers"] = cmd_group_list_members()
subcommands["move"] = cmd_group_move()
+ subcommands["show"] = cmd_group_show()
diff --git a/python/samba/netcmd/main.py b/python/samba/netcmd/main.py
index 40762fa..8379766 100644
--- a/python/samba/netcmd/main.py
+++ b/python/samba/netcmd/main.py
@@ -63,12 +63,14 @@ class cmd_sambatool(SuperCommand):
subcommands["domain"] = None
subcommands["drs"] = None
subcommands["dsacl"] = None
+ subcommands["forest"] = None
subcommands["fsmo"] = None
subcommands["gpo"] = None
subcommands["group"] = None
subcommands["ldapcmp"] = None
subcommands["ntacl"] = None
subcommands["rodc"] = None
+ subcommands["schema"] = None
subcommands["sites"] = None
subcommands["spn"] = None
subcommands["testparm"] = None
diff --git a/python/samba/netcmd/schema.py b/python/samba/netcmd/schema.py
new file mode 100644
index 0000000..9a356a4
--- /dev/null
+++ b/python/samba/netcmd/schema.py
@@ -0,0 +1,313 @@
+# Manipulate ACLs on directory objects
+#
+# Copyright (C) William Brown <william at blackhats.net.au> 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import ldb
+import samba.getopt as options
+from samba.ms_schema import bitFields
+from samba.auth import system_session
+from samba.samdb import SamDB
+from samba.netcmd import (
+ Command,
+ CommandError,
+ SuperCommand,
+ Option
+ )
+
+class cmd_schema_attribute_modify(Command):
+ """Modify attribute settings in the schema partition.
+
+ This commands allows minor modifications to attributes in the schema. Active
+ Directory does not allow many changes to schema, but important modifications
+ are related to indexing. This command overwrites the value of searchflags,
+ so be sure to view the current content before making changes.
+
+ Example1:
+ samba-tool schema attribute modify uid \
+ --searchflags="fATTINDEX,fPRESERVEONDELETE"
+
+ This alters the uid attribute to be indexed and to be preserved when
+ converted to a tombstone.
+
+ Important search flag values are:
+
+ fATTINDEX: create an equality index for this attribute.
+ fPDNTATTINDEX: create a container index for this attribute (ie OU).
+ fANR: specify that this attribute is a member of the ambiguous name
+ resolution set.
+ fPRESERVEONDELETE: indicate that the value of this attribute should be
+ preserved when the object is converted to a tombstone (deleted).
+ fCOPY: hint to clients that this attribute should be copied.
+ fTUPLEINDEX: create a tuple index for this attribute. This is used in
+ substring queries.
+ fSUBTREEATTINDEX: create a browsing index for this attribute. VLV searches
+ require this.
+ fCONFIDENTIAL: indicate that the attribute is confidental and requires
+ special access checks.
+ fNEVERVALUEAUDIT: indicate that changes to this value should NOT be audited.
+ fRODCFILTEREDATTRIBUTE: indicate that this value should not be replicated to
+ RODCs.
+ fEXTENDEDLINKTRACKING: indicate to the DC to perform extra link tracking.
+ fBASEONLY: indicate that this attribute should only be displayed when the
+ search scope of the query is SCOPE_BASE or a single object result.
+ fPARTITIONSECRET: indicate that this attribute is a partition secret and
+ requires special access checks.
+
+ The authoritative source of this information is the MS-ADTS.
+ """
+ synopsis = "%prog attribute [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
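Review bot: the file header comment "# Manipulate ACLs on directory objects" is copied from another netcmd module and does not describe schema.py; replace it with something like "# Query and manage the schema partition". Docstring typos: "This commands allows" should be "This command allows" and "confidental" should be "confidential". Since the docstring already warns that the command overwrites searchFlags, the `--searchflags` example should also tell the reader to run `schema attribute show` first (the option handling itself falls beyond the 500-line truncation, so it is not reviewable here).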
--
Samba Shared Repository